xmikos / SnooperStopper

Android device encryption password manager and failed unlock attempts monitor
GNU General Public License v3.0

This app has the KnownVuln Antifeature... #23

Open Kamul-PL opened 7 years ago

Kamul-PL commented 7 years ago

Hello! I've noticed on the page https://f-droid.org/wiki/page/cz.eutopia.snooperstopper the information: This app has the KnownVuln Antifeature. What exactly does it mean? Does SnooperStopper have some discovered vulnerabilities?

xmikos commented 7 years ago

Hello,

I don't know about any vulnerability and nobody from F-Droid notified me about this :-/ Maybe they are flagging all apps that use Device Admin privilege and/or need root access? I will try to ask them...

xmikos commented 7 years ago

Looking at the F-Droid wiki app page for SnooperStopper, the DisabledAlgorithm Antifeature is also listed there, which is explained as:

Since April 2017, APK signatures that use MD5 are no longer considered valid, jarsigner and apksigner will return an error when verifying.

But I cannot resolve this by myself; F-Droid builds and signs the APKs themselves. I have my own F-Droid repository (with APKs signed by me) at https://fdroid.eutopia.cz/

licaon-kter commented 7 years ago

It's WIP so far, more info here: https://gitlab.com/fdroid/fdroidclient/issues/1070

Kamul-PL commented 7 years ago

@xmikos: I supposed it could be a false positive. If you learn more, please tell us the reason.

@licaon-kter: Could you write in a few words what it really means? Should I be worried about that, or should I simply ignore it?

licaon-kter commented 7 years ago

From the link:

Right now the server tools support looking for apps which compile against an old and known vulnerable version of OpenSSL. In the future, we can improve this scanning on the server to find apps with other vulnerabilities. (eg. track a CVE-xxxx if applicable)

Basically, the UI part was done since it's simpler, everything else is open to discussion there.

The MD5 part can be solved by disabling the last build, waiting for an F-Droid refresh (Ciaran Gultnieks committing "Stats, etc" and "Update known apks"), then enabling it again. I'll do that after I can confirm the app builds ok locally.

@Kamul-PL I'm not seeing the warning in 1.0-alpha1, but the last build is pretty old so it's probably the MD5 signature issue.

cannycartographer commented 6 years ago

Hi, I also came here via F-droid. The wiki page as I understand it says that this is about OpenSSL:

"uses a version of OpenSSL that has known vulnerabilities update the app to OpenSSL 1.0.2f/1.0.1r or higher. For more info, see How to address OpenSSL vulnerabilities in your apps"

Page here: https://f-droid.org/wiki/page/AntiFeature:KnownVuln

I think the issue discussed above is separate and marked as 'disabled algorithm'

But I'm not sure - don't really understand why snooperstopper would need openssl?

Cheers for the app!
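To make the two flags discussed in this thread concrete, here is an added Python example of my own (not F-Droid's server tooling and not code from SnooperStopper) that approximates both checks over an APK file: it looks for MD5 in the v1 (JAR) signature block OIDs and in the manifest digest attributes, which is what the DisabledAlgorithm note quoted above is about, and it looks for OpenSSL version banners in bundled native libraries and compares them against the 1.0.2f / 1.0.1r thresholds quoted from the KnownVuln wiki page. The APK is a constructed in-memory zip containing only the members the checks inspect; the OID substring matching and the version regex are heuristics I chose, not the way F-Droid's scanner is implemented.

```python
"""Offline checks that approximate the two F-Droid antifeatures discussed above.
Added example; not F-Droid's scanner and not part of SnooperStopper."""
import io
import re
import zipfile

# DER-encoded PKCS#1 signature-algorithm OIDs found in v1 (JAR) signature
# blocks, META-INF/*.RSA. md5WithRSAEncryption (1.2.840.113549.1.1.4) is the
# one jarsigner/apksigner stopped accepting in April 2017.
SIGNATURE_OIDS = {
    b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04": "md5WithRSAEncryption",
    b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05": "sha1WithRSAEncryption",
    b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b": "sha256WithRSAEncryption",
}
# Digest attribute prefix in MANIFEST.MF / *.SF, e.g. "MD5-Digest:" or "SHA-256-Digest-Manifest:".
DIGEST_ATTR_RE = re.compile(r"^([A-Za-z0-9]+(?:-\d+)?)-Digest", re.MULTILINE)
# Version banner libcrypto embeds, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
OPENSSL_RE = re.compile(rb"OpenSSL (\d)\.(\d)\.(\d)([a-z]?)")


def _entries(apk_bytes, prefix, suffixes):
    """Yield (name, content) for zip members under prefix ending in one of suffixes."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith(prefix) and name.upper().endswith(suffixes):
                yield name, z.read(name)


def signature_algorithms(apk_bytes):
    """Algorithm names whose OIDs appear in each v1 signature block.
    Substring matching over the DER blob is a heuristic, not an ASN.1 parse."""
    found = {}
    for name, blob in _entries(apk_bytes, "META-INF/", (".RSA", ".DSA", ".EC")):
        found[name] = [label for oid, label in SIGNATURE_OIDS.items() if oid in blob]
    return found


def manifest_digests(apk_bytes):
    """Digest algorithm prefixes used in META-INF/MANIFEST.MF and *.SF (e.g. {'SHA-256'})."""
    names = set()
    for _, blob in _entries(apk_bytes, "META-INF/", (".MF", ".SF")):
        names.update(DIGEST_ATTR_RE.findall(blob.decode("utf-8", "replace")))
    return names


def uses_md5_signature(apk_bytes):
    """True if either the signature block or the manifests rely on MD5."""
    sig_md5 = any("md5" in a.lower() for algs in signature_algorithms(apk_bytes).values() for a in algs)
    return sig_md5 or "MD5" in manifest_digests(apk_bytes)


def openssl_versions(apk_bytes):
    """Map each bundled native library to the OpenSSL version banners found inside it."""
    result = {}
    for name, blob in _entries(apk_bytes, "lib/", (".SO",)):
        versions = sorted({m.group(0).decode() for m in OPENSSL_RE.finditer(blob)})
        if versions:
            result[name] = versions
    return result


def openssl_is_outdated(banner):
    """Apply the thresholds quoted from the F-Droid wiki: below 1.0.2f or 1.0.1r is flagged."""
    m = OPENSSL_RE.match(banner.encode())
    release = (int(m[1]), int(m[2]), int(m[3]))
    patch = m[4].decode()          # single-letter suffix; '' is the unpatched release
    if release == (1, 0, 1):
        return patch < "r"
    if release == (1, 0, 2):
        return patch < "f"
    return release < (1, 0, 1)     # 1.0.0 and older: flagged; 1.1.x and newer: not


def audit(apk_bytes):
    """Antifeature labels, as the page describes them, that would apply to this APK."""
    labels = []
    if uses_md5_signature(apk_bytes):
        labels.append("DisabledAlgorithm")
    if any(openssl_is_outdated(v) for vs in openssl_versions(apk_bytes).values() for v in vs):
        labels.append("KnownVuln")
    return labels


def build_sample_apk(md5_signed, openssl_version):
    """Constructed stand-in for an APK: a zip holding only the members the checks inspect."""
    digest = "MD5-Digest" if md5_signed else "SHA-256-Digest"
    sig_oid = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01" + (b"\x04" if md5_signed else b"\x0b")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\n\r\nName: classes.dex\r\n{digest}: QUJD\r\n")
        z.writestr("META-INF/CERT.SF", f"Signature-Version: 1.0\r\n{digest}-Manifest: REVG\r\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x80" + sig_oid + b"\x00" * 16)  # not real DER, constructed
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("lib/armeabi-v7a/libcrypto.so",
                   b"\x7fELF" + bytes(8) + f"OpenSSL {openssl_version} 11 Feb 2013\x00".encode())
    return buf.getvalue()


if __name__ == "__main__":
    for md5, ver in ((True, "1.0.1e"), (False, "1.0.2f")):
        print(f"md5_signed={md5} openssl={ver}: {audit(build_sample_apk(md5, ver))}")
```

Run against a real APK, `audit(open("app.apk", "rb").read())` reports which of the two labels the heuristics would raise; for a definitive answer on the signature the authoritative tool is still `apksigner verify --verbose`, since the OID scan does not parse the PKCS#7 structure and v2/v3 signature schemes live outside META-INF altogether.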

DJCrashdummy commented 6 years ago

I assume this issue is solved, because the antifeature flags are gone in the F-Droid client, so everything is/seems fine to me... BUT the only thing which confuses me is that in the wiki both anti-flags are still there?!? :confused:

cannycartographer commented 6 years ago

I've just been looking using the client and the flags are still there for me...

licaon-kter commented 6 years ago

Not sure why one would think this was fixed when the last build was in 2016-03 ?!

DJCrashdummy commented 6 years ago

I incidentally wrote with an F-Droid developer about this topic and he explained that the wiki shows all flags collected for all versions, and the client only those for the latest/suggested.

the interesting part started here: https://gitlab.com/fdroid/fdroiddata/merge_requests/2658#note_47478332

@nickmdowson maybe try to clear the index by disabling all repos, and then enabling them again. - I also had to do this some time ago because F-Droid got "confused"... this can happen especially if you already used F-Droid for a long time, and also the index got changed around the 1.0 version, as I read somewhere...

@licaon-kter more or less I just confirmed (and interpreted) what you already said in your https://github.com/xmikos/SnooperStopper/issues/23#issuecomment-327034437:

I'm not seeing the warning in 1.0-alpha1,...

cannycartographer commented 6 years ago

Hmm, no, that doesn't explain it - I installed F-droid yesterday!
