emansih / FireflyMobile

Mobile Application for Firefly III written in Kotlin
GNU General Public License v3.0

Cryptographic APIs misuses #191

Closed misterAnderson90 closed 2 years ago

misterAnderson90 commented 2 years ago

Firefly III Mobile Version: 4.14.2

I'm a PhD student exploring the state-of-the-art of Static Analysis tools for detecting vulnerabilities due to crypto-API misuses. This issue has not been generated automatically.

I have detected 35 warnings that reveal possible incorrect usages of the JCA library on FireflyMobile (or its library dependencies). I documented these issues in private gists for the sake of non-disclosure. How should I proceed to share these issues? I hope we can evaluate the severity of these warnings and thus improve FireflyMobile's security.

The tool that I have used for the analysis is: CogniCrypt

emansih commented 2 years ago

My email can be found in my profile

emansih commented 2 years ago

My public GPG key can be found in my github profile too. (Key ID: 1512CF86EC5FDA00)

emansih commented 2 years ago

For the interest in public development I am posting the full email here:

Hi Daniel,

This is Luis that opened issue 191 on project FireflyMobile. I'm sending this email to share with you the gists we have documented.

From the 35 warnings that CogniCrypt reported, 9 were related to your code. The remaining 26 are related to its library dependencies. If you are interested, we can share the report with all warnings. 

We combined the 9 warnings into 4 gists:
  Gist 01 - [SSL.Context](https://gist.github.com/misterAnderson90/1a8107d45e5d427c41f2e55b747409f0)
  Gist 02 - [KeyManagerFactory](https://gist.github.com/misterAnderson90/9f84ba24e61b8b5bce9bd1dcd74a142e)
  Gist 03 - [KeyStore](https://gist.github.com/misterAnderson90/62fa9df3f10c1b9581ac133bf351685c)
  Gist 04 - [TrustManagerFactory](https://gist.github.com/misterAnderson90/01da4baef2ee5612b0ee56279eddefd6)

For any doubts, you can comment directly in the gists and we can clarify the issues.  

Best regards,

I have fixed 1 to use the default SSL instead of instantiating a custom TLS. As for 2, 3, 4, 5, I doubt they matter because the keystore is specific to my app and no other apps can access it unless they have UID 0 (essentially root). Correct me if I am wrong.
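The thread names the four JSSE classes the warnings concern (SSLContext, KeyManagerFactory, KeyStore, TrustManagerFactory) and the maintainer's fix of falling back to the platform default context, but the gists themselves are private. The following is an added Kotlin example, not code from FireflyMobile or from the gists: it shows the general shape of a hand-built SSLContext that CogniCrypt-style checkers flag, the default-context fix, and a custom context assembled in the order the JSSE contracts expect for the case where one is genuinely needed (e.g. a client certificate). The trust-all manager, the "SSL" protocol name, the `TlsSetup` holder, the placeholder password and the empty in-memory PKCS12 store are all assumptions made for illustration.

```kotlin
import java.security.KeyStore
import java.security.SecureRandom
import java.security.cert.X509Certificate
import javax.net.ssl.KeyManagerFactory
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManager
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager

// Holder for what a client actually needs to pass on to its HTTP stack.
// Assumed name; not part of the project.
data class TlsSetup(val context: SSLContext, val trustManager: X509TrustManager)

// BEFORE: the kind of custom SSLContext that static crypto checkers report.
// Two independent defects: a legacy protocol name ("SSL") and a TrustManager
// that accepts every chain, which disables server authentication entirely.
// Illustrative pattern only, not the app's code.
fun insecureSetup(): TlsSetup {
    val trustAll = object : X509TrustManager {
        override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) = Unit
        override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) = Unit
        override fun getAcceptedIssuers(): Array<X509Certificate> = emptyArray()
    }
    val ctx = SSLContext.getInstance("SSL").apply {
        init(null, arrayOf<TrustManager>(trustAll), SecureRandom())
    }
    return TlsSetup(ctx, trustAll)
}

// AFTER (1): what "use the default SSL" amounts to. The platform context
// validates against the system trust store under the platform's protocol policy.
fun defaultSetup(): TlsSetup {
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(null as KeyStore?)   // null selects the platform's default trust store
    val tm = tmf.trustManagers.filterIsInstance<X509TrustManager>().first()
    return TlsSetup(SSLContext.getDefault(), tm)
}

// AFTER (2): a custom context done in the expected order, for when the app
// must present a client certificate. Factories are initialised from a loaded
// KeyStore, the protocol is named explicitly, and no TrustManager is hand-written.
fun hardenedSetup(clientKeyStore: KeyStore, keyPassword: CharArray): TlsSetup {
    val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
    kmf.init(clientKeyStore, keyPassword)

    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(null as KeyStore?)
    val tm = tmf.trustManagers.filterIsInstance<X509TrustManager>().first()

    // "TLSv1.3" needs Java 11+ / Android 10+; use "TLSv1.2" on older targets.
    val ctx = SSLContext.getInstance("TLSv1.3").apply {
        init(kmf.keyManagers, tmf.trustManagers, SecureRandom())
    }
    return TlsSetup(ctx, tm)
}

// Cheap regression check for a unit test: a real X509TrustManager rejects an
// empty chain (the JDK implementation throws IllegalArgumentException), whereas
// a trust-all stub silently accepts it.
fun acceptsEmptyChain(tm: X509TrustManager): Boolean =
    runCatching { tm.checkServerTrusted(emptyArray(), "RSA") }.isSuccess

fun isAcceptableProtocol(ctx: SSLContext): Boolean =
    ctx.protocol in setOf("TLSv1.2", "TLSv1.3") || ctx.protocol == "Default"

fun main() {
    // Constructed sample input: an empty in-memory PKCS12 store standing in
    // for the app's client-certificate store; the password is a placeholder.
    val ks = KeyStore.getInstance("PKCS12").apply { load(null, null) }
    val pw = "changeit".toCharArray()

    for ((name, setup) in listOf("insecure" to insecureSetup(),
                                 "default" to defaultSetup(),
                                 "hardened" to hardenedSetup(ks, pw))) {
        println("$name: protocol=${setup.context.protocol} " +
                "trustAll=${acceptsEmptyChain(setup.trustManager)} " +
                "protocolOk=${isAcceptableProtocol(setup.context)}")
    }
}
```

If the app's HTTP client is OkHttp (an assumption; the page does not say which client FireflyMobile uses), the hardened setup is wired in with `OkHttpClient.Builder().sslSocketFactory(setup.context.socketFactory, setup.trustManager)`, which is why the example returns the trust manager alongside the context rather than the context alone.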