docs(security-reports): add security report for SEC-31 demo mode APK flag closes(#263)#295
Closed
itzabdoull wants to merge 1 commit into
Owner:
Thanks for the report 🙏 On reviewing it, the content of this PR is byte-identical to what is already in. For that reason, this PR introduces no net changes on.
Closes #263
📝 Overview
This Pull Request delivers the security report [SEC-31] investigating the security risk where the demo mode build flag (VITE_DEMO_MODE) could be baked into the final release/production APK.
Per the maintainers' request, this PR contains only the security report markdown file (docs/security-reports/SEC-31-vite-demo-mode-apk.md), detailing the results of the investigation, evidence, and the proposed fix suggestion. The team will handle the internal application of the fix to prevent merge conflicts.
🔍 Key Findings from the Report
Embedding Vulnerability: If compiled with VITE_DEMO_MODE=true in production/testnet modes, the static assets (e.g. index-*.js) contain both IS_DEMO_MODE=true and the hardcoded secret: MICOPAY:DEMO:mock_secret_for_ui_preview.
Impact: Bypasses registration in production, displays constant mock QR codes/secrets when backend requests fail, and enables mock transactions instead of real network operations.
Missing Guard: Prior to the suggestion, there was no compile-time build guard checking this flag on release builds.
💡 Suggested Fix
Add a compile-time check in the Vite configuration (micopay/frontend/vite.config.ts) that loads environment variables using loadEnv and throws a fatal error, aborting the build immediately, if VITE_DEMO_MODE is true in a non-development mode (such as production or testnet).
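As an added example (not the project's own vite.config.ts), the guard described above as a standalone TypeScript function: the mode name and env record are passed in as inputs mirroring what Vite's loadEnv returns, and the development-only allowlist and the accepted truthy spellings of the flag are assumptions.

```typescript
// Added example (not the project's code): compile-time guard for the SEC-31 fix.
// In a real vite.config.ts the env record would come from
// `loadEnv(mode, process.cwd(), "VITE_")`; here it is passed in so the logic
// can be exercised without Vite installed.

/** Modes in which the demo flag may be on. Assumption: only "development". */
const DEMO_ALLOWED_MODES = new Set(["development"]);

/** Spellings a developer might use to enable the flag; all are treated as "on". */
function isTruthyFlag(value: string | undefined): boolean {
  if (value === undefined) return false;
  return ["true", "1", "yes", "on"].includes(value.trim().toLowerCase());
}

/**
 * Throws if VITE_DEMO_MODE is enabled for any non-development mode, so the
 * build aborts before IS_DEMO_MODE and the mock secret can be baked into
 * release assets. Returns true when the build may proceed.
 */
function assertDemoModeNotInRelease(
  mode: string,
  env: Record<string, string | undefined>,
): boolean {
  const demoOn = isTruthyFlag(env.VITE_DEMO_MODE);
  if (demoOn && !DEMO_ALLOWED_MODES.has(mode)) {
    throw new Error(
      `[SEC-31] VITE_DEMO_MODE=${env.VITE_DEMO_MODE} is set for mode "${mode}". ` +
        "Demo mode must never be compiled into a release/testnet build; aborting.",
    );
  }
  return true;
}

// Wiring into vite.config.ts (shown as a comment so this file runs without
// the `vite` package):
//
//   import { defineConfig, loadEnv } from "vite";
//   export default defineConfig(({ mode }) => {
//     const env = loadEnv(mode, process.cwd(), "VITE_");
//     assertDemoModeNotInRelease(mode, env); // throws -> `vite build` exits non-zero
//     return { /* ...existing config... */ };
//   });
```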