Nothing Chat Catastrophe - More Vulnerabilities Discovered in iMessage Clone


Designed to provide an Android version of Apple's iMessage, Nothing's recently announced messaging app, Nothing Chats, has gone down like a lead balloon: just one day after its release on the Google Play store, Nothing shut down the app due to serious security concerns. Now, two more vulnerabilities have reportedly come to light.

As spotted by Android Authority, Android developer and reverse engineer Dylan Roussel, who previously made accusations against Nothing Chats, recently shared on X two additional vulnerabilities centered around Nothing's infrastructure.

The first vulnerability, discovered in September, was found in the CMF Watch app, which was allegedly developed jointly by Nothing and a company called Jingxun. According to Roussel, the app did encrypt both email and password information, but the encryption method used was not secure. Anyone with access to the same decryption key would have all the tools needed to decrypt the information, defeating the purpose of encrypting it in the first place.

According to Roussel, Nothing/Jingxun has since addressed this vulnerability, but the fix only works for passwords. Reportedly, it is still possible to decrypt an email address used as someone's username.

The second vulnerability is said to be related to Nothing's internal data, although exact details have not been disclosed. The company was made aware of the issue in August, but has not yet patched it.

In a statement to Android Authority, a spokesperson for Nothing said that the company is currently working to resolve the issue:

"CMF takes privacy issues very seriously and the team is investigating security concerns regarding the Watch app. We are investigating the issue. We fixed the initial credentialing concerns earlier this year and are currently working to resolve the issues raised. We plan to distribute an OTA update to all CMF Watch Pro users as soon as this next fix is complete."

The representative added that it is now easier to file security reports on CMF's Security Vulnerability Report page.

Roussel previously exposed how Sunbird, the platform behind Nothing Chats, decrypts messages and sends them via HTTP to Firebase's cloud sync server, where they are stored in unencrypted plain text. As a result, Sunbird's messages are publicly available and unencrypted through Firebase's real-time database. He also noted that Sunbird itself has access to these messages because they are logged as errors by the debugging service Sentry.

Nothing Chats' official page confirms that the beta version of the app has been pulled from the Play Store, and the company now says that it is "delaying the launch until further notice" while "some bugs" are fixed.

One of iMessage's biggest selling points is that it offers end-to-end encryption by default. Apple cites additional security as one of the reasons it will adopt the RCS messaging standard next year. In both cases, your messages are secure and inaccessible to third parties, including Apple. Nothing, by contrast, promised end-to-end encryption but ended up storing texts publicly in plain text; it remains to be seen if Nothing can recover from this blunder.
