Skip to content

Opt-in to Arm MTE #15661

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Opt-in to Arm MTE #15661

wants to merge 1 commit into from

Conversation

thgoebel
Copy link
Contributor

This is an easy security improvement (at least for users with Google Pixel 8 and later, which have the hardware for MTE).

Nextcloud doesn't have any explicit native code itself. But there are some libandroidx.graphics.path.so files in the APK, and also Android framework code that Nextcloud calls might have native code. All of that runs in the app's process, so opting in to MTE will cover that. Nextcloud parses potentially attacker controlled data, so enabling MTE is an easy defense-in-depth.

I've been running Nextcloud on a Pixel 8a with GrapheneOS and MTE force-enabled for a few months now without any issues.
Still, I recommend you to test this again on an MTE-compatible device (Pixel 8 and later), just to be sure :)

I'm only sending PRs for Files and Notes for Android, because those I use a lot and can (at)test.
I recommend you enable MTE for other Android apps (Talk, Deck) as well, and also for the Nextcloud iOS Files app.

For background on MTE, see:

@thgoebel thgoebel mentioned this pull request Sep 19, 2025
Open
@thgoebel
Opt-in to Arm MTE
fe670b7 
Signed-off-by: Thore Goebel <git@thore.io>
@thgoebel thgoebel mentioned this pull request Sep 19, 2025
Open
@github-actions GitHub Actions
Copy link

APK file: https://www.kaminsky.me/nc-dev/android-artifacts/15661.apk

qrcode

To test this change/fix you can simply download above APK file and install and test it in parallel to your existing Nextcloud app.

@tobiasKaminsky
Copy link
Member

I think this is the more accurate documentation: https://developer.android.com/ndk/guides/arm-mte

Your linked one is for platform devs.

I unfortunately do not have such a device.

@mahibi do you have a Pixel?

@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 4, 2025

Hello there,
Thank you so much for taking the time and effort to create a pull request to our Nextcloud project.

We hope that the review process is going smooth and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process.

Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6

Thank you for contributing to Nextcloud and we hope to hear from you soon!

(If you believe you should not receive this message, you can add yourself to the blocklist.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tobiasKaminsky tobiasKaminsky Awaiting requested review from tobiasKaminsky

@alperozturk96 alperozturk96 Awaiting requested review from alperozturk96

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
3. to review enhancement feedback-requested security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@thgoebel @tobiasKaminsky