Círculo Security Audit by 7ASecurity

Security Audit by 7ASecurity

About Círculo

Círculo is a safety app built on the Matrix protocol that enables users in authoritarian contexts to create a small “trusted circle” of six people with whom they can share location, safety, and wellness updates, as well as other messages in a secure environment.

Audit Description

OTF’s Security Lab partner 7ASecurity conducted penetration testing and a “whitebox” audit (a form of testing in which auditors have complete knowledge of the item being tested) of Círculo between September and October 2024. Auditors had access to a staging environment, documentation, test users, and source code. 7ASecurity also performed a lightweight threat model review and analyzed the Círculo Supply Chain Implementation.

Scope

The scope of the security review included: 

  • Mobile Security tests against Círculo Android and iOS apps
  • Círculo Lightweight Threat Model documentation
  • Whitebox Tests against Círculo:
    • Supply Chain Implementation;
    • Implementation on Backend Services;
    • Servers, Infrastructure and Config via SSH; and
    • AWS Infrastructure.

Findings

Overall, the auditors found that the app defended itself well against a broad range of attack vectors. Of the nine vulnerabilities identified, one was flagged as “high-risk” and seven were considered “medium-risk”:

High-Risk:

  • Android & iOS apps are vulnerable to DoS attacks via DNS spoofing: Use of unencrypted DNS for the app’s backend communications leaves it open to DoS attacks. By modifying the clear-text traffic, attackers could spoof legitimate DNS answers and deny users access to the system. The auditors recommend switching to DNS over HTTPS (DoH).

Medium-Risk:

  • Possible phishing via StrandHogg 2.0 on Android: Círculo is vulnerable to task hijacking due to its launchMode settings. On older but still common versions of Android, a malicious app could insert an activity into the user flow that exposes the user to phishing, DoS, or other threats. The report recommends changes to the task affinity and launchMode settings, among other adjustments, to reduce this risk.
  • Multiple DoS attacks via exported activities: Malicious apps on the same device as Círculo could crash the app by sending it instructions while it is running in the background. This primarily affects users of older Android versions, since newer versions prevent this scenario. To fix this issue, the report recommends changes to Círculo’s deserialization, validation, logging, and exception handling.
  • Círculo chat history access via memory leaks: On Android, chat content is held unprotected in device memory, so an attacker who gains elevated privileges on the device could read it. The auditors recommend regularly wiping chat data held in memory and keeping fewer encryption keys and variables resident in RAM.
  • Círculo room ID access via log leaks: The identifiers of Círculo’s chat rooms are exposed through the app’s logging on both Android and iOS. The auditors recommend disabling logging or adjusting the logging functions, along with other platform-specific security improvements for Android and iOS.
  • Auth token access via inadequate keychain usage: On iOS, user credentials are exposed to attackers with access to device memory. The report recommends storing app secrets in the iOS Keychain and applying stricter access restrictions to any data that background processes do not need.
  • Synapse Admin API exposed to the internet: The auditors noted a vulnerability in Círculo’s use of the Matrix homeserver (Synapse): its Admin API is publicly reachable. If an admin account or session is compromised, an attacker could execute admin actions, including deleting history, listing rooms, and accessing user data. The report recommends further restricting access to the Admin API and monitoring all admin actions more closely.
  • Data leaks in Nginx and CloudWatch logs: Nginx logs and CloudWatch logs (part of Amazon Web Services) store unmasked sensitive Círculo data such as session access tokens and room IDs. The auditors recommend monitoring and reviewing these logs to mask or remove any sensitive data.
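The two Android manifest findings above (task hijacking tied to launchMode/task affinity, and DoS through exported activities) are both visible in AndroidManifest.xml before a build ships. The following lint is an added example written for this summary, not code from the 7ASecurity report or the Círculo project: it parses a constructed sample manifest for a hypothetical app, flags exported activities that lack a permission gate and activities whose taskAffinity is left at its default, and then shows the task-affinity findings disappearing after a hardening pass that clears the attribute on every activity. Activity names, the package name and the permission string are all invented for the sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Return the namespaced attribute key ElementTree uses for android:<name>."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed sample manifest for a hypothetical app; not Círculo's real manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.circle">
  <application android:label="Example">
    <activity android:name=".MainActivity" android:launchMode="singleTask" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ShareActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="true"
        android:permission="org.example.circle.INTERNAL"/>
    <activity android:name=".SafeActivity" android:taskAffinity="" android:exported="false"/>
  </application>
</manifest>"""


def is_exported(activity):
    """An activity is reachable from other apps if exported="true", or if it declares an
    intent-filter and android:exported is not set (the default before Android 12)."""
    exported = activity.get(android_attr("exported"))
    if exported is not None:
        return exported == "true"
    return activity.find("intent-filter") is not None


def lint_manifest(xml_text):
    """Return (activity name, rule) pairs for the two manifest weaknesses discussed above."""
    findings = []
    for activity in ET.fromstring(xml_text).iter("activity"):
        name = activity.get(android_attr("name"))
        # Rule 1: an exported activity with no android:permission accepts intents from any
        # app on the device, so malformed extras reach its deserialization code unchecked.
        if is_exported(activity) and activity.get(android_attr("permission")) is None:
            findings.append((name, "exported-without-permission"))
        # Rule 2: taskAffinity left at its default (the package name) lets a malicious
        # activity that declares the same affinity join this app's task; clearing it to ""
        # is the usual task-hijacking mitigation.
        if activity.get(android_attr("taskAffinity")) != "":
            findings.append((name, "task-affinity-not-cleared"))
    return findings


def clear_task_affinity(xml_text):
    """Hardening pass: set android:taskAffinity="" on every activity and return the manifest."""
    ET.register_namespace("android", ANDROID_NS)
    root = ET.fromstring(xml_text)
    for activity in root.iter("activity"):
        activity.set(android_attr("taskAffinity"), "")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in lint_manifest(SAMPLE_MANIFEST):
        print("%s: %s" % finding)
    print("after hardening:", lint_manifest(clear_task_affinity(SAMPLE_MANIFEST)))
```

The exported-without-permission findings survive the hardening pass on purpose: clearing task affinity does nothing for intent handling, which is why the report pairs that finding with input validation and exception-handling changes rather than a manifest edit.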

One other vulnerability, flagged as “low-risk,” involves the absence of a security screen when the Círculo app moves to the background on Android and iOS devices. The report also provides 20 hardening recommendations for removing less significant security weaknesses.

In their analysis of Círculo’s Supply Chain Implementation, the auditors note that while the app meets the Supply-chain Levels for Software Artifacts (SLSA) Level 1 security framework (a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure), a centralized build system infrastructure would be needed for Círculo to reach the higher SLSA levels.

Remediation

Auditors confirmed that the high-risk and low-risk issues have been fixed, as have the following medium-risk vulnerabilities:

  • Possible phishing via StrandHogg 2.0 on Android
  • Multiple DoS attacks via exported activities
  • Círculo room ID access via log leaks

The Círculo team is currently working on remediating the following two vulnerabilities:

  • Synapse Admin API exposed to the internet
  • Data leaks in Nginx and CloudWatch logs
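The Nginx and CloudWatch log-leak finding is one of the two still open, and the recommended fix is to mask or remove the sensitive values before they are retained. The following redaction filter is an added example written for this summary, not the report’s or the Círculo project’s code. It runs over constructed log lines in nginx combined-log and Synapse-style formats, strips access tokens (both `access_token=` query parameters and `Bearer` headers) and replaces Matrix room IDs, whether raw or percent-encoded in a request line, with a keyed pseudonym so operators can still correlate events per room without storing the ID. The sample lines, the token values and `PSEUDONYM_KEY` are all invented placeholders.

```python
import hashlib
import hmac
import re
from urllib.parse import unquote

# Constructed sample log lines; the tokens, room ID and addresses are not real.
SAMPLE_LOGS = [
    '203.0.113.5 - - [03/Oct/2024:10:15:32 +0000] "PUT /_matrix/client/r0/rooms/'
    '%21aBcDeF%3Aexample.org/send/m.room.message/txn1?access_token=syt_dXNlcg_abc123_def456'
    ' HTTP/1.1" 200 51 "-" "Circulo/1.0"',
    '203.0.113.5 - - [03/Oct/2024:10:15:40 +0000] "GET /_matrix/client/r0/sync?timeout=30000'
    ' HTTP/1.1" 200 2048 "-" "Circulo/1.0"',
    '2024-10-03T10:16:01Z synapse.access.http INFO - POST /_synapse/admin/v1/rooms/'
    '!aBcDeF:example.org/delete 200 - Authorization: Bearer syt_YWRtaW4_zzz999',
]

# Hypothetical key for the room pseudonyms; in practice load it from a secrets store.
PSEUDONYM_KEY = b"replace-me-with-a-real-secret"

ACCESS_TOKEN_RE = re.compile(r"(access_token=)[^&\s\"]+")
BEARER_RE = re.compile(r"(Bearer\s+)[A-Za-z0-9._=-]+")
# Matrix room IDs look like !opaque:server and appear percent-encoded (%21...%3A...)
# when they sit inside a logged request line.
ROOM_ID_RE = re.compile(
    r"(?:!|%21)[A-Za-z0-9._-]+(?::|%3A)[A-Za-z0-9.-]+(?::\d+)?", re.IGNORECASE
)


def pseudonym(room_id):
    """Stable keyed pseudonym for a room ID; raw and percent-encoded forms map to the same value."""
    canonical = unquote(room_id)
    digest = hmac.new(PSEUDONYM_KEY, canonical.encode(), hashlib.sha256).hexdigest()
    return "!r-" + digest[:12]


def redact_line(line):
    """Return (redacted line, kinds of sensitive data found) for one log line."""
    kinds = []

    def drop_token(match):
        kinds.append("access_token")
        return match.group(1) + "[REDACTED]"

    def drop_bearer(match):
        kinds.append("bearer")
        return match.group(1) + "[REDACTED]"

    def replace_room(match):
        kinds.append("room_id")
        return pseudonym(match.group(0))

    line = ACCESS_TOKEN_RE.sub(drop_token, line)
    line = BEARER_RE.sub(drop_bearer, line)
    line = ROOM_ID_RE.sub(replace_room, line)
    return line, list(dict.fromkeys(kinds))


def redact_all(lines):
    """Redact a batch of lines; returns the cleaned lines and a count per kind of leak."""
    cleaned, counts = [], {}
    for line in lines:
        redacted, kinds = redact_line(line)
        cleaned.append(redacted)
        for kind in kinds:
            counts[kind] = counts.get(kind, 0) + 1
    return cleaned, counts


if __name__ == "__main__":
    cleaned, counts = redact_all(SAMPLE_LOGS)
    print("\n".join(cleaned))
    print("leaks masked:", counts)
```

Applying this at the log shipper (before CloudWatch ingestion) rather than at query time keeps the tokens out of retained storage entirely; the per-kind counts double as a cheap detection signal that a client is still sending access tokens in query strings, which is what produced the original finding.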

They have accepted the potential risk of Círculo chat history access via memory leaks.

Círculo Security Audit Report

You can read the Círculo Blog HERE

You can read the OTF Blog HERE

Learn more about OTF’s support for Círculo