Security Vulnerbility in iOS SDK and Android SDK

zacksiri · November 3, 2020, 2:35am

I’ve been supporting a team with integrating / uploading into Transloadit. In other environments we can simply upload using the Auth Key, however in Android SDK and iOS it requires the secret also be given. This means that The Android / iOS app can be reverse engineered to retrieve the secret and the attacker can use the secret to access data of other users (by listing out the assemblies and getting the detail of each one).

Why was it designed this way? Any way we can fix this?

elwillis · November 3, 2020, 3:52am

Hey there,

So you bring up a very good point. It looks like this might be a rough spot in our documentation around both the Java SDK and the Android SDK. (I’ll need to have someone else look deeper at the iOS SDK).

Constructor for the AndroidTransloadit class in the Android SDK

github.com

transloadit/android-sdk/blob/master/transloadit-android/src/main/java/com/transloadit/android/sdk/AndroidTransloadit.java#L11


package com.transloadit.android.sdk;

import android.app.Activity;

import com.transloadit.sdk.async.AssemblyProgressListener;

import org.jetbrains.annotations.Nullable;


public class AndroidTransloadit extends com.transloadit.sdk.Transloadit {
    public AndroidTransloadit(String key, @Nullable String secret, long duration, String hostUrl) {
        super(key, secret, duration, hostUrl);
    }

    /**
     * A new instance to transloadit client
     *
     * @param key User's transloadit key
     * @param secret User's transloadit secret.
     * @param hostUrl the host url to the transloadit service.
     */

Corresponding constructor from the Java SDK that AndroidTransloadit extends.

github.com

transloadit/java-sdk/blob/master/src/main/java/com/transloadit/sdk/Transloadit.java#L36


boolean shouldSignRequest;

/**
 * A new instance to transloadit client
 *
 * @param key User's transloadit key
 * @param secret User's transloadit secret.
 * @param duration for how long (in seconds) the request should be valid.
 * @param hostUrl the host url to the transloadit service.
 */
public Transloadit(String key, @Nullable String secret, long duration, String hostUrl) {
    this.key = key;
    this.secret = secret;
    this.duration = duration;
    this.hostUrl = hostUrl;
    shouldSignRequest = secret != null;
}

/**
 * A new instance to transloadit client
 *

From these the secret string is nullable. So you should be able to instantiate like so and not have to leak the Transloadit secret in your app.

 AndroidTransloadit transloadit = new AndroidTransloadit("key", null);

However, what ends up happening in the core JavaSDK when the secret is not set is that signature authentication is disabled. To use signature authentication without exposing the secret the Transloadit client would have to support generating signatures from a server side application. If signature authentication is not a requirement for you immediately then simply nulling the secret will be sufficient for your use case.

MMasterson · November 3, 2020, 4:06am

The iOS SDK is turning Swift, the codebase can be seen in the Swift-Development branch of the repo.

Nulling the secret has not yet been implemented in that version, but will be implemented just as/or as similarly to the Android SDK way listed above. Can get a version of that out for you this week.

it would be look like such

func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?) -> Bool {
        var config = TransloaditConfig(withKey: "")
        Transloadit.setup(with: config)
        return true
    }
}

or creating a plist like

Transloadit.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN” “http://www.apple.com/DTDs/PropertyList-1.0.dtd”>
<plist version=“1.0”>
<dict>
<key>key</key>
<string>PUT_KEY_HERE</string>
</dict>
</plist>

MMasterson · November 8, 2020, 10:16pm

This is now working in TUSKit 2.1.0.alpha, working as described above.

Topic		Replies	Views
Companion dynamic config Uppy	2	410	September 28, 2020
Using @uppy/core and @uppy/transloadit with authkey and secret Transloadit	1	1229	November 22, 2021
Passing temporary s3 credentials to assembly Transloadit	1	1717	July 17, 2020
Ssl_url as showLinkToFileUploadResult Uppy	0	279	December 30, 2022
Provide custom instagram credentials to transloadit Transloadit	1	1541	July 22, 2020

Security Vulnerbility in iOS SDK and Android SDK

Related Topics