[Bug]: Security - unofficial mirror url loading in Google Play version #7834

Open
wbrinksma opened this issue Oct 24, 2021 · 21 comments
Labels
bug report Something is not working properly. information Informational post.

Comments

@wbrinksma
wbrinksma commented Oct 24, 2021

Problem description

This is my first post in a repository's issues section. If I did something wrong or there is room for improvement, please let me know.

I am unsure if this report is valid for this platform, but I wanted to address this issue here because I feel it has potential to lead to problems in the future. I have not used Termux for quite a while, but always loved the project and today came back to it. I unwittingly installed it from Google Play (I did not read the description) and quickly ran into errors. This is not the problem I want to address however, because after reading up on the situation, I noticed some changes in the official mirrors. What alarmed me was that https://main.termux-mirror.ml was not official anymore, yet my output of pkg upgrade listed it as ok. The danger lies in the fact that the Google Play version of Termux seemingly accepts information from an untrusted web server somewhere.

This situation threw me on a little tangent to figure out how the mirror could be listed as ok. It seems termux-mirror.ml was bought up by a company which aggregates popular domain names and sells them. The reason the code that checks for valid mirrors marks this one as ok is because when it is checking, the --location flag makes it accept a redirect to a page which advertises the fact the domain is for sale. This page gives status code 200, so according to the checker, all is well. This could provide a nice attack vector in the future, because the version of included programs such as curl will become more and more out of date. If a flaw is found in the way it handles HEAD requests, the Termux application in the Play Store is at serious risk, especially because every new install of the Google Play version will at some point connect to the old mirror address.

In contrast, the availability checker does figure out nicely that Bintray is not valid anymore, although the fact that the Bintray repository is not valid - but still included - could also be seen as the same issue as described above, albeit a less impactful one for now.

(As a side note, the IP termux-mirror.ml points to has been reported in the last few months for malicious activity. This might not be that alarming because it looks like the IP belongs to a server which hosts a very large number of sites, but it still felt worth mentioning.)

What steps will reproduce the bug?

For new users, running $ pkg upgrade reproduces this behavior.

What is the expected behavior?

I feel the application in the Play Store should not include these mirrors, because they are not officially controlled anymore. I am not sure if remedying this is possible however, because of the Android 10 problems. I read in the deprecation notice that the Google Play version would at some point be removed. I feel that might be the best solution to prevent problems in the future, however it is currently still up. Is there a roadmap of the phase out and is it happening soon?

System information

I uninstalled the app already because of the reason mentioned above, but it is the old Google Play version.
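The failure described above (a `--location` probe that follows the expired domain's redirect to a third-party page and reports the 200 it finds there) can be modelled without any network. The following is an added example, not code from termux-tools: a naive probe next to one that refuses redirects leaving the mirror's own origin. The servers are constructed stand-ins, and hosts ending in `.invalid` are placeholders.

```python
# Added example, not part of termux-tools: a mirror probe that does not
# treat an off-origin redirect to a 200 page as a healthy mirror.
from urllib.parse import urlparse, urljoin

MAX_HOPS = 5

def same_origin(expected, candidate):
    """True when scheme, host and port of both URLs match."""
    e, c = urlparse(expected), urlparse(candidate)
    return (e.scheme, e.hostname, e.port) == (c.scheme, c.hostname, c.port)

def naive_check(mirror_url, fetch_head):
    """Models `curl --head --location`: follow any redirect, report final status."""
    url = mirror_url
    for _ in range(MAX_HOPS + 1):
        status, headers = fetch_head(url)
        if 300 <= status < 400 and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return status
    return None

def check_mirror(mirror_url, fetch_head):
    """Hardened probe: follow redirects only while they stay on the mirror's
    origin. fetch_head(url) returns (status, headers) for a HEAD request."""
    url = mirror_url
    for _ in range(MAX_HOPS + 1):
        status, headers = fetch_head(url)
        if 300 <= status < 400 and "Location" in headers:
            target = urljoin(url, headers["Location"])
            if not same_origin(mirror_url, target):
                return ("redirect-off-origin", target)
            url = target
            continue
        return ("ok", url) if status == 200 else ("http-%d" % status, url)
    return ("too-many-redirects", url)

# Constructed stand-ins for servers (no network). *.invalid hosts are placeholders.
def sale_page_server(url):
    """Expired mirror domain: every request is bounced to a third-party page answering 200."""
    if urlparse(url).hostname == "main.termux-mirror.ml":
        return (301, {"Location": "https://example-sale.invalid/landing"})
    return (200, {})

def healthy_server(url):
    """Real mirror that only redirects within its own origin."""
    if urlparse(url).path == "/":
        return (301, {"Location": "/termux/"})
    return (200, {})
```

Against `sale_page_server` the naive probe returns 200 while `check_mirror` reports the off-origin redirect; against `healthy_server` the same-origin hop to `/termux/` is still accepted.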

@wbrinksma wbrinksma added the bug report Something is not working properly. label Oct 24, 2021
@ghost
ghost commented Oct 24, 2021

There are more issues with the Play Store: we can't update or unpublish it as we do not own the Play Store account. Unless @fornwall does something with it, the outdated version will continue to be available for installation.

@agnostic-apollo
Member

We deprecated playstore version many months ago and also now show a red banner at the top of terminal via #7493 for users using old versions if they fix their repo urls to active ones and update termux-tools. That's all active maintainers can do.

Playstore version definitely needs to be unpublished from playstore but nobody other than fornwall can do that and he's unresponsive to emails/messages.

The mirror issue would still exist even after we unpublish the app since tonne of existing users would still be using playstore version. I guess someone trusted should buy the domain for a while until we disable the playstore version with an update. I can work on making that, but then again, without fornwall, it's pointless.

@ghost
ghost commented Oct 24, 2021

I guess someone trusted should buy the domain for a while until we disable the playstore version with an update

This isn't possible at the moment. *.ml domains are free and can be acquired by everyone once released. Specifically termux-mirror.ml is now owned by unknown party.

I don't know where "domain sale" page has been found, I'm simply getting 403 forbidden. But anyway, even if you have seen such page and it is not a Freenom registrar's page, it is a scam. Reselling of free domains is prohibited by Freenom ToC.


Regarding package security: the package manager performs signature verification to ensure that downloads come from a trusted source and are not tampered with. You are safe as long as you use our keyring (termux-keyring package), have not installed any sideloaded keys, and have not explicitly disabled verification through the [trusted=yes] parameter in sources.list.

@wbrinksma
Author

I was getting the 403 forbidden too, so I'm guessing you used standard curl to check it out. It seems the nginx backend of the domain does something a little clever, because I found that when the word "curl" is somewhere in the user agent string, it serves a 403. However, if the user agent is anything else, it serves the sale page. I tested this with both a recent Firefox user agent and the specific one pkg uses.

Regarding the company behind it, I did a whois and found some info. This led me to a domain aggregator. I also found out the domain is currently listed on Afternic, a domain marketplace.

Package security will indeed not be impacted, but I am worried about the app making a (successful) connection to the untrusted domain at all. To maximize security and privacy, it should not do that. As an example, because of the specific user agent Termux uses, these guys now know I have the app installed.

A thought I had while thinking about it some more: would it be useful to host a list of verified mirrors somewhere that pkg then would use to periodically update its mirror list? That way, a valid mirror list is not dependent on the version of the app a user has.

@ghost
ghost commented Oct 24, 2021

However, if the user agent is anything else, it serves the sale page

For me it does multiple redirects to a random page with ads or an internet shop specific to my location.

A thought I had while thinking about it some more: would it be useful to host a list of verified mirrors somewhere that pkg then would use to periodically update its mirror list?

I guess we can serve mirror list within this (termux-packages) repo.

@wbrinksma
Author

wbrinksma commented Oct 24, 2021

I saw the ad as well, though somewhere in the source it said something about the domain being for sale. I did not dare view it in a browser, so that might explain it.

I want to thank you for the positive replies. I understand you have a lot on your plate maintaining the repositories. I do not have experience yet in contributing to an open source repository, but I have been somewhat anxious to try it. This feature seems doable for a first time and I now know a little bit about how the mirrors work because of this as well. Can I assist you by developing this feature and possibly adding it through the pull request system?

The timeframe would not be next week, but somewhere in the coming weeks I think.

@stale stale bot added the wontfix Issue won't be fixed. label Dec 14, 2021
@stale stale bot removed the wontfix Issue won't be fixed. label Dec 14, 2021
@truboxl
Contributor

truboxl commented May 3, 2022

The only up to date mirror repo included in Google Play version is mirrors.tuna.tsinghua.edu.cn.
One can termux-change-repo to that mirror, apt upgrade, then change back to packages-cf.termux.org.

Though it's better to just uninstall and install from F-Droid with how much termux-app has improved since then.

@Iclo30
Iclo30 commented May 18, 2022

Isn't the DNS automatic? And if the DNS is bought by someone and the person can't afford the web address, it becomes locked, making whatever server invalid, including the app.

@finagolfin
Member

finagolfin commented May 20, 2022

Looks like Google will soon remove Termux from the Play Store, along with hundreds of thousands of other apps that have not been updated in two years.

@agnostic-apollo
Member

From Nov 1, 2022, termux app shouldn't be installable on Android >= 10 from playstore.

https://www.xda-developers.com/google-play-store-outdated-apps-policy

@xtkoba xtkoba added information Informational post. and removed not stale labels Dec 24, 2022
@Midris204
I remember exactly when I noticed this issue two years ago when my accounts and devices were hacked.
Since that time, I have not been able to find a solution to the problem. Rather, I have come to believe that this version (which is not updated and is not certified) is a hacking application and all the applications in it are injected applications.

@kristibektashi
kristibektashi commented Feb 18, 2024

The app is still installable from the Play Store in Android 14 as of February 18, 2024

@sylirre
Member

sylirre commented Feb 18, 2024

@kristibektashi It is installable only for accounts that previously installed Termux. For new Google accounts this app can't be installed.

@tutacat
tutacat commented Apr 23, 2024

The old Termux app is still shown in normal public search on the Google Play Store. Google has not changed anything, and since @fornwall has not modified it more or made it clearer that the Play version should not be used generally, people will still find or use it, as you can see from reviews. Especially since the old mirror domain is dead, the warning will not show because it can't be updated by default.

@agnostic-apollo
Member

It's at least not installable on Android >= 10 from playstore since some x months.
