author    Linus Färnstrand <linus@mullvad.net>  2020-06-25 15:40:56 +0200
committer Linus Färnstrand <linus@mullvad.net>  2020-06-25 15:40:56 +0200
commit    010d7a9771a980491959bbddf97214928c9e4e93 (patch)
tree      7202fd11c5c2c1f5e8a39eb194191fd390d3f05d
parent    5755e2fce18c461d49ad100a16f816acc13afca7 (diff)
parent    f6af7111aaca9dc1cdab86e3d25de7ce45e49000 (diff)
download  mullvadvpn-010d7a9771a980491959bbddf97214928c9e4e93.tar.xz
          mullvadvpn-010d7a9771a980491959bbddf97214928c9e4e93.zip
Merge branch 'add-2020-app-audit-reports-and-result'
-rw-r--r--  CHANGELOG.md                              | 14
-rw-r--r--  audits/2020-06-12-cure53.md               | 137
-rw-r--r--  audits/README.md                          | 3
-rw-r--r--  audits/pentest-report_mullvad_2020_v1.pdf | bin 0 -> 279893 bytes
-rw-r--r--  audits/pentest-report_mullvad_2020_v2.pdf | bin 0 -> 280333 bytes
-rw-r--r--  ios/CHANGELOG.md                          | 4
6 files changed, 151 insertions, 7 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 726211fe9f..a037270df1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -94,22 +94,26 @@ Line wrap the file at 100 chars. Th
- Tighten the firewall rules that were allowing traffic to the relay server over the physical
network interface. On Linux and macOS now only processes running under root are allowed to send
traffic to this port and IP. On Windows only the Mullvad VPN binaries are allowed to send.
- This fixes audit ticket `MUL-02-002`.
+ This fixes audit ticket [`MUL-02-002`].
#### Windows
- Tighten the firewall rule allowing traffic on port 53 to the relay server IP on the physical
interfaces if the VPN tunnel is established on port 53 to only allow UDP. This fixes
- audit ticket `MUL-02-004`.
+ audit ticket [`MUL-02-004`].
- Deny access to the management interface named pipe for the `NT AUTHORITY\NETWORK` group.
This makes the named pipe no longer accessible under the `IPC$` network share.
- This fixes audit ticket `MUL-02-007`.
+ This fixes audit ticket [`MUL-02-007`].
#### Android
- Ignore touch events when another view is shown on top of the app in order to prevent tapjacking
- attacks. Fixes audit ticket `MUL-02-003`.
+ attacks. Fixes audit ticket [`MUL-02-003`].
- Prevent screens showing potentially sensitive data from being recorded. Fixes audit
- ticket `MUL-02-003`.
+ ticket [`MUL-02-003`].
+[`MUL-02-002`]: audits/2020-06-12-cure53.md#identified-vulnerabilities
+[`MUL-02-003`]: audits/2020-06-12-cure53.md#miscellaneous-issues
+[`MUL-02-004`]: audits/2020-06-12-cure53.md#miscellaneous-issues
+[`MUL-02-007`]: audits/2020-06-12-cure53.md#identified-vulnerabilities
## [2020.5-beta1] - 2020-05-18
### Added
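Review bot: the four reference definitions added at the end of this hunk all target section anchors (`#identified-vulnerabilities`, `#miscellaneous-issues`) rather than the individual findings, so a reader following [`MUL-02-003`] or [`MUL-02-004`] lands at the top of "Miscellaneous issues" and still has to scan for the ticket; if each finding in the audit file had its own heading or an explicit anchor, these links could point at the finding directly. The change is otherwise consistent: every ticket referenced in the hunk now has a definition, and both Android entries correctly resolve to MUL-02-003.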
diff --git a/audits/2020-06-12-cure53.md b/audits/2020-06-12-cure53.md
new file mode 100644
index 0000000000..82ca5fc3f6
--- /dev/null
+++ b/audits/2020-06-12-cure53.md
@@ -0,0 +1,137 @@
+# 2020-06-12 - Cure53
+
+Six people from [Cure53](https://cure53.de/) performed a penetration test and source code audit
+of the Mullvad VPN app with a budget of twenty days. The audit included all five supported
+platforms: Windows, Linux, macOS, Android and iOS. The audit work was carried out over a two
+week period in late May and early June of 2020, and the final audit report was handed
+over to Mullvad on 2020-06-12.
+
+For the desktop app, version [2020.4] was audited. On Android version [2020.5-beta1]
+was audited. And on iOS the test flight version that later became [ios/2020.3]
+was audited.
+
+A quote from the conclusions chapter of the report:
+
+> The results of this May-June 2020 project targeting the Mullvad complex are quite
+positive. After spending twenty days on the scope, six members of the Cure53 team
+could only spot seven security-relevant items. Moreover, penetration tests and audits
+against application branches of Mullvad exclusively pointed to issues with limited
+severities, as demonstrated by the most impactful flaw scoring as Medium only.
+
+> Bringing together evidence from different components clearly suggests that the Mullvad
+complex came out victorious from this Cure53 external assessment. Despite thorough
+penetration tests and dedicated audits against various Mullvad apps, clients and APIs,
+Cure53 was unable to compromise the complex. Mullvad clearly represents a mature
+design as a function of a sound development process. All findings found during this
+engagement were patched before the final stages of the project, which is also a very
+good indicator. The Mullvad complex is definitely on the right track from a security
+standpoint.
+
+## Read the report
+
+The final report is available [on Cure53's website](https://cure53.de/pentest-report_mullvad_2020_v2.pdf).
+
+Also public is the [initial report](https://cure53.de/pentest-report_mullvad_2020_v1.pdf) which is the
+version that was initially presented to us. After a discussion with the auditors about the use of
+certain terminology and being more specific about what app versions had been audited,
+they adjusted the report to provide better clarity and produced the final version.
+For full transparency we insist to publish both versions.
+
+The reports are also available directly in this repository:
+* Final version: [pentest-report_mullvad_2020_v2.pdf](./pentest-report_mullvad_2020_v2.pdf)
+* Inital version: [pentest-report_mullvad_2020_v1.pdf](./pentest-report_mullvad_2020_v1.pdf)
+
+## Overview of findings
+
+This chapter will present a short summary of all security findings from the report and
+Mullvad's response to them.
+
+Out of the seven issues found, two were on *medium* level. Two issues had level *low*
+and the remaining three had level *info*. This means that the auditors did not find anything
+that they classified as very dangerous or could seriously or easily compromise
+the security and anonymity of the app users.
+
+Fixes were implemented for five of the seven issues. The remaining two
+identified items are things Mullvad do not deem serious problems nor are they a threat
+to us or our users. Furthermore, there was no way of patching those two as they
+were outside of our control.
+
+All issues that we implemented fixes for had their fixes merged before the final report
+was done and sent over to Mullvad. Version [2020.5-beta2] of the app has all found
+vulnerabilies fixed ([ios/2020.3] for iOS).
+
+### Identified vulnerabilities
+
+* __MUL-02-002 WP2__: Firewall allows deanonymization by eavesdropper (Medium)
+
+ _Our comment_: This is a legitimate and fully possible deanonymization attack. However, it is
+ not trivial to execute, so Cure53 classify it as medium only. This vulnerability is not
+ an issue for any normal user. But as the report outlines in the conclusion chapter, a
+ "state-funded and persistent threat" could very well use it to identify users. Since Mullvad
+ care deeply about anonymity and our users with high threat models, we regard this finding
+ as a rather serious one. But not critical enough to justify rushing out a stable release
+ This issue is fixed in all desktop apps in the following PRs:
+ * [Windows PR #1827](https://github.com/mullvad/mullvadvpn-app/pull/1827)
+ * [Linux PR #1819](https://github.com/mullvad/mullvadvpn-app/pull/1819)
+ * [macOS PR #1829](https://github.com/mullvad/mullvadvpn-app/pull/1829).
+
+* __MUL-02-006 WP1__: Blind HTML Injection via Problem Report (Low)
+
+ _Our comment_: This finding does not put any Mullvad user or Mullvad itself in any risk.
+ The problem reports are handled as plaintext and not HTML all the way from the app to the
+ support team. The pingback observed in the report comes from Google's gmail servers
+ who simply seem to query any URL they can parse in email bodies passing through their servers.
+ As such, we do not agree with the classification as a HTML injection issue.
+ There is probably no way Mullvad can disable this, and even if it was exploitable it would be
+ Google that would be compromised and not Mullvad.
+
+* __MUL-02-007 WP2__: Named Pipe exposed via SMB accessible to everyone (Medium)
+
+ _Our comment_: This vulnerability allows controlling the Mullvad VPN on a Windows machine
+ from the network. However, it requires the user to both enable "Local network sharing" in
+ the app and disable Window's "password protected sharing". Neither of this is done by default,
+ and Mullvad would not recommend anyone who care about their security or privacy to ever disable
+ "password protected sharing" at all. We do not see this as a large security flaw, since the user
+ must explicitly turn off important security settings for this to be exploitable to begin with.
+ However, since the VPN is only supposed to be possible to control from the local computer,
+ and since the report presents an easy to implement fix for the issue, we have implemented the
+ proposed fix in [PR #1830](https://github.com/mullvad/mullvadvpn-app/pull/1830).
+
+### Miscellaneous issues
+
+* __MUL-02-001 iOS__: Lack of filesystem protections (Info)
+
+ _Our comment_: The app does not in any way need the cache file that was found. So we directly
+ implemented the suggested fix to get rid of it in
+ [PR #1808](https://github.com/mullvad/mullvadvpn-app/pull/1808).
+ Since the exposed data is not very sensitive,
+ and since getting the data out of the device is far from trivial, we agree this is *info*
+ level and not a serious leak in any way.
+
+* __MUL-02-003 WP1__: General hardening recommendations for Android app (Info)
+
+ _Our comment_: These are good recommendations from Cure53. It is indeed not a vulnerability
+ in any way, but to practice defense-in-depth better we implemented the recommendations in
+ [PR #1823](https://github.com/mullvad/mullvadvpn-app/pull/1823) and
+ [PR #1822](https://github.com/mullvad/mullvadvpn-app/pull/1822).
+
+* __MUL-02-004 WP2__: Firewall allows TCP connections to WireGuard gateway (Low)
+
+ _Our comment_: This vulnerability is very similar to __MUL-02-002__. But less dangerous
+ since no custom token can be sent out, which makes it harder to identify a specific
+ user. This issue was fixed for Windows in the same PR where __MUL-02-002__ was fixed.
+
+* __MUL-02-005 WP1__: VpnService logs static internal IPs to Android’s syslog (Info)
+
+ _Our comment_: Leaking the private tunnel IP in use is considered bad but not critical
+ in any way. We agree with the *info* level on this security finding since the attacker
+ needs either `adb` access or the phone to be rooted. There is no way Mullvad can fix
+ this potential information leak. The logging of the IP is done by the Android operating
+ system as soon as any VPN app uses the operating system's VPN API. As far as we can tell
+ there is no way to disable this, and all Android VPN apps are subject to the same type
+ of leak.
+
+[2020.4]: ../CHANGELOG.md#20204---2020-05-12
+[2020.5-beta1]: ../CHANGELOG.md#20205-beta1---2020-05-18
+[ios/2020.3]: ../ios/CHANGELOG.md#20203---2020-06-12
+[2020.5-beta2]: ../CHANGELOG.md#20205-beta2---2020-06-16
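Review bot: two typos in the new file: "Inital version" in the repository link list should be "Initial version", and "vulnerabilies fixed" in the overview should be "vulnerabilities fixed". In the MUL-02-002 comment, "But not critical enough to justify rushing out a stable release" has no terminating period before "This issue is fixed ...", and the macOS PR bullet ends with a stray period after the link ("...pull/1829)."). In the MUL-02-007 comment, "Neither of this is done by default" should read "Neither of these is done by default" and "Window's" should be "Windows'". The counts are internally consistent: seven findings are listed, five with fixes (001, 002, 003, 004, 007) and two left unfixed (005, 006), matching the "five of the seven" statement in the overview.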
diff --git a/audits/README.md b/audits/README.md
index 02dfc24201..5f29ec93e3 100644
--- a/audits/README.md
+++ b/audits/README.md
@@ -4,4 +4,5 @@ Independent audits help to discover potential security vulnerabilities and fix t
in an even better service. It also gives you the opportunity to judge whether or not we are
technically competent enough to provide a service in which security is paramount.
-* 2018-09-24 - [Assured and Cure53](./2018-09-24-assured-cure53.md)
+* [2018-09-24 - Assured and Cure53](./2018-09-24-assured-cure53.md)
+* [2020-06-12 - Cure53](./2020-06-12-cure53.md)
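Review bot: the existing 2018 entry is modified only to extend the link over the whole "date - auditor" text so it matches the new 2020 line; that is a reasonable consistency fix, but it is a change to an unrelated line and worth a mention in the commit description so it is not mistaken for a content change.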
diff --git a/audits/pentest-report_mullvad_2020_v1.pdf b/audits/pentest-report_mullvad_2020_v1.pdf
new file mode 100644
index 0000000000..d35af5bd1d
--- /dev/null
+++ b/audits/pentest-report_mullvad_2020_v1.pdf
Binary files differ
diff --git a/audits/pentest-report_mullvad_2020_v2.pdf b/audits/pentest-report_mullvad_2020_v2.pdf
new file mode 100644
index 0000000000..135ded7882
--- /dev/null
+++ b/audits/pentest-report_mullvad_2020_v2.pdf
Binary files differ
diff --git a/ios/CHANGELOG.md b/ios/CHANGELOG.md
index d9fc364c40..7275ea925f 100644
--- a/ios/CHANGELOG.md
+++ b/ios/CHANGELOG.md
@@ -38,7 +38,9 @@ Line wrap the file at 100 chars. Th
and 90 days to always be displayed in days quantity.
- Fix a number of errors in DNS64 resolution and IPv6 support.
- Update the tunnel state when the app returns from suspended state.
-- Disable `URLSession` cache.
+- Disable `URLSession` cache. Fixes audit finding [`MUL-02-001`]
+
+[`MUL-02-001`]: ../audits/2020-06-12-cure53.md#miscellaneous-issues
## [2020.2] - 2020-04-16
### Fixed
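Review bot: the appended text "Fixes audit finding [`MUL-02-001`]" is missing its terminating period, and it says "audit finding" where the desktop CHANGELOG hunk in this same commit says "audit ticket"; settling on one term keeps the two changelogs consistent. The reference definition and its `#miscellaneous-issues` anchor match the heading in the new audit file.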