Android: Thumbnail cache is world-readable

Created on 5 Jan 2019  路  5Comments  路  Source: nextcloud/android

Actual behaviour

  • Thumbnails written to Android/data/com.nextcloud.client/cache/thumbnailCache, which is world-readable.

Expected behaviour

  • Thumbnails written to secure storage (or not written at all).

Steps to reproduce

  1. Browse any folder with images
  2. Wait until thumbnails load
  3. Navigate to the above path
  4. Open any thumbnail

Impact

This leaks information outside the app about what is being stored on NextCloud.

Environment data

Android version: P

Device model: Pixel 3

Stock or customized system: Stock

Nextcloud app version: 3.4.1

Nextcloud server version: 15

approved bug pr exists
Source
picture ams2990

Most helpful comment

RC1 of 3.5.0 is planned for 28.01, so I hope, yes :-)
Otherwise we can still change location and to a migration step.

picture tobiasKaminsky on 7 Jan 2019
1 👍1

All 5 comments

GitMate.io thinks possibly related issues are https://github.com/nextcloud/android/issues/3240 (Thumbnails cache disappear/cleaned after a awhile?), https://github.com/nextcloud/android/issues/518 (Enhance thumbnails), https://github.com/nextcloud/android/issues/596 (Cache size), https://github.com/nextcloud/android/issues/177 (Enhance thumbnail downloading / Download all thumbnails in one folder / smart cache size), and https://github.com/nextcloud/android/issues/734 (Blinking Thumbnails when refreshing).

nextcloud-android-bot picture nextcloud-android-bot on 5 Jan 2019

We can change this to use
"getCacheDir()" instead of "getExternalCacheDir()" here: https://github.com/nextcloud/android/blob/59cf6b9ba4965f38f2749f0624013daf0b83c946/src/main/java/com/owncloud/android/datamodel/ThumbnailsCacheManager.java#L120

This then would mean that all thumbnails needs to be moved or re-generated.
However, we are working on #2871, which then will use the above location.
I am planning to get #2871 into next release.

tobiasKaminsky picture tobiasKaminsky on 7 Jan 2019

Both solutions look good to me. Are you sure you'll be able to finish #2871 in time? If so that would be the nicest way of course.

AndyScherzinger picture AndyScherzinger on 7 Jan 2019

RC1 of 3.5.0 is planned for 28.01, so I hope, yes :-)
Otherwise we can still change location and to a migration step.

tobiasKaminsky picture tobiasKaminsky on 7 Jan 2019
1 👍1

What's the latest here? It doesn't look like #2871 has been fixed yet. If that's going to slip, can this be fixed separately?

ams2990 picture ams2990 on 2 Feb 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

JSoko picture JSoko  路  3Comments
tobiasKaminsky picture tobiasKaminsky  路  3Comments
AndyScherzinger picture AndyScherzinger  路  3Comments
Tie-fighter picture Tie-fighter  路  3Comments
JSoko picture JSoko  路  3Comments