
Jobfit

Vulnerability Report
23 Jul 2018

QUIXXI SECURITY
This document summarizes the findings, analysis and recommendations from the assessment
conducted by Quixxi.

1.1. CONFIDENTIALITY & LIABILITY


The contents of this document are intended solely for “Jobfit” and may contain confidential
and/or privileged information that is legally protected from disclosure. This document must
not be given to any third party, printed, photocopied or shared in electronic form such as
email, in whole or in part, without the prior consent of “Jobfit”. If you are not the intended
recipient of this document, or if it has been addressed to you in error, please alert the sender
immediately.

1.2. DISCLAIMER

Private & Confidential


• Quixxi will not be responsible for any data loss, business functionality loss, reputational and/or
revenue loss caused during or after the testing. To that end, Quixxi mandates and urges the
customer to be diligent in backing up all systems, configurations, folders, files and settings that
fall within the scope of the proposed testing.

• By its nature the test scans only for vulnerabilities that could potentially lead to an intrusion. It
does not mean that intrusions which happened in the past will be detected, nor that it will detect
or prevent intrusions which might happen in future.

• The test is meant to find possible vulnerabilities based on the data provided by the customer. If
inadequate or incorrect data is provided, the scope of testing is limited, which can in turn leave
loopholes in the network unidentified. Quixxi will not be liable for such situations.

• With time, hacking methodologies, technologies and tools change. As a result, a vulnerability
fixed today is not fixed forever. It is very likely that a vulnerability fixed today with a patch or
re-configuration can still be exploited in future, which is why we recommend repeating the
vulnerability test periodically.

• It is often misconstrued that a vulnerability test is an actual hacking attack; in reality, the test is
an attempt to look for possible vulnerabilities that could potentially lead to an intrusion.

• Vulnerability tests are not capable of, and are not intended for, detecting inherent hardware,
software, firmware or application problems. The same applies to IT performance and
functionality problems.

• As a matter of policy, to protect the customer’s data privacy, Quixxi does not provide logs to the
customer. The logs are treated as internal working data for Quixxi’s technical team and are
therefore Quixxi’s intellectual property; the report generated from them is the only output meant
for the customer. Quixxi deletes/destroys all logs and findings of the test 3 (three) days after
submission of the final report, as a security practice to protect the client’s confidentiality. Any
disputes or concerns raised after 3 days will call for re-testing, which counts as a repetition of the
testing effort and will be charged extra.

1.3. TESTING METHODOLOGY


Quixxi tests the app using a variety of industry-standard tools, scanners and traffic analyzers to
cover a wide range of application vulnerabilities as recommended by the OWASP methodology.
This allows us to test the mobile application for high-risk security and privacy issues. A black-box
approach is used during the tests.

A complete assessment involves the following areas:



1.4. APP INFO
Platform : Android

Application Name : Jobfit

Package Name : au.gov.employment.jobfit

Package Version : 2.0.31

1.5. EXECUTIVE SUMMARY


Total Vulnerabilities Detected : 10

High Risk Threats : 1

Medium Risk Threats : 7

Low Risk Threats : 2

1.6. PERMISSIONS USED


android.permission.READ_EXTERNAL_STORAGE

android.permission.READ_PHONE_STATE

android.permission.GET_ACCOUNTS

android.permission.WAKE_LOCK

android.permission.INTERNET

android.permission.ACCESS_NETWORK_STATE

android.permission.ACCESS_FINE_LOCATION

android.permission.ACCESS_COARSE_LOCATION

android.permission.WRITE_EXTERNAL_STORAGE

android.permission.ACCESS_WIFI_STATE

au.gov.employment.jobfit.permission.C2D_MESSAGE

com.google.android.c2dm.permission.RECEIVE

android.permission.RECEIVE_BOOT_COMPLETED

1.7. LINKS ACCESSED


http://cp.pushwoosh.com/json/1.3/

http://dh8vjmvwgc27o.cloudfront.net/AIRGamepad/connect_ping.txt

http://dh8vjmvwgc27o.cloudfront.net/AIRGamepad/connect_ping.txt?publisher=

http://gamespace.adobe.com

http://s3-us-west-1.amazonaws.com/gamepreview/prod/airandroid/air.properties

http://static.pushwoosh.com/RichPush/Android/

http://www.adobe.com/airgames/3/

https://airdownload2.adobe.com/air?

https://cp.pushwoosh.com/json/1.3/

https://dh8vjmvwgc27o.cloudfront.net

https://go.pushwoosh.com/content/%s

https://pagead2.googlesyndication.com/pagead/gen_204?id=gmob-apps

https://plus.google.com/

https://ssl.google-analytics.com

https://www.adobe.com/airgames/4/

https://www.adobe.com/airgames/5/



https://www.adobe.com/gamepreview/?game=notification/notificationClicked.html_

https://www.googleapis.com/auth/appstate

https://www.googleapis.com/auth/datastoremobile

https://www.googleapis.com/auth/drive.appdata

https://www.googleapis.com/auth/drive.file

https://www.googleapis.com/auth/fitness.activity.read

https://www.googleapis.com/auth/fitness.activity.write

https://www.googleapis.com/auth/fitness.body.read

https://www.googleapis.com/auth/fitness.body.write

https://www.googleapis.com/auth/fitness.location.read

https://www.googleapis.com/auth/fitness.location.write

https://www.googleapis.com/auth/fitness.nutrition.read

https://www.googleapis.com/auth/fitness.nutrition.write

https://www.googleapis.com/auth/games

https://www.googleapis.com/auth/plus.login

https://www.googleapis.com/auth/plus.me

https://www.googletagmanager.com

1.8. HIGH SEVERITY VULNERABILITIES


1.8.1 Unsafe File Delete Check

Severity : High
Risk
Everything the app deletes may be recovered by another user or an attacker, especially on rooted
devices.

Threat
When a file is deleted with file.delete(), only the directory entry is removed from the file system
table. The file's blocks still hold the data until other data overwrites them, which leaves the
contents open to recovery with forensic tools or from a raw image of the partition.

Technical Details

This app uses file.delete() to delete files. A file deleted with file.delete() may be recovered by any
user or attacker, especially on rooted devices. Do not rely on "file.delete()" alone to dispose of
sensitive files: overwrite the contents before unlinking or, better, keep sensitive data encrypted at
rest so that nothing recoverable is ever written in the clear. The flagged call is in the Pushwoosh
SDK (third-party code bundled with the app), so the practical fix is to confirm that no sensitive
Jobfit data passes through that SDK and to raise the issue with the vendor. This app uses
file.delete() in the following methods:
1. com.pushwoosh.internal.utils.c.a()
Check this video for more details: https://www.youtube.com/watch?v=tGw1fxUD-uY
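As an added illustration (not code from this report, from the Jobfit app or from the Pushwoosh SDK), the following Java helper shows the conventional mitigation for a plain file.delete(): overwrite the file's bytes with random data, force them to storage, and only then unlink. The class name, buffer size and the tree-walking helper are assumptions. The caveat in the comments matters: on flash storage with wear levelling and on copy-on-write or encrypted file systems, the overwrite is not guaranteed to land on the same physical blocks, so encryption at rest (never writing plaintext in the first place) is the primary control and this is defence in depth.

```java
import java.io.File;
import java.io.IOException;
import java.io.RandomAccessFile;
import java.security.SecureRandom;

public final class SecureDelete {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int CHUNK = 64 * 1024; // assumed buffer size

    private SecureDelete() {}

    /**
     * Overwrites the file with random bytes, forces the data to storage, then unlinks it.
     * Returns true only if the file existed and was deleted.
     *
     * Caveat: best effort only. Flash translation layers (wear levelling) and
     * copy-on-write/encrypted file systems may place the new bytes on different physical
     * blocks, leaving the old contents recoverable from a forensic image. Treat encryption
     * at rest as the primary control and this helper as defence in depth.
     */
    public static boolean secureDelete(File f) throws IOException {
        if (f == null || !f.isFile()) {
            return false;
        }
        long remaining = f.length();
        byte[] buf = new byte[CHUNK];
        // "rws": every write of content and metadata is pushed to the device synchronously.
        try (RandomAccessFile raf = new RandomAccessFile(f, "rws")) {
            while (remaining > 0) {
                int n = (int) Math.min(buf.length, remaining);
                RNG.nextBytes(buf);
                raf.write(buf, 0, n);
                remaining -= n;
            }
            raf.getFD().sync(); // flush to the storage device before unlinking
        }
        return f.delete();
    }

    /** Applies secureDelete to every regular file under dir, then removes the directories. */
    public static boolean secureDeleteTree(File dir) throws IOException {
        if (dir.isFile()) {
            return secureDelete(dir);
        }
        File[] children = dir.listFiles();
        boolean ok = true;
        if (children != null) {
            for (File c : children) {
                ok &= c.isDirectory() ? secureDeleteTree(c) : secureDelete(c);
            }
        }
        return ok && dir.delete();
    }
}
```

Use it only for files under the app's private storage (getFilesDir() or getCacheDir()); files on external storage are world-readable while they exist and should not hold sensitive data at all.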

1.9. MEDIUM SEVERITY VULNERABILITIES


1.9.1 WebView addJavascriptInterface Remote Code Execution

Severity : Medium
Risk
The WebView JavaScript bridge can be abused to execute arbitrary Java code: script in the page
uses reflection through the exposed interface object to reach a runtime object (for example
java.lang.Runtime via getClass()) and run commands. The attacker can then mount many attacks
against the device. The lowest-impact attack would be reading the contents of the SD card and the
exploited application's data directory; depending on the device, this could extend to obtaining
root privileges, retrieving other sensitive user data from the device or causing the user monetary
loss.

Threat
Apps that need to render web content inside the app, rather than handing it to the browser, use a
WebView, and addJavascriptInterface() exposes a Java object to the scripts running in that page.
Before API level 17 every public method of that object was callable from JavaScript, which is the
reflection-based code execution of CVE-2012-6636; from API 17 onward, for apps targeting that
level, only methods annotated with @JavascriptInterface are exposed. The bridge remains
dangerous whenever the WebView can be made to load attacker-controlled content, for example a
page fetched over plain HTTP or an unvalidated URL.

Technical Details

This app uses WebView.addJavascriptInterface. WebView.addJavascriptInterface is used in the
following methods:
1. com.pushwoosh.inapp.WebActivity.a()
The flagged call is in the Pushwoosh in-app messaging component rather than in Jobfit's own
code. The app's target SDK level and the origins that activity loads (the links list above includes
both http:// and https:// Pushwoosh endpoints) determine whether the interface is exploitable in
practice.
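The following Java class is an added example of the hardened pattern, not code from the report, the Jobfit app or Pushwoosh: the bridge object exposes a single @JavascriptInterface method, the WebView is refused below API 17 (where the annotation is not enforced), file and content access are switched off, and navigation is confined to HTTPS on one trusted host so that an injected or redirected page never gets to talk to the bridge. The host name, the bridge name and the class names are assumptions.

```java
import android.annotation.SuppressLint;
import android.content.Context;
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public final class HardenedWebView {

    // Assumption: the only origin whose pages may call into the app.
    private static final String TRUSTED_HOST = "jobfit.example.gov.au";

    private HardenedWebView() {}

    /** The object exposed to page script. Keep it minimal and stateless. */
    public static final class Bridge {
        private final Context app;

        Bridge(Context ctx) {
            this.app = ctx.getApplicationContext();
        }

        // Only methods carrying @JavascriptInterface are reachable from JavaScript when the
        // app targets API 17 or later. Without the annotation every public method, including
        // getClass(), is reachable: the reflection-to-Runtime.exec path of CVE-2012-6636.
        // Bridge methods run on a background thread, so do no UI work here.
        @JavascriptInterface
        public String appPackage() {
            return app.getPackageName();
        }
    }

    @SuppressLint("SetJavaScriptEnabled")
    public static void configure(WebView wv, Context ctx) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {
            // Below API 17 the annotation is not enforced: expose no bridge at all.
            wv.getSettings().setJavaScriptEnabled(false);
            return;
        }
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(false);            // no file:// reads from page content
        s.setAllowContentAccess(false);         // no content:// reads either
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);

        wv.addJavascriptInterface(new Bridge(ctx), "JobfitBridge"); // name is an assumption

        wv.setWebViewClient(new WebViewClient() {
            @Override
            @SuppressWarnings("deprecation") // String overload works on every API level
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // true = "handled", i.e. the navigation is blocked
                return !isTrusted(Uri.parse(url));
            }
        });
    }

    /** Gate the initial load too: shouldOverrideUrlLoading is not called for loadUrl(). */
    public static boolean load(WebView wv, String url) {
        if (!isTrusted(Uri.parse(url))) {
            return false;
        }
        wv.loadUrl(url);
        return true;
    }

    static boolean isTrusted(Uri u) {
        return u != null
                && "https".equals(u.getScheme())
                && TRUSTED_HOST.equalsIgnoreCase(u.getHost());
    }
}
```

If the WebView must show content the app does not control (arbitrary links, third-party campaign pages), the right answer is not to add an interface at all, or to call removeJavascriptInterface() before loading that content.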

1.9.2 Missing usage of native (C, C++) code

Severity : Medium
Risk
Business logic written in Java can be decompiled easily, and the recovered logic is far easier to
read than the equivalent native code.

Threat
Usage of native code is determined by the presence of C or C++ code in the application. Java
bytecode decompiles cleanly to readable source, whereas native code has to be disassembled and
understood at the machine-code level. Moving logic into native code raises the effort required
for reverse engineering but does not prevent it; it is an obfuscation measure rather than a security
control, and should be paired with bytecode obfuscation (ProGuard/R8) and, above all, with not
placing secrets in the client at all.

Technical Details

This application does not contain any native (C, C++) code.

1.9.3 Outputting Logs to logcat / Logging Sensitive Information

Severity : Medium
Risk
Logging sensitive information can leak it to other processes that can read the system log and to
anyone with a USB debugging connection to the device.

Threat
Android lets an app write log output and lets tools obtain that output. Applications write to the
log with the android.util.Log class; the log is read with the logcat command. Since Android 4.1
(API 16) an ordinary third-party app can no longer read other apps' log entries (READ_LOGS is
restricted to system and signature-level apps), so the main exposure is through adb logcat, bug
reports and crash-reporting uploads, but secrets, tokens and personal data should still never be
written to the log.

Technical Details

This app outputs logs to logcat. The following methods contain code for outputting logs:
1. au.gov.employment.jobfit.AppEntry.onCreate()
2. com.distriqt.core.utils.FREUtils.log()
3. com.distriqt.core.utils.Resources.listResources()
4. com.distriqt.extension.core.util.Assets.listAssetsInDirectory()
5. com.distriqt.extension.dialog.functions.DialogToastFunction.call()
6. com.pushwoosh.PushManager.getInstance()
7. com.pushwoosh.internal.utils.PWLog.debug()
8. com.pushwoosh.internal.utils.PWLog.info()
9. com.pushwoosh.internal.utils.PWLog.noise()
10. com.pushwoosh.internal.utils.PWLog.warn()
Only the first entry is in Jobfit's own package; the rest are in the bundled distriqt and Pushwoosh
third-party libraries, whose logging should be reduced to warnings or errors in release builds
where the SDK offers a log-level setting.
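As an added example (not code from the report or the Jobfit app), this Java logging wrapper shows the two controls a practitioner applies to the app's own logging: debug output compiled in only for debug builds, and redaction of any value that has to appear in a warning. It assumes a Gradle-generated BuildConfig class in the app's package (au.gov.employment.jobfit.BuildConfig), which an Adobe AIR build may not have; the tag, class and method names are also assumptions. The trailing comment shows the R8/ProGuard rule that removes the remaining Log.d/Log.v/Log.i calls from the release APK entirely.

```java
import android.util.Log;

public final class SafeLog {

    private static final String TAG = "Jobfit"; // assumed tag

    // Assumption: a Gradle-generated BuildConfig exists in the app's package.
    // Debug-level output only in debug builds; release builds log nothing below WARN.
    private static final boolean VERBOSE = au.gov.employment.jobfit.BuildConfig.DEBUG;

    private SafeLog() {}

    public static void d(String msg) {
        if (VERBOSE) {
            Log.d(TAG, msg);
        }
    }

    /** Warnings survive in release builds, so callers must pass redacted values only. */
    public static void w(String msg, Throwable t) {
        Log.w(TAG, msg, t);
    }

    /** Masks a secret so the log shows only its length and the last four characters. */
    public static String redact(String secret) {
        if (secret == null) {
            return "null";
        }
        int keep = Math.min(4, secret.length());
        StringBuilder sb = new StringBuilder(secret.length());
        for (int i = 0; i < secret.length() - keep; i++) {
            sb.append('*');
        }
        return sb.append(secret, secret.length() - keep, secret.length()).toString();
    }
}

/*
 * Belt and braces for release builds: have R8/ProGuard strip the debug calls so they are
 * not even present in the shipped APK (add to proguard-rules.pro):
 *
 *   -assumenosideeffects class android.util.Log {
 *       public static *** v(...);
 *       public static *** d(...);
 *       public static *** i(...);
 *   }
 */
```

A call such as SafeLog.w("token refresh failed for " + SafeLog.redact(accessToken), e) leaves a usable trace for support without ever writing the token itself to the log.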

1.9.4 Usage of ADB Backup

Severity : Medium
Risk
An attacker with physical access can pull a backup of the app and read the sensitive data in it,
including passwords and tokens.

Threat
The Android operating system offers a backup/restore mechanism for installed packages through
the ADB utility. By default a full backup includes the application's private files on the /data
partition, but applications can customize this behaviour by implementing a BackupAgent class,
which lets them control which files and data feed the backup process, or opt out entirely with
android:allowBackup="false" in the manifest.

Technical Details

ADB Backup is enabled for this app (default: ENABLED; the manifest attribute
android:allowBackup defaults to true when it is not set).


ADB Backup is a useful tool for backing up all of your files. If it is open for this app, anyone who
has your phone can copy all of this app's sensitive data (prerequisites: 1. unlock the phone's
screen, 2. enable developer mode and USB debugging, 3. accept the backup prompt on the
device). The sensitive data may include long-lived access tokens, usernames or passwords. To
verify, run "adb backup -f jobfit.ab au.gov.employment.jobfit" from a workstation and inspect
the resulting archive. The fix is to set android:allowBackup="false" in the manifest or, where
backup is wanted, to exclude sensitive files through a BackupAgent or backup rules. On Android
12 (API 31) and later, for apps targeting that level, adb backup no longer includes app data
unless the app is debuggable, but the attribute should still be set explicitly for older devices.
Security cases related to ADB Backup:
1. http://www.securityfocus.com/archive/1/530288/30/0/threaded
2. http://blog.c22.cc/advisories/cve-2013-5112-evernote-android-insecure-storage-of-pin-data-bypass-of-pin-protection
3. http://nelenkov.blogspot.co.uk/2012/06/unpacking-android-backups.html

1.9.5 Protection of text fields from copying the text and pasting it outside your app

Severity : Medium
Risk
Clipboard data manipulation can lead to common code injection attacks such as JavaScript
injection and command injection, and to phishing, both web and in-app. Data theft happens when
sensitive data copied to the clipboard is read by a malicious application.

Threat
On the Android platform the clipboard is a system-wide facility for copying and pasting many
kinds of data within an app and between apps. Before Android 10, any installed application could
read the clipboard and register a listener for changes to it, so everything the user copied was
visible to every app; from Android 10 (API 29) only the app in the foreground and the default
input method can read it. Sensitive fields (passwords, one-time codes, identity numbers) should
therefore not be copyable at all, and the app should clear the clipboard after it has placed a
sensitive value there.

Technical Details

This app does not have code to prevent copying and pasting from the application.
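The following Java helper is an added example, not code from the report or the Jobfit app, of the three clipboard controls described above: suppressing selection and the cut/copy/paste toolbar on a sensitive EditText (including the separate insertion-handle menu on API 23+), marking secret fields as password input (which the platform already refuses to copy), and clearing the clipboard after the app has put a sensitive value on it. Class and method names are assumptions.

```java
import android.content.ClipData;
import android.content.ClipboardManager;
import android.content.Context;
import android.os.Build;
import android.text.InputType;
import android.view.ActionMode;
import android.view.Menu;
import android.view.MenuItem;
import android.widget.EditText;

public final class ClipboardGuard {

    private ClipboardGuard() {}

    /** An ActionMode callback that never shows the cut/copy/paste/share toolbar. */
    private static final ActionMode.Callback NO_ACTION_MODE = new ActionMode.Callback() {
        @Override public boolean onCreateActionMode(ActionMode mode, Menu menu) { return false; }
        @Override public boolean onPrepareActionMode(ActionMode mode, Menu menu) { return false; }
        @Override public boolean onActionItemClicked(ActionMode mode, MenuItem item) { return false; }
        @Override public void onDestroyActionMode(ActionMode mode) { }
    };

    /** Blocks text selection and the copy/paste toolbar on a sensitive field. */
    public static void disableCopyPaste(EditText field) {
        field.setLongClickable(false);
        field.setTextIsSelectable(false);
        field.setCustomSelectionActionModeCallback(NO_ACTION_MODE);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            // API 23+: the floating "Paste" menu on the insertion handle is a separate mode.
            field.setCustomInsertionActionModeCallback(NO_ACTION_MODE);
        }
    }

    /** Password input already suppresses copying; use it for secrets instead of plain text. */
    public static void markAsPassword(EditText field) {
        field.setInputType(InputType.TYPE_CLASS_TEXT | InputType.TYPE_TEXT_VARIATION_PASSWORD);
    }

    /**
     * When the app itself copies a sensitive value (e.g. a one-time code), clear it once it has
     * been used so that, on pre-Android 10 devices, background apps cannot pick it up later.
     */
    public static void clearClipboard(Context ctx) {
        ClipboardManager cm = (ClipboardManager) ctx.getSystemService(Context.CLIPBOARD_SERVICE);
        if (cm == null) {
            return;
        }
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            cm.clearPrimaryClip();
        } else {
            cm.setPrimaryClip(ClipData.newPlainText("", ""));
        }
    }
}
```

Apply disableCopyPaste() only to genuinely sensitive fields; blocking paste on ordinary fields pushes users toward weaker, typeable passwords and breaks password managers.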

1.9.6 Protection against capturing screenshots and sharing the screen outside your app

Severity : Medium
Risk
Without protection against screenshot capture and screen sharing, the user risks leaking sensitive
information.

Threat
Sensitive information shown by the app, and the user's activity in it, can be stolen by capturing
screenshots or by sharing the screen (screen recording, casting, or a malicious app using the
MediaProjection API).

Technical Details

This app does not have code to prevent taking screenshots. On Android this is controlled per
window with WindowManager.LayoutParams.FLAG_SECURE, which makes the system refuse to
capture that window's content.

1.9.7 Protection of app screens by blurring them when the app is running in the background

Severity : Medium
Risk
Without protection of the app's preview while it runs in the background, the user risks leaking
sensitive information.

Threat
When a user sends an app to the background, the last screen it displayed in the foreground is
kept as a thumbnail in the recent-apps (overview) list. The information in that preview can be
captured by screenshot or simply read by anyone who picks up the device.

Technical Details

This app does not have code to prevent its screens from being previewed while the application is
running in the background. The same FLAG_SECURE window flag that blocks screenshots also
blanks the recents thumbnail; alternatively the activity can hide or clear its sensitive views in
onPause().
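One mitigation covers both 1.9.6 (screenshots and screen sharing) and 1.9.7 (the background preview). The Java class below is an added example, not code from the report or the Jobfit app: an Application subclass that registers a lifecycle callback and sets FLAG_SECURE on every activity window as it is created, so the system refuses screenshots and screen recording of the app and blanks its thumbnail in the overview list. The class name is an assumption and it would need to be declared as the android:name of the application element in AndroidManifest.xml.

```java
import android.app.Activity;
import android.app.Application;
import android.os.Bundle;
import android.view.WindowManager;

/**
 * Assumed to be registered as the app's Application class in AndroidManifest.xml
 * (android:name=".SecureApplication"); the class name is an assumption.
 */
public class SecureApplication extends Application {

    @Override
    public void onCreate() {
        super.onCreate();
        registerActivityLifecycleCallbacks(new Application.ActivityLifecycleCallbacks() {
            @Override
            public void onActivityCreated(Activity a, Bundle savedInstanceState) {
                // onActivityCreated is dispatched from Activity.onCreate(), i.e. before the
                // activity's own setContentView(), so the flag is in place before any content
                // is drawn. FLAG_SECURE marks the window as secure: screenshots and screen
                // recording of it are refused and the recents/overview thumbnail is blanked.
                a.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                                       WindowManager.LayoutParams.FLAG_SECURE);
            }
            @Override public void onActivityStarted(Activity a) { }
            @Override public void onActivityResumed(Activity a) { }
            @Override public void onActivityPaused(Activity a) { }
            @Override public void onActivityStopped(Activity a) { }
            @Override public void onActivitySaveInstanceState(Activity a, Bundle outState) { }
            @Override public void onActivityDestroyed(Activity a) { }
        });
    }
}
```

Two caveats: a Dialog has its own window, so the flag must be set on the dialog's window as well, and FLAG_SECURE is enforced by the platform, so a rooted device or a modified ROM can ignore it; it protects against other apps and casual capture, not against a compromised OS.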

1.10. LOW SEVERITY VULNERABILITIES


1.10.1 Executing "root" or System Privilege Check

Severity : Low

Risk
When an app runs on a rooted device, an attacker can dynamically analyse the app, access its
sensitive data and steal intellectual property.

Threat
Rooting is the process by which users of smartphones, tablets and other devices running the
Android operating system obtain privileged (superuser) control over the Android subsystems.
With root, the app's private storage, memory and network traffic are all readable, and its code
can be instrumented at run time.

Technical Details

This application does not have code to check whether "root" privileges are available on the
device. Root detection is a best-effort, client-side check that a determined attacker can hide from
or hook out; it should inform a risk decision (for example, not caching credentials on such a
device) and be complemented by server-verified device attestation rather than treated as a hard
boundary.
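As an added example (not code from the report or the Jobfit app), the Java class below implements the usual root heuristics: firmware signed with the AOSP test keys, well-known su binary and root-manager locations, and an su executable anywhere on $PATH. The path list is a set of common indicators, not an exhaustive one, and the class name is an assumption.

```java
import android.os.Build;
import java.io.File;

public final class RootCheck {

    // Common locations of su binaries and root-management apps. Indicators, not proof.
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
        "/system/app/Superuser.apk", "/data/adb/magisk"
    };

    private RootCheck() {}

    /** Firmware signed with the AOSP test keys is a typical custom-ROM marker. */
    public static boolean hasTestKeys() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    public static boolean hasSuBinary() {
        for (String p : SU_PATHS) {
            if (new File(p).exists()) {
                return true;
            }
        }
        return false;
    }

    /** Walks $PATH so that a relocated su binary is still spotted. */
    public static boolean hasSuOnPath() {
        String path = System.getenv("PATH");
        if (path == null) {
            return false;
        }
        for (String dir : path.split(":")) {
            if (!dir.isEmpty() && new File(dir, "su").canExecute()) {
                return true;
            }
        }
        return false;
    }

    /** True if any indicator fires. Callers should degrade gracefully, not crash. */
    public static boolean looksRooted() {
        return hasTestKeys() || hasSuBinary() || hasSuOnPath();
    }
}
```

Every one of these checks can be defeated by hooking the app with Frida or Xposed or by hiding root from it with Magisk, so treat a negative result as "no evidence", not as assurance. For a decision that matters (for example whether to allow a session on this device at all), pair the local check with a hardware-backed attestation verified on the server (SafetyNet Attestation at the time of this report, the Play Integrity API today).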



1.10.2 MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE Vulnerability Check

Severity : Low

Risk
Apps that store their own executable code in world-writable files allow a malicious app to
overwrite that code and execute its own with the privileges of the vulnerable app. World-readable
files expose their contents to every other app on the device.

Threat
The file modes "MODE_WORLD_READABLE" and "MODE_WORLD_WRITEABLE" make a file in the
app's private directory accessible to other apps, so any malicious app can read (or, if writable,
replace) the information in it. These constants were deprecated in API level 17 and, for apps
targeting Android 7.0 (API 24) or later, using them throws a SecurityException. Creating
world-accessible files is very dangerous and likely to cause security holes in applications; it is
strongly discouraged, and applications should instead use the formal mechanisms for
inter-application interaction: ContentProvider (with FileProvider and per-recipient URI grants
for files), BroadcastReceiver and Service.

Technical Details

This app uses the "MODE_WORLD_READABLE" or "MODE_WORLD_WRITEABLE" flag in the
following classes while creating files:
1. com.distriqt.extension.core.util.Assets.getAssetFile()

2. com.distriqt.extension.dialog.util.Assets.getAssetFile()

3. com.distriqt.extension.googleanalytics.util.Assets.getAssetFile()

All three are in the bundled distriqt native extensions rather than in Jobfit's own code. Judging
by the method names, they copy bundled assets out to files; the actual exposure depends on
whether any of those assets are sensitive and on which of the two modes is used.
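The Java class below is an added example, not code from the report, the Jobfit app or the distriqt extensions. It places the pattern the scanner flags (a world-readable file in internal storage) beside the hardened form (a MODE_PRIVATE file) and shows the supported way to hand that private file to one specific app: a FileProvider content URI with a temporary read grant. It assumes the AndroidX FileProvider (the 2018-era equivalent is android.support.v4.content.FileProvider) and a matching provider declaration in AndroidManifest.xml; the authority string and class names are assumptions.

```java
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import androidx.core.content.FileProvider;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

public final class PrivateAssets {

    // Assumption: matches the <provider android:authorities="..."> entry for FileProvider
    // in AndroidManifest.xml, with a file_paths resource that covers getFilesDir().
    private static final String AUTHORITY = "au.gov.employment.jobfit.fileprovider";

    private PrivateAssets() {}

    /**
     * What the scanner flags: a file any app on the device can read (and, with
     * MODE_WORLD_WRITEABLE, replace). For apps targeting API 24 or later this call throws a
     * SecurityException instead of creating the file. Shown for contrast only.
     */
    @SuppressWarnings("deprecation")
    public static File writeWorldReadable(Context ctx, String name, byte[] data) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_WORLD_READABLE)) {
            out.write(data);
        }
        return new File(ctx.getFilesDir(), name);
    }

    /** Hardened: owner-only permissions in the app's internal storage. */
    public static File writePrivate(Context ctx, String name, byte[] data) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            out.write(data);
        }
        return new File(ctx.getFilesDir(), name);
    }

    /**
     * If another app genuinely needs the file, hand it a content:// URI with a temporary,
     * per-recipient read grant instead of loosening the file's permission bits.
     */
    public static Intent shareWithApp(Context ctx, File privateFile, String recipientPackage) {
        Uri uri = FileProvider.getUriForFile(ctx, AUTHORITY, privateFile);
        return new Intent(Intent.ACTION_SEND)
                .setType("application/octet-stream")
                .putExtra(Intent.EXTRA_STREAM, uri)
                .setPackage(recipientPackage)          // only this recipient receives the grant
                .addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
    }
}
```

The grant attached to the Intent lasts only as long as the receiving activity's task, whereas a world-readable file stays readable by everything on the device for as long as it exists.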
