Session code audit: Technical report published by Quarkslab
Completing a Session code audit has been in the works for a long time, and now it’s finally here. An audit of Session’s Android, iOS, and Desktop versions has been completed by the cybersecurity research company Quarkslab. For those who have been waiting for an audit before trying Session, recommending Session, or just wanting some extra assurance around the app: today’s the day.
The audit itself is quite long and complex, and it’ll be difficult to read if you’re not technically minded. But the major takeaway is this: Session’s cryptographically sound.
Quarkslab only raised a few issues with Session, most of which have already been patched. A couple of low-impact issues remain, but they were mostly related to deliberate design choices — we will explain those below.
Why does having a Session code audit matter?
Writing code is hard — even for the experts. It’s a long, error-prone process. As skilled and experienced as our engineering team might be, writing foolproof code for a hardcore private messenger like Session is a painstaking, precise process which demands current and detailed knowledge of the use and limitations of different libraries, hardware and devices, operating systems, and more. And mistakes can open Session up to attacks from all kinds of different adversaries.
A code audit gives you (and us) peace of mind. The security and integrity of the Session code has been verified by a trusted third party, and we can now more safely say that Session’s codebase is sound. The security audit includes analysis of Session’s actual code, as well as considerations about the functionality and design of the app and how that relates to its security.
Other than that, the audit is about trust. Session is designed to reduce the amount of trust you need to place in your messenger. But there is still one aspect of Session that requires trust: The Session Team. You need to trust that Session is actually what we say it is, that we’ve built the app in the way it was designed, and there are no monsters hiding under the bed. Assuming you weren’t a master coder with endless free time to check the code yourself, you had to hope we were being honest and acting in good faith. Now — the audit shows we’ve done that, at least up until now. Quarkslab has read the code for you. They’ve analysed the app for you. You don’t have to take our word for it.
Session is as advertised: Private. Secure. No metadata.
What were the issues raised in the audit?
In total, Quarkslab raised 2 issues with the Desktop client, 7 issues with iOS, and 7 issues with Android. Many of these issues have already been fixed, leaving 1 outstanding issue on Desktop, 4 on iOS, and 4 on Android.
Only one of the issues raised was considered severe by Quarkslab, and it pertained only to Session on Android. It related to TLS verification when gathering information about the service node list, leaving the client potentially vulnerable to attacks by malicious certificate authorities. This issue has already been fixed.
Many of the ‘unfixed’ issues are actually intended Session functionality. While they are valid recommendations, things like being able to copy your recovery phrase to your clipboard, take screenshots in the app, and default notification configurations are deliberate design decisions made to improve the functionality and user experience of Session.
So, now that Session has a code audit…
What’s next? Well, this is a really big day for Session. Understandably, plenty of privacy enthusiasts, journalists, activists, and other groups have been waiting for Session to be audited before they gave it their full support. Like we said before, it’s all about trust, and for things like the Secure Messaging Apps Comparison, having no code audit made it hard to trust Session — now, Session is easy to recommend.
Session has been going from strength to strength, with voice calls on the horizon and 100,000 monthly active users right around the corner.
It’s time for us to really flex our muscles and spread the word of Session.