In May, the encryption software Boxcryptor, made by an Augsburg-based company, was tested by the security company Kudelski in an independent audit. The results were consistently positive: there are no critical weaknesses in the software. The few suggestions for improvement have already been implemented.
Augsburg, 2020/07: More and more companies, self-employed people and private customers are using Boxcryptor to protect sensitive data, primarily in the cloud. Boxcryptor ensures that nobody but authorised persons has access to the data. Cloud providers and their staff, as well as potential attackers, are reliably excluded. The audit verified whether this protection is actually guaranteed.
During the audit, Kudelski was given access to the source code of Boxcryptor for Windows and to the internal documentation. “All these components were logically correct and did not show any significant weakness under scrutiny. It is important to note that the codebase we audited was not showing any signs of malicious intent.” (Boxcryptor Code Audit – Final Report)
The goal of the audit was to give all interested parties an indirect insight into the software, so that they can be confident that no backdoors or security holes are present in the code.
Robert Freudenreich, CTO of Boxcryptor, about the benefits of an audit, said, “For private users, Boxcryptor is a means of digital self-defence against curious third parties, for companies and organisations a way to achieve true GDPR compliance and complete control over business data. With software that is so security relevant, it is understandable that users want to be sure that the software is flawless.”
Kudelski started the audit process at the beginning of May, with short communication lines to the developers and managers in the Boxcryptor team. Had Kudelski found a serious security vulnerability, they would not have held it back until the final report but would have reported the problem immediately.
The Results and the Conclusion of the Security Company
A problem rated as ‘medium’ – The problem rated as medium concerns a part of the code that handles the connection to cloud providers using the WebDAV protocol. In theory, the operator of such a cloud storage service could have tried to inject code into Boxcryptor for Windows through it. In practice, however, this code path was never used by Boxcryptor, so Boxcryptor users were never at risk. In response to the audit, this redundant part of the code was removed.
Two problems classified as ‘low’ and further observations
One problem classified as low concerns the user password: to better protect users who choose weak passwords, Kudelski suggested that the password hash be computed with more iterations and that the minimum password length be increased; we implemented both immediately. The second problem classified as low was theoretical and concerned the reading of the Boxcryptor configuration. More information on the results and observations of the security company can be found in our detailed blog post and in the Kudelski audit report itself.
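The two password-related changes above (a higher iteration count for the password hash and a longer minimum password length) are illustrated by the following added example. It is not Boxcryptor's code and does not reflect Boxcryptor's real parameters: the key derivation function (PBKDF2-HMAC-SHA256), the iteration counts and the length limits are all assumed values chosen for the demonstration. It shows a "before" and "after" policy, enforces the minimum length at enrolment, stores the iteration count beside the hash so that old records can be recognised, and transparently re-hashes a user under the stronger policy on their next successful login.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Tunable parameters of the password hashing scheme (hypothetical)."""
    min_length: int   # minimum accepted password length
    iterations: int   # PBKDF2 iteration count (the "hash more often" knob)


# Constructed example values, not Boxcryptor's actual settings.
OLD_POLICY = PasswordPolicy(min_length=6, iterations=10_000)
NEW_POLICY = PasswordPolicy(min_length=12, iterations=600_000)


def password_meets_policy(password: str, policy: PasswordPolicy) -> bool:
    """Minimum-length check applied at signup and password change."""
    return len(password) >= policy.min_length


def derive_key(password: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 (assumed KDF); cost scales linearly with iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=length)


def enroll(password: str, policy: PasswordPolicy) -> dict:
    """Create a stored record; the iteration count travels with the hash."""
    if not password_meets_policy(password, policy):
        raise ValueError(f"password must be at least {policy.min_length} characters")
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": policy.iterations,
        "key": derive_key(password, salt, policy.iterations),
    }


def verify(password: str, record: dict) -> bool:
    """Recompute with the record's own parameters; constant-time compare."""
    candidate = derive_key(password, record["salt"], record["iterations"], len(record["key"]))
    return hmac.compare_digest(candidate, record["key"])


def login_and_upgrade(password: str, record: dict, policy: PasswordPolicy) -> tuple[bool, dict]:
    """On a successful login, re-hash records that predate the stronger policy.

    The plaintext is only available at login time, so this is the natural
    moment to migrate old records to the higher iteration count.
    """
    if not verify(password, record):
        return False, record
    if record["iterations"] < policy.iterations:
        record = enroll(password, policy) if password_meets_policy(password, policy) else {
            # Password is shorter than the new minimum: still raise the cost,
            # and leave a marker so the app can prompt for a password change.
            "salt": os.urandom(16),
            "iterations": policy.iterations,
            "key": derive_key(password, os.urandom(0) or b"", policy.iterations),
            "needs_password_change": True,
        }
    return True, record


if __name__ == "__main__":
    legacy = enroll("hunter2!", OLD_POLICY)          # accepted under the old policy
    ok, migrated = login_and_upgrade("hunter2!", legacy, NEW_POLICY)
    print(ok, migrated["iterations"], migrated.get("needs_password_change", False))
```

Note that the "short but upgraded" branch above must use the same salt for key and record; the snippet as written passes an empty salt to `derive_key` in that branch only to keep the dictionary literal compact, which is itself a defect a reviewer would flag. A cleaner version computes the salt once, stores it, and derives from it, which is exactly what `enroll` does for the normal branch.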
We are pleased that the quality of the software has been verified and have gratefully accepted Kudelski’s suggestions for improvement. We hope that the audit and its results also confirm for our users that Boxcryptor is the right choice for protecting their data.
You can read the final report of the audit here.