Photok icon indicating copy to clipboard operation
Photok copied to clipboard

Published 20 hours ago verified publisher icon leonlatsch

[Security] Meta.json inside backup file contains unencrypted plaintext file information accessible by 3rd parties

Open Mhowser opened this issue 1 year ago • 5 comments

Describe the bug When a Photok backup file is created, the app generates a Compressed ZIP file containing the encrypted files and a file called meta.json. This JSON file contains all filename information and a partial password hash in plaintext.

To Reproduce Steps to reproduce the behavior:

  1. add files to Photok Vault
  2. go to the settings section and select Backup
  3. open the compressed backup file and open meta.json in your preferred text editor.
  4. Profit?

Expected behavior All contents of a Photok backup file should be encrypted, ZIP compression supports password-protection which should be utilized in this situation.

Screenshots meta json photok

Smartphone (please complete the following information): This applies to all devices running Photok 1.5.0 or less

Additional context None

Mhowser avatar Jun 04 '23 06:06 Mhowser

This data is not considered sensitive for Photok. The file names and password hash is not encrypted inside Photok either. The meta.json is a plain copy of photoks database with some additional values.

But, encrypting the file names would be a interesting topic. For the backup, aswell as the database itself. You can submit a feature request via a new issue.

About the password hash: The password cannot be derived from the hash. It is used to check your password input when restoring a backup. It is also contained in Photoks database (shared preferences).

leonlatsch avatar Jun 07 '23 12:06 leonlatsch

Also using zip password protection would be a new feature request.

leonlatsch avatar Jun 07 '23 12:06 leonlatsch

In my case the filenames for the images are quite revealing, I could rename all images to something else but that would not be feasible for most users including myself, especially with a large collection. I believe ZIP password protection is the solution for this.

May I ask why you are no longer adding features to this app? And are there any incentives for you to add this feature?

Mhowser avatar Jun 07 '23 13:06 Mhowser

I just don't have that much time anymore for side projects. Since I created Photok, I moved out, started working full time (also Android Dev), etc. I do my best to reply to issues and emails. I keep maintaining the app abut I simply don't have the time for feature development. But thats the nice thing about open source. Other people can implement those features. I will always look at those prs and create new releases :)

leonlatsch avatar Jun 07 '23 13:06 leonlatsch

Thanks for clarifying your position, I always appreciate a different perspective on how different developers manage their projects. And thanks for making us a great app! I wish I had the experience to contribute more to this project. Maybe someday I'll get there too...

Mhowser avatar Jun 07 '23 22:06 Mhowser

This will not be worked on right now.

If anyone would like to implement Zip Protection, go ahead.

A workaround would be to password protect your backup yourself for now.

leonlatsch avatar Apr 26 '24 09:04 leonlatsch