Dependency Chain - Security Concerns
Hi Mark,
Thanks for your continuing work on Strongbox - it's a huge leap forward from the (seemingly) abandoned iOS MiniKeePass that I was previously using.
These days we seem to be hearing more and more about supply chain exploits and vulnerabilities, i.e. malicious actors injecting unwanted code into libs/headers/etc. that are included by other projects. This is especially an issue when projects pick up new versions automatically without significant inspection or controls.
How do you manage your dependencies? You rely on quite a few other projects & code. Since I'm not able to build the binaries myself, it does cause one to stop and pause!
I would love it if Apple included a feature to stop/firewall an application from accessing the network, e.g. like turning off Wi-Fi, but on a per-app basis. I understand Android has this. Putting all your "keys to the kingdom" into an unknown binary is scary... anyway, I digress.
Your thoughts and comments on the supply chain issue would be appreciated.
Cheers! Ron.
Hi Ron,
Thanks for the kind words, glad it's useful! :)
Yeah, you raise an important issue and something that's been on the back of my mind for a while now. It's definitely a concern, though I think the risk is currently pretty low. The problem is how to mitigate.
Currently I use Cocoapods for external dependencies, but I also have old school library dependencies (e.g. OpenSSL). I think that because I so rarely update these, that helps, but I also verify hashes or build from official source myself (in the case of OpenSSL). The libraries I use are themselves also very mature/stable and popular in the community (not an absolute indicator of safety for sure).
I think things could also be improved here by removing the use of Cocoapods entirely and building those pods from source. This of course doesn't guarantee security, but the flaw would at least have to get into public source code first (which it's hopefully not at the moment), then I would have to update the source in the project (something I'd almost rarely ever want to do; the libraries I use are fairly mature and stable). This would make updating a bit more of a pain, but it's something I'd like to do as I'm not crazy about Cocoapods for other reasons (nightmare to debug/configure if anything goes wrong).
Another long standing technical debt item I've been thinking about is to reduce the binary size and I think I can do this by reducing the number of external libraries I link to, so perhaps a combination of trying to use fewer libraries, and having them streamlined and built from source would be a real improvement.
The project has accumulated a fair bit of tech debt, as it's grown pretty quickly over the last 9 or 10 months and though it is becoming mature, it still has a way to go before I think it'll be feature complete to a large degree. At that point, hopefully in the next 6 months or so I would hope to schedule a round of purely maintenance builds, cleaning up this debt and improving things behind the scenes.
Those are my thoughts on the issue at the moment. It is a concern, though I think a minor one; still, care is required.
Thanks, -Mark
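Mark mentions verifying hashes and building from official source for the old school library dependencies. As an added example (not Strongbox's code and not Mark's), the Python script below shows what that check looks like when written down: a manifest of pinned SHA-256 digests in the same `digest  filename` layout as `sha256sum` output, verified against a directory of vendored archives, with tampered, missing and unpinned files each reported separately. The file names, manifest contents and `demo()` fixture are constructed for illustration only.

```python
"""Added example: pinned-hash verification of vendored dependency archives.

Not part of Strongbox. File names and the manifest used by demo() are
constructed for illustration; the manifest layout (one "sha256  filename"
line per archive) mirrors sha256sum output so real pins can be pasted in.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse 'digest  filename' lines; blank lines and '#' comments are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        pins[name.strip()] = digest.lower()
    return pins


def verify_dependencies(deps_dir: Path, manifest_text: str) -> dict:
    """Return {filename: 'ok' | 'mismatch' | 'missing' | 'unpinned'}.

    Every pinned file must exist and match its digest; every file on disk
    must be pinned, so a stray archive nobody reviewed is also flagged.
    """
    pins = parse_manifest(manifest_text)
    results = {}
    for name, expected in pins.items():
        p = deps_dir / name
        if not p.is_file():
            results[name] = "missing"
            continue
        actual = sha256_of(p)
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    for p in sorted(deps_dir.iterdir()):
        if p.is_file() and p.name not in pins:
            results[p.name] = "unpinned"
    return results


def demo() -> dict:
    """Constructed fixture: one intact pinned archive, one swapped after
    pinning, one pinned but absent, and one present but never pinned."""
    with tempfile.TemporaryDirectory() as d:
        deps = Path(d)
        good = deps / "libexample-1.0.tar.gz"      # hypothetical name
        good.write_bytes(b"pretend this is the upstream tarball\n")
        swapped = deps / "libother-2.3.tar.gz"     # hypothetical name
        swapped.write_bytes(b"original contents\n")
        manifest = "\n".join([
            "# constructed manifest, not a real project file",
            f"{sha256_of(good)}  {good.name}",
            f"{sha256_of(swapped)}  {swapped.name}",
            "deadbeef" * 8 + "  libmissing-0.1.tar.gz",   # placeholder digest
        ])
        # After the pins were recorded, the archive changes on disk and an
        # unreviewed extra archive appears; both must be reported.
        swapped.write_bytes(b"original contents\n# injected\n")
        (deps / "surprise.tar.gz").write_bytes(b"nobody pinned me\n")
        return verify_dependencies(deps, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

In practice the manifest would be committed next to the archives and the check run before every build, so an update to a dependency is a visible diff to the pin rather than a silent change; `demo()` just exercises the four outcomes on temporary files.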
I have looked at this on other projects as well. A few things I do myself: I try to read through the dependencies and their code (where available). This is labor intensive and can be boring/annoying when you don't know that particular language.
The other effort you can make is reading the comments/issues on their code and their repo. I have done this (although I think people rarely do it?). I brought an issue to KeePassXC about their use of an API for a keyboard shortcut for Global Autotype. I only found out about it because a separate developer mentioned it to me. I had used the same API as KPXC and tested/discovered why I believed it was an issue. This triggered me to change to a different API.
As a note to Mark on some of the dependencies (although this wrecks the whole streamlinedness of Cocoapods): in the case of JnKeychain you can just drag and drop the .m and .h files. However, this is probably not possible for all of your dependencies.
Would be nice if you could just drag and drop 2 files into your Xcode project to get the functionality you need...
Thanks @georgesnow - Yes, I'm fairly sure some of those Cocoapods would be very easy to "inline". It's just very quick and convenient using Cocoapods so that I can focus on getting features out