Via Ars Technica
Bridgefy, a messaging app designed for activists and protestors with over 1M users is full of bugs, flaws, and privacy risks that could expose identities and private messages.
Bridgefy, a messaging app that can be used with no internet connection (it relies on Bluetooth and mesh network routing) has heavily marketed and promoted itself as an app to use by protestors and activists who want to hide and encrypt their messaging from any potential interceptors.
Unfortunately, security researches have found that the app can be subject to various attacks that, according to Ars Technica, can lead to the following:
- deanonymizing users
- building social graphs of users’ interactions, both in real time and after the fact
- decrypting and reading direct messages
- impersonating users to anyone else on the network
- completely shutting down the network
- performing active man-in-the-middle attacks, which allow an adversary not only to read messages, but to tamper with them as well
These risks are apparent partly due to the technology used for messaging and the fact that the app has no authentication method in place for user IDs, risking impersonation attacks. The app also uses a very outdated form of encryption to mask messages—one that was deprecated in 1998.
Soon after the researchers reached out to Bridgefy, the company stated that it will rebuild the app and some of its technology from the ground up in order to address these security vulnerabilities. However, currently there are still no fixes in place and the company has cleared up the fact that it doesn’t provide end-to-end encrypted messaging (though its marketing is less clear about that).
If you’re looking for a more secure messaging app, for whatever reason, don’t use Bridgefy. It’s quite vulnerable and will not keep your messages private and may even expose you more than using traditional SMS messaging.
Instead, consider Signal – a messaging app that does provide end-to-end encrypted messaging (as long as both parties are using Signal).
To learn more about Bridgefy and it’s vulnerabilities, check out the Ars Technica article here.