cure53 Security Audit 2015

Dominik Schürmann edited this page Jan 5, 2017 · 10 revisions

The Security Audit can be downloaded at

All identified vulnerabilities have been discussed with cure53 and fixed in OpenKeychain 3.6. OKC-01-006 has been fixed in 4.2. We will work on two "Miscellaneous Issues" (not vulnerabilities) for a future version of OpenKeychain.

Identified Vulnerabilities

OKC-01-001 Private Keys can be imported from Keyserver (Medium)


OKC-01-004 Arbitrary file write when decrypting and saving messages (High)

Filenames with slashes are rejected


OKC-01-006 Keyserver can send arbitrary Public Keys without Verification (Low)

A comparison of User IDs is difficult to implement because keyservers could, in some circumstances, return User IDs with a broken encoding. We would also need to check revocation status, key size, etc., which introduces a lot of code complexity. Downloading all search results and parsing them locally before asking the user which key(s) to import would result in too much network traffic. Keys are several to many kilobytes in size, e.g., 66kb.

FIXED in 4.2: Before importing keys from keyservers, they are downloaded fully, verified, and displayed to the user.

OKC-01-009 Bypassable Fingerprint-Check for Key Exchange via QR Code (High)

The fingerprint check is now performed after canonicalization and the method has been changed to check primary and mutually bound keys only.


OKC-01-010 Database can be exported using Encrypt Operation (Low)

Proposed fix has been implemented.

FIXED FOR ANDROID >= 5 IN (We will leave this open for Android < 5 for now due to the low priority)

OKC-01-011 Unconfirmed Main Identities are shown as confirmed (Low)

Confirmed identities (if they exist) are now prioritized over non-confirmed ones.


OKC-01-012 Database Extraction possible via Version Downgrade (Medium)

The database version has been increased, which already prevents a downgrade. In addition, onDowngrade has been overridden.


OKC-01-013 Key Usage unchecked upon Decryption / Signature Verification (Low)

Only keys that are allowed to sign are now used for verification.


OKC-01-014 Multiple File overwrite Vulnerabilities via Path Traversal (High)

The save functionality has been removed for Android < 4.4; on Android >= 4.4 the new Document Storage Framework is used. The problematic file dialog has been removed.


OKC-01-015 Export of PGP Information in clear-text on insecure Storage (Medium)

Logs are no longer saved. Instead, a dialog is shown that warns the user about potentially sensitive information inside the log and allows the user to share the log directly with another app such as a mail program. The save functionality has been removed for Android < 4.4; only the new backup function has code for saving files on Android < 4.4. On Android >= 4.4, saving is enabled via the Document Provider API, which handles everything Backup/Export. Backups are now symmetrically encrypted via a randomly generated Backup Code.


OKC-01-017 Predictable File Creation on insecure Location (Medium)

see OKC-01-015

OKC-01-018 Key Server Verification Bypass via HTTP Redirect (Medium)

We now disallow all redirects. A warning is now shown when a keyserver is added without a pinned certificate; users need to uncheck "only trusted keyserver" to get past the warning. We pinned sks-keyserver,,
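
The "disallow all redirects" rule above, sketched as an added Java example; it is not OpenKeychain's own code, which this page does not show. The class name, the `fetch` helper, the local stand-in server and the `other.example` redirect target are all constructed for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
public class NoRedirectKeyserverFetch {
    // Hypothetical helper (an assumption, not project code): fetch a URL and refuse any redirect.
    static byte[] fetch(URL url) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setInstanceFollowRedirects(false); // never follow a Location header
        try {
            int status = conn.getResponseCode();
            // A redirect target is a different endpoint than the keyserver the user configured.
            if (status >= 300 && status < 400)
                throw new IOException("redirect refused: " + status + " -> " + conn.getHeaderField("Location"));
            if (status != HttpURLConnection.HTTP_OK)
                throw new IOException("unexpected status " + status);
            try (InputStream in = conn.getInputStream()) {
                return in.readAllBytes();
            }
        } finally {
            conn.disconnect();
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed local server standing in for a keyserver: /ok answers, /moved redirects.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/ok", ex -> {
            byte[] body = "constructed key data".getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        server.createContext("/moved", ex -> {
            ex.getResponseHeaders().add("Location", "http://other.example/pks/lookup");
            ex.sendResponseHeaders(302, -1); // -1: no response body
            ex.close();
        });
        server.start();
        String base = "http://127.0.0.1:" + server.getAddress().getPort();
        try {
            System.out.println(new String(fetch(URI.create(base + "/ok").toURL()), StandardCharsets.UTF_8));
            fetch(URI.create(base + "/moved").toURL()); // throws: the 302 is treated as a failure
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        } finally {
            server.stop(0);
        }
    }
}
```

Treating every 3xx status as a hard failure, rather than re-validating the new host, keeps the decision about which keyserver to trust with the user who configured it.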


Miscellaneous Issues

OKC-01-002 Malicious public Key can lead to persistent Denial of Service (Medium)

OpenKeychain now processes at most 100 User IDs.


OKC-01-003 Malicious Key Server response can lead to Denial of Service (Low)

OpenKeychain now skips keys or User IDs with broken encodings or other wrong values; the get-method no longer crashes on empty or wrong data.


OKC-01-005 Insufficient and insecure RSA/DSA Key Sizes permitted (Medium)

The minimum key length for key creation is now 2048 bit for RSA, DSA, and ElGamal.


OKC-01-007 Signing Operations with weak Key lead to Denial of Service (Info)

In the future, we would like to tag insecure keys inside our database, like revoked or expired keys, and make them unselectable. There will be future work on this when other issues have been sorted out, see


OKC-01-008 OpenKeychain accepts weak Passwords without any Warning (Info)

In the future, we would like to switch to a model where the whole database of OpenKeychain is encrypted, not every single secret key separately, see


OKC-01-016 No Warnings when adding a clear-text HTTP Key Server (Low)

HTTP is still allowed, but HTTP keyservers are not among the trusted keyservers, so the warning that we implemented for OKC-01-018 is shown.

