The Nothing CMF watch app was also discovered to have security flaws

The Nothing Phone (1) and (2) have been praised in the past for having clean — almost stock Android-ish — software with great home screen customization, and that has been the case since the company's first foray into the smartphone OEM arena. However, as promising as that has been, the company hasn't had a great month when it comes to security.

Following the Nothing Chats debacle that unleashed an avalanche of issues for the company, Nothing faces yet another security challenge. Under the microscope this time is Nothing's recently launched sub-brand, CMF, which focuses on affordable products such as smartwatches, earbuds, and chargers. The issue stems specifically from the CMF Watch app, which was found to have a vulnerability that could expose user email addresses and passwords.

Just as with Nothing Chats, the vulnerability in the CMF Watch app was discovered and expeditiously reported to the company by Dylan Roussel, who regularly posts his findings on X/Twitter and 9to5Google. In this case, he found the issue back in September, as he painstakingly documented in the thread below.


The CMF Watch app required users to create an account with an email address and password, and the app then encrypted that data. However, the decryption method for that data was also left available within the app itself, which meant that a malicious actor could easily recover that sensitive information.

The company has since partially fixed the problem by updating the encryption method for the password, but the email address is still technically at risk. However, in a statement to 9to5Google, Nothing stated that it is "currently working" to fix the remaining issues and has since opened up a point of contact for security vulnerabilities.
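The pattern described above, reversible encryption whose decryption method ships with the app, as an added illustration that is not code from Nothing or CMF (the cipher and the embedded key are constructed stand-ins): whoever has the app has the key, so switching to a different reversible cipher changes nothing, whereas a server-side one-way hash leaves no password to decrypt at all.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for a key hard-coded into an app package: anyone who
# has the app has this value, so it cannot keep anything secret from them.
APP_EMBEDDED_KEY = b"constructed-demo-key-0123456789ab"

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher from SHA-256 blocks, standing in for whatever
    # reversible cipher an app might use; the specific cipher is not the point.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def weak_protect(plaintext: str) -> bytes:
    """Reversible 'encryption' with the key baked into the client (the anti-pattern)."""
    nonce = os.urandom(12)
    data = plaintext.encode()
    stream = _keystream(APP_EMBEDDED_KEY, nonce, len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, stream))

def weak_recover(blob: bytes) -> str:
    """Same key, same code: whoever holds the app can undo weak_protect."""
    nonce, data = blob[:12], blob[12:]
    stream = _keystream(APP_EMBEDDED_KEY, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, stream)).decode()

def hardened_store(password: str) -> tuple[bytes, bytes]:
    """Server-side one-way hash: nothing reversible is kept, so no key can leak.
    (The email address still needs plaintext server-side; it belongs behind TLS
    and server access control, not behind a client-held key.)"""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest

def hardened_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(candidate, digest)
```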

While it is great news that Nothing has acknowledged the issue and is taking the necessary steps to correct it, it is somewhat worrying that the company keeps finding itself in this position. As a relatively new OEM, and especially one that is trying to get a new sub-brand off the ground, having lapses in its security is not a good look. Hopefully, Carl Pei and his team have learned from this experience and will do a better job of making sure their apps are secure, especially when a third-party company is involved in the process.

Header image credit: https://intl.cmf.tech/
