A few weeks ago, the Nothing Chats app, which offers iMessage features on Android, was pulled from the Play Store over various security and privacy issues. The latest CMF Watch application, which is also developed by Nothing, has the same issue.
CMF Watch is the application used to manage CMF by Nothing Watch Pro smartwatches. Developed together with Jingxun, the application is supposed to encrypt all user emails and passwords, but they all use the same decryption key. If the database is leaked, attackers can easily decrypt all of it.
This issue is serious because Nothing has no official channel through which users can report security vulnerabilities. This forces people to contact Nothing through user-unfriendly methods.
Nothing released an official statement saying it is aware of this security issue and promised that an OTA update will be distributed to all Watch Pro users once it is patched. In addition, it provides an email address where users can report security vulnerabilities found in the future.