The Nothing CMF watch app was also discovered to have security flaws

admin | 5 December 2023

The Nothing Phone (1) and (2) have been praised in the past for having clean software – almost stock Android – with excellent home screen customization, and this has been the case since the first foray of the company in the smartphone OEM arena. However, as promising as that may be, the company hasn't had a good month when it comes to security.

Following the Nothing Chats debacle that triggered an avalanche of problems for the company, Nothing faces another security challenge. This time under the microscope is Nothing's recently launched sub-brand, CMF, which focuses on affordable products such as smartwatches, earphones and chargers. The issue specifically stems from the CMF Watch app, which had a vulnerability that could expose users' email addresses and passwords.

Much like Nothing Chats, the vulnerability in the CMF Watch application was discovered and quickly reported to the company by Dylan Roussel, who regularly publishes his findings on X/Twitter and 9to5Google. In this case, he discovered the problem in September, as he thoroughly documented in the thread below.

The CMF Watch app required users to create an account with an email address and password, and the app stored that data in encrypted form. However, the app also shipped the method needed to decrypt that data inside the app itself, so anyone who examined the app could recover the stored credentials. This meant that a malicious actor could easily access this sensitive information.
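The design flaw described above, encrypting stored credentials with a decryption method that ships inside the app, is a general pattern worth seeing side by side with the alternative. The following Python script is an added example and is not code from Nothing, CMF or Dylan Roussel's report; the page does not name the app's real algorithm, so the "encryption" here is a stand-in keyed-XOR construction with a constant `APP_EMBEDDED_KEY`, and every key and credential in it is constructed for the demonstration. It shows that a record protected only by a key bundled with the app can be turned back into the password by anyone holding that key, whereas a design that keeps a salted PBKDF2 digest on the server and only an opaque session token on the device never holds a reversible copy of the password at all.

```python
"""Added example (not code from Nothing/CMF or from the original report).

Design 1 models credentials "encrypted" with a key that ships in the app.
Design 2 models the alternative: the device keeps only a random session
token, the server keeps only a salted one-way password digest.
All key material and sample credentials are constructed for this demo.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# --- Design 1: a key embedded in every copy of the app ----------------------
# Hypothetical constant standing in for whatever key material an app bundles.
APP_EMBEDDED_KEY = b"constructed-app-key-not-real-0001"
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256: a stand-in, not a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_with_embedded_key(plaintext: bytes) -> bytes:
    """Store a credential as nonce || plaintext XOR keystream(APP_EMBEDDED_KEY)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(APP_EMBEDDED_KEY, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_with_embedded_key(blob: bytes, key: bytes = APP_EMBEDDED_KEY) -> bytes:
    """The same constant key is in every install, so the record is reversible
    by anyone who holds the app; a different key yields only garbage."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# --- Design 2: no reversible copy of the password anywhere ------------------
PBKDF2_ITERATIONS = 600_000  # OWASP-recommended order of magnitude for SHA-256


def hash_password_for_server(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Server-side record: (random salt, PBKDF2-HMAC-SHA256 digest). One-way."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the digest and compare in constant time; nothing is decrypted."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def issue_session_token() -> str:
    """What the device should persist after login: an opaque random token that
    can be revoked server-side and reveals nothing about the password."""
    return secrets.token_urlsafe(32)


def compare_designs(password: str) -> dict:
    """Show which stored record can be turned back into the user's password."""
    stored_blob = encrypt_with_embedded_key(password.encode())
    recovered = decrypt_with_embedded_key(stored_blob) == password.encode()
    salt, digest = hash_password_for_server(password)
    return {
        "embedded_key_record_reversible": recovered,          # True: the key is in the app
        "hashed_record_verifies_correct_password": verify_password(password, salt, digest),
        "hashed_record_accepts_wrong_password": verify_password(password + "x", salt, digest),
        "device_stores_password": False,                      # only issue_session_token() output
    }


if __name__ == "__main__":
    for k, v in compare_designs("correct horse battery staple").items():
        print(f"{k}: {v}")
```

The check a reviewer would apply to an app like this is simple: if the client can decrypt what it stored, so can anyone who has the client. A password should never need to be decrypted on the device at all; after the first login the device keeps a token, and the server keeps a digest it can verify but not invert.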

The company has since partially resolved the issue by updating the password encryption method, but the email address remains technically at risk. However, in a statement to 9to5Google, Nothing said it was “currently working” to resolve the remaining issues and has since opened a point of contact for security vulnerabilities.

While it's great news that Nothing has recognized the problem and is taking the necessary steps to correct it, it's somewhat concerning that the company continues to find itself in this position. As a relatively new OEM, and especially one trying to get a new sub-brand off the ground, shipping software with security vulnerabilities is not a good look. Hopefully, Carl Pei and his team have learned from this experience and will do a better job of ensuring the security of their applications, especially when a third-party company is involved in the process.

Header image credit: https://intl.cmf.tech/