kebab_definite

You should read the main landing page of the website before making posts like this.

Simple Android PDF viewer based on pdf.js and content providers. The app doesn't require any permissions. The PDF stream is fed into the sandboxed WebView without giving it access to content or files. Content-Security-Policy is used to enforce that the JavaScript and styling properties within the WebView are entirely static content from the apk assets. It reuses the hardened Chromium rendering stack while only exposing a tiny subset of the attack surface compared to actual web content. The PDF rendering code itself is memory safe with dynamic code evaluation disabled, and even if an attacker did gain code execution by exploiting the underlying web rendering engine, they're within the Chromium renderer sandbox with no access to the network (unlike a browser), files, or other content.

GrapheneOS comes with a hardened PDF Viewer built in. Surely you'd know this if you had the OS installed?

https://grapheneos.org/features#grapheneos-pdf-viewer

    gravity-reprint While what you wrote is correct and maybe a heavily secured and sandboxed PDF reader can mitigate a dangerous pdf file, that was not what the OP asked about.

    I also find your remark about how OP should install an OS before posting at the very least unnecessary, and at most disrespectful and patronizing because 1) you have no way of knowing if OP has the OS installed or not and 2) they have every right to ask questions about it without actually having it installed on a device (as many actually do the same here), that is what this forum is for I imagine. Hope you have a good day.

    @kebab_definite maybe dangerzone has a CLI, in which case you might be able to make it work in a terminal emulator like Termux. But do note that Termux may not provide sufficient security regarding the program such as isolation.

    The mat2 python metadata removal tool has an option to turn .pdf-s into images, but I don't know how that fares in regards to security, or does it actually make pdf-s safe.

      ticklemyIP thanks for your words.

      For me it's about sharing safe PDFs with other people and devices from my GOS phone. I'm not sure about the approaches you mentioned, but thank you for these.

      If anyone has ideas, I am thankful to hear them. :)

        kebab_definite
        For images you can view them and take a screenshot. Then share the screenshot. Maybe crop it first if you feel that's necessary.

        For pdfs you can open them in PDF Viewer and then share them to Print to print a new pdf.

        It is worth considering that neither of these methods is designed to sanitize malicious files, but both may have the desired outcome.

        If someone had the time and interest it would be nice to know if any problematic pdf properties could persist after Print to pdf. I would suspect it should remove all the complex functionality that can be included in a pdf file and just leave text and images?

          a month later

          Carlos-Anso If someone had the time and interest it would be nice to know if any problematic pdf properties could persist after Print to pdf. I would suspect it should remove all the complex functionality that can be included in a pdf file and just leave text and images?

          I was curious about this, so I did a small experiment, and I jotted down a report on it: https://gist.github.com/FID02/b2b25c3241bd4226ac5003b0b3837edb

          In sum, in my experiment, JavaScript and other properties were kept when using the "Save to PDF" feature.

          So the attack vector is executing JavaScript in PDFs, other scripts in SVG images or macros in office documents.

          I am curious if the PDF viewer runs any JavaScript code at all?

          And what image viewer would you use to open such images in the first place? All viewers I know have access at least to all my photos, which is kind of a lot.

          Then dangerzone is also for converting office files. I am not sure if CollaboraOffice Android even executes macros or if they weren't simply broken. Collabora Office can use the filechooser portal and thus run fully sandboxed.

          Then dangerzone is sanitizing documents without opening them. It uses a restricted podman sandbox and gVisor, a memory safe and minimal application kernel, which should prevent attacks on the kernel directly.
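
One way to repeat the check discussed above on a file before and after "Print to PDF" (an added example, not part of the thread or the linked report): it counts PDF name objects that mark active content, including hex-escaped names and names inside object streams. The name list and the sample bytes are assumptions constructed for illustration.

```python
import re
import zlib

# Name objects that mark active or embedded content (pdfid-style triage list).
ACTIVE = {b"JS", b"JavaScript", b"OpenAction", b"AA", b"Launch",
          b"EmbeddedFile", b"XFA", b"RichMedia"}
NAME_RE = re.compile(rb"/([A-Za-z0-9#]+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def decode_name(raw):
    """Undo #xx escapes so /J#61vaScript is counted as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def count_names(data, counts):
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(1))
        if name in ACTIVE:
            counts[name.decode()] = counts.get(name.decode(), 0) + 1


def scan_pdf(data):
    """Return {name: count} of active-content names in a PDF's bytes."""
    counts = {}
    # Scan dictionaries only: blank out stream bodies to avoid binary noise.
    count_names(STREAM_RE.sub(b"stream\nendstream", data), counts)
    # Object streams hold further dictionaries in compressed form.
    for m in STREAM_RE.finditer(data):
        head = decode_name(data[max(0, m.start() - 512):m.start()])
        if b"/ObjStm" not in head:
            continue
        try:
            count_names(zlib.decompressobj().decompress(m.group(1)), counts)
        except zlib.error:
            pass  # not Flate-compressed (or encrypted): cannot inspect
    return counts


# Constructed sample, not a file from the thread or the linked report.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n"
    b"3 0 obj\n<< /Type /ObjStm /N 1 /First 4 >>\nstream\n"
    + zlib.compress(b"4 0 << /S /Launch /F (placeholder) >>")
    + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    print(scan_pdf(SAMPLE))
```

An empty result only means none of the listed names were found in readable dictionaries; encrypted files and object streams using other filters are not inspected.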

            missing-root

            I am curious if the PDF viewer runs any JavaScript code at all?

            I think it does, but it's only static JS. It's safer than opening a website on a regular browser tbh.

            And what image viewer would you use to open such images in the first place? All viewers I know have access at least to all my photos, which is kind of a lot.

            You could work around this by granting storage scopes to specific files. Stock gallery is the best one for security probably. You can keep it as a secondary gallery for opening sus files.

            Then dangerzone is also for converting office files. I am not sure if CollaboraOffice Android even executes macros or if they weren't simply broken. Collabora Office can use the filechooser portal and thus run fully sandboxed.

            I usually use Libreoffice Viewer for office files. I don't think it executes macros.

              Rizzler You can keep it as a secondary gallery for opening sus files.

              I use NoScript and Vanadium AND Mull both block JIT JavaScript by default. So I doubt that

              Rizzler It's safer than opening a website on a regular browser tbh.

              Yes having an additional image viewer with no filesystem access is the obvious workaround. Using ImagePipe could also work.

              So ImagePipe may be a good converter but not sure about SVGs (which are the actual target). SVGs could be opened with the webview, a secure viewer would be possible, just like the PDF viewer.

                missing-root Well, think about what's different on a PDF than a website. The fact that it can't load 3rd party resources like a site can, and it can't access the internet. In this case, it's especially true because it's using pdfjs.

                  Rizzler

                  It can execute embedded JS code so this is not relevant. Please leave some room for other people to comment here in this thread.

                    Wasn't meant to be rude. It simply doesn't cover the use case and afaik this is not the same, points kinda repeated themselves.