OpenKeychain helps you communicate more privately and securely.

OpenKeychain uses high-quality modern encryption to ensure that your messages can be read only by the people you send them to, that others can send you messages only you can read, and that messages can be digitally signed so recipients can be sure who sent them. OpenKeychain is based on the well-established OpenPGP standard, which keeps encryption compatible across your devices and operating systems.

This penetration test and source code audit of the OpenKeychain mobile application took twelve days and was performed by five testers from the Cure53 team. The test yielded eighteen issues in total, of which twelve were classified as vulnerabilities and six as general weaknesses. The test was performed against a dedicated release tag created by the project maintainers in the public GitHub repository. The Cure53 team audited the available sources and tested the running application on both emulators and physical Android devices for maximum coverage. In addition to the core library, selected parts of the third-party libraries it depends on were also audited.

The full audit and summary of findings can be found below.

OpenKeychain Penetration Test