bilde2910/Hauk

Two minor Security Issues

Opened this issue · 5 comments

Hope you're well!

I spent a tiny bit of time so far doing some testing of your app and I'm impressed!

Just have two small issues to tell you about!

  1. Consider making the Password and Encryption password policies up to par with best practices. This would be a minimum of 12 characters (8 if you REALLY want), including upper/lowercase letters, numbers and symbols.

More info: https://cwe.mitre.org/data/definitions/521.html

  2. The APK is signed with the v1 scheme. Since this is the case, the APK is vulnerable to the Janus vulnerability. What that means is an attacker can add extra bytes to an APK and DEX file. Although this would require an attacker to trick a target into downloading the modified and malicious app, I just figured I'd let you know!

More info: https://medium.com/mobis3c/exploiting-apps-vulnerable-to-janus-cve-2017-13156-8d52c983b4e0
AND https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13156

I'll let you know if anything else comes up!
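As an added illustration of point 1 (not code from Hauk or from the reporter), here is a password-policy check that enforces exactly the rule stated above: a minimum length (12 by default, 8 if relaxed), plus at least one lowercase letter, one uppercase letter, one digit and one symbol. The function names and the sample passwords are mine.

```python
# Added example, not part of Hauk: a password-policy check matching the
# recommendation in this issue (min length, mixed case, digits, symbols).
import string

# "Symbol" here means any ASCII punctuation character (an assumption).
SYMBOLS = set(string.punctuation)


def password_policy_failures(password: str, min_length: int = 12) -> list:
    """Return the list of rules the password violates (empty list = accepted)."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SYMBOLS for c in password):
        failures.append("no symbol")
    return failures


def meets_policy(password: str, min_length: int = 12) -> bool:
    """True when the password satisfies every rule of the policy."""
    return not password_policy_failures(password, min_length)


if __name__ == "__main__":
    # Constructed sample passwords, used only to exercise the checker.
    for candidate in ("hunter2", "Tr0ub4dor&3", "correct-Horse7battery"):
        print(candidate, "->", password_policy_failures(candidate) or "ok")
```

The same function covers both the share password and the end-to-end encryption password, since the reporter asks for the same rules on each; the returned list lets the UI tell the user which rule was missed instead of rejecting the input silently.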

  1. You can leave it up to the admin but it's considered part of the Identification and Authentication Failures OWASP Top 10 categories. Specifically CWE-521: Weak Password Requirements.

  2. Interesting, F-Droid didn't by default bump it to v2 a few days ago when I grabbed it. But shifting the risk to F-Droid, I understand.
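To make the v1-versus-v2 question above checkable on a downloaded build, here is an added example (not code from Hauk, F-Droid or anyone in this thread) that parses an APK's ZIP trailer and reports whether an APK Signing Block with a v2 (ID 0x7109871a) or v3 (ID 0xf05368c0) entry is present, and whether the file only carries JAR-style v1 signature files. The `build_sample_apk` helper constructs a tiny synthetic APK, with a placeholder signing block rather than a real signature, purely so the checker can be run offline.

```python
# Added example, not part of Hauk: inspect an APK for an APK Signing Block
# (v2/v3 signature schemes) versus a v1-only (JAR) signature.
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}


def find_eocd(data: bytes) -> int:
    """Offset of the End of Central Directory record (no ZIP64 handling)."""
    start = max(0, len(data) - 22 - 65535)  # EOCD is 22 bytes + optional comment
    idx = data.rfind(b"PK\x05\x06", start)
    if idx < 0:
        raise ValueError("not a ZIP/APK: EOCD not found")
    return idx


def central_directory_offset(data: bytes) -> int:
    """Central directory offset stored at byte 16 of the EOCD record."""
    return struct.unpack_from("<I", data, find_eocd(data) + 16)[0]


def signing_block_ids(data: bytes) -> list:
    """IDs of the ID-value pairs in the APK Signing Block, or [] if absent."""
    cd_off = central_directory_offset(data)
    # The block sits immediately before the central directory and ends with
    # a uint64 size field followed by the 16-byte magic.
    if cd_off < 32 or data[cd_off - 16:cd_off] != APK_SIG_BLOCK_MAGIC:
        return []
    size = struct.unpack_from("<Q", data, cd_off - 24)[0]
    block_start = cd_off - size - 8          # size excludes the leading size field
    if block_start < 0 or struct.unpack_from("<Q", data, block_start)[0] != size:
        raise ValueError("malformed APK Signing Block size fields")
    ids, pos, end = [], block_start + 8, cd_off - 24
    while pos < end:
        pair_len = struct.unpack_from("<Q", data, pos)[0]   # length of ID + value
        ids.append(struct.unpack_from("<I", data, pos + 8)[0])
        pos += 8 + pair_len
    return ids


def signature_schemes(data: bytes) -> list:
    """Human-readable scheme names found in the signing block."""
    return [SCHEME_IDS[i] for i in signing_block_ids(data) if i in SCHEME_IDS]


def has_v1_only_signature(data: bytes) -> bool:
    """True if the APK has JAR (v1) signature files but no v2/v3 block."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    has_v1 = any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))
                 for n in names)
    return has_v1 and not signature_schemes(data)


def build_sample_apk(with_v2_block: bool) -> bytes:
    """Constructed sample: a minimal ZIP with v1-style META-INF entries and,
    optionally, a synthetic signing block holding a placeholder v2 entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x00")  # placeholder, not real PKCS#7
    data = buf.getvalue()
    if not with_v2_block:
        return data
    eocd, cd_off = find_eocd(data), central_directory_offset(data)
    value = b"\x00" * 8                                   # placeholder v2 payload
    pair = struct.pack("<QI", 4 + len(value), 0x7109871A) + value
    size = len(pair) + 8 + 16                             # pairs + trailing size + magic
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    patched = data[:cd_off] + block + data[cd_off:]
    new_eocd = eocd + len(block)                          # re-point the EOCD at the moved CD
    return (patched[:new_eocd + 16] + struct.pack("<I", cd_off + len(block))
            + patched[new_eocd + 20:])


if __name__ == "__main__":
    for label, apk in (("v1 only", build_sample_apk(False)), ("v1 + v2", build_sample_apk(True))):
        print(label, "-> schemes:", signature_schemes(apk),
              "v1-only:", has_v1_only_signature(apk))
```

This only inspects the container; it does not verify any signature. The authoritative check on a real build is `apksigner verify --verbose` from the Android SDK build tools, which prints whether v1, v2 and v3 verification passed. The point for this issue is that a v2/v3 block covers the whole file, which is what removes the v1-only condition Janus relies on.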

@J-GainSec F-Droid built it back then; it's not rebuilt over and over :) When a new version arrives, that one...

Sounds good!

Do I have your permission to post/publish about this?

It's not my/F-Droid's call; the dev here decides when/if they publish a new version.

Are we lost in translation?