• v1.0.19 — Security Hardening

    Ghost released this 2026-05-24 18:51:50 +00:00 | 62 commits to main since this release

Security Fixes (build 20)

### Critical
- SFTP: Replaced PromiscuousVerifier with Trust-On-First-Use host key verification — fingerprints stored in EncryptedSharedPreferences, key changes rejected on subsequent connections

### High
- Google Drive & Dropbox: Fixed JSON injection in all API calls — replaced raw string templates with buildJsonObject
- OAuth CSRF: Added cryptographically random state parameter to Dropbox and OneDrive flows; OAuthRedirectActivity now validates it before exchanging the authorization code

### Medium
- WebDAV: Cross-host redirects are now blocked — Authorization header can no longer be leaked to a different server
- AccountSetupScreen: FLAG_SECURE set while credential fields are visible (blocks screenshots and screen recording)
- Dependencies: security-crypto → 1.0.0 stable; biometric → 1.1.0 stable (from alpha pre-releases)
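The Critical item replaces a verifier that accepts any host key with Trust-On-First-Use. The Kotlin below is an added example of that pattern, not the project's own code: the first key seen for a host, port and key algorithm is pinned, every later connection is compared against the pin, and a changed key is reported as a mismatch rather than silently re-pinned. The `FingerprintStore` and `TofuHostKeyVerifier` names are assumptions; the store is in-memory here, where the app would wrap EncryptedSharedPreferences, and the adapter to the SSH library's verifier interface is left out.

```kotlin
import java.security.KeyPairGenerator
import java.security.MessageDigest
import java.security.PublicKey
import java.util.Base64

// Persistence contract (hypothetical name). In an Android app this would be
// backed by EncryptedSharedPreferences so pins cannot be edited by other apps
// or by a backup restore of plaintext preferences.
interface FingerprintStore {
    fun get(key: String): String?
    fun put(key: String, value: String)
}

// In-memory store for the demonstration below.
class InMemoryFingerprintStore : FingerprintStore {
    private val map = HashMap<String, String>()
    override fun get(key: String): String? = map[key]
    override fun put(key: String, value: String) { map[key] = value }
}

sealed class VerifyResult {
    object Trusted : VerifyResult() { override fun toString() = "Trusted" }
    data class FirstUse(val fingerprint: String) : VerifyResult()
    data class Mismatch(val expected: String, val actual: String) : VerifyResult()
}

class TofuHostKeyVerifier(private val store: FingerprintStore) {

    // Pins are keyed by host, port AND algorithm: a server legitimately offers
    // several key types (RSA, ECDSA, Ed25519), and each one must be pinned
    // separately or a second type would look like a key change.
    fun verify(host: String, port: Int, key: PublicKey): VerifyResult {
        val id = "$host:$port:${key.algorithm}"
        val actual = fingerprint(key)
        val stored = store.get(id)
        return when {
            stored == null -> {
                store.put(id, actual)           // first contact: trust and pin
                VerifyResult.FirstUse(actual)
            }
            MessageDigest.isEqual(stored.toByteArray(), actual.toByteArray()) ->
                VerifyResult.Trusted
            else ->
                // Never overwrite the pin here; the caller must abort the
                // connection and let the user decide explicitly.
                VerifyResult.Mismatch(stored, actual)
        }
    }

    companion object {
        // SHA-256 over the Java-encoded public key. This is NOT the OpenSSH
        // wire encoding, so the value will not match `ssh-keygen -l` output;
        // it is stable for a given key, which is all TOFU needs.
        fun fingerprint(key: PublicKey): String {
            val digest = MessageDigest.getInstance("SHA-256").digest(key.encoded)
            return "SHA256:" + Base64.getEncoder().withoutPadding().encodeToString(digest)
        }
    }
}

fun main() {
    // Constructed sample keys standing in for a real and a rogue SSH server.
    val kpg = KeyPairGenerator.getInstance("EC").apply { initialize(256) }
    val serverKey = kpg.generateKeyPair().public
    val rogueKey = kpg.generateKeyPair().public
    val verifier = TofuHostKeyVerifier(InMemoryFingerprintStore())

    println(verifier.verify("sftp.example.test", 22, serverKey)) // FirstUse(...)
    println(verifier.verify("sftp.example.test", 22, serverKey)) // Trusted
    println(verifier.verify("sftp.example.test", 22, rogueKey))  // Mismatch(...)
}
```

A `Mismatch` result is the case the release note calls "key changes rejected": the client drops the connection and shows both fingerprints, and only a deliberate user action (for example after the server was re-keyed) clears the old pin. Wiring this into an SSH library means returning `true` only for `Trusted` and `FirstUse` from its host key verifier callback.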
