Following the audit of Wire's cryptography core, and the Proteus library, X41 D-Sec's Markus Vervier and Kudelski Security's JP Aumasson reviewed selected parts of the Wire application stack. The scope includes the Wire mobile applications for Android and iOS, the Wire web application, and parts of the calling and signaling code.
Wire is an application for mobile and desktop systems that provides end-to-end encrypted messaging, and Proteus implements a protocol combining the X3DH key agreement protocol and the double ratchet algorithm in order to provide high security guarantees to Wire's users.
Our results are available in the following reports:
Wire rapidly fixed the issues discovered, none of which were critical. For some of the issues we helped in finding the right kind of mitigation or fix. We also reviewed all fixes and referenced them in the reports.
The Android and iOS reports give a general overview of the security mitigations and characteristics as well as details about implementation level issues that have been identified during the review.
We would like to thank Wire for trusting us to perform this audit!
X41 D-Sec GmbH is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security centric code reviews, binary reverse engineering and vulnerability discovery. Custom research and a IT security consulting and support services are core competencies of X41.
If you have questions about advanced attacks, security audits, or other security research, please get in touch with us.