1.2.0 Immuniweb Security Scan Results
The attached scans were generated for the 1.2.0 b2 builds for Android and iOS.
Summary
iOS: 1st time scan.
1 High Risk issue identifed by the scan. This is not a 1.2.0 regression but exised since 1.1.1 at least. SAF-818 raised.
Also 1 Medium Risk issue. Not a regression, not a priority.
Android: last scan was Safe Paths 0.9.2.
No High Risk issues.
5 Medium Risk issues. One minor regression vs. 0.9.2. (a new instance of one of these). SAF-819 raised. Not yet known if this is a regression vs. 1.1.4, though we suspect nor.
Another longstanding issue regarding unexpected traffic sent to Youtube & Google. SAF-820 raised.
Analysis - iOS
As far as we know, we had not run this iOS Scan previously.
However to provide a reference, we have just run the same scan over an IPA file from 1.1.1b2 (June 24), which is attached:
The headline of the 1,2.0 scan shows the following assessment vs. OWASP Top 10.
The 1.1.1b2 scan shows exactly the same issues were present in that version, so these veulnerabilities are regressions.
We should investigate the High Ridk vulnerability, and SAF-818 has been raised to investigate this. However since this is not a regression, it is not a blocker for 1.2.0.
Analysis - Android
We had previously run Android scans, as far back as 27 March (on Private Kit). This scan can be found here:
https://github.com/tripleblindmarket/private-kit/files/4391596/pv.27.mar.2020.pdf
(see also this GitHub issue: Security Audit Report 27 mar 2020 · Issue #232 · Path-Check/safeplaces-dct-app )
We also have a scan from the 0.9.2 version of the Safe Paths app (linked in comments in that GitHub issue, but also duplicated here:)
The 27 March scan only includes static analysis (OWASP Top 10 assessment). The 0.9.2 scan and 1.2.0b2 scans also include some dynamic testing:
Mobile Application Behaviour
Software Composition Analysis
Mobile App External Communications.
Each of these is assessed below.
OWASP Top 10
We have 5 Medium Risk items
4 of these are identical to the issues flagged in the 27 March Private Kit scan.
1 of them was introduced by the 0.9.2 Version of COVID Safe Paths.
Within that, just this section is new since 0.9.2.
The following files using Plain Text databases were also present in 0.9.2 Safe Paths:
logback.db
RKStorage
cordova_bg_geolocation.db
Given that our main Realm database in encrypted, and we have a security principle that data is encrypted at rest, it’s important that we understand what is stored in these plain text databases, and confirm that there is no risk of leakage of sensitive data.
SAF-819 raised to cover this.
Note that there are also a series of Low Risk, and Warning items. We should investigate these as well, but at a lower priority. Tickets not raised for these yet.
Mobile Application Behavior
The Dynamic Analysis identified significant external traffic, including traffic to sites such as www.youtube.com, www.googleadservices.com and pagead2.googlesyndication.com
There were a total of 6 traffic destinations in 1.2.0 (of which 1, to rawcdn.githack.com is expected).
This is an improvement on 0.9.2 where there were 36 such traffic destinations. However 5 of the 6 remaining traffic targets are still unexpected and merit investigation.
SAF-820 raised to cover this
Details as follows:
Software Composition Analysis
This shows the diffs in software components between 0.9.2 and 1.2.0.
We will ask the Development team to review this to confirm there is nothing unexpected here.
Mobile App External Communications
There are several unexpected targets in Mobile App External Communications.
A comparison with the 0.9.2 report shows that only two of these are new, and we believe that both expected (we will confirm with the Dev team):
raw.githubusercontent.com
rawcdn.githack.com
The others were in 0.9.2 as well. These were analyzed under Security Audit Report 27 mar 2020 · Issue #232 · Path-Check/safeplaces-dct-app and we drew the following conclusions:
The link to mindprod.com comes from apktool. There are some forks of apktool that have removed this - e.g. iBotPeaches/Apktool#1166 and we could consider moving to one of these.
The other links (facebook, twitter, pinterest, youtube) come from GitHub - react-native-share/react-native-share: Social share, sending simple data to other apps.
I believe that this is used for Local Download of JSON data. That function is no longer intended to be used by end users (we have a secure share for location data now), but the function is still useful for diagostic purposes, and is included under a feature flag.
In all cases there don’t appear to be any security issues, just issues of optics. Therefore I am not raising any tickets for these issues.