Hello.
In my free time, I usually like to explore Signal-Android’s code-base. I’m not a software engineer. I’m no expert, just curious. I would love it if an expert commented on the issue, maybe @valldrac would like to shed some light?
And yes, I did send an email to Signal at security @ signal (dot) org on 2024.09.20, but there has been no response as of this moment.
Here’s the original email I sent to Signal.
Dear Signal,
Signal-Android makes use of OkHttpClients in many places around the app. While I understand the reasoning behind the use of the StandardUserAgentInterceptor class when communicating with Signal’s services, I’m not entirely sure that it was intentional to use it with external services, such as Stripe and Giphy.
In many places around the app, AppDependencies.okHttpClient is reused, which has the interceptor StandardUserAgentInterceptor applied to it.
E.g.

Users of AppDependencies.okHttpClient

Stripe related:
components/settings/app/subscription/StripeRepository.kt
jobs/ExternalLaunchDonationJob.kt
jobs/InAppPaymentAuthCheckJob.kt

Giphy related:
giph/mp4/GiphyMp4PagedDataSource.java
video/exo/SimpleExoPlayerPool.kt

And just as important, users that create their own OkHttpClients and apply StandardUserAgentInterceptor directly:
giph/mp4/GiphyMp4Repository.java
glide/ChunkedImageUrlLoader.java
glide/OkHttpUrlLoader.java

Another concern that I have is with the usage of WebViews, which is fine of course, but what User-Agent do they use? Do they use some sort of combo of my WebView version/Android version? If so, is it possible to change the User-Agent to something that’s really generic/popular so we can just blend in when connecting to external services? I’m also not really concerned with the WebView that connects to Signal’s services for a registration captcha, for example (although I would still prefer to give out as little information as possible, even to Signal), but I am concerned with leaking a possibly identifying User-Agent to external services, such as Stripe, since I see that WebViews are being used for Stripe related stuff in the app.
P.S. I’m not an iOS user, so I can’t confirm whether all these things apply to iOS as well.
Best regards,
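To make the concern in the post concrete, here is an added example (not Signal-Android code, and not the reporter's) showing what a shared OkHttpClient with an app-wide User-Agent interceptor sends to an arbitrary host, and two ways to keep an app-specific User-Agent off third-party hosts. The class `AppUserAgentInterceptor`, the User-Agent strings, the host name `example-first-party.test` and the helper names are all hypothetical; the example assumes OkHttp 4.x and its `mockwebserver` artifact on the classpath, and it says nothing about what StandardUserAgentInterceptor actually emits.

```kotlin
// Added example, not from Signal-Android. Assumes okhttp 4.x + mockwebserver on the classpath.
import okhttp3.Interceptor
import okhttp3.OkHttpClient
import okhttp3.Request
import okhttp3.Response
import okhttp3.mockwebserver.MockResponse
import okhttp3.mockwebserver.MockWebServer

// Hypothetical stand-in for an app-wide User-Agent interceptor: it stamps the same
// app-specific UA on every request, whatever host the request goes to.
class AppUserAgentInterceptor(private val userAgent: String) : Interceptor {
    override fun intercept(chain: Interceptor.Chain): Response {
        val stamped = chain.request().newBuilder()
            .header("User-Agent", userAgent)
            .build()
        return chain.proceed(stamped)
    }
}

// Hardened variant: only first-party hosts (and their subdomains) get the app UA;
// every other host gets a deliberately generic one, so the request no longer
// identifies the app that sent it.
class HostScopedUserAgentInterceptor(
    private val firstPartyHosts: Set<String>,
    private val appUserAgent: String,
    private val genericUserAgent: String,
) : Interceptor {
    override fun intercept(chain: Interceptor.Chain): Response {
        val original = chain.request()
        val host = original.url.host
        val firstParty = host in firstPartyHosts || firstPartyHosts.any { host.endsWith(".$it") }
        val ua = if (firstParty) appUserAgent else genericUserAgent
        return chain.proceed(original.newBuilder().header("User-Agent", ua).build())
    }
}

// Alternative: derive a third-party client from the shared one and drop the app UA
// interceptor. newBuilder() copies the shared connection pool and settings, so the
// app keeps one pool while third-party calls lose the identifying header.
fun OkHttpClient.withoutAppUserAgent(): OkHttpClient =
    newBuilder().apply { interceptors().removeAll { it is AppUserAgentInterceptor } }.build()

// Sends one GET to the mock server through the given client and returns the
// User-Agent header the server actually received.
fun observedUserAgent(client: OkHttpClient, server: MockWebServer): String? {
    server.enqueue(MockResponse().setResponseCode(200).setBody("ok"))
    client.newCall(Request.Builder().url(server.url("/")).build()).execute().use { }
    return server.takeRequest().getHeader("User-Agent")
}

fun main() {
    // Constructed, hypothetical strings; the app UA deliberately carries version details.
    val appUa = "ExampleApp/1.2.3 Android/14 (hypothetical)"
    val genericUa = "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36"

    // MockWebServer plays the role of a third-party service such as a payments or GIF API.
    val server = MockWebServer()
    server.start()
    try {
        // 1. Shared client: the app UA reaches every host, including this "third party".
        val shared = OkHttpClient.Builder().addInterceptor(AppUserAgentInterceptor(appUa)).build()
        println("shared client      -> ${observedUserAgent(shared, server)}")

        // 2. Derived client: interceptor removed, so OkHttp's own default UA is sent.
        println("derived client     -> ${observedUserAgent(shared.withoutAppUserAgent(), server)}")

        // 3. Host-scoped interceptor: the mock server's host is not first-party, so generic UA.
        val scoped = OkHttpClient.Builder()
            .addInterceptor(HostScopedUserAgentInterceptor(setOf("example-first-party.test"), appUa, genericUa))
            .build()
        println("host-scoped client -> ${observedUserAgent(scoped, server)}")
    } finally {
        server.shutdown()
    }
}
```

Two caveats worth knowing when reading the output. An application interceptor added with addInterceptor runs before OkHttp's BridgeInterceptor, so a User-Agent it sets wins; when no interceptor sets one, BridgeInterceptor fills in OkHttp's default of the form `okhttp/<version>`, which no longer names the app but still names the HTTP library and its version, so the derived-client approach only reduces the leak rather than removing it. Removing the interceptor by class only helps if every app UA is applied through that one class; any code path that builds its own OkHttpClient and attaches the interceptor directly, as the post lists for the Giphy and Glide loaders, has to be changed separately.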