Security Safety Audits

OTF offers security audits for app developers and maintainers needing an audit of their application, as well as public safety audits, which investigate concerns around applications that may be contributing to human rights violations or widespread surveillance efforts, or about devices that may have been hacked and targeted by spyware. The following are audits for individual apps and tools.

Opaque – Security Audit

Opaque is a JavaScript package to allow secure password-based, client-server authentication without the server ever obtaining knowledge of the password.

Disguiser: An End-to-End Global Censorship Framework – Security Audit

Disguiser is a novel framework that enables end-to-end measurement for accurately and comprehensively investigating global internet censorship practices.

DEfO-2 OpenSSL HPKE PR Security Audit

DEfO is developing an implementation of the Encrypted ClientHello (ECH) mechanism for OpenSSL. This effectively closes a privacy loophole in the Transport Layer Security protocol.

Shira – Security Audit

Shira is a web app that helps human rights defenders, activists, and journalists develop their skills to detect and defeat phishing attacks.

VpnHood! Security Audit Results

VpnHood! is a virtual private network service designed to circumvent deep packet inspection (a type of data processing that inspects, in detail, data being sent over a network and may result in blocking or rerouting).

OpenArchive Save (Android & iOS)

OpenArchive is a free, open-source mobile application that securely uploads media content created on mobile phones to an online archive that is publicly accessible, helping ensure that journalists, activists, and citizens in repressive contexts are able to preserve media before it can be deleted or censored by authorities.

SMSWithoutBorders – Penetration Test

SMSWithoutBorders enables secure communication with online services using SMS text messages in the event of an Internet shutdown.

Geph – Security Audit

Geph provides secure and reliable access to the open, censorship-free Internet.

Tella – Security Testing

Security Testing of the Tella applications and backend components.

Delta Chat – Pentest and Privacy Leak Audit

This report details the scope, results, and summaries of a penetration test and privacy leak audit against Delta Chat's Webxdc implementations for Android, iOS, and desktop, as well as a Webxdc specification review.

minivpn OpenVPN – Go Client

A whitebox security review conducted against the minivpn implementation. minivpn is a minimalistic OpenVPN implementation in Go (an open source programming language) that eliminates privilege escalation attacks by design, as it runs with the permissions of the regular user. A Whitebox security review of the minivpn implementation was solicited by the Open Observatory of Network […]

Amnezia VPN Apps (Mobile & Desktop) – Pentest Report

A whitebox security review conducted against the implementation of the Amnezia VPN clients. AmneziaVPN is a multi-protocol open-source VPN client that allows users to configure their own servers. The primary difference between AmneziaVPN and other VPN solutions is that the AmneziaVPN project is not a VPN service itself, but a supplier of free and open-source […]

Partisan Telegram – Application and Operational Security Assessment

Partisan Telegram (P-Telegram) was developed to meet the needs of high-risk users. P-Telegram is intended for use by political dissidents to facilitate coordination using Telegram in regions controlled by hostile forces. Telegram is one of the world’s most popular cross-platform cloud-based instant messaging services. However, it’s important to remember that on Telegram, private and group […]

Padloc – Penetration Test 2022

Padloc is a secure, encrypted password management system. Padloc, an open-source, end-to-end encrypted password management system, engaged Open Technology Fund’s Red Team Lab to carry out a penetration test for the platform. The cloud-based service was designed to be the first password management system that is truly usable and accessible for everyone, not just the […]

GlobaLeaks – Penetration Test 2022

GlobaLeaks is the first open-source secure submission framework. GlobaLeaks is free, open source software enabling anyone to easily set up and maintain a secure whistleblowing platform. GlobaLeaks, the first open-source secure submission framework, was one of the first projects supported by OTF. Since its creation, GlobaLeaks has been challenged to implement a secure technology with […]

MiniLock

MiniLock is a small, portable file encryption software. The idea behind its design is that a passphrase, memorized by the user, can act as a complete, portable basis for a persistent public key identity and provide a full substitute for other key pair models, such as having the key pair stored on disk media (the […]

Clipperz

Clipperz is an online vault and password manager that knows nothing about you and your data. Everything you submit is locally encrypted by your browser before being uploaded to Clipperz. pentest-report_clipperz

Onion Browser

Onion Browser is a minimal web browser that encrypts and tunnels web traffic through the Tor onion router network and provides other tools to help browse the internet while maintaining privacy Cure53 conducted a penetration test against the Onion Browser in 2014. and yielded an overall result of ten vulnerabilities and seven general weaknesses which […]

OpenPGP

OpenPGP is the most widely used email encryption standard. It is defined by the OpenPGP Working Group of the Internet Engineering Task Force (IETF) as a Proposed Standard in RFC 4880. Cure53 conducted a penetration test on OpenPGP (2014). This penetration test was carried out and coordinated by four testers and yielded an overall of […]

Mailvelope

Mailvelope is a free software for end-to-end encryption of email traffic inside of a web browser that integrates itself into existing webmail applications. Cure53 conducted a penetration test against Mailvelope (2012 – 2013). The test was not a classic penetration test against a static target, but rather a very early evaluation of Mailvelope’s security implementation […]

Nossas Cidades

Non-profit organization that works under the mission of arming and articulating the power to reinvent and rebuild politics , every day. In February, Radically Open Security (ROS) carried out a penetration test for Nossas Cidades in order to assess the security of the Nossas Cidades applications and guide Nossas in attempting to find vulnerabilities. The […]

WEPN

With WEPN, you can setup your own trusted and secure VPN service and protect your data from malicious third parties. OTF Red Team Lab partner 7ASecurity completed a penetration test and whitebox audit of the WEPN solution. Conditions for internet users in many parts of the world are restrictive. Censorship and state-led surveillance are commonplace […]

Uwazi

Uwazi is a free, open-source solution for organising, analysing and publishing your documents. Subgraph performed a security audit of the Uwazi application. This audit consisted of the following: -Automated and manual testing of the application deployed natively and in Docker -Code auditing of the application, with a focus on issues such input validation vulnerabilities, file […]

NetAidKit

NetAidKit is a USB powered “privacy router”. NetAidKit is designed to connect to untrustworthy wired and wireless networks so that the user’s hosts are firewalled within the network and their traffic can be transparently tunneled over Tor and OpenVPN connections. Subgraph tested the security of the application component of the NetAidKit firmware, specifically that which […]

SOAP

SOAP is an XML-based protocol for accessing web services over HTTP. SOAP was originally known as the Simple Object Access Protocol. SOAP is a protocol on how web services talk with one another. Specifically, SOAP is a web-based application for the guided creation of a security policy document specifically tailored for NGOs. SOAP provides a […]

MassBrowser

MassBrowser is a free to use and open source tool designed to circumvent Internet censorship. Subgraph conducted a security assessment of MassBrowser in March 2020. For the purpose of testing, Subgraph deployed an isolated MassBrowser network. The audit was limited in scope to the implementation and configuration of the various MassBrowser architectural components. There was […]

ASL19

ASL19 is an independent technology organisation that works toward practical responses for online access to information. Subgraph conducted a security assessment of ASL19. The base methodology for this audit is the SAFETAG framework (https://safetag.org). ASL19 is an organization that is primarily focused on helping Iranians access the Internet without restrictions. ASL19 is primarily a software […]

EasyCrypt

EasyCrypt is a toolset for reasoning about relational properties of probabilistic computations with adversarial code. EasyCrypt’s main application is the construction and verification of game-based cryptographic proofs. The objective of this security assessment was to identify and confirm potential security vulnerabilities. IncludeSec identified 19 categories of findings. There were 2 deemed a “Critical-Risk,” 1 deemed […]

oLink

oLink is a firewall circumvention open-source tool set. The objective of this assessment was to identify and confirm potential security vulnerabilities. The assessment was conducted in January 2022. IncludeSec identified 11 categories of findings. There were 1 deemed to be “Critical-Risk,” 2 deemed to be “High-Risk,” 1 deemed to be “Medium-Risk,” and 4 deemed to […]

DeltaChat

Delta Chat is a new, unique messaging application that functions like any text messaging tool but is built with an email backend, enabling enhanced user privacy and security with end-to-end encryption via Autocrypt. IncludeSec performed a security assessment of DeltaChat’s RPGP and RustCrypto RSA Libraries in June-July 2019. The objective of this assessment was to […]

NetFreedom Pioneers’ Toosheh Extractor and Viewer

IncludeSec performed a security assessment of NetFreedom Pioneers’ Toosheh Extractor and Viewer Applications. The objective of this assessment was to identify and confirm potential security vulnerabilities. The team assigned a qualitative risk ranking to each finding. IncludeSec also provided remediation steps which NetFreedom Pioneers could implement to secure its applications and systems.

Zom Mobile Apps

Zom is an open-source communication and connection tool with built in privacy features. This report documents the findings of a security assessment of the Zom application, carried out by five members of the Cure53 team in late April and early May of 2016. The scope of the assignment discussed in this report encompassed tests against […]

IJOP Chinese Police App

The Integrated Joint Operations Platform (IJOP) is a policing program based on big data analysis in Xinjiang, one of the most repressive regions in the world. This report documents the findings of a Cure53 assessment targeting the Integrated Joint Operations Platform (IJOP) mobile app. This project was requested by Human Rights Watch (HRW). Cure53 carried […]

Tornaj

This report documents the findings of a penetration test against the Tornaj Android mobile application, carried out in February 2017 by Cure53. The tests, which involved three members of the Cure53 team, yielded seven security-relevant discoveries. The full audit and summary of findings can be found below. Tornaj Penetration Test

TextSecure

TextSecure was an encrypted messaging application for Android that was a predecessor to Signal. This source code audit and a penetration test against the Signal-Browser extension was carried out by four testers from Cure53. In terms of the scope of the test the focus was placed on a specially created tag available in the public […]

“Study the Great Nation”

Study the Great Nation is a smartphone application created around the Communist Party of China and the life of Xi Jinping. This report documents the results of an analysis targeting the so-called “Study the Great Nation” mobile application. Cure53 was tasked with reviewing the premise of this app by the Open Technology Fund and completed […]

Radio Free Asia

RFA is a private, nonprofit corporation that broadcasts news and information to listeners in Asian countries where full, accurate, and timely news reports are unavailable. Radio Free Asia’s mission is to provide accurate and timely news and information to Asian countries whose governments prohibit access to a free press. This penetration test against several selectively […]

Reporta

Reporta was designed to empower journalists working in potentially dangerous conditions to quickly implement their security protocols with the touch of a button. This report documents the findings of the penetration test and source code audit of the Reporta applications and their PHP backend. The assessment of the state of security at Reporta was carried […]

CaseBox

CaseBox is a flexible task, document, and record management system. CaseBox is designed to support the needs of litigation NGOs which are looking for an integrated and web-based application to manage their caseload. CaseBox can also be provided to NGOs at a hosted “software as a service” solution, including technical support, customisations, and upgrades. The […]

PyCIRCLean

PyCIRCLean is the core Python code used by CIRCLean, an open-source USB key and document sanitizer created by CIRCL. The PyCIRCLean module has been separated from the device-specific scripts and can be used for dedicated security applications to sanitize documents from hostile environments to trusted environments. PyCIRCLean is currently Python 3.3+ compatible. This report documents […]

SmartSheriff

Smart Sheriff is a South Korean parental monitoring mobile app. This report describes a follow-up analysis against the Smart Sheriff mobile apps, which is a government-mandated smartphone application compound deployed in South Korea. The project states its purpose as allowing parents to monitor the online activities of their children. The analysis against the version(s) 1.7.7 […]

Peerio

Message contacts and share files simply and securely with Peerio. Two penetration tests were conducted against Peerio. These penetration tests and code audits against several parts of the Peerio software compound took an overall of 10 days. It engaged five testers of the Cure53 team, who were tasked with coverage of different parts of the […]

PCRE

The PCRE library is a set of functions that implement regular expression pattern matching using the same syntax and semantics as Perl 5. The source code audit against the PCRE2 library was carried out by two testers and one test-lead from the Cure53 team throughout September and October 2015. The audit took twenty days to […]

Padlock

Padloc is a secure, encrypted password management system. This report documents the findings of a penetration test and source code audit carried out by the Cure53 team against the Padlock.io password manager application. The test’s scope encompassed the app’s Chrome extension, mobile applications and the server API. Since the tasks were guided by the white-box […]

OpenKeychain

OpenKeychain helps you communicate more privately and securely. OpenKeychain uses high-quality modern encryption to ensure that your messages can be read only by the people you send them to, others can send you messages that only you can read, and these messages can be digitally signed so the people getting them are sure who sent […]

NewsPal Media

This report documents a penetration test against the NewsPal Media application and its connected entities. With regard to the approach and scope, this assessment aimed at tackling the mobile NewsPal Media application, which effectively expanded the coverage to the API server employed by the app and its connected website. The Cure53 testers had access to […]

Monocypher

Monocypher is a compact, portable, opinionated, fast crypto library. This report describes the results of a cryptography audit carried out by Cure53 against the Monocypher library in version 3.1.1. The work was requested by the Monocypher maintainers . Cure53 completed the project in late June 2020. Cure53 examined the Monocypher 3.1.1. Version, available as a […]

FlowCrypt

FlowCrypt is email encryption software. It uses OpenPGP to encrypt outgoing messages on your device with keys only you and your recipient have access to. This report describes the results of a security assessment targeting several parts of the FlowCrypt ecosystem. Carried out by Cure53 in June 2020, the project entailed a penetration test and […]

Firefly

Firefly is a proxy software able to circumvent the Great Firewall in China. This report documents the penetration test and code audit commissioned by Firefly and carried out by security experts from the Cure53 team. The assignment took place over a period of eight days in early February 2016 and involved five Cure53 testers. As […]

Nitrokey

Nitrokey is an USB key to enable highly secure encryption and signing of emails and data, as well as login to the Web, networks and computers. In 2015, Cure53 conducted penetration tests and code audits of Nitrokey’s firmware and storage hardware. The tests were part of a larger series of security assessments, in which security-focused […]

Cyph

Cyph is a revolutionary new secure messenger, created to defend the world from mass surveillance. This penetration test and source code audit against the Cyph codebase and infrastructure was carried out by five testers of the Cure53 team. It took twelve days total to complete and yielded an overall of nine security vulnerabilities, as well […]

GreatFire

GreatFire’s website-mirror-by-proxy is a server-side web proxy designed to host one or multiple dynamic mirror versions of any website. Conducted by Cure53, this penetration test and code audit against the GreatFire censorship circumvention tool. The penetration test was carried out by two testers from the Cure53 team. The test lasted four days and resulted in […]

F-Droid

F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform. Conducted by Cure53, this test against several components of the FDroid application service compound occurred in January 2015. The scope of this project was particularly broad, since the assignment covered a server-side implementation (composed in Python), an Android […]

Cupcake

Cupcake is a simple browser extension that creates new Tor bridges with no setup or configuration required. Cupcake uses a tool known as a “flash proxy” to create special Tor bridges that are harder to block. Flash proxies are a new way of providing access to a censorship circumvention system such as Tor. A flash […]

BXAQ

BXAQ is a Chinese “police app” that is often installed at border crossings, specifically on the phones of foreigners. Care53 was engaged to conduct an assessment of the BXAQ mobile application, with the main objective of finding out whether the app violates human rights. Cure53 carried out a source code audit and a dedicated review […]

Briar

Briar is an open source messaging app designed for activists, journalists, and anyone else who needs a safe, easy, and robust way to communicate. Unlike traditional messaging tools such as email, Twitter or Telegram, Briar doesn’t rely on a central server – messages are synchronized directly between the users’ devices. If the Internet’s down, Briar […]

AccessNow OpConsole

Access Now defends and extends the digital rights of users at risk around the world. Cure53 conducted a penetration test and source code audit of OpConsole in May 2015. The AccessNow OpConsole is a web based stand-alone platform used for the work of the AccessNow helpline. The test and audit yielded vulnerabilities and weaknesses that […]

Access My Info (AMI)

Access My Info (AMI) helps you in making data access requests to companies. Cure53 security consultants conducted a penetration test and source code audit of AMI, which tested and evaluated the security of the application. Conducted in April 2016, this test led to a discovery of nine security issues and vulnerabilities that have since been […]

Open Observatory of Network Interference

OONI Probe is free and open source software designed to measure internet censorship and other forms of network interference. The Open Observatory of Network Interference, OONI, is an open source network testing framework and associated tests for detecting internet censorship. Least Authority conducted an audit of OONI. The audit was primarily focused on the ooni-backend […]

GlobaLeaks

GlobaLeaks is the first open-source secure submission framework. GlobaLeaks is free, open source software enabling anyone to easily set up and maintain a secure whistleblowing platform. Radically Open Security (ROS) conducted a penetration test for GlobaLeaks between October 28 and November 28, 2019. The scope of the penetration test was limited to the source code […]

Ushahidi

The Ushahidi platform is a crowdsourcing data mapping tool. Radically Open Security (ROS) performed a penetration test of the Ushahidi platform in February 2016. The scope of the penetration test was limited to: This was a crystalbox penetration test with access to the public (Ushahidi platform) and private (Ansible playbooks) Github Repositories. The full penetration […]

RelayBaton

A pluggable transport to circumvent Internet censorship. Between November 26, 2019 and December 9, 2019, Radically Open Security (ROS) performed a penetration test for Relay Baton, a pluggable transport to circumvent Internet censorship. The objective of this project was to perform a security review on the source code. The full security review and summary of […]

StegoTorus

StegoTorus is a camouflage proxy for the Tor anonymity system. StegoTorus and OTF engaged Radically Open Security (ROS) to review the code of the StegoTorus tool. ROS studied all the findings and fixed most of the issues including those which were concerning dead codes (not running in StegoTorus). The full code review and audit can […]

Ricochet

Ricochet is an open-source project to allow private and anonymous instant messaging. Ricochet and the Open Technology Fund engaged NCC Group to perform an assessment of the Ricochet anonymous messaging application. Two NCC Group consultants performed the assessment between November 16th and 25th, 2016. The engagement was conducted as a source code review with a […]

Olm

Olm is an implementation of the Double Ratchet cryptographic ratchet in C++. In September 2016, Matrix, along with financial support from the Open Technology Fund, engaged NCC Group’s Cryptography Services Practice to perform a targeted review of their cryptographic library Olm. The review covered two major components of the Olm library: the double ratchet used […]

(n+1)sec

A secure group messaging protocol allowing instantaneous communications between any number (n) of people. In Spring 2017, the Open Technology Fund engaged NCC Group’s Cryptography Services Practice to perform a targeted review of the Equalitie cryptographic library, (n+1)sec. The (n+1)sec library aims to provide a secure group chat mechanism that provides secrecy and consistency of […]

Lantern

Lantern is a free peer-to-peer internet censorship circumvention tool that delivers fast, reliable, and secure access to the open internet. It provides a way to bypass state-sanctioned filtration through a network of trusted users. During the summer of 2016, Lantern and Open Technology Fund engaged NCC Group to conduct a security assessment of Lantern. Lantern […]

RedPhone

RedPhone is an encrypted voice calling app. This audit, completed by Veracode, contains a summary of the security flaws identified in RedPhone using automated static, automated dynamic, and manual security analysis techniques. This method is useful for understanding the overall security quality of RedPhone. The full detailed audit is available below. RedPhone Security Audit

Martus (JTor)

Martus is a free, open source, secure information collection and management tool that empowers rights activists to be stronger in their fight against injustice and abuse. This audit of Martus tool JTor (Tor integration tool), completed by Veracode, contains a summary of the security flaws identified in JTor using automated static, automated dynamic, and manual […]

Gibberbot (Guardian Project)

Gibberbot was the Guardian Project’s secure instant messaging app. This audit, completed by Veracode, contains a summary of the security flaws identified in Gibberbot using automated static, automated dynamic, and manual security analysis techniques. This method is useful for understanding the overall security quality of Gibberbot. The full detailed audit is available below. Gibberbot Security […]

GlobaLeaks

GlobaLeaks is the first open-source secure submission framework. GlobaLeaks is free, open source software enabling anyone to easily set up and maintain a secure whistleblowing platform. This audit, completed by Veracode, contains a summary of the security flaws identified in GlobaLeaks using automated static, automated dynamic, and manual security analysis techniques. This method is useful […]

Commotion Android

Commotion is an open-source communication tool that uses mobile phones, computers, and other wireless devices to create decentralized mesh networks. This report contains a summary of the security flaws identified in Commotion using automated static, automated dynamic and/or manual security analysis techniques. This is useful for understanding the overall security quality of an individual application […]

Cryptocat

Cryptocat allows users to engage in encrypted chats within a browser. Several audits have been conducted for Cryptocat. Cryptocat Security Audit This report summarizes the security flaws identified in the application using manual security analysis techniques, useful for understanding the overall security quality of this application or for comparisons between applications. The full report can […]

Tracer

This report contains a summary of the security flaws identified in Tracer using automated static, automated dynamic and/or manual security analysis techniques. This is useful for understanding the overall security quality of an individual application or for comparisons between applications. OTF partner Veracode conducted a security audit for the android app Tracer. The full detailed […]

LeaveHomeSafe App – Security Audit

Update 2022-08-22: 7ASecurity completed a comprehensive retest performed against LeaveHomeSafe 3.4.0, where most issues, including the critical one, were confirmed to remain unfixed. However, some medium severity findings were silently patched without notifying the public. Update 2022-07-29: 7ASecurity has updated their blog post reaffirming their findings following a public statement from the Office of the […]

Security Safety Audits

You are signed up!