Delta Chat is a messenger application that operates over email and enables opportunistic encryption for its users. In mid-2022, Delta Chat launched a ‘web apps shared in chat’ (Webxdc) feature, which allows for privacy-preserving, interactive content in a chat environment.
A security assessment for Delta Chat was requested by the Delta Chat team in February 2023 and initiated by Cure53 in March 2023. The testing conducted for this audit was divided into two distinct work packages:
* Verification of Delta Chat Webxdc privacy assurances
* Detailed security review against the Webxdc specification
Cure53, an OTF Red Team Lab partner, was provided with an example web application, source code, specifications, threat models, and any other means of access required for a smooth review. The testing followed a white-box methodology, in which the testers have complete knowledge of the application, including access to its source code and design documents.
The number and severity of findings were moderate compared with similarly scoped audits, which reflects favorably on the security posture of Delta Chat Webxdc. Across the two work packages, Cure53 identified a total of seven issues: five were classified as security vulnerabilities, and two were deemed general weaknesses with lower exploitation potential. Most of these pertained to the Delta Chat desktop application, whereas the mobile applications proved resilient against the range of attack and threat scenarios tested.
Following the audit, Delta Chat implemented additional hardening of the Webxdc platform on Android and iOS and addressed the remaining issues identified in the report. The full report can be found at the link below.