
Add network configuration to prevent clear text #541

Open
ryjen opened this issue Feb 20, 2024 · 1 comment
Labels: bug, Needs QA (Should be done now, please test!), Priority: High

ryjen commented Feb 20, 2024

SDKs before 27 allow clear text (non-https) by default. This is a security vulnerability since the minimum SDK is 21.

Basically, it allows man-in-the-middle attacks.

Steps to reproduce:

  1. Identify an API being called in the app
  2. Poison the network's ARP with non-https
  3. Steal credentials

Expected behavior
All network traffic restricted to HTTPS

Screenshots

This is discussed more here: https://developer.android.com/privacy-and-security/risks/cleartext

Environment (please complete the following information):

  • OS version: less than 27
  • Device: any
  • App Version: 0.3.1

Additional context
If no HTTPS becomes an issue for testing, we must add flavour configurations instead.
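The fix the issue asks for is an Android network security configuration that denies cleartext for every destination. The following is an added example of such a configuration, not the project's own file or the commit referenced below; the file name `res/xml/network_security_config.xml` is the conventional one and is an assumption here. It pairs the insecure pre-API-28 default with the explicit setting that closes it:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (assumed path; added example, not the project's file) -->
<network-security-config>
    <!-- Without this file an app with minSdk 21 inherits the platform default,
         which on API 27 and below is the same as cleartextTrafficPermitted="true".
         Setting it to false makes every http:// request through HttpURLConnection,
         OkHttp, WebView and similar stacks fail instead of silently going out in
         the clear, so an ARP-spoofing proxy on the LAN cannot downgrade it. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- Trust only the system CA store; user-installed CAs (the usual
                 way an interception proxy is trusted) are excluded. -->
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>
```

The file is wired in through the manifest's `<application>` element with `android:networkSecurityConfig="@xml/network_security_config"`; setting `android:usesCleartextTraffic="false"` alongside it covers API 23, since the network security config is honoured only from API 24. On API 21 and 22 neither attribute is enforced, so for those devices the guarantee still depends on the app constructing only `https://` URLs. A quick check that the policy is active is to attempt one `http://` request in a test build and confirm it throws rather than completing, which is what an interception proxy such as mitmproxy would also show as no cleartext flow.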

@ryjen ryjen moved this to In Progress in OpenArchive Tech Feb 20, 2024
@ryjen ryjen self-assigned this Feb 20, 2024
ryjen added a commit that referenced this issue Feb 20, 2024
…ext-traffic

fix(network config): restrict clear text by default #541
@ryjen ryjen moved this from In Progress to Awaiting QA in OpenArchive Tech Feb 20, 2024
@ryjen ryjen removed this from OpenArchive Tech Feb 21, 2024
@foundscapes foundscapes added this to the Sprint - Critical Bugs milestone Feb 23, 2024
@ryjen ryjen added Needs QA Should be done now, please test! and removed Needs QA Should be done now, please test! labels Feb 27, 2024
@ryjen ryjen assigned vanichitkara and unassigned ryjen Mar 6, 2024
ryjen (Author) commented Mar 6, 2024

Hi @vanichitkara, this would be extremely hard to test explicitly, but it is available in an internal test build (version 0.3.2).

I would recommend exercising any features that use the web (storage, uploads)

If you have a proxy such as Charles or mitmproxy to log HTTP traffic, that would be a bonus.

Feel free to close if you do not experience any issues related to networks.
