Nothing Phone Security Issue
The Nothing Phone (1) and (2) have been praised in the past for having clean — almost stock Android-ish — software with great home screen customization, and that has been the case since the company’s first foray into the smartphone OEM arena. However, as promising as that has been, the company hasn’t had a great month when it comes to security.
Following the Nothing Chats debacle that unleashed an avalanche of issues for the company, Nothing faces yet another security challenge. Under the microscope this time is Nothing’s recently launched sub-brand, CMF, which focuses on affordable products such as smartwatches, earbuds, and chargers. The issue stems specifically from the CMF Watch app, which was found to have a vulnerability that could expose user email addresses and passwords.
Just as with Nothing Chats, the vulnerability with the CMF Watch app was discovered and expeditiously reported to the company by Dylan Roussel, who regularly posts his findings on X/Twitter and 9to5Google. In this case, he found the issue back in September, as he painstakingly documented.
The CMF Watch app required users to create an account with an email address and password, and the app then encrypted that data. However, the app also shipped the decryption method for that data inside the app itself, so anyone with a copy of the app had everything needed to reverse the encryption. This meant that a malicious actor could easily access that sensitive information.
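The design flaw described above is "encryption" whose key and decryption routine live in the same app that stores the ciphertext. The following is an added illustration, not code from CMF or Nothing: a constructed reversible scheme with an app-embedded key (the algorithm is a stand-in; the page does not say which cipher was used) beside the hardened pattern, where the password is only ever kept as a salted slow hash on the server and the app holds nothing that can recover it.

```python
import hashlib
import hmac
import os

# --- The pattern the article describes (constructed illustration) ---
# A key compiled into the app is readable by anyone who has the app, so
# "encrypting" stored credentials with it is obfuscation, not protection.
EMBEDDED_APP_KEY = b"constructed-key-shipped-inside-the-app"  # hypothetical value


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (illustrative; AES would be no safer
    here, because the weakness is where the key lives, not the cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def app_side_encrypt(plaintext: str) -> bytes:
    data = plaintext.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(EMBEDDED_APP_KEY, len(data))))


def app_side_decrypt(blob: bytes) -> str:
    # Same key, same routine, both inside the app: the stored value is recoverable
    # by anyone who unpacks the app, which is the exposure the article describes.
    return bytes(a ^ b for a, b in zip(blob, _keystream(EMBEDDED_APP_KEY, len(blob)))).decode()


# --- Hardened pattern: the password is never stored in a reversible form ---
# The client submits the password over TLS (assumed transport) and the server keeps
# only a per-user salt and a memory-hard scrypt digest. No app-side secret exists.
def server_store_password(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return {"salt": salt, "hash": digest}


def server_verify_password(record: dict, candidate: str) -> bool:
    digest = hashlib.scrypt(candidate.encode(), salt=record["salt"], n=2**14, r=8, p=1, dklen=32)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, record["hash"])
```

The check a reviewer would apply to the first half is simple: if the app can call `app_side_decrypt` on its own stored data without any user-supplied secret, so can anyone who has the app.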
The company has since partially fixed the problem by updating the encryption method for the password, but the email address is still technically at risk. However, in a statement to 9to5Google, Nothing stated that it is “currently working” to fix the remaining issues and has since opened up a point of contact for security vulnerabilities.
CMF takes privacy issues very seriously and the team is investigating security concerns regarding the Watch app. We rectified initial credential concerns earlier in the year and are currently working to resolve the issues raised. As soon as this next fix is complete, we will roll out an OTA update to all CMF Watch Pro users. Security reports can now be more easily submitted via pages/vulnerability-report.
While it is great news that Nothing has acknowledged the issue and is taking the necessary steps to correct it, it is somewhat worrying that the company keeps finding itself in this position. As a relatively new OEM, and especially one that is trying to get a new sub-brand off the ground, having lapses in its security is not a good look. Hopefully, Carl Pei and his team have learned from this experience and do a better job of making sure their apps are secure, especially when a third-party company is involved in the process.