Dr.-Ing. Mario Heiderich, Cure53
Bielefelder Str. 14
D 10709 Berlin
Cure53 also looked into the authentication flow used by the Mozilla VPN clients. The
implementation of the OpenID Connect protocol was examined and no major issues
were detected. However, it was found that creating a login URL concurrently makes the
port parameter injectable with an arbitrary value. While this could result in a potential
authorization code leak, it is prevented by the CSP in place (FVP-02-016). Despite this
one finding, the implemented authentication setup makes a solid impression.
The mobile applications provided for Android and iOS were also examined by Cure53.
These apps are built from the same codebase as the desktop apps. Thus, the mobile
apps run essentially the same application, with the main functionality included via
binary files. However, platform-specific features exist and needed to be evaluated.
First, the Android application was analyzed in regard to how the current version fits into
the Android ecosystem. Attention was also given to how communication with the
Android Platform API is handled. It was investigated whether and how the application
receives data through the registered custom scheme (deeplink), data URLs, extra
strings or parcelable objects. The one exported activity, three services and one receiver
were examined. However, most exported components require corresponding
permissions, which reduces the attack surface to the one exported activity. No
problems could be spotted in this area.
Cure53 also examined the general configuration of the Android app. It was found that
not all security flags offered by Android are utilized. The absence of these flags does not
introduce a security issue but could allow an attacker to exploit other problems more
easily. As such, the missing backup flag (FVP-02-008) and the secure flag (FVP-02-009)
can be seen as defense-in-depth mechanisms. The tested staging and production builds
of the Android apps are signed with a v1 APK signature. In combination with a supported
minimum SDK level of 21, the app is prone to the known Janus vulnerability, which could
lead to a complete takeover in the context of the Android app (FVP-02-010). It is strongly
recommended to only support v2 and v3 signatures and to raise the minimum supported
SDK level to at least 24 (Android 7).
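As an added example (not part of the Cure53 report or the Mozilla VPN code base), the following audit helper turns the Android configuration findings above into a repeatable check: it parses apksigner's verbose verification output for the signature schemes in use and inspects the manifest values for minSdkVersion and allowBackup. The apksigner output and manifest values below are constructed sample data.

```python
import re
from typing import Dict, List

# Constructed sample in the format printed by `apksigner verify --verbose`:
# a v1-only (JAR) signature, as reported for the tested builds.
SAMPLE_APKSIGNER_OUTPUT = """\
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): false
Verified using v3 scheme (APK Signature Scheme v3): false
Number of signers: 1
"""

# Constructed manifest values (android:allowBackup defaults to true when absent).
SAMPLE_MANIFEST = {"minSdkVersion": 21, "allowBackup": True}

# Android 7 (API 24) is the minimum level recommended in the report.
RECOMMENDED_MIN_SDK = 24


def parse_apksigner(output: str) -> Dict[str, bool]:
    """Map each signature scheme ('v1', 'v2', 'v3') to whether the APK verifies under it."""
    schemes: Dict[str, bool] = {}
    for m in re.finditer(r"Verified using (v\d) scheme[^:]*: (true|false)", output):
        schemes[m.group(1)] = m.group(2) == "true"
    return schemes


def audit_android_config(apksigner_output: str, manifest: dict) -> List[str]:
    """Return one finding string per weak setting; an empty list means all checks pass."""
    findings: List[str] = []
    schemes = parse_apksigner(apksigner_output)

    # A v1-only signature leaves the APK open to Janus-style tampering.
    if not (schemes.get("v2") or schemes.get("v3")):
        findings.append("signature: only the v1 (JAR) scheme is used; add v2/v3 signing")

    # Devices below API 24 fall back to v1 verification, so raise the floor as well.
    min_sdk = int(manifest.get("minSdkVersion", 1))
    if min_sdk < RECOMMENDED_MIN_SDK:
        findings.append(f"minSdkVersion {min_sdk} is below {RECOMMENDED_MIN_SDK} (Android 7)")

    # Backups of app data should be disabled for a VPN client (defense in depth).
    if manifest.get("allowBackup", True):
        findings.append('manifest: set android:allowBackup="false"')
    return findings
```

Running `audit_android_config(SAMPLE_APKSIGNER_OUTPUT, SAMPLE_MANIFEST)` on the constructed sample yields all three findings; a build signed with v2/v3, minSdkVersion 24 and allowBackup disabled yields none.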
Second, moving to iOS, the app does not utilize external custom protocol handlers or
universal links, which reduces the exposed attack surface drastically. The only exception
happens during the authentication flow, as the deployed WebView component relies on
a custom protocol callback to receive the authentication token. As the user is not allowed
to navigate to third-party websites, the possibility for an attack against this functionality is
slim to none. Cure53 also verified the storage of local files and secrets. The app properly
protects user-related information by deploying file encryption and storage of key data in
Cure53, Berlin · 08/17/21 24/25