Bundle Report

Signal v8.10.3

Bundle risk: 65 (medium)
Binary-only · L1 · Live analyzer output · not mock data · Analyzed just now

Signal v8.10.3 · build 168702 · medium · 65

741727aeb08a976e092c371db7ee7e79b2c9cd29b181858e0d40d9dac9f10848

Platform: Android · APK
Bundle size: 107.1 MB
OS range: Android API 23 → Android API 35
Architectures: arm64-v8a, armeabi-v7a, x86, x86_64
Permissions: 77

Store review readiness

Will flag at review

78 reviewer-flag items but no auto-rejection causes.

Safe to submit, but the reviewer may ask about the items above. Have answers ready and watch for review delays.

Blocking: 0

No pre-review rejection causes

None detected
Needs review: 78

Reviewer may ask

  • Embedded SDK with known CVE: Jackson · jackson (69 items)
  • Embedded SDK with known CVE: OkHttp · okhttp (2 items)
  • Embedded SDK with known CVE: Protocol Buffers · protobuf (5 items)
  • Embedded SDK with known CVE: Okio · okio
  • Embedded SDK with known CVE: Gson · gson
OK: 2

What was checked and passed

  • Data Safety form covers SDK-collected data categories
  • Data Safety form covers third-party sharing
103 findings
  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-27xj-rqx5-2255 — jackson-databind mishandles the interaction between serialization gadgets and typing

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-288c-cq4h-88gq — XML External Entity (XXE) Injection in Jackson Databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-3x8x-79m2-3w2w — jackson-databind possible Denial of Service if using JDK serialization to serialize JsonNode

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-4gq5-ch57-c2mg — Arbitrary Code Execution in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-4w82-r329-3q67 — Deserialization of Untrusted Data in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-57j2-w4cx-62h2 — Deeply nested json in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-58pp-9c76-5625 — jackson-databind mishandles the interaction between serialization gadgets and typing

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-5949-rw7g-wx7w — Deserialization of untrusted data in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-5p34-5m6p-p58g — jackson-databind mishandles the interaction between serialization gadgets and typing

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-5r5r-6hpj-8gg9 — Serialization gadget exploit in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-5ww9-j83m-q7qx — Information exposure in FasterXML jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-645p-88qh-w398 — Arbitrary Code Execution in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-6fpp-rgj9-8rwc — Deserialization of untrusted data in FasterXML jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-6wqp-v4v6-c87c — Deserialization of Untrusted Data

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-758m-v56v-grj4 — jackson-databind mishandles the interaction between serialization gadgets and typing

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-85cw-hj65-qqv9 — Polymorphic Typing issue in FasterXML jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-89qr-369f-5m5x — Unsafe Deserialization in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-8c4j-34r4-xr8g — Unsafe Deserialization in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-8w26-6f25-cm9x — Unsafe Deserialization in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-95cm-88f5-f2c7 — jackson-databind mishandles the interaction between serialization gadgets and typing

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-9gph-22xh-8x98 — Unsafe Deserialization in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-9m6f-7xcq-8vf8 — Unsafe Deserialization in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-9mxf-g3x6-wv74 — Server-Side Request Forgery (SSRF) in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-9vvp-fxw6-jcxr — jackson-databind mishandles the interaction between serialization gadgets and typing

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-c265-37vj-cwcc — Deserialization of untrusted data in Jackson Databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-c2q3-4qrh-fm48 — Deserialization of untrusted data in Jackson Databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-c8hm-7hpq-7jhg — com.fasterxml.jackson.core:jackson-databind vulnerable to Deserialization of Untrusted Data

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-cf6r-3wgc-h863 — Polymorphic deserialization of malicious object in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-cggj-fvv3-cqwv — FasterXML jackson-databind allows unauthenticated remote code execution

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-cjjf-94ff-43w7 — jackson-databind Deserialization of Untrusted Data vulnerability

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · warning

    GHSA-cmfg-87vq-g5g4 — Deserialization of untrusted data in FasterXML jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-cvm9-fjm9-3572 — Unsafe Deserialization in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-f3j5-rmmp-3fc5 — Improper Input Validation in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-f9hv-mg5h-xcw9 — Deserialization of Untrusted Data in jackson-databind due to polymorphic deserialization

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-f9xh-2qgp-cq57 — Unsafe Deserialization in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-fmmc-742q-jg75 — jackson-databind polymorphic typing issue

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-fqwf-pjwf-7vqv — jackson-databind mishandles the interaction between serialization gadgets and typing

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-gjmw-vf9h-g25v — jackson-databind polymorphic typing issue

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-gwp4-hfv6-p7hw — Deserialization of untrusted data in FasterXML jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-gww7-p5w4-wrfv — Deserialization of Untrusted Data in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-h3cw-g4mq-c5x2 — Code Injection in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-h4rc-386g-6m85 — jackson-databind mishandles the interaction between serialization gadgets and typing

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-h592-38cm-4ggp — jackson-databind vulnerable to deserialization flaw leading to unauthenticated remote code execution

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-h822-r4r5-v8jg — Polymorphic Typing issue in FasterXML jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-j823-4qch-3rgm — Deserialization of untrusted data in Jackson Databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-jjjh-jjxp-wpff — Uncontrolled Resource Consumption in Jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-m6x4-97wx-4q27 — Unsafe Deserialization in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-mc6h-4qgp-37qh — Deserialization of untrusted data in Jackson Databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · warning

    GHSA-mph4-vhrx-mv67 — Deserialization of Untrusted Data in FasterXML jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-mx7p-6679-8g3q — Polymorphic Typing in FasterXML jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-mx9v-gmh4-mgqw — Deserialization of Untrusted Data in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-p43x-xfjf-5jhr — jackson-databind mishandles the interaction between serialization gadgets and typing

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-q93h-jc49-78gg — jackson-databind mishandles the interaction between serialization gadgets and typing

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-qjw2-hr98-qgfh — Unsafe Deserialization in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-qmqc-x3r4-6v39 — Polymorphic deserialization of malicious object in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-qr7j-h6gg-jmgc — Deserialization of Untrusted Data in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-qxxx-2pp7-5hmx — jackson-databind is vulnerable to a deserialization flaw

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-r3gr-cxrf-hg25 — Serialization gadgets exploit in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-r695-7vr9-jgc2 — Unsafe Deserialization in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-rf6r-2c4q-2vwg — jackson-databind mishandles the interaction between serialization gadgets and typing

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-rfx6-vp9g-rh7v — jackson-databind vulnerable to remote code execution due to incorrect deserialization and blocklist bypass

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-rgv9-q543-rqg4 — Uncontrolled Resource Consumption in FasterXML jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-rpr3-cw39-3pxh — jackson-databind vulnerable to unsafe deserialization

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-v3xw-c963-f5hc — jackson-databind mishandles the interaction between serialization gadgets and typing

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-v585-23hc-c647 — Unsafe Deserialization in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-vfqx-33qm-g869 — Unsafe Deserialization in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-w3f4-3q6j-rh82 — Deserialization of Untrusted Data in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-wh8g-3j2c-rqj5 — Serialization gadgets exploit in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: Jackson · SDK vulnerability · critical

    GHSA-x2w5-5m2g-7h5m — XML External Entity Reference (XXE) in jackson-databind

    component: jackson

  • Embedded SDK with known CVE: OkHttp · SDK vulnerability · critical

    GHSA-3cqm-mf7h-prrj — Square OkHttp can accept the wrong certificate

    component: okhttp

  • Embedded SDK with known CVE: OkHttp · SDK vulnerability · warning

    GHSA-4hc2-jh7r-wrc3 — Improper Certificate Validation in OkHttp

    component: okhttp

  • Embedded SDK with known CVE: Protocol Buffers · SDK vulnerability · critical

    GHSA-4gg5-vx3j-xwc7 — Protobuf Java vulnerable to Uncontrolled Resource Consumption

    component: protobuf

  • Embedded SDK with known CVE: Protocol Buffers · SDK vulnerability · critical

    GHSA-735f-pc8j-v9w8 — protobuf-java has potential Denial of Service issue

    component: protobuf

  • Embedded SDK with known CVE: Protocol Buffers · SDK vulnerability · critical

    GHSA-g5ww-5jh7-63cx — Protobuf Java vulnerable to Uncontrolled Resource Consumption

    component: protobuf

  • Embedded SDK with known CVE: Protocol Buffers · SDK vulnerability · warning

    GHSA-h4h5-3hr4-j3g2 — protobuf-java has a potential Denial of Service issue

    component: protobuf

  • Embedded SDK with known CVE: Protocol Buffers · SDK vulnerability · critical

    GHSA-wrvw-hg22-4m67 — A potential Denial of Service issue in protobuf-java

    component: protobuf

  • Embedded SDK with known CVE: Okio · SDK vulnerability · warning

    GHSA-w33c-445m-f8w7 — Okio Signed to Unsigned Conversion Error vulnerability

    component: okio

  • Embedded SDK with known CVE: Gson · SDK vulnerability · critical

    GHSA-4jrv-ppp4-jm57 — Deserialization of Untrusted Data in Gson

    component: gson

  • Exported Android component · Exported component · info

    org.thoughtcrime.securesms.sharing.v2.ShareActivity (activity)

  • Exported Android component · Exported component · info

    org.thoughtcrime.securesms.SystemContactsEntrypointActivity (activity)

  • Exported Android component · Exported component · info

    org.thoughtcrime.securesms.webrtc.VoiceCallShare (activity)

  • Exported Android component · Exported component · info

    org.thoughtcrime.securesms.DeviceProvisioningActivity (activity)

  • Exported Android component · Exported component · info

    org.thoughtcrime.securesms.ShortcutLauncherActivity (activity)

  • Exported Android component · Exported component · info

    org.thoughtcrime.securesms.stickers.preview.StickerPackPreviewActivity (activity)

  • Exported Android component · Exported component · info

    org.thoughtcrime.securesms.deeplinks.DeepLinkEntryActivity (activity)

  • Exported Android component · Exported component · info

    androidx.activity.ComponentActivity (activity)

  • Exported Android component · Exported component · info

    androidx.test.core.app.InstrumentationActivityInvoker$BootstrapActivity (activity)

  • Exported Android component · Exported component · info

    androidx.test.core.app.InstrumentationActivityInvoker$EmptyActivity (activity)

  • Exported Android component · Exported component · info

    androidx.test.core.app.InstrumentationActivityInvoker$EmptyFloatingActivity (activity)

  • Exported Android component · Exported component · info

    org.thoughtcrime.securesms.components.settings.app.AppSettingsActivity (activity)

  • Exported Android component · Exported component · info

    androidx.core.telecom.internal.JetpackConnectionService (service)

  • Exported Android component · Exported component · info

    com.google.android.gms.auth.api.signin.RevocationBoundService (service)

  • Exported Android component · Exported component · info

    org.thoughtcrime.securesms.components.voice.VoiceNotePlaybackService (service)

  • Exported Android component · Exported component · info

    org.thoughtcrime.securesms.service.AccountAuthenticatorService (service)

  • Exported Android component · Exported component · info

    org.thoughtcrime.securesms.service.ContactsSyncAdapterService (service)

  • Exported Android component · Exported component · info

    org.thoughtcrime.securesms.gcm.FcmReceiveService (service)

  • Exported Android component · Exported component · info

    androidx.sharetarget.ChooserTargetServiceCompat (service)

  • Exported Android component · Exported component · info

    org.thoughtcrime.securesms.apkupdate.ApkUpdateDownloadManagerReceiver (receiver)

  • Exported Android component · Exported component · info

    org.thoughtcrime.securesms.service.PanicResponderListener (receiver)

  • Exported Android component · Exported component · info

    androidx.media.session.MediaButtonReceiver (receiver)

  • Exported Android component · Exported component · info

    com.google.firebase.iid.FirebaseInstanceIdReceiver (receiver)

  • Exported Android component · Exported component · info

    androidx.core.telecom.internal.MuteStateReceiver (receiver)

  • Exported Android component · Exported component · info

    androidx.profileinstaller.ProfileInstallReceiver (receiver)
