7ASecurity had the privilege to collaborate with the Open Source Technology Improvement Fund (OSTIF), as well as the K-9 Mail and Thunderbird teams at Mozilla, in a recent security audit of the Mozilla K-9 Mail application.
What is K-9 Mail?
K-9 Mail is an open source email application that runs on most Android devices. Ideally, the application is reliable, intuitive and secure to use. Not only critical to Android products, K-9 Mail is popular as a project on Github and with non-contributing users. Many people therefore have a vested interest in the security health of this application.
The Test
7ASecurity assigned a team of six auditors to perform a number of whitebox tests for this audit (Mozilla K-9 Mail Audit). The scope consisted of multiple aspects including threat modeling, fuzzing, and supply chain analysis. A thorough review to identify, test, and remediate as many security issues as possible within scope was 7ASecurity’s stated goal.
The final report linked below includes details of the work; such as implementing ossfuzz fuzzers along with semgrep and CodeQL rules, as well as how the team responded to the updated SLSA framework released during the 46 person day engagement.
We are happy to report that zero high-risk vulnerabilities were found. The security audit did uncover a handful of low-to-medium risk vulnerabilities, the majority of which the K-9 Mail team has already resolved or is in the process of addressing.
By following the recommendations of the report, K-9 Mail can grow its security posture as it begins to become Thunderbird for Android. It has an incredible foundation to begin this new chapter with, as the report notes seven wide-ranging points of secure and healthy practices and conditions of K-9 Mail evidenced during the engagement.
Conclusion
The K-9 Mail team did an exceptional job communicating and sharing information that allowed 7ASecurity to perform as comprehensive an audit as possible. Our gratitude to Christian Ketterer, Lisa McCormack, Ryan Sipes, Wolf-Martell Montwé and the rest of the K-9 Mail team. We are thankful as well to Mozilla, for their support of K-9 Mail’s current and future security.
The team at 7ASecurity would like to take this opportunity to extend our deepest thanks to everyone at OSTIF, including Amir Montazery, Ashley Leszkiewicz, and Derek Zimmer, who were instrumental in orchestrating a smooth experience.
“OSTIF and 7ASecurity were amazing partners that provided a helpful guiding hand, and made the process of doing the audit a breeze. We really appreciated their professionalism and expertise. I can confidently say that we plan on working with them again.”
Ryan Sipes, Thunderbird’s Product and Business Development Manager, Mozilla Foundation
You can read the full report here.