Vulnerability Report
23 Jul 2018
QUIXXI SECURITY
This document summarizes the findings, analysis and recommendations from the assessment
conducted by Quixxi.
1.2. DISCLAIMER
• By its nature the test scans only for vulnerabilities that can potentially lead to an intrusion. It
does not mean that intrusions which happened in the past will be detected, nor that it will
detect and prevent intrusions which might happen in the future.
• The test is meant to find possible vulnerabilities based on the data provided by the customer. If
inadequate or incorrect data is provided, it can limit the scope of testing, which can in turn
leave loopholes in the network unidentified. Quixxi will not be liable for such situations.
• With time, hacking methodologies, technologies and tools change. As a result, a vulnerability
fixed today does not mean it is fixed forever. It is very likely that the vulnerability fixed today
with a patch or re-configuration, can still be exploited in future, which is why we recommend
taking the vulnerability test periodically.
• It is often misconstrued that a vulnerability test is an actual hacking attack; in reality, the test is
an attempt to look for possible vulnerabilities that can potentially lead to an intrusion.
• Vulnerability tests are not capable of and are not intended to detect any inherent hardware,
software, firmware or application based problems. The same applies to IT performance and
functionality problems too.
• As a policy to protect customer’s data privacy, Quixxi does not provide logs to the customer.
The logs are treated as internal working data for Quixxi’s tech team, hence are intellectual
property of Quixxi, and the report generated out of it is the only output/outcome meant for the
customer to see. Quixxi deletes/destroys all the logs and findings of the performance test, after
3 (three) days from the submission of final report as a matter of security practice, to protect
client’s confidentiality. Any disputes or concerns raised after 3 days will call for re-testing,
which counts as a repetition of the testing effort and will be charged extra.
android.permission.READ_PHONE_STATE
android.permission.GET_ACCOUNTS
android.permission.WAKE_LOCK
android.permission.INTERNET
android.permission.ACCESS_NETWORK_STATE
android.permission.ACCESS_FINE_LOCATION
android.permission.ACCESS_COARSE_LOCATION
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.ACCESS_WIFI_STATE
android.permission.READ_PHONE_STATE
android.permission.READ_PHONE_STATE
android.permission.INTERNET
android.permission.GET_ACCOUNTS
android.permission.WAKE_LOCK
au.gov.employment.jobfit.permission.C2D_MESSAGE
com.google.android.c2dm.permission.RECEIVE
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.ACCESS_COARSE_LOCATION
android.permission.ACCESS_FINE_LOCATION
http://dh8vjmvwgc27o.cloudfront.net/AIRGamepad/connect_ping.txt
http://dh8vjmvwgc27o.cloudfront.net/AIRGamepad/connect_ping.txt?publisher=
http://gamespace.adobe.com
http://s3-us-west-1.amazonaws.com/gamepreview/prod/airandroid/air.properties
http://static.pushwoosh.com/RichPush/Android/
http://www.adobe.com/airgames/3/
https://airdownload2.adobe.com/air?
https://cp.pushwoosh.com/json/1.3/
https://dh8vjmvwgc27o.cloudfront.net
https://go.pushwoosh.com/content/%s
https://pagead2.googlesyndication.com/pagead/gen_204?id=gmob-apps
https://plus.google.com/
https://ssl.google-analytics.com
https://www.adobe.com/airgames/4/
https://www.adobe.com/airgames/5/
https://www.googleapis.com/auth/appstate
https://www.googleapis.com/auth/datastoremobile
https://www.googleapis.com/auth/drive.appdata
https://www.googleapis.com/auth/drive.file
https://www.googleapis.com/auth/fitness.activity.read
https://www.googleapis.com/auth/fitness.activity.write
https://www.googleapis.com/auth/fitness.body.read
https://www.googleapis.com/auth/fitness.body.write
https://www.googleapis.com/auth/fitness.location.read
https://www.googleapis.com/auth/fitness.location.write
https://www.googleapis.com/auth/fitness.nutrition.read
https://www.googleapis.com/auth/fitness.nutrition.write
https://www.googleapis.com/auth/games
https://www.googleapis.com/auth/plus.login
https://www.googleapis.com/auth/plus.me
https://www.googletagmanager.com
Severity : High
Risk
Anything you delete may be recovered by another user or an attacker, especially on rooted devices.
Threat
When you delete a file using File.delete(), only the file system's reference to the file is removed.
The file's contents remain on disk until other data overwrites them, leaving them open to
recovery.
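The following is an added example of the remediation, not code from the assessed app: the file is overwritten with random bytes and flushed to storage before it is unlinked, so the old contents are no longer sitting in free blocks. The class and method names are assumed for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.io.RandomAccessFile;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

/** Added example (not from the assessed app): overwrite a file's contents before unlinking it. */
public final class SecureDelete {
    private static final SecureRandom RNG = new SecureRandom();

    /**
     * Overwrites the file with random bytes, forces the write to storage, truncates it,
     * then deletes it. Returns true only if the overwrite succeeded and the file is gone.
     */
    public static boolean wipeAndDelete(File f) {
        if (f == null || !f.isFile()) {
            return false;
        }
        // "rws": every write is flushed to the underlying device, not just the page cache
        try (RandomAccessFile raf = new RandomAccessFile(f, "rws")) {
            long remaining = raf.length();
            byte[] junk = new byte[64 * 1024];
            raf.seek(0);
            while (remaining > 0) {
                int n = (int) Math.min(junk.length, remaining);
                RNG.nextBytes(junk);           // random, so the old plaintext is not distinguishable from the fill
                raf.write(junk, 0, n);
                remaining -= n;
            }
            raf.getFD().sync();                // belt and braces: fsync before changing metadata
            raf.setLength(0);                  // original length is not recoverable from the inode either
        } catch (IOException e) {
            return false;                      // leave the file in place rather than pretend it was wiped
        }
        return f.delete();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a temporary file standing in for a cached credential
        File tmp = File.createTempFile("secret", ".tmp");
        try (RandomAccessFile raf = new RandomAccessFile(tmp, "rw")) {
            raf.write("constructed sample secret".getBytes(StandardCharsets.UTF_8));
        }
        System.out.println("wiped and deleted: " + wipeAndDelete(tmp));
    }
}
```

The caveat a practitioner should keep in mind: on flash storage the controller's wear levelling, and copy-on-write or journaling file systems, can leave the previous blocks physically intact even after an in-place overwrite. The robust design is to keep sensitive files encrypted with a key held in the Android Keystore and to destroy the key when the data is no longer needed, which makes the leftover blocks useless regardless of what the storage layer did.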
Technical Details
Severity : Medium
Risk
The WebView JavaScript bridge can be abused to execute arbitrary Java code: page JavaScript
uses reflection through the exposed interface object to acquire a reference to a runtime object.
The attacker can then perform many attacks against the device. The lowest-impact attack would be
downloading the contents of the SD card and of the exploited application’s data directory.
Depending on the device exploited, this could extend to obtaining root privileges, retrieving
other sensitive user data from the device, or causing the user monetary loss.
Threat
Apps that handle web content and want to render certain web pages inside the app, rather than
in the browser, make use of WebView. When such an app exposes a Java object to page JavaScript
through addJavascriptInterface(), any page loaded into that WebView, including one injected by a
network attacker over plain HTTP, can call that object's methods.
Technical Details
Severity : Medium
Risk
Business logic written in Java is easily decompiled, and its logic is easier to understand than
logic compiled to native code.
Threat
Usage of native code is determined by the presence of C or C++ code in the application. Java
code can be easily decompiled, and its logic is easier to understand than native code.
Severity : Medium
Risk
Logging sensitive information can leak it to malicious apps.
Threat
Android provides capabilities for an app to output logging information and to obtain log output.
Applications can send information to the log output using the android.util.Log class. To obtain
log output, applications can execute the logcat command.
Technical Details
This app outputs logs to Logcat. The following methods contain code that outputs logs:
1. au.gov.employment.jobfit.AppEntry.onCreate()
2. com.distriqt.core.utils.FREUtils.log()
3. com.distriqt.core.utils.Resources.listResources()
4. com.distriqt.extension.core.util.Assets.listAssetsInDirectory()
5. com.distriqt.extension.dialog.functions.DialogToastFunction.call()
6. com.pushwoosh.PushManager.getInstance()
7. com.pushwoosh.internal.utils.PWLog.debug()
8. com.pushwoosh.internal.utils.PWLog.info()
9. com.pushwoosh.internal.utils.PWLog.noise()
10. com.pushwoosh.internal.utils.PWLog.warn()
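An added example, not code from the assessed app or its libraries, of a logging wrapper that is silent in release builds and redacts the usual secret shapes before anything reaches Logcat. The class name and the redaction patterns are assumptions chosen for illustration. Note the scope of the threat: since Android 4.1 (API 16) third-party apps are no longer granted READ_LOGS, so another app cannot read this app's Logcat output; the log is still visible over adb, in bug reports, and to anything running as root.

```java
import android.util.Log;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example (not from the assessed app): a release-safe, redacting Log wrapper. */
public final class SafeLog {
    /** In a real project substitute BuildConfig.DEBUG, generated by the Android Gradle plugin. */
    private static final boolean DEBUG = false;

    // Assumed patterns: bearer tokens, key=value / JSON secrets, and 16-digit card numbers.
    // Group 1, where present, is the prefix that is kept so the log line stays readable.
    private static final Pattern[] SECRETS = {
        Pattern.compile("(?i)(bearer\\s+)[A-Za-z0-9._\\-]+"),
        Pattern.compile("(?i)(\"?(?:password|pwd|token|secret|api_key)\"?\\s*[:=]\\s*\"?)[^\\s\",]+"),
        Pattern.compile("\\b\\d{4}[ -]?\\d{4}[ -]?\\d{4}[ -]?\\d{4}\\b"),
    };

    /** Replaces each matched secret with [REDACTED], keeping the key or "Bearer " prefix. */
    public static String redact(String msg) {
        if (msg == null) {
            return null;
        }
        String out = msg;
        for (Pattern p : SECRETS) {
            Matcher m = p.matcher(out);
            StringBuffer sb = new StringBuffer();
            while (m.find()) {
                String prefix = (m.groupCount() >= 1 && m.group(1) != null) ? m.group(1) : "";
                m.appendReplacement(sb, Matcher.quoteReplacement(prefix + "[REDACTED]"));
            }
            m.appendTail(sb);
            out = sb.toString();
        }
        return out;
    }

    /** Debug output is dropped entirely in release builds. */
    public static void d(String tag, String msg) {
        if (DEBUG) {
            Log.d(tag, redact(msg));
        }
    }

    /** Warnings are kept in release, but only after redaction. */
    public static void w(String tag, String msg) {
        Log.w(tag, redact(msg));
    }
}
```

For the third-party code listed above, which the app cannot edit, the same effect is reached at build time: a ProGuard/R8 rule such as `-assumenosideeffects class android.util.Log { public static *** d(...); public static *** v(...); }` strips the debug and verbose calls from every class in the release APK, library code included.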
Severity : Medium
Risk
An attacker can access the backup and the sensitive data in it, including passwords.
Threat
The Android operating system offers a backup/restore mechanism for installed packages through
the ADB utility. A full backup of applications, including the private files stored on the /data
partition, is performed by default (android:allowBackup is true unless the manifest says
otherwise), but applications can customize this behaviour by implementing a BackupAgent class.
This way they can feed the backup process with custom files and data.
1.9.5 Protection of text fields from copying the text and paste outside your app
Severity : Medium
Risk
Clipboard data manipulation may lead to common code injection attacks, such as JavaScript
injection and command injection. It can also enable phishing attacks, including web phishing
and app phishing. Data theft occurs when sensitive data copied to the clipboard is read by
malicious applications.
Threat
On the Android platform, the clipboard is a powerful framework that supports copy and paste of
various types of data within an app as well as between apps. Android's API lets any installed
application register a listener for clipboard changes and read everything that is copied, without
holding any permission.
Technical Details
This app does not have code to prevent copy and paste out of the application.
1.9.6 Protection of capturing screenshots & sharing screens outside your app
Severity : Medium
Risk
By not preventing screenshot capture and screen sharing, the user risks leaking sensitive
information.
Threat
Sensitive information from the app, and the user's activity in it, can be stolen by capturing screenshots.
Technical Details
This app does not have code to prevent screenshots from being taken.
1.9.7 Protection of app screens by blurring when the app is running in the background
Severity : Medium
Risk
By not protecting the preview of the app shown while it is running in the background, the user
risks leaking sensitive information.
Threat
When a user sends an app to the background, the information that was displayed while the app
was in the foreground is shown as its preview in the recent-apps list. This information shown in
the app preview can be stolen via screenshot capture.
Technical Details
This app does not have code to prevent its screens from being previewed while the application is
running in the background.
Severity : Low
Risk
When an app runs on a rooted device, an attacker can dynamically analyse the app, access
sensitive data and steal intellectual property.
Threat
Rooting is the process of allowing users of smartphones, tablets and other devices running the
Android mobile operating system to attain privileged control (superuser) over various Android
subsystems.
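An added example, not code from the assessed app, of a best-effort root check combining the usual signals: su binaries at their customary paths, a build signed with public test keys, su reachable on PATH, and the presence of a root-management app. The class name is assumed, the path and package lists are the commonly known ones rather than an exhaustive set.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Build;
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;

/** Added example (not from the assessed app): a best-effort, bypassable root check. */
public final class RootCheck {

    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
        "/system/sd/xbin/su", "/data/local/xbin/su", "/data/local/bin/su", "/data/local/su",
    };

    /** Well-known root managers: SuperSU, Magisk Manager, Koush's Superuser, ChainsDD Superuser. */
    private static final String[] ROOT_MANAGERS = {
        "eu.chainfire.supersu", "com.topjohnwu.magisk",
        "com.koushikdutta.superuser", "com.noshufou.android.su",
    };

    public static boolean hasSuBinary() {
        for (String p : SU_PATHS) {
            if (new File(p).exists()) {
                return true;
            }
        }
        return false;
    }

    /** Production firmware is signed with release keys; "test-keys" means a custom or engineering build. */
    public static boolean isTestKeysBuild() {
        return Build.TAGS != null && Build.TAGS.contains("test-keys");
    }

    /** Asks the shell's PATH for su without running it; a missing "which" is treated as not rooted. */
    public static boolean suOnPath() {
        Process p = null;
        try {
            p = Runtime.getRuntime().exec(new String[] { "which", "su" });
            try (BufferedReader in = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
                String line = in.readLine();
                return line != null && !line.isEmpty();
            }
        } catch (IOException e) {
            return false;
        } finally {
            if (p != null) {
                p.destroy();
            }
        }
    }

    /** On Android 11+ this needs a <queries> declaration for these packages in the manifest. */
    public static boolean hasRootManager(PackageManager pm) {
        for (String pkg : ROOT_MANAGERS) {
            try {
                pm.getPackageInfo(pkg, 0);
                return true;
            } catch (PackageManager.NameNotFoundException ignored) {
                // not installed, try the next one
            }
        }
        return false;
    }

    public static boolean isLikelyRooted(Context ctx) {
        return hasSuBinary() || isTestKeysBuild() || suOnPath() || hasRootManager(ctx.getPackageManager());
    }
}
```

Treat the result as a signal, not a gate: every one of these checks runs inside the app and can be hooked or hidden by the same tooling that rooted the device. For a decision the server must trust, pair it with a hardware-backed attestation such as the Play Integrity API (SafetyNet Attestation at the time of this report) and verify the verdict server-side.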
Technical Details
Severity : Low
Risk
Apps that store their own executable code with world-writable permissions allow a malicious
app to overwrite that code and so execute malicious code with the privileges of the vulnerable
app.
Threat
Shared preferences modes such as MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE allow
information sharing between apps, so any malicious app can get hold of the information used in
the app. These constants were deprecated in API level 17 and throw a SecurityException from
API level 24 onwards. Creating world-writable files is very dangerous and likely to cause security
holes in applications. It is strongly discouraged; instead, applications should use a more formal
mechanism for interactions, such as ContentProvider, BroadcastReceiver and Service.
Technical Details
2. com.distriqt.extension.dialog.util.Assets.getAssetFile()
3. com.distriqt.extension.googleanalytics.util.Assets.getAssetFile()
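An added example, not code from the assessed app or the distriqt library, showing the world-accessible storage modes beside the private form, plus a runtime audit that walks the app's own data directory and reports any file other apps could read or write. The class, file and preference names are assumed.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.system.ErrnoException;
import android.system.Os;
import android.system.OsConstants;
import android.system.StructStat;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/** Added example (not from the assessed app): storage modes, vulnerable and hardened, with an audit. */
public final class StorageModes {

    /**
     * Vulnerable: any app on the device can read the preferences file, and any app can
     * rewrite the extracted file. Both constants are deprecated since API 17 and make
     * getSharedPreferences()/openFileOutput() throw SecurityException on API 24 and later.
     */
    @SuppressWarnings("deprecation")
    public static void vulnerable(Context ctx, String token, byte[] extracted) throws IOException {
        SharedPreferences prefs = ctx.getSharedPreferences("session", Context.MODE_WORLD_READABLE);
        prefs.edit().putString("token", token).apply();
        try (FileOutputStream out = ctx.openFileOutput("extracted_asset.bin", Context.MODE_WORLD_WRITEABLE)) {
            out.write(extracted);
        }
    }

    /** Hardened: MODE_PRIVATE keeps the files owned by the app's uid and unreadable by others. */
    public static void hardened(Context ctx, String token, byte[] extracted) throws IOException {
        SharedPreferences prefs = ctx.getSharedPreferences("session", Context.MODE_PRIVATE);
        prefs.edit().putString("token", token).apply();
        try (FileOutputStream out = ctx.openFileOutput("extracted_asset.bin", Context.MODE_PRIVATE)) {
            out.write(extracted);
        }
    }

    /**
     * Runtime audit: lists files under files/ and shared_prefs/ whose mode bits grant
     * read or write to "others". Useful as a debug-build self-check for library code
     * such as the asset extraction methods named above, which the app does not control.
     */
    public static List<String> worldAccessibleFiles(Context ctx) {
        List<String> bad = new ArrayList<>();
        File dataDir = ctx.getFilesDir().getParentFile();              // /data/data/<pkg>
        File[] dirs = { ctx.getFilesDir(), new File(dataDir, "shared_prefs") };
        for (File dir : dirs) {
            File[] kids = dir.listFiles();
            if (kids == null) {
                continue;
            }
            for (File f : kids) {
                try {
                    StructStat st = Os.stat(f.getAbsolutePath());
                    if ((st.st_mode & (OsConstants.S_IROTH | OsConstants.S_IWOTH)) != 0) {
                        bad.add(f.getAbsolutePath());
                    }
                } catch (ErrnoException e) {
                    bad.add(f.getAbsolutePath() + " (stat failed)");
                }
            }
        }
        return bad;
    }
}
```

Two refinements beyond the mode flag: from Android 7.0 the app's data directory itself is created 0700, so even a leftover world-readable file is unreachable to other apps on those releases, but older devices and the extracted-code overwrite case still depend on MODE_PRIVATE; and a session token belongs in EncryptedSharedPreferences or behind an Android Keystore key rather than in plaintext preferences at all, private mode or not.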