Bridgefy

Bridgefy is a Mexican software company with offices in Mexico and California, the United States, dedicated to developing mesh-networking technology for mobile apps. It was founded circa 2014 by Jorge Rios, Roberto Betancourt and Diego Garcia who conceived the idea while participating in a tech competition called StartupBus. Bridgefy's smartphone ad hoc network technology, apparently using Bluetooth Mesh, is licensed to other apps. The app gained popularity during protests in different countries since it can operate without Internet, using Bluetooth instead. Aware of the security issues of not using cryptography and the criticism surrounding it, Bridgefy announced in late October 2020 that they adopted the Signal protocol, in both their app and SDK, to keep information private, though security researchers have demonstrated that Bridgefy's usage of the Signal Protocol is insecure.

Usage
The app gained popularity as a communication tactic during the 2019–2020 Hong Kong protests and Citizenship Amendment Act protests in India, because it requires people who want to intercept the message to be physically close because of Bluetooth's limited range, and the ability to daisy-chain devices to send messages further than Bluetooth's range.

Security
In August 2020, researchers published a paper describing numerous attacks against the application, which allow de-anonymizing users, building social graphs of users’ interactions (both in real time and after the fact), decrypting and reading direct messages, impersonating users to anyone else on the network, completely shutting down the network, performing active man-in-the-middle attacks to read messages and even modify them.

In response to the disclosures, developers acknowledged that "no part of the Bridgefy app is encrypted now" and gave a vague promise to release a new version "encrypted with top security protocols". Later developers said they plan to switch to Signal Protocol, which is widely recognized by cryptographers and used by Signal and WhatsApp. The Signal Protocol was integrated into the Bridgefy app and SDK by late October 2020, with the developers claiming to have included improvements such as the impossibility of a third person impersonating any other user, man-in-the-middle attacks done by modifying stored keys, and historical proximity tracking, among others.

However, in 2022, the same security researchers, now including Kenny Paterson, published a paper describing how Bridgefy's usage of the Signal Protocol was incorrect, failing to remedy the previously discovered issues. The researchers performed a demonstration, showing that it was possible for users to intercept messages intended for others without the sender noticing. The researchers disclosed the vulnerabilities to the developers of Bridgefy in August 2021, but, according to the researchers, the developers had yet to resolve the issues as of June 2022.

On July 31, 2023, the security firm 7asecurity released a blog post and pentest report of a white box penetration test and overall security review of the Bridgefy app in collaboration with the platform's developers. Their review, which began in November 2022 and concluded in May 2023, identified multiple critical vulnerabilities throughout the application. Many of the issues were fixed, or partially fixed, before the end of the audit, including user impersonation and biometric bypass. Bridgefy also published a blog post on August 8 2023 announcing the audit results.