Through OTF’s Red Team Lab, Trail of Bits conducted a security review of the OpenArchive Save application for iOS and Android. This included a review of the client-provided source code. The testing efforts were focused on the identification of flaws that create a risk to user privacy or may result in a compromise of confidentiality, integrity, or availability of the target system. This audit was conducted with full knowledge of the target system, including access to source code and documentation. The testers performed static and dynamic testing of the target system and its codebase, using both automated and manual processes.

Trail of Bits’ audit of OpenArchive sought to provide a security assessment of the Save Android app, with an emphasis on user privacy. Specifically, they sought to answer questions such as whether data stored by the application is safe, whether personal information could be retrieved by malicious or state actors, and whether errors are handled safely.

The audit of the Android application uncovered five high-severity findings that put data confidentiality at risk. Due to several errors, user data could be leaked in transit through the internet, to an attacker who obtains physical access to the device, or through social engineering attacks. Several Android operating system APIs could also be better configured to protect against a variety of attacks that could allow attackers to steal user data.

The audit of the iOS application did not uncover any significant flaws or defects that could impact system confidentiality, integrity, or availability. However, the audit did uncover a significant flaw that creates a privacy risk for users and uncovered opportunities for improvement from a code maturity perspective.

OpenArchive has since resolved or addressed the findings for both the iOS and Android applications. All high-severity findings from the report were fully resolved.

The security assessments for both applications can be found below.