Tella is an open-source platform intended to be used by individuals and organizations to collect data on human rights violations in potentially dangerous environments. The Tella project is based primarily on two mobile apps – one for Android, and one for iOS. These apps support the collection of photos, videos, audio, and other types of data, and support the submission of such data to remote servers, including servers running the Tella Web tool.
Tella Web is an open-source backend for the Tella clients. Both Tella Android and Tella iOS can submit data to a Tella Web server configured in the application.
To make the apps safer to use, Tella has added data protection (encryption), camouflage, secondary authentication for the app, and other security mechanisms. To further enhance the safety of the app, Tella engaged Subgraph through the OTF Red Team Lab to perform security testing of the Tella applications and backend components.
Subgraph performed tests on the latest versions of the applications. Both run-time testing and source code review were employed. The objectives of this security audit were to assess the risks of unauthorized access or tampering with the Tella-hosted devices and assess the risk of confiscation of the data by assessing the shutdown and quick-delete features of the apps. The audits included a standard security review.
The audit of the Tella web implementation followed that of a standard web-based application/API backend, with a focus on the authentication mechanism, role-based access control, session management, use of cryptography, and more.
The security audit uncovered several low to medium risks across the Tella apps. As part of Subgraph’s reporting, remediation recommendations were provided to Tella, which are currently being deployed.
The full report can be found below.