• Nothing Chats, a rival to apps like Beeper and AirMessage, advertised itself as a secure platform for sending messages to iMessage users.
  • However, less than 24 hours after its launch, investigations into the app revealed that Nothing Chats logged every message in plain text and stored unencrypted data, including text messages, images, videos, and more, making it a significant privacy and security risk.
  • The company removed the app from the Play Store following these complaints, citing “several bugs” that need fixing.
  • Ghostalmedia@lemmy.world
    link
    fedilink
    English
    arrow-up
    253
    ·
    1 year ago

    Giving your iCloud credentials to a third party is already sketchy. It gives them the ability to read your messages, documents, health records, etc.

    Nothing / Sunbird basically said “trust me bro, we’re super secure.” Then they did this right out of the gate.

    What a bunch of morons.

    • Beefy-Tootz@lemmy.world
      link
      fedilink
      English
      arrow-up
      58
      ·
      1 year ago

      I wholeheartedly agree with you, but in today’s world, that doesn’t matter to most people. I work in banking and the amount of people who willingly give their whole ass banking information to third parties is insane to me. I’m not talking like just their debit card number or their account and routing numbers, like legitimately their online banking sign in info, and they don’t see any potential risk at all

      • NuXCOM_90Percent@lemmy.zip
        link
        fedilink
        English
        arrow-up
        40
        ·
        1 year ago

        It doesn’t help that banks are normalizing this.

        I recently began changing banks. To authorize a transfer from one to the other, my only option was to login via a popup. No place to specify account details just “log into your account to give us permissions”. Fortunately the new bank is competent so I did it from that side, but it is still normalized insanity

      • Ghostalmedia@lemmy.world
        link
        fedilink
        English
        arrow-up
        30
        arrow-down
        1
        ·
        1 year ago

        IMHO, the big fuck up is on the business side of the fence. Their product’s success rides on Apple not sicking their giant legal team on them. They needed to play this carefully. AKA, they needed to live up to the security promises.

        Now they’re in the press for being an iMessage security vulnerability, and security is something Apple spends a LOT of marketing money on.

        Apple is going to want to protect that image, and I wouldn’t be surprised if they come for Sunbird in the coming weeks.

        They played this fast and loose, and it will probably cost them.

        • kautau@lemmy.world
          link
          fedilink
          English
          arrow-up
          11
          ·
          1 year ago

          Yeah very much this. Their way of running a bunch of Macs intercepting iCloud messages was already sketchy, so I was surprised Apple hadn’t come for them sooner. But now that it turns out everything was being stored unencrypted in plaintext? Apple’s legal team couldn’t be happier, they did their jobs for them.

          • Ghostalmedia@lemmy.world
            link
            fedilink
            English
            arrow-up
            7
            ·
            1 year ago

            My guess is that they would care less about people who decide to sign up for this service, but they are going to care about the customers on the other end of the line. AKA, the people who are not tunneling through Sunbird, and don’t know they’re communicating with a compromised user.

            • kautau@lemmy.world
              link
              fedilink
              English
              arrow-up
              6
              ·
              1 year ago

              That’s definitely true, if they follow their “Apple is the most secure consumer electronics manufacturer” PR strategy, they will be intent to try to trace what accounts were communicating with whom, and alert said Apple users about potential data breaches. Tbh, while it fits their MO of being really good at PR, it’s also just generally a good thing. People should know if messages they sent that they thought were secure turned out not to be.

      • AnActOfCreation@programming.devOP
        link
        fedilink
        English
        arrow-up
        9
        ·
        edit-2
        1 year ago

        I used to use Privacy.com and Mint until I did some looking into Plaid. They present a login screen that looks like your bank and you assume they’re doing some kind of OAuth. Nope they’re just taking your full banking credentials and you have to hope they’re safe. I think Plaid is a ticking time bomb. When it gets hacked a lot of people will be in trouble.

      • The Hobbyist@lemmy.zip
        link
        fedilink
        English
        arrow-up
        8
        ·
        edit-2
        1 year ago

        I think there is an importance nuance: it’s not that most people don’t care about privacy, it’s that they don’t realize that they in fact do.

        If they ever get bitten in the ass caused by privacy issues, they are likely to share their outrage, justifiably. But yeah, most people don’t realize how important privacy is or what a lack of privacy actually implies…

      • deafboy@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        1
        ·
        1 year ago

        It’s hard to train people not to shoot themselves in the foot when their own bank is providing free ammo.

        My bank sent me an email this year that literally said Take our security awareness quiz and win an iphone. Click here!

        Then there was one time some lady has called, claiming she has an offer from my bank, but needs to verify MY identity first… After contacting the support, I was assured the call was legit. The lady is selling insurance on behalf of the bank. Her number was supposed to be on the list of the official partners, which it wasn’t. When I’ve asked about caller ID spoofing, they’ve assured me they take security seriously, and are working on a solution. Untill then, I shlould rely on the list…

        All of that is still a progress though, because you’ll never gues what was the official way to top up my paypal account ~10 years back. Giving my full internet banking credentials to some shady payment gateway. I’ve never noped the fuck out of a website so fast…

          • deafboy@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Some banks in my country had a direct integration with paypal for making instant transfers, some have used sketchy 3rd party payment gateways. You could’ve just linked a credit card, but I had zero trust in online card payments at the time. That’s why the idea of paypal wallet with limited balance was appealing to me in the first place.

    • flop_leash_973@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      ·
      edit-2
      1 year ago

      Yup, and in any sane world this sort of thing would sink Nothing as a viable and serious option for a phone OEM. If they are willing to get behind such garbage ideas what else are they doing that hasn’t been dragged kicking and screaming into the light yet.

      • Ghostalmedia@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Apple’s health app is basically a platform that can store and unify data from the Apple Watch, and other iOS compatible biometric devices for blood pressure, diabetes, weight, etc.

        It can also download your electronic medical records from hospitals and can locally consolidate your hospital’s data with the data you’ve collected. Like your hospital’s medical records app, you can either store an encrypted copy of all this data locally, or you can save an encrypted copy on iCloud. Your choice.

        IMHO, the health app is particularly useful in places like the US. The US is supposed to have accessible and interoperable electronic medical records, but it’s kind of a shit show. That data can be hard to collect, consolidate, and parse.

        I’ve had some very serious medical issues that resulted in complex hospitalizations and treatment regimens, and I’ve found the app VERY helpful. It’s allowed me and my doctor to work through past treatments and nail down medications and dosages that would get me out of the hospital and not prolong a stay.

        All in all, medical records and biometric monitors are a fragmented cluster fuck. Especially in the dates. Apple health tries to clean that shit up, and in the process, entice people to spend $400 on a smart watch.

    • daqqad@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      1
      ·
      1 year ago

      I think very few Android users are actively part of Apple ecosystem. These are just blank accounts they create to show up in a different color on ios messages. I can give you my apple password. I created it when I was briefly issued a Mac at work 10 years ago and never used it since.

      • decisivelyhoodnoises@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        Yes but these blank accounts will cease to be blank after these users start having conversations which use the middleman. And the middleman will have access to them…

      • Pika@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        1
        ·
        1 year ago

        I actually try my best to avoid being part of that ecosystem, partially due to the incompatibilities and also partially due to the hostility that Apple users tend to have in that system torwards outsiders.

        I’m the same way with my credentials lol

        • daqqad@lemmy.world
          link
          fedilink
          English
          arrow-up
          5
          arrow-down
          1
          ·
          1 year ago

          I don’t experience that hostility tbh. Maybe because I’m not a teenager? People I know are split about 50/50.

          I’m also in hcol area in USA so iphone isn’t really a status symbol. Everyone can afford an iPhone, they just treat phones as tools so they get whatever works best for them.

          • Pika@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            1
            ·
            edit-2
            1 year ago

            I agree with the teenager thing, my sister is in highschool and she thinks apple is the world cause she’s concidered uncool in group for having an iPhone 12

            Me being 10 years older I thankfully missed that “life revolves around the brand” train but, it’s still relevant during family gathering because they don’t wanna use my s20+'s camera for pictures preferring to use an iPhone then struggle to share images with everyone

            • EngineerGaming@feddit.nl
              link
              fedilink
              English
              arrow-up
              3
              ·
              1 year ago

              As for photo sharing - this is just wild. A girl on the train took pictures of me and when I tried to get them sent to me, it turned out iPhones can’t do a thing as basic as sending a file by Bluetooth to an Android! It’s so weird that we had to wait until we get to an area with cell reception and do so by a messenger… despite being right next to each other!

          • EngineerGaming@feddit.nl
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            I am in one of the richer cities in my country, and in my uni class iPhones are a noticeable minority, like what, 15-20%? But I’ve never seen them use iMessage, they’re on Telegram and Whatsapp like everyone else.

      • Ghostalmedia@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        1 year ago

        My guess is this feature isn’t targeting Android users. It’s targeting iOS users in the US that are due for a phone upgrade.

        “Blue bubbles” is one of the reasons people stick with the platform in the states. And saying your Android phone supports that could allow you to tap into a much larger market in the US. Apple controls more than half of the smartphone market in the states, and default messaging apps also dominate on in the states.

        • daqqad@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          I’d love to find out which group they actually tried to target, but if you’re right - I completely agree. No way I’m handing credentials to my Google account over. That’s why normal companies have APIs.

          RCS might not be perfect, but at least it’s open.

          I really hope EU will continue the trend of forcing Apple to become less of a piece of shit company.

  • SeaJ@lemm.ee
    link
    fedilink
    English
    arrow-up
    85
    ·
    1 year ago

    What crackhead thought it would be a good idea to store all of that unencrypted?

    • Ghostalmedia@lemmy.world
      link
      fedilink
      English
      arrow-up
      63
      ·
      1 year ago

      The same crackhead that thought it was a smart idea to build a business around giving iCloud credentials to a middle man.

      • corsicanguppy@lemmy.ca
        link
        fedilink
        English
        arrow-up
        11
        arrow-down
        1
        ·
        1 year ago

        Are there plans for a desktop client?

        Anybody with a browser is going to be able to use Sunbird. The messages will synchronize. A big challenge has been synchronizing without them storing the data but we got it right. The web app will synchronize with the Sunbird app. Bottom line… Got a browser? You will be able to use Sunbird.

        They already can go to hell.

        The frantic fumbling to find whichever bloody tab on which bloody window is making the chime is really something I can do without. And when I DO ignore it, I’m somehow at fault.

        • kautau@lemmy.world
          link
          fedilink
          English
          arrow-up
          6
          ·
          1 year ago

          I mean they can mostly go to hell by stating

          The Sunbird servers do not store user data promoting a safe, secure, and private messaging environment. With end-to-end encrypted, confidential messaging, Sunbird is fully secure and completely private.

          And then literally storing unencrypted user data on their servers, doing the exact opposite of their claims.

          This whole company/product comes off as a shitty cash grab from idiot techbros with little knowledge of software. Apple is going to eat them alive once the litigation starts.

    • anon_8675309@lemmy.world
      link
      fedilink
      English
      arrow-up
      12
      ·
      1 year ago

      I mean it’s Carl Pei, right? He’s always done stuff to get attention his products one way or another.

      • Ghostalmedia@lemmy.world
        link
        fedilink
        English
        arrow-up
        18
        ·
        1 year ago

        All Pei did was put a Nothing skin on Sunbird. It was Sunbird that didn’t encrypt the comms.

        That said, Pei was so damn thirsty for marketing attention that Nothing obviously didn’t fully vet the security around Sunbird’s product.

      • interceder270@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        7
        ·
        1 year ago

        Bro, Pei Wei had this BOGO deal. I would eat them almost everyday, except one visit got me more food than I could finish in a day.

        Those drunken noodles.

        Those firecracker chicken.

        Mmm.

        Haven’t been since they removed the deal, lol.

  • danielfgom@lemmy.world
    link
    fedilink
    English
    arrow-up
    63
    arrow-down
    3
    ·
    1 year ago

    This is one of the many reasons I don’t like Nothing. They are willing to put users at risk just so they can sell a few more phones.

    Let me tell you Nothings strategy:

    1. Make an extract clone of the iPhone and put some gimmick lights on it to get attention.

    2. Make some airpod clones but make them see through to again attract attention

    3. Try to get iMessage working on Nothing 2 (screw you if you’re on Nothing 1, Apple style) to reinforce the impression you’re using an iPhone.

    4. If successful, price the Nothing 3 even higher to make it seem premium even though it’s nothing special at all.

    5. Bring features to the Nothing 3, that the Nothing 2 and Nothing 1 will never get, even though there is no reason not to give it to them too.

    6. Repeat for Nothing 5 and every other Nothing ever. And eventually reach iPhone pricing.

    In short, they are using their users just to get popular, become like Apple and get rich. Only to screw you over and make future phones super expensive.

    Much like One Plus did. First you position yourself as flagship killer, and once you get a loyal following and deals with mobile carriers then you push the price sky high and give your supporters the middle finger.

    Anyone who buys Nothing is a fool.

      • MartinXYZ@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Isn’t Pete Lau the CEO of Nothing? He did the same thing with OnePlus. At least I don’t think they didn’t do invites for Nothing.

          • MartinXYZ@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            Sorry, I mixed them up, Pete Lau was also one of the big hats at OnePlus. I’m not sure what his title was, then. Oh, I checked up on it; Lau and Pei co-founded OnePlus, Pei was the CEO of OnePlus, but left OnePlus to found Nothing, which he is now the CEO of, leaving Pete Lau as the CEO of OnePlus.

    • dingleberry@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      11
      arrow-down
      2
      ·
      1 year ago

      Nothing is a clone of OnePlus… repeating the same strategy of OnePlus… destined to the same fate as OnePlus.

    • Fisch@lemmy.ml
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      Despite that, I have a Nothing Phone 1 with LineageOS and I think it’s great. The iPhone like design is actually one of the reasons I bought it. Price is also very good for the hardware. What else they’re doing is nothing I care about.

      • danielfgom@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Well the shape of actually the best thing about it. Apple really hit on a winner with that design and the corner radius they use. It’s very pleasing to the eye. Whereas Android phones tend to have sharper corners, for whatever reason.

          • danielfgom@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            Wow that is crazy! How can anyone patent a corner? What next? Patent the square?

            That judgement should be thrown out along with the judge who made it!

            I’d like to see if Apple sue Nothing because I think they literally traced an iPhone on paper and then added gimmick lights. Even the lights look like an apple logo

    • Kumatomic@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      I came to the OnePlus bandwagon late and now I know why my experience was so substandard even though so many people had talked them up. I was looking at the Nothing Phone and beginning to consider it because I bought a Pixel I regret and now I think I’ll just stick with the phone that’s paid for because they all suck. I miss my BlackJack II, Sidekick, and even my G1.

      • danielfgom@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        Yes, very sad when happened to One Plus but it was the plan all along. It just shows you that they know what consumers want, especially the really-into-android guys like us, yet when they get what they want in sales and brand, then they drop all that and give us the same slop as everyone else

    • mayonaise_met@feddit.nl
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      As a three time OnePlus customer I don’t blame them. They were a decent deal each time I opted for them, but I feel no loyalty to them or any other brand I’ve had in-between OnePlus phones.

      Like with any corporation, nobody at the company cares about your loyalty as an individual.

  • starman2112@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    44
    arrow-down
    1
    ·
    1 year ago

    I don’t even exist in the same world as the word “infosec” and even I shudder at the phrase “plain text”

  • generalpotato@lemmy.world
    link
    fedilink
    English
    arrow-up
    41
    ·
    edit-2
    1 year ago

    Really? Nobody did an arch review for this and figured this was going to be caught/uncovered/talked about day one?

    • Ghostalmedia@lemmy.world
      link
      fedilink
      English
      arrow-up
      36
      ·
      1 year ago

      I imagine Nothing’s Infosec team must be terrible or non-existent. Any half decent infosec team would immediately raise red flags and pull in the legal dept as soon as they heard “let’s let our customers give their iCloud credentials to a small vendor we just hired.”

      • corsicanguppy@lemmy.ca
        link
        fedilink
        English
        arrow-up
        23
        ·
        1 year ago

        Any half decent infosec team would immediately

        … be over-ridden by a Chief Product Officer who says ‘[something something] for now’ .

  • JimVanDeventer@lemmy.world
    link
    fedilink
    English
    arrow-up
    36
    arrow-down
    1
    ·
    1 year ago

    This sounded like a disaster when it was first revealed they were basically relaying messages through some Macs they had lying around the office.

  • 9thSun@midwest.social
    link
    fedilink
    English
    arrow-up
    16
    ·
    1 year ago

    Just watched a SomeOrdinaryGamers video about this a couple days ago. Muta gave Nothing too much credit saying the texts etc would probably be encrypted. But lol “plain text”. They crazy for that.

  • donut4ever@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    16
    arrow-down
    1
    ·
    edit-2
    1 year ago

    LMAO, who would have thunk it? That was a very desperate attempt to make some sales. I noped it the second I learnt that they were using a mac mini somewhere to log people’s iclouds. That was the most pathetic thing I have seen in a while.

    • Inktvip@lemm.ee
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      Nog defending this practice at all, but a fun little fact is that if you get a Mac instance on AWS (and other cloud providers) It’s literally a normal mac mini in a rack enclosure.

  • CatTrickery@lemmy.world
    link
    fedilink
    English
    arrow-up
    15
    ·
    1 year ago

    I love how the marketing for this was absolutely everywhere. It wasn’t anything new. It just tried and failed to reinvent the wheel that was matrix bridges.