Jack Dorsey claims his new Bitchat app is secure, though it hasn't undergone security testing

Jack Dorsey's Bitchat app promises security without testing, raising scrutiny.

Jack Dorsey launched a new chat app, Bitchat, promising secure, private messaging through a decentralized design that uses Bluetooth and encryption instead of the internet. Despite these claims, security researchers found vulnerabilities, including an identity-impersonation issue, which Dorsey acknowledged by adding warnings to the project's GitHub page. Researcher Alex Radocea highlighted critical flaws and said users should not rely on the app for security, since the issues could endanger them. Dorsey did not respond to media inquiries, and his replies on GitHub have been criticized for not explaining how the problems will be fixed.

Jack Dorsey, the CEO of Block and co-founder of Twitter, has unveiled an open-source chat application named Bitchat. The app is pitched as secure and private messaging that avoids internet-reliant platforms altogether, carrying messages over Bluetooth and protecting them with end-to-end encryption. Those claims invite scrutiny because the app has had no external security review, a fact its own white paper admits.

Security researchers, including Alex Radocea, have challenged Bitchat's security claims. Radocea described a flaw that lets an attacker impersonate another user's identity, so a recipient cannot be sure who a message actually came from, and he warned users not to trust the app's current protocols. In response, Dorsey updated Bitchat's GitHub documentation with disclaimers about the unresolved vulnerabilities, advising users not to rely on the app for secure communication until it has been properly vetted.

Radocea's analysis traced the problem to the app's identity verification: an attacker can hijack the identity handshake that is supposed to assure each party that it is talking to a known contact. For users in high-risk situations, a handshake that can be hijacked undermines the one guarantee they most need from the app. Dorsey's handling of the resulting GitHub issues has been judged insufficient by experts, who say it lacks transparency about what will be fixed and how.

Further concerns have been raised about the app's claim to provide "forward secrecy", the property that messages already exchanged stay confidential even if a party's long-term keys are compromised later, because each session's keys are derived from short-lived material that is discarded afterwards. Users questioned both whether Bitchat's forward secrecy actually delivers this and how the code guards against buffer overflow bugs, marking two areas that need work before the app can be considered safe for public use.

Radocea's experience raising these issues on GitHub points to the need for a more structured and responsive process from Dorsey and his team. As it stands, Bitchat contains vulnerabilities that could mislead users who rely on it for protection, a risk amplified by Dorsey's high-profile backing of the project.

Sources: Jack Dorsey, TechCrunch, Alex Radocea, GitHub