Security hardening across payment, networking and URL handling#46
Open
rm335 wants to merge 1 commit into
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Security hardening across payment, networking and URL handling
Summary
tdsvideopayment://URL scheme previously unlocked the app by simply setting a UserDefaults boolean — any app (or Safari) could call it. Now requires a server-verified token before unlocking.pinnedPublicKeyHashwas declared but never used. ImplementedURLSessionDelegateto validate the server's public key SHA-256 hash on every API request./frameand/mjpegendpoints reject requests without a valid?token=parameter.tdsvideo://deep links, shared UserDefaults URLs, and Darwin notification URLs now only accepthttp/httpsschemes — blocksfile://,javascript:, and other dangerous schemes from loading in the CarPlaywebview.
BackgroundAuthIDwas stored in UserDefaults (trivially readable/editable). Migrated to Keychain withkSecAttrAccessibleAfterFirstUnlock.AppConfig.swiftenum. Removed dead McDonald's API URLs (ManagmentURLSclass) that leaked unrelated endpoint information.Test plan
tdsvideopayment://without a token — app should NOT unlockpinnedPublicKeyHashmatches the production certificate)/frameand/mjpegreturn 403 without the token query parameterhttp://<ip>:8080/and confirm the video stream loads (token is auto-injected)tdsvideo://shared-url?url=file:///etc/passwd— should be rejectedtdsvideo://shared-url?url=https://example.com— should load normally in CarPlayServer-side prerequisite
A new
POST /verifyPaymentendpoint is needed onapi.thomasdye.netthat accepts{ "token": "...", "deviceID": "..." }and returns HTTP 200 if valid. The payment callback URL should becometdsvideopayment://?token=<server-generated-token>.