Security Audit Report 27 mar 2020 #232
Comments
rparet
added
help wanted
|
todo: audit results, apply fixes as necessary. |
|
I looked through the serializable results:
|
|
Ran a security report against v0.9.2 https://www.immuniweb.com/mobile/?id=ZShRvPsc Overall looks broadly similar to what was assessed before. Are there good reasons we commuicate with Facebook, Twitter, Pinterest & YouTube? This seems pretty hard to justify to me, and IMO damaging to our Privacy credentials? Also, what is that link to www.mindprod.com? "CMP (Canadian Mind Products)’s purpose is to stand up for the rights of plants and animals. Animals also includes cetacea, humans, gay people, atheists, war victims and invertebrates. CMP attempts to inculcate planetary consciousness — concern for the planet as a whole. A subgoal is to teach people to use computers effectively, particularly with the Java computer language."
Medium risk security flaws also merit attention.
|
|
Full PDF report |
|
More from mindprod.com: "The long-term goal of Christians in politics should be to gain exclusive control over the franchise [the right to vote]. Those who refuse to submit publicly to the eternal sanctions of God by submitting to His Church’s public marks of the covenant — baptism and holy communion — must be denied citizenship, just as they were in ancient Israel." Why on earth does SafePaths link to this? |
|
Wow... it should not be doing that. The core of Safe Paths does not connect to those sites. My only guess is that those sites are accessed by one of the linked data (health authorities maybe). The hardcoded Haitian authority is beng removed in #499. We need to verify this locally to find out if this data is accurate, and the cause. |
|
Heres the details from the PDF. Can a Dev please look at these java files and determine if we can remove these? I'm guessing these are 3rd party libraries - are we able to modify them? Or do we have to do something else? http:// with value http://mindprod.com in following files: |
|
Some more digging on these rogue HTTP links (c&p from what I wrote on Slack): I'm stretching outside my area of expertise here, but I don't like being defeated by things like this... https://github.com/react-native-community/react-native-share Medium term, I think we should be building a direct API to the HA, and not using e-mail or similar transport mechanisms. Don't know if that's aligned with others' visions, but IMO it's pretty important for privacy not to use services like email that leave a trail of unredacted data. The other one... Looks like it comes from apktool, e.g. (I don't know how to determine which specific version of apktool we use). Some forks of apktool have removed this (for different reasons: specifically the "non-military use" license, which could actually impact us too So I think there might be a way around this one - and a reason to do so as well, due to the unusual license conditions. |
|
@diarmidmackenzie I believe this one should be good to close, as we have some more up-to-date security audits? |
[pv 27 mar 2020.pdf](https://github.com/tripleblindmarket/private-kit/files/4391596/pv.27.mar.2020.pdf)The text was updated successfully, but these errors were encountered: