Has there been a security review / audit of Cryptomator?

The desktop application Cryptomator has been peer-reviewed by the community. Its cryptographic libraries use only cryptographic primitives of well-known open source libraries like JCA, OpenSSL, and Common Crypto, except SIV Mode, which is the only self-implemented cryptographic primitive.

All cryptographic libraries have been reviewed by Cure53. The pentesting report can be found here. The reported issues are commented in the corresponding GitHub repositories.

SIV-Mode has been reviewed by Tim McLean. The report on SIV Mode 1.0.8 can be found here and the issues found have been fixed with version 1.1.0.

5 Likes

Why is this report not mentioned on the Cure53 website? https://cure53.de/#publications

Citing the first sentence above the pentest reports:

Note that all those reports have been proudly published upon explicit request by the project maintainers, or the party that sponsored the penetration test in coordination with the project maintainer

We didn’t make an explicit request.

2 Likes

May I ask why the audit report for Cryptomator has not been explicitly requested by the project maintainers? Won't the publication help enhance the credibility of the Cryptomator app?

1 Like

Due to the website relaunch, the audits are also now available: Encrypt Cloud Storage: How Open Source Strengthens Security

The ultimate test is to see governments unable to get into the vaults. Anyone find any court cases about the use of Cryptomator?