App doesn't show any warning on connecting with PC by USB (High Priority)

[iamsh4shank]

The app doesn't show any warning or ask for any password if the user connects it with the PC through USB, as there would be the chance of decompiling the app via ADB shell and hacker can apply reversing techniques to alter the various personal credentials which would result in privacy threat or any other crucial threat.

[iamareebjamal]

What would a warning do? What would a password do? It'd not stop any "attacker" from running any commands on ADB. ADB doesn't require app to be open on the device. And if someone is attempting to connect the devices through USB, warning would only be shown to them, so it'll be useless

[iamsh4shank]

@iamareebjamal like in google pay app you can't connect the phone with PC if your google pay is on. We can do something like that to stop privacy leak.

[iamareebjamal]

How will that prevent privacy leak? The data stored will still be accessible through ADB. In Google Pay, they do this to prevent automation and bots. If it is in some way an issue in Aarogya Setu, then yes, there should be a way to prevent it, but it won't stop any privacy leak AFAIK

[iamsh4shank]

Yeah sorry for mentioning privacy leak if connecting via USB but there is a issue for the automation.

[adityaruplaha]

I don't see any need of doing that, source code is public anyways now.

[aravindvnair99]

The app doesn't show any warning or ask for any password if the user connects it with the PC through USB, as there would be the chance of decompiling the app via ADB shell and hacker can apply reversing techniques to alter the various personal credentials which would result in privacy threat or any other crucial threat.

@robustTechie Detecting is simple with just:

Settings.Global.getInt(context.getContentResolver(), Settings.Global.ADB_ENABLED, 0);

But I see no need for it. If ADB or ADB root is enabled, it's the user enabling it on his or her own. Android by default shows a warning when turning on ADB. There's a notification when USB debugging is active as well. Also, ADB is a useful tool for debugging and for getting logs. So I don't see the point of showing an extra notification. Also, I don't see a sign of a privacy leak or automation attack either. @delhiamitk I think this issue can be closed.

@iamareebjamal like in google pay app you can't connect the phone with PC if your google pay is on. We can do something like that to stop privacy leak.

@robustTechie Out of curiosity, I just tried opening Google Pay with ADB and ADB root. I don't see any warning or popups thrown by Google Pay. Could you show me a screenshot?

[iamsh4shank]

Ok I am closing this issue then

[pallav12]

Hey @robustTechie , I think it's the most crucial issue out of all 171 issues from the security point of view. Adding a simple check of BuildConfig.DEBUG will allow developers to develop. Users should be forced to switch to charge only while using the release version.

[aravindvnair99]

Hey @robustTechie , I think it's the most crucial issue out of all 171 issues from the security point of view. Adding a simple check of BuildConfig.DEBUG will allow developers to develop. Users should be forced to switch to charge only while using the release version.

@pallav12 What if the user wants to take a logcat? A user obviously wouldn't want to compile an app each time. They need simplicity.

[pallav12]

He will be able to connect USB and file transfer in DEBUG mode but will be restricted in release mode. No one should be allowed to download apk From play store and connect USB in file transfer. Also built in abstraction over logs is such that logs are only available in debug mode.

[iamareebjamal]

Still no info on how will it be restricted in release mode and how will it prevent any kind of leak 🤷‍♂️

[adityaruplaha]

Hey @robustTechie , I think it's the most crucial issue out of all 171 issues from the security point of view. Adding a simple check of BuildConfig.DEBUG will allow developers to develop. Users should be forced to switch to charge only while using the release version.

@pallav12 I see no point in doing that? What is the problem if a user reverses the Release build and accesses files, while they can see the source code anyways?

[pallav12]

Still no info on how will it be restricted in release mode and how will it prevent any kind of leak 🤷‍♂️

How to do it is irrelevant right now, since they aren't accepting any PRs. Any brute force attack, API hooking, Code tempering is done either on an emulator or on a real device on developers mode. If we try to prevent both then it'll add additional layer of friction for hackers.

Hey @robustTechie , I think it's the most crucial issue out of all 171 issues from the security point of view. Adding a simple check of BuildConfig.DEBUG will allow developers to develop. Users should be forced to switch to charge only while using the release version.

@pallav12 I see no point in doing that? What is the problem if a user reverses the Release build and accesses files, while they can see the source code anyways?

I'm not sure if I'm 100% clear, How can anyone reverse release build? they don't have endpoints, endpoints are secured by Keystore on play store.

[pallav12]

All of this is irrelevant

[iamareebjamal]

Exactly, this discussion is irrelevant and there is no point in restricting apps on emulators or restrict ADB (which you can't)

Still not a single comment on what actually can be leaked, or how and why should ADB be restricted.

Any brute force attack, API hooking, Code tempering

Brute force to do what? API hooking can still be done by decompiling and recompiling. It's code tampering, not tempering and still can be done by decompiling and recompiling.

Whatever you are suggesting is security by obscurity which doesn't increase security by 1 iota and just increase a false sense of security