Known Vulnerabilities

Below you will find the list security vulnerabilities known to affect particular versions of tapXphone software and instructions on what users can do to protect themselves. The lists will be added to when new security problems are found.

Please read Security reporting program for information on how we handle security bugs. If you have found a security problem which is not on this list and has not already been filed as a bug, or if you find errors or inconsistencies in this list, please mail us. If needed our PGP key can be found it in bellow.

The PGP key for security@tapxphone.com below can be used to send encrypted mail or to verify responses received from that address.

General action for mitigations

This is a summary of the mitigations provided by the IBA. These capabilities reduce the likelihood that security vulnerabilities (if any) could be successfully exploited in tapXphone Software for Android.

· Exploitation for many issues is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.

· Enable Google Play Protect

· Exploitation for many issues is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.

Severity

Rating	Consequence of successful exploitation
Critical	Remote access to cardholder data and sensitive credentials used for card payment authorization (for example, PAN or PIN) Remote unauthorized access to cryptographic keys including access to used symmetric keys (excluding Google services API keys) Remote unauthorized access to attestation data and their modification that effects to device trust level Remote bypass of software reverse-engineer protection Remote bypass of software modification protection that doesn’t lead application blocking Remote bypass of software mechanisms designed to prevent safety-related software (for example, hooking, rooting, emulation or debugging detection, verification, and validation of software). Remote bypass of software mechanisms designed to prevent stealing cardholder data and sensitive credentials used for card payment authorization from the device screen (for example, screenshot, overlay, broadcast, video-recording detection) Remote bypass of software mechanisms to prevent modification of configuration files, cryptographic keys Remote creation of Fake Payments
High	Local access to cardholder data and sensitive credentials used for card payment authorization (for example, PAN or PIN) Local unauthorized access to cryptographic keys including access to used symmetric keys (excluding Google services API keys) Local unauthorized access to attestation data and their modification that effects to device trust level Local bypass of software reverse-engineer protection Local bypass of software modification protection that doesn’t lead application blocking Local bypass of software mechanisms designed to prevent safety-related software (for example, hooking, rooting, emulation or debugging detection, verification, and validation of software). Local bypass of software mechanisms designed to prevent stealing cardholder data and sensitive credentials used for card payment authorization from the device screen (for example, screenshot, overlay, broadcast, video-recording detection) Local bypass of software mechanisms to prevent modification of configuration files, cryptographic keys Cryptographic vulnerability that allows for attacks attacks against transport layer security (TLS). Remote interception of the NFC module while the application is running on the payment card waiting screen Local creation Fake Payments
Medium	Local interception of the NFC module while the application is running on the payment card waiting screen Bypassing device setup process (initialization) Bypassing user authentication Substitution of data leading to incorrect payments (for example, substitution of amounts, type of operation, payment terminal credentials identifiers Remote temporary application denial of service
Low	A general bypass for a user level defense in depth or exploit mitigation technology in an unprivileged context Cryptographic vulnerability in non-standard usage Incorrect documentation that may lead to a security vulnerability Local arbitrary code execution in a constrained context

Rating

Consequence of successful exploitation

Critical

Remote access to cardholder data and sensitive credentials used for card payment authorization (for example, PAN or PIN)
Remote unauthorized access to cryptographic keys including access to used symmetric keys (excluding Google services API keys)
Remote unauthorized access to attestation data and their modification that effects to device trust level
Remote bypass of software reverse-engineer protection
Remote bypass of software modification protection that doesn’t lead application blocking
Remote bypass of software mechanisms designed to prevent safety-related software (for example, hooking, rooting, emulation or debugging detection, verification, and validation of software).
Remote bypass of software mechanisms designed to prevent stealing cardholder data and sensitive credentials used for card payment authorization from the device screen (for example, screenshot, overlay, broadcast, video-recording detection)
Remote bypass of software mechanisms to prevent modification of configuration files, cryptographic keys
Remote creation of Fake Payments

High

Local access to cardholder data and sensitive credentials used for card payment authorization (for example, PAN or PIN)
Local unauthorized access to cryptographic keys including access to used symmetric keys (excluding Google services API keys)
Local unauthorized access to attestation data and their modification that effects to device trust level
Local bypass of software reverse-engineer protection
Local bypass of software modification protection that doesn’t lead application blocking
Local bypass of software mechanisms designed to prevent safety-related software (for example, hooking, rooting, emulation or debugging detection, verification, and validation of software).
Local bypass of software mechanisms designed to prevent stealing cardholder data and sensitive credentials used for card payment authorization from the device screen (for example, screenshot, overlay, broadcast, video-recording detection)
Local bypass of software mechanisms to prevent modification of configuration files, cryptographic keys
Cryptographic vulnerability that allows for attacks attacks against transport layer security (TLS).
Remote interception of the NFC module while the application is running on the payment card waiting screen
Local creation Fake Payments

Medium

Local interception of the NFC module while the application is running on the payment card waiting screen
Bypassing device setup process (initialization)
Bypassing user authentication
Substitution of data leading to incorrect payments (for example, substitution of amounts, type of operation, payment terminal credentials identifiers
Remote temporary application denial of service

Low

A general bypass for a user level defense in depth or exploit mitigation technology in an unprivileged context
Cryptographic vulnerability in non-standard usage
Incorrect documentation that may lead to a security vulnerability
Local arbitrary code execution in a constrained context

Vulnerabilities finding list

In this sections, we provide details for each of the security vulnerabilities that apply to the tapXphone Software for Android 2.1.0.

Issues are described in the tables below and include CVE ID, Severity, Description,

updated software versions (where applicable), mitigation (where applicable) action

CVE	Severity	Description	Updated software versions	Action for mitigations
No vulnerabilities have been detected to date	N/A	N/A	N/A	N/A

CVE

Severity

Description

Updated software versions

Action for mitigations

No vulnerabilities have been detected to date

N/A

PreviousSecurity reporting program NextApp User Guide

Last updated 7 months ago