Last year Kudelski Security’s JP Aumasson and X41 D-Sec’s Markus Vervier were hired to audit Wire’s cryptography core, the Proteus library. After this audit of the crypto, Wire wanted a security assessment of the client applications, which are also a security-critical component of a messaging application, with an even broader attack surface. JP and Markus teamed up again to perform this work.
We are therefore releasing three new reports, covering the following components:
The Android and iOS reports include a general inventory of the security and privacy characteristics as well as a list of specific bugs found in the source code.
All issues reported have been rapidly addressed by Wire. We sometimes helped in choosing a mitigation, and always reviewed the implementation of the fixes. The reports include links to relevant pull requests for most of the bugs fixed.
We would like to thank Wire for trusting us to perform this work.
(See also Wire’s post.)