They made no reference to Jacobs's analysis, but added, "We are confident in the rigor of the security audits conducted on Reporta." (Full statement here.)

Eleanor Saitta, an independent security researcher critical of the Reporta app, worries that the IWMF still doesn't get it.

"I know they're good folks and they care," she wrote in an encrypted email. "Regarding the open sourcing, this is obviously a welcome step. That said, their announcement leaves significant doubts that they actually understand why this is happening."
Since its launch, we have received a lot of constructive feedback on Reporta. Some IT security experts have recommended that we make the app's code open-source to increase transparency. We agree. We plan to place the code in a public repository. Our developers estimate this process will take a few weeks.
"They're not releasing their audit reports … nor are they apparently planning to fix their fundamentally broken model where they have access to all their users' information," she added. "Even assuming their code is completely clean, until they do both of these things, it's still a complete security risk and should never be used."

Jacobs was equally concerned. In a Twitter DM, he wrote, "Open-sourcing client apps is a good move. But my worry is the server-side … That's a goldmine of personal data that is sitting there unencrypted."

"Think of the consequences that a database dump of that app might have," he wrote. "All the journalists revealing geolocation information about where they are meeting sources. That would be a disaster."