
Embedded PDFium is dated, has ~5-80 CVEs

Open ltguillaume opened this issue 2 years ago • 3 comments

Depending on whether https://github.com/DineroRegnskab/PdfiumAndroid/commit/92366356e8cec369d6ec083bc411e8e7d9224e94 actually updated the libraries to March 2021 (M90) versions, which is unclear to me, there are at best 5 known security issues, at worst ~80.

See: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=PDFium https://divestos.org/misc/appsec.txt

ltguillaume avatar Aug 01 '22 23:08 ltguillaume

I don't understand those geeky things there, what can happen to an app without internet access?

tibbi avatar Aug 02 '22 07:08 tibbi

It doesn't need to. The payload is the PDF itself. That can contain the malicious code perfectly fine. There are too many dynamic components to the PDF standard.

That being said, I'm not an expert in this, so the only takeaway from it is: if you can update the libraries, you should, because with PDF there is bound to be some critical leak.

ltguillaume avatar Aug 03 '22 12:08 ltguillaume

Thanks for reporting this.

lipici avatar Sep 10 '22 06:09 lipici

What is PDFium used for? Could that use be disabled as a quick mitigation?

jondo avatar Dec 06 '22 21:12 jondo

PDF viewing:

  • https://github.com/SimpleMobileTools/Simple-File-Manager/blob/master/app/src/main/res/menu/menu_pdf_viewer.xml
  • https://github.com/SimpleMobileTools/Simple-File-Manager/blob/master/app/src/main/res/layout/activity_pdf_viewer.xml
  • https://github.com/SimpleMobileTools/Simple-File-Manager/blob/master/app/src/main/kotlin/com/simplemobiletools/filemanager/pro/helpers/PdfDocumentAdapter.kt
  • https://github.com/SimpleMobileTools/Simple-File-Manager/blob/master/app/src/main/kotlin/com/simplemobiletools/filemanager/pro/activities/PDFViewerActivity.kt

The title should be adjusted, it is either ~5 or ~60, not 80

SkewedZeppelin avatar Dec 06 '22 21:12 SkewedZeppelin

Hmm, I'd prefer leaving PDF viewing to a specialized app, like MuPDF. Wouldn't that be "simpler"?

jondo avatar Dec 06 '22 21:12 jondo

> Hmm, I'd prefer leaving PDF viewing to a specialized app, like MuPDF. Wouldn't that be "simpler"?

I was in favor of a separate PDF app from the beginning (see https://github.com/SimpleMobileTools/Simple-File-Manager/issues/585), and I am using the mentioned app right now (I think it's the simplest PDF app, but too simple and there is still no suitable app).

Aga-C avatar Dec 07 '22 07:12 Aga-C

> Hmm, I'd prefer leaving PDF viewing to a specialized app, like MuPDF. Wouldn't that be "simpler"?

Very much in favour of this sentiment. For every kind of media/files to be opened. I see the convenience aspect of not having to install additional apps if you just want to peek at files. But then again: probably nobody would use FileManager to actually listen to music for the usability aspects that are (usually) better in a dedicated player.

> I don't understand those geeky things there, what can happen to an app without internet access?

This sentence kinda makes me shiver, to be honest, and re-think my prior love for your app suite. Just one example: use exploits to leave the app's sandbox > use privilege escalation to get root > modify data of apps that have internet access (but basically: do whatever you can imagine)

Just my two cents...

Cheers Thomas

TwizzyDizzy avatar Dec 07 '22 10:12 TwizzyDizzy

It'd be best to remove the PDF functionality really. After all, it's a Simple File Manager, not a Document File Manager. My guess is that the integration of a PDF ~reader~ editor is inspired by web browsers, which are also (web) document viewers.

BrendonIrwan avatar Dec 09 '22 16:12 BrendonIrwan

will be fixed in 6.14.4

tibbi avatar Dec 09 '22 19:12 tibbi

> will be fixed in 6.14.4

Just because I'm wary of this stuff, I need to ask. Any estimate on when the next version will release?

ghost avatar Dec 09 '22 20:12 ghost

> will be fixed in 6.14.4

Your consideration is much, much appreciated.

> Just because I'm wary of this stuff, I need to ask. Any estimate on when the next version will release?

If it matters, just try not to load any PDFs for now.

BrendonIrwan avatar Dec 09 '22 21:12 BrendonIrwan

I want to tweak 1-2 more things in it, then I'll update it within the next few days

tibbi avatar Dec 09 '22 21:12 tibbi

It seems like you just changed PDFViewer to voghdev's PDFViewPager; however, it has not been updated in 1 year. This project is probably not maintained at this moment, so it has not taken any security updates for 1 year.

Is it really okay to use this PDF viewer? I think you should separate the PDF viewer into another application. I think just saying there's no Internet connection in the app does not prove security. I really like your apps, but I just don't want to use unsecured apps which can affect the whole system.

imsi32 avatar Dec 11 '22 11:12 imsi32

The app is secure, no need to overreact stuff. I just used that other PDFViewPager as the base for my own fork with many improvements. It contains no native libraries that could become obsolete.

tibbi avatar Dec 11 '22 12:12 tibbi

@imsi32

The new library uses the built-in system functions for actual PDF processing and adds no native code. It should be safe (given your system itself is up2date).

SkewedZeppelin avatar Dec 11 '22 15:12 SkewedZeppelin
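
One way to check the claim above that a build ships no native code, as an added example (not code from the project or from any commenter): list the `.so` files an APK packages under `lib/<abi>/` and flag names containing "pdfium". The name pattern, the function names and the sample archives are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from collections import defaultdict

# Assumption: any shared object whose file name contains "pdfium" is treated
# as a bundled PDFium build. Adjust the pattern for other native parsers.
PDFIUM_NAME = re.compile(r"pdfium", re.IGNORECASE)
# An APK is a ZIP archive; native code is packaged as lib/<abi>/<name>.so.
NATIVE_LIB = re.compile(r"^lib/([^/]+)/([^/]+\.so)$")


def audit_native_libs(apk):
    """Return {'native': {abi: [libs]}, 'pdfium': [paths]} for an APK.

    `apk` is a file path or a binary file object.
    """
    native = defaultdict(list)
    pdfium = []
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            match = NATIVE_LIB.match(name)
            if not match:
                continue
            abi, lib = match.groups()
            native[abi].append(lib)
            if PDFIUM_NAME.search(lib):
                pdfium.append(name)
    return {
        "native": {abi: sorted(libs) for abi, libs in native.items()},
        "pdfium": sorted(pdfium),
    }


def build_sample_apk(entries):
    """Constructed test input: an in-memory ZIP holding the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed archives, not real releases of the app.
    before = build_sample_apk(["classes.dex",
                               "lib/arm64-v8a/libexample_pdfium.so"])
    after = build_sample_apk(["classes.dex", "AndroidManifest.xml"])
    print(audit_native_libs(before))
    print(audit_native_libs(after))
```

A clean result covers only the archive that was inspected; split APKs have to be checked separately, and PDF parsing then depends on the platform's own renderer being patched.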

I'm not convinced. Shouldn't a separate version without the PDF viewer be released?

lipici avatar Dec 12 '22 05:12 lipici

I agree. There is no need for a file manager to have a native PDF viewer. The longer this issue remains outstanding the longer time there is for Simple Mobile Tools' reputation to be damaged. Let the user decide what PDF viewer they want to open PDFs in. For example, I use GrapheneOS for privacy and it comes with its own PDF Viewer.

LearningAsIGo71 avatar Dec 13 '22 18:12 LearningAsIGo71

> Let the user decide what PDF viewer they want to open PDFs in.

Isn't that a built-in feature in the Android OS? If you clear default associations and have multiple apps that can natively open PDFs, it should ask you which one you want to use after tapping on a PDF file. That's what it does for me and it just gives this app's PDF Viewer/Reader as an option, even if I'm opening it from, say, Amaze.

OkyDooky avatar Dec 15 '22 17:12 OkyDooky

@OkyDooky, yes, it's a feature provided by Android, but a developer can bypass this by hardcoding it.

RokeJulianLockhart avatar Apr 21 '23 20:04 RokeJulianLockhart