Stagefright Vulnerability: No way to disable auto-downloading of MMS #3817

Closed
acconrad opened this Issue Jul 27, 2015 · 18 comments

acconrad commented Jul 27, 2015

In light of the recent news of the Android flaw via the Stagefright hack, one immediate way to mitigate risk is to disable auto-downloading of MMS. However, there is no way in the app right now to disable auto-downloading.

Member

moxie0 commented Jul 27, 2015

We don't do any pre-processing that involves stagefright. There are no technical details at all available about this vulnerability (for maximum hype), but you'd have to physically tap on the media and then click through a warning about playing media insecurely before stagefright got involved.

moxie0 closed this Jul 27, 2015

HalosGhost commented Jul 28, 2015

Wouldn't it be great if Github had a built-in voting system for bugs. In the meantime, I suppose all I have is a 👍 to show my support for how awesome TextSecure/Signal is. 😄

2t7 commented Aug 6, 2015

@myhndl and everyone else who looks for the relevant commits: There seem to be more commits from Joshua Drake (jduck) which are relevant:
http://review.cyanogenmod.org/#/q/project:CyanogenMod/android_frameworks_av+owner:Abhisek+Devkota
The commits owned by Abhisek Devkota are authored by Joshua Drake.
Especially the 3 ones for cm-12.0 found their way into the cm-12.1 branch (though I cannot find them in Gerrit).

Apparently Julian Strobl did apply Stagefright fixes to the branch CM-10.1:
http://review.cyanogenmod.org/#/q/owner:%22Julian+Strobl%22

There is a commit by Brint E. Kriebel (author Marco Nelissen) which got merged into various branches:
http://review.cyanogenmod.org/#/q/owner:bekit%2540cyngn.com+project:+CyanogenMod/android_frameworks_av+Guard+against+codecinfo+overflow
It seems like this bug got discovered after the stagefright bug became public, and I do not know if this is exploitable, but it is definitely worth mentioning here.

EDIT:
Now CVE descriptions and patches are available here:
https://blog.zimperium.com/stagefright-vulnerability-details-stagefright-detector-tool-released/

pmarreck commented Aug 25, 2015

@jduck

I don't always patch security holes affecting <hype>950 MILLION PEOPLE</hype>, but when I do... I at least include a fracking test case in some kind of test suite to prove my assumptions correct :P

rene0720 commented Oct 3, 2015

It's a critical vulnerability but I can't find an option in the current version to disable auto-downloading MMS. When will there be an update?

Contributor

agrajaghh commented Oct 3, 2015

@rene0720

@moxie0 said:

> [...] you'd have to physically tap on the media and then click through a warning about playing media insecurely before stagefright got involved.

rugk commented Nov 7, 2015

So you think all the Stagefright is hype? Really? Are you kidding?

I tested it and sent myself an SMS and I did not have to click anywhere to get it downloaded. It was automatically downloaded and I got a push notification.
Possibly it only got downloaded after I opened Signal, but this does not make it better, because it is still automatically downloaded. And as the image was finally displayed, it is clear that this was processed through the Stagefright library. Or do you want to claim you do not use this library?

Contributor

agrajaghh commented Nov 7, 2015

afaik just video files are affected, no? Are you sure video files are previewed as well?

rugk commented Nov 7, 2015

No, it affects everything parsed by the Stagefright library, including pictures and so on. That's why it can so easily be exploited in multiple ways, including MMS and files downloaded by the browser.

See also: https://en.wikipedia.org/wiki/Stagefright_%28bug%29#Mitigation

Member

moxie0 commented Nov 7, 2015

@rugk Please don't spread misinformation, there is currently nothing in the Signal code base that touches stagefright without user interaction. Everything in question here is open source, so if you think there's a vulnerability associated with operations like parsing JPG files or whatever on Android, please cite your source.

Everyone is fixated on MMS, but MMS has nothing to do with the actual vulnerability.

rugk commented Nov 8, 2015

I see you were sceptical from the start.

Do you use the media library for displaying images? Especially how do you display the images you show when receiving MMS?

> Everyone is fixated on MMS, but MMS has nothing to do with the actual vulnerability.

It's a very nice attack vector and every other attack vector is not really important for Signal. (Or do you display downloaded files too? 😉)

Has anyone tried the exploit with Signal?

Member

moxie0 commented Nov 9, 2015

> I see you were sceptical [sic] from the start.

No, I was asking for information from the start. At that point, there was none.

> Do you use the media library for displaying images? Especially how do you display the images you show when receiving MMS?

If you click on your own link, you'll see there's nothing about rendering images in there.

> Has anyone tried the exploit with Signal?

Go for it. Nothing in Signal touches stagefright without user interaction.

rugk commented Nov 9, 2015

> Do you use the media library for displaying images? Especially how do you display the images you show when receiving MMS?

> If you click on your own link, you'll see there's nothing about rendering images in there.

Okay, so obviously the image may not be a valid one. You're right, Stagefright only seems to be about modified video files.

> Go for it. Nothing in Signal touches stagefright without user interaction.

And what "user interaction" triggers it? Opening Signal, opening a chat, saving a file?

Member

moxie0 commented Nov 9, 2015

Playing the media

rugk commented Nov 9, 2015

Okay, that's unavoidable. So this issue can be considered closed.

However there are other good reasons to add an option for disabling MMS retrieval.

BTW:

> I see you were sceptical [sic] from the start.

That's British English. https://en.wiktionary.org/wiki/sceptical

acconrad commented Nov 9, 2015

@rugk might I provide one point of empathy for the Whisper team?

This is open source. They are providing this for free out of the goodness of their hearts. To even continue working on this project is something we are all grateful for. So if they set priorities for issues that come in, we are at their mercy, which means they likely won't re-open this issue or the new one you've linked to. And because this is open source, you're free to submit a pull request if in fact your priorities are not in alignment with the priorities of the Whisper group.

Therefore, in the interest of not continuing to receive updates about this already closed issue, I'd encourage you to add a pull request to explicitly disable MMS - you clearly care about this and no one is stopping you from working on it. But the Whisper team has already explained that they don't see an issue at the moment, so simply asking won't be convincing enough, especially given that you aren't paying them to implement this feature. Implementing it yourself may be the best hope for disabling MMS in Signal.

rugk commented Nov 9, 2015

Closing an issue means either "we have fixed/implemented it" or "this is invalid/will not be implemented/wontfix/...".
It does not mean: "Err we won't implement it, but Pull Requests are welcome."
That's just because issues are also important for contributors, so they get ideas what to implement. That's why issues should stay open if they may be implemented (by whom does not matter in this case).

Also keep in mind that this option was mostly just denied by the Whisper team to implement, because this would not help to mitigate the Stagefright vulnerability.
The thing I did was suggesting new arguments and until now nobody has replied saying this is or is not an argument for adding this option.
Also keep in mind that this issue should stay closed (as this is mostly an issue about Stagefright) - only the quite general issue about the option as such (#3821) should be reopened.

BTW I'm not keen on having this feature. I'm just suggesting it, because I think it could provide an additional value. We'll also see how many users like this idea and want to have it too if #3821 is reopened and users may see and comment there.

signalapp locked and limited conversation to collaborators Nov 9, 2015