User profile information leaked to (essentially) every other app on Android #9

Open
jbash opened this issue May 19, 2019 · 1 comment

@jbash
commented May 19, 2019

The Tok app creates a directory on shared storage and adds subdirectories named after user profiles. That in itself tells every app with "storage" permission (which is practically every damned app on Android these days) that Tok is installed, and gives away all the user's profile names. It looks like it puts stuff like avatars (probably the user's picture!) in there too.

An app like this should never, ever, put anything outside of its own private storage without explicit, knowing direction from the user. Nor, for that matter, should it ask for storage permission at all until the user actually tells it to use shared storage for something specific. Android shared storage is a dumpster fire.

@prdTok

This comment has been minimized.

commented May 20, 2019

The issue you're talking about exists and is important; that's what we're going to do next to keep the privacy Device-to-Device, after ensuring the security of transmission.

@prdTok prdTok added the enhancement label May 20, 2019
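
As an illustration of the fix the report asks for, the sketch below keeps per-profile data in app-private storage, which other apps cannot list and which needs no storage permission. It is an added example, not Tok's code: the class name, method names, the `profiles` directory, the `avatar.png` file name and the `legacySharedDir` argument are all assumptions.

```java
import android.content.Context;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

// Added example; every name here is hypothetical, not taken from the Tok code base.
public final class PrivateProfileStore {
    private final File root;

    public PrivateProfileStore(Context context) {
        // getFilesDir() is inside the app's sandbox: other apps cannot list or
        // read it, and using it requires no storage permission.
        this.root = new File(context.getFilesDir(), "profiles");
    }

    /** Returns (creating it if needed) the private directory for one profile. */
    public File profileDir(String profileName) throws IOException {
        File dir = new File(root, profileName);
        // Reject names such as "../x" or "" that resolve outside the profile root.
        if (!root.getCanonicalFile().equals(dir.getCanonicalFile().getParentFile())) {
            throw new IOException("invalid profile name");
        }
        if (!dir.isDirectory() && !dir.mkdirs()) {
            throw new IOException("cannot create " + dir);
        }
        return dir;
    }

    /** Stores the avatar next to the rest of the profile, never on shared storage. */
    public void saveAvatar(String profileName, byte[] imageBytes) throws IOException {
        File target = new File(profileDir(profileName), "avatar.png");
        try (FileOutputStream out = new FileOutputStream(target)) {
            out.write(imageBytes);
        }
    }

    /**
     * Deletes a directory tree that an older build left on shared storage.
     * The caller supplies the legacy location; it is not known from the report.
     */
    public static boolean deleteLegacySharedDir(File legacySharedDir) {
        File[] children = legacySharedDir.listFiles();
        if (children != null) {
            for (File child : children) {
                deleteLegacySharedDir(child);
            }
        }
        return legacySharedDir.delete();
    }
}
```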
