Known Vulnerabilities

Below you will find the list security vulnerabilities known to affect particular versions of tapXphone software and instructions on what users can do to protect themselves. The lists will be added to when new security problems are found.

Please read Security reporting program for information on how we handle security bugs. If you have found a security problem which is not on this list and has not already been filed as a bug, or if you find errors or inconsistencies in this list, please mail us. If needed our PGP key can be found it in bellow.

The PGP key for security@tapxphone.com below can be used to send encrypted mail or to verify responses received from that address.

-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEY87kahYJKwYBBAHaRw8BAQdA0VfxU94JNL3h5dEFKQj3vO8Zk4B3zS+Yvl9v
eROWNLS0K3RhcHhwaG9uZS1zZWN1cml0eSA8c2VjdXJpdHlAdGFweHBob25lLmNv
bT6ImQQTFgoAQQIbAwULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgBYhBO+EJyM8
ch8pRLoAsH+eofvuBtEfBQJjzuSHBQkWkm9kAAoJEH+eofvuBtEfiRkBANlVg6z6
AscFu65vfjxAljXeaCMyWzj04qghO1FEmDdCAP4y8rwD4ubzPME/orHiusx2DC4+
WKGjprw3pr/kaBtVA7g4BGPO5GoSCisGAQQBl1UBBQEBB0AtCelsA7HD0EaiMmHz
ofuSDEaXsDMm3QnNJ0FU/dbVdwMBCAeIfgQYFgoAJgIbDBYhBO+EJyM8ch8pRLoA
sH+eofvuBtEfBQJjzuSHBQkWkm9kAAoJEH+eofvuBtEfQNcA+wTKNeqh3xFqynHF
6hlHJto41E0UwRqRF/ZPheRNkLfjAP9FAL6esp1eH9jhmrD/NQ6TG5d7XDkBUkPc
5/pQwFdlBQ==
=FUQT
-----END PGP PUBLIC KEY BLOCK-----

General action for mitigations

This is a summary of the mitigations provided by the IBA. These capabilities reduce the likelihood that security vulnerabilities (if any) could be successfully exploited in tapXphone Software for Android.

· Exploitation for many issues is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.

· Enable Google Play Protect

· Exploitation for many issues is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.

Severity

Rating
Consequence of successful exploitation

Critical

  • Remote access to cardholder data and sensitive credentials used for card payment authorization (for example, PAN or PIN)

  • Remote unauthorized access to cryptographic keys including access to used symmetric keys (excluding Google services API keys)

  • Remote unauthorized access to attestation data and their modification that effects to device trust level

  • Remote bypass of software reverse-engineer protection

  • Remote bypass of software modification protection that doesn’t lead application blocking

  • Remote bypass of software mechanisms designed to prevent safety-related software (for example, hooking, rooting, emulation or debugging detection, verification, and validation of software).

  • Remote bypass of software mechanisms designed to prevent stealing cardholder data and sensitive credentials used for card payment authorization from the device screen (for example, screenshot, overlay, broadcast, video-recording detection)

  • Remote bypass of software mechanisms to prevent modification of configuration files, cryptographic keys

  • Remote creation of Fake Payments

High

  • Local access to cardholder data and sensitive credentials used for card payment authorization (for example, PAN or PIN)

  • Local unauthorized access to cryptographic keys including access to used symmetric keys (excluding Google services API keys)

  • Local unauthorized access to attestation data and their modification that effects to device trust level

  • Local bypass of software reverse-engineer protection

  • Local bypass of software modification protection that doesn’t lead application blocking

  • Local bypass of software mechanisms designed to prevent safety-related software (for example, hooking, rooting, emulation or debugging detection, verification, and validation of software).

  • Local bypass of software mechanisms designed to prevent stealing cardholder data and sensitive credentials used for card payment authorization from the device screen (for example, screenshot, overlay, broadcast, video-recording detection)

  • Local bypass of software mechanisms to prevent modification of configuration files, cryptographic keys

  • Cryptographic vulnerability that allows for attacks attacks against transport layer security (TLS).

  • Remote interception of the NFC module while the application is running on the payment card waiting screen

  • Local creation Fake Payments

Medium

  • Local interception of the NFC module while the application is running on the payment card waiting screen

  • Bypassing device setup process (initialization)

  • Bypassing user authentication

  • Substitution of data leading to incorrect payments (for example, substitution of amounts, type of operation, payment terminal credentials identifiers

  • Remote temporary application denial of service

Low

  • A general bypass for a user level defense in depth or exploit mitigation technology in an unprivileged context

  • Cryptographic vulnerability in non-standard usage

  • Incorrect documentation that may lead to a security vulnerability

  • Local arbitrary code execution in a constrained context

Vulnerabilities finding list

In this sections, we provide details for each of the security vulnerabilities that apply to the tapXphone Software for Android 2.1.0.

Issues are described in the tables below and include CVE ID, Severity, Description,

updated software versions (where applicable), mitigation (where applicable) action

CVE
Severity
Description
Updated software versions
Action for mitigations

No vulnerabilities have been detected to date

N/A

N/A

N/A

N/A

Last updated