ANDROID STATIC ANALYSIS REPORT
InsecureBankv2 (1.0)
File Name: InsecureBankv2.apk
Package Name: com.android.insecurebankv2
Scan Date: Jan. 29, 2024, 12:21 a.m.
App Security Score: 28/100 (CRITICAL RISK)
Grade: F
Trackers Detection: 3/432
FINDINGS SEVERITY
HIGH: 7 | MEDIUM: 9 | INFO: 0 | SECURE: 0 | HOTSPOT: 1
FILE INFORMATION
File Name: InsecureBankv2.apk
Size: 3.3MB
MD5: 5ee4829065640f9c936ac861d1650ffc
SHA1: 80b53f80a3c9e6bfd98311f5b26ccddcd1bf0a98
SHA256: b18af2a0e44d7634bbcdf93664d9c78a2695e050393fcfbb5e8b91f902d194a4
APP INFORMATION
App Name: InsecureBankv2
Package Name: com.android.insecurebankv2
Main Activity: com.android.insecurebankv2.LoginActivity
Target SDK: 22
Min SDK: 15
Max SDK:
Android Version Name: 1.0
Android Version Code: 1
APP COMPONENTS
Activities: 10
Services: 0
Receivers: 2
Providers: 1
Exported Activities: 4
Exported Services: 0
Exported Receivers: 1
Exported Providers: 1
CERTIFICATE INFORMATION
Binary is signed
v1 signature: True
v2 signature: False
v3 signature: False
v4 signature: False
X.509 Subject: ST=MA, L=Boston, O=SI, OU=Services, CN=Dinesh Shetty
Signature Algorithm: rsassa_pkcs1v15
Valid From: 2015-07-24 20:37:08+00:00
Valid To: 2040-07-17 20:37:08+00:00
Issuer: ST=MA, L=Boston, O=SI, OU=Services, CN=Dinesh Shetty
Serial Number: 0x6bb4f616
Hash Algorithm: sha256
md5: 6a736d89abb13d7165e7cff905ac928d
sha1: a1bae91a2b1620f6c9dab425e69fc32ba1e97741
sha256: 8092db81ae717486631a1534977def465ee112903e1553d38d41df8abd57a375
sha512: 53770f3f69916f74ddd6e750ae16fd9b23fa5b2c8e9e53bd5a84202d7d7c44a26ede13e6db450ab0c1d9f64534802b88ebb0b4de1da076b62112d9b122cbbd92
Found 1 unique certificates
APPLICATION PERMISSIONS
PERMISSION | STATUS | INFO | DESCRIPTION
android.permission.INTERNET | normal | full Internet access | Allows an application to create network sockets.
android.permission.WRITE_EXTERNAL_STORAGE | dangerous | read/modify/delete external storage contents | Allows an application to write to external storage.
android.permission.SEND_SMS | dangerous | send SMS messages | Allows application to send SMS messages. Malicious applications may cost you money by sending messages without your confirmation.
android.permission.USE_CREDENTIALS | dangerous | use the authentication credentials of an account | Allows an application to request authentication tokens.
android.permission.GET_ACCOUNTS | dangerous | list accounts | Allows access to the list of accounts in the Accounts Service.
android.permission.READ_PROFILE | dangerous | read the user's personal profile data | Allows an application to read the user's personal profile data.
android.permission.READ_CONTACTS | dangerous | read contact data | Allows an application to read all of the contact (address) data stored on your phone. Malicious applications can use this to send your data to other people.
android.permission.ACCESS_NETWORK_STATE | normal | view network status | Allows an application to view the status of all networks.
android.permission.ACCESS_COARSE_LOCATION | dangerous | coarse (network-based) location | Access coarse location sources, such as the mobile network database, to determine an approximate phone location, where available. Malicious applications can use this to determine approximately where you are.
APKID ANALYSIS
FILE | FINDINGS | DETAILS
classes.dex | Anti-VM Code | Build.MODEL check, Build.MANUFACTURER check, Build.PRODUCT check
classes.dex | Compiler | dx (possible dexmerge)
classes.dex | Manipulator Found | dexmerge
NETWORK SECURITY
NO | SCOPE | SEVERITY | DESCRIPTION
CERTIFICATE ANALYSIS
HIGH: 1 | WARNING: 0 | INFO: 1
TITLE | SEVERITY | DESCRIPTION
Signed Application | info | Application is signed with a code signing certificate
Application vulnerable to Janus Vulnerability | high | Application is signed with v1 signature scheme, making it vulnerable to Janus vulnerability on Android 5.0-8.0, if signed only with v1 signature scheme. Applications running on Android 5.0-7.0 signed with v1, and v2/v3 scheme is also vulnerable.
MANIFEST ANALYSIS
HIGH: 6 | WARNING: 7 | INFO: 0 | SUPPRESSED: 0
NO | ISSUE | SEVERITY | DESCRIPTION
1 | App can be installed on a vulnerable unpatched Android version Android 4.0.3-4.0.4, [minSdk=15] | high | This application can be installed on an older version of android that has multiple unfixed vulnerabilities. These devices won't receive reasonable security updates from Google. Support an Android version => 10, API 29 to receive reasonable security updates.
2 | Debug Enabled For App [android:debuggable=true] | high | Debugging was enabled on the app which makes it easier for reverse engineers to hook a debugger to it. This allows dumping a stack trace and accessing debugging helper classes.
3 | Application Data can be Backed up [android:allowBackup=true] | warning | This flag allows anyone to backup your application data via adb. It allows users who have enabled USB debugging to copy application data off of the device.
4 | Activity (com.android.insecurebankv2.PostLogin) is vulnerable to StrandHogg 2.0 | high | Activity is found to be vulnerable to StrandHogg 2.0 task hijacking vulnerability. When vulnerable, it is possible for other applications to place a malicious activity on top of the activity stack of the vulnerable application. This makes the application an easy target for phishing attacks. The vulnerability can be remediated by setting the launch mode attribute to "singleInstance" and by setting an empty taskAffinity (taskAffinity=""). You can also update the target SDK version (22) of the app to 29 or higher to fix this issue at platform level.
5 | Activity (com.android.insecurebankv2.PostLogin) is not Protected. [android:exported=true] | warning | An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
6 | Activity (com.android.insecurebankv2.DoTransfer) is vulnerable to StrandHogg 2.0 | high | Activity is found to be vulnerable to StrandHogg 2.0 task hijacking vulnerability. When vulnerable, it is possible for other applications to place a malicious activity on top of the activity stack of the vulnerable application. This makes the application an easy target for phishing attacks. The vulnerability can be remediated by setting the launch mode attribute to "singleInstance" and by setting an empty taskAffinity (taskAffinity=""). You can also update the target SDK version (22) of the app to 29 or higher to fix this issue at platform level.
7 | Activity (com.android.insecurebankv2.DoTransfer) is not Protected. [android:exported=true] | warning | An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
8 | Activity (com.android.insecurebankv2.ViewStatement) is vulnerable to StrandHogg 2.0 | high | Activity is found to be vulnerable to StrandHogg 2.0 task hijacking vulnerability. When vulnerable, it is possible for other applications to place a malicious activity on top of the activity stack of the vulnerable application. This makes the application an easy target for phishing attacks. The vulnerability can be remediated by setting the launch mode attribute to "singleInstance" and by setting an empty taskAffinity (taskAffinity=""). You can also update the target SDK version (22) of the app to 29 or higher to fix this issue at platform level.
9 | Activity (com.android.insecurebankv2.ViewStatement) is not Protected. [android:exported=true] | warning | An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
10 | Content Provider (com.android.insecurebankv2.TrackUserContentProvider) is not Protected. [android:exported=true] | warning | A Content Provider is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
11 | Broadcast Receiver (com.android.insecurebankv2.MyBroadCastReceiver) is not Protected. [android:exported=true] | warning | A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
12 | Activity (com.android.insecurebankv2.ChangePassword) is vulnerable to StrandHogg 2.0 | high | Activity is found to be vulnerable to StrandHogg 2.0 task hijacking vulnerability. When vulnerable, it is possible for other applications to place a malicious activity on top of the activity stack of the vulnerable application. This makes the application an easy target for phishing attacks. The vulnerability can be remediated by setting the launch mode attribute to "singleInstance" and by setting an empty taskAffinity (taskAffinity=""). You can also update the target SDK version (22) of the app to 29 or higher to fix this issue at platform level.
13 | Activity (com.android.insecurebankv2.ChangePassword) is not Protected. [android:exported=true] | warning | An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
CODE ANALYSIS
NO | ISSUE | SEVERITY | STANDARDS | FILES
NIAP ANALYSIS v1.3
NO | IDENTIFIER | REQUIREMENT | FEATURE | DESCRIPTION
ABUSED PERMISSIONS
TYPE | MATCHES | PERMISSIONS
Malware Permissions | 7/24 | android.permission.INTERNET, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.SEND_SMS, android.permission.GET_ACCOUNTS, android.permission.READ_CONTACTS, android.permission.ACCESS_NETWORK_STATE, android.permission.ACCESS_COARSE_LOCATION
Other Common Permissions | 0/45 |
Malware Permissions: Top permissions that are widely abused by known malware.
Other Common Permissions: Permissions that are commonly abused by known malware.
TRACKERS
TRACKER | CATEGORIES | URL
Google AdMob | Advertisement | https://reports.exodus-privacy.eu.org/trackers/312
Google Analytics | Analytics | https://reports.exodus-privacy.eu.org/trackers/48
Google Tag Manager | Analytics | https://reports.exodus-privacy.eu.org/trackers/105
HARDCODED SECRETS
POSSIBLE SECRETS
"loginscreen_password" : "Password:"
"loginscreen_username" : "Username:"
Report Generated by - MobSF v3.9.3 Beta