Geph is a cross-platform, open-source program that provides secure and reliable access to the open, censorship-free internet. Unlike traditional VPNs and proxies, Geph is designed from the ground up to be resilient even against powerful national censorship systems.
Through OTF’s Red Team Lab, Include Security performed a remediation test of Geph’s mobile and web applications to check the safety of Geph’s censorship circumvention system, and to confirm if the tool can be trusted by those living in repressive censorship environments.
This assessment consisted of two main components: a security assessment and a holistic security analysis of the Geph project. The objective of the security assessment was to identify and confirm potential security vulnerabilities within targets in-scope of the SOW. The team assigned a qualitative risk ranking to each finding. Recommendations were provided for remediation steps which Geph could implement to secure its applications and systems.
The objective of the holistic security analysis was to formulate a set of prescriptive steps that the Geph team can implement to ensure that security is built into every facet of the Geph software development lifecycle (SDLC).
This security audit discovered several medium-rated risk factors that have since been addressed and or accepted by Geph. Notably, the client accepted several risks with the app:
- No Binary Authentication in Auto Update: The bridge is not seen as a trusted party, while Backblaze B2 (the cloud service for Geph) is considered heavily guarded (so the bridge trusting B2 is not seen as a big issue).
- Application Executable Signed with v1 Signature Scheme (JANUS Vulnerability) – The JANUS vulnerability is found to inject malicious code into reputable Android apps, affecting older versions of Android. However, as Geph says JANUS is unavoidable as they must support very old, insecure Android devices largely due to their popularity in certain countries.
- Security Relevant User Data Stored in Clear Text – This risk is accepted by the client as they believe an additional effort, as a rooted phone can easily read passwords out of the WebView’s local storage.
All remaining issues were addressed by the Geph mobile and desktop clients.
The full security audit:
A summary of the remediation test of Geph’s mobile and web applications: