Jack Dorsey, CEO of Block and co-founder of Twitter, has unveiled Bitchat, an open-source messaging app that emphasizes privacy and security. This innovative platform aims to facilitate secure communication without relying on centralized internet infrastructure. Instead, Bitchat utilizes Bluetooth technology alongside end-to-end encryption, potentially offering a safer alternative in environments where internet access is limited or monitored.

Despite its bold claims, Bitchat is already encountering skepticism from security experts. Dorsey himself acknowledged that the app's code has not undergone any external security evaluations. Consequently, he has added a cautionary note on Bitchat’s GitHub page, stating, "This software has not received external security review and may contain vulnerabilities. Do not use it for production use, and do not rely on its security whatsoever until it has been reviewed."

This advisory has become increasingly relevant after security researcher Alex Rodocea discovered a significant vulnerability in the app's identity authentication system. Rodocea's analysis revealed that the app allows an attacker to impersonate legitimate users, misleading their contacts into believing they are communicating with the real person. This flaw stems from a broken identity verification process that can expose a user's identity key and peer ID pair, which are intended to ensure a trusted connection between users.

In response to these findings, Rodocea filed a ticket on GitHub to report the security issue, although Dorsey initially marked it as completed without comment. The ticket was later reopened, allowing users to report security flaws directly on GitHub.

Further concerns were raised regarding Dorsey’s assertions of Bitchat’s “forward secrecy,” a critical cryptographic feature designed to protect past messages, even if an encryption key is compromised.
Another reported issue involved a potential buffer overflow vulnerability, which could enable attackers to exploit device memory in a way that compromises user data. Rodocea expressed his apprehensions, highlighting the danger of prematurely trusting an app that claims to prioritize security. He stated, "While security is an attractive feature for user adoption, basic tests are essential to validate claims like these. There are individuals who might take these assurances seriously, putting their safety at risk in the process." The current state of Bitchat raises significant questions about the app’s security integrity, with Rodocea stressing that the project has effectively undergone external scrutiny—and the results are troubling.