APP SUMMARY
App Name insecurebankv2
Android Package com.android.insecurebankv2
Date of Scan 16-JUL-2021, 11:28 AM
App Version 1.0
Android Min SDK Version 15
Android Target SDK Version 22
App Size 3.3 MB

SUMMARY OF FINDINGS


Risk Count
High 1
Medium 8
Low 1
Warning 1
Information 2
Total 13

No Vulnerability Name Risk Severity CVSS Score Occurrences
1 Insecure communication High High 8.1 36
2 Use of insufficiently random values Medium Medium 5.9 3
3 Android debuggable enabled Medium Medium 4.9 1
4 Android backup vulnerability Medium Medium 4.9 1
5 Improper export of providers Medium Medium 4.9 1
6 Improper export of receivers Medium Medium 4.9 1
7 Weak hash - MD5 Medium Medium 4.3 4
8 Weak hash - SHA-1 Medium Medium 4.3 1
9 Insecure signature – SHA1withRSA Medium Medium 4.1 1
10 Javascript enabled in WebView Low Low 2.9 3
11 Android external storage Warning Warning 13
12 Missing copy and paste protection from EditText fields Information Information 9
13 Missing protection against screenshots Information Information 10

Findings 1 : Insecure communication

Risk High
Severity High
CVSS Score 8.1
Occurrences 36
Details Yaazhini detected HTTP URLs in the source code. HTTP is unencrypted by default, so network traffic sent over it is not protected even where sensitive communications require it.
Remediation Use the latest SSL/TLS protocol for every connection that is authenticated or that transmits sensitive or valuable data, such as credentials, credit card details, health records, and other private information.
Occurrence : 1
File Path: com\android\insecurebankv2\ChangePassword.java
Line 51. String protocol = "http://";
Occurrence : 2
File Path: com\android\insecurebankv2\DoLogin.java
Line 42. String protocol = "http://";
Occurrence : 3
File Path: com\android\insecurebankv2\DoTransfer.java
Line 55. String protocol = "http://";
Occurrence : 4
File Path: com\google\android\gms\analytics\AnalyticsReceiver.java
Line 51. zzhQ.zzaW("Analytics service at risk of not starting. For more reliable analytics, add the WAKE_LOCK permission to your manifest. See http://goo.gl/8Rd3yj for instructions.");
Occurrence : 5
File Path: com\google\android\gms\analytics\CampaignTrackingReceiver.java
Line 40. zzhQ.zzaW("CampaignTrackingService not registered or disabled. Installation tracking not possible. See http://goo.gl/8Rd3yj for instructions.");
Occurrence : 6
File Path: com\google\android\gms\analytics\CampaignTrackingReceiver.java
Line 62. zzhQ.zzaW("CampaignTrackingService service at risk of not starting. For more reliable installation campaign reports, add the WAKE_LOCK permission to your manifest. See http://goo.gl/8Rd3yj for instructions.");
Occurrence : 7
File Path: com\google\android\gms\analytics\internal\zza.java
Line 119. zzaW("IllegalStateException getting Ad Id Info. If you would like to see Audience reports, please ensure that you have added '<meta-data android:name=\"com.google.android.gms.version\" android:value=\"@integer/google_play_services_version\" />' to your application manifest file. See http://goo.gl/naFqQk for details.");
Occurrence : 8
File Path: com\google\android\gms\analytics\internal\zzl.java
Line 175. zzaW("AnalyticsReceiver is not registered or is disabled. Register the receiver for reliable dispatching on non-Google Play devices. See http://goo.gl/8Rd3yj for instructions.");
Occurrence : 9
File Path: com\google\android\gms\analytics\internal\zzl.java
Line 177. zzaX("AnalyticsService is not registered or is disabled. Analytics service at risk of not starting. See http://goo.gl/8Rd3yj for instructions.");
Occurrence : 10
File Path: com\google\android\gms\analytics\internal\zzl.java
Line 180. zzaW("CampaignTrackingReceiver is not registered, not exported or is disabled. Installation campaign tracking is not possible. See http://goo.gl/8Rd3yj for instructions.");
Occurrence : 11
File Path: com\google\android\gms\analytics\internal\zzl.java
Line 182. zzaW("CampaignTrackingService is not registered or is disabled. Installation campaign tracking is not possible. See http://goo.gl/8Rd3yj for instructions.");
Occurrence : 12
File Path: com\google\android\gms\analytics\internal\zzl.java
Line 258. zzaU("Hit delivery not possible. Missing network permissions. See http://goo.gl/8Rd3yj for instructions");
Occurrence : 13
File Path: com\google\android\gms\analytics\internal\zzl.java
Line 943. zzaX("Missing required android.permission.ACCESS_NETWORK_STATE. Google Analytics disabled. See http://goo.gl/8Rd3yj for instructions");
Occurrence : 14
File Path: com\google\android\gms\analytics\internal\zzl.java
Line 947. zzaX("Missing required android.permission.INTERNET. Google Analytics disabled. See http://goo.gl/8Rd3yj for instructions");
Occurrence : 15
File Path: com\google\android\gms\analytics\internal\zzl.java
Line 955. zzaW("AnalyticsService not registered in the app manifest. Hits might not be delivered reliably. See http://goo.gl/8Rd3yj for instructions.");
Occurrence : 16
File Path: com\google\android\gms\analytics\internal\zzy.java
Line 40. public static zza<String> zzLp = zza.zzm("analytics.insecure_host", "http://www.google-analytics.com");
Occurrence : 17
File Path: com\google\android\gms\analytics\Tracker.java
Line 389. Uri parse = Uri.parse("http://hostname/?" + queryParameter);
Occurrence : 18
File Path: com\google\android\gms\appindexing\Action.java
Line 11. public static final String STATUS_TYPE_ACTIVE = "http://schema.org/ActiveActionStatus";
Occurrence : 19
File Path: com\google\android\gms\appindexing\Action.java
Line 12. public static final String STATUS_TYPE_COMPLETED = "http://schema.org/CompletedActionStatus";
Occurrence : 20
File Path: com\google\android\gms\appindexing\Action.java
Line 13. public static final String STATUS_TYPE_FAILED = "http://schema.org/FailedActionStatus";
Occurrence : 21
File Path: com\google\android\gms\appindexing\Action.java
Line 14. public static final String TYPE_ACTIVATE = "http://schema.org/ActivateAction";
Occurrence : 22
File Path: com\google\android\gms\appindexing\Action.java
Line 15. public static final String TYPE_ADD = "http://schema.org/AddAction";
Occurrence : 23
File Path: com\google\android\gms\appindexing\Action.java
Line 16. public static final String TYPE_BOOKMARK = "http://schema.org/BookmarkAction";
Occurrence : 24
File Path: com\google\android\gms\appindexing\Action.java
Line 17. public static final String TYPE_COMMUNICATE = "http://schema.org/CommunicateAction";
Occurrence : 25
File Path: com\google\android\gms\appindexing\Action.java
Line 18. public static final String TYPE_FILM = "http://schema.org/FilmAction";
Occurrence : 26
File Path: com\google\android\gms\appindexing\Action.java
Line 19. public static final String TYPE_LIKE = "http://schema.org/LikeAction";
Occurrence : 27
File Path: com\google\android\gms\appindexing\Action.java
Line 20. public static final String TYPE_LISTEN = "http://schema.org/ListenAction";
Occurrence : 28
File Path: com\google\android\gms\appindexing\Action.java
Line 21. public static final String TYPE_PHOTOGRAPH = "http://schema.org/PhotographAction";
Occurrence : 29
File Path: com\google\android\gms\appindexing\Action.java
Line 22. public static final String TYPE_RESERVE = "http://schema.org/ReserveAction";
Occurrence : 30
File Path: com\google\android\gms\appindexing\Action.java
Line 23. public static final String TYPE_SEARCH = "http://schema.org/SearchAction";
Occurrence : 31
File Path: com\google\android\gms\appindexing\Action.java
Line 24. public static final String TYPE_VIEW = "http://schema.org/ViewAction";
Occurrence : 32
File Path: com\google\android\gms\appindexing\Action.java
Line 25. public static final String TYPE_WANT = "http://schema.org/WantAction";
Occurrence : 33
File Path: com\google\android\gms\appindexing\Action.java
Line 26. public static final String TYPE_WATCH = "http://schema.org/WatchAction";
Occurrence : 34
File Path: com\google\android\gms\common\internal\zzm.java
Line 9. private static final Uri zzaaV = Uri.parse("http://plus.google.com/");
Occurrence : 35
File Path: com\google\android\gms\internal\zzgk.java
Line 82. this.zzEp = zza(packageManager, "http://www.google.com") == null ? false : z;
Occurrence : 36
File Path: com\google\android\gms\tagmanager\zzax.java
Line 18. return Uri.parse("http://hostname/?" + str).getQueryParameter(str2);

Findings 2 : Use of insufficiently random values

Risk Medium
Severity Medium
CVSS Score 5.9
Occurrences 3
Details The application generates random numbers with java.util.Random. java.util.Random is not a cryptographically secure generator, so random values produced with it are cryptographically weak.
Remediation Use the java.security.SecureRandom class for random number generation.
Occurrence : 1
File Path: com\google\android\gms\ads\internal\client\zzl.java
Line 9. private final Random zzsz = new Random();
Occurrence : 2
File Path: com\google\android\gms\analytics\Tracker.java
Line 119. this.zzyn.put("&a", Integer.toString(new Random().nextInt(ActivityChooserView.ActivityChooserViewAdapter.MAX_ACTIVITY_COUNT_UNLIMITED) + 1));
Occurrence : 3
File Path: com\google\android\gms\iid\zzc.java
Line 141. this.zzaxn = new Random().nextInt(1000) + 1000;

Findings 3 : Android debuggable enabled

Risk Medium
Severity Medium
CVSS Score 4.9
Occurrences 1
Details The android:debuggable='true' property is present in the application tag, which means the application can be debugged even when running on a device.
Remediation Yaazhini detected Android debugging enabled in the AndroidManifest.xml file. The android:debuggable='true' property is present in the application tag, which means the application can be debugged even while it is running on a device.
Occurrence : 1
File Path: AndroidManifest.xml
Line 17. <application android:theme="@style/Theme.Holo.Light.DarkActionBar" android:label="@string/app_name" android:icon="@mipmap/ic_launcher" android:debuggable="true" android:allowBackup="true">

Findings 4 : Android backup vulnerability

Risk Medium
Severity Medium
CVSS Score 4.9
Occurrences 1
Details Yaazhini detected an Android backup vulnerability in the AndroidManifest.xml file. The property android:allowBackup='true' is set on the application tag, which means users of the application can back up the app's internal data, which resides under /data/data/<app-package>.
Remediation To avoid the Android backup vulnerability, set android:allowBackup="false" in the AndroidManifest.xml file.
Occurrence : 1
File Path: AndroidManifest.xml
Line 17. <application android:theme="@style/Theme.Holo.Light.DarkActionBar" android:label="@string/app_name" android:icon="@mipmap/ic_launcher" android:debuggable="true" android:allowBackup="true">

Findings 5 : Improper export of providers

Risk Medium
Severity Medium
CVSS Score 4.9
Occurrences 1
Details Yaazhini detected that a provider is exported in the AndroidManifest.xml file. The content provider is public because the android:exported='true' property is specified. The ContentProvider class provides a mechanism for managing and sharing data with other Android applications. Unless a provider's data is meant to be shared with other applications, public access should be disabled.
Remediation If the provider does not need to be accessed by other Android applications, mark the provider explicitly as android:exported="false" in the application manifest file. Ignore the issue if the provider was exported intentionally.
Occurrence : 1
File Path: AndroidManifest.xml
Line 30. <provider android:name="com.android.insecurebankv2.TrackUserContentProvider" android:exported="true" android:authorities="com.android.insecurebankv2.TrackUserContentProvider"/>

Findings 6 : Improper export of receivers

Risk Medium
Severity Medium
CVSS Score 4.9
Occurrences 1
Details Yaazhini detected that a receiver is exported in the AndroidManifest.xml file. The application exports a component for use by other Android applications but does not properly restrict which applications can launch the feature or access the data it contains. If access to the receiver is not restricted, external applications can interact with it. It is not an issue if the receiver does not handle any sensitive data.
Remediation If the receiver does not need to be accessed by other Android applications, mark the receiver explicitly as android:exported="false" in the application manifest file. Ignore the issue if the receiver was exported intentionally.
Occurrence : 1
File Path: AndroidManifest.xml
Line 31. <receiver android:name="com.android.insecurebankv2.MyBroadCastReceiver" android:exported="true">

Findings 7 : Weak hash - MD5

Risk Medium
Severity Medium
CVSS Score 4.3
Occurrences 4
Details Yaazhini detected that this application uses the MD5 MessageDigest algorithm, which is weak.
Remediation Use the SHA-256 algorithm instead. For hashing passwords, use PBKDF2.
Occurrence : 1
File Path: com\google\android\gms\ads\internal\util\client\zza.java
Line 114. MessageDigest instance = MessageDigest.getInstance("MD5");
Occurrence : 2
File Path: com\google\android\gms\internal\zzak.java
Line 80. MessageDigest instance = MessageDigest.getInstance("MD5");
Occurrence : 3
File Path: com\google\android\gms\internal\zzbl.java
Line 19. zzrK = MessageDigest.getInstance("MD5");
Occurrence : 4
File Path: com\google\android\gms\internal\zzhl.java
Line 554. MessageDigest instance = MessageDigest.getInstance("MD5");

Findings 8 : Weak hash - SHA-1

Risk Medium
Severity Medium
CVSS Score 4.3
Occurrences 1
Details Yaazhini detected that this application uses the SHA-1 MessageDigest algorithm, which is weak.
Remediation Use the SHA-256 algorithm instead. For hashing passwords, use PBKDF2.
Occurrence : 1
File Path: com\google\android\gms\iid\InstanceID.java
Line 62. byte[] digest = MessageDigest.getInstance("SHA1").digest(keyPair.getPublic().getEncoded());

Findings 9 : Insecure signature – SHA1withRSA

Risk Medium
Severity Medium
CVSS Score 4.1
Occurrences 1
Details Yaazhini detected that this application uses the SHA1withRSA algorithm. SHA1withRSA is considered an insecure signature algorithm in mobile applications.
Remediation Use a strong signature algorithm such as SHA256withRSA.
Occurrence : 1
File Path: com\google\android\gms\ads\internal\purchase\zzl.java
Line 20. Signature instance = Signature.getInstance("SHA1withRSA");

Findings 10 : Javascript enabled in WebView

Risk Low
Severity Low
CVSS Score 2.9
Occurrences 3
Details Yaazhini detected that this application uses a WebView with JavaScript enabled. Enabling JavaScript in a WebView lets any JavaScript in the loaded content execute, which can include arbitrary code if untrusted content is loaded.
Remediation It is better not to enable JavaScript in the WebView. If the developers have to use this feature, allow only trusted JavaScript code to be processed in the WebView, and audit the code processed in the WebView for cross-site scripting attacks.
Occurrence : 1
File Path: com\android\insecurebankv2\ViewStatement.java
Line 27. mWebView.getSettings().setJavaScriptEnabled(true);
Occurrence : 2
File Path: com\google\android\gms\internal\zzfd.java
Line 45. webView.getSettings().setJavaScriptEnabled(true);
Occurrence : 3
File Path: com\google\android\gms\internal\zzig.java
Line 108. settings.setJavaScriptEnabled(true);

Findings 11 : Android external storage

Risk Warning
Severity Warning
Occurrences 13
Details Yaazhini detected that this application uses Android external storage. External storage is also used to hold application data, but no access control is enforced on files saved there. Files created on external storage, such as SD cards, are globally readable and writable, and the storage itself can be removed and modified by the user. It is not an issue if the developer does not store sensitive information on external storage.
Remediation Always use internal storage to write sensitive information. If data must be stored externally, it must be encrypted.
Occurrence : 1
File Path: android\support\v4\content\ContextCompat.java
Line 58. single = ContextCompatFroyo.getExternalFilesDir(context, type);
Occurrence : 2
File Path: android\support\v4\content\ContextCompat.java
Line 46. single = buildPath(Environment.getExternalStorageDirectory(), DIR_ANDROID, DIR_OBB, context.getPackageName());
Occurrence : 3
File Path: android\support\v4\content\ContextCompat.java
Line 60. single = buildPath(Environment.getExternalStorageDirectory(), DIR_ANDROID, DIR_DATA, context.getPackageName(), DIR_FILES, type);
Occurrence : 4
File Path: android\support\v4\content\ContextCompat.java
Line 74. single = buildPath(Environment.getExternalStorageDirectory(), DIR_ANDROID, DIR_DATA, context.getPackageName(), DIR_CACHE);
Occurrence : 5
File Path: android\support\v4\content\ContextCompatFroyo.java
Line 14. public static File getExternalFilesDir(Context context, String type) {
Occurrence : 6
File Path: android\support\v4\content\ContextCompatFroyo.java
Line 15. return context.getExternalFilesDir(type);
Occurrence : 7
File Path: android\support\v4\content\FileProvider.java
Line 180. target = buildPath(Environment.getExternalStorageDirectory(), path);
Occurrence : 8
File Path: android\support\v4\os\EnvironmentCompat.java
Line 18. if (path.getCanonicalPath().startsWith(Environment.getExternalStorageDirectory().getCanonicalPath())) {
Occurrence : 9
File Path: com\android\insecurebankv2\DoTransfer.java
Line 158. BufferedWriter out2 = new BufferedWriter(new FileWriter(Environment.getExternalStorageDirectory() + "/Statements_" + DoTransfer.this.usernameBase64ByteString + ".html", true));
Occurrence : 10
File Path: com\android\insecurebankv2\DoTransfer.java
Line 173. BufferedWriter out22 = new BufferedWriter(new FileWriter(Environment.getExternalStorageDirectory() + "/Statements_" + DoTransfer.this.usernameBase64ByteString + ".html", true));
Occurrence : 11
File Path: com\android\insecurebankv2\ViewStatement.java
Line 22. File fileToCheck = new File(Environment.getExternalStorageDirectory(), "Statements_" + this.uname + ".html");
Occurrence : 12
File Path: com\android\insecurebankv2\ViewStatement.java
Line 26. mWebView.loadUrl("file://" + Environment.getExternalStorageDirectory() + "/Statements_" + this.uname + ".html");
Occurrence : 13
File Path: com\google\android\gms\internal\zzcb.java
Line 45. if (this.zzuI.get() && (externalStorageDirectory = Environment.getExternalStorageDirectory()) != null) {

Findings 12 : Missing copy and paste protection from EditText fields

Risk Information
Severity Information
Occurrences 9
Details Yaazhini detected that this Android application does not implement copy and paste protection in its EditText fields. On the Android platform, the clipboard is a framework that supports copying and pasting various types of data within an app and between apps. The clipboard holds only one clip object at a time. The developer should not allow sensitive fields to be copied to the clipboard.
Remediation Disable the copy and paste operation in EditText fields that contain sensitive data such as PINs and credit card numbers.
Occurrence : 1
File Path: res\layout\activity_change_password.xml
Line 7. <EditText android:textSize="20sp" android:textColorHint="#cccccc" android:id="@+id/editText_newPassword" android:background="@android:drawable/editbox_background" android:padding="20dp" android:layout_width="match_parent" android:layout_height="wrap_content" android:layout_marginLeft="20dp" android:layout_marginRight="20dp" android:hint="New Password" android:password="true" android:drawableLeft="@android:drawable/ic_lock_lock" android:layout_weight="1"/>
Occurrence : 2
File Path: res\layout\activity_do_transfer.xml
Line 10. <EditText android:id="@+id/editText_from" android:layout_width="match_parent" android:layout_height="wrap_content" android:layout_marginLeft="0dp" android:layout_marginRight="20dp" android:layout_weight="1"/>
Occurrence : 3
File Path: res\layout\activity_do_transfer.xml
Line 18. <EditText android:id="@+id/editText_to" android:layout_width="match_parent" android:layout_height="wrap_content" android:layout_marginLeft="0dp" android:layout_marginRight="20dp" android:layout_weight="1"/>
Occurrence : 4
File Path: res\layout\activity_do_transfer.xml
Line 29. <EditText android:id="@+id/editText_amount" android:layout_width="match_parent" android:layout_height="wrap_content" android:layout_marginLeft="0dp" android:layout_marginRight="20dp" android:layout_weight="1"/>
Occurrence : 5
File Path: res\layout\activity_do_transfer.xml
Line 36. <EditText android:textColorHint="#cccccc" android:id="@+id/editText_Phone" android:background="@android:drawable/editbox_background" android:padding="20dp" android:layout_width="match_parent" android:layout_height="wrap_content" android:layout_marginLeft="20dp" android:layout_marginRight="20dp" android:hint=" Phone Number" android:drawableLeft="@android:drawable/sym_action_call" android:layout_weight="1"/>
Occurrence : 6
File Path: res\layout\activity_file_pref.xml
Line 5. <EditText android:textSize="20sp" android:textStyle="bold" android:textColor="#000000" android:id="@+id/edittext_serverip" android:background="@android:drawable/editbox_background" android:padding="10dp" android:layout_width="wrap_content" android:layout_height="wrap_content" android:layout_marginLeft="0dp" android:layout_marginRight="5dp" android:text="10.0.2.2" android:layout_weight="1"/>
Occurrence : 7
File Path: res\layout\activity_file_pref.xml
Line 9. <EditText android:textSize="20sp" android:textStyle="bold" android:textColor="#000000" android:id="@+id/edittext_serverport" android:background="@android:drawable/editbox_background" android:padding="10dp" android:layout_width="wrap_content" android:layout_height="wrap_content" android:layout_marginLeft="0dp" android:layout_marginRight="5dp" android:text="8888" android:layout_weight="1"/>
Occurrence : 8
File Path: res\layout\activity_log_main.xml
Line 4. <EditText android:textColorHint="#cccccc" android:id="@+id/loginscreen_username" android:background="@android:drawable/editbox_background" android:padding="20dp" android:layout_width="match_parent" android:layout_height="wrap_content" android:layout_marginLeft="20dp" android:layout_marginRight="20dp" android:hint="Username" android:drawableLeft="@android:drawable/ic_menu_crop" android:layout_weight="1"/>
Occurrence : 9
File Path: res\layout\activity_log_main.xml
Line 7. <EditText android:textColorHint="#cccccc" android:id="@+id/loginscreen_password" android:background="@android:drawable/editbox_background" android:padding="20dp" android:layout_width="match_parent" android:layout_height="wrap_content" android:layout_marginLeft="20dp" android:layout_marginRight="20dp" android:hint="Password" android:password="true" android:drawableLeft="@android:drawable/ic_lock_lock" android:layout_weight="1"/>

Findings 13 : Missing protection against screenshots

Risk Information
Severity Information
Occurrences 10
Details Yaazhini detected that this Android application does not implement screenshot protection.
Remediation Disable the screenshot feature on screens that contain sensitive data.