Hacker News
Reverse Engineering Proves Journalist Security App Is Not Secure (gist.github.com)
88 points by secfirstmd on Oct 5, 2015 | 17 comments



Good catch. We've changed the URL from http://motherboard.vice.com/en_uk/read/reverse-engineering-p.... If anyone suggests a better (more accurate and neutral) title, we can change that too.


I actually think the original URL is worth pointing to, because it gives the social context of the app. In the gist here, there is no link back to the VICE story that preceded it [1]...so we're left with an autopsy of a crappy app...but, IMO, it's more interesting how and why such a crappy app was allowed to go into production, and for whom.

In this case, the technical details are less interesting than the overview: that an app designed to protect reporters' sources is inexplicably talking to Google Analytics and Twitter. The lack of transparency had been noted by VICE in its earlier story.

Not attacking the gist...just wanting to point out that the VICE article is not merely blogspam.

[1] http://motherboard.vice.com/read/this-new-secure-app-for-jou...


Uh, yeah....firms that specialize in security have a hard time getting all the kinks out. There's no way I would ever trust an app made by journalists to protect other journalists' security, especially if it were closed-source. This doesn't have anything to do with the stereotype of journalists not being computer programmers. It's the notion that a journalist's operational security "just needs an app"...or even, that journalists need their own special app -- even though most of the features described in Reporta would be useful to just about anyone. And by targeting mainly journalists, you have a much, much smaller user base to test it and give feedback on.

The most successful app-by-journalists-for-journalists is probably Django, but that became big by not tying itself to newsroom conventions.

edit: It's hard to think of anything "designed specifically for a journalist" that is best-in-class. This includes note-taking and photography apps.


I believe it wasn't the journalists who built this; it was a digital marketing agency:

https://storify.com/hondanhon/digital-agency-suckers-non-pro...

Which makes this totally believable.


Don't be too hard on journalists. Humans, in general, think you write a sheet of vague wishes that you send off to an offshore developer, who will never tell you your specifications need work, or that you need a security specialist, or any other bad news.

The "several weeks" to open source the app smells bad, too. What horrors are being cleaned up? Did this NGO even get the analytics data or was that being harvested by their contract developers? Did anyone outside the contract shop, even an on-shore consultant, look at the code? Is the contract shop operating their back-end? That's deplorable, but also very common.


> Don't be too hard on journalists. Humans, in general, think you write a sheet of vague wishes that you send off to an offshore developer, who will never tell you your specifications need work, or that you need a security specialist, or any other bad news.

As a developer, I have seen what happens when you try to explain that there's an issue with the specs.

"Oh, you can't do it? Do I need to find someone else?"

I know of some serious vulnerabilities in a former employer's eCommerce system. When I brought them to the attention of my manager, I was told (not in these exact words, but the message was loud and clear) that we were being paid to add new features and no time would be wasted fixing security issues.


That's right, and the only cure, really, is smarter, more informed customers. I'm not blaming developers, especially cost-optimized offshore developers for not taking a client-protective advisory stance with their customers. They are not paid to do that. On the contrary, as you point out, the more agreeable they are to even the most harebrained customer requirements, the better for them.


As a journalist, I agree with your sentiment :). I try to push my colleagues to adopt a more Unix-like mindset: use tools that are best at the one/few things they do...and stop thinking that technology can solve problems that you know to be intractably difficult. I'm not talking about recognizing the traveling salesman problem, I mean, if it seems complicated to keep your network of confidants both easily accessible and safe and hidden from outsiders...what is it about a piece of technology that makes you think it can all be wrapped up in a general-purpose user-friendly app?

But to be fair, that's a difficult question for many engineers and developers to grasp as well...


When a "secure" app has so many holes I would be tempted to think that it was designed to lull journalists into a false sense of security, but given that the app was designed by the IWMF, a nonprofit, I'm more tempted to think it's simply bad design.

That said, I really hope there aren't any female journalists in sensitive territory using this.


"That said, I really hope there aren't any journalists in sensitive territory using this."

Fixed that for you...


I'm not saying that male journalists are somehow not at risk, merely that the non-profit that distributes this app seems targeted at women.


No it's not... It's targeted at all journalists who would need the app.


If this report is correct, it's not that the security app is not secure, it's that the app has been criminally misrepresented as it is riddled with spyware, logging and tracking.


Wait a minute ... They use Google Analytics in a "secure" app!? I even removed Google Analytics from a GAME because I was concerned about the player's privacy.


> "Every action is logged," he wrote in his report. Google Analytics is built into the app, which stores the logs in a local cache before uploading them to Google's servers. Reporta also uses Twitter’s Crashlytics crash-reporting framework, he explained.

Doesn't TextSecure use Google's crash reporting? I heard that's one reason Moxie uses the Google ecosystem for app distribution.
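Anyone who wants to verify the finding quoted above for themselves, rather than take the report's word for it, can do so without a decompiler: the class descriptors of every linked SDK sit in the string table of the APK's classes.dex. The script below is an added example (not code from the linked gist, the VICE article, or the Reporta app) that parses that string table directly and flags well-known telemetry packages. It assumes the published dex header layout (string_ids_size at 0x38, string_ids_off at 0x3C, each entry pointing at a ULEB128 length plus MUTF-8 bytes), and the prefix list is an illustrative assumption, not an exhaustive inventory of tracking SDKs. The sample dex it builds for offline use is constructed: a header and string table only, enough to exercise the parser but not a valid dex for the runtime.

```python
"""Flag third-party telemetry SDKs by scanning the classes.dex string table.

Added example, not from the gist or the app under discussion.
Dex layout per the published format: string_ids_size at header offset
0x38, string_ids_off at 0x3C; each string_id is a 4-byte offset to a
ULEB128 length followed by MUTF-8 bytes and a NUL terminator.
"""
import struct
import sys
import zipfile
from typing import Iterator

# Class-descriptor prefixes for telemetry SDKs. Assumption: illustrative
# list, not exhaustive; SDKs repackaged by obfuscators will not match.
TELEMETRY_PREFIXES = {
    "Lcom/google/android/gms/analytics/": "Google Analytics",
    "Lcom/google/analytics/tracking/": "Google Analytics (legacy)",
    "Lcom/crashlytics/": "Crashlytics",
    "Lio/fabric/sdk/": "Fabric (Crashlytics distribution)",
    "Lcom/twitter/sdk/": "Twitter Kit",
}


def read_uleb128(buf: bytes, off: int) -> tuple[int, int]:
    """Decode a ULEB128 value starting at off; return (value, next_offset)."""
    result, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7


def dex_strings(dex: bytes) -> Iterator[str]:
    """Yield every entry of the dex string table in table order."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    count, table_off = struct.unpack_from("<II", dex, 0x38)
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _utf16_len, start = read_uleb128(dex, data_off)
        end = dex.index(b"\x00", start)
        # MUTF-8 differs from UTF-8 only for NUL and supplementary chars;
        # class descriptors are ASCII, so a plain decode is adequate here.
        yield dex[start:end].decode("utf-8", errors="replace")


def find_telemetry(dex: bytes) -> dict[str, list[str]]:
    """Map SDK name -> descriptors found in this dex."""
    hits: dict[str, list[str]] = {}
    for s in dex_strings(dex):
        for prefix, name in TELEMETRY_PREFIXES.items():
            if s.startswith(prefix):
                hits.setdefault(name, []).append(s)
    return hits


def scan_apk(path: str) -> dict[str, list[str]]:
    """Scan classes.dex, classes2.dex, ... inside an APK (a zip file)."""
    hits: dict[str, list[str]] = {}
    with zipfile.ZipFile(path) as apk:
        for member in apk.namelist():
            if member.startswith("classes") and member.endswith(".dex"):
                for name, strs in find_telemetry(apk.read(member)).items():
                    hits.setdefault(name, []).extend(strs)
    return hits


def uleb128(value: int) -> bytes:
    out = bytearray()
    while True:
        b = value & 0x7F
        value >>= 7
        out.append(b | 0x80 if value else b)
        if not value:
            return bytes(out)


def build_sample_dex(strings: list[str]) -> bytes:
    """Constructed test input: header + string table only, enough for the
    parser above; NOT a dex the Android runtime would accept."""
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    table_off = 0x70
    data_base = table_off + 4 * len(strings)
    ids, data = bytearray(), bytearray()
    for s in strings:
        ids += struct.pack("<I", data_base + len(data))
        data += uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    struct.pack_into("<II", header, 0x38, len(strings), table_off)
    return bytes(header + ids + data)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = scan_apk(sys.argv[1])
    else:  # constructed sample: one app class, two SDK classes, one method name
        result = find_telemetry(build_sample_dex([
            "Lcom/example/reporta/MainActivity;",
            "Lcom/google/android/gms/analytics/Tracker;",
            "Lcom/crashlytics/android/Crashlytics;",
            "onCreate",
        ]))
    for sdk, descriptors in sorted(result.items()):
        print(f"{sdk}: {len(descriptors)} class(es), e.g. {descriptors[0]}")
```

A hit only proves the SDK is linked into the APK, which is exactly the "talking to Google Analytics and Twitter" claim; it says nothing about what is sent or when. Confirming "every action is logged" still needs a network capture or hooking of the tracker calls, and ProGuard can strip an SDK that the app never references, so an absence of hits is weaker evidence than a presence.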


This needs to be added to the app store reviews.



