SimpleMobileTools / Simple-File-Manager

Easy app for managing your files without ads, respecting your privacy & security
https://www.simplemobiletools.com
GNU General Public License v3.0

Security vulnerabilities notification #708

Closed TheFuzzStone closed 1 year ago

TheFuzzStone commented 1 year ago

Screenshot from NeoStore:

[image: Screenshot_20230531-220237]


  1. Where can we read more about this vulnerability to understand how to protect ourselves?

  2. When should we expect a fix?

haansn08 commented 1 year ago

F-Droid suggested to uninstall this app immediately, which I did. Sadly they did not provide any further information on this vulnerability.

TheFuzzStone commented 1 year ago

which I did

Same here.

SpaceXCheeseWheel commented 1 year ago

Seems to be because of this issue from 2022, but I'm confused because the issue was closed: https://github.com/SimpleMobileTools/Simple-File-Manager/issues/619. I found this in the comments left at the bottom of the metadata file here: https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/com.simplemobiletools.filemanager.pro.yml#L578

gbdomubpkm commented 1 year ago

Just saw this message, and I agree. However, personally, by default I disconnect all the apps that do not have to be connected (including File Manager) from the internet (mobile data and wifi of the app). So, since there is no sharing/transfer of data, what risk can there be?

Roy-Orbison commented 1 year ago

@gbdomubpkm The vector appears to be malicious PDFs, which can arrive from anywhere. These exploit the vulnerabilities in the PDF library this app uses. This app does not itself need to be Internet connected to be affected.

I uninstalled all of his apps after reading this comment.

SpaceXCheeseWheel commented 1 year ago

this comment.

Concerning.

What I am trying to understand is why this notification came in today. According to the git blame, the package was updated to include the security vulnerability antifeature several months ago, and only on version 6.14.3. Now this appears on the most recent version. Is there some sort of staging metadata server that fdroid, or maybe is it because NeoStore is pulling metadata from a different repository that has marked it as having a vulnerability?

Anyway, pinging @tibbi, hopefully you might be able to look into this.

ChaosNicro commented 1 year ago

I actually really like the clean-cut design. Hopefully the pdf-feature can be carved out for real this time. Raw-Text is really one of the only things that benefits from an internal viewer and even there you could delegate to something like Markor. Archives are convenient to view in files, but I usually work with Termux there, since everything other than zip needs it anyway. Long story short, don't burden yourself with maintaining extension features and do the main task well instead. For file-operations this does incredibly well.

RasheedAZ commented 1 year ago

or maybe is it because NeoStore is pulling metadata from a different repository that has marked it as having a vulnerability

I got the vulnerability notification on F-droid.

WessellUrdata commented 1 year ago

Relevant discussion from F-Droid's merge request on GitLab: https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11496#note_1208626843

and if you check the metadata on F-Droid: https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/com.simplemobiletools.filemanager.pro.yml?ref_type=heads#L530

The knownVuln flag is for an older version of the app. The current version does not have it. It's probably just a false positive by F-Droid.

Is there some sort of staging metadata server that fdroid, or maybe is it because NeoStore is pulling metadata from a different repository that has marked it as having a vulnerability?

I'm guessing the metadata is pulled from here: https://monitor.f-droid.org/anti-feature/KnownVuln

my two cents: those who uninstalled the app because of the scary "We recommend uninstalling this app immediately" warning really should give the benefit of the doubt and find out what the vulnerability actually is instead of having the knee-jerk reaction of uninstalling without giving a second thought.

summersab commented 1 year ago

I'm leaving a comment so I get notifications.

I'm interested to understand what triggered the notification. It SOUNDS like the vuln was fixed months ago, so I'd like to understand why F-Droid and/or NeoStore decided to freak people out and make the dev look like they did something sketchy. Also, I have both F-Droid and NeoStore installed, but only Neo showed a notification.

Security is very important to me, but as we often say in the industry, "seek first to understand."

J053Fabi0 commented 1 year ago

@summersab, you could've just clicked this button [image]

summersab commented 1 year ago

True, but I also thought it was worth leaving a comment that a) takes some blame off of the dev and b) mentioned that we should figure out why certain stores sent notifications so we can better investigate. Others have mentioned F-Droid metadata, but I'd like to have this confirmed as a false positive if that is indeed the case.

I've never had a "security vulnerability" notification for an app, and I assume most people haven't, either. I think it's important to calm people down, curb any mass-abandonment, and address what happened and why.

WessellUrdata commented 1 year ago

True, but I also thought it was worth leaving a comment that a) takes some blame off of the dev and b) mentioned that we should figure out why certain stores sent notifications so we can better investigate. Others have mentioned F-Droid metadata, but I'd like to have this confirmed as a false positive if that is indeed the case.

I just did some further digging in Shattered Pixel Dungeon, an app also flagged with knownVuln by F-Droid. Yet, if you take a quick glance at the metadata, there is simply no trace of the "knownVuln" flag there: https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/com.shatteredpixel.shatteredpixeldungeon.yml

Something must have gone very wrong at F-Droid for this to happen.

summersab commented 1 year ago

@WessellUrdata, can we tag an F-Droid dev to have them weigh in? If something is broken on their end, they should know so they can investigate.

WessellUrdata commented 1 year ago

@WessellUrdata, can we tag an F-Droid dev to have them weigh in? If something is broken on their end, they should know so they can investigate.

Unfortunately, I don't personally know a F-Droid dev, and it seems that they operate at GitLab instead. Sorry.

SpaceXCheeseWheel commented 1 year ago

This issues page is where you can submit issues about fdroid metadata, and might be a good place to start. Glancing at it, it seems that this isn't the only project that has been hit with an oddball vulnerability notice. I know that fdroid has been experimenting with automated dependency checking for a bit now; no clue if that's been deployed or not, but maybe there is an issue with one of the dependencies here? Wish fdroid would tell us what security vulnerability it is.

Ilav1 commented 1 year ago

@gbdomubpkm The vector appears to be malicious PDFs, which can arrive from anywhere. These exploit the vulnerabilities in the PDF library this app uses. This app does not itself need to be Internet connected to be affected.

I uninstalled all of his apps after reading this comment.

I also don't understand the comment by a developer. Do you have any good alternatives for the file manager, Gallery and phone app?

I really hope that the pdf reader will be deleted this time.

SpaceXCheeseWheel commented 1 year ago

I looked into trying to figure out what was getting flagged as the security vulnerability. According to https://f-droid.org/docs/Anti-Features/#KnownVuln, a program called fdroidserver is responsible for scanning app source code before apps are deployed to the site. I downloaded the most recent git revision of fdroidserver and set it up. Then, I scanned and built SimpleFileManager using it, the same way that fdroid would do it on their backend. Unfortunately, this did not yield any helpful information: the source was scanned with no error report, and built without a problem. At this point, I am stumped.

TheFuzzStone commented 1 year ago

The knownVuln flag is for an older version of the app.

Then everything becomes more interesting, because for previous versions of 'Simple File Manager Pro' I did not get any notifications, and just updated as soon as the update came.

my two cents: those who uninstalled the app because of the scary "We recommend uninstalling this app immediately" warning really should give the benefit of the doubt and find out what the vulnerability actually is instead of having the knee-jerk reaction of uninstalling without giving a second thought.

Since it was not clear what type of vulnerability it was, my action was not panicked, but deliberate - delete the app. Because I do care about my security/privacy.

I am grateful to the main developer and the other contributors for their efforts, work, and time spent on Simple intuitions, but I personally did not like this point.

RasheedAZ commented 1 year ago

Looks like F-droid is not showing Simple File Manager in search results any longer if you have the 'hide apps with known vulnerabilities' filter on.

bene64 commented 1 year ago

It seems like it's a bug within F-Droid; the current version is not affected by the original vulnerability. It just displays the warning for all versions instead of only the affected ones.

The bug was found and fixed and the message will hopefully disappear after the next index update (on the server).
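An added example (not code from this thread, from Simple File Manager or from F-Droid) that models the per-version check bene64 describes: the KnownVuln anti-feature sits on one historical build in the metadata, and a store should report it only for that build, not for every version. The metadata dict is constructed and merely shaped like a parsed fdroiddata .yml file (app-level AntiFeatures, CurrentVersionCode, per-build antifeatures); the version codes and build list are placeholders, not the app's real history.

```python
"""Per-version KnownVuln check versus the over-broad 'any build' check."""

KNOWN_VULN = "KnownVuln"

# CONSTRUCTED metadata, shaped like yaml.safe_load() of a fdroiddata .yml file.
# Only one historical build carries the KnownVuln anti-feature; the version
# codes are placeholders, not Simple File Manager's actual ones.
APP_METADATA = {
    "AntiFeatures": [],          # app-level anti-features apply to every build
    "CurrentVersionCode": 120,
    "Builds": [
        {"versionName": "6.13.0", "versionCode": 100, "antifeatures": []},
        {"versionName": "6.14.3", "versionCode": 110, "antifeatures": [KNOWN_VULN]},
        {"versionName": "6.15.0", "versionCode": 120, "antifeatures": []},
    ],
}


def build_for(metadata, version_code):
    """Return the build entry with the given versionCode, or None."""
    for build in metadata.get("Builds", []):
        if build.get("versionCode") == version_code:
            return build
    return None


def antifeatures_for(metadata, version_code):
    """Anti-features that apply to one specific build: the app-level ones
    plus those listed on that build only."""
    build = build_for(metadata, version_code)
    if build is None:
        raise KeyError(f"no build with versionCode {version_code}")
    return set(metadata.get("AntiFeatures", [])) | set(build.get("antifeatures", []))


def has_known_vuln(metadata, version_code):
    """Correct check: the flag counts only when this build carries it."""
    return KNOWN_VULN in antifeatures_for(metadata, version_code)


def any_build_has_known_vuln(metadata):
    """Over-broad check reproducing the symptom in the thread: a flag on any
    historical build is reported for the app as a whole."""
    return any(KNOWN_VULN in b.get("antifeatures", []) for b in metadata.get("Builds", []))


def affected_versions(metadata):
    """Version names that actually carry the flag, so a notice can name them."""
    return [b["versionName"] for b in metadata["Builds"]
            if has_known_vuln(metadata, b["versionCode"])]


def should_hide(metadata, installed_version_code=None):
    """A 'hide apps with known vulnerabilities' filter applied per version:
    judge the installed build when known, otherwise the current build."""
    code = metadata["CurrentVersionCode"] if installed_version_code is None else installed_version_code
    return has_known_vuln(metadata, code)


if __name__ == "__main__":
    print("any build flagged:", any_build_has_known_vuln(APP_METADATA))
    print("current build flagged:", should_hide(APP_METADATA))
    print("affected versions:", affected_versions(APP_METADATA))
```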

Roy-Orbison commented 1 year ago

@Ilav1

Do you have any good alternatives for the file manager, Gallery and phone app?

For a file manager, Files works well enough. I know it's not open source but it has no permissions and (after a sneaky peek in the APK) all I can see is starting an activity that launches the inbuilt file manager. This changes depending on your Android version:

It's not the same thing as the "Files by Google" app, I have that disabled. It would be nice if someone could make an open source version of it :wink:

For calls, Emerald Dialer still works.

Haven't found a gallery equivalent, in terms of simplicity.

gbdomubpkm commented 1 year ago

So we agree on the fact that, to summarize, there is no vulnerability in File Manager? If that's right, that's the main thing, because this app is really great, at least for me.

nikossvnk commented 1 year ago

@gbdomubpkm The vector appears to be malicious PDFs, which can arrive from anywhere. These exploit the vulnerabilities in the PDF library this app uses. This app does not itself need to be Internet connected to be affected. I uninstalled all of his apps after reading this comment.

I also don't understand the comment by a developer. Do you have any good alternatives for the file manager, Gallery and phone app?

I really hope that the pdf reader will be deleted this time.

This was very concerning and it actually made it clear that the developer's intentions are exactly what the name suggests: "simple". The focus never was on security and/or privacy and it looks like it was more like an assumption. Sure, there is no tracking or other intrusive stuff; in this aspect, yes, it respects user privacy.

Also, for a file manager, I'm using https://f-droid.org/en/packages/com.ghostsq.commander/ (oldschool approach, not sure if it fits everyone).

Hillside502 commented 1 year ago

For calls, Emerald Dialer still works.

Last updated nearly 2 years ago and with 33 open issues, some outstanding for 5 years: https://github.com/HenriDellal/emerald-dialer/releases https://github.com/HenriDellal/emerald-dialer/issues

HFPasfho commented 1 year ago

I came here yesterday morning a little worried by the f-droid warning. I wasn't scared, I wasn't rushing, just trying to get some information about the issue. I even thought to myself that this could be a false warning about this old vulnerability that was fixed some time ago. And it looks like I was right. Actually I was kind of proud of myself that I took it so calmly and didn't panic because of some scary warning.

BUT THEN I READ THIS COMMENT

I don't understand those geeky things there, what can happen to an app without internet access?

written by the author himself. And I am still shocked to this very moment. I can't get my head around how someone capable of creating an app even slightly more complex than simple hello world could possibly ever say something this incompetent and ignorant. Let alone in public under his name. I immediately UNINSTALLED ALL of his apps from my device. It may seem a little bit drastic but I can't and never will be able to trust someone who is so irresponsible and isn't even ashamed of his ignorance. I'm actually second-hand embarrassed of him.

If someone thinks this post isn't constructive because it's basically a rant on author well, you may be right... But it wasn't my intention in the first place! I planned this comment differently but I just can't put it more gently. And the constructive conclusion is: if you value your security and privacy DON'T USE ANY APP CREATED BY THIS GUY. Who knows what other past and future omissions he has downplayed.

b9AcE commented 1 year ago

It's "funny" how the reason I chose Simple File Manager in 2017 and recommended it to thousands of people since was that it was just that, a file manager that was simple, no bloatware or other superfluous "cool" features that would just add risk and clutter without adding functionality desired for the app, but now I find myself looking for a replacement specifically because of a bloatware "feature" that isn't even listed in the app's description on the app-stores, that has nothing to do with file management and that I use a separate dedicated app for anyway, that "feature" has either now or in the past caused security issues.

I wish there was an "Actually Simple File Manager" being exactly this app, but with all functionality not actually file management removed, because apart from the bloatware, it would have remained nearly perfect.

Pi-Cla commented 1 year ago

All I'm gonna say is that I see people harping on someone for a single comment who went out of their way to make a FOSS app for us all to enjoy. Seeing as how the issue was all on F-Droid's end, I hope when the dev has time they will close this issue. I will keep using their apps; they have been doing a great job.

summersab commented 1 year ago

Guys, the author is from Slovakia. His English likely isn't perfect, and I don't read his comment as "flippant." I read it as, "Hey, I'm a bit of a n00b when it comes to things like CVEs. Could someone explain why using this library is a problem if your app doesn't have internet connection?"

I don't think it's fair for everyone to be so eager to dump on a dev who has built some pretty awesome and useful apps.

Roy-Orbison commented 1 year ago

@Hillside502 most of those issues are cosmetic, or feature requests. It works for me. If it doesn't work for you, don't use it.

Hillside502 commented 1 year ago

most of those issues are cosmetic, or feature requests

I wouldn't describe multiple crashes as "cosmetic".

octvs commented 1 year ago

Guys, the author is from Slovakia. His English likely isn't perfect, and I don't read his comment as "flippant." I read it as, "Hey, I'm a bit of a n00b when it comes to things like CVEs. Could someone explain why using this library is a problem if your app doesn't have internet connection?"

I don't think it's fair for everyone to be so eager to dump on a dev who has built some pretty awesome and useful apps.

There are many, many people from non-English speaking countries here that don't require this level of wishful thinking while reading their comments. Don't mistake an attitude for something else, otherwise it sounds condescending.

summersab commented 1 year ago

I prefer to see the best in people and give them the benefit of the doubt, @octaskin.

sinkaf commented 1 year ago

I've just heard about it and it's not nice. Because I use almost all of your apps, so should I uninstall them all?

czadikem commented 1 year ago

The thing you hear in the security world is that it is not if you will get hacked, it is when. Everyone has their own thoughts and actions, but considering the security flag in the app has already been fixed, I will continue to use his apps. Tibor has built solid apps that I can see work well and is constantly updating them, unlike quite a bit of other software devs with great fdroid software. So Tibor, thank you for your time and effort on these apps and keep it up. PS Tibor, I thought the same thing as you about no internet, no issue, but there are many security holes and things you can do even when an app or device is offline, so maybe research it. One example is that a bad actor could go through file manager, a trusted android program with full file access, and go through and copy data out of apps.

ozankiratli commented 1 year ago

I agree that Tibor makes really good apps and I will continue to use them as well. However, we cannot expect an average end-user to understand if the app is secure or not. They will put their trust on the distributors such as F-Droid and NeoStore.

First of all, even though I see Tibor's point to use the built-in libraries to open PDF files, I agree with the people that this function causes problems as the app gets flagged, and this damages the reputation of simple mobile tools. For this reason, maybe it is for the best if the PDF viewer is separated from the file manager. Maybe an add-on app can be made for people who want to use built-in PDF viewer. I don't know what could be a good solution.

Also we need to understand that there are cultural and personal differences in communication styles on top of being non-native speakers; this does not make a developer "incompetent" or "evil". People have been pointing to a single comment and they take it out of context. After that comment, when the possible offline ways to exploit the PDF viewer were explained, Tibor added the "bug" label and addressed the problem. I see this as being responsive and acting in good faith.

genodeftest commented 1 year ago

@HFPasfho (answering to this comment)

SimpleMobileTools is Open Source software. The main developer, as well as other contributors here, do this in their free time, out of good will. You are not their employer, so they don't have any obligation to you whatsoever. (And even if you were their employer, I hope you would have chosen a less negative tone). Please choose a more friendly tone next time. Volunteering works fine as long as you get constructive feedback. As soon as the volunteers get very negative feedback, they probably stop enjoying their work and will go away searching for something else. This would probably not be in your interest or anyone else's in the community.

If you think you know better about security, please feel free to offer to teach the developer(s) or send them a link explaining it, not harass them.

abochmann commented 1 year ago

According to https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11496#note_1208626843, the KnownVuln flag should have been removed months ago after the author replaced the actual PDF viewing component in their fork of AndroidPdfViewer with Google's own androidx.viewpager2 - the corresponding change seems to be in https://github.com/tibbi/PdfViewPager/commit/c92e27ed02caf75c7314b9b62bfc3e46bd7a72f7...

It's quite strange that this reappears now, and looks more like an error on F-Droid's part.

HFPasfho commented 1 year ago

Guys, the author is from Slovakia. His English likely isn't perfect, and I don't read his comment as "flippant." I read it as, "Hey, I'm a bit of a n00b when it comes to things like CVEs. Could someone explain why using this library is a problem if your app doesn't have internet connection?"

I really don't know why you're making such a far-fetched argument. The author's English is good. Heck, my posts are mostly created by a translator and I have no difficulty understanding what this case is about. Also this "Hey, I'm a bit of a n00b when it comes to things like CVEs. Could someone explain why using this library is a problem if your app doesn't have internet connection?" is the core of the problem. This is what stunned so many people. The sheer lack of knowledge, not an unfortunate choice of words.

HFPasfho commented 1 year ago

@genodeftest Why are you so eager to be offended on author's behalf that you put words in my mouth that I didn't say? Where did I say or act as if I was his employer? Where did I say he was obligated to do something? Where did I demand that he do what I wanted? Your attempt to twist my words and put yourself in a position of moral superiority defending the author from imaginary attacks is truly disgusting.

My as you said "negative feedback" isn't an attack of any kind but a warning to other users and a reasonable reaction to losing trust. I'm sorry, I just don't like when someone nonchalantly puts my security and privacy at risk.

RDS5 commented 1 year ago

Absolute warfare this comment section is anyways, why doesn't someone fork it and remove the PDF viewer (and other bloat if there is any) until the main dev removes it?

WessellUrdata commented 1 year ago

Guys, stop the flame war.

The current problem of "security vulnerabilities notification" is caused by F-Droid, not by Simple File Manager itself.

The built-in PDF reader is not even part of this specific problem to begin with. Go move your discussion on the removal of PDF reader somewhere else (maybe with a new issue) because the ongoing discussion is rapidly going out of the scope of this issue and devolving into a flame war.

summersab commented 1 year ago

Absolute warfare this comment section is anyways, why doesn't someone fork it and remove the PDF viewer (and other bloat if there is any) until the main dev removes it?

...or submit a PR.

Roy-Orbison commented 1 year ago

@Hillside502

I wouldn't describe multiple crashes as "cosmetic".

Nor did I, try not to use straw men. Have you even tried it? I'm betting you haven't.

unchaineddev commented 1 year ago

Same here. Is this an issue with the file manager only or other apps too?

[image: security_issue]

JulianGmp commented 1 year ago

F-Droid suggested to uninstall this app immediately, which I did. Sadly they did not provide any further information on this vulnerability.

I find it very odd that fdroid will yell and screech at us that a piece of software has a known vulnerability but then doesn't give out ANY information what it even is...

genodeftest commented 1 year ago

The security vulnerability is a known bug in f-droid, see https://gitlab.com/fdroid/fdroidserver/-/issues/1103 and https://gitlab.com/fdroid/fdroidclient/-/issues/2614. There is no indication that there is a security vulnerability in Simple File Manager; it looks like a false flag from fdroiddata/fdroidserver instead.

This bug is known to the f-droid team: their server misbehaves related to antifeatures (or at least known security vulnerabilities in older versions are displayed for newer versions): https://gitlab.com/fdroid/fdroidserver/-/issues/1103#note_1413478639. Upstream (fdroidserver) has already fixed this bug: https://gitlab.com/fdroid/fdroidserver/-/merge_requests/1370. It will take a few days until their change is propagated to the package list and mirrors of the f-droid repository. Please wait for a few days until this has happened.

I hope this makes it clear that there is no need to spread more fear, uncertainty or doubt.

@JulianGmp and @haansn08 wrote:

Sadly they did not provide any further information on this vulnerability.

I find it very odd that fdroid will yell and screech at us that a piece of software has a known vulnerability but then doesn't give out ANY information what it even is...

I guess it would be worth contacting fdroid developers to suggest this feature of having more details on why the repo considers any app to have a security vulnerability. I'm unsure whether this is for fdroiddata or fdroidserver or somewhere else though.

summersab commented 1 year ago

The security vulnerability is a known bug in f-droid, see https://gitlab.com/fdroid/fdroidserver/-/issues/1103 and https://gitlab.com/fdroid/fdroidclient/-/issues/2614. There is no indication that there is a security vulnerability in Simple File Manager; it looks like a false flag from fdroiddata/fdroidserver instead.

If this is true, I really think some sort of apology is in order from the F-Droid team. The developer likely lost hundreds of users of this and other apps he has worked so hard to develop. The reputational damage is hard to dismiss.

F-Droid doesn't keep records of who has (or had) a particular app installed, so putting out a notification to users who removed the app isn't an option. Still, something should be done.

WessellUrdata commented 1 year ago

Update: the latest update from F-Droid repo has removed the knownVuln flag for Simple File Manager.

Source: https://monitor.f-droid.org/anti-feature/KnownVuln

tibbi commented 1 year ago

It is a bug on F-droid, we haven't been using that library for ages...