[tor-dev] [GSoC 2016] Orfox - Report 2

Tom Ritter tom at ritter.vg
Fri Jun 17 02:37:11 UTC 2016


On 16 June 2016 at 18:45, Amogh Pradeep <amoghbl1 at gmail.com> wrote:
> Hey guys,
>
> This is my second status report for GSoC 2016.
>
> I’ve finally managed to rebase things to ESR 45.2.0 :D [0].
> But unfortunately, I think that what it is built on is unstable, so we don’t have an apk ready yet.
> I will continue to work on this, and hopefully have a successful build soon.
>
> Next up is a code audit. Once we have a stable application built on ESR 45, I can move on to the code audit phase.
> In this phase, I would go through the Android code, looking for all the network code, and making sure that it is proxied fine.


Is a code audit the most efficient and reliable way to look for proxy
leaks? (At least at this stage?)  I think it would be useful and it's
good to be thorough, but it seems like it would be more efficient to
do a dynamic analysis for a first-pass effort, and to leave a code
audit to later in the game while you focus on some of the other tasks
you'll have.

I would do dynamic analysis by setting up a bridge and a proxy,
exercising lots of different functionality of the app (HTTP, HTTPS,
FTP, update checking, safebrowsing disabling/enabling, extension
installation, extension update checking, extension calls to third
party APIs, etc), and looking for any traffic not going to the single
bridge configured.

My 1 cent.

-tom
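
The check described in the reply above (flag any traffic not going to the single configured bridge), as an added example that is not part of the original thread or of Orfox. It assumes the capture was taken off-device, for instance on the gateway, as `tcpdump -nn -tt` text; the function names and all addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed tcpdump -nn -tt output; all addresses are documentation ranges.
SAMPLE_CAPTURE = """\
1466131031.100 IP 192.0.2.10.40112 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0
1466131031.150 IP 198.51.100.7.443 > 192.0.2.10.40112: Flags [S.], seq 9, ack 2, win 65535, length 0
1466131032.200 IP 192.0.2.10.51514 > 203.0.113.53.53: 4660+ A? addons.example. (32)
1466131033.300 IP 192.0.2.10.40200 > 203.0.113.80.80: Flags [S], seq 5, win 65535, length 0
1466131033.900 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28
1466131034.400 IP6 2001:db8::10.40300 > 2001:db8::80.443: Flags [S], seq 7, win 65535, length 0
1466131035.000 IP 192.0.2.10.40112 > 198.51.100.7.443: Flags [P.], seq 2:500, ack 10, win 65535, length 498
"""

# timestamp, then "IP" or "IP6", then src.port > dst.port:
LINE_RE = re.compile(r"^(\S+) IP6? (\S+)\.(\d+) > (\S+)\.(\d+): ")

def find_leaks(capture, device_addrs, bridge):
    """Return (timestamp, dst_ip, dst_port, kind) for every packet sent by the
    device to anything other than the configured bridge (ip, port)."""
    device = {ipaddress.ip_address(a) for a in device_addrs}
    bridge = (ipaddress.ip_address(bridge[0]), bridge[1])
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP and other lines without an ip.port pair
        ts, src, _sport, dst, dport = m.groups()
        src, dst, dport = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        if src not in device or (dst, dport) == bridge:
            continue  # inbound reply, or traffic to the one allowed endpoint
        kind = "dns" if dport == 53 else "direct"  # label by destination port only
        leaks.append((ts, str(dst), dport, kind))
    return leaks

def summarize(leaks):
    """Count leaked packets per (destination, port, kind)."""
    return Counter((ip, port, kind) for _ts, ip, port, kind in leaks)

if __name__ == "__main__":
    found = find_leaks(SAMPLE_CAPTURE, ["192.0.2.10", "2001:db8::10"], ("198.51.100.7", 443))
    for (ip, port, kind), n in sorted(summarize(found).items()):
        print(f"LEAK {kind:6} {ip}:{port} packets={n}")
```

Matching on the bridge's address and port together means a connection to the bridge host on any other port is still reported.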

