SimpleMobileTools / Simple-Gallery

A premium app for managing and editing your photos, videos, GIFs without ads
https://www.simplemobiletools.com
GNU General Public License v3.0

[Vulnerability]: Declared function deleting metadata does not work #2801

Open snooppr opened 1 year ago

snooppr commented 1 year ago

The user is prompted to remove exif, and notified that the tags have been removed. Actually, the exif part is not removed, such as "software/Ex.B.Or.". That allows you to identify the user who relied on this application, which failed his anonymity.

Below is a screenshot from Termux: at the top, exifs cleaned with "Simple-Gallery", and below, exifs cleaned with "exiftool". You can see that SG does not remove the "software/EBO" tags. This is critical.

Reproducing the issue: edit an image in PhotoDirector and save, then remove exif with SG. The tags have not been removed.

Fix the "remove tags" function to clear all tags. Alert users of the SG app that previously uploaded images to the network with cleared tags that they are at risk of deanonymization.

version apk 6.26.3

tswistak commented 1 year ago

I've tested on 6.26.5 Pro, and I've noticed that also "User Comment" is not removed:

BTW, I wouldn't care about Exif Byte Order. It only tells whether data should be read from left-to-right or right-to-left (little or big endian). Motorola in your case and Intel in my case is only a tip that it's the ordering used by Motorola or Intel, but it doesn't disclose the phone manufacturer.

DocSniper commented 1 year ago

I would suggest that the app not only removes some entries, but all metadata of a (JPG) image. For example, in addition to "Remove EXIF", there could be a second function called "Remove all metadata" that removes everything but the necessary things. As an example of what I mean, here is a link to the "Scrambled Exif" app, which removes all metadata of an image, see: https://gitlab.com/juanitobananas/scrambled-exif
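A way to check this independently of the app, as an added example that is not part of the thread or of Simple Gallery's own code: a small Python script that builds a constructed JPEG carrying the two tags discussed above (Software in IFD0, UserComment in the Exif sub-IFD, "MM" byte order), walks the JPEG segments and Exif IFDs to report which of those tags survive, and strips every APPn/COM segment the way the "remove all metadata" suggestion describes. Tag ids, markers and the TIFF/IFD layout follow the Exif and JPEG specifications; the sample file and its values are constructed here, and the function names are my own.

```python
import struct
SOFTWARE, EXIF_IFD, USER_COMMENT = 0x0131, 0x8769, 0x9286   # Exif tag ids named in the thread
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 7: 1}                  # BYTE, ASCII, SHORT, LONG, UNDEFINED
def build_exif_jpeg(software: bytes, comment: bytes) -> bytes:
    # Constructed sample: SOI, one APP1 Exif block ("MM" order, Software in IFD0, UserComment
    # in the Exif sub-IFD), then a bare SOS marker and EOI. Not a real photo.
    sub_off = 8 + 2 + 2 * 12 + 4                                 # sub-IFD follows IFD0 (2 entries)
    data_off, soft = sub_off + 2 + 12 + 4, software + b"\x00"    # values follow sub-IFD (1 entry)
    tiff = b"MM\x00\x2a" + struct.pack(">IH", 8, 2)              # IFD0 at offset 8, 2 entries
    tiff += struct.pack(">HHII", SOFTWARE, 2, len(soft), data_off)
    tiff += struct.pack(">HHIIIH", EXIF_IFD, 4, 1, sub_off, 0, 1)  # next-IFD = 0; sub-IFD count = 1
    tiff += struct.pack(">HHIII", USER_COMMENT, 7, len(comment), data_off + len(soft), 0)
    app1 = b"Exif\x00\x00" + tiff + soft + comment
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda\xff\xd9"
def segments(data: bytes):
    # Yield (offset, marker, payload) for every marker segment before SOS (0xFFDA).
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield pos, data[pos + 1], data[pos + 4:pos + 2 + length]
        pos += 2 + length
def exif_tags(data: bytes):
    # Return (byte order: ">" for "MM"/Motorola, "<" for "II"/Intel, {tag id: raw value}).
    bo, tags = None, {}
    for _, marker, seg in segments(data):
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            tiff, bo = seg[6:], (">" if seg[6:8] == b"MM" else "<")
            pending = [struct.unpack(bo + "I", tiff[4:8])[0]]     # IFD0 offset
            while pending:
                off = pending.pop()
                for i in range(struct.unpack(bo + "H", tiff[off:off + 2])[0]):
                    e = off + 2 + 12 * i
                    tag, typ, cnt, val = struct.unpack(bo + "HHII", tiff[e:e + 12])
                    size = cnt * TYPE_SIZE.get(typ, 1)        # > 4 bytes: stored at offset val
                    tags[tag] = tiff[val:val + size] if size > 4 else tiff[e + 8:e + 8 + size]
                    if tag == EXIF_IFD:
                        pending.append(val)                   # descend into the Exif sub-IFD
    return bo, tags
def leftover_identifying_tags(data: bytes) -> list:
    names = {SOFTWARE: "Software", USER_COMMENT: "UserComment"}
    return sorted(names[t] for t in exif_tags(data)[1] if t in names)
def strip_metadata(data: bytes) -> bytes:
    # "Remove all metadata": drop every APPn (0xE0-0xEF) and COM (0xFE) segment, keep the rest.
    out, end = bytearray(data[:2]), 2
    for pos, marker, seg in segments(data):
        if not (0xE0 <= marker <= 0xEF or marker == 0xFE):
            out += data[pos:pos + 4 + len(seg)]
        end = pos + 4 + len(seg)
    return bytes(out + data[end:])
```

Running `leftover_identifying_tags` on a file after the app's "remove EXIF" step is the check the screenshot performs with exiftool; an empty list is the expected result, and `strip_metadata` shows what that result looks like when the whole APP1 segment is dropped rather than individual entries.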