
FVP-02-010 WP5: Android app supports insecure v1 signature #805

Closed
bakulf opened this issue Apr 7, 2021 · 0 comments · Fixed by #817
Labels
p3 Low Criticality Issues
Comments

bakulf (Collaborator) commented Apr 7, 2021

The discovery was made that the provided Android staging and production builds are signed with an insecure v1 APK signature. Using the insecure v1 signature makes the app prone to the known Janus vulnerability on devices running Android < 7. The problem lets attackers smuggle malicious code into the APK without breaking the signature. At the time of writing, the app supports a minimum SDK of 21 (Android 5), which only uses the v1 signature and is, hence, vulnerable to this attack.

The existence of this flaw means that attackers could trick users into installing a malicious attacker-controlled APK which matches the v1 APK signature of the Mozilla VPN Android application. As a result, a transparent update would be possible without warnings appearing in Android, effectively taking over the existing application and all of its data. It is recommended to increase the minimum supported SDK level to at least 24 (Android 7) to ensure that this known vulnerability cannot be exploited on devices running older Android versions. In addition, the production builds should only be shipped with v2 and v3 APK signatures.

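As an added example (not from the issue or the Mozilla VPN build), a POSIX shell check that parses `apksigner verify --verbose` output and fails when a release APK still carries a v1 (JAR) signature or lacks a v2/v3 signature; the function names and the sample outputs below are constructed, and `apksigner` from the Android SDK build-tools is assumed to be on PATH for a real run.

```shell
#!/bin/sh
# Added example: enforce the finding's signing policy (no v1, v2 and/or v3
# present) on a built APK by inspecting apksigner's verbose report.

# Extract "true"/"false" from apksigner's "Verified using vN scheme ...: X" line.
# Usage: scheme_verified <N> < apksigner-output
scheme_verified() {
    grep "^Verified using v$1 scheme" | sed 's/.*: //' | tr -d '\r'
}

# Return 0 when only modern schemes are used (no v1, at least v2 or v3),
# 1 otherwise (legacy JAR signing present, or no modern scheme found).
signing_policy_ok() {
    out="$1"
    v1=$(printf '%s\n' "$out" | scheme_verified 1)
    v2=$(printf '%s\n' "$out" | scheme_verified 2)
    v3=$(printf '%s\n' "$out" | scheme_verified 3)
    [ "$v1" != "true" ] || return 1           # v1 (JAR) signature must be absent
    [ "$v2" = "true" ] || [ "$v3" = "true" ]   # and a v2 or v3 signature present
}

# Real-world entry point: audit_apk app-release.apk
audit_apk() {
    out=$(apksigner verify --verbose "$1") || return 1
    signing_policy_ok "$out"
}

# Constructed sample reports in the format apksigner prints with --verbose.
V1_ONLY='Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): false
Verified using v3 scheme (APK Signature Scheme v3): false
Number of signers: 1'

V2_V3_ONLY='Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Number of signers: 1'
```

Note that apksigner refuses to verify an APK whose minSdkVersion is below 24 when only v2/v3 signatures are present, since pre-Nougat devices cannot check those schemes, which is why the finding's two recommendations (raise minSdk to 24, drop v1) go together.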

@bakulf bakulf added p3 Low Criticality Issues audit-issue labels Apr 7, 2021
@bakulf bakulf modified the milestone: v2.2 Apr 9, 2021