banasiak
commented
8 months ago @wordeater Thanks for this report! I take security and privacy very seriously, so I appreciate you taking the time to provide this information. Allow me to opine on these findings and please let me know if you disagree.
Security Risks Summary
- This application certificate has been signed with a weak APK Signature Scheme.
- This is true. I'm still using the original signing key from 2011. I will investigate migrating to Android App Bundles (AAB) and a Google Play managed app signing key, which is the modern day recommended signing mechanism.
- A hardcoded secret has been detected.
- The report references the Kotlin standard and coroutines libraries, so I believe this is a false positive.
- This app uses Java code reflection. Reflection enables a Java program to analyze and modify itself. An attacker can create
unexpected control flow paths through the application, potentially by-passing security checks. Exploitation of this weakness
can result in a limited form of code injection.
- The report references the Kotlin standard and coroutines libraries, so I believe this is also a false positive.
- The application is using an insecure random number generator.
- I've wondered about this myself. Again, the report references the Kotlin libraries, but the RNG used by the actual coin flipping mechanism is
kotlin.random.Randomas opposed tojava.security.SecureRandom. I will investigate the differences here.
- I've wondered about this myself. Again, the report references the Kotlin libraries, but the RNG used by the actual coin flipping mechanism is
Privacy Risks Summary
- The application writes information to the system log. This can result in unintended information leakage, however it cannot be automatically determined whether the logged data is sensitive.
- Debug builds use the Timber library for logging, but this is not implemented in Release builds. I believe this is not a risk.
Backup
- This app has enabled the backup feature in Android. The backup data may expose sensitive information
which potentially could be accessed by an adversary.
- This is true. This allows for settings as well as the statistics to be restored when upgrading to a new phone. As there isn't any sensitive information collected or stored by the app, I chose to enable this feature for user convenience.
Binary Protections Testing
- The app can be tampered with easily.
- I have a strong opinion about the importance of code obfuscation tools in general. But, given this app is open-source, it isn't applicable to this situation.
- This application does not make a check to determine if the device the app is running on is rooted.
- This is true. I chose not to implement the Google Play Integrity API.
Network Security
- The application is not implementing certificate pinning on any domain it communicates with.
- Although true, the app doesn't request the
android.permission.INTERNETpermission, so it is unable to communicate with any domain.
- Although true, the app doesn't request the
Network Communications Summary
- Given the app doesn't communicate with any server, I believe the URLs listed were determined by static code analysis.
- jetbrains.com
- Jetbrains is the author/maintainer of the Kotlin language, which is the language Google recommends using for modern Android app development. I believe this URL is included in the Kotlin license files.
- eff.org
- There is a button on the About screen which encourages users to donate to the Electronic Frontier Foundation.
- w.wiki
- The Diagnostics screen includes a link to Wikipedia that the user can tap on to learn more about Random Number Generation.
Sentinel One detects this as Malicious but has a Low Privacy Risk and Low Security Risk. The file hash for the APK is: 04ae8a60c75e139e40ce06e347630d46 It seems to be upset about a few insecure coding practices which can you read about in the PDF. We've opened a Case with SentinelOne to try to get details on why it thinks the APK is malicious.
S1-Simple Coin Flip-Technical Report.pdf