Everything We Know About Bitchat, the Offline Messaging App

Jack Dorsey, co-founder of Twitter and Square, and founder of Bluesky, is back with another potential decentralized app: “bitchat.”
Like Twitter and Bluesky, Bitchat is a social app, but it’s not a social networking platform. It’s a peer-to-peer messaging app, unique among the many messaging options available because it doesn’t work over the internet. Instead of relying on Wi-Fi or cellular data, Bitchat works over Bluetooth, specifically Bluetooth Low Energy (BLE) mesh networks. This would theoretically allow Bitchat to work even when the network is down. In other words, even if you can’t connect to either a cellular network or Wi-Fi, Bitchat will still work. (Although the rise of satellite communications could give Bitchat a competitor.)
How does Bitchat work?
According to the app’s technical description, Bitchat uses Bluetooth to communicate with other devices it’s installed on. So your device connects to another user’s device within Bluetooth range, their device connects to another device within Bluetooth range, and so on.
Since its inception, however, Bitchat has changed its approach. It originally relied on “local clusters” of devices within Bluetooth range (usually 33 feet, though the white paper says about 30 feet) and “bridge nodes” that connected these clusters when they crossed paths. The app still sends encrypted messages directly between users in range. For devices out of range, however, the app’s updated white paper now says the app operates on “flooding” or “gossip” protocols. The idea is this: You send a new message, which goes out as a packet of information. When a peer receives a packet, it checks whether the packet is new and not one it has already seen. If the packet is new, the peer broadcasts it to all of its peers except the one it came from. This method of relaying messages increases the likelihood that the packet and the message it contains will reach its intended recipient.
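To make the relay rule concrete, here is a small simulation added for this article; it is not Bitchat's code. The `Peer` class, the packet-ID scheme, the bounded "seen" cache, and the five-device topology are all assumptions made for illustration.

```python
import hashlib
from collections import OrderedDict, deque

class Peer:
    """One device in the mesh (hypothetical model, not Bitchat's code)."""
    def __init__(self, name, seen_limit=1024):
        self.name = name
        self.neighbors = []        # peers currently in Bluetooth range
        self.seen = OrderedDict()  # packet ids already handled, oldest first
        self.seen_limit = seen_limit
        self.inbox = []

    def accept(self, packet_id, payload):
        """Return True if the packet is new; repeats are dropped."""
        if packet_id in self.seen:
            return False
        self.seen[packet_id] = None
        if len(self.seen) > self.seen_limit:
            self.seen.popitem(last=False)  # bound memory: forget the oldest id
        self.inbox.append(payload)
        return True

def flood(origin, payload, seq=0):
    """Flood one packet from origin; return the number of transmissions."""
    # Assumed id scheme: hash of sender name, sequence number and payload.
    packet_id = hashlib.sha256(f"{origin.name}|{seq}|".encode() + payload).hexdigest()
    origin.seen[packet_id] = None  # the sender ignores echoes of its own packet
    queue = deque((origin, n) for n in origin.neighbors)
    sent = 0
    while queue:
        sender, receiver = queue.popleft()
        sent += 1
        if receiver.accept(packet_id, payload):
            # New packet: relay to every neighbor except the one it came from.
            queue.extend((receiver, n) for n in receiver.neighbors if n is not sender)
    return sent

def build_demo_mesh():
    """Constructed topology: A-B, B-C, B-D, C-D, D-E (A and E out of range)."""
    peers = {name: Peer(name) for name in "ABCDE"}
    for x, y in ["AB", "BC", "BD", "CD", "DE"]:
        peers[x].neighbors.append(peers[y])
        peers[y].neighbors.append(peers[x])
    return peers

if __name__ == "__main__":
    mesh = build_demo_mesh()
    print("transmissions:", flood(mesh["A"], b"hello"))
    print({name: p.inbox for name, p in mesh.items()})
```

The "seen" cache is what stops the C-D loop from relaying the packet forever; capping its size keeps a peer's memory bounded, at the cost that a packet old enough to have been evicted would be treated as new again.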
While the new build doesn’t appear to support group chats, at least according to the official doc, it does bring some new features. Users can now favorite other users to verify their identity for future conversations. Additionally, you can block other users, which ensures that messages from those users don’t reach your device, all without the blocked user being notified.
Bitchat may not be secure at this time.
While Dorsey claims that the app is focused on user privacy and security, it’s not perfect. The app’s GitHub page even has a warning at the top: “Private messaging and channel features have not been externally reviewed for security and may contain vulnerabilities. Do not use the app for sensitive use cases or rely on its security until it has been reviewed. The Noise protocol is now used for authentication and encryption. Public local chat (the core feature) does not pose any security issues.” According to a July 9 TechCrunch article, this warning was not present when the app first launched. The Noise protocol integration is also relatively new and had not been implemented when I first wrote about Bitchat. Noise is a framework for building cryptographic protocols, and it provides features like forward secrecy, identity obfuscation, and zero-round-trip encryption. For Bitchat in particular, it provides the app’s authentication and encryption features.
A TechCrunch article highlights a number of security issues that testers have found while using Bitchat. One found that it was possible to impersonate one of a user’s contacts and trick that user into adding the impersonator to their Favorites, a feature that’s supposed to ensure that the contact is who they say they are. Another pointed out a problem with the app’s “forward secrecy” feature, which is supposed to keep your messages protected even if an attacker gets access to an encryption key. Another found a security vulnerability that could allow an attacker to overflow memory and reach memory at another address, potentially leading to a compromise.
To be fair, these discoveries were made weeks ago, before Bitchat was publicly launched on the iOS App Store and before the app adopted Noise. The company may have patched some of these vulnerabilities by now, but I still recommend caution when using the app to send sensitive information.
How to try bitchat
If you don’t mind the potential security risks, you can try Bitchat today. If you have an iPhone, all you need to do is download Bitchat from the App Store. However, if you have an Android device, you will need to download the app from the platform’s GitHub page. At the time of writing, Bitchat is not available in the Google Play Store. All the Bitchat apps you see there are fakes, including the first result, which already has thousands of reviews. Do not download Bitchat for Android from any source other than the official GitHub, as you never know if an app posing as this service contains malware.
The app itself is pretty simple. When I downloaded it to my iPhone, all I had to do to set it up was allow Bluetooth. After that, it assigned me a random username, but you can change it by tapping it. The app’s interface is pretty simple: you can write a message and send it to everyone nearby, and in the upper right corner you can see how many users there are in your area. (Mine is exactly zero.)
If you see someone nearby, you can click on their name to start a private chat. Keep in mind that the security features have not been independently verified, so while these chats are supposed to be encrypted, they may have vulnerabilities.