Security Vulnerbility in iOS SDK and Android SDK

I’ve been supporting a team with integrating / uploading into Transloadit. In other environments we can simply upload using the Auth Key, however in Android SDK and iOS it requires the secret also be given. This means that The Android / iOS app can be reverse engineered to retrieve the secret and the attacker can use the secret to access data of other users (by listing out the assemblies and getting the detail of each one).

Why was it designed this way? Any way we can fix this?

Hey there,

So you bring up a very good point. It looks like this might be a rough spot in our documentation around both the Java SDK and the Android SDK. (I’ll need to have someone else look deeper at the iOS SDK).

Constructor for the AndroidTransloadit class in the Android SDK

Corresponding constructor from the Java SDK that AndroidTransloadit extends.

From these the secret string is nullable. So you should be able to instantiate like so and not have to leak the Transloadit secret in your app.

 AndroidTransloadit transloadit = new AndroidTransloadit("key", null);

However, what ends up happening in the core JavaSDK when the secret is not set is that signature authentication is disabled. To use signature authentication without exposing the secret the Transloadit client would have to support generating signatures from a server side application. If signature authentication is not a requirement for you immediately then simply nulling the secret will be sufficient for your use case.

The iOS SDK is turning Swift, the codebase can be seen in the Swift-Development branch of the repo.

Nulling the secret has not yet been implemented in that version, but will be implemented just as/or as similarly to the Android SDK way listed above. Can get a version of that out for you this week.

it would be look like such

func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?) -> Bool {
        var config = TransloaditConfig(withKey: "")
        Transloadit.setup(with: config)
        return true

or creating a plist like

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN” “”>
<plist version=“1.0”>

This is now working in TUSKit 2.1.0.alpha, working as described above.