Author Topic: Results of app security test by High Tech Bridge for AquaMail  (Read 2315 times)

Justin

  • Sr. Member
  • ****
  • Posts: 322
Results of app security test by High Tech Bridge for AquaMail
« on: November 11, 2018, 06:40:55 pm »
Just for information - results:
https://www.htbridge.com/mobile/?id=cTam7ZeM

I do not consider myself competent to judge these results. Maybe others can?

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: Results of app security test by High Tech Bridge for AquaMail
« Reply #1 on: November 13, 2018, 09:16:07 pm »
Looked at most "yellow" (warnings) items - irrelevant at best, misleading, or outright wrong.

Looks like this test grew out of their existing "web site security / encryption" tests, which I know and love and which are good. But trying to extend that to mobile apps didn't quite work as far as I can see.

Like what does it matter if we use "potentially predictable random number generator" in code that animates "bubbles floating up" (on the welcome screen)???

On "clear text database" - that's what Android has, used by almost all apps.

To access it, you'd need to break Android's app isolation (which stores each app's data in a directory that's only accessible by that app). Easy on a rooted phone, but then rooting a phone is a security risk for precisely that reason, and it applies to all apps.

Or take this "exposure of private data in system log":

Quote
11-11 16:13:12.966 I/ActivityManager( 1626): START u0 {act=android.intent.action.VIEW dat=https://www.mobisystems.com/... cmp=org.chromium.webview_shell/.WebViewBrowserActivity (has extras)} from uid 10065 on display 0

This log output line is printed by Android, not by the app. So every app trying to launch a web browser would be logged like this - and note that the URL is shown only partially.

There are two kinds of borderline items having to do with Random / SecureRandom, and although they're borderline - I'll fix them.
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Log files for diagnostics: https://www.aqua-mail.com/ru/troubleshooting/

Questions and answers: https://www.aqua-mail.com/ru/faq/

Justin

  • Sr. Member
  • ****
  • Posts: 322
Re: Results of app security test by High Tech Bridge for AquaMail
« Reply #2 on: November 13, 2018, 10:29:26 pm »
Thx.