About CoverDrop
Whistleblowers need a secure method to initiate contact and build trust with journalists. Existing tools often cater to later-stage correspondence, leaving crucial, early touch-points vulnerable to surveillance. In addition, many of these tools are difficult to find on newspaper websites, hard to use securely, and offer insufficient user guidance.
After conducting workshops with journalists and IT staff at news organizations, a group of developers, in collaboration with The Guardian newspaper, designed CoverDrop—a new, two-way, secure system for initial contact and trust establishment between sources and reporters.
CoverDrop can be integrated into existing news apps, enabling users to contact journalists at a publication. Traffic generated by all the regular users of the app “hides” or “covers” whistleblowers’ communication. In addition, a small amount of “cover” traffic is constantly sent to a CoverNode hosted in the news organization’s infrastructure. When a whistleblower uses the system, this cover traffic is replaced with the message contents from that individual—so an adversary cannot tell which, if any, users are currently sending messages to journalists. The CoverNode software operates without storage and runs inside a Trusted Execution Environment (TEE); these two features reduce the attack surface for a malicious actor.
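The paragraph above describes the core idea: an idle client keeps emitting cover traffic, and a client with something to say swaps a real message into that same stream. The following is an added illustration of that principle written for this page, not code from CoverDrop or The Guardian. It assumes an invented 512-byte slot layout (flag byte, length prefix, random padding) and uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag as a stand-in for a real AEAD; everything else about the CoverNode (TEE, storage, message routing) is out of scope here.

```python
"""Cover traffic, illustrated: every client emits exactly one fixed-size,
authenticated blob per tick whether or not it has a real message. A passive
observer who sees only the wire (sizes and timing) cannot tell a sending client
from an idle one; only the receiving node, which holds the key, can.

Illustration only (not CoverDrop's protocol). The cipher is a stand-in for a real
AEAD, and the slot layout is an assumption made for this example.
"""
import hashlib
import hmac
import secrets
from typing import Optional

SLOT_BYTES = 512          # fixed size of every blob on the wire (assumption)
NONCE_BYTES = 16
TAG_BYTES = 32
BODY_BYTES = SLOT_BYTES - NONCE_BYTES - TAG_BYTES   # 464 plaintext bytes per slot
FLAG_COVER, FLAG_REAL = b"\x00", b"\x01"
MAX_MSG = BODY_BYTES - 1 - 2                        # flag byte + 2-byte length prefix


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one shared secret."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (toy stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def _seal(key: bytes, body: bytes) -> bytes:
    """Encrypt-then-MAC a fixed-size body into a fixed-size slot."""
    assert len(body) == BODY_BYTES
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_BYTES)
    ct = bytes(p ^ k for p, k in zip(body, _keystream(enc_key, nonce, BODY_BYTES)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def cover_slot(key: bytes) -> bytes:
    """Idle client: encrypt a cover body (flag + random filler) so it looks
    exactly like a real slot on the wire."""
    body = FLAG_COVER + secrets.token_bytes(BODY_BYTES - 1)
    return _seal(key, body)


def message_slot(key: bytes, message: bytes) -> bytes:
    """Client with something to say: flag + length + message, padded to BODY_BYTES."""
    if len(message) > MAX_MSG:
        raise ValueError("message too long for one slot")
    body = FLAG_REAL + len(message).to_bytes(2, "big") + message
    body += secrets.token_bytes(BODY_BYTES - len(body))   # random padding, not zeros
    return _seal(key, body)


def client_tick(key: bytes, outbox: list) -> bytes:
    """Called once per tick regardless of outbox state: real message if queued, else cover."""
    if outbox:
        return message_slot(key, outbox.pop(0))
    return cover_slot(key)


def wire_view(slots: list) -> list:
    """What a passive network observer learns: one size per tick, nothing else."""
    return [len(s) for s in slots]


def node_receive(key: bytes, slot: bytes) -> Optional[bytes]:
    """Receiving node: authenticate, decrypt, drop cover, return the real message or None.
    Raises ValueError on a bad tag or malformed slot."""
    if len(slot) != SLOT_BYTES:
        raise ValueError("wrong slot size")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = slot[:NONCE_BYTES], slot[NONCE_BYTES:-TAG_BYTES], slot[-TAG_BYTES:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    body = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, BODY_BYTES)))
    if body[:1] == FLAG_COVER:
        return None
    n = int.from_bytes(body[1:3], "big")
    return body[3:3 + n]


if __name__ == "__main__":
    key = secrets.token_bytes(32)                       # constructed shared secret
    talker = [b"contact request from a source"]         # constructed sample message
    talker_slots = [client_tick(key, talker) for _ in range(3)]
    idle_slots = [client_tick(key, []) for _ in range(3)]
    assert wire_view(talker_slots) == wire_view(idle_slots)
    print([node_receive(key, s) for s in talker_slots])  # real message, then None, None
```

The point to check is that `wire_view` is identical for the talking and the idle client: same count of slots, same size, and (by construction) the same cadence, because `client_tick` runs every tick no matter what. Two caveats a practitioner would add: the padding must be random rather than zeros so that a leaked body reveals no length structure, and a real deployment must also hold the send rate constant, since a client that only transmits when it has a message gives itself away by timing alone.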
Audit Description
Through OTF’s Security Lab, 7ASecurity conducted the first comprehensive third-party security review of CoverDrop in January and February 2024. This penetration test and “white box” audit (a form of testing in which auditors have complete knowledge of the item being tested) focused on the reference Android and iOS app builds, which are open source applications that allow any newspaper to fork and integrate CoverDrop into their news apps.
Scope
The scope of the security review included:
- Whitebox tests against CoverDrop Protocol and Library Implementation
- Mobile Security tests against CoverDrop Implementation on Android & iOS
- Whitebox tests against CoverDrop Implementation on Backend Services
- Whitebox tests against CoverDrop Servers & Configuration via SSH
- Whitebox tests against CoverDrop AWS & Kubernetes Infrastructure
- CoverDrop Lightweight Threat Model documentation
- Whitebox Tests against CoverDrop Supply Chain Implementation
NOTE: The Guardian implemented CoverDrop in its own Android and iOS apps, but these implementations were not included in the 7ASecurity audit.
Findings
Overall, the auditors found that CoverDrop defended itself well against a broad range of attack vectors. No critical or high-severity issues were identified during the audit. 7ASecurity uncovered seven “Medium”-level vulnerabilities that were recommended for remediation:
- A vulnerability to Task Hijacking attacks in the Android app (this type of attack allows a malicious app to take over a vulnerable app's "back stack" and launch itself in place of the intended app when the user tries to open it)
- A vulnerability in the Android and iOS apps to denial-of-service (DoS) attacks via spoofing of the DNS domains used for sending messages
- The lack of a passphrase prompt for accessing messages in some scenarios
- Lax permission settings for a number of files and directories, which could allow attackers to gain read and write access to sensitive CoverDrop files
- A lack of encryption on some security-relevant files on the host server, which could permit exposure of journalists’ Personally Identifiable Information (PII)
- Retention of the user passphrase in memory in the Android app, which could be accessed by a malicious actor with physical or memory access
- A vulnerability in how the system communicates with the Signal infrastructure that could allow an attacker to abuse the Signal attachments function to disrupt the system
In addition to these vulnerabilities, the security review identified 26 less significant weaknesses that were recommended for resolution to improve CoverDrop’s overall security posture and protect users in “edge-case” scenarios.
Remediation
The CoverDrop team fixed all seven of the main vulnerabilities detected during the security audit; 7ASecurity confirmed the remediation via retesting. Of the 26 less significant weaknesses identified, 21 have been resolved in full or had their principal issues addressed, with the remaining five issues slated for resolution in a future release or set aside by the CoverDrop team.