rmt/ssh-workbench
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
No description
112 commits 1 branch 0 tags 8.4 MiB
Find a file
jima ca16651d69 Security audit: TOFU hardening, FLAG_SECURE, paste sanitization, compiler hardening 
Production security audit (OWASP-aligned, prod-only scope):
- Default TOFU to REJECT when no UI handler (prevents silent accept during service-start window)
- Add FLAG_SECURE with preventScreenCapture preference (default ON, Settings → Security)
- Sanitize bracketed paste content (strip \e[200~/\e[201~ to prevent paste-escape injection)
- Add VaultCrypto ProGuard keep rule (prevents R8 stripping JNI methods in release)
- Create network_security_config.xml (system CAs only, cleartext disabled)
- Add compiler hardening flags to both native modules (-fstack-protector-strong, -D_FORTIFY_SOURCE=2)
- Set EXTRA_IS_SENSITIVE on all clipboard writes (terminal copy, key copy, SFTP path copy)
- Remove file:// from URL detection (prevents local file access via crafted terminal output)
- Verify signing certificate in pro APK migration (prevents fake APK granting free features)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 16:04:05 +02:00
app Security audit: TOFU hardening, FLAG_SECURE, paste sanitization, compiler hardening 2026-04-05 16:04:05 +02:00
docs Security audit: TOFU hardening, FLAG_SECURE, paste sanitization, compiler hardening 2026-04-05 16:04:05 +02:00
gradle
lib-ssh
lib-terminal-keyboard
lib-terminal-view Security audit: TOFU hardening, FLAG_SECURE, paste sanitization, compiler hardening 2026-04-05 16:04:05 +02:00
lib-vault-crypto Security audit: TOFU hardening, FLAG_SECURE, paste sanitization, compiler hardening 2026-04-05 16:04:05 +02:00
scripts
.gitignore
build.gradle.kts
gradle.properties
gradlew
gradlew.bat
SecurityAudit.md Security audit: TOFU hardening, FLAG_SECURE, paste sanitization, compiler hardening 2026-04-05 16:04:05 +02:00
settings.gradle.kts