Discover more from Berker’s Scribbles
Strengthening Security and Enhancing Accessibility: Keyoxide Mobile's Latest Updates
We got our first penetration test, implemented fixes, added new accessibility features and unit tests.
Hi everyone, I have been hard at work implementing the NLnet milestones alongside improving and fixing the bugs. Keyoxide Mobile recently underwent a comprehensive security audit by Radically Open Security (ROS).
“The Keyoxide mobile application presented overall a high level of security, even if some medium to low issues were found.”
The audit revealed several areas that required attention, including incomplete cleanup of shared preferences, improper TLS certificate validation, improper input validation, and improper input validation of server response.
The security audit conducted on Keyoxide Mobile uncovered several vulnerabilities that needed immediate attention. I took swift action to rectify these issues, ensuring that users' data and privacy remain safeguarded. Here are the key security improvements implemented after the audit findings:
1. Complete Cleanup of Shared Preferences:
Shared preferences might contain sensitive data from users profile (It normally shouldn’t but who knows). Failing to clear these preferences thoroughly could leave traces of sensitive information. App now ensures complete cleanup of shared preferences.
2. Proper TLS Certificate Validation:
Validating the Transport Layer Security (TLS) certificates used in secure connections is crucial to prevent man-in-the-middle attacks and protect the integrity of data transmission. By addressing the improper TLS certificate validation, app now enforces robust security measures, guaranteeing secure and encrypted communication between the app and its servers. ( I had to revert this fix because of frequent certificate renewals but once I implement the local profile verification, we won’t need this server request at all.)
3. Improved Input Validation:
Input validation is a critical defense against common security vulnerabilities such as injection attacks and cross-site scripting. I bolstered the input validation mechanism by using the DIO package parameters instead of string concatenation when constructing the URLs, which ensures that user-supplied data is thoroughly checked and sanitized to prevent malicious code execution or unintended data manipulation.
4. Strengthened Validation of Server Response:
Just added a simple check to make sure the data returned from the server is in JSON format.
Apart from addressing security concerns, I have been working on enhancing accessibility. Here's an overview of the accessibility improvements:
I incorporated semantic elements into the user interface, enabling assistive technologies to better understand and navigate the app's content. By leveraging semantic tags & widgets and proper structuring, Keyoxide Mobile now offers improved accessibility for users relying on screen readers or other assistive technologies.
2. Dyslexic Font:
Understanding the challenges faced by individuals with dyslexia, Keyoxide Mobile now includes a dyslexic font option. This feature enhances readability and comprehension, making the app more accessible for users with dyslexia or reading difficulties.
3. Seed color
We now have a new section in the theming which lets you chose a seed color, the app then create a color palette from the chosen color and applies it across the app. It’s suppose to have the right contrast for accessibility and looks really neat if you ask me.
We also updated the design from material 2 to material 3. You will notice the new material 3 widgets like bottom navigation, theme mode buttons etc.
Unit and Bloc Tests for Reliability:
Ensuring the reliability of an application is crucial for maintaining user trust and satisfaction. I integrated unit and bloc tests into the development process. These tests validate the individual units of code and cubits of application states, respectively, ensuring that the app functions as intended and minimizing the risk of regression issues. The unit tests are integrated to the CI/CD process, if the tests doesn’t pass, build process stops and sends me an email with the report so I can fix the issue.
This is it for now. You can find all the changes and fixes in the new version 1.5.0. If you wanna get these seldom updates to your inbox, subscribe below. Through semantic labels I had to add a lot of new text to the weblate waiting to be translated.