
Reverse Engineering Proves Journalist Security App Is Not Secure - secfirstmd
https://gist.github.com/FredericJacobs/b1b518125b7066880359
======
ge0rg
Original article by Frederic Jacobs:
[https://gist.github.com/FredericJacobs/b1b518125b7066880359](https://gist.github.com/FredericJacobs/b1b518125b7066880359)

~~~
dang
Good catch. We've changed the URL from
[http://motherboard.vice.com/en_uk/read/reverse-engineering-p...](http://motherboard.vice.com/en_uk/read/reverse-engineering-proves-journalist-security-app-unsafe).
If anyone suggests a better (more accurate and neutral) title, we can change
that too.

~~~
danso
I actually think the original URL is worth pointing to, because it gives the
social context of the app. In the gist here, there is no link back to the VICE
story that preceded it [1]...so we're left with an autopsy of a crappy
app...but, IMO, it's more interesting _how and why_ such a crappy app was
allowed to go into production, and for whom.

In this case, the technical details are less interesting than the overview:
that an app designed to protect reporters' sources is inexplicably talking to
Google Analytics and Twitter. The lack of transparency had been noted by VICE
in its earlier story.

Not attacking the gist...just wanting to point out that the VICE article is
not merely blogspam.

[1] [http://motherboard.vice.com/read/this-new-secure-app-for-jou...](http://motherboard.vice.com/read/this-new-secure-app-for-journalists-may-not-be-secure-at-all)

------
danso
Uh, yeah....firms that specialize in security have a hard time getting all the
kinks out. There's no way I would ever trust an app made by journalists to
protect other journalists' security, especially if it were closed-source. This
doesn't have anything to do with the stereotype of journalists not being
computer programmers. It's the notion that a journalists' operational security
"just needs an app"...or even, that journalists need their own special app --
even though most of the features described in Reporta would be useful to just
about anyone. And by targeting mainly journalists, you have a much, much
smaller user base to test it and give feedback on.

The most successful app-by-journalists-for-journalists is probably Django, but
that became big by _not_ tying itself to newsroom conventions.

edit: It's hard to think of anything "designed specifically for a journalist"
that is best-in-class. This includes note-taking and photography apps.

~~~
Zigurd
Don't be too hard on journalists. Humans, in general, think you write a sheet
of vague wishes that you send off to an offshore developer, who will never
tell you your specifications need work, or that you need a security
specialist, or any other bad news.

The "several weeks" to open source the app smells bad, too. What horrors are
being cleaned up? Did this NGO even get the analytics data or was that being
harvested by their contract developers? Did anyone outside the contract shop,
even an on-shore consultant, look at the code? Is the contract shop operating
their back-end? That's deplorable, but also very common.

~~~
LordKano
_Don't be too hard on journalists. Humans, in general, think you write a
sheet of vague wishes that you send off to an offshore developer, who will
never tell you your specifications need work, or that you need a security
specialist, or any other bad news._

As a developer, I have seen what happens when you try to explain that there's
an issue with the specs.

"Oh, you can't do it? Do I need to find someone else?"

I know of some serious vulnerabilities in a former employer's eCommerce
system. When I brought them to the attention of my manager, I was told (not in
these exact words, but the message was loud and clear) that we were being paid
to add new features and no time would be wasted fixing security issues.

~~~
Zigurd
That's right, and the only cure, really, is smarter, more informed customers.
I'm not blaming developers, especially cost-optimized offshore developers for
not taking a client-protective advisory stance with their customers. They are
not paid to do that. On the contrary, as you point out, the more agreeable
they are to even the most harebrained customer requirements, the better for
them.

------
AdmiralAsshat
When a "secure" app has so many holes I would be tempted to think that it was
designed to lull journalists into a false sense of security, but given that
the app was designed by the IWMF, a nonprofit, I'm more tempted to think it's
simply bad design.

That said, I really hope there aren't any female journalists in sensitive
territory using this.

~~~
01Michael10
"That said, I really hope there aren't any journalists in sensitive territory
using this."

Fixed that for you...

~~~
AdmiralAsshat
I'm not saying that male journalists are somehow not at risk, merely that the
non-profit that distributes this app seems targeted at women.

~~~
01Michael10
No it's not... It's targeted at all journalists who would need the app.

------
droithomme
If this report is correct, it's not that the security app is not secure, it's
that the app has been criminally misrepresented as it is riddled with spyware,
logging and tracking.

------
z3t4
Wait a minute ... They use Google Analytics in a "secure" app!? I even removed
Google Analytics from a GAME because I was concerned about the players'
privacy.

------
orblivion
> "Every action is logged," he wrote in his report. Google Analytics is built
> into the app, which stores the logs in a local cache before uploading them
> to Google's servers. Reporta also uses Twitter’s Crashlytics crash-reporting
> framework, he explained.

Doesn't TextSecure use Google's crash reporting? I heard that's one reason
Moxie uses the Google ecosystem for app distribution.

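The quoted passage describes what the reverse-engineering report found: Google Analytics and Crashlytics compiled into the app. The script below is an added example of how a reviewer would triage an Android build for those SDKs without running it; it is not code from Frederic Jacobs' report or from the Reporta project. It takes a list of strings of the kind `strings classes.dex` (after unzipping the APK) or `dexdump` would produce, and matches JVM class descriptors and literal URLs against an indicator list. The sample input is constructed for this example, and the indicator list (package prefixes and endpoint hostnames for the two SDKs) was assembled for it.

```python
"""Static triage of an Android app's DEX strings for telemetry SDKs.

Added example, not code from the report or the app under discussion.
Input: strings such as `Lcom/google/android/gms/analytics/Tracker;`
(JVM class descriptors) and literal URLs, as `strings classes.dex`
would emit them. The indicator table is this example's own.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Package prefixes and endpoint hosts per SDK family. These are the
# publicly documented names for the two SDKs the report names; the
# grouping into families is an assumption made for this example.
INDICATORS = {
    "Google Analytics": {
        "packages": ("com.google.android.gms.analytics",
                     "com.google.analytics.tracking"),
        "hosts": ("www.google-analytics.com", "ssl.google-analytics.com"),
    },
    "Crashlytics": {
        "packages": ("com.crashlytics.android", "io.fabric.sdk.android"),
        "hosts": ("settings.crashlytics.com", "reports.crashlytics.com"),
    },
}

_DESCRIPTOR = re.compile(r"^L([\w/$]+);$")
_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


def descriptor_to_class(s: str) -> Optional[str]:
    """Turn a JVM descriptor `Lcom/foo/Bar;` into `com.foo.Bar`, else None."""
    m = _DESCRIPTOR.match(s)
    return m.group(1).replace("/", ".") if m else None


def hostname(s: str) -> Optional[str]:
    """Extract the lower-cased host from a literal URL string, else None."""
    m = _HOST.search(s)
    return m.group(1).lower() if m else None


def triage(dex_strings: Iterable[str]) -> Dict[str, List[str]]:
    """Map each SDK family to the sorted evidence (classes, hosts) found.

    Prefix matching on the package keeps unrelated classes that merely
    mention 'analytics' in their name from being flagged.
    """
    hits = defaultdict(set)
    for s in dex_strings:
        cls = descriptor_to_class(s)
        host = hostname(s)
        for family, ind in INDICATORS.items():
            if cls and cls.startswith(ind["packages"]):
                hits[family].add(cls)
            if host and host in ind["hosts"]:
                hits[family].add(host)
    return {family: sorted(evidence) for family, evidence in hits.items()}


# Constructed sample: a few app and framework classes plus the kind of
# SDK classes and endpoint URLs a bundled analytics library brings along.
SAMPLE_DEX_STRINGS = [
    "Lorg/example/app/MainActivity;",               # constructed app class
    "Landroid/support/v4/app/Fragment;",            # framework, not telemetry
    "Lcom/google/android/gms/analytics/Tracker;",
    "Lcom/google/android/gms/analytics/HitBuilders$EventBuilder;",
    "https://ssl.google-analytics.com/collect",
    "Lcom/crashlytics/android/Crashlytics;",
    "Lio/fabric/sdk/android/Fabric;",
    "https://settings.crashlytics.com/spi/v1/platforms/android/apps",
]

if __name__ == "__main__":
    for family, evidence in triage(SAMPLE_DEX_STRINGS).items():
        print(family)
        for item in evidence:
            print("   ", item)
```

On a real build, feed it the output of `unzip -p app.apk classes.dex | strings` (one entry per line). A hit only proves the SDK is compiled in; whether it is initialised, what it logs, and whether uploads are batched from a local cache as the quoted passage describes can only be confirmed by reading the decompiled call sites or by observing the device's traffic.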
------
efm
This needs to be added to the app store reviews.

