Briar is an open source messaging app designed for activists, journalists, and anyone else who needs a safe, easy, and robust way to communicate.
Unlike traditional messaging tools such as email, Twitter or Telegram, Briar doesn’t rely on a central server – messages are synchronized directly between the users’ devices. If the Internet’s down, Briar can sync via Bluetooth or Wi-Fi, keeping the information flowing in a crisis. If the Internet’s up, Briar can sync via the Tor network, protecting users and their relationships from surveillance.
Cure53 conducted a penetration test and source code audit against the Briar secure messenger app. The audit was conducted in March 2017 and revealed several security-relevant issues, all of which have since been addressed by Briar.
The core application in scope was the Briar messenger application for Android, which was complemented with the review of the protocols specified and used by the Briar product, notably BQP, BSP, and BTP. Methodology-wise, the assessment followed a white-box approach, meaning that the testing team had access to the Android application’s full sources and could take advantage of the provided debug builds. The Briar team has further supplied the Cure53 testers with several APKs, specifically tweaked to enable more efficiency within the testing process, especially for the scenarios linked to the use of the Tor network. All components positioned in the scope of this test have undergone thorough reviews and audit of the code, while respective implementations were additionally examined when applicable.
The full audit and summary of findings can be found below.