nextcloud / android

📱 Nextcloud Android app
https://play.google.com/store/apps/details?id=com.nextcloud.client
GNU General Public License v2.0

Security Risk: auto downloading file to device and Google's built in file explorer or any file explorer #223

Open mwpow3ll opened 8 years ago

mwpow3ll commented 8 years ago

Actual behaviour

My Nextcloud application is set up to require a password on start before accessing any data, but when I click on a file, the application is caching the file to the device permanently despite not checking "make this file available offline" in the settings menu. The cached data can then be accessed without a password through Google's integrated file browser found in Settings>Storage>Explore. Android will not allow viewing of the file because it's not within the Nextcloud app, but I can email or text the file to anyone and it can be opened like any other file.

Desired behaviour

The Nextcloud application should have a global setting, "Cache data locally", with each file having their own setting, "make available offline".

  1. If the global setting is disabled, any data downloaded via the Nextcloud application should be stored in RAM ONLY and purged once the application is closed. This global setting, if enabled, would also permanently disallow individual file, "make available offline".
  2. If the global setting is enabled, any data downloaded via the Nextcloud application should be stored locally on the device, as it is now, but purged once the application is closed unless the user sets "make available offline" and then ONLY those files are retained on the device.

Steps to reproduce

  1. Open Nextcloud
  2. Set password required
  3. Click on a file: document, picture, video, whatever
  4. Open Settings>Storage>Explore
  5. Navigate to the Nextcloud folder and find the previously accessed file
  6. Push and hold on the file and select to share
  7. E-mail the file to yourself
  8. View the file

Environment data

Android version: 7.0 nougat (NRD90M)

Device model: Nexus 6P

Stock or customized system: Stock Google Android ROM (NRD90M)

Nextcloud app version: 1.2.0

Nextcloud server version: 9.0.53
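
The retention policy proposed in this report, written out as an added example (it is not part of the issue thread and not Nextcloud's code). The class, method and file names are hypothetical, the cache directory is assumed to be app-private, and item 1 is read as blocking the per-file flag while the global setting is off; RAM-only storage is not modelled, so the purge simply removes whatever is left on disk.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.*;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/** Added illustration; all names here are hypothetical, not Nextcloud code. */
public class OpenedFileCache {
    private final Path cacheDir;         // assumed app-private directory
    private final boolean cacheLocally;  // proposed global "Cache data locally" setting
    private final Set<Path> keptOffline = new HashSet<>(); // per-file "make available offline"

    OpenedFileCache(Path cacheDir, boolean cacheLocally) {
        this.cacheDir = cacheDir;
        this.cacheLocally = cacheLocally;
    }

    /** Per-file flag; refused while the global setting is disabled (item 1). */
    boolean makeAvailableOffline(Path file) {
        if (!cacheLocally) return false;
        return keptOffline.add(file.toAbsolutePath().normalize());
    }

    /** Called when the app closes: delete every file not flagged for offline use. */
    List<Path> purgeOnClose() throws IOException {
        List<Path> removed = new ArrayList<>();
        try (Stream<Path> files = Files.walk(cacheDir)) {
            // Collect first so deletion does not race the directory walk.
            for (Path p : files.filter(Files::isRegularFile).collect(Collectors.toList())) {
                if (!keptOffline.contains(p.toAbsolutePath().normalize())) {
                    Files.delete(p);
                    removed.add(p);
                }
            }
        }
        return removed;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("nc-cache"); // constructed sample data
        Path tax = Files.writeString(dir.resolve("tax-2016.pdf"), "opened once");
        Path pic = Files.writeString(dir.resolve("holiday.jpg"), "kept offline");
        OpenedFileCache cache = new OpenedFileCache(dir, true);
        cache.makeAvailableOffline(pic);
        System.out.println("purged: " + cache.purgeOnClose());
        System.out.println("tax still on disk: " + Files.exists(tax));
        System.out.println("pic still on disk: " + Files.exists(pic));
    }
}
```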

Mythos commented 8 years ago

This is the major issue which prevents me from using the Android app for other stuff than "Instant Upload" images/videos. When I open a file/image (not sharing it) it is permanently available in the Gallery of the phone. For me this completely bypasses the PIN lock of the app, because why should I set up a PIN to protect my data if it is permanently available on the phone anyway? Also I didn't find any option to make files available offline which @mwpow3ll mentioned.

AndyScherzinger commented 8 years ago

Hi @Mythos, as for making files available offline, just long press a file (or several), click the 3-dot menu in the top bar and choose "set as available offline". As for the "open file leads to permanent download", what do you think, @tobiasKaminsky: can we do a check here if PIN is active on the currently used account and then not write the file to disk/cache?

tobiasKaminsky commented 8 years ago

Until now I understood the PIN protection to prevent other people from sharing files or messing with files on the server. I did not think of it as protecting files against other people using the phone. <- this can easily be provided by a screen locker? Something similar would then be needed for e.g. K9 (email client).

I do understand your security constraints but I just never thought of it this way and I am unsure whether the app should support this feature...

Mythos commented 8 years ago

Hi @AndyScherzinger and @tobiasKaminsky thanks for the fast reply. I thought the PIN protection is to prevent unauthorized access, like I lend someone my mobile "because he has to make a call" so he can't access Nextcloud. This is how the PIN works in Dropbox. Also there's no option to disable saving images to the phone. If I open one it'll get saved on the phone and is accessible via the Gallery app of the phone. Dropbox for example only stores it in the RAM or Cache. (I don't know exactly, but it's not visible in any other app)

mwpow3ll commented 8 years ago

@tobiasKaminsky: The idea that the PIN is ONLY to protect against unwanted sharing is flawed. Why would I want ANYONE that has my phone being able to see ANY of the data I have accessed using the Nextcloud application if I set a PIN? What that thought process is akin to is your banking application having a PIN to stop people from accessing your account directly, but then it downloads the banking data to a cached file that anyone can open. For the sake of argument, let's just assume the banking application isn't dumb enough to store account numbers, but do you want anyone being able to open those files and see your current balance, or the last transaction you made to pay off your credit card, or what institutions you have linked to that bank? NO...

This is a major security flaw with the design and use of the application / PIN and it needs to be fixed ASAP.

This is downright dangerous, because some people might be storing tax documents or other personal, private data they wouldn't share on Google Drive, Dropbox, etc, but if they lose their phone, ANYONE could access it if it was previously accessed via the Nextcloud application.

PontusTideman commented 7 years ago

Hi all!

Finally I got time to test Nextcloud out, and I'm not happy with what I've found. :/ Testing it right now locally just to see how it performs, and when I saw that the app is downloading the files to the device I thought this is not correct. Searched and found this topic, and as others are writing, this is not a good behaviour and I think I will stick with Google Drive until this is fixed.

Have tested a lot of different cloud storage, and one thing that's a MUST for me is the ability to preview GIFs and animated JPGs correctly. But not downloading them to the phone as in this case.

How come Google Drive doesn't do it? ;)

AndyScherzinger commented 7 years ago

Hi @kodapaio,

to some extent, or at least for the use cases you mentioned (images), #69 will fix this (still open since it needs a server-side fix too). As for the more general approach, as in don't download & store files that have just been "opened" but not "downloaded", that needs to be discussed with the whole project as to what Nextcloud in general prefers to be the behavior, since this impacts all clients, not just the Android client.

cc: @schiessle @jancborchardt @nickvergessen @LukasReschke @tobiasKaminsky @rullzer

mwpow3ll commented 7 years ago

@AndyScherzinger Can this issue receive an update? Has the discussion you mentioned taken place? Issue #69 does not address the security flaw and this has been an issue for almost a year now.

jancborchardt commented 7 years ago

@LukasReschke mind commenting here?

AndyScherzinger commented 7 years ago

@mwpow3ll waiting for @LukasReschke to comment.

tobiasKaminsky commented 7 years ago

@LukasReschke ping :-)