November 11, 2024
Security audit of Awala: Part 1
By Gus Narea (Awala architect and Relaycorp CEO).
The Open Technology Fund commissioned an independent security audit of Awala from Radically Open Security. The first half of the assessment focused on the core of Awala, and is now complete. This blog post summarises the findings in my own words. You’re welcome to read the full report.
TL;DR: No major issues were found. There’s nothing that should prevent Awala from being used in production, although I do agree with the recommendations made and intend to address them.
Assessment scope
The audit covered the protocol suite specifications, and their implementation and integration in the software used by end users, couriers and software vendors. The focus was on the cryptographic operations (e.g. end-to-end encryption), key management, and the overall security of the system.
Part 2 of the audit will involve a more thorough review of the integration of the core Awala libraries in the apps used by end users, couriers and software vendors.
Findings
The assessment found no critical vulnerabilities that would prevent Awala from being used in production. The auditors did find the following issues:
- Inconsistencies in the documentation of the protocol suite, which had no impact on the security of the implementation and were fixed promptly.
- Awala doesn’t provide a built-in mechanism for centralised and hybrid services to verify the authenticity of the Internet endpoints (e.g. third-party-service.com) to which their apps connect. This means that services like Letro have to implement their own mechanisms when initiating a connection to such a type of peer, making this part of the system unnecessarily centralised. This is a known limitation, and it doesn’t affect decentralised services or the contact pairing in Letro.
On the positive side, the auditors found that the system is built on well-analysed cryptographic primitives and makes extensive use of cryptographic standards, and their code review found no security issues.
Recommendations
The auditors made several recommendations to further strengthen the security:
- Reduce trust in third parties for domain name authentication, per the issue mentioned above.
- Conduct formal analysis of the protocol.
- Perform a more comprehensive code review. (This will be done in part 2 of the audit.)
- Perform additional security audits in the future, as the system evolves.
Conclusion
The security audit validates that Awala’s core design and implementation are fundamentally secure. Whilst there are some minor improvements that can be made, there are no major security issues that would prevent its use in production environments. The recommendations provided will help further harden the system as it continues to mature.
About Gus Narea
Gus invented Awala at the University of Oxford, and later founded Relaycorp to lead the project. He's also the host of the Inside Awala podcast. Before Awala, he worked in the core engineering team at Auth0, responsible for the company's flagship product. Learn more on gus.engineer.