jumaris / sshtunnel

Automatically exported from code.google.com/p/sshtunnel
GNU General Public License v3.0

Incorrect permissions allow access from any other app #85

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
This app stores many of its files in the /data/data/org.sshtunnel.[appname]/ 
directory with permissions accessible to other apps on the device. For example, 
in the sshtunnel beta version, ssh.sh is editable and in the sshtunnel 
(production) version, socks.sh is editable.

By doing so, a malicious app has the ability to modify these files and steal 
whatever profile information is stored including usernames, passwords, and 
hostnames. Possibly private keys as well but unverified.

A PoC has been created that exploits this vulnerability. More details can be 
given if emailed directly. antitree %at gm--;ail

Original issue reported on code.google.com by antitree on 6 Oct 2011 at 4:19
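
An added example (not part of the original report or of sshtunnel's code) showing how the condition described above can be checked and corrected: a POSIX shell audit that lists entries under a directory whose "other" permission bits are set, then strips those bits. The sample tree is constructed; only the names ssh.sh and socks.sh come from the report, while the modes, the prefs directory and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not sshtunnel code): find files that "other" can access.
# On Android each app runs under its own UID, so the "other" bits are what
# every other installed app gets.

# other_bits PATH: print the three "other" permission characters, e.g. "rw-".
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# audit_other_access DIR: print "BITS PATH" for each regular file or directory
# under DIR with any "other" bit set. Returns 1 if any were found, else 0.
audit_other_access() {
    hits=$(find "$1" \( -type f -o -type d \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print | sort)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits" | while IFS= read -r entry; do
        printf '%s %s\n' "$(other_bits "$entry")" "$entry"
    done
    return 1
}

# lock_down DIR: strip every "other" bit, the on-disk equivalent of creating
# the files as private to the owning app.
lock_down() {
    find "$1" \( -type f -o -type d \) -exec chmod o-rwx {} +
}

# make_sample_tree: build a constructed stand-in for the app data directory
# (file names from the report, modes invented) and print its path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir "$dir/prefs"
    : > "$dir/ssh.sh";            chmod 666 "$dir/ssh.sh"
    : > "$dir/socks.sh";          chmod 755 "$dir/socks.sh"
    : > "$dir/prefs/profile.xml"; chmod 600 "$dir/prefs/profile.xml"
    chmod 700 "$dir/prefs"
    printf '%s\n' "$dir"
}

# Demo on the constructed tree: audit, lock down, audit again.
sample=$(make_sample_tree)
audit_other_access "$sample" || echo "exposed entries listed above"
lock_down "$sample"
audit_other_access "$sample" && echo "clean after lock_down"
rm -rf "$sample"
```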

GoogleCodeExporter commented 8 years ago
The permission issue will be fixed in the next version.

However, we will continue to store sensitive information in plain text 
(serialized in the preference file), because this app is actually designed for 
users in China to tunnel through GFW with a limited user account on the remote 
servers outside China (typically without permission to execute commands). In 
future versions, maybe we will try to warn users about this security issue.

As a best practice, we suggest users only install apps from Android Market.

Original comment by max.c...@gmail.com on 7 Oct 2011 at 2:52

GoogleCodeExporter commented 8 years ago
Nice job on the quick response. 

WRT passwords in the clear: I understand the idea that some users will create 
tunnels using unprivileged accounts, but it's your job as the developer to 
secure that information either way. Usernames and passwords are sensitive 
information whether or not those accounts are root or unprivileged. 

It's very easy to encrypt any of that text information inside of the profile. 
Here's an example of implementing Android's AES libraries to encrypt and 
decrypt a string on the fly. 
http://www.androidsnippets.com/encryptdecrypt-strings

Original comment by mark.man...@gmail.com on 7 Oct 2011 at 2:26

GoogleCodeExporter commented 8 years ago
SSHTunnel is open source software. If we encrypt information using an AES 
password, we have to write this password in our code. And, with this password, 
anyone can decrypt profile info easily.

Original comment by max.c...@gmail.com on 7 Oct 2011 at 2:41

GoogleCodeExporter commented 8 years ago
You would not use static keys to implement AES. But I digress. 

I don't agree with the fact that everyone should be using an unprivileged 
shell, but where and how to store information is debatable so it seems this is 
basically the discussion it's turned into. 

http://stackoverflow.com/questions/785973/what-is-the-most-appropriate-way-to-store-user-settings-in-android-application

Fix the permissions first and then it's up to you how you store the other 
information. 

Original comment by antitree on 7 Oct 2011 at 6:46

GoogleCodeExporter commented 8 years ago
Could the file be encrypted by a master password (on every login), like VPN?

Original comment by kdman...@gmail.com on 28 Nov 2011 at 3:02

GoogleCodeExporter commented 8 years ago

Original comment by max.c...@gmail.com on 18 Jan 2012 at 6:20