[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-dev] [GSoC 2016] Orfox - Report 2
On 16 June 2016 at 18:45, Amogh Pradeep <amoghbl1@xxxxxxxxx> wrote:
> Hey guys,
>
> This is my second status report for GSoC 2016.
>
> Iâve finally managed to rebase things to ESR 45.2.0 :D [0].
> But unfortunately, I think that what it is build on is unstable, so we donât have an ask ready yet.
> I will continue to work on this, and hopefully have a successful build soon.
>
> Next up is a code audit. Once we have a stable application built on ESR 45, I can move on to the code audit phase.
> In this phase, I would go through the android code, looking for all the network code, and making sure that it is proxied fine.
Is a code audit the most efficient and reliable way to look for proxy
leaks? (At least at this stage?) I think it would be useful and it's
good to be thorough, but it seems like it would be more efficient to
do a dynamic analysis for a first-pass effort, and to leave a code
audit to later in the game while you focus on some of the other tasks
you'll have.
I would do dynamic analysis by setting up a bridge and a proxy,
exercising lots of different functionality of the app (HTTP, HTTPS,
FTP, update checking, safebrowsing disabling/enabling, extension
installation, extension update checking, extension calls to third
party APIs, etc), and looking for any traffic not going to the single
bridge configured.
My 1 cent.
-tom
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev