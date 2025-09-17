Nothing Phone 3a smartphone is one of the best value-for-money propositions on the market, but how secure is it? Our researchers analyzed the device and found some exposed weaknesses that could be abused to deny services, and the same privacy concerns as with all Android phones.

Key takeaways: Nothing Phone 3a’s physical security is nearly excellent: it blocks USB connection when locked, for example. However, some options remain accessible.

The device periodically sent telemetry data to Google, Nothing, and Qualcomm servers in the EU and the US.

Identified weaknesses enable attackers to attempt denial-of-service attacks and abuse a third-party API.

The Cybernews research team acquired the Nothing Phone 3a on June 11th, 2025, and first tested it in its default out-of-the-box configuration. It was running Android 15. However, a newer version of the OS will soon be rolled out.

Physical examination: not many ways to get in

Many physical attackers, including authorities, first try to exploit the USB port to unlock the device and gain access to its data.

The good news is that the Nothing Phone disables USB data signaling while locked – the port is limited to charging only. Google introduced this USB port locking feature with Android 16. This means that external physical attackers cannot unlock the device using various existing or zero-day exploits delivered over USB.

Next, Cybernews researchers tested various features available while the device is locked, and found some concerning shortcomings present on all Android devices: quick settings, available in the locked phone state, can be quite sensitive in many cases.

Physically present attackers can enable the mobile hotspot feature, potentially exposing the WiFi chipset to zero-day exploits. While active, the feature can also be used to track the user’s location – active WiFi hotspots are mapped by public location tracking systems.

Without unlocking the phone, external attackers can enable or disable do-not-disturb mode, access the calculator app and its history, wipe notifications, take pictures, etc.

“Individuals with questionable intentions can definitely make your day worse if they get their hands on your device when you’re not looking,” said Aras Nazarovas, an information security researcher at Cybernews.

“Imagine this: you’re expecting an important call, notification, or alert, but someone silences your phone and clears notifications while you’re making coffee.”

Users themselves can easily mitigate this by removing these settings from the quick settings menu entirely – they will also be removed from the locked state of Android 15 and 16 devices.

Evaluation: Passed

Data transmissions: no switch will disable them completely

Next, our researchers analyzed the device for potential security or privacy issues by inspecting its communication with external servers, using a “man-in-the-middle” approach to intercept and decrypt the traffic. This requires rooting the device, which might affect the integrity of its services and default behavior.

With both the default options and with all data collection options disabled, the device periodically sent extensive telemetry data to Google and some metadata to Nothing developers. Additionally, the phone connected to Qualcomm’s Mobile Device Management (MDM) server, sending chipset serial code, OS version, and other telemetry data, and receiving network configurations for the baseband chipset.

It was previously demonstrated that Google-certified Android devices commonly transmit private user data. This telemetry includes lists of installed apps, phone numbers, email addresses, and other identifiers.

While this raises privacy concerns, tech companies justify these transmissions as necessary for legitimate services like software updates, on-demand features, or personalized experiences.

“The inherent architecture of Google Mobile Services doesn’t give users much choice or control over features Google deems essential. Future updates can even be pushed to devices without the user’s knowledge or action,” Nazarovas said.

“This isn't intrinsically insecure. Google itself continuously works to make its platforms as secure as possible. But it does require users to place a high degree of trust in the platform.”

Nothing Phone 3a was enrolled in Google’s Find Hub network by default. It’s an Android alternative to Apple’s Find My network, which allows users to find lost devices using Bluetooth. Although it exposes the user’s location, this is the only way for the service to work.

The only way to opt out of this service is to find and delete the Find Hub application (no root access required).

“This feature can be both good and bad for security. On one hand, it constantly sends its location to Google’s servers and identifies itself to other Android phones. On the other hand, this information can be obtained by the user in the event that the phone gets lost or stolen,” Nazarovas explains.

What does the Nothing Phone send directly to its manufacturer’s servers? We don’t know. The company uses an additional encryption layer to hide network packet contents from any MITM observer. Cybernews researchers suspect it is telemetry data, potentially including personal information.

Nothing also sends device logs to its Amazon Web Services (AWS) bucket storage when over-the-air (OTA) updates begin. These logs are also unreadable, though by a different method: they are compressed into password-protected ZIP files.

“Even when the user opted out of additional data collection, the Nothing Phone still sent extensive telemetry and device logs to Google, Nothing, and Qualcomm. Opting out made minimal difference in the amount of packets sent, compared to the default data collection settings,” Nazarovas notes.

“The servers were all located in the EU or the US.”

Evaluation: Passed for general use. Individuals with strong privacy concerns may find the constant data transmissions unsuitable.

Weaknesses identified

When looking for any exposed weaknesses, Cybernews researchers discovered that the implementation of connections to Qualcomm’s MDM server uses weak cryptography.

The phone is authenticated using MD5 hashes, which have well-documented weaknesses and should be deprecated.

“MD5 is vulnerable to collision attacks. However, Qualcomm’s hashes also used nonces (unique elements used once), which makes them slightly more secure than regular MD5 and harder for attackers to perform impersonation attacks,” Nazarovas explains.

Attackers could still exploit this weakness to impersonate other devices. However, the impact would be limited to incorrect configurations being sent to the wrong devices, resulting in decreased network performance or disconnections/denial of service.

Users themselves cannot address this weakness, and Cybernews researchers recommend that Qualcomm switch to a more secure hashing algorithm such as SHA-256, SHA-512, bcrypt, PBKDF2 or Argon2.
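To make the nonce discussion concrete, here is an added illustration (not Qualcomm’s protocol or code; the message layout, shared secret and serial numbers are assumed) of a nonce challenge-response verifier with the legacy unkeyed MD5 digest beside a keyed HMAC-SHA256 replacement. The verifier logic, single-use nonces and constant-time comparison, is identical for both; only the digest function changes.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret; a real device would provision this at manufacturing.
DEVICE_SECRET = b"constructed-device-secret"


def md5_response(nonce: bytes, serial: str) -> str:
    """Legacy style: an unkeyed MD5 digest over nonce, serial and secret."""
    return hashlib.md5(nonce + serial.encode() + DEVICE_SECRET).hexdigest()


def hmac_response(nonce: bytes, serial: str) -> str:
    """Hardened: HMAC-SHA256 keyed with the secret, bound to the same nonce and serial."""
    return hmac.new(DEVICE_SECRET, nonce + serial.encode(), hashlib.sha256).hexdigest()


class Verifier:
    """Server side: issues single-use nonces and checks the device's response."""

    def __init__(self, response_fn):
        self.response_fn = response_fn
        self.issued = set()  # nonces handed out but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, nonce: bytes, serial: str, response: str) -> bool:
        # A nonce that was never issued, or was already consumed, is a replay: reject it.
        if nonce not in self.issued:
            return False
        self.issued.discard(nonce)
        expected = self.response_fn(nonce, serial)
        # Constant-time comparison avoids leaking how many hex digits matched.
        return hmac.compare_digest(expected, response)
```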

Another vulnerability affects the weather app's implementation. Cybernews discovered a hardcoded API key with the same structure as AccuWeather’s API keys.

Nothing’s Weather app sent its AccuWeather API key from the client (the phone running the app) to Nothing’s proxy server. The same authentication and licence key is shared across all instances of the app.

This means that threat actors, knowing the keys, can abuse the service by sending unlimited requests to AccuWeather’s API, exhausting Nothing’s API quota, or increasing the costs for using the service.

“Malicious actors may also just use the API key for their own benefit without paying for API access,” Nazarovas said.

Cybernews disclosed the issue to Nothing, but did not receive a response. The company should remove the API key from its client application to prevent exposure and abuse.

“AccuWeather’s terms and conditions highlight that API keys are meant to be kept private. They are used for metering and billing, meaning that a malicious actor can send millions of requests to the API using Nothing’s API Key to cause potential damage, quota exhaustion, which potentially can affect users,” Nazarovas said.
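The proxy design that avoids this class of exposure, as an added example rather than Nothing’s code: the vendor key lives only on the proxy, each device authenticates with its own derived token, and the proxy enforces a per-device quota before any upstream call. The secret, key value, endpoint and quota numbers are constructed for the example, and the upstream call is simulated.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed values: the upstream key lives only on the proxy, never in the app build.
UPSTREAM_API_KEY = "UPSTREAM-KEY-PLACEHOLDER"
PROXY_HMAC_SECRET = b"constructed-proxy-secret"  # proxy-side secret for deriving device tokens
QUOTA_PER_WINDOW = 5  # requests a single device may make per window
WINDOW_SECONDS = 60

_usage = defaultdict(list)  # device_id -> timestamps of recently accepted requests


def device_token(device_id: str) -> str:
    """Per-device credential; the proxy hands it out at enrollment, so one device can be revoked alone."""
    return hmac.new(PROXY_HMAC_SECRET, device_id.encode(), hashlib.sha256).hexdigest()


def client_payload(device_id: str, location: str) -> dict:
    """What the app sends: its own token and the query, with no upstream key anywhere."""
    return {"device_id": device_id, "token": device_token(device_id), "q": location}


def _within_quota(device_id: str, now: float) -> bool:
    recent = [t for t in _usage[device_id] if now - t < WINDOW_SECONDS]
    if len(recent) < QUOTA_PER_WINDOW:
        recent.append(now)
    _usage[device_id] = recent
    return recent[-1] == now if recent else False


def handle_request(payload: dict, now: float = None) -> dict:
    """Proxy decision: authenticate the device and enforce its quota before spending upstream quota."""
    now = time.time() if now is None else now
    device_id, token = payload.get("device_id", ""), payload.get("token", "")
    if not hmac.compare_digest(token, device_token(device_id)):
        return {"status": 401, "reason": "bad device token"}
    if not _within_quota(device_id, now):
        return {"status": 429, "reason": "device quota exceeded"}
    # Simulated upstream call: the vendor key is attached here, server-side only.
    upstream = {"url": "https://upstream.example/forecast",
                "params": {"q": payload.get("q", ""), "apikey": UPSTREAM_API_KEY}}
    return {"status": 200, "upstream": upstream}
```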

Overall, Nothing Phone comes with a very limited number of apps preinstalled, which is commendable because it lowers the potential attack surface.

One of the few preinstalled apps, “Essential Space,” is an AI-enabled note-taking app for audio recordings, images, and AI transcriptions.

“By default, this app kept notes only on the device and didn't send any data over the internet,” Nazarovas noted.

The researchers did not discover any known or obvious critical or severe flaws that could put users in danger.

Evaluation: Passed

Methodology

Our researchers used a “man-in-the-middle” approach to decrypt the traffic: the man-in-the-middle certificate authority was placed in the trusted system certificate (root) store, which allows SSL pinning to be bypassed in most cases. This allowed the research team to intercept and read SSL-encrypted traffic that would normally be unreadable.

Please note that this analysis is not exhaustive, and while we checked for some common flaws, other potential weaknesses or vulnerabilities may exist beyond those discussed.

Nothing is a London-based consumer electronics company founded in 2020. It quickly rose in popularity due to its unique device designs and to its CEO Carl Pei’s previous role in the industry as director of OnePlus Global. The Nothing Phone 3a is the company's fourth smartphone model.

The company has been involved in a few public cybersecurity incidents in the past. In December 2022, a vulnerability impacted email addresses belonging to community members. In 2023, Nothing Chats, a messaging app, was pulled from the Play Store following investigations into serious security flaws.

Investigation started: June 11th, 2025

Investigation ended: July 23rd, 2025

Initial disclosure (exposed AccuWeather API key): July 24th, 2025

