zoho / salesiq-mobilisten-android-sample

Sample App to integrate SalesIQ Android SDK (Mobilisten)
https://mobilisten.io/

Security issues #38

Closed mr-africa closed 4 months ago

mr-africa commented 2 years ago

Hello!

My company bought a subscription to a security analysis platform. I scanned our Android application that uses the salesiq plugin and it found a lot of security issues. I suppose some of them are false positives, but kindly check it please. This service has a very unpleasant interface, so I may have missed something in the copy/paste process.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description: This database query contains a SQL injection flaw. The call to android.content.ContentResolver.update() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The second argument to update() contains tainted data. The tainted data originated from an earlier call to java.net.HttpURLConnection.getInputStream. Remediation: Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.

Affected files

com\zoho\livechat\android\provider\CursorUtility.java

com\zoho\livechat\android\ui\fragments\ChatFragment.java

com\zoho\livechat\android\api\JoinProActiveChat.java

com\zoho\livechat\android\utils\LDPEXUtil.java

com\zoho\livechat\android\utils\LiveChatUtil.java

com\zoho\livechat\android\api\ReOpen.java

Improper Output Neutralization for Logs

Description: This call to android.util.Log.i() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The second argument to i() contains tainted data from the variable p0. The tainted data originated from earlier calls to java.net.HttpURLConnection.getInputStream, java.net.HttpURLConnection.getErrorStream, and android.widget.EditText.getText.

Remediation: Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.

Affected files

com/zoho/livechat/android/utils/LiveChatUtil.java

LiveChatUtil.java: 2486

Insertion of Sensitive Information Into Sent Data

Description: The application calls the java.util.zip.GZIPOutputStream.write() function, which will result in data being transferred out of the application (via the network or another medium). This data contains sensitive information. The first argument to write() contains potentially sensitive data. The potentially sensitive data originated from an earlier call to java.io.File.!ctor. The potentially sensitive data is directed into an output stream returned by javax.net.ssl.HttpsURLConnection.getOutputStream, java.net.HttpURLConnection.getOutputStream, and java.io.File.!ctor.

Remediation: Ensure that the transfer of the sensitive data is intended and that it does not violate application security policy. This flaw is categorized as low severity because it only impacts confidentiality, not integrity or availability. However, in the context of a mobile application, the significance of an information leak may be much greater, especially if misaligned with user expectations or data privacy policies.

Affected files

com/zoho/livechat/android/ui/fragments/ChatFragment.java

com\zoho\livechat\android\api\ChatTranscriptEmailExport.java

com\zoho\livechat\android\api\ChatTransfer.java

com\zoho\livechat\android\api\CloseChat.java

com\zoho\livechat\android\utils\FileDownload.java

com/zoho/livechat/android/utils/FileUpload.java

com\zoho\livechat\android\api\GDPRTranslationConsent.java

com\zoho\livechat\android\utils\GetArticles.java

com\zoho\livechat\android\utils\GetVisitorTranscriptUtil.java

com/zoho/livechat/android/utils/LiveChatUtil.java

com\zoho\livechat\android\ui\adapters\viewholder\MessagesLocationViewHolder.java

com\zoho\livechat\android\api\MissedVisitor.java

com\zoho\livechat\android\image\MobilistenImageUtil.kt

com\zoho\livechat\android\api\PredictMessageStatus.java

com\zoho\livechat\android\api\ReOpen.java

com\zoho\livechat\android\operation\SalesIQApplicationManager.java

com\zoho\livechat\android\api\SendMessage.java

com\zoho\livechat\android\api\SendVisitorFeedBack.java

com\zoho\livechat\android\utils\VoteApiUtil.java

com/zoho/livechat/android/utils/VoteApiUtil.java

com\zoho\livechat\android\messaging\wms\common\websocket\WebSocketV13.java

com\zoho\livechat\android\ZohoLiveChat.java

Cleartext Storage of Sensitive Information

Description: The apply() method stores sensitive information in unencrypted form, making the data more susceptible to compromise. Generally an attacker needs local access to the system in order to exploit this type of flaw, but if the application is running on a mobile device, files and other resources might be synchronized off the device to locations where they may be compromised through other means.

Remediation: Store all sensitive information in encrypted form.

Affected files

com/zoho/livechat/android/utils/LiveChatUtil.java

Insufficient Entropy

Description: Standard random number generators do not provide a sufficient amount of entropy when used for security purposes. Attackers can brute force the output of pseudorandom number generators such as rand().

Remediation: If this random number is used where security is a concern, such as generating a session key or session identifier, use a trusted cryptographic random number generator instead. These can be found on the Windows platform in the CryptoAPI or in an open source library such as OpenSSL. In Java, use the SecureRandom object to ensure sufficient entropy.

Affected files

com\zoho\livechat\android\utils\LiveChatUtil.java

com/zoho/livechat/android/NotificationService.java

com\zoho\livechat\android\messaging\wms\common\websocket\WebSocketQueryV13.java

com\zoho\livechat\android\messaging\wms\common\websocket\WebSocketV13.java

Improper Resource Shutdown or Release

Description: The program fails to release or incorrectly releases the variable br1, which was previously allocated by a call to java.io.BufferedReader.!operator_javanewinit().

Remediation: Ensure that all code paths properly release this resource.

Affected files

com\zoho\livechat\android\api\AutoCompleteZohoMaps.java

com\zoho\livechat\android\api\ChatTranscriptEmailExport.java

com\zoho\livechat\android\api\ChatTransfer.java

com\zoho\livechat\android\utils\ClearNotification.java

com\zoho\livechat\android\api\CloseChat.java

com\zoho\livechat\android\utils\FileDownload.java

com\zoho\livechat\android\utils\FileUpload.java

com\zoho\livechat\android\api\GDPRTranslationConsent.java

com\zoho\livechat\android\api\GetAndroidChannel.java

com\zoho\livechat\android\api\GetAppStatus.java

com\zoho\livechat\android\utils\GetArticleCategories.java

com\zoho\livechat\android\utils\GetArticleCSSUtil.java

com\zoho\livechat\android\utils\GetArticleInfoUtil.java

com\zoho\livechat\android\utils\GetArticles.java

com\zoho\livechat\android\utils\GetConversationsUtil.java

com\zoho\livechat\android\api\GetFormConfiguration.java

com\zoho\livechat\android\comm\GetLocationSuggestions.java

com\zoho\livechat\android\utils\GetVisitorTranscriptUtil.java

com\zoho\livechat\android\api\GetWmsIdDetails.java

com\zoho\livechat\android\comm\JoinChat.java

com\zoho\livechat\android\api\JoinProActiveChat.java

com\zoho\livechat\android\api\LeaveMessage.java

com\zoho\livechat\android\api\MissedVisitor.java

com\zoho\livechat\android\api\PredictMessageStatus.java

com\zoho\livechat\android\api\QueuePosition.java

com\zoho\livechat\android\utils\RegisterUtil.java

com\zoho\livechat\android\api\ReOpen.java

com\zoho\livechat\android\utils\RequestLogUtil.java

com\zoho\livechat\android\utils\SearchArticlesUtil.java

com\zoho\livechat\android\comm\SendFormMessageAPI.java

com\zoho\livechat\android\api\SendMessage.java

com\zoho\livechat\android\api\SendVisitorFeedBack.java

com\zoho\livechat\android\api\UserTypingStatus.java

com\zoho\livechat\android\utils\WavAudioRecorder.java

Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

Description: An explicitly weaker protocol is used as the channel encryption protocol. This downgrade to a weaker protocol could make it easier for attackers to compromise the system.

Remediation: Based on the implementation used, make sure the channel communication is over at least the TLS protocol, TLS 1.2 being the most secure option.

Affected files

com\zoho\livechat\android\messaging\wms\common\websocket\WebSocketQueryV13.java
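The remediations the scanner recommends for three of these findings (CRLF-neutralized logging for the Log.i() case, SecureRandom instead of a standard PRNG, and a BufferedReader that is released on every code path), written as an added example that is not part of this issue or of the Mobilisten SDK. It assumes a plain JVM, uses System.out in place of android.util.Log.i, and the tainted response string is constructed.

```java
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

public class ScannerRemediations {
    // Log forging: neutralize CR/LF and other control characters before the value
    // reaches the logger, so tainted server data cannot start a forged log entry.
    static String sanitizeForLog(String untrusted) {
        if (untrusted == null) return "null";
        StringBuilder sb = new StringBuilder(untrusted.length());
        for (char c : untrusted.toCharArray()) {
            if (c == '\r') sb.append("\\r");
            else if (c == '\n') sb.append("\\n");
            else if (c < 0x20 || c == 0x7f) sb.append(String.format("\\x%02x", (int) c));
            else sb.append(c);
        }
        return sb.toString();
    }
    // Insufficient entropy: identifiers used for security come from SecureRandom,
    // not java.util.Random; 16 bytes = 128 bits, URL-safe Base64 without padding.
    static final SecureRandom RNG = new SecureRandom();
    static String secureToken() {
        byte[] buf = new byte[16];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }
    // Improper resource release: try-with-resources closes the BufferedReader on
    // every path, including when readLine() throws, unlike a manual close().
    static String readResponse(InputStream in) throws IOException {
        try (BufferedReader br = new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8))) {
            StringBuilder sb = new StringBuilder();
            for (String line; (line = br.readLine()) != null; ) sb.append(line);
            return sb.toString();
        }
    }
    public static void main(String[] args) throws IOException {
        // Constructed tainted response that tries to inject a second, fake log line.
        String tainted = "hello\r\nINFO: visitor authenticated";
        System.out.println("LOG: " + sanitizeForLog(tainted)); // stays on a single line
        System.out.println("token=" + secureToken());
        InputStream body = new ByteArrayInputStream("{\"ok\":true}".getBytes(StandardCharsets.UTF_8));
        System.out.println("body=" + readResponse(body));
    }
}
```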

bhahirathan-mb-11956 commented 2 years ago

Hi @mr-africa,

Thank you for reaching out to us. We are validating the reported issues as a high priority. We will update you in this thread once we address the issues.

Regards,
Bhahirathan M
Zoho SalesIQ team

bhahirathan-mb-11956 commented 4 months ago

Hi @mr-africa,

Thanks for your patience. We have made the necessary changes for the important cases in the current latest version, and we are also working on the other low-level cases and will get them fixed in the upcoming releases.

Regards,
Bhahirathan M,
Zoho SalesIQ.