This document describes the security practices, known risks, and guidelines for contributing to security improvements in the OpenTTY-J2ME project.
- Restricted Execution Environment: OpenTTY is designed to run on limited-resource devices like old mobile phones. It should be considered a trusted terminal, not a tool to access critical systems.
- Password Storage: The user password is saved within an inaccessible file.
- No Communication Encryption: OpenTTY does not implement encryption for network communication. Using secure networks or a VPN is recommended to protect transmitted data.
- Sandbox Execution: OpenTTY runs on the JVM, so it cannot execute arbitrary system commands directly on the device. However, vulnerabilities could still exist within the JVM or the app itself.
- Lack of Access Control: There is no granular access control. Anyone with access to the device can use the terminal.
- Device Security Dependency: The security of the application depends on the underlying device's security features, which may vary between models and manufacturers.

Contributions to enhance OpenTTY security are welcome. When contributing, consider the following:
- Code Review: Submit pull requests addressing potential vulnerabilities or improving overall application security.
- Security Testing: Conduct static and dynamic security testing to identify and fix vulnerabilities.
- Security Documentation: Update documentation to reflect changes that could affect security, including new dependencies or altered application behavior.

To report security vulnerabilities or discuss concerns, reach out to the OpenTTY-J2ME security team through:
- Email: felipebr4095@gmail.com
- GitHub Issues: https://github.com/mrlima4095/OpenTTY-J2ME/issues