The Nothing Phone (1) and (2) have been praised in the past for having clean — almost stock Android-ish — software with great home screen customization, and that has been the case since the company's first foray into the smartphone OEM arena. However, as promising as that has been, the company hasn't had a great month when it comes to security.
Following the Nothing Chats debacle that unleashed an avalanche of issues for the company, Nothing faces yet another security challenge. Under the microscope this time is Nothing's recently launched sub-brand, CMF, which focuses on affordable products such as smartwatches, earbuds, and chargers. The issue stems specifically from the CMF Watch app, which was found to have a vulnerability that could expose user email addresses and passwords.
Just as with Nothing Chats, the vulnerability in the CMF Watch app was discovered and expeditiously reported to the company by Dylan Roussel, who regularly posts his findings on X/Twitter and 9to5Google. In this case, he found the issue back in September, as he painstakingly documented in the thread below.
Source - Dylan Roussel | X
The CMF Watch app required users to create an account with an email address and password, and the app then encrypted that data. However, the app also left the decryption method for that data available within the app itself. This meant that a malicious actor could easily access that sensitive information.
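The failure described above is a general one: if an app "encrypts" credentials with a key that ships inside the app, anyone holding the app also holds the key, so the encryption protects nothing. The following added example (written for this article, not code from CMF, Nothing, or the CMF Watch app; every key, name and value in it is constructed) contrasts that pattern with the approach a defender would expect: the password is never stored at all, the server keeps only a slow salted hash, and the client holds a random session token it can revoke.

```python
"""
Added illustration of the two patterns discussed in the article.
Not CMF's or Nothing's code; all keys and sample values are constructed.
"""
import hashlib
import hmac
import os
import secrets

# --- Pattern 1 (the problem): a key embedded in the shipped app ---------------
# Whoever has the app binary has this key, so the "encryption" is reversible
# by design. The value below is a constructed placeholder, not a real key.
EMBEDDED_APP_KEY = b"constructed-placeholder-key-shipped-in-app"

PBKDF2_ITERATIONS = 600_000  # current OWASP guidance for PBKDF2-HMAC-SHA256


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream built from HMAC-SHA256 with stdlib only;
    # it stands in for a real cipher purely so the example runs offline.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def app_side_encrypt(plaintext: bytes, key: bytes = EMBEDDED_APP_KEY) -> bytes:
    """Encrypt with the key baked into the app: nonce || plaintext XOR keystream."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body


def app_side_decrypt(blob: bytes, key: bytes = EMBEDDED_APP_KEY) -> bytes:
    """The same key recovers the plaintext, which is exactly the weakness."""
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


# --- Pattern 2 (the fix): never persist the password ----------------------------
def hash_password(password: str) -> dict:
    """Server-side record: random salt plus a slow PBKDF2 digest, no plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": PBKDF2_ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def issue_session_token() -> str:
    """What the client should keep instead of the password: a revocable random token."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    # Constructed sample credentials.
    creds = b"user@example.com:correct horse battery staple"
    blob = app_side_encrypt(creds)
    print("embedded-key decrypt recovers plaintext:", app_side_decrypt(blob) == creds)

    record = hash_password("correct horse battery staple")
    print("right password verifies:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", verify_password("wrong", record))
    print("client stores only a token such as:", issue_session_token())
```

The point of the contrast is that in Pattern 2 there is nothing on the device or in the server record that a reader of the app could turn back into the user's password; if the token leaks, it can be revoked without the user having to change a password they may reuse elsewhere.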
The company has since partially fixed the problem by updating the encryption method for the password, but the email address is still technically at risk. However, in a statement to 9to5Google, Nothing stated that it is "currently working" to fix the remaining issues and has since opened up a point of contact for security vulnerabilities.
CMF takes privacy issues very seriously and the team is investigating security concerns regarding the Watch app. We rectified initial credential concerns earlier in the year and are currently working to resolve the issues raised. As soon as this next fix is complete, we will roll out an OTA update to all CMF Watch Pro users. Security reports can now be more easily submitted via https://intl.cmf.tech/pages/vulnerability-report.
While it is great news that Nothing has acknowledged the issue and is taking the necessary steps to correct it, it is somewhat worrying that the company keeps finding itself in this position. As a relatively new OEM, and especially one that is trying to get a new sub-brand off the ground, having lapses in its security is not a good look. Hopefully, Carl Pei and his team have learned from this experience and will do a better job of making sure their apps are secure, especially when a third-party company is involved in the process.
Header image credit: https://intl.cmf.tech/
Johanna 'Jojo the Techie' is a skilled mobile technology expert with over 15 years of hands-on experience, specializing in the Google ecosystem and Pixel devices. Known for her user-friendly approach, she leverages her vast tech support background to provide accessible and insightful coverage on latest technology trends. As a recognized thought leader and official member of #TeamPixel, Johanna ensures she stays at the forefront of Google services and products, making her a reliable source for all things Pixel and ChromeOS.