security fixes for Janus and image metadata exploits
The Janus vuln that was made public last weekend inspired me to do a little cleaning of some possible attack vectors:
- Janus-style two-headed DEX+APK files are rejected by fdroid update; there is no legitimate use for this.
- all KnownVulns are logged as warnings to the console during
- image metadata is stripped from PNGs and JPEGs
The image metadata is stripped using a simple method that requires recompressing the file. For PNG, the recompression is optimized, so it should also result in smaller PNG sizes, without any loss of image quality. For JPEG, recompression means some loss of quality. I couldn't find any Python code to just strip the metadata. If someone wants to take that on as a project, look at exiftool (Perl) or jhead (C). Those both strip metadata from JPEGs without changing the image data. We just need some Python code to do that stripping. If we had Java code to do it, then we could just strip the metadata in the client.
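One way to do the JPEG stripping asked for above, as an added example and not code from this merge request or from fdroidserver: it walks the JPEG segment list, drops the APP1..APP13, APP15 and COM segments (where Exif, XMP, IPTC and comments live) and copies the quantisation tables, frame header and entropy-coded scan unchanged, so nothing is recompressed. Keeping APP0 and APP14 is my assumption, and SAMPLE_JPEG is a constructed segment layout, not a decodable image.

```python
# Segments that hold metadata, not image data: APP1..APP13, APP15 and COM.
# APP0 (JFIF) and APP14 (Adobe colour-transform flag) are kept, since some
# decoders use them to interpret the pixel data (assumption in this example).
STRIP_MARKERS = set(range(0xE1, 0xEE)) | {0xEF, 0xFE}
# Markers with no length field: TEM, RST0-7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))
SOS = 0xDA


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Copy a JPEG, dropping metadata segments without re-encoding pixels."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, pos = bytearray(b"\xff\xd8"), 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt JPEG: no marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker
            pos += 1
        elif marker in STANDALONE:
            out += data[pos:pos + 2]
            pos += 2
        elif marker == SOS:
            # Scan header and entropy-coded data through EOI: copied verbatim.
            out += data[pos:]
            break
        else:
            length = int.from_bytes(data[pos + 2:pos + 4], "big")
            end = pos + 2 + length
            if length < 2 or end > len(data):
                raise ValueError("corrupt JPEG: bad length at offset %d" % pos)
            if marker not in STRIP_MARKERS:
                out += data[pos:end]
            pos = end
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample: the segment layout of a JPEG (JFIF, Exif, comment,
# quantisation table, scan, EOI), not a decodable image.
SAMPLE_JPEG = (b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01")
               + _segment(0xE1, b"Exif\x00\x00" + b"\x00" * 8)
               + _segment(0xFE, b"a comment") + _segment(0xDB, b"\x00" * 65)
               + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\xd9")
```

Progressive JPEGs with several SOS segments are handled by the verbatim copy from the first SOS onward, which also means any metadata placed after the first scan is left in place.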