Wire shares results of independent security audit of its secure messaging apps

eBook: The DevOps Roadmap for Security - Tips and tools for bridging the security tribe into DevOps. Download →

When I last spoke to Alan Duric, co-founder and (at the time) CEO of the company developing secure messaging application Wire, he stressed the importance of independent and regular security audits of software.

wire app security audit

The company had already previously engaged outside experts to audit its Proteus cryptographic protocol implementation, and now has revealed the results of a security and privacy audit of its iOS and Android apps, its web app, and the signalling components of the calling protocol.

Audit result

The audit has, once again, been performed by Jean-Philippe Aumasson from Kudelski Security and Markus Vervier from X41 D-Sec GmbH.

In the mobile apps’ case, the review of the security and privacy features was mainly based on the source code review, but the auditors also performed a dynamic analysis of the iOS and Android apps using device emulators, jailbroke/rooted devices, and test devices.

They discovered a number of security bugs and potential privacy leaks, and they have been detailed here and here.

The test of the web app and the calling components revealed a total of seven vulnerabilities (one high severity, five medium, and one low).

“No observations without a direct security impact have been made,” the auditors noted.

“The issue with the highest severity was an outdated JavaScript framework that could potentially allow injection attacks against the application. All identified vulnerabilities except for a DoS issue require preconditions to be exploited successfully.”

A commitment to transparency

Wire noted that all the issues that have been discovered have been either fixed or mitigated.

“We sometimes helped in choosing a mitigation, and always reviewed the fixes implementation. The reports include links to relevant pull requests for most of the bugs fixed,” Aumasson shared.

“It is not good enough to advertise audits from years ago when the whole code base of your product has changed,” Wire concluded.

“We want to drive a change in the communication industry where regular security audits become not only the best practice but a new norm. We believe that security is not a project but a process — therefore we look forward to publishing audit updates as our apps and platform develop.”