Open Source Technology Improvement Fund (OSTIF), K-9 Mail, and 7ASecurity collaborated on a security audit of the Mozilla K-9 email application. K-9 is an open source email application that runs on most Android phone systems. Ideally, the application is reliable, intuitive, and secure to use. Beyond its importance to Android products, K-9 Mail is popular as a project on GitHub and among non-contributing users. Many people therefore have a vested interest in the security health of this application.

The assigned team of six auditors used whitebox methods for this audit. The scope of the audit covered multiple aspects, including threat modeling, fuzzing, and supply chain analysis. 7ASecurity’s stated goal was a thorough review to identify, test, and remediate as many security issues as possible within scope. They combed through the code and adjusted focus as the project led them. The final report linked below includes details of the work, such as implementing OSS-Fuzz fuzzers along with Semgrep and CodeQL rules, as well as how the team responded to the updated SLSA framework released during the 46 person-day engagement.

The security audit uncovered seven medium and three low risk vulnerabilities, along with nine miscellaneous hardening recommendations. Of the 19 total issues, the K-9 Mail team fixed nine and partially resolved two more. By following the recommendations of the report, K-9 Mail can strengthen its security posture as it begins to become Thunderbird for Android. It starts this new chapter on an incredible foundation: the report also notes seven wide-ranging examples of secure and healthy practices and conditions in K-9 Mail that the auditors saw evidenced during the engagement.

The K-9 team did an exceptional job communicating and sharing information, which allowed 7ASecurity to perform as comprehensive an audit as possible. Our gratitude to Christian Ketterer, Lisa McCormack, Ryan Sipes, Wolf-Martell Montwé and the rest of the K-9 Mail team. And to 7ASecurity, particularly Abraham Aranguren, Dariusz Jastrzębski, Daniel Ortiz, Dr. Miroslav Štampar, Óscar Martínez, and Patrick Ventuzelo: thank you for your hard work. We are thankful as well to our sponsor, Mozilla, for their support of K-9’s current and future security.

“OSTIF has a strong understanding of how open source projects operate and we really appreciated that they were able to jump in and help us coordinate an audit of the K-9 Mail software. OSTIF were great partners that made the process of doing the audit a breeze and provided a helpful guiding hand. We really appreciated their professionalism and expertise. I can confidently say that we plan on working with OSTIF again.”

  • Ryan Sipes, Mozilla Foundation


Read 7A’s report on K-9 Mail here: https://ostif.org/wp-content/uploads/2023/07/K9-Mail-Audit-Final-Report.pdf

and 7A’s blog here: https://7asecurity.com/blog/2023/07/mozilla-k9-mail-audit/