On 2 May 2014 13:15, Hans-Christoph Steiner <[email protected]> wrote:
> > I couldn't get that APK to download, anyone else? Can it be posted elsewhere?
> You might be able to see some interesting links by uploading it to
> https://androidobservatory.org/

I was - you may need to use a 'fancy' browser, like a non-Tor-ed Chrome to get MEGA to work. Not sure though, I'd think it'd work for others.

Thanks for this, and for saving me from having to JAD it myself. :)

This is my 5-minute hit-list

- Manifest File is... binary? Pain in the butt, here it is: https://gist.github.com/tomrittervg/52095aad83b06f2c6dd4
  That, is a lot of stuff. Lot of attack surface.
- BouncyCastle Java library for PGP
- Looks like it's using the sdcard for a lot of stuff, which is scary:

    public static final String DOWN_FILEPATH = Environment.getExternalStorageDirectory() + "/Download";
    public static final String PGPHOMEPATH = Environment.getExternalStorageDirectory() + "/openpgp";

- Looks like they keep KeyIDs in some sort of database, and while they have parameterized queries in one place, I'm not sure about everywhere...[0]
- I'm not certain at all, but signs point towards them supporting PGP/MIME, and not inline...? [1]

Anyway, I couldn't spend a lot of time looking at it, so nothing here is definitive, except that there's definitely a lot of PGP 'stuff' happening. I don't suppose Samsung makes their apps open source? This might be an interesting base to audit and build on....

-tom

[0]:

    if (this.mFlag == 268439825) {
      Vector localVector = (Vector)paramObject;
      String[] arrayOfString = { "c_key_id", "c_email_id", "c_user_name", "c_expiry", "c_is_default" };
      String str = "( c_expiry > '" + l + "' OR " + "c_expiry" + "= '0')" + " AND ( " + "c_creation" + " < " + "'" + l + "' OR " + "c_creation" + "= '0') ";
      int i = 0;
      if (i < localVector.size()) {
        if (i == 0)
          str = str + " AND ( c_key_id in ('" + localVector.elementAt(i) + "'";
        while (true) {
          i++;
          break;
          if (i == -1 + localVector.size())
            str = str + " ,'" + localVector.elementAt(i) + "' ))";
          else
            str = str + " ,'" + localVector.elementAt(i) + "'";
        }
      }

[1]

    if ((!str5.contains("multipart/encrypted")) || (!str5.contains("application/pgp-encrypted")))
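
Added example (not part of the original message and not the app's code): the key-ID lookup from footnote [0] built with bound parameters instead of string concatenation, so a key ID containing a quote stays data. The class name, method name and sample values are assumptions; only the column names come from the decompiled snippet.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example: not the app's code. Column names come from footnote [0];
// the class, method and sample values are hypothetical.
public class KeyIdSelection {
    final String selection;   // WHERE clause containing only '?' placeholders
    final String[] args;      // values bound by SQLite, never parsed as SQL

    KeyIdSelection(String selection, String[] args) {
        this.selection = selection;
        this.args = args;
    }

    // Same predicate as footnote [0], with every value moved into args.
    static KeyIdSelection build(long now, List<String> keyIds) {
        StringBuilder sql = new StringBuilder(
            "(c_expiry > ? OR c_expiry = '0') AND (c_creation < ? OR c_creation = '0')");
        List<String> args = new ArrayList<>();
        args.add(Long.toString(now));
        args.add(Long.toString(now));
        // As in the decompiled code, an empty list adds no key-ID filter.
        if (!keyIds.isEmpty()) {
            sql.append(" AND (c_key_id IN (");
            for (int i = 0; i < keyIds.size(); i++) {
                sql.append(i == 0 ? "?" : ", ?");
                args.add(keyIds.get(i));
            }
            sql.append("))");
        }
        return new KeyIdSelection(sql.toString(), args.toArray(new String[0]));
    }

    public static void main(String[] unused) {
        // Constructed input: the second key ID contains a quote character.
        List<String> ids = Arrays.asList("0x1A2B3C4D", "ab'cd");
        KeyIdSelection s = build(1399036500000L, ids);
        System.out.println(s.selection);
        System.out.println(Arrays.toString(s.args));
        // On Android the pair is passed as the selection and selectionArgs
        // arguments of SQLiteDatabase.query(); the table name is not on the page.
    }
}
```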
