Proton Technologies makes the code of ProtonMail iOS App open source

Pierluigi Paganini November 02, 2019

Proton Technologies announced this week that it has made available the source code of its popular ProtonMail iOS App.

Proton Technologies continues to propose initiatives aimed at ensuring the transparency of its ProtonMail applications; this week it announced the availability of the source code of its popular ProtonMail iOS App.

Recently the cybersecurity firm SEC Consult reviewed the source code of the ProtonMail iOS App and found seven low-risk vulnerabilities in the popular mobile mail client.

“During the initial code review, SEC Consult found seven low-risk vulnerabilities in the reviewed source code and the mobile app.” reads the report published by SEC Consult. “Although issues with certificate validation have been identified within the encrypted communication between the mobile application and the backend system, the inner layer of end-to-end encryption could not be broken.”

The vulnerabilities found by the researchers include hardcoded credentials, missing certificate pinning, account upgrade bypass methods, debug messages being enabled and leaking user data.

In addition to the source code, Proton Technologies has made available some documentation, including its iOS security and trust models, that should make it easier for interested parties to review the code.

“Already there are third-party audits for OpenPGPjs and GopenPGP, our open source cryptographic libraries. Earlier this year, we engaged the renowned security firm SEC Consult to conduct an independent audit of ProtonMail’s iOS application.” reads the blog post published by the company. “We are now making our iOS app open source now that it has been independently vetted. For more information, read the full iOS app audit report.”

“In pursuit of this goal, independent third-party audits of all our other clients are underway, and we look forward to open sourcing even more of our code,” continues the post.

The company explained that developers are free to implement and build upon the methods that it has documented and published. The contribution of the cybersecurity community could help the company solve real-world privacy challenges, making popular privacy-focused applications safer and more robust.

In May, the email service ProtonMail was accused of voluntarily offering real-time surveillance assistance to law enforcement.

On May 10, while Stephan Walder, a public prosecutor and head of the Cybercrime Competence Center in Switzerland’s Canton of Zurich, was giving a presentation at an event, the Swiss lawyer Martin Steiger live-tweeted from the event that Walder had incidentally mentioned ProtonMail as a service provider that voluntarily offers support to law enforcement.


Pierluigi Paganini

(SecurityAffairs – ProtonMail, privacy)
