In the wake of the Snowden leaks, there has been an explosion in technologies which seek to protect their users from passive surveillance through privacy features. As a result, there are many messengers and services out there which tout themselves as private, secure or anonymous. Whether or not this is really the case is a topic for testing, analysis and future posts, but it goes without saying that the most popular among them are those which are featured on the Google Play and Apple iStore, or marketed by the mainstream/social media.
Within the category of privacy, a smaller, almost niche segment of the sector is a series of apps and technologies created to protect activists, journalists and political dissidents – or those with the most to lose.
Purpose: This post will serve as a general overview of the features of the Briar messenger app, as well as its differentiators from other popular apps. In later posts on Briar, I will dive into portions of the source code to see what it’s actually doing behind the scenes and attempt to capture an encrypted message using only FOSS.
Differences Between Briar & Signal
A lot of the initial questions that I receive are about how similar Briar is to the Signal or WhatsApp messenger applications, which have become pretty common over the past 3 – 5 years. In a general sense, I would say that this is almost an apples-to-oranges comparison. This is not to advocate that you give up your Signal account, as it is probably the best bread-and-butter app to use with your less-than-tech-savvy family and colleagues; but Briar was designed with a completely different use case in mind: that of the activists, dissidents and journalists mentioned above.
Because of this, they have taken several steps, some of which serve as redundancies, to ensure privacy, anonymity and deniability. This becomes evident as early as the first steps to setting up an account.
Setting up an Account
Whereas Signal requires an active phone number, SMS account verification and a ton of other permissions, Briar simply asks what you want your standard name to be and what you would like your password to be. No verification steps, email confirmation, extra permissions, etc. Just pick a name, and you’re ready to start adding contacts.
Adding Contacts
Before we get into this section, it’s worth mentioning that while I was attempting a screen capture of the menu shown below, from my GrapheneOS phone, it would only capture a blank black screen. To verify that this was a security feature rather than a flaw in the app, I attempted a screen capture of a conversation with a contact – again it saved as blank, so it looks like there is something preventing screen captures. I will test this feature further in a future post. OK, let’s get into it.

Unlike Signal, Briar either uses QR codes which appear on your device screen, or allows you to copy/paste Briar ID links to add contacts from a distance (or over the internet). I’ve seen a lot of guys argue as to whether they should only add people in person, but I’m pretty neutral on this topic for the following reasons:
- The QR scan is requesting that your phone exchange Briar ID links through the internet anyways.
- Your new contact does not necessarily know your real identity if you practiced basic OPSEC procedure with nicknames etc.
- Just because someone has your Briar code does not mean that they can message you, or see which groups you are in or your phone number. You have to swap codes for them to start contacting you, and vice versa (again unlike Signal).
This brings us to another point where Briar again differs from Signal: Briar does not require that your contacts exist within your phone book prior to adding them; nor will adding a contact through Briar create a contact within your contacts folder.
As of the most recent update (October 2022), the Briar team has added the ability to verify contacts (which I have not tried) as well as the ability to introduce one of your contacts to another. These introductions are definitely a step in the right direction when trust is not an issue because one could, in theory, introduce newcomers to the broader network.
Noteworthy mentions: Briar is text and image only – no voice or video calls. Additionally, sharing a link will be in text format, instead of an executable hyperlink, though I’ve not had a problem with this at all, since you could use your system’s clipboard.
How Briar Communicates with Contacts
When you start the app, if you choose to connect over the internet (versus directly over Bluetooth or WiFi), Briar establishes direct Tor connections to your active contacts, who are also using the Tor network. This is in addition to the unique E2E encryption keys that you exchange with your Briar ID links.

Now Tor is a great technology for privacy, but I would be remiss to breeze over the fact that anyone can set up a node and can capture packets at the exit node – and I would imagine that most state intelligence agencies probably do. So, for example, if you’re a journalist critical of the Iranian regime in present day Iran, know that there is a pretty good chance that they are doing this.
The Briar team understood this, which is likely the reason that they developed the Bluetooth and WiFi connection features.
Forums & Blogs
Beyond private messaging, Briar provides the ability to participate in public or private forums and blogs which are protected against censorship in a number of ways that can be found here: https://briarproject.org/how-it-works/. However, the most interesting to me were the following:
- Protection from Take-down Orders: Every user who subscribes to a forum keeps a copy of its content, meaning that there is no single point where content can be deleted.
- DoS Attacks: Since Briar does not use centralized servers, every subscriber has access to the forum’s content, even while they are offline.
- Internet Blackouts: Briar can operate over Bluetooth and WiFi to keep information flowing during blackouts, which is great if at least one of your contacts was able to view the blog or forum and return to your area prior to the blackout.
RSS Feeds
You can use Briar to read any blog or news site that publishes an RSS feed. The articles are downloaded through the Tor network (as with all Briar communications) to protect your privacy. You can then reblog and comment on articles from RSS feeds, just like you can with blog posts, or add to a forum.
Let’s walk through it:
- Click the menu (three lines) button in the upper left.
- Click Blogs, then the 3 dots in the upper right of the Blogs menu.
- Select RSS feeds, then click the plus sign, again in the upper right.
- “Enter the URL of the RSS Feed” should appear. Let’s use https://www.greys3c.com/feed, then click the green check mark in the bottom right of your screen.
- GreyS3c should appear.
You can copy/paste and repeat this with as many websites as you like, and their RSS feeds will shoot the latest posts straight to your phone.
Words of Caution
Messages in Queue
Since there is no exchange server, messages wait on your device until the target recipient is online. You’ll see a little spinning clock icon in this case, or double check marks for messages delivered. Both users must be online to exchange information. For example, if I sent Johnny Rico 5 messages and a photo while he was online, and he sent the same my way while I was offline, everything will flood in the next time we are both online.
Battery Use
The app does run constantly in the background and this will draw on your battery. What I do to mitigate this is “Force Quit” the app if I am out and about, if my battery gets below 30% or if I am planning an extended trip without a way to charge. With my use-case, this issue is a minor inconvenience at worst.
Which Phone to Use
The app does not run on Apple devices and I would not use a regular Google Android – period, or for this app. I do know people who use Briar through a Google Android OS and you could do this if you wanted, but be aware that simply using a regular Android distribution could negate many of the security features of the application.
Further, these same ‘regular’ Android users have complained that their phone will not allow the app to run in the background or foreground at a certain battery capacity, and that Google is apparently blocking notifications. I’m currently using GrapheneOS as my daily driver, and the app runs great aside from the noticeable battery drain.
Modern Day Use-Cases
With the above capabilities, it’s easy to draw an immediate use-case to the people of Ukraine (as well as many other countries), where rockets, artillery, suicide drones, sabotage or cyber-warfare have rendered much of their communications infrastructure inoperable. It seems that while there are shortages of many goods and services, there is no shortage of cell phones and tablets in the hands of soldiers (or conscripts).
This makes Briar without a doubt the fastest, safest and most redundant (in reference to security) way to pass the unaltered word of the nation, as well as your family and friends, to everyone on the front lines and in between. If a ‘messenger/courier’ (which is now anyone subscribed to your same blogs and forums) were able to frequent areas with internet, they could return and update your information automatically just by passing within router or Bluetooth range of your device – even if there is no internet access.
Let that sink in for a second. During the Texas Ice storms, no one was worried because we thought that the power could come back on within hours. After about a day, many of my neighbors started losing cell phone service, and “the word” was passed in parking lots by people who had service not long ago. After the 2nd day, people started getting a strange look in their eyes and taking up weird projects which would last for several more days until power was restored.
Bottom Line
Nothing replaces OPSEC, trade-craft or in-person communications, but it is my opinion that the Briar team took an end-goal oriented approach to protecting universal free-speech and sharing of information among friends at the start of their project, and consistently measures the app’s capabilities and future development against this, rather than building security or privacy-based features onto an otherwise standard messenger. Here is a screenshot of the assumptions they made while developing the app, available on their How it works page.

I’ve used this app on a daily basis for about 2 years now and have recommended that many of my friends, clients and partners do the same given a specific spectrum of use cases. This said, I would recommend that everyone install and play around with the app to test its features against their use case.
As always, I hope that you’ve taken something useful away from the post and that you’ll feel free to reach out to me via Twitter or the Contact Form on this site if you have any feedback or questions. I do ask that if you believe that your question may have some training value, you post it in the public forum.
Recommendations
- Note to Briar: Add file sharing capabilities to all connection types: Internet (Tor)/Bluetooth/WiFi. To this end, I would also add a toggle to limit the size of the file that can be transferred while using wireless data – say 25MB like an email.
- Note to Readers: If you use this app or believe that it’s important, donate. It’s important to support open-source projects and research, but many times more so in this category. You can also follow their team on Twitter, via @BriarApp
Planned Posts on Briar
- Analysis: Can a keylogger exfiltrate text entered into Briar on a Google Android device?
- Analysis: Can we capture packets being sent between Briar contacts with FOSS tech?