On 16 June 2016 at 18:45, Amogh Pradeep amoghbl1@gmail.com wrote:
Hey guys,
This is my second status report for GSoC 2016.
I’ve finally managed to rebase things to ESR 45.2.0 :D [0]. But unfortunately, I think that what it is built on is unstable, so we don’t have an apk ready yet. I will continue to work on this, and hopefully have a successful build soon.
Next up is a code audit. Once we have a stable application built on ESR 45, I can move on to the code audit phase. In this phase, I would go through the Android code, looking for all the network code, and making sure that it is proxied fine.
Is a code audit the most efficient and reliable way to look for proxy leaks? (At least at this stage?) I think it would be useful and it's good to be thorough, but it seems like it would be more efficient to do a dynamic analysis for a first-pass effort, and to leave a code audit to later in the game while you focus on some of the other tasks you'll have.
I would do dynamic analysis by setting up a bridge and a proxy, exercising lots of different functionality of the app (HTTP, HTTPS, FTP, update checking, safebrowsing disabling/enabling, extension installation, extension update checking, extension calls to third-party APIs, etc.), and looking for any traffic not going to the single bridge configured.
My 1 cent.
-tom
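
Added example, not part of the original thread: one way to run the check described in the reply above, flagging every recorded flow that does not go to the single configured bridge. The flow-record format, the function names and all addresses are assumptions constructed for illustration; loopback traffic is assumed to be the app talking to its local proxy.

```python
import csv
import io
import ipaddress

# Constructed sample: flows recorded on the test device while exercising the app.
# Columns: proto, dst_ip, dst_port, note. Addresses are documentation ranges.
SAMPLE_FLOWS = """\
tcp,127.0.0.1,9050,app to local SOCKS port
tcp,192.0.2.10,443,tor to configured bridge
udp,198.51.100.53,53,DNS lookup
tcp,203.0.113.7,443,update check
tcp,192.0.2.10,8080,bridge host but wrong port
tcp,::1,9050,app to local SOCKS port (IPv6)
"""


def parse_flows(text):
    """Parse the (hypothetical) CSV flow export into typed records."""
    flows = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # tolerate blank lines in the export
        proto, dst, port, note = row
        flows.append({"proto": proto.lower(),
                      "dst": ipaddress.ip_address(dst),
                      "port": int(port),
                      "note": note})
    return flows


def find_leaks(flows, bridge_ip, bridge_port):
    """Return every flow that is neither loopback nor TCP to the bridge."""
    bridge = ipaddress.ip_address(bridge_ip)
    leaks = []
    for f in flows:
        if f["dst"].is_loopback:
            continue  # assumption: local hop from the app to the proxy
        if f["proto"] == "tcp" and f["dst"] == bridge and f["port"] == bridge_port:
            continue  # the only permitted external destination
        leaks.append(f)  # anything else bypassed the bridge
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(parse_flows(SAMPLE_FLOWS), "192.0.2.10", 443):
        print("LEAK", leak["proto"], leak["dst"], leak["port"], "-", leak["note"])
```

Matching on both address and port means a connection to the bridge host on any other port is still reported, and UDP flows such as direct DNS lookups are always reported.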