Known Vulnerabilities
Below you will find the list security vulnerabilities known to affect particular versions of tapXphone software and instructions on what users can do to protect themselves. The lists will be added to when new security problems are found.
Please read Security reporting program for information on how we handle security bugs. If you have found a security problem which is not on this list and has not already been filed as a bug, or if you find errors or inconsistencies in this list, please mail us. If needed our PGP key can be found it in bellow.
The PGP key for security@tapxphone.com below can be used to send encrypted mail or to verify responses received from that address.
General action for mitigations
This is a summary of the mitigations provided by the IBA. These capabilities reduce the likelihood that security vulnerabilities (if any) could be successfully exploited in tapXphone Software for Android.
· Exploitation for many issues is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
· Enable Google Play Protect
· Exploitation for many issues is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
Severity
Critical
Remote access to cardholder data and sensitive credentials used for card payment authorization (for example, PAN or PIN)
Remote unauthorized access to cryptographic keys including access to used symmetric keys (excluding Google services API keys)
Remote unauthorized access to attestation data and their modification that effects to device trust level
Remote bypass of software reverse-engineer protection
Remote bypass of software modification protection that doesn’t lead application blocking
Remote bypass of software mechanisms designed to prevent safety-related software (for example, hooking, rooting, emulation or debugging detection, verification, and validation of software).
Remote bypass of software mechanisms designed to prevent stealing cardholder data and sensitive credentials used for card payment authorization from the device screen (for example, screenshot, overlay, broadcast, video-recording detection)
Remote bypass of software mechanisms to prevent modification of configuration files, cryptographic keys
Remote creation of Fake Payments
High
Local access to cardholder data and sensitive credentials used for card payment authorization (for example, PAN or PIN)
Local unauthorized access to cryptographic keys including access to used symmetric keys (excluding Google services API keys)
Local unauthorized access to attestation data and their modification that effects to device trust level
Local bypass of software reverse-engineer protection
Local bypass of software modification protection that doesn’t lead application blocking
Local bypass of software mechanisms designed to prevent safety-related software (for example, hooking, rooting, emulation or debugging detection, verification, and validation of software).
Local bypass of software mechanisms designed to prevent stealing cardholder data and sensitive credentials used for card payment authorization from the device screen (for example, screenshot, overlay, broadcast, video-recording detection)
Local bypass of software mechanisms to prevent modification of configuration files, cryptographic keys
Cryptographic vulnerability that allows for attacks attacks against transport layer security (TLS).
Remote interception of the NFC module while the application is running on the payment card waiting screen
Local creation Fake Payments
Medium
Local interception of the NFC module while the application is running on the payment card waiting screen
Bypassing device setup process (initialization)
Bypassing user authentication
Substitution of data leading to incorrect payments (for example, substitution of amounts, type of operation, payment terminal credentials identifiers
Remote temporary application denial of service
Low
A general bypass for a user level defense in depth or exploit mitigation technology in an unprivileged context
Cryptographic vulnerability in non-standard usage
Incorrect documentation that may lead to a security vulnerability
Local arbitrary code execution in a constrained context
Vulnerabilities finding list
In this sections, we provide details for each of the security vulnerabilities that apply to the tapXphone Software for Android 2.1.0.
Issues are described in the tables below and include CVE ID, Severity, Description,
updated software versions (where applicable), mitigation (where applicable) action
No vulnerabilities have been detected to date
N/A
N/A
N/A
N/A
Last updated