1.2.0 Immuniweb Security Scan Results

The attached scans were generated for the 1.2.0 b2 builds for Android and iOS.


Summary

  • iOS: 1st time scan.

    • 1 High Risk issue identified by the scan. This is not a 1.2.0 regression but has existed since 1.1.1 at least. SAF-818 raised.

    • Also 1 Medium Risk issue. Not a regression, not a priority.

  • Android: last scan was Safe Paths 0.9.2.

    • No High Risk issues.

    • 5 Medium Risk issues. One minor regression vs. 0.9.2 (a new instance of one of these). SAF-819 raised. Not yet known if this is a regression vs. 1.1.4, though we suspect not.

    • Another longstanding issue regarding unexpected traffic sent to Youtube & Google. SAF-820 raised.

Analysis - iOS

As far as we know, we had not run this iOS Scan previously.

However to provide a reference, we have just run the same scan over an IPA file from 1.1.1b2 (June 24), which is attached:

The headline of the 1.2.0 scan shows the following assessment vs. the OWASP Top 10.

The 1.1.1b2 scan shows that exactly the same issues were present in that version, so these vulnerabilities are not regressions.

We should investigate the High Risk vulnerability, and SAF-818 has been raised for this. However, since this is not a regression, it is not a blocker for 1.2.0.

Analysis - Android


We had previously run Android scans, as far back as 27 March (on Private Kit). This scan can be found here:
https://github.com/tripleblindmarket/private-kit/files/4391596/pv.27.mar.2020.pdf

(see also this GitHub issue: https://github.com/Path-Check/covid-safe-paths/issues/232 )

We also have a scan from the 0.9.2 version of the Safe Paths app (linked in comments in that GitHub issue, but also duplicated here:)


The 27 March scan only includes static analysis (OWASP Top 10 assessment). The 0.9.2 and 1.2.0b2 scans also include some dynamic testing:

  • Mobile Application Behaviour

  • Software Composition Analysis

  • Mobile App External Communications.

Each of these is assessed below.

OWASP Top 10

We have 5 Medium Risk items.


4 of these are identical to the issues flagged in the 27 March Private Kit scan.

1 of them was introduced by the 0.9.2 version of COVID Safe Paths.

Within that, just this section is new since 0.9.2.

The following files using Plain Text databases were also present in 0.9.2 Safe Paths:

  • logback.db

  • RKStorage

  • cordova_bg_geolocation.db

Given that our main Realm database is encrypted, and we have a security principle that data is encrypted at rest, it is important that we understand what is stored in these plain text databases and confirm that there is no risk of leakage of sensitive data.

SAF-819 raised to cover this.
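As an added example to support the SAF-819 investigation (not part of this report or the Safe Paths code base), the script below walks a directory of files pulled from the app's data area, flags any file carrying the unencrypted SQLite header, and lists columns in those plain-text databases whose names suggest location or credential data. The sample data area, the `.realm` stand-in file and the SENSITIVE_HINTS list are constructed assumptions for the demonstration.

```python
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # header of every unencrypted SQLite file
# Column-name fragments that contradict "encrypted at rest" if found in plain text (assumed list).
SENSITIVE_HINTS = ("lat", "lon", "location", "geo", "token", "key", "secret")

def classify_file(path):
    """'plaintext-sqlite' if the file carries the SQLite header, else 'not-sqlite'."""
    with open(path, "rb") as f:
        return "plaintext-sqlite" if f.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC else "not-sqlite"

def sensitive_columns(db_path):
    """(table, column) pairs in a plain-text SQLite DB whose names look sensitive."""
    hits = []
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)  # read-only: never alter evidence
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            for col in con.execute(f'PRAGMA table_info("{table}")'):
                if any(h in col[1].lower() for h in SENSITIVE_HINTS):
                    hits.append((table, col[1]))
    finally:
        con.close()
    return hits

def audit_directory(root):
    """Map each file name under root to (classification, sensitive columns found)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            kind = classify_file(path)
            report[fn] = (kind, sensitive_columns(path) if kind == "plaintext-sqlite" else [])
    return report

def build_sample_dir():
    """Constructed sample data area: a plain-text geolocation DB plus an opaque blob."""
    d = tempfile.mkdtemp()
    con = sqlite3.connect(os.path.join(d, "cordova_bg_geolocation.db"))
    con.execute("CREATE TABLE location (id INTEGER, latitude REAL, longitude REAL, ts INTEGER)")
    con.commit()
    con.close()
    with open(os.path.join(d, "default.realm"), "wb") as f:
        f.write(os.urandom(256))  # stands in for an encrypted Realm file (random bytes)
    return d

if __name__ == "__main__":
    for name, (kind, cols) in audit_directory(build_sample_dir()).items():
        print(name, kind, cols)
```

A hit only shows that a sensitive-looking column exists in plain text; the next step is to confirm whether the rows actually hold sensitive values or only cache or log data.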


Note that there are also a series of Low Risk and Warning items. We should investigate these as well, but at a lower priority. Tickets have not yet been raised for these.

Mobile Application Behavior

The Dynamic Analysis identified significant external traffic, including traffic to sites such as www.youtube.com, www.googleadservices.com and pagead2.googlesyndication.com.

There were a total of 6 traffic destinations in 1.2.0 (of which 1, to rawcdn.githack.com, is expected).

This is an improvement on 0.9.2, where there were 36 such traffic destinations. However, 5 of the 6 remaining traffic targets are still unexpected and merit investigation.

SAF-820 raised to cover this.

Details as follows:


Software Composition Analysis

This shows the diffs in software components between 0.9.2 and 1.2.0.

We will ask the Development team to review this to confirm there is nothing unexpected here.

Mobile App External Communications

There are several unexpected targets in Mobile App External Communications.

A comparison with the 0.9.2 report shows that only two of these are new, and we believe that both are expected (we will confirm with the Dev team):

  • raw.githubusercontent.com

  • rawcdn.githack.com

The others were in 0.9.2 as well. These were analyzed under https://github.com/Path-Check/covid-safe-paths/issues/232, and we drew the following conclusions:

The link to mindprod.com comes from apktool. There are some forks of apktool that have removed this, e.g. iBotPeaches/Apktool#1166, and we could consider moving to one of these.

The other links (facebook, twitter, pinterest, youtube) come from https://github.com/react-native-community/react-native-share.

I believe that this is used for Local Download of JSON data. That function is no longer intended to be used by end users (we have a secure share for location data now), but the function is still useful for diagnostic purposes, and is included under a feature flag.

In all cases there don’t appear to be any security issues, just issues of optics. Therefore I am not raising any tickets for these issues.