Vulnerabilities still exist in Nothing’s CMF Watch app (come on, Carl Pei)


Nothing’s CMF Watch app stands in sharp contrast to the success that Nothing has achieved with the Nothing Phone (1) and Nothing Phone (2). The iMessage-for-Android app, built in collaboration with Sunbird, housed a vulnerability related to the company’s internal data. This vulnerability hit the headlines back in August, but it remains unresolved. Android developer and reverse engineer Dylan Roussel discovered two security issues related to Nothing. The first vulnerability was identified in September within the CMF Watch app, a product of Nothing’s collaboration with Jingxun.

The vulnerabilities still remain in the CMF Watch app

Although the app encrypts email usernames and passwords, Roussel found that the encryption method had a flaw that allowed the data to be decrypted using the same keys. This essentially nullified the protection the encryption was meant to provide. Nothing and Jingxun addressed the vulnerability concerning passwords. However, the ability to decrypt the email used as a username remained.

The second vulnerability, not publicly disclosed in detail, pertains to Nothing’s internal data. Although Nothing has been aware of this issue since August, the flaw has not been rectified to date.

Nothing’s recent security challenges also include the short-lived Nothing Chats app, an attempt to cater to iPhone users by offering an iMessage-like platform for Android. The app faced immediate removal from circulation due to serious security oversights.

Nothing promises to roll out a fix to the app via a future OTA update

In response to these concerns, Nothing has issued a statement to Android Authority. The company informed AA about the ongoing investigation into the security issues related to the CMF Watch app.

The company promises a fix for the identified security issues and plans to roll out an OTA update for CMF Watch Pro users once it implements a solution. Additionally, Nothing has taken a step towards streamlining the reporting process for security issues by providing a portal for vulnerability reports.

2023-12-05 15:04:28