
Perform Security Review of Commons Android App Authentication Logic
Closed, Resolved (Public)

Description

In order for the Commons app to remain on the WMF account, we need to ensure that their authentication logic is in line with our privacy policy.

To do that, we need to do a code review of the authentication code and ensure credentials are securely stored and transmitted and not sent to any third parties.

Some more specific points to check:

  • Ensure that the app makes correct use of the system AccountManager for storing credentials, and doesn't store them anywhere else.
    • Side track: Consider sharing account credentials between our app and the Commons app, which is easily done with AccountManager.
  • Make sure the app uses SSL for all API requests, especially when transmitting credentials.
  • Make sure that no kinds of credentials / API keys / etc. are checked into the repo itself.
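The three checklist items above are the kind of thing a reviewer first sweeps for mechanically before reading the authentication code by hand. The script below is an added example written for this task page, not code from the Commons app, the Wikipedia app or the WMF Android team: it scans a checkout (given as a path-to-contents mapping) for credentials written to SharedPreferences instead of the AccountManager, for plaintext `http://` API string literals, and for long secret-looking literals assigned to password/token/key names in source, resource and Gradle files. The sample tree, file paths and every hit in it are constructed for illustration and say nothing about the real repository; the regexes are deliberately broad, so each hit is a lead for manual review rather than a verdict.

```python
"""Static sweep for the three review checklist items (added example, constructed data)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str   # which checklist item the hit belongs to
    path: str
    line: int    # 1-based line number in the file
    text: str    # the offending source line, stripped


# Names that usually label a credential. Case-insensitive everywhere below.
SECRET_WORDS = r'(?:pass(?:word|wd)?|token|secret|api[_-]?key|client[_-]?secret)'

# Check 1: credential stored outside AccountManager, i.e. a SharedPreferences
# put*() call whose key names a secret (putString("password", ...) and friends).
PREFS_SECRET = re.compile(
    r'\.put(?:String|Int|Long)\s*\(\s*"[^"]*' + SECRET_WORDS + r'[^"]*"', re.I)

# Check 2: plaintext endpoint, i.e. an "http://..." string literal. XML namespace
# URIs are not network requests, so their hosts are allowlisted.
HTTP_LITERAL = re.compile(r'"http://([^/"]+)[^"]*"')
NAMESPACE_HOSTS = {"schemas.android.com", "www.w3.org", "java.sun.com"}

# Check 3: committed secret, i.e. a secret-named variable, key or property
# assigned a long opaque literal. Covers Java/Kotlin (X = "..."), JSON
# ("token": "...") and .properties/.gradle (x=...).
HARDCODED = re.compile(
    SECRET_WORDS + r'\w*"?\s*[:=]\s*"?([A-Za-z0-9+/_\-]{16,})"?', re.I)

# Only files that can carry code, resources or build configuration.
SCAN_EXT = (".java", ".kt", ".xml", ".gradle", ".properties", ".json")


def scan_file(path: str, contents: str) -> list[Finding]:
    """Return findings for one file; files outside SCAN_EXT are skipped."""
    findings: list[Finding] = []
    if not path.endswith(SCAN_EXT):
        return findings
    for n, raw in enumerate(contents.splitlines(), 1):
        line = raw.strip()
        # Comment lines are skipped: they are read by hand and only add noise here.
        if line.startswith(("//", "*", "<!--")):
            continue
        if PREFS_SECRET.search(line):
            findings.append(Finding("credential-outside-AccountManager", path, n, line))
        m = HTTP_LITERAL.search(line)
        if m and m.group(1).lower() not in NAMESPACE_HOSTS:
            findings.append(Finding("plaintext-http", path, n, line))
        if HARDCODED.search(line):
            findings.append(Finding("committed-secret", path, n, line))
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan every file in a {path: contents} checkout, in path order."""
    out: list[Finding] = []
    for path in sorted(files):
        out.extend(scan_file(path, files[path]))
    return out


# Constructed sample checkout (NOT the real Commons app source). It contains one
# hit per check, plus a clean HTTPS literal, a proper AccountManager call and an
# allowlisted namespace URI that must not be reported.
SAMPLE_TREE = {
    "app/src/main/java/Api.java": (
        'public class Api {\n'
        '    // legacy endpoint comment, see http://example.invalid\n'
        '    static final String API_URL = "http://commons.wikimedia.org/w/api.php";\n'
        '    static final String UPLOAD_URL = "https://commons.wikimedia.org/w/api.php";\n'
        '}\n'
    ),
    "app/src/main/java/LoginActivity.java": (
        'void onLogin(String user, String password) {\n'
        '    prefs.edit().putString("password", password).apply();\n'
        '    accountManager.addAccountExplicitly(account, password, null);\n'
        '}\n'
    ),
    "app/src/main/res/layout/main.xml": (
        '<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android" />\n'
    ),
    "gradle.properties": (
        'commonsClientSecret=d41d8cd98f00b204e9800998ecf8427e\n'
    ),
}


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f.check:36} {f.path}:{f.line}  {f.text}")
```

Run against a real checkout, the mapping would be built by walking the repository; the allowlist and the extension filter are the two knobs a reviewer tunes when the first pass is too noisy. A clean sweep does not close any of the three items: it only tells the reviewer where not to spend time before reading the AccountManager and HTTP client code directly.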

Event Timeline

@NHarateh_WMF @Dbrant I saw this got put into "tracking", but it is work that the Android team needs to perform. Just want to make sure that this gets scheduled and doesn't get lost in the shuffle.

Dbrant claimed this task.
Dbrant updated the task description.