Summary
Plugin discovery currently trusts any installed app that:
- Exposes a service for io.filmtime.plugin.STREAM_PROVIDER
- Has a ContentProvider authority starting with io.filmtime.plugin
There is no signature/certificate verification before treating it as a trusted stream provider, which allows a malicious app to impersonate a plugin and supply arbitrary URLs/headers.
Proposed Solution
Add signing certificate verification (or an allowlist) before accepting a package as a plugin. Options to consider:
- Allowlist approach: Maintain a list of known good plugin signing certificates
- Signature verification: Verify plugins are signed with a specific key or set of keys
- User consent: Show a warning for unsigned/unknown plugins and let users decide
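One way to implement the signature-verification option in the discovery path, written as an added example for this issue rather than code from the FilmTime project: resolve every service that handles the io.filmtime.plugin.STREAM_PROVIDER action, then accept a package only if every certificate that signed its APK contents matches an allowlisted SHA-256 fingerprint. The allowlist values, and the function names isTrustedPlugin and discoverTrustedStreamProviders, are assumptions; the real plugin signing key fingerprints would have to be filled in by the project.

```kotlin
import android.content.Intent
import android.content.pm.PackageManager
import android.content.pm.Signature
import android.os.Build
import java.security.MessageDigest

/**
 * Hypothetical allowlist of SHA-256 fingerprints (lowercase hex, no separators)
 * of signing certificates that may provide stream plugins. The value below is a
 * constructed placeholder, not a real FilmTime key.
 */
val TRUSTED_PLUGIN_CERT_SHA256: Set<String> = setOf(
    "0000000000000000000000000000000000000000000000000000000000000000", // PLACEHOLDER
)

/** Hex-encoded SHA-256 of a DER-encoded signing certificate. */
fun Signature.sha256Hex(): String =
    MessageDigest.getInstance("SHA-256")
        .digest(toByteArray())
        .joinToString("") { "%02x".format(it) }

/**
 * True only if [packageName] is installed, exposes at least one signing
 * certificate, and every certificate that signed the APK contents is in
 * [trustedFingerprints]. Any failure (package missing, API level below 28,
 * no signers) is treated as untrusted, so the default is to reject.
 */
fun isTrustedPlugin(
    pm: PackageManager,
    packageName: String,
    trustedFingerprints: Set<String> = TRUSTED_PLUGIN_CERT_SHA256,
): Boolean {
    // GET_SIGNING_CERTIFICATES and SigningInfo exist from API 28 (P) onward.
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.P) return false

    val info = try {
        pm.getPackageInfo(packageName, PackageManager.GET_SIGNING_CERTIFICATES)
    } catch (e: PackageManager.NameNotFoundException) {
        return false
    }

    val signingInfo = info.signingInfo ?: return false
    // apkContentsSigners is the set of certificates that actually signed this
    // APK. With multiple signers, all of them must be trusted; otherwise an
    // unknown co-signer could ride along with a legitimately signed plugin.
    val signers = signingInfo.apkContentsSigners ?: return false
    if (signers.isEmpty()) return false

    return signers.all { it.sha256Hex() in trustedFingerprints }
}

/**
 * Hypothetical replacement for the unfiltered discovery step: resolves the
 * STREAM_PROVIDER action, then keeps only packages whose signing
 * certificates pass [isTrustedPlugin].
 */
fun discoverTrustedStreamProviders(pm: PackageManager): List<String> {
    val intent = Intent("io.filmtime.plugin.STREAM_PROVIDER")
    return pm.queryIntentServices(intent, 0)
        .map { it.serviceInfo.packageName }
        .distinct()
        .filter { isTrustedPlugin(pm, it) }
}
```

The same isTrustedPlugin check should gate the ContentProvider authority path as well, since an app can match the io.filmtime.plugin authority prefix without exposing the service. Comparing fingerprints of the current signers (rather than the full signing history) means a plugin whose key was rotated needs its new certificate added to the allowlist; PackageManager.hasSigningCertificate with CERT_INPUT_SHA256 is an alternative that also honours lineage, at the cost of one call per allowlisted fingerprint.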
Files to Modify
data/plugin-discovery/src/main/java/io/filmtime/data/plugin/discovery/PluginDiscoveryRepositoryImpl.kt
Related
Follow-up from #143 code review