Nothing CMF Watch app remains a security risk

Nothing Phone (2) with its back Glyph lights illuminated
(Image credit: Nicholas Sutrich / Android Central)

What you need to know

  • Nothing's CMF Watch app has a serious vulnerability regarding its supposed encrypted user data,
  • Discoveries show the Nothing's encryption of a user's email and password doesn't actually work as the keys aren't hidden well, increasing the risk of exposure.
  • Nothing has only upgraded the encryption strength behind user's passwords but emails are still at risk.

It appears that Nothing is wrapped in another vulnerability problem that is putting users' information at risk of exposure.

According to Android developer Dylan Roussel, Nothing has yet to correct a critical vulnerability problem within its CMF Watch app (via Android Authority). The problem is with the app's encryption of a user's email and password, as it doesn't offer total protection.

From what was discovered, the method Nothing used, in partnership with the company Jingxun, makes it easy for anyone to access a person's sensitive information using the decryption data within the app, which "essentially made the encryption useless."

Roussel came across this vulnerability back in September, and their evidence of it showed how "badly" Nothing hid the ever-so-important keys required to decrypt a user's information.

Since its initial discovery in September, Nothing has worked to rectify its odd encryption problem — but only for passwords. Roussel adds a user's email is still at risk of exposure despite the password encryption receiving an upgrade.

They state, "Nothing replied to my initial report, but stopped replying afterward."

There is another vulnerability, reported back in August, that wasn't disclosed. Allegedly, this has something to do with Nothing's internal data and has yet to be fixed.

Android Central has reached out to Nothing about the problematic encryption problems users are facing in the CMF Watch app.

The company's struggles with the privacy and dependability of its software continue following a recent blunder with the Nothing Chats app. Following a surge of reports, the app was found to not have any encryption for user's media or messages, which went directly against what Nothing claimed.

Moreover, further digging showed that a user's information was readily available to read as it was being stored on a server. Nothing created its "bridge" between Android and iMessage with Sunbird; however, the latter apparently "has access to every message sent and received through the app."

Users who've used in the app are advised to take serious measures to safeguard their sensitive Apple ID information.

Nickolas Diaz
News Writer

Nickolas is always excited about tech and getting his hands on it. Writing for him can vary from delivering the latest tech story to scribbling in his journal. When Nickolas isn't hitting a story, he's often grinding away at a game or chilling with a book in his hand.

  • Daniel Gomes
    They state, "Nothing replied to my initial report, but stopped replying afterward."

    When will these companies learn that they cannot ignore this stuff? It WILL come out and they will look like idiots.
    It's very worrying that Nothing aren't taking security seriously - especially for a new company. Looks like they are imitating Apple in this area too...Apple are notorious for ignoring security reports and only fixing them when it goes public.