Bundle Report

F-Droid v1.23.2

Bundle risk: 65 (medium)
Binary-only · L1 · Live analyzer output · not mock data · Analyzed just now

F-Droid v1.23.2 · build 1023052 · medium · 65

985f5181d48bb6bafd54083a048b391271e0ab28385881cc41294fb01a222762

Platform: Android · APK
Bundle size: 11.9 MB
OS range: Android API 23 → Android API 30
Architectures: arm64-v8a, armeabi-v7a, x86, x86_64
Permissions: 28

Store review readiness

Will flag at review

26 reviewer-flag items but no auto-rejection causes.

Safe to submit, but the reviewer may ask about the items above. Have answers ready and watch for review delays.

Blocking: 0

No pre-review rejection causes

None detected
Needs review: 26

Reviewer may ask

  • Embedded SDK with known CVE: Bouncy Castle · bouncycastle (23 items)
  • Embedded SDK with known CVE: OkHttp · okhttp (2 items)
  • Embedded SDK with known CVE: Okio · okio (1 item)
OK: 2

What was checked and passed

  • Data Safety form covers SDK-collected data categories
  • Data Safety form covers third-party sharing
37 findings
  • Embedded SDK with known CVE: Bouncy Castle · SDK vulnerability · critical

    GHSA-2j2x-hx4g-2gf4 — In Bouncy Castle JCE Provider the DHIES implementation allowed the use of ECB mode

    component: bouncycastle

  • Embedded SDK with known CVE: Bouncy Castle · SDK vulnerability · critical

    GHSA-4446-656p-f54g — Deserialization of Untrusted Data in Bouncy castle

    component: bouncycastle

  • Embedded SDK with known CVE: Bouncy Castle · SDK vulnerability · warning

    GHSA-4h8f-2wvx-gg5w — Bouncy Castle Java Cryptography API vulnerable to DNS poisoning

    component: bouncycastle

  • Embedded SDK with known CVE: Bouncy Castle · SDK vulnerability · warning

    GHSA-4mv7-cq75-3qjm — Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15

    component: bouncycastle

  • Embedded SDK with known CVE: Bouncy Castle · SDK vulnerability · critical

    GHSA-4vhj-98r6-424h — In Bouncy Castle JCE Provider it is possible to inject extra elements in the sequence making up the signature and still have it validate

    component: bouncycastle

  • Embedded SDK with known CVE: Bouncy Castle · SDK vulnerability · warning

    GHSA-6xx3-rg99-gc3p — Timing based private key exposure in Bouncy Castle

    component: bouncycastle

  • Embedded SDK with known CVE: Bouncy Castle · SDK vulnerability · warning

    GHSA-72m5-fvvv-55m6 — Observable Differences in Behavior to Error Inputs in Bouncy Castle

    component: bouncycastle

  • Embedded SDK with known CVE: Bouncy Castle · SDK vulnerability · critical

    GHSA-73xv-w5gp-frxh — Logic error in Legion of the Bouncy Castle BC Java

    component: bouncycastle

  • Embedded SDK with known CVE: Bouncy Castle · SDK vulnerability · warning

    GHSA-8353-fgcr-xfhx — Improper Input Validation in Bouncy Castle

    component: bouncycastle

  • Embedded SDK with known CVE: Bouncy Castle · SDK vulnerability · warning

    GHSA-8477-3v39-ggpm — Improper Validation of Integrity Check Value in Bouncy Castle

    component: bouncycastle

  • Embedded SDK with known CVE: Bouncy Castle · SDK vulnerability · warning

    GHSA-8xfc-gm6g-vgpv — Bouncy Castle certificate parsing issues cause high CPU usage during parameter evaluation.

    component: bouncycastle

  • Embedded SDK with known CVE: Bouncy Castle · SDK vulnerability · warning

    GHSA-9gp4-qrff-c648 — Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15

    component: bouncycastle

  • Embedded SDK with known CVE: Bouncy Castle · SDK vulnerability · warning

    GHSA-c8xf-m4ff-jcxj — Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15

    component: bouncycastle

  • Embedded SDK with known CVE: Bouncy Castle · SDK vulnerability · info

    GHSA-fjqm-246c-mwqg — In Bouncy Castle JCE Provider the other party DH public key is not fully validated

    component: bouncycastle

  • Embedded SDK with known CVE: Bouncy Castle · SDK vulnerability · warning

    GHSA-hr8g-6v94-x4m9 — Bouncy Castle For Java LDAP injection vulnerability

    component: bouncycastle

  • Embedded SDK with known CVE: Bouncy Castle · SDK vulnerability · critical

    GHSA-qcj7-g2j5-g7r3 — In Bouncy Castle JCE Provider ECDSA does not fully validate ASN.1 encoding of signature on verification

    component: bouncycastle

  • Embedded SDK with known CVE: Bouncy Castle · SDK vulnerability · critical

    GHSA-r97x-3g8f-gx3m — The Bouncy Castle JCE Provider carry a propagation bug

    component: bouncycastle

  • Embedded SDK with known CVE: Bouncy Castle · SDK vulnerability · warning

    GHSA-r9ch-m4fh-fc7q — Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15

    component: bouncycastle

  • Embedded SDK with known CVE: Bouncy Castle · SDK vulnerability · critical

    GHSA-rrvx-pwf8-p59p — In Bouncy Castle JCE Provider the DSA key pair generator generates a weak private key if used with default values

    component: bouncycastle

  • Embedded SDK with known CVE: Bouncy Castle · SDK vulnerability · warning

    GHSA-v435-xc8x-wvr9 — Bouncy Castle affected by timing side-channel for RSA key exchange ("The Marvin Attack")

    component: bouncycastle

  • Embedded SDK with known CVE: Bouncy Castle · SDK vulnerability · critical

    GHSA-w285-wf9q-5w69 — In Bouncy Castle JCE Provider the ECIES implementation allowed the use of ECB mode

    component: bouncycastle

  • Embedded SDK with known CVE: Bouncy Castle · SDK vulnerability · warning

    GHSA-wjxj-5m7g-mg7q — Bouncy Castle Denial of Service (DoS)

    component: bouncycastle

  • Embedded SDK with known CVE: Bouncy Castle · SDK vulnerability · warning

    GHSA-wrwf-pmmj-w989 — Observable Discrepancy in BouncyCastle

    component: bouncycastle

  • Embedded SDK with known CVE: Bouncy Castle · SDK vulnerability · critical

    GHSA-xqj7-j8j5-f2xr — Bouncy Castle has a flaw in the Low-level interface to RSA key pair generator

    component: bouncycastle

  • Embedded SDK with known CVE: OkHttp · SDK vulnerability · critical

    GHSA-3cqm-mf7h-prrj — Square OkHttp can accept the wrong certificate

    component: okhttp

  • Embedded SDK with known CVE: OkHttp · SDK vulnerability · warning

    GHSA-4hc2-jh7r-wrc3 — Improper Certificate Validation in OkHttp

    component: okhttp

  • Embedded SDK with known CVE: Okio · SDK vulnerability · warning

    GHSA-w33c-445m-f8w7 — Okio Signed to Unsigned Conversion Error vulnerability

    component: okio

  • Exported Android component · Exported component · info

    org.fdroid.fdroid.views.repos.AddRepoActivity (activity)

  • Exported Android component · Exported component · info

    org.fdroid.fdroid.panic.PanicPreferencesActivity (activity)

  • Exported Android component · Exported component · info

    org.fdroid.fdroid.views.AppDetailsActivity (activity)

  • Exported Android component · Exported component · info

    org.fdroid.fdroid.views.main.MainActivity (activity)

  • Exported Android component · Exported component · info

    org.fdroid.fdroid.panic.PanicResponderActivity (activity)

  • Exported Android component · Exported component · info

    org.fdroid.fdroid.panic.CalculatorActivity (activity)

  • Exported Android component · Exported component · info

    androidx.work.impl.background.systemjob.SystemJobService (service)

  • Exported Android component · Exported component · info

    androidx.profileinstaller.ProfileInstallReceiver (receiver)

  • Exported Android component · Exported component · info

    androidx.work.impl.diagnostics.DiagnosticsReceiver (receiver)

  • Exported Android component · Exported component · info

    org.fdroid.fdroid.receiver.RepoUpdateReceiver (receiver)
