The Alexandra Institute has conducted a security
review of the Zafepass system. The review consisted
of three activities: an analysis of the design of the
cryptography used, a code review of the Zafepass
backend source code, and a review of the security
surrounding the "menu of resource".
The code review has examined the relevant parts of the
codebase, i.e. the security-relevant parts of the
backend have been evaluated. We note that the
client code, due to obfuscation techniques, as well as
parts of the deployed backend, e.g. configurations,
have not been reviewed. Additionally, we note that we
did not try to break the obfuscation techniques
applied in Zafepass.
The other parts of the review have been performed
as a series of interviews, describing how the system
is designed, choices made, etc. As a consequence,
we have not verified, outside the scope of the code
review, that the system is implemented as
described.