Cirabit: Bluetooth Mesh Chat with IRC Vibes

André and I forked Bitchat for Android, added the features we actually wanted, and shipped it. Here's what we built and why.
I have a specific kind of appreciation for software that does one thing and does it without asking for your email address, your phone number, your location, or your agreement to seventeen pages of terms. That kind of software is increasingly rare, and when I found Bitchat, I immediately thought: this is the right idea. And also: I want to change a bunch of things about it.
So André and I forked it.
Meet Cirabit: a Bluetooth mesh chat app for Android with IRC vibes, end-to-end encryption, and absolutely zero servers involved. You can download it from cirabit.smaia.dev/download or grab the APK from the GitHub releases page. Source is at sarahsec/cirabit-android.
Fair warning up front: this has not had an external security review yet, and we say so clearly in the README. Don't use it for anything genuinely sensitive until that changes. But as a privacy-first, serverless mesh chat for everyday use? It works, and I genuinely love it.
Why I care so much about this
I need to tell you about Nepal first, because that’s where this gets real for me.
In September 2025, young Nepalis started posting on social media about corruption, about politicians’ children flaunting designer clothes and luxury vacations while ordinary people struggled. The hashtag #NepoKids started trending. The government responded by blocking Facebook, YouTube, X, and LinkedIn. Then protests broke out. Then parliament was set on fire. Then the prime minister resigned.
And throughout all of that, people were using Bitchat.
When the internet blocks went up and fears of a total shutdown spread, Nepalis flooded to the only communication tool that genuinely couldn’t be turned off. Not because the government was nice about it, not because a company promised to protect their data, but because the architecture made it structurally impossible to shut down. Tens of thousands of downloads in a single day. A mesh of Bluetooth signals passing messages through crowds, across city blocks, phone to phone to phone, with no server in the middle for anyone to pull the plug on.
Then in January 2026, Uganda imposed a nationwide internet blackout two days before elections. The opposition leader Bobi Wine had been telling his supporters for weeks to download Bitchat specifically because he knew the shutdown was coming. When it hit, Bitchat became the most downloaded app in the country overnight. Over 400,000 Ugandans had it installed. The government’s communications regulator looked at this and said, publicly, “Don’t be excited by Bitchat, it’s a small thing.” The developer’s response: “You can’t stop Bitchat. You can’t stop us.”
Iran. Madagascar. Nepal. Uganda. In each case, the moment a government tried to cut off communication, people reached for the tool that is structurally resistant to that kind of interference. Not because of a policy. Not because of a promise. Because of how the protocol works.
I am a software developer. I work in cybersecurity. I think about these things a lot. And when I found Bitchat and understood what it was, I felt something I don’t feel very often about software: this matters. Not “this is useful” or “this is well-designed.” This matters.
That’s why I forked it. That’s why I’m putting time into it. That’s why I’m writing this post at unreasonable length on a Sunday.
What Cirabit does
Your phone discovers nearby Cirabit devices automatically over Bluetooth LE, connects, and messages are relayed through the mesh for up to 7 hops. Someone across a building can receive your message even without a direct connection, as long as there are enough devices between you acting as relays. No internet, no cell service, no infrastructure. Just the devices in the room and the protocol that connects them.
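Here is the hop limit and the relay rule in miniature, as an added example and not code from Cirabit or Bitchat: a Go model of phones flooding one packet through a constructed mesh. It takes only what the text states (a TTL that starts at 7 and a message ID used to drop duplicates); the breadth-first round model, the ten-phone topology, and the names are assumptions made for the example.

```go
package main

import "fmt"

// MaxHops is the relay limit the post describes; everything else in this file is a model.
const MaxHops = 7

// Packet carries only what the relay rule needs: an ID so each phone relays a
// given message at most once, and a TTL that shrinks at every hop.
type Packet struct {
	ID   string
	TTL  int
	Body string
}

// Node models one phone: its current BLE links, its dedup cache, and what its user sees.
type Node struct {
	Name  string
	Links []*Node
	seen  map[string]bool
	Inbox []string
}

func NewNode(name string) *Node { return &Node{Name: name, seen: map[string]bool{}} }

// Link makes a bidirectional BLE connection between two phones.
func Link(a, b *Node) {
	a.Links = append(a.Links, b)
	b.Links = append(b.Links, a)
}

// frame is one radio transmission: packet p sent by from, received by to.
type frame struct {
	to, from *Node
	p        Packet
}

// Flood applies the per-hop rule breadth-first, which approximates phones
// rebroadcasting in rounds: drop duplicates, deliver locally, then forward with
// TTL-1 to every neighbour except the sender while the TTL allows another hop.
// It returns the number of radio transmissions the flood cost.
func Flood(origin *Node, id, body string) (transmissions int) {
	origin.seen[id] = true // so an echo from a neighbour is ignored
	var queue []frame
	for _, peer := range origin.Links {
		queue = append(queue, frame{to: peer, from: origin, p: Packet{ID: id, TTL: MaxHops, Body: body}})
	}
	for len(queue) > 0 {
		f := queue[0]
		queue = queue[1:]
		transmissions++
		n := f.to
		if n.seen[f.p.ID] {
			continue // already relayed: this is what stops a meshed crowd from looping forever
		}
		n.seen[f.p.ID] = true
		n.Inbox = append(n.Inbox, f.p.Body)
		if f.p.TTL <= 1 {
			continue // this phone is the last permitted hop
		}
		next := f.p
		next.TTL--
		for _, peer := range n.Links {
			if peer != f.from {
				queue = append(queue, frame{to: peer, from: n, p: next})
			}
		}
	}
	return transmissions
}

// Simulate builds a constructed chain of ten phones P0..P9 (P0 sends) and, if
// shortcut is set, one extra link P1-P3 that both shortens the path and creates
// a cycle. It returns how many copies each phone delivered and the transmission count.
func Simulate(shortcut bool) (delivered map[string]int, transmissions int) {
	nodes := make([]*Node, 10)
	for i := range nodes {
		nodes[i] = NewNode(fmt.Sprintf("P%d", i))
		if i > 0 {
			Link(nodes[i-1], nodes[i])
		}
	}
	if shortcut {
		Link(nodes[1], nodes[3])
	}
	transmissions = Flood(nodes[0], "msg-1", "hello from P0")
	delivered = map[string]int{}
	for _, n := range nodes {
		delivered[n.Name] = len(n.Inbox)
	}
	return delivered, transmissions
}

func main() {
	for _, shortcut := range []bool{false, true} {
		d, tx := Simulate(shortcut)
		fmt.Printf("shortcut=%v transmissions=%d delivered=%v\n", shortcut, tx, d)
	}
}
```

The plain chain delivers to P7 and stops there; adding the P1-P3 link brings P8 within seven hops and at the same time creates a loop, and the seen cache is the only thing keeping P1, P2 and P3 from passing the same message around indefinitely. The transmission count is the price of flooding: ten radio sends to deliver one message to eight phones, two of them discarded duplicates.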
Geohash channels also exist; they use the internet to connect you with people in your geographic area. But the core experience is offline-first.
The interface is IRC-style, which I love, and which I will not apologize for:
/j #general join or create a channel
/m @andre hey send a private message
/w list who's online
/channels see all discovered channels
/pass secretword set a channel password (owners only)
/save toggle message retention (owners only)
/transfer @andre hand off channel ownership
/block @spammer block a peer
/clear clear chat history

No accounts, no phone numbers, no server that knows you exist. Auto-generated identity or your own nickname. That’s it. That’s the whole onboarding process.
What the upstream Bitchat team built
I want to be clear about what André and I didn’t write, because it matters for honesty and because the Bitchat team deserves the credit.
The foundation is theirs: the BLE mesh networking core, the binary protocol with TTL-based routing and store-and-forward delivery, the encryption stack (X25519 key exchange + AES-256-GCM + Ed25519 signatures with per-session forward secrecy), the channel system, the battery-adaptive scanning. That’s the bulk of the codebase. We forked it because it’s good work, and we wanted to build on top of it rather than around it.
What André and I actually built
Our contributions are focused, and I’d rather be specific about them.
App lock is the one I’m most personally happy about. You can now lock Cirabit behind your device’s biometric authentication or PIN/password. This felt like an obvious gap from the moment I started using the app seriously. A privacy-focused messenger that anyone can open just by picking up your unlocked phone is a gap. It’s the kind of feature where you ask “why doesn’t this exist yet?” and then you go build it yourself at 11pm on a weeknight because it’s bothering you.
The auto-update system was the other big addition. The app checks for new versions every 12 hours, shows a one-time dialog per release when something’s available, and links directly to cirabit.smaia.dev/download. There’s a toggle in About settings to turn it off. This matters specifically because we’re not on the Play Store yet, which means without this there’s no update mechanism at all. Nobody manually checks for APK updates. The in-app check is the only reason you’ll actually know when there’s something new. Two things worth knowing about it: the check only opens the download page, it never installs anything itself, and Android refuses to install a new APK over an existing app unless it is signed with the same key, so a spoofed “update” can’t quietly replace the app. And the check is a periodic request from your phone to our server, which is exactly the kind of network signal the rest of the app avoids; if that bothers you, that’s what the toggle is for.
Portuguese (Brazil) is now an official supported language. Obviously. Did you expect anything else from the two Brazilians maintaining this?
And the site: cirabit.smaia.dev with a proper download page, which is what the auto-update system points to.
The security model
Private messages: X25519 key exchange, AES-256-GCM encryption, Ed25519 signatures, new key pairs per session for forward secrecy. Be precise about what that buys you: a key captured later can’t decrypt sessions that have already ended, but it does nothing for messages inside a session whose key is exposed. Channel messages: Argon2id password derivation into AES-256-GCM. That makes a channel exactly as private as its password: everyone who has it reads everything, and anyone who captures the channel’s traffic can guess passwords offline. Argon2id makes each guess expensive; it doesn’t make a weak password strong. A channel without a password is public and unencrypted, which is the correct default for a public channel.
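The private-message model above, as an added example in Go and not Cirabit’s or Bitchat’s own code: each peer has a long-lived Ed25519 identity key, generates a fresh X25519 key pair per session, signs that ephemeral public key so a relay in the middle can’t substitute its own, and derives an AES-256-GCM key that is all that survives the handshake. The key schedule (a labelled SHA-256 of the shared secret), the handshake layout, and the names are assumptions; the app’s real wire format is not reproduced here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Handshake opens a session: a fresh X25519 public key signed by the sender's
// long-lived Ed25519 identity key, so a relay cannot substitute its own key.
type Handshake struct {
	EphPub []byte
	Sig    []byte
}

// Session is one conversation: the ephemeral key pair until the handshake
// completes, then only the AES-256-GCM cipher derived from it.
type Session struct {
	eph  *ecdh.PrivateKey
	aead cipher.AEAD
}

func check(err error) {
	if err != nil {
		panic(err) // key generation and the system RNG are not expected to fail
	}
}

// NewIdentity makes the long-lived Ed25519 key; it signs handshakes and nothing else.
func NewIdentity() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	return priv
}

func pub(id ed25519.PrivateKey) ed25519.PublicKey { return id.Public().(ed25519.PublicKey) }

// StartSession makes the per-session X25519 key pair and the signed handshake to send.
func StartSession(id ed25519.PrivateKey) (*Session, *Handshake) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	check(err)
	ephPub := eph.PublicKey().Bytes()
	return &Session{eph: eph}, &Handshake{EphPub: ephPub, Sig: ed25519.Sign(id, ephPub)}
}

// Complete verifies the handshake against the identity key we already know for the
// peer, derives the shared AES key, and throws the ephemeral private key away.
func (s *Session) Complete(peer *Handshake, peerID ed25519.PublicKey) error {
	if !ed25519.Verify(peerID, peer.EphPub, peer.Sig) {
		return errors.New("ephemeral key is not signed by the expected identity")
	}
	peerPub, err := ecdh.X25519().NewPublicKey(peer.EphPub)
	if err != nil {
		return err
	}
	shared, err := s.eph.ECDH(peerPub)
	if err != nil {
		return err
	}
	// Key schedule (assumption, standing in for the app's own): SHA-256 over a label
	// and the shared secret. A production schedule would be HKDF over the transcript.
	key := sha256.Sum256(append([]byte("cirabit-example-session-key"), shared...))
	block, _ := aes.NewCipher(key[:]) // cannot fail for a 32-byte key
	s.aead, _ = cipher.NewGCM(block)
	s.eph = nil // forward secrecy: nothing is kept that could re-derive the shared secret
	return nil
}

// Exchange runs the flow end to end and reports what Bob decrypts, whether a
// flipped ciphertext bit is rejected, and whether a handshake carrying Mallory's
// X25519 key (which Mallory cannot sign as Alice) is rejected.
func Exchange() (recovered string, tamperRejected, forgeryRejected bool) {
	alice, bob, mallory := NewIdentity(), NewIdentity(), NewIdentity()
	aSess, aHs := StartSession(alice)
	bSess, bHs := StartSession(bob)
	check(aSess.Complete(bHs, pub(bob))) // each side already knows the other's identity key
	check(bSess.Complete(aHs, pub(alice)))
	nonce := make([]byte, aSess.aead.NonceSize()) // 96-bit nonce, fresh per message, sent with the ciphertext
	_, err := rand.Read(nonce)
	check(err)
	ct := aSess.aead.Seal(nil, nonce, []byte("hey"), nil)
	pt, err := bSess.aead.Open(nil, nonce, ct, nil)
	check(err)
	ct[len(ct)-1] ^= 0x01 // flip one bit of the GCM tag
	_, tamperErr := bSess.aead.Open(nil, nonce, ct, nil)
	_, mHs := StartSession(mallory) // Mallory can relay packets but cannot sign as Alice
	bSess2, _ := StartSession(bob)
	return string(pt), tamperErr != nil, bSess2.Complete(mHs, pub(alice)) != nil
}

func main() {
	fmt.Println(Exchange()) // hey true true
}
```

Exchange returns what Bob decrypted, whether a ciphertext with one flipped bit was rejected, and whether a handshake carrying Mallory’s X25519 key was rejected. The last case is why the Ed25519 signature is there: without it, a relaying phone could run the key exchange with both ends and read everything. Dropping the ephemeral private key after Complete is the forward-secrecy step; nothing here protects messages inside a session whose AES key leaks.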
No server means nothing to subpoena and no account database to breach. Cover traffic (random delays and dummy messages) makes traffic analysis harder. Emergency wipe is a triple-tap on the logo and clears everything on your phone instantly; it can’t recall copies that other phones in the mesh have already received. Tor is bundled for the internet-connected features.
There is one real limitation I want to be honest about: Bluetooth signals are physically detectable. BLE advertising is broadcast in the clear, so anyone with a BLE sniffer, or just another phone, can see that devices around them are advertising the app’s BLE service and, from signal strength, roughly where they are. A government doesn’t need specialized radio equipment to learn that Bitchat is being used in an area, even without reading a single message. The encryption protects what you’re saying. It doesn’t hide that you’re saying something. In a truly hostile environment, that distinction matters. This isn’t a reason not to use it. It’s something to understand.
Distribution
Not on the Play Store yet. Website and GitHub releases, which means granting your browser or file manager the “Install unknown apps” permission. The upside: the source is public, the APK is signed, and you can build it from the repo yourself if you’d rather verify exactly what you’re running. If you want to check a downloaded APK before installing it, apksigner verify --print-certs from the Android SDK build tools prints the signing certificate’s fingerprint, and that fingerprint should be identical from one release to the next. For a privacy-focused app, that’s not a bad property to have. F-Droid and Play Store are both on the roadmap.
The part where I get a little sincere
Here’s the thing I keep thinking about.
Most messaging apps ask you to trust them. Trust that they won’t read your messages. Trust that they’ll resist government requests. Trust that their privacy policy means what it says. Some of them are genuinely trustworthy. I use Signal. I trust Signal. But that trust is based on a track record, on open protocols, on a nonprofit structure designed to resist exactly the kind of pressure that would compromise it.
Bitchat, and by extension Cirabit, is a different kind of claim. The claim isn’t “trust us.” The claim is: “there is no us to trust.” There’s no server. There’s no company in the middle. There’s no infrastructure to compel. The privacy property is structural, and structure doesn’t change when a government sends a letter.
That’s what I saw in Nepal. That’s what Ugandans reached for when the internet went dark. That’s what Iranians were using in January when Tehran pulled the plug on the whole country’s connectivity. Not because these tools are perfect, but because when every other option requires trusting an institution that can be pressured or shut down, a mesh of Bluetooth signals between phones in a crowd is what’s left. And it worked.
I’m a developer building a fork of this thing and adding features to it. That’s not a dramatic statement. But the reason I care enough to do it, to maintain it, to write this post, is that I’ve seen what happens when communication infrastructure gets shut down and what it means to people that some tools can’t be. That’s worth contributing to, even in a small way.
Go get Cirabit at cirabit.smaia.dev/download. Repo at sarahsec/cirabit-android, GPLv3. Contributions welcome, seriously.