Reverse Engineering Proves Journalist Security App Is Anything But Secure | Motherboard

On Friday, Motherboard reported that the new Reporta app, billed as “the only comprehensive security app available worldwide created specifically for journalists,” may not be secure at all.

After we published our story, Frederic Jacobs, Open Whisper Systems’s lead developer for their secure messaging app, Signal, spent his Friday night at home reverse engineering the Reporta binary for iOS. He published the results here. His conclusion was, in a tweet, “Sloppy engineering. Reporta is forensics & analytics rich.”

“Every action is logged,” he wrote in his report. Google Analytics is built into the app, which stores the logs in a local cache before uploading them to Google’s servers. Reporta also uses Twitter’s Crashlytics crash-reporting framework, he explained.

“If you’re building an app for journalists in ‘potentially dangerous conditions,’” Jacobs wrote in a Twitter direct message, “you shouldn’t be tracking your users that much. And certainly not giving out that information to third parties without asking for consent of their users.”
