Tweaking iMessage is definitely a bad idea
It didn’t take long. Barely 24 hours after its launch, Nothing’s DIY iMessage app was pulled from the Google Play Store over security concerns.
Predictably, bypassing Apple’s restrictions to ship an iMessage client on Android is a bad idea. The London company Nothing, which markets the Phone (2), caused a stir last week by announcing that it would officially make its phone compatible with Apple’s messaging service through a dedicated application. The day after its launch, the software disappeared from the Play Store, and Nothing said it would “delay the launch […] to fix bugs”.
A privacy nightmare
As the community notes under Nothing’s tweet indicate, the word “bug” is a nice understatement here. In a long explanatory thread, developer Dylan Roussel pilloried the Nothing Chats application for its very (very) lax approach to data security.
Sunbird, Nothing’s partner for the launch of the application, has access to every message sent and received through the app. The company, which relays messages by running virtualized macOS machines on its servers, abuses its logging policy (meant to help identify bugs) to record the content of the messages passing through its platform. This is not limited to text: photos, videos and other media are also saved on Sunbird’s servers.
GDPR lying in wait
To make matters worse, every user’s media was in fact publicly accessible, in real time, to anyone who knew where to look. Yes, you read that correctly: all the content of messages passing through Sunbird (including those from third parties) was publicly available. This also covers vCards, the personal data exchanged when a conversation is initiated, which contain the telephone number and iCloud address of both the sender and the recipient of the messages.
Contrary to what Sunbird and Nothing claimed, the content of the messages is not encrypted at all, and the application therefore leaked personal information in every direction (among other things, over plain HTTP requests), on top of keeping a copy of messages sent and received. Pulling the application was therefore the least that could be done, and there is little doubt that the two companies will quickly become acquainted with the sanctions the GDPR provides for this kind of practice.
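As an added illustration (not Nothing’s or Sunbird’s code), here is the logging discipline the thread faults a relay for lacking: a debug log keeps metadata only, identifiers are pseudonymized with a keyed hash, and a guard rejects any entry that still carries message text, attachment names, or the phone number and email from a vCard. The event field names, the sample event and the salt are constructed assumptions, not a real relay schema.

```python
import hmac
import json
import re
from datetime import datetime, timezone

# Constructed sample relay event; field names are assumptions for illustration.
SAMPLE_EVENT = {
    "direction": "outbound",
    "sender": "+15551234567",
    "recipient": "alice@icloud.example",
    "text": "Meet at 7? My number is +15559876543",
    "attachments": [{"name": "photo.jpg", "mime": "image/jpeg", "size": 48213}],
    "vcard": "BEGIN:VCARD\nVERSION:3.0\nFN:Alice\nTEL:+15559876543\n"
             "EMAIL:alice@icloud.example\nEND:VCARD",
}
LOG_SALT = b"constructed-per-deployment-secret"  # assumption: kept out of the log store


def pseudonymize(value, salt):
    """Keyed hash so a sender can be correlated across events without storing the identifier."""
    return hmac.new(salt, value.encode(), "sha256").hexdigest()[:16]


def debug_log_entry(event, salt=LOG_SALT):
    """Build the only record a bug-diagnosis log should keep: sizes, types and pseudonyms."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "direction": event["direction"],
        "sender_id": pseudonymize(event["sender"], salt),
        "recipient_id": pseudonymize(event["recipient"], salt),
        "text_len": len(event.get("text", "")),
        # Keep MIME type and size for debugging; drop file names and bytes.
        "attachments": [{"mime": a["mime"], "size": a["size"]} for a in event.get("attachments", [])],
        "has_vcard": "vcard" in event,
    }


def entry_is_clean(entry, event):
    """Fail closed: True only if no raw identifier, text, file name or vCard contact survives."""
    serialized = json.dumps(entry)
    secrets = [event["sender"], event["recipient"], event.get("text", "")]
    secrets += [a["name"] for a in event.get("attachments", [])]
    secrets += re.findall(r"(?:TEL|EMAIL):(.+)", event.get("vcard", ""))
    return all(s not in serialized for s in secrets if s)


if __name__ == "__main__":
    entry = debug_log_entry(SAMPLE_EVENT)
    print(json.dumps(entry, indent=2), "clean:", entry_is_clean(entry, SAMPLE_EVENT))
```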
Source: AppleInsider, Dylan Roussel – Twitter