Phone startup Nothing recently launched its “Nothing Chats” app, which enables iMessage on its Nothing Phone (2) Android device.
However, troubling security issues have already been uncovered that could put users’ Apple ID credentials at risk.
Nothing Chats Merges iMessage, RCS, SMS
The Nothing Chats app aims to conveniently combine iMessage with existing SMS and RCS chats in one place on the Nothing Phone (2). Users link their Google Messages app via QR code for SMS/RCS functionality.
To enable iMessage, they must sign in with their Apple ID, essentially using remote Mac computers provided by Nothing’s partner Sunbird. This links the Phone (2) to iMessage using the same method as web-based solutions.
Apple ID “Destroyed” After Login Says Nothing
Nothing claims user Apple IDs are tokenized in an encrypted database after login, and the actual IDs are then “destroyed” so credentials stay secure.
Messages are also end-to-end encrypted, so the company insists that Apple IDs and chat contents remain protected and inaccessible.
But Technical Flaws Raise Alarms
However, alarming technical shortcomings have already been discovered that counter Nothing’s security claims. Most glaringly, Apple ID credentials are transmitted unencrypted over HTTP connections, not secure HTTPS.
This means Apple IDs could be exposed during login, completely negating supposed safeguards. Sunbird, which developed the backend system, has a concerning reputation for refusing to address security questions.
Previous Attempts to Deliver Buggy Experiences
Other companies have tried bringing iMessage to Android before with similarly buggy experiences. Just this week, Apple announced RCS support coming natively to iPhones in 2024, reducing the appeal of third-party workarounds.
Experts Urge Caution With Apple ID Security
Cybersecurity experts strongly recommend against entering Apple IDs into any third-party service lacking robust protections. Nothing Chat’s security flaws mean exposing account credentials and private messages.
Until Nothing conclusively demonstrates Apple IDs remain shielded end-to-end, experts advise avoiding this app and similar offerings. The privacy risks outweigh any convenience benefits.
Can Nothing Deliver Promised Security Improvements?
Nothing says the HTTP flaw will be addressed in a future update, and maintains that Apple IDs and messages stay securely encrypted. However, trust takes time to rebuild after such glaring oversights.
If Nothing can substantively improve security protections around Apple IDs, it may eventually deliver an appealing consolidated messaging option. But currently, too many red flags exist to recommend Nothing Chats.
Messaging Fragmentation Remains a Key Mobile Dilemma
Android’s messaging landscape remains deeply fragmented between SMS, RCS, and proprietary options like iMessage. Seamlessly bridging these networks could provide major user benefits.
But early entrants like Nothing Chat demonstrate challenges around centralizing diverse communications while also guaranteeing privacy. Until security takes clear precedence, consolidation efforts will falter.
For now, Nothing Chat provides a cautionary tale of the risks in exposing Apple IDs to unvetted third parties. Robust security protections must come first before convenience features. Otherwise, users’ data and privacy pay the price.
