Jack Dorsey, co-founder of Twitter and Square and founder of Bluesky, is back with another potentially disruptive and decentralized app: “bitchat.”
Like Twitter and Bluesky, bitchat is a social app, but it's not a social media platform. Instead, it's a peer-to-peer messaging app, and it is unique among the myriad messaging options already available in that it does not operate over the internet. Rather than connecting to wifi or a cellular network, bitchat is designed to run over Bluetooth, specifically Bluetooth Low Energy (BLE) mesh networks. In theory, this lets bitchat keep working even when networks are down: if you can't connect to either cellular or wifi, bitchat would still function. (Though expanding satellite communications may give bitchat a run for its money.)
How does bitchat work?
According to the app's white paper, bitchat relies on the devices running it to communicate with each other over BLE. As such, your device connects to another user's device within Bluetooth range, their device connects to another in Bluetooth range, and so on.
Since its introduction, however, bitchat has changed the way it works. Originally, it relied on “local clusters,” devices within Bluetooth range (typically 33 feet, though the white paper said roughly 30), and “bridge nodes,” which connected those clusters when their ranges overlapped. The app still sends messages directly, and encrypted, between users within range. For devices not in range, however, the white paper has been updated to say the app relies on “flooding” or “gossip” protocols. The idea is this: You send a new message, which goes out as a packet. When a peer receives a packet, it checks whether it has already seen that packet. If the packet is new, the peer rebroadcasts it to every device in range except the one it received it from; if it's a duplicate, the peer does not relay it again, which keeps the same packet from bouncing around the mesh forever. This relay method raises the chances that the packet, and the message inside it, reaches its intended destination.
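To make the flooding/gossip relay concrete, here is a small simulation I've added for this article; it is not bitchat's code and is not taken from its white paper. The mesh of devices, their names and which ones are in range of each other are invented for the example, and the hop budget (`ttl`) is my own addition so that a packet cannot circulate indefinitely; the white paper description above does not say how bitchat bounds relaying. Note the carol/dave link, which forms a loop where duplicate copies show up and get dropped.

```python
import hashlib
from collections import deque

# Constructed toy mesh for this example: each key is a device, each value is
# the set of devices within its Bluetooth range. Names and links are invented;
# the carol<->dave link creates a loop where duplicates will appear.
MESH = {
    "alice": {"bob"},
    "bob": {"alice", "carol", "dave"},
    "carol": {"bob", "dave", "erin"},
    "dave": {"bob", "carol"},
    "erin": {"carol", "frank"},
    "frank": {"erin"},
}


def packet_id(origin: str, seq: int, payload: bytes) -> bytes:
    """Identifier every node uses to recognise a packet it has already handled.
    Deriving it from origin, sequence number and content means two different
    messages never collide and a relayed copy keeps the same ID."""
    return hashlib.sha256(f"{origin}:{seq}:".encode() + payload).digest()[:16]


def flood(mesh: dict, origin: str, payload: bytes, seq: int = 1, ttl: int = 7) -> dict:
    """Simulate flooding/gossip relay of one packet through the mesh.

    Each node keeps its own 'seen' set of packet IDs. A node receiving a packet
    it has not seen records it and rebroadcasts to every peer in range except
    the one it came from; a duplicate is dropped. The hop budget (ttl) is an
    assumption of this example, not something the article attributes to bitchat.
    """
    pid = packet_id(origin, seq, payload)
    seen = {node: set() for node in mesh}   # per-node seen-sets of packet IDs
    hops = {origin: 0}                      # node -> hop count at first reception
    relayed = set()                         # nodes that rebroadcast the packet
    duplicates_dropped = 0

    seen[origin].add(pid)
    # queue entries: (receiver, sender, hops the packet may still travel, hop count)
    queue = deque((peer, origin, ttl - 1, 1) for peer in mesh[origin])

    while queue:
        node, came_from, hops_left, hop = queue.popleft()
        if pid in seen[node]:
            duplicates_dropped += 1         # already handled: do not flood again
            continue
        seen[node].add(pid)
        hops[node] = hop
        if hops_left <= 0:
            continue                        # hop budget exhausted: deliver only
        relayed.add(node)
        for peer in mesh[node]:
            if peer != came_from:           # never send back to the sender
                queue.append((peer, node, hops_left - 1, hop + 1))

    return {
        "packet_id": pid.hex(),
        "reached": hops,
        "relayed": relayed,
        "duplicates_dropped": duplicates_dropped,
    }


if __name__ == "__main__":
    print(flood(MESH, "alice", b"meet at the north gate"))
```

Running it from `alice` shows every device receiving the packet once, `dave` and `carol` each discarding the second copy that arrives around the loop, and `frank` rebroadcasting to nobody new (its only neighbour is the sender). Lowering `ttl` to 2 stops the packet at `carol` and `dave`, which is the trade-off a hop budget makes: less radio traffic, but a smaller reachable area.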
While the new build does not seem to support group chats, at least per the white paper, there are some new functions. Users can now favorite other users, to verify their identity in future conversations. You can also block other users, which keeps messages from those peers from reaching your device, without telling the blocked user.
Bitchat might not be secure at this time
While Dorsey suggests the app has user privacy and security in mind, it isn't perfect. The app's GitHub page even presents a warning at the top, reading: “Private message and channel features have not received external security review and may contain vulnerabilities. Do not use for sensitive use cases, and do not rely on its security until it has been reviewed. Now uses the Noise Protocol for identity and encryption. Public local chat (the main feature) has no security concerns.” According to a July 9 article from TechCrunch, that warning was not present when the app first launched. Noise Protocol integration is also relatively new, and wasn't present when I first covered bitchat. Noise is a framework for building cryptographic protocols; handshakes built on it can provide forward secrecy, identity hiding, and zero round-trip (0-RTT) encryption. For bitchat in particular, it's what powers the app's identity and encryption features.
TechCrunch's coverage highlights a number of security concerns testers discovered while using bitchat. One found that it is possible to pretend to be another user's contact and trick the app into marking them as a “Favorite” contact, a feature that is supposed to guarantee the contact is who they say they are. Another raised an issue with the app's “forward secrecy” feature, which is supposed to keep past messages unreadable even if an attacker later obtains a party's long-term key. Still another found a flaw that might let a bad actor overflow a buffer into adjacent memory, the kind of memory-safety bug that can, in the worst case, let an attacker run their own code.
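The forward secrecy point is easier to see in code than in prose, so here is an added example of mine; it is not bitchat's code and it is not the Noise protocol itself, just a stripped-down handshake that mixes the same three Diffie-Hellman terms (ee, es, se) that Noise's interactive patterns do. The chaining-key KDF, the party names and the "static-only" design it is contrasted with are my simplifications. X25519 is implemented inline from RFC 7748 only so the script runs with no third-party packages; a real app uses a vetted constant-time library.

```python
import hashlib
import hmac
import os

# --- X25519 (RFC 7748 Montgomery ladder) in pure Python, so this example runs
# with no third-party packages. Illustration only: a real app uses a vetted
# constant-time library implementation.
_P = 2**255 - 19
_A24 = 121665
BASEPOINT = b"\x09" + b"\x00" * 31


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    k = _clamp(scalar)
    ub = bytearray(u)
    ub[31] &= 127                       # RFC 7748: mask the unused top bit
    x1 = int.from_bytes(ub, "little") % _P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3 = (da + cb) ** 2 % _P
        z3 = x1 * ((da - cb) ** 2) % _P
        x2 = aa * bb % _P
        z2 = e * (aa + _A24 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")


def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def _kdf(*dh_outputs: bytes) -> bytes:
    """Fold each DH result into a running chaining key (a simplified stand-in
    for Noise's MixKey, assumed for this example), then derive the session key."""
    ck = b"\x00" * 32
    for secret in dh_outputs:
        ck = hmac.new(ck, secret, hashlib.sha256).digest()
    return hmac.new(ck, b"\x01", hashlib.sha256).digest()


def session_key_ephemeral(my_static, my_eph, their_static_pub, their_eph_pub, initiator):
    """Forward-secret key: mixes ee, es and se. The ee term can only be
    computed by someone holding one of the ephemeral private keys."""
    ee = x25519(my_eph, their_eph_pub)
    if initiator:
        es = x25519(my_eph, their_static_pub)   # initiator ephemeral, responder static
        se = x25519(my_static, their_eph_pub)   # initiator static, responder ephemeral
    else:
        es = x25519(my_static, their_eph_pub)
        se = x25519(my_eph, their_static_pub)
    return _kdf(ee, es, se)


def session_key_static_only(my_static, their_static_pub):
    """The design to avoid: a key derived from long-term keys alone."""
    return _kdf(x25519(my_static, their_static_pub))


def run_demo():
    """Returns (attacker recovers static-only key, attacker recovers forward-secret key)."""
    sa, SA = keypair()                   # Alice's static pair, then Bob's
    sb, SB = keypair()
    ea, EA = keypair()                   # one ephemeral pair each, for this session
    eb, EB = keypair()
    k_alice = session_key_ephemeral(sa, ea, SB, EB, initiator=True)
    k_bob = session_key_ephemeral(sb, eb, SA, EA, initiator=False)
    assert k_alice == k_bob
    k_legacy = session_key_static_only(sa, SB)
    assert k_legacy == session_key_static_only(sb, SA)

    # Later: both ephemeral private keys have been wiped, and an attacker who
    # recorded the public transcript (SA, SB, EA, EB) now steals sa and sb.
    del ea, eb
    legacy_recovered = session_key_static_only(sa, SB) == k_legacy
    es = x25519(sb, EA)                  # computable from the stolen statics ...
    se = x25519(sa, EB)
    ss = x25519(sa, SB)                  # ... but ee is not; best effort: substitute ss
    fs_recovered = _kdf(ss, es, se) == k_alice
    return legacy_recovered, fs_recovered


if __name__ == "__main__":
    print(run_demo())   # (True, False)
```

The second value is the whole point of forward secrecy: once the ephemeral private keys are gone, even an attacker holding both long-term keys and a full recording of the handshake is missing the `ee` term and cannot rebuild the session key, whereas the static-only design hands over every past session the moment the long-term keys leak. Whether bitchat's implementation actually discards its ephemerals, and does so before an attacker can reach them, is exactly the kind of thing the external review the GitHub warning calls for would check.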
To be fair, these discoveries were made weeks ago, before bitchat publicly launched on the iOS App Store, and before it adopted Noise. It's possible the company has patched some or all of these vulnerabilities, but I'd still recommend caution when using the app to send sensitive information.
How to try bitchat
If you're okay taking on potential security risks, you can try out bitchat today. If you have an iPhone, all you have to do is download bitchat from the App Store. If you have an Android device, however, you'll need to download the app from the project's GitHub page. As of this writing, bitchat is not available on the Google Play Store, and any bitchat apps you do see there are imitations, including the first result, which already has thousands of reviews. Do not download bitchat for Android from any source other than the official GitHub, since an app impersonating the service could include malware.
The app itself is quite basic. When I downloaded it on my iPhone, all I had to do to set it up was give it permission to use Bluetooth. From there, the app assigned me a random username, which you can change by tapping on it. The UI is simple: You can type and send a message to the general vicinity, and see the number of users in your area in the top right. (I'm at exactly zero.)
If you do see a peer in your area, you can tap their name to start a private chat. Just remember, the security features have not been independently reviewed, so while these chats should be encrypted, vulnerabilities are possible.