On Friday, Motherboard reported that the new Reporta app, billed as "the only comprehensive security app available worldwide created specifically for journalists," may not be secure at all.
After we published our story, Frederic Jacobs, Open Whisper Systems's lead developer for their secure messaging app, Signal, spent his Friday night at home reverse engineering the Reporta binary for iOS. He published the results here. His conclusion was, in a tweet, "Sloppy engineering. Reporta is forensics & analytics rich."
"Every action is logged," he wrote in his report. Google Analytics is built into the app, which stores the logs in a local cache before uploading them to Google's servers. Reporta also uses Twitter's Crashlytics crash-reporting framework, he explained.
"If you're building an app for journalists in 'potentially dangerous conditions,'" Jacobs wrote in a Twitter direct message, "you shouldn't be tracking your users that much. And certainly not giving out that information to third parties without asking for consent of their users."
Worse, according to his analysis, the Reporta data on a user's device is "only encrypted at some moments for reasons that are not clear," he explained in the DM.
"Free forensics!" he wrote in his report.
"Another useful aspect," he added, "is that they store the last locations in plaintext." That makes it easy for anyone with access to a journalist's phone, including authorities, to trace that user's prior movements without needing any password or key.
Jacobs also faulted the Reporta app for using an insecure encryption protocol when connecting to the reportaapp.org server. "An app review can't be done without a screenshot from SSLLabs," he wrote. "No PFS or TLS1.2 support."
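The two properties Jacobs names, forward secrecy and TLS 1.2 support, can be checked from the negotiated protocol and cipher suite of a single handshake. The script below is an added example written for this article, not code from Jacobs's report or from Reporta; it assumes OpenSSL-style cipher names (as returned by Python's `ssl` module) and the hostname `reportaapp.org` is only used as an illustration of how the probe would be called, it is not contacted by the test.

```python
"""Classify a TLS handshake result for the two findings in the report:
forward secrecy (PFS) and TLS 1.2 or newer."""
import socket
import ssl

# OpenSSL cipher names whose key exchange is ephemeral (EC)DH. With these,
# a later compromise of the server's long-term private key does not let an
# adversary decrypt traffic they recorded earlier; with plain RSA key
# exchange (names like AES256-SHA) it does.
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def assess(protocol: str, cipher_name: str) -> dict:
    """Return a small review record for one negotiated (protocol, cipher) pair.

    protocol is the string ssl.SSLSocket.cipher() reports, e.g. "TLSv1.2";
    cipher_name is the OpenSSL suite name, e.g. "ECDHE-RSA-AES128-GCM-SHA256".
    """
    modern = protocol in ("TLSv1.2", "TLSv1.3")
    if protocol == "TLSv1.3":
        # Every TLS 1.3 suite uses an ephemeral (EC)DHE exchange; the suite
        # name (TLS_AES_256_GCM_SHA384, ...) no longer encodes key exchange.
        pfs = True
    else:
        pfs = cipher_name.startswith(PFS_PREFIXES)

    issues = []
    if not modern:
        issues.append("No TLS 1.2 support (negotiated %s)" % protocol)
    if not pfs:
        issues.append("No PFS (static key exchange in %s)" % cipher_name)
    return {
        "protocol": protocol,
        "cipher": cipher_name,
        "tls12_or_newer": modern,
        "forward_secrecy": pfs,
        "issues": issues,
    }


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open one TLS connection with the platform's default client policy and
    classify what the server negotiated. Requires network access; the default
    context also verifies the certificate chain, so a broken chain surfaces
    as an ssl.SSLError rather than a silent pass."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, protocol, _bits = tls.cipher()
    return assess(protocol, name)


if __name__ == "__main__":
    # Offline demonstration on constructed handshake results; a live run
    # would be probe("reportaapp.org").
    for proto, suite in [
        ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),  # modern, PFS
        ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),       # modern, PFS
        ("TLSv1.2", "AES128-GCM-SHA256"),            # modern, no PFS
        ("TLSv1", "AES256-SHA"),                     # legacy, no PFS
    ]:
        report = assess(proto, suite)
        print(proto, suite, "->", report["issues"] or ["OK"])
```

A single default-policy handshake only shows the best the server and this client agree on; a full review, as Jacobs's SSL Labs remark implies, also checks which older protocols the server still accepts, which this example deliberately leaves to a dedicated scanner.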
In response to these revelations, the International Women's Media Foundation (IWMF), which created Reporta, announced that it will release the source code under an as-yet-unspecified open-source license. In a statement on its website, the group wrote:
Since its launch, we have received a lot of constructive feedback on Reporta. Some IT security experts have recommended that we make the app's code open-source to increase transparency. We agree. We plan to place the code in a public repository. Our developers estimate this process will take a few weeks.
They made no reference to Jacobs's analysis, but added, "We are confident in the rigor of the security audits conducted on Reporta." (Full statement here.)
Eleanor Saitta, an independent security researcher critical of the Reporta app, worries that the IWMF still doesn't get it.
"I know they're good folks and they care," she wrote in an encrypted email. "Regarding the open sourcing, this is obviously a welcome step. That said, their announcement leaves significant doubts that they actually understand why this is happening."
"They're not releasing their audit reports … nor are they apparently planning to fix their fundamentally broken model where they have access to all their users' information," she added. "Even assuming their code is completely clean, until they do both of these things, it's still a complete security risk and should never be used."
Jacobs was equally concerned. In a Twitter DM, he wrote, "Open-sourcing client apps is a good move. But my worry is the server-side ... That's a goldmine of personal data that is sitting there unencrypted."
"Think of the consequences that a database dump of that app might have," he wrote. "All the journalists revealing geolocation information about where they are meeting sources. That would be a disaster."