On Thu, Jun 16, 2016, at 10:37 PM, Tom Ritter wrote: > On 16 June 2016 at 18:45, Amogh Pradeep <[email protected]> wrote: > Is a code audit the most efficient and reliable way to look for proxy > leaks? (At least at this stage?)
I think he means a few things by this, or at least we have a few tasks underway: - mentor (me) reviewing code quality and implementation choices for how proxy features were added - inspection of esr45 Android Java code for new network code and other potentially leaky / deanon features - review of tor browser, noscript and other mobile relevant extensions for portability to android > I would do dynamic analysis by setting up a bridge and a proxy, > exercising lots of different functionality of the app (HTTP, HTTPS, > FTP, update checking, safebrowsing disabling/enabling, extension > installation, extension update checking, extension calls to third > party APIs, etc), and looking for any traffic not going to the single > bridge configured. We use NoRoot firewall on Android for doing this in a quick manner. It is like LittleSnitch. Thanks for the feedback Tom! _______________________________________________ tor-dev mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
