Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SDK audit] Recommendations: 4.2.1 (SDK) Make it obvious that plaintext connections are not possible in production releases #1453

Open
HonzaR opened this issue Apr 23, 2024 · 0 comments
Open

[SDK audit] Recommendations: 4.2.1 (SDK) Make it obvious that plaintext connections are not possible in production releases #1453

HonzaR opened this issue Apr 23, 2024 · 0 comments
Labels
security_finding

Comments

@HonzaR
Copy link
Collaborator

HonzaR commented Apr 23, 2024

Is your feature request related to a problem? Please describe.

The following code from ChannelFactory.kt within the SDK is used to determine whether the connection to lightwalletd will be plaintext or TLS.

Describe the solution you'd like

Screenshot 2024-04-23 at 13 33 19

As an added safeguard, the branch of code that uses a plaintext connection should additionally check that the app was built for testing or debugging, i.e. that it is not a production release of the app. By adding a check to the code here, it will be more obvious that the released app can never use an insecure connection.

Alternatives you've considered

Additional context
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security_finding
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@HonzaR