- Nothing’s CMF Watch app encrypted emails and passwords weakly, allegedly allowing them to be decrypted with the same keys.
- The issue was only partially fixed: the encryption method for passwords was updated, but not the one for emails.
Nothing has had some good success with the Nothing Phone 2, considering the novelty of the phone and the nascent brand image. To win over some of the iPhone audience, Nothing partnered with Sunbird to launch an iMessage-for-Android app called Nothing Chats. The app lasted about a day in the wild before being pulled down due to glaring security oversights. But there seem to be more skeletons in Nothing’s closet, as two more vulnerabilities have emerged.
Android developer and reverse engineer Dylan Roussel posted on X that he had found two vulnerabilities centered on Nothing. The first was found in September in the CMF Watch app, which was built in partnership with a company called Jingxun. The CMF Watch app encrypted email usernames and passwords, but the encryption method allegedly left the door open for decrypting that data with the same keys, defeating the purpose of encrypting it in the first place.