C. Scott Brown / Android Authority
TL;DR
- Nothing’s CMF Watch app encrypted emails and passwords suboptimally, allegedly allowing for decryption using the same decryption keys.
- The issue was partially fixed, as the encryption method of the passwords was updated, but not that of emails.
Nothing has had some good success with the Nothing Phone 2, considering the novelty of the phone and the nascent brand image. To win over some of the iPhone audience, Nothing partnered with Sunbird to launch an iMessage-for-Android app called Nothing Chats. The app lasted about a day in the wild before being pulled down due to glaring security oversights. But there seem to be more skeletons in Nothing’s closet, as two more vulnerabilities have emerged.
Android developer and reverse engineer Dylan Roussel posted on X that he found two vulnerabilities centered around Nothing. The first was found in September in the CMF Watch app, which was built in partnership with a company called Jingxun. The CMF Watch app encrypted email usernames and passwords, but the encryption method allegedly left the door open for decrypting the same with the same decryption keys, defeating the purpose of encryption.
Nothing/Jingxun fixed this vulnerability, but curiously, only for the password. You could still allegedly decrypt the email that is used as the username.
The second vulnerability has not been publicly detailed, but it relates to Nothing’s internal data. Nothing was informed of the same in August, but it hasn’t been fixed yet.
Nothing has no mechanism for vulnerability disclosure or reporting of security issues. Users who find these issues have to resort to contacting the company through other channels, which isn’t ideal. Considering how much soup Nothing has found itself in recently, it would be a good idea to make it easier to report these issues to the company.
We’ve reached out to Nothing for comments. We’ll update this article once we hear back from them.
