Exchange Position was sending exact position when channel settings were different #3805
Conversation
…n or not send position at all based on settings This is replicated based on the firmware
|
|
There was a problem hiding this comment.
Pull request overview
This PR fixes a privacy vulnerability in the Exchange Position functionality where the Android app was sending exact GPS coordinates regardless of channel precision settings or position-sharing preferences. The fix replicates the firmware's position precision masking algorithm to ensure that imprecise positions are sent based on channel settings.
Key Changes:
- Adds position precision masking logic that respects channel-specific precision settings
- Supports sending no position data when precision is set to 0 (position disabled)
- Applies bit masking and offset calculations to reduce position accuracy based on precision value
You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.
Co-authored-by: Copilot <[email protected]> Signed-off-by: Camerin Figueroa <[email protected]>
Co-authored-by: Copilot <[email protected]> Signed-off-by: Camerin Figueroa <[email protected]>
|
Run spotless and detekt again, apparently copilot doesn't meet code standards |
|
Lmao sorry about that. ill try to find time tomorrow.
…-------- Original Message --------
On Wednesday, 11/26/25 at 20:38 Dane Evans ***@***.***> wrote:
**DaneEvans** left a comment (meshtastic/Meshtastic-Android#3805)
Run spotless and detekt again, apparently copilot doesn't meet code standards
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
|
I've pushed a fix. |
|
The packet should be encrypted via PKI since its a DM |
|
Nobody else should see it |
|
@GUVWAF did something change to make it possible to send imprecise position packets from the phone? I thought we determined this did not work. |
|
As discussed in meshtastic/firmware#3752, this only works for broadcasts. |
|
As I showed in the screenshots above it does work sending imprecise position requests. I had received a response with a position when sending the imprecise request. I also received a response when sending a request with no position. As for sending it encrypted, I set my position to 41.123 and -73.12299999999 (some reason the app appends 9s). On the current beta build of the app I sent a position request to a nearby repeater. As you can see the position is precise and unencrypted. I ensured that mqtt has encryption enabled too so it isn't because of an mqtt misconfiguration. https://malla.nyme.sh/packet/2872751 |
|
I'll try to test when I get the chance to see what channel number is being used when exchange position is pressed. I had tested manually setting pki_encrypted flag to true (couldn't receive responses), but I can't remember if I checked the channel number. |
|
@jp-bennett knows more about PKI, he should be able to help you |
6 participants
There was an issue I noticed with the Exchange Position functionality where it would send my exact position to the mesh when my position was disabled or when the precision was modified. I hadn't opened an issue as I already discovered where this is happening.
The issue
In the android app when the user activated the Exchange Position button, a POSITION_APP packet is generated and sent by the android app. This is different from the firmware which would have sent an imprecise position based on the precision setting of that channel or would not include position if disabled on the channel.
I replicated how the firmware generates POSITION_APP packets to ensure that this functions similarly.
Testing
After making the change I built and ran the app on my phone, connected to a node and set the primary channel precision to 13.
You can see that the position app with precision 13 was sent and I also received a response from the destination.
I then sent the request with position disabled on my primary channel.
You can see that the request was sent without the position and a response was received.
I ran the unit tests via android studio and ran the other gradle commands required by the contribution guide.