Our development team identified a security issue affecting all previous versions of the Matrix Android SDK and, by extension, any Android clients which use the Matrix Android SDK. This includes Riot Android (Google Play and F-Droid) and mini Vector.
The issue has been fixed in version 0.9.27 of the Matrix Android SDK and in Riot Android 0.9.4.
RiotX is not affected, nor are any Matrix clients on any other platform.
What is the issue?
Affected Matrix clients were incorrectly including the homeserver access token in requests made to the identity server (the separate service which lets users discover other Matrix users based on email address or phone number).
This means that your identity server provider could in theory use this token to access your Matrix account. In practice, this is only a problem if your identity server and your homeserver are operated by different providers, and also if you do not trust your identity server provider to handle this issue responsibly.
We’ve seen no evidence of this issue having been exploited in the wild, and Sydent, the reference identity server implementation, does not log the homeserver access tokens in its default configuration. Moreover, the identity servers at vector.im and matrix.org do not and have never logged these tokens anywhere. However, your access token can be used to gain access to your account, so it is important to read this guidance carefully and secure your account if you don’t trust your identity server provider.
What do I need to do?
If your homeserver is matrix.org (or if it’s provided by Modular), and your identity server is either matrix.org or vector.im, then no action needs to be taken (though you are free to log out and log back in as a precaution).
If your homeserver and identity server are operated by different providers, you should log out and re-log in all of your Android client sessions to invalidate the leaked tokens. The latest version of Riot Android will prompt you to do this automatically.
If your homeserver and identity server are operated by the same provider, your access tokens haven’t been leaked beyond the scope of that provider. You might still want to log out and re-log in to invalidate tokens, out of an abundance of caution.
Whoever provides your homeserver and identity server, it’s good practice to review your signed-in devices and log out any old sessions — you can do this in Riot by going to User Settings → Security & Privacy.
Finally, if you’re on F-Droid – good news: the official Riot/Android build has been fixed so you can get the security fix and also upgrade to the latest build at last (hopefully by the time you read this!)
What are the technical details?
If you’re a Matrix client developer using the Matrix Android SDK in your project, we recommend that you handle this issue by:
- upgrading your Matrix Android SDK dependency to 0.9.27
- updating your client to record your app version number alongside the homeserver access token
- checking on startup whether the locally persisted token is accompanied by a safe version number
- if it isn’t, prompting the user to log out and log in again to refresh the token safely
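The following is an added example of the startup check described in the four steps above. It is not code from the Matrix Android SDK or from Riot: the credential store is a plain in-memory map standing in for whatever the client persists to (SharedPreferences, a database), the key names and the class and method names are assumptions, and FIRST_SAFE_APP_VERSION uses Riot Android’s 0.9.4 from this advisory only as an illustration; a client records its own first version built against SDK 0.9.27. Records that carry no version at all were written by a build from before the scheme existed and are treated as possibly leaked.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Version-stamped access-token records (added example, not SDK or Riot code).
 * A token is only trusted if the app version that obtained it is known to
 * have never sent the token to the identity server.
 */
public final class TokenVersionCheck {

    /** First app version that never leaks the token. 0.9.4 is Riot Android's
     *  value from the advisory; other clients substitute their own. */
    static final String FIRST_SAFE_APP_VERSION = "0.9.4";

    // Assumed preference keys; a real client uses its own persisted fields.
    static final String KEY_TOKEN = "access_token";
    static final String KEY_VERSION = "access_token_app_version";

    /** One persisted credential: the homeserver access token plus the app
     *  version that obtained it (null for records written by older builds). */
    static final class StoredCredential {
        final String accessToken;
        final String appVersion;
        StoredCredential(String accessToken, String appVersion) {
            this.accessToken = accessToken;
            this.appVersion = appVersion;
        }
    }

    /** Numeric value of one dotted-version segment; a suffix such as "4-beta" counts as 4. */
    private static int segment(String[] parts, int i) {
        if (i >= parts.length) return 0;
        String digits = parts[i].replaceAll("[^0-9].*$", "");
        return digits.isEmpty() ? 0 : Integer.parseInt(digits);
    }

    /** Compare dotted versions numerically, so "0.9.10" sorts after "0.9.4". */
    static int compareVersions(String a, String b) {
        String[] pa = a.split("\\.");
        String[] pb = b.split("\\.");
        int n = Math.max(pa.length, pb.length);
        for (int i = 0; i < n; i++) {
            int c = Integer.compare(segment(pa, i), segment(pb, i));
            if (c != 0) return c;
        }
        return 0;
    }

    /** True when the persisted token must be refreshed: it was recorded by a
     *  build without a version stamp, or by a version below the first safe one. */
    static boolean needsReLogin(StoredCredential cred) {
        if (cred == null) return false;           // nothing persisted: normal login flow
        if (cred.appVersion == null) return true;  // pre-scheme record, treat as leaked
        return compareVersions(cred.appVersion, FIRST_SAFE_APP_VERSION) < 0;
    }

    /** Persist a freshly obtained token together with the running app's version. */
    static void store(Map<String, String> prefs, String accessToken, String currentAppVersion) {
        prefs.put(KEY_TOKEN, accessToken);
        prefs.put(KEY_VERSION, currentAppVersion);
    }

    /** Load the persisted credential, or null if no token is stored. */
    static StoredCredential load(Map<String, String> prefs) {
        String token = prefs.get(KEY_TOKEN);
        if (token == null) return null;
        return new StoredCredential(token, prefs.get(KEY_VERSION)); // version may be absent
    }

    public static void main(String[] args) {
        Map<String, String> prefs = new HashMap<>();

        // Constructed sample: a record left behind by an old build has a token but no version stamp.
        prefs.put(KEY_TOKEN, "old-token-placeholder");
        System.out.println("unstamped record needs re-login: " + needsReLogin(load(prefs)));   // true

        // Constructed sample: a token recorded by a version that predates the fix.
        store(prefs, "token-from-0.9.3-placeholder", "0.9.3");
        System.out.println("0.9.3 record needs re-login: " + needsReLogin(load(prefs)));      // true

        // Constructed sample: after the user re-logs in on a fixed build, the record is trusted.
        store(prefs, "fresh-token-placeholder", "0.9.4");
        System.out.println("0.9.4 record needs re-login: " + needsReLogin(load(prefs)));      // false
    }
}
```

On startup a client calls needsReLogin(load(prefs)) before using the stored token, and if it returns true shows the logout-and-login prompt rather than continuing with the possibly leaked token; the re-login path then writes the new token through store(), so the check passes on every later launch.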
I’m a Matrix client developer and I’d like a bit more warning about such issues please!
If you maintain a Matrix client and would like to be included in our planning around security releases that affect your client, please let us know at firstname.lastname@example.org!