How to communicate securely and privately using a messaging app? What about BCM Messenger?

I would like to open a discussion, one that is very important for any privacy minded individual, that is, how to communicate securely and privately using a messaging app and specifically in the review of the messenger below.

I do understand that on Privacytools there is a list of messaging apps to choose from depending upon whether you want a decentralized, p2p or centralized messenger. However, doing my own research on the matter I have come to the conclusion, one that is also shared by Securechatguide that the recommendation on Privacytools of Signal, is that it suffers from certain weaknesses and vulnerabilities https://securechatguide.org/centralizedapps.html#signal the main one of which is that it requires a phone number to use. Edward Snowden may endorse Signal, but the fact that an agency like the N S A could go to Signal HQ which is located in the good ol US of A with your phone number and demand to get access to any and all data they have on you is disquieting, at least for me. But the biggest grip is that a phone number requires the registration of a SIM with a telco and that is a big red flag for a supposed privacy messenger. According to Securechatguide Signal has access to:

  • The phone number used for your registration.
  • SHA-2 Hashes of your contacts’ telephone numbers to check for a match. OWS claims to delete this as soon as it is no longer needed.

What Signal claims to keep:

  • The day you first joined the service
  • The last day you used it.

Disadvantages:

  • People must know your phone number. It is possible to register a burner number or a VOIP number, but this is an advanced-use case.

Alternatives to Signal are few, Keybase is mentioned however not on the list is a new messenger that has received widespread claim by the hacker community. It is opensource, encrypted and available for Android and iOS. The name is BCM Messenger https://bcm.social/index.html

According to their website, "BCM’s encryption method is one of the most secure encryption methods known in the world. The private (one-to-one) chat process uses the X3DH based on the elliptic curve-Curve25519 for key exchange, and implements the Double Ratchet process to ensure that the encryption key of each chat message is different. The chat contents are encrypted by AES-256 symmetric encryption algorithm. " Also, “BCM chat messages pass through the forwarding node (either a user PC node on the P2P network or an officially deployed server). Because the contents are end-to-end encrypted, the forwarding node is only responsible for forwarding the data message and cannot decrypt the forwarded chat content.”

I would request that this messenger is investigated by the community to substantiate their claims and if they are proven valid, that this messenger is included in the recommendation list on Privacytools.

Thanks

To be honest seems interesting, I’m checking it out. Still, I’m a bit sceptic about certain stuff.

First of all, I don’t understand exactly how they apply the blockchain part but this makes my doubt a little since blockchain is forever.
Then, there’s this:

• Will BCM open source?

BCM is planning to open source, and we will gradually disclose source code of BCM to the public.

They aren’t open source yet and it still needs a server to work so I don’t see how this could be any safer than Briar or Jami when they manage to be more stable. Also, where are the servers located and under which jurisdiction is the service based on?

I think Signal is a pretty good service, sure they totally did some shitty things like refusing to add their product on F-droid, but I don’t see BCM there either. I don’t think Signal should be replaced, if anything BCM added but I would feel more safe if someone with more knowledge on encryption and IT security like @infosechandbook or the person behind secure chat guide will give it a look.

1 Like

nope, signal encrypts everything (even metadata) so NSA can not get any good data about you and you can always use that free usa number to sign up and hide your real phone number

why i feel its an ad post, lol

2 Likes

They appear to be working on allowing phone number registration. We are watching that at

I have previously looked at them a few hours ago and I really don’t believe their claims and I would advice avoiding them until they get an indepedent security audit to prove me wrong.

In case you don’t want to click, I will paste my previous comments below:


I am not looking into this further at the moment, but my previous comment from #1059:

I am worried about it being a “blockchain based messenger” which by definition means that all messages are stored forever and are also publicly available just waiting for the day, its encryption can be broken.
The privacy policy also doesn’t reassure me, I am not going to register an account without seeing it.

Q: Does BCM have a privacy policy?
You can view our detailed Privacy Policy when registering for a BCM account.

Q: Will BCM open source?
BCM is planning to open source, and we will gradually disclose source code of BCM to the public.

* https://bcm-im.com/keys_faq/index.html

Please request reopening after at least these two issues are fixed, Telegram has also been promising open sourcing their server for years.


  • BCM appears to be unavailable through F-Droid. bcmapp/bcm-android#2

  • Their git repository is as poor quality as Telegram Android. https://github.com/bcmapp/bcm-android/commits/master , they appear to use git commit as git tag so I don’t think anyone can reasonably audit their code, especially if they are going to keep up doing changes of over a thousand line in one commit.

  • They have a link to iOS app, where is its source code?

  • Their download page has MD5 checksum (broken ages ago) https://bcm.social/download.html while SHA1 (which is a step up) has been broken recently too. They also haven’t signed the hashsum that I can see.

I am not going to read their privacy policy right now, but I recommend avoiding BCM and not listing them on PrivacyTools. Based on all the times I have looked into it, I advice waiting for them to get an indepedent security audit before considering listing them again.


Personally I am actively using Signal + desktop and XMPP (Dino, Conversations) on the secure side for people especially close to me, I might not use Signal if there were better XMPP clients on iOS which one of my contacts is using and while Wire has broken my trust, I am yet to migrate my family out of it.

I forgot to add to my previous comment that I have no coding skills or ability to personally audit the software we list or that I approve (so I have a self-esteem issue about that), but I would be worried about problems that even I can spot such as the use of MD5 to verify the authenticity of the packages.

Welcome @anon76034565!

I agree with you on the phone number requirement, but it may be okay if you are speaking with someone with whom you would share your home address.

Reportedly, Signal is working on a way to use an email address for registration. That would be wonderful.

My bigger concern with Signal is its terms of service and how that could affect its privacy policy. (If I recall, the TOS is referenced as governing the privacy policy, but that might have changed.)

1 Like

Regarding the use of blockchain to store data, this is on their FAQ, although I don’t know if what they are saying means something good since I lack the knowledge:

• Is BCM message stored in blockchain?

No. Actually BCM IM service is not based on blockchain platform, the reason is simple: As each message is strictly encrypted, we do not see a difference between storing a message to a BCM Server and storing it to a blockchain, not to mention the efficiency of blockchain. Furthermore, it is difficult to upgrade the software in each public blockchain node whenever necessary.

However, BCM does have cryptocurrency wallet, and adopt similar technology as Blockchain:

  1. Each BCM account has a locally generated (private key, public key) pairs, and it needs to prove its validity by doing some POW job when registering itself to the platform.

  2. The unique User Id is simply the hash of account public key.

  3. One can communicate to his/her contact in a “talk to public key hash” way, very similar to “pay to public key hash” in Blockchain. – Only the owner of the public key can decrypt the content.

And regarding the opening of the source, this is on their news section, but it is kinda vague and does not clarify if all of their code has been opened or not, since the previous QA that I mentioned is still on their website:

Big News – BCM Open Source at Christmas Day!

BCM team keeps the promise and now open source BCM at https://github.com/bcmapp, the corresponding BCM release is 2.6.0, which is already available in Google Play.
Open source expresses the BCM’s communication concept, BCM will provide the most reliable and safest messenger channel and firmly maintain the communication of freedom.

2019-12-25

1 Like

Now that I re-read this part:

As each message is strictly encrypted, we do not see a difference between storing a message to a BCM Server and storing it to a blockchain, not to mention the efficiency of blockchain.

I feel like it also really ambiguous and does not explain a lot. What I understood, I think, it is that the blockchain part is a waller that it’s built-in the application -to my this is really stupid since you need to focus on two really different things at the same time and there are already options for wallets-.

I think I’m going to send them an e-mail and see if they can answer some questions, to my at least seems like an interesting project but it is kinda fishy at the same time. Does anyone would like me to ask them something in particular?

Approving Questions to Ask All Privacy Companies (QtASK) would be nice, but I guess that is already on your list :slight_smile:

Oh and my previous questions mainly, why are they not using git commit for one thing per commit, why they are trusting MD5 to verify package integrity and do they have plans for PGP/similar (minisign?) signing releases and where the iOS app source is.

Even if phone number (and access to address book) is not required, it is the most user friendly approach and main reason why Whatsapp and Viber succeed where others (e.g. Skype) failed. It’s the same in privacy oriented community. It is much more easier to make Signal account and chat with your contacts than using XMPP or Matrix or whatever else. E.g. even though I used email for Wire account registration (and login), I put my phone number and allowed it access to my contacts in order to find friends who also use it. And it works well. So even if it is not required, IMO phone number login/registration should be default option also in privacy messengers

The main problem I see with BCM and many others - they are phone only. And there are already many other possibilities with larger user base and less bugs. Plus, I find Android the worse OS when it comes to privacy. If we want better (mobile) OS, that respects our privacy, such as PureOS or PostmarketOS, then all those messengers are useless.

Also, adding features like crypto wallet, git, cloud storage or something to IM/VoIP program will only confuse users, be resource-hungry and most likely run as slow as … At least Keybase is like that, even though it looks great when you look at all those features

IMHO - Matrix (Riot) might be THE ONE :smiley: But I think there’s no chance it’ll ever be as popular as Signal. Not to mention WA, Viber, Telegram…

1 Like

The blockchain component of BCM as far as I understand is that it incorporates a blockchain wallet, in the same way that Keybase has a wallet for Stellar Lumens, BCM has a wallet for the crytocurrency, Ethereum I think.

According to Github the android version is opensource, but not the iOS version.

I understand the data is encrypted however, do you really believe that the NSA is not able to crack Curve25519, AES-256 or HMAC-SHA256? The NSA most likely already has at least one quantum computer as they were already working on this since 2014 according to Snowden https://www.scmp.com/news/world/article/1396962/nsa-trying-build-superfast-quantum-computer-says-snowden

It may feel like an ad post but it is a genuine attempt to get the community to explore this messenger and to verify its claims.

It’s good that someone from here has already looked at BCM, however one person is not enough.

They did a presentation, albeit an extremely poor presentation by the worst public speaker i have listened to…ever at the Hack in the Box (HitB) Cyberconference https://www.youtube.com/watch?v=vJ8ihbQydJk

I’m pretty sure that since that conference, a lot of those hackers would have had a look at BCM.

I think that adding a wallet just brings more possible security breaches to the whole thing, and it is kinda useless, it conflicts with compartmentalization, also.
I guess it’s good that the Android version, and I assume that the iOS version is in progress, are open source, but I think that the servers are closed source. I’m not saying they are not going to release it but I will wait some time until someone with more experience can say it’s safe to use.

This is going in a certain conspiracy way, I know there’s a chance that this may be true, but we don’t have proofs about it, and at the same time I think that if it could be cracked then some white or black hat hackers would have find out too, things like WannaCry make you understand that group of hackers wit not so many resources have a lot of power too.
Still, until we can verify such claims we must treat this encryption protocols as secure.

Thanks for the welcome Liz.
Personally I also see nothing wrong with a phone number, but, it should not be the only way to signup. Wire had the option of email registration and phone. Privacy messengers need to be privacy orientated and take a hard stance on the issue of discoverable information.

Signal is not working on an email registration option, but it has been proposed for several years, opened in 2014 according to github and closed with no resolution in April 2018

Another issue I just found while searching the for the developer of Signal, Moxie, is that the NSA most likely has a backdoor implanted

They use the same encryption as Signal

Ease of use or privacy focus. The dilema. If you market yourself as a privacy messenger then I would hope that this is the priority when designing the app and that ease of use is a secondary priority.

Phone only is one way to reduce complexity as there is no need to sync between different devices, which also reduces attack vectors.

i not know Curve25519 but at least i know AES256 and also i know the power of it depends on your password so maybe they cracked it but maybe because owner of it added silly password ? i mean try to add strong random password and try crack it ?


NOTE: im not fighting with you im just thinking out loud with you.

Integrating an opensource wallet that has already been tested and vetter should not be an issue. I am not a coder so I haven’t looked into their Git, but, if everything is encrypted on the phone, I don’t see a problem. Just as a side note, the crypto wallet i think is just an extra feature. A person who seriously wants to use a crypto wallet for ERC20 etc, will use a proper wallet like Atomic or Exodus etc.

I don’t think it is a conspiracy theory to presume that the NSA has the capabilities to crack various encryption schemes using a quantum computer that they may or may not have, but even without, they have massive amounts of computer power at their disposal.

To assume that the NSA does not, is foolish in my opinion. Also, you would have to doubt that Snowden is telling the truth as he is the one who made the statement. However it is just easier for the NSA to force 9 and 14 eyes nations to install backdoors into their programs rather than trying to intercept and crack encryption.

https://www.washingtonpost.com/world/national-security/nsa-seeks-to-build-quantum-computer-that-could-crack-most-types-of-encryption/2014/01/02/8fff297e-7195-11e3-8def-a33011492df2_print.html

On conspiracies, people who said in the pre-Snowden leaks that the NSA was spying on their comms and intercepting telecom data were also called conspiracy theorists.

1 Like

I thought there was a new push to create an email registration option. Maybe I was wrong. Thanks for the info.

Also check out the TOS here. There is one section that really bugs me – especially since the privacy policy says “Please also read our Terms which also governs the terms of this Privacy Policy.” Here’s an excerpt from the TOS:

SIGNAL DOES NOT WARRANT THAT ANY INFORMATION PROVIDED BY US IS ACCURATE, COMPLETE, OR USEFUL…

Basically, the company could be outright lying about everything and not be culpable. I’m not saying that’s the case, but it’s concerning. Maybe they have to have cover in case the U.S. government requires them to work on its behalf?