Nothing's iMessage App Was a Security Catastrophe, Taken Down In 24 Hours (arstechnica.com)
Last week, Android smartphone manufacturer "Nothing" announced that it's bringing iMessage to its newest phone through a new "Nothing Chats" app powered by the messaging platform Sunbird. After launching Friday, the app was shut down within 24 hours and the Sunbird app, which Nothing Chat is a clone of, was put "on pause." The reason? It's a security nightmare. Ars Technica reports: The initial sales pitch for this app -- that it would log you into iMessage on Android if you handed over your Apple username and password -- was a huge security red flag that meant Sunbird would need an ultra-secure infrastructure to avoid disaster. Instead, the app turned out to be about as unsecure as you could possibly be. Here's Nothing's statement: "We've removed the Nothing Chats beta from the Play Store and will be delaying the launch until further notice to work with Sunbird to fix several bugs. We apologize for the delay and will do right by our users."
How bad are the security issues? Both 9to5Google and Text.com (which is owned by Automattic, the company behind WordPress) uncovered shockingly bad security practices. Not only was the app not end-to-end encrypted, as claimed numerous times by Nothing and Sunbird, but Sunbird actually logged and stored messages in plain text on both the error reporting software Sentry and in a Firebase store. Authentication tokens were sent over unencrypted HTTP so this token could be intercepted and used to read your messages. [...]
Despite being the cause of this huge catastrophe, Sunbird has been bizarrely quiet during this whole mess. The app's X (formerly Twitter) page still doesn't say anything about the shutdown of Nothing Chats or Sunbird. Maybe that's for the best because some of Sunbird's early responses to the security concerns raised on Friday do not seem like they came from a competent developer. [...] Nothing has always seemed like an Android manufacturer that was more hype than substance, but we can now add "negligent" to that list. The company latched on to Sunbird, reskinned its app, created a promo website and YouTube video, and coordinated a media release with popular YouTubers, all without doing the slightest bit of due diligence on Sunbird's apps or its security claims. It's unbelievable that these two companies made it this far -- the launch of Nothing Chats required a systemic security failure across two entire companies.
The usual suspects. (Score:5, Insightful)
Senior level developers are expensive. The market is full of greenies who don't realize how much there is to know about security. When interviewed by non-technicians who also don't have a clue, a simple question like "can you make it secure?" will get an honest but completely false answer of "yes."
The other common reason is management imposing impossible deadlines and being deaf to the protests of their people who actually do know a thing or two about security, but are told to ignore it.
There may also be unethical consultants involved, or cheap foreign development shops that don't have incentive to care.
The only surprising thing about this story is how common it is.
Re:The usual suspects. (Score:4, Insightful)
Indeed. So very much this. After CS studies with a security elective (everything on offer back when), it took me something like 5 years to begin to understand how much I did not know that I did not know and 10 additional years or so to fix that.
A major part of any sane engineering education is to enable graduates to really understand the limits of their skills and insights and to know when they need additional skills or need to get an expert to do something. In CS/IT that is still mostly missing and even more so in IT security. Hence crap like this happens. If the ones that wrote this crap even have a degree that is.
News Flash (Score:5, Insightful)
Who would have thought that a company that required you to give them your username and password to another service so they could store it on their own servers and pass your messages through wouldn't be the most secure spot around.
Re: (Score:2)
Who would have thought that a company that required you give them your username and password to another service
How else could it work?
If they're logging onto Apple servers on your behalf, they obviously need your login/pw.
Re: (Score:3)
I didn't suggest otherwise. I simply pointed out that the glaring security issue with their standard setup should have been an indicator for everyone that they may not value security that much.
Re:News Flash (Score:4, Insightful)
This is actually not "obviously" true. Many services have ways to authenticate with a service but then pass your authorization to a third party. Hell, I implemented OpenID around 20 years ago to let people authenticate to my web site using third-party credentials. The fact that Apple chooses not to do this means that the security issues are 50% due to Nothing (because what the fuck were they thinking?) and 50% Apple (because Apple talks about privacy and security, but doesn't act on those words if you ever dare to communicate with any of the non-Apple-purchasing heathens in the world). Apple could have implemented a secure way for third parties to use iMessage, but they care a lot about money and very little about privacy, so Apple just followed the dollars.
This is why I don't give my dollars to Apple, but everyone should make their own choices.
Re: (Score:2)
That's a good example of the industry-wide problem with security. There is a lot to know about security, and most people don't know very much about it, and (worst of all) they don't know how much they don't know. So they think things like "well, obviously, this is the only way to do it" when in fact there are much more secure options out there.
It's a field where everyone who knows anything about it tends to think they know a lot more about it than they do.
Re:News Flash (Score:5, Informative)
This is actually not "obviously" true. Many services have ways to authenticate with a service but then pass your authorization to a third party. Hell, I implemented OpenID around 20 years ago to let people authenticate to my web site using third-party credentials. The fact that Apple chooses not to do this means that the security issues are 50% due to Nothing (because what the fuck were they thinking?) and 50% Apple (because Apple talks about privacy and security, but doesn't act on those words if you ever dare to communicate with any of the non-Apple-purchasing heathens in the world). Apple could have implemented a secure way for third parties to use iMessage, but they care a lot about money and very little about privacy, so Apple just followed the dollars.
This is why I don't give my dollars to Apple, but everyone should make their own choices.
Apple chooses not to do this because they don't want to open iMessage in this way. They are trying to hack their way in and you are blaming Apple for making them do it.
Maybe you should just leave your keys in the ignition when you park your car. Never know, someone might want to use it.
Re: News Flash (Score:4, Insightful)
Why on earth should they get rid of the green bubbles? Where's that defined in the RCS standard?
As an iPhone user, I find them a convenient way to know that iMessage wasn't used and so should expect reduced functionality or a configuration issue or a mistake that could cost me money.
Re: (Score:1)
Why on earth should they get rid of the green bubbles?
Because the EU is a superpower with 448 million people in it. They can make problems for Apple in markets far outside their own. Fortunately the EU tends to represent the interests of its people rather than grab power for themselves.
Re: News Flash (Score:4, Informative)
Fortunately the EU tends to represent the interests of its people rather than grab power for themselves.
If the "interests of the people" are "this bubble should be blue instead of green" and government has the power to compel that, you have too much government.
Re: (Score:2)
That doesn't really explain why they would do it. Don't you think that doing so would be over-reach? A company implementing standards should be able to do something differentiating so long as the standards are fulfilled, shouldn't it? Otherwise, we might as well give up on private businesses and just work for the government.
Then there are /.'s bugs where it can't even render currency symbols properly. Perhaps you should focus on the real problem instead of the symptoms.
Re: (Score:2)
Because they use the green bubbles and reduced functionality as a way to lock people into their revenue stream.
Re: (Score:1)
The green bubble is an indication that the message was sent as SMS. That is all.
Re: (Score:2)
Right, so it should go away when sending via RCS. After all, RCS supports media, typing notifications, and other advanced features.
Re: (Score:2)
Apparently it doesn't support encryption. Google's implemented an extension to do this, but that's not part of the standard. So yes, it possibly will be reduced functionality if Apple don't also implement this non-standard extension.
Re: (Score:2)
They would be wise to implement it, if they don't want the EU to take further action.
Re: (Score:2)
Maybe you should just leave your keys in the ignition when you park your car. Never know, someone might want to use it.
I do this. I use a car sharing service, and don't give money to companies who don't allow me to share cars.
Re: (Score:2)
>> the security issues are 50% due to Nothing and 50% Apple
Nope.
It is 100% responsibility of "Nothing" to choose the correct platform.
Re: (Score:1)
It is really, Apple most probably does one-way encryption, so even if their service was hacked, it would be very difficult to retrieve actual passwords. Now a third party vendor is storing credentials which are not one-way encrypted, which is a major security flaw in any authentication system.
Re: (Score:2)
The question is not how to do it any other way, the question is why people are stupid enough to...
What am I saying, people are stupid enough to give smart home appliance makers the keys to their house, then ask them nicely to be let into their own homes. Your honor, I withdraw my question.
They could use some sort of token flow like OAuth w/ PKCE. You just provision the refresh and access tokens with the service provider and as long as the IDP never expires actively used refresh tokens, then it should work indefinitely as long as you use the service often enough to keep your tokens active. The user's credentials would never pass through the Sunbird servers in that scenario.
Now I don't know if Apple offers 3rd party apps to obtain tokens /w scopes sufficient to send iMessages, but that is how I
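The token flow this comment sketches, as an added example that is not from the original post, from Sunbird or from Apple: a minimal OAuth 2.0 PKCE (RFC 7636, S256) exchange simulated in-process. The hypothetical SimulatedIdP stands in for the identity provider and elides the actual password check; the point it shows is that the password is only ever presented to the IdP, while the client and any relay server handle only a one-time code and tokens, and a stolen code is useless without the device-held verifier.

```python
# Added example (not from the original post): OAuth 2.0 PKCE exchange, S256 method,
# using only the standard library. SimulatedIdP is a hypothetical in-process stand-in
# for the identity provider; its password check is elided.
import base64
import hashlib
import secrets


def make_verifier() -> str:
    """RFC 7636 code_verifier: 43 URL-safe chars derived from 32 random bytes."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def make_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class SimulatedIdP:
    """Stand-in identity provider. Only it sees the user's password; the client
    app and any relay server only ever see authorization codes and tokens."""

    def __init__(self):
        self._pending = {}  # one-time authorization code -> (challenge, scope)
        self._tokens = {}   # access token -> granted scope

    def authorize(self, password_ok: bool, challenge: str, scope: str) -> str:
        # The user authenticates directly with the IdP (check elided); the IdP
        # binds the client's challenge to a one-time code and returns the code.
        if not password_ok:
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self._pending[code] = (challenge, scope)
        return code

    def token(self, code: str, verifier: str) -> str:
        # Token endpoint: caller must prove possession of the verifier matching
        # the challenge bound to this code. The code is consumed either way.
        challenge, scope = self._pending.pop(code, (None, None))
        if challenge is None or not secrets.compare_digest(make_challenge(verifier), challenge):
            raise PermissionError("PKCE verification failed")
        tok = secrets.token_urlsafe(24)
        self._tokens[tok] = scope
        return tok

    def scope_of(self, tok: str):
        return self._tokens.get(tok)


def client_flow(idp: SimulatedIdP, scope: str = "messages.send") -> str:
    """Client side: the verifier never leaves the device; only the challenge
    goes out with the authorization request and the code comes back."""
    verifier = make_verifier()
    code = idp.authorize(True, make_challenge(verifier), scope)
    return idp.token(code, verifier)
```

The challenge computation can be checked against the worked values in RFC 7636 Appendix B.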
Re: (Score:1)
Properly cleaning a toilet is a non-trivial thing, and I suspect that you are overestimating these people by proxy of your overestimation of people in general.
Much ado about Nothing. (Score:3)
This story is much ado about Nothing. On the one hand, what they created was apparently designed in just about the most security-incompetent way possible. On the other hand, people have heard of them now, and I guess that's worth something. :-D
Re: (Score:1)
This story is much ado about Nothing.
*rimshot*
The app's X (formerly Twitter) page (Score:4, Informative)
This illustrates a total failure for X's branding. Every single time X is mentioned anywhere, it is followed by "formerly Twitter". Clearly, reporters are worried that no one will know what "X" is. And they're probably right, and I hope the rebrand--and the company--goes down in flames.
Using only one single letter as brand is stupid anyway. Unsearchable.
You have to admit that Musk does "stupid" pretty well. Probably not an act either.
Re: (Score:2)
Don't worry, he also stupidly spent the money to buy the site x.com
No single person except a nun types x into their address bar first and doesn't get a little nervous.
This illustrates a total failure for X's branding. Every single time X is mentioned anywhere, it is followed by "formerly Twitter". Clearly, reporters are worried that no one will know what "X" is. And they're probably right, and I hope the rebrand--and the company--goes down in flames.
Hence it's become "the app formerly known as Twitter".
Re: (Score:2)
Here it is mostly called Xitter, a good name for ex-Twitter.
There goes another saying (Score:2)
Remember when we could say "Well, it's better than nothing" and it basically meant that you at least have something?
Can't really say that anymore. Just being better than Nothing means nothing anymore.
Re: (Score:3)
I watched a whole TV series about nothing.
Cheap, crappy coding does not cut it (Score:2)
When will people learn? There need to be some C-level firings over this for gross incompetence.