TextSecure was an encrypted messaging application for Android that was a predecessor to Signal.

This source code audit and penetration test of the Signal-Browser extension was carried out by four testers from Cure53. The scope of the test was a specially created tag in the extension's public GitHub repository. The test covered injection attacks, cryptographic implementations, and security issues specific to browser extensions, and also evaluated robustness and transport security. The underlying cryptographic library, libaxolotl, was explicitly out of scope for this assignment.

The full audit and summary of findings can be found below.

TextSecure Penetration Test