Completing a Session code audit has been in the works for a long time, and now it’s finally here. An audit of Session’s Android, iOS, and Desktop versions has been completed by the cybersecurity research company Quarkslab. For those who have been waiting for an audit to try Session, recommend Session, or just wanted some extra assurance around the app: today’s the day.

The audit itself is quite long and complex, and it’ll be difficult to read if you’re not technically minded. But the major takeaway is this: Session is cryptographically sound. Quarkslab only raised a few issues with Session, most of which have already been patched. A couple of low impact issues remain, but they are mostly related to deliberate design choices; we explain those below.

Why does having a Session code audit matter?

Writing code is hard, even for the experts. As skilled and experienced as our engineering team might be, writing foolproof code for a hardcore private messenger like Session is a painstaking, precise process which demands current and detailed knowledge of the use and limitations of different libraries, hardware and devices, operating systems, and more. And mistakes can open Session up to attacks from all kinds of different adversaries.

A code audit gives you (and us) peace of mind. The security and integrity of the Session code has been verified by a trusted third party, and we can now more safely say that Session’s codebase is sound.

The security audit includes analysis of Session’s actual code, as well as considerations about the functionality and design of the app and how that relates to its security.

Beyond that, the audit is about trust. Session is designed to reduce the amount of trust you need to place in your messenger. But there is still one aspect of Session that requires trust: the Session Team. You need to trust that Session is actually what we say it is, that we’ve built the app the way it was designed, and that there are no monsters hiding under the bed. Unless you were a master coder with endless free time to check the code yourself, you had to hope we were being honest and acting in good faith. Now the audit shows that we have been, at least up until now.

What were the issues raised in the audit?

In total, Quarkslab raised 2 issues with the Desktop client, 7 with iOS, and 7 with Android. Many of these have already been fixed, leaving 1 outstanding issue on Desktop, 4 on iOS, and 4 on Android.

Only one of the issues raised was considered severe by Quarkslab, and it pertained only to Session on Android. It related to TLS verification when fetching information about the service node list: an attacker holding a certificate issued by a malicious or compromised certificate authority could potentially have interfered with that connection.

Many of the ‘unfixed’ issues are actually intended Session functionality. While they are valid recommendations, things like being able to copy your recovery phrase to your clipboard, take screenshots in the app, and the default notification configuration are deliberate design decisions made to improve the functionality and user experience of Session.

What’s next?

Well, this is a really big day for Session. Understandably, plenty of privacy enthusiasts, journalists, activists, and other groups have been waiting for Session to be audited before they gave it their full support.

Take back your online privacy today - download Session.

Session is built and maintained by the OPTF, Australia’s first privacy tech not-for-profit organisation. Session is free as in free speech, free as in free beer, and free of ads and trackers.