7ASecurity worked with Bridgefy to complete a whitebox pentest of the mobile app, SDK and cloud infrastructure, together with a privacy review, to help improve Bridgefy’s overall security posture.
What is Bridgefy?
Bridgefy is a popular mobile messaging app that lets you send messages offline over a Bluetooth mesh network, with no cellular or Internet connectivity required. It aims to provide secure messaging when infrastructure is unavailable or overloaded, for example after natural disasters or at large events.
The Security Review
7ASecurity performed a white box penetration test and overall security review of the Bridgefy platform between December 2022 and January 2023. This was Bridgefy’s first comprehensive security review, encompassing a broad range of security areas.
The overall goal was to assess the Bridgefy platform as thoroughly as possible in order to find and reduce vulnerabilities and provide Bridgefy users with the best possible security. The review covered the Android and iOS apps, the SDK, the app and server components, the cloud infrastructure, and the platform’s overall privacy posture. This assessment helps ensure that Bridgefy becomes more robust and less susceptible to malicious attacks against the platform.
The assessment determined that the Bridgefy platform defended itself well against a broad range of common attack vectors. 7ASecurity found no issues with the peer-to-peer implementation of offline messaging or with the Signal Protocol used to protect user messages. As this was Bridgefy’s first penetration test and security assessment, several significant vulnerabilities and areas for improvement were nonetheless identified. The vulnerabilities and recommendations were provided to the Bridgefy team and, following a responsible disclosure period, the results of the assessment were released publicly (see link below).
In general, 7ASecurity identified a number of positive aspects of the Bridgefy platform during the assessment, including but not limited to:
- The mobile and web apps offer relatively little attack surface
- The mobile applications were found to be resilient against Denial-of-Service (DoS) attacks
- No significant authentication or authorization issues were identified
The overall security of the Bridgefy platform would benefit from a focus on the following areas:
- TLS Configuration Hardening
- General Hardening
- Input Validation
- Filesystem Protection
- Secure Defaults
- MFA Implementation
- User Lockout
- Removal of unsafe crypto functions
Conclusion
7ASecurity would like to take this opportunity to sincerely thank Jorge Ríos, Gilberto Julián de la Orta, Guillermo Haro, Miguel Tec and the rest of the Bridgefy team, for their exemplary assistance and support throughout this audit.
“Engaging 7ASecurity for our audit was a key move for Bridgefy. They expertly navigated our code and services, uncovering vulnerabilities and offering solutions that refined our approach to safeguarding data and ensuring privacy.
Their hard work enabled a significant enhancement in the resilience of our products. Each insight they provided was a golden opportunity to further our mission of creating reliable, Internet-independent communication.
Thanks to 7ASecurity, we’re now more confident in the robustness of our services and feel empowered to continue our journey to change the world.
We’d readily recommend their stellar work to any tech firm that values user protection above all else. To sum it up, their expertise has brought a remarkable boost to our security measures.”
Jorge Ríos, CEO, Bridgefy
For a full review of the findings and recommendations, please see the full pentest report linked below.