briar issues
https://code.briarproject.org/briar/briar/-/issues
Feed updated: 2022-01-21T14:13:18Z

Issue #1985: Register public mesh research app's signing key and package name with Google Play
https://code.briarproject.org/briar/briar/-/issues/1985
Author: akwizgran. Updated: 2022-01-21T14:13:18Z.

If we plan to develop a research app as part of #1817, register the package name and app signing key with Google Play before the end of July 2021 so we're not required to let Google manage the signing key.

https://android-developers.googleblog.com/2020/11/new-android-app-bundle-and-target-api.html

Subtask of #1817.

Milestone: Public mesh research. Assignee: akwizgran. Due: 2021-07-31.

Issue #2153: Upgrade Tor to 0.3.5.17
https://code.briarproject.org/briar/briar/-/issues/2153
Author: akwizgran. Updated: 2022-02-25T14:59:07Z.

Tor 0.3.5.16 contains a fix for a remotely triggerable denial-of-service vulnerability.
https://gitweb.torproject.org/tor.git/plain/ChangeLog

Milestone: Android 1.4. Assignee: Torsten Grote.

Issue #1984: Register social mesh research app's signing key and package name with Google Play
https://code.briarproject.org/briar/briar/-/issues/1984
Author: akwizgran. Updated: 2021-09-01T09:47:43Z.

If we plan to develop a research app as part of #1816, register the package name and app signing key with Google Play before the end of July 2021 so we're not required to let Google manage the signing key.

https://android-developers.googleblog.com/2020/11/new-android-app-bundle-and-target-api.html

Subtask of #1816.

Assignee: akwizgran. Due: 2021-07-31.

Issue #1849: Upgrade Tor to 0.3.5.12
https://code.briarproject.org/briar/briar/-/issues/1849
Author: akwizgran. Updated: 2020-11-16T16:52:46Z.

Tor 0.3.5.12 is out. This release has a security fix that could affect anonymity, and an updated list of fallback directories, which might improve bootstrapping.
https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.3.5.12

Milestone: Android 1.2. Assignee: akwizgran.

Issue #1755: Test whether panic button response still works on Android 10
https://code.briarproject.org/briar/briar/-/issues/1755
Author: akwizgran. Updated: 2020-09-04T11:35:02Z.

Android 10 places new restrictions on background apps starting activities:
https://developer.android.com/guide/components/activities/background-starts

Test whether this affects the panic button response, which uses two invisible activities (PanicResponderActivity and ExitActivity), under the following circumstances:
* Briar isn't running
* Briar is running and visible in recent apps
* Briar is running but not visible in recent apps

Assignee: akwizgran.

Issue #1724: For more security spongycastle -> bouncycastle
https://code.briarproject.org/briar/briar/-/issues/1724
Author: Neustradamus. Updated: 2021-08-31T14:04:03Z.

For more security, can you change old spongycastle (based on old bouncycastle) to bouncycastle?
- https://www.bouncycastle.org/
- https://www.bouncycastle.org/releasenotes.html
- http://www.bouncycastle.org/latest_releases.html
- https://www.cvedetails.com/vulnerability-list/vendor_id-7637/Bouncycastle.html

Milestone: Android 1.3. Assignee: akwizgran.

Issue #1606: ClassCastException when opening conversation with contact who supports images
https://code.briarproject.org/briar/briar/-/issues/1606
Author: akwizgran. Updated: 2019-06-28T13:28:39Z.

* Android version: 9
* Phone model: Xiaomi Mi A1
* Briar version: 1.1.7 (37d0b61)

Stacktrace:
```
java.lang.ClassCastException: org.briarproject.briar.android.view.TextSendController cannot be cast to org.briarproject.briar.android.view.TextAttachmentController
at org.briarproject.briar.android.conversation.ConversationActivity.showImageOnboarding(ConversationActivity.java:730)
at org.briarproject.briar.android.conversation.ConversationActivity.lambda$tKsX2hu-pmpHBYdC5ev_sWoOCXk(Unknown Source:0)
at org.briarproject.briar.android.conversation.-$$Lambda$ConversationActivity$tKsX2hu-pmpHBYdC5ev_sWoOCXk.run(Unknown Source:2)
at android.os.Handler.handleCallback(Handler.java:873)
at android.os.Handler.dispatchMessage(Handler.java:99)
at android.os.Looper.loop(Looper.java:193)
at android.app.ActivityThread.main(ActivityThread.java:6762)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:858)
```

The crash is caused by failing to check the image attachments feature flag before calling showImageOnboarding(). This is fixed on master but will happen for Briar 1.1.7 (and possibly some earlier releases) when contacts upgrade to a version that supports image attachments, including 1.2 and 1.3 alpha releases.
Fortunately I've found a sneaky workaround: we bump the client minor version to 2. Briar 1.1.7 only considers that a contact supports image attachments if the minor version is exactly 1 (this is also fixed on master, but fortunately didn't make it into the 1.1.7 release).

Milestone: Android 1.3. Assignee: akwizgran.

Issue #1566: Investigate whether equivalent public keys can damage the security of handshake mode
https://code.briarproject.org/briar/briar/-/issues/1566
Author: akwizgran. Updated: 2019-05-14T11:16:36Z.

Some ECDH public keys are equivalent, in the sense that multiplying them by the same scalar produces the same point. If an attacker sends us a handshake public key that's equivalent to a contact's handshake public key, we'll fail to detect that it's the same key (see #1565) and derive the same handshake mode transport keys. The attacker won't be able to derive the keys, but we'll use the same keys for handshaking with the contact and trying to handshake with the attacker.

This shouldn't affect confidentiality, integrity or authenticity, as we use a unique random nonce with the stream header key, but it could affect protocol obfuscation by using the same tags for sending streams to the contact and the attacker.

Work out whether this attack is possible, and if so, whether we can detect and prevent it.

Subtask of #1232.

Milestone: Android 1.2. Assignee: akwizgran.

Issue #1565: UX for handling duplicate handshake links
https://code.briarproject.org/briar/briar/-/issues/1565
Author: akwizgran. Updated: 2019-10-16T16:19:19Z.

If Mallory knows Bob's handshake link, she may send it to Alice pretending it's Mallory's own link, in order to discover whether Alice and Bob are contacts/pending contacts.
When adding a pending contact we should check whether a contact/pending contact with the same handshake public key exists. If so, we should ask the user whether the new pending contact and the existing contact/pending contact are the same person. If yes, we discard the new pending contact. If no, we tell the user that two contacts sent the same link, which could mean that one of them is trying to discover who the user's contacts are, and we warn the user not to tell either of them that someone else sent the same link. Then we discard the new pending contact.

If we support more than one link format in future, Mallory may change the format of Bob's link before sending it to Alice, so we should compare the parsed public keys or public key hashes rather than the unparsed links.

Subtask of #1230.

Milestone: Android 1.2. Assignee: Torsten Grote.

Issue #1536: Find out whether intent extras or instance state bundles are persisted by the OS
https://code.briarproject.org/briar/briar/-/issues/1536
Author: akwizgran. Updated: 2019-04-22T13:30:11Z.

Since roughly Android 5, the recent apps list has been persisted across reboots. Find out whether intent extras or instance state bundles for the activities in the recent apps list are persisted. If so, this might leak confidential information to disk.

Milestone: Android 1.1.

Issue #1433: BdfReaderImpl has undefined behaviour for strings with illegal byte sequences
https://code.briarproject.org/briar/briar/-/issues/1433
Author: akwizgran. Updated: 2018-10-30T13:58:53Z.

BdfReaderImpl uses the `String(byte[] bytes, int offset, int length, String charsetName)` constructor to convert UTF-8 byte arrays into strings. The [javadoc](https://docs.oracle.com/javase/8/docs/api/java/lang/String.html#String-byte:A-int-int-java.lang.String-) says "The behavior of this constructor when the given bytes are not valid in the given charset is unspecified. The CharsetDecoder class should be used when more control over the decoding process is required."
We have a `StringUtils.toUtf8(byte[] bytes)` method with well-defined behaviour for this situation (illegal byte sequences are ignored), which we should probably be using here (and fuzz-testing).

Milestone: Android 1.1. Assignee: akwizgran.

Issue #1352: Latest version of Ripple from F-Droid doesn't trigger panic actions
https://code.briarproject.org/briar/briar/-/issues/1352
Author: akwizgran. Updated: 2018-09-28T09:57:20Z.

The latest release of Ripple from the main F-Droid repo (version 0.2.2) doesn't trigger Briar's panic actions because the package isn't signed with a key we trust. However, the Ripple UI says that Briar will respond to the panic trigger.

Milestone: Android 1.1. Assignee: Torsten Grote.

Issue #1298: Wifi address should be scrubbed from crash reports/feedback
https://code.briarproject.org/briar/briar/-/issues/1298
Author: akwizgran. Updated: 2018-12-10T10:13:18Z.

It's possible for the wifi IP address included in crash reports and feedback to be a public (routable) address, so it should be scrubbed like other IP addresses.

Milestone: Android 1.1.

Issue #1277: BdfReaderImpl accepts any string/raw length up to Integer.MAX_VALUE
https://code.briarproject.org/briar/briar/-/issues/1277
Author: akwizgran. Updated: 2018-09-07T11:16:32Z.

This leads to a remotely triggerable OOM by sending, for example, a private message with the body 0x604406400000, which is the start of a BDF list containing a 100 MB string, causing the BdfReaderImpl to try to allocate a 100 MB buffer.

Milestone: Android 1.1. Assignee: akwizgran.

Issue #1185: Move native binary extraction to the Installer
https://code.briarproject.org/briar/briar/-/issues/1185
Author: Julian Dehm. Updated: 2020-11-16T10:35:40Z.

Manually extracting the tor binary to the writable data directory could be dangerous. We should investigate the option to bundle the binary in a way that it gets extracted by the installer to a read-only directory as described here: https://twitter.com/CopperheadOS/status/917924329857474560

This might be done by disguising the binary as a library file and moving it to jniLibs/<ABI>/tor.so

This would also allow us to use `targetSandboxVersion="2"` for improved security.

Milestone: Android 1.2. Assignee: akwizgran.

Issue #1109: Uninstalling Panic Action Requires User Interaction on Latest Android
https://code.briarproject.org/briar/briar/-/issues/1109
Author: Torsten Grote. Updated: 2018-09-28T09:57:20Z.

It seems an app can no longer uninstall itself without user interaction. At least on Android O, the user needs to confirm the uninstall. In a panic situation, there might be no time for that and actions should normally be completely automatic.

Maybe we should just remove the uninstall option then?

Milestone: Android 1.1. Assignee: Torsten Grote.