Explanation about the vulnerability here: https://github.com/alwentiu/COVIDSafe-CVE-2020-12856
The Australian app worked around it by forcing the use of v28 of the Bluetooth API, but that will no longer be supported for distribution of updates in November: https://developer.android.com/distribute/best-practices/develop/target-sdk
So, if this app does the same, it won't be possible to distribute updates any more.
My last information about the Australian app is that they are not using the ENF of Google and Apple. I don't think the ENF is affected by this issue.
@wmertens
The vulnerability you refer to via https://github.com/alwentiu/COVIDSafe-CVE-2020-12856 says:
This vulnerability was reported to DTA (who is responsible for the COVIDSafe app) on May 5th, 2020, and it has been fixed in COVIDSafe (Android) v1.0.18. Details of our finding are available here.
The link https://github.com/alwentiu/COVIDSafe-CVE-2020-12856/blob/master/CVE-2020-12856-19-June-2020.pdf given in the above includes on page 9 the section
Mitigations
...
Use the Apple/Google collaboration (called the "Exposure Notification API").
...
which confirms @thomasaugsten's comment
I don't think the ENF is affected by this issue.
so, since CWA uses the Exposure Notification Framework, CWA is logically not affected by the vulnerability which was fixed in the Australian app.
Also, although https://developer.android.com/distribute/best-practices/develop/target-sdk specifies
From 2 November 2020, app updates must target Android 10 (API level 29) or higher.
it also refers to the targetSdkVersion manifest attribute (also known as the target API level), and as can be seen in the current version (1.3.1) of CWA https://github.com/corona-warn-app/cwa-app-android/blob/1.3.1/Corona-Warn-App/build.gradle this file already includes
targetSdkVersion 29
in line 35, which already meets the requirements specified by Google.
You should also note that there are special instructions for questions and issues about security vulnerabilities as described in https://github.com/corona-warn-app/cwa-app-android/blob/master/SECURITY.md
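The check the comment above performs by hand (open build.gradle, find targetSdkVersion, compare it with the Play Store minimum of API level 29) is easy to automate in CI so a later change cannot silently regress it. The following is an added example and not code from the issue thread or from the CWA project; the two build.gradle fragments are constructed here (with a placeholder applicationId) rather than copied from the real CWA file, and the script only understands the plain integer form of targetSdkVersion, treating anything else as unknown so the check fails closed.

```python
import re
from typing import Optional

# Constructed sample shaped like an Android app module's build.gradle
# (placeholder values, not the real CWA file linked above).
SAMPLE_BUILD_GRADLE = """
android {
    compileSdkVersion 29
    defaultConfig {
        applicationId "com.example.app"
        minSdkVersion 23
        targetSdkVersion 29
        versionCode 1
    }
}
"""

# Constructed sample where the value comes from a project property instead
# of a literal; the parser deliberately does not try to resolve this.
INDIRECT_BUILD_GRADLE = """
android {
    defaultConfig {
        targetSdkVersion rootProject.ext.targetSdk
    }
}
"""

# Requirement quoted in the thread: from 2 November 2020, app updates
# must target Android 10 (API level 29) or higher.
REQUIRED_TARGET_SDK = 29

# Matches exactly one literal declaration such as "    targetSdkVersion 29".
_TARGET_RE = re.compile(r"^[ \t]*targetSdkVersion[ \t]+(\d+)[ \t]*$", re.MULTILINE)


def extract_target_sdk(gradle_text: str) -> Optional[int]:
    """Return the literal targetSdkVersion declared in build.gradle text.

    Returns None when there is no single literal declaration (missing,
    duplicated, or expressed through a variable), so callers can treat
    "unknown" as a failure rather than assume compliance.
    """
    matches = _TARGET_RE.findall(gradle_text)
    if len(matches) != 1:
        return None
    return int(matches[0])


def meets_play_requirement(gradle_text: str, required: int = REQUIRED_TARGET_SDK) -> bool:
    """True only if a literal targetSdkVersion >= required is declared."""
    target = extract_target_sdk(gradle_text)
    return target is not None and target >= required


if __name__ == "__main__":
    for name, text in (("literal", SAMPLE_BUILD_GRADLE), ("indirect", INDIRECT_BUILD_GRADLE)):
        print(name, extract_target_sdk(text), meets_play_requirement(text))
```

Run against a real module's build.gradle (`meets_play_requirement(open("build.gradle").read())`) as a CI gate; a None result is a prompt to either switch to a literal value or extend the parser, not a pass.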
Thank you kindly! Closing.