Skip to content

Latest commit

 

History

History
50 lines (41 loc) · 5.06 KB

threat-modeling.md

File metadata and controls

50 lines (41 loc) · 5.06 KB

Threat Model Analysis for airbnb/mvrx

Threat: State Spoofing via Persisted State Manipulation

  • Description: An attacker gains access to the device's storage and modifies the persisted MvRx state file. They alter values like isLoggedIn, userId, or permission flags to impersonate a legitimate user or gain elevated privileges. This directly exploits MvRx's persistence mechanism.
    • Impact: Unauthorized access to sensitive data or functionality; complete account takeover; bypassing security controls.
    • Affected MvRx Component: MvRxPersistedStateSaver (or custom persistence implementation), initialState (during state restoration). This is a direct attack on MvRx's persistence feature.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • EncryptedSharedPreferences: Use Android's EncryptedSharedPreferences to store the persisted state.
      • State Integrity Verification: Implement a checksum or digital signature to verify the integrity of the loaded state. Reject the state and revert to a safe default if the checksum fails.
      • Minimal Persisted Data: Persist only the absolute minimum necessary data. Avoid persisting sensitive tokens.
      • Key Management: Securely manage encryption keys using the Android Keystore System.

Threat: State Tampering via Reflection/Debugging (Targeting MvRx State)

  • Description: An attacker uses debugging tools or reflection to directly modify the in-memory MvRxViewModel's state object, bypassing MvRx's state update mechanisms (reducers). This is a targeted attack on the core of MvRx's state management.
    • Impact: Bypassing security checks; triggering unintended actions; data corruption; potentially gaining elevated privileges.
    • Affected MvRx Component: MvRxViewModel (the state object itself). This is a direct attack on the in-memory state managed by MvRx.
    • Risk Severity: High
    • Mitigation Strategies:
      • Immutability Enforcement: Ensure strict immutability of the state object using Kotlin's data class and avoiding mutable collections. This makes modification harder, but not impossible.
      • Obfuscation and Anti-Tampering: Use code obfuscation (ProGuard/R8) and anti-tampering techniques.
      • Root Detection: Implement root detection and limit functionality or warn users on rooted devices.
      • Debuggable Flag: Set android:debuggable to false in release builds.

Threat: State-Driven Privilege Escalation via Invalid State Transitions (Exploiting Reducers)

  • Description: An attacker exploits a flaw within the application's MvRx reducers (setState logic) to transition the application into an invalid state that grants them higher privileges. This is a direct attack on the logic within the MvRx state update flow.
    • Impact: Unauthorized access to sensitive data or functionality; bypassing security controls.
    • Affected MvRx Component: MvRxViewModel (reducers), setState. The vulnerability lies within the MvRx state update logic defined by the developer.
    • Risk Severity: High
    • Mitigation Strategies:
      • Comprehensive State Validation: Implement thorough validation within the reducers. Ensure all state changes are valid and consistent.
      • Authorization Checks: Perform authorization checks before allowing state changes that affect privileges. Base these on a secure source of truth, not solely on the MvRx state.
      • Finite State Machine (FSM): Consider using an FSM pattern to explicitly define valid state transitions.
      • Testing: Write comprehensive unit and integration tests to verify state transitions and prevent unauthorized changes.

Threat: State Leakage via Logging (Directly Logging State)

  • Description: Developers accidentally log the entire MvRx state object to Logcat or a file, exposing sensitive data. This is a direct misuse of the MvRx state object.
    • Impact: Exposure of sensitive data; privacy violations; aiding attackers.
    • Affected MvRx Component: MvRxViewModel (the state object), any component that logs state information. The issue is the direct logging of the MvRx state.
    • Risk Severity: High
    • Mitigation Strategies:
      • Selective Logging: Never log the entire state object. Log only specific, non-sensitive fields.
      • Logging Library with Redaction: Use a logging library that allows filtering and redaction of sensitive data.
      • Code Reviews: Enforce code reviews to prevent accidental logging of sensitive data.
      • Production Logging Configuration: Configure logging levels appropriately for production.