Building a cross-platform metadata resistant messaging tool is 50% research, 50% security engineering and 80% staring in horror at proposed dependencies and wondering if people are aware that not every library needs to handle arbitrary remote resources "as a feature".
Conversation
I just want to play a local audio file, and every audio dependency README is like "you can now set custom HTTP headers and cache timeouts"
1
5
31
Any this is why doesn't support images or audio yet even through "rendering images / playing audio" is "easy": "rendering images / playing audio" that may have been maliciously crafted in ways that don't leak metadata in arbitrary ways is certainly not.
2
3
40
Would mitigation also require extended metadata - scrubbing of uploaded files before sharing?
Or are there other ways for media to leak other metadata?
1
It's also probably a good idea to encode it into a standard, simple format and re-encode it even if the user supplies it in that format. That at least reduces attack surface substantially and gets rid of identifiers based on how it was generated/encoded, but not other things.
1
1
As long as it isnt 4K / 60 fps its doable I think?
In my experience Signal for example performs 720p at slower framerates pretty fast or acceptable.
1
The main issue is that if you actually run it in your own sandbox you wouldn't have access to hardware accelerated decoding/encoding. I made a thread about doing that here:
twitter.com/DanielMicay/st
It would also be beneficial for other code like the cryptography.
Quote Tweet
Replying to @SarahJamieLewis and @cwtch_im
Ideally, do that kind of thing in an isolatedProcess service:
developer.android.com/guide/topics/m
isolatedProcess services are the Chromium layer-1 sandbox implementation on Android and it's very easy to use. It's just a fully unprivileged service only able to communicate via service API.
Nearly every phone have hardware encoding/decoding for H.264 and now also H.265. OS-provided encoding/decoding is sandboxed quite well but primarily to protect the OS. It doesn't protect separate contexts from each other. It's all sandboxed together in the same media processes.
1
Chromium largely uses their own media decoding on Android other than the parts that need to be hardware accelerated (which runs on an isolated SoC component anyway) largely because they want it to run in the site isolated renderers.