
MyPP

Vulnerability Report
12 Jan 2019

QUIXXI SECURITY
This document summarizes the findings, analysis and recommendations from the assessment
conducted by Quixxi.

1.1. CONFIDENTIALITY & LIABILITY


The contents of this document are intended solely for "MyPP" and may contain confidential
and/or privileged information that may be legally protected from disclosure. This document must
not be given to any third party, printed, photocopied or shared in electronic form such as
email, in whole or in part, without the prior consent of "MyPP". If you are not the intended
recipient of this document, or if it has been addressed to you in error, please alert the sender
immediately.

1.2. DISCLAIMER

Private & Confidential


• Quixxi will not be responsible for any data loss, loss of business functionality, reputational
and/or revenue loss caused during the testing or thereafter. To that end, Quixxi urges the
customer to be diligent in backing up all systems, configurations, folders, files and settings
that come within the scope of the proposed testing.

• By its nature the test scans only for vulnerabilities that could lead to an intrusion. It does
not detect intrusions that happened in the past, nor does it detect or prevent intrusions that
might happen in the future.

• The test is meant to find possible vulnerabilities based on the data provided by the customer.
If inadequate or incorrect data is provided, the scope of testing is limited, which can leave
loopholes in the network unidentified. Quixxi will not be liable for such situations.

• Hacking methodologies, technologies and tools change over time. As a result, a vulnerability
fixed today is not fixed forever: a vulnerability closed today with a patch or re-configuration
may still become exploitable in the future, which is why we recommend repeating the
vulnerability test periodically.

• It is often misconstrued that a vulnerability test is an actual hacking attack; in reality, the test is
an attempt to look for possible vulnerabilities that can potentially lead to an intrusion.

• Vulnerability tests are not capable of and are not intended to detect any inherent hardware,
software, firmware or application based problems. The same applies to IT performance and
functionality problems too.

• As a policy to protect the customer's data privacy, Quixxi does not provide logs to the customer.
The logs are treated as internal working data for Quixxi's technical team and are therefore
Quixxi's intellectual property; the report generated from them is the only output meant for the
customer to see. Quixxi deletes/destroys all logs and findings of the test 3 (three) days after
submission of the final report, as a security practice to protect the client's confidentiality.
Any disputes or concerns raised after 3 days will require re-testing, which counts as a
repetition of the testing effort and will be charged extra.

1.3. TESTING METHODOLOGY


Quixxi tests the app using a variety of industry-standard tools, scanners and traffic analyzers to
cover the range of application vulnerabilities recommended by the OWASP methodology. This
allows high-risk security and privacy issues in the mobile application to be identified. A black-box
approach is used during the tests.

A complete assessment involves the following areas:



1.4. APP INFO
Platform : Android

Application Name : MyPP

Package Name : com.orangenoire3.mirunacretan.secspacibmypp

Package Version : 1.0

1.5. EXECUTIVE SUMMARY


Total Vulnerabilities Detected : 11

High Risk Threats : 1

Medium Risk Threats : 7

Low Risk Threats : 3

1.6. PERMISSIONS USED


android.permission.ACCESS_COARSE_LOCATION

android.permission.ACCESS_FINE_LOCATION

android.permission.ACCESS_NETWORK_STATE

android.permission.INTERNET

com.google.android.providers.gsf.permission.READ_GSERVICES

android.permission.WRITE_EXTERNAL_STORAGE

android.permission.WAKE_LOCK

com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE

com.google.android.c2dm.permission.RECEIVE

com.orangenoire3.mirunacretan.secspacibmypp.permission.C2D_MESSAGE



1.7. HIGH SEVERITY VULNERABILITIES
1.7.1 File unsafe Delete Check

Severity : High
Risk
Everything the app deletes may be recovered by any user or attacker, especially on a rooted device.

Threat
When a file is deleted with file.delete(), only the directory entry that points to it is removed
from the file system. The data blocks remain on disk until other data overwrites them, so the
file's contents stay recoverable.

Technical Details

This app deletes files with file.delete(). A file removed this way may be recovered by any user or
attacker, especially on a rooted device, so file.delete() must not be the only step taken for files
that hold sensitive data. file.delete() is called in the following methods:
1. com.android.tools.ir.server.FileManager.delete()
2. com.android.tools.ir.server.FileManager.purgeTempDexFiles()
3. com.android.tools.ir.server.FileManager.setLeftActive()
All three belong to Android Studio's Instant Run runtime (package com.android.tools.ir.server),
which the IDE injects only into debug builds; none of the app's own classes is flagged, and a
release build would not contain these methods at all.
Check this video for more details https://www.youtube.com/watch?v=tGw1fxUD-uY
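The following is an added example, not code from the app or from Quixxi, of the kind of deletion the report asks for: the file is overwritten with random bytes, the write is forced to the device, the file is truncated and only then unlinked. It is plain Java so it can be run on a desktop JVM; the same code compiles unchanged on Android. The temporary file and its "access_token" content in main() are constructed sample input.

```java
import java.io.File;
import java.io.IOException;
import java.io.RandomAccessFile;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.SecureRandom;

/** Overwrite-then-unlink deletion, as a replacement for a bare file.delete(). */
public final class SecureDelete {
    private static final int CHUNK = 64 * 1024;

    private SecureDelete() { }

    /**
     * Overwrites every byte of the file with random data, syncs, truncates to
     * zero length, syncs again and finally unlinks it. Returns false if the
     * path is not a regular file or the final delete fails.
     */
    public static boolean wipeAndDelete(File file) throws IOException {
        if (!file.isFile()) {
            return false;
        }
        SecureRandom rng = new SecureRandom();
        byte[] buf = new byte[CHUNK];
        // "rws": every write is flushed synchronously, including file metadata.
        try (RandomAccessFile raf = new RandomAccessFile(file, "rws")) {
            long remaining = raf.length();
            raf.seek(0);
            while (remaining > 0) {
                int n = (int) Math.min(buf.length, remaining);
                rng.nextBytes(buf);
                raf.write(buf, 0, n);
                remaining -= n;
            }
            raf.getFD().sync();   // push the overwrite through the page cache to the device
            raf.setLength(0);     // the inode no longer references the old blocks
            raf.getFD().sync();
        }
        return file.delete();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a temp file that holds a secret.
        File f = File.createTempFile("secret", ".txt");
        Files.write(f.toPath(), "access_token=abc123".getBytes(StandardCharsets.UTF_8));
        System.out.println("wiped and deleted: " + wipeAndDelete(f));
        System.out.println("still exists: " + f.exists());
    }
}
```

Overwriting addresses the case the report describes, but it is not a guarantee on flash storage: wear-levelling, journalling and copy-on-write can place the new bytes in different physical blocks while the old ones stay on the chip. The robust pattern on Android is to keep sensitive files encrypted under a key held in the Android Keystore and to destroy the key when the data is no longer needed (crypto-shredding); devices with file-based encryption already protect app data at rest this way, which also bounds the practical impact of the Instant Run temporary files flagged above.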

1.8. MEDIUM SEVERITY VULNERABILITIES


1.8.1 Is App Debuggable

Severity : Medium
Risk
An attacker who can attach to a debuggable process can read and modify its memory and run
arbitrary code in its context, so the impact is bounded only by what the app itself is allowed to
do. Depending on the permissions the debuggee holds, that can extend to spying on its
communication, sending premium-rate SMS, placing background calls or taking pictures and
forwarding them, all without the user's knowledge; for this app the permissions listed in section
1.6 bound it to the user's location, the app's network traffic and external storage. Built-in apps
that ship with the phone have higher privileges than apps installed from the store, so a
debuggable system app is a correspondingly larger target: a Trojan that gains its context can
reach the rest of the Android system, its applications and their data.

Threat
The android debug bridge (adb) is used to connect the developer's system to an Android phone
or the emulator. On the device itself the adbd daemon is started as soon as the phone is
Private & Confidential
connected to the computer when USB debugging is enabled. On the computer adb can now be
used to spawn a shell, forward ports and do other debugging related tasks. Adb is also used by
the development environment to get a list of all running debuggable applications and to connect
to one of these applications for debugging.Debug mode is enabled by default, during the
development of an app in Android studio. Android Studio will set android:debuggable="True" in
AndroidManifest.xml (AndroidManifest.xml is the central configuration file for any Android
application. If this attribute is set, the application will try to connect to a local UNIX socket
“@jdwp-control”. This socket is opened on the device by adbd (ADB server daemon process),
waiting for debuggable applications to register by connecting to the socket.Adb running on the
computer can now request a connection to any of these and adbd will forward a connection
between the debugger and the debuggee. Any further communication will now take place using
the standard Java Debug Wire Protocol.(JDWP). Debuggable applications will try to connect to
the UNIX socket “@jdwp-control”, even if adbd is not running. This is the case on default
configurations of Android (USB debugging disabled) or on phones in development mode unless
they are connected to a computer.
Any application can open this UNIX socket and thus trick any debuggable application into
connecting to it. Using a bit of “magic trickery” we can now establish a JDWP connection
between the debuggable application and our malicious application. Using JDWP Attacker will
gain full access to the Java process and execute arbitrary code in the context of the debuggable
application.

Technical Details

The application is built with android:debuggable="true" in AndroidManifest.xml, which the system
reports at runtime as ApplicationInfo.FLAG_DEBUGGABLE. Together with the Instant Run classes
(com.android.tools.ir.server) flagged in sections 1.7.1 and 1.8.3, this shows that a debug build
was assessed. A Gradle release build sets debuggable to false by default, so the finding should be
re-verified against the release APK (for example with aapt dump badging, or with adb jdwp, which
lists only debuggable processes).

1.8.2 Missing usage of native(C, C++) code

Severity : Medium
Risk
Business logic written in Java is easy to decompile, and its logic is easier to understand than
compiled native code.

Threat
This check looks for native (C or C++) code in the application. Java code can be easily
decompiled, and its logic is easier to follow than native code. Moving sensitive logic into a
native library only raises the effort required, since native code can still be disassembled; code
shrinking and obfuscation of the Java portion (R8/ProGuard) is the more practical first step.

Technical Details

This application does not contain any native (C, C++) code.

1.8.3 Outputting Logs to logCat/ Logging Sensitive information


Severity : Medium
Risk
Logging sensitive information can leak sensitive information to malicious apps

Threat
Android lets an app write logging output through the android.util.Log class and lets log output be
read with the logcat command. Since Android 4.1 (API 16) the READ_LOGS permission is no longer
granted to third-party apps, so other apps on the device cannot read this app's log lines; the
lines remain visible to anyone with a USB debugging session (adb logcat) or a bug report, and on
older devices to any app holding READ_LOGS.

Technical Details

This app writes to Logcat. Every method listed below belongs to Android Studio's Instant Run
runtime (com.android.tools.ir.server), which is injected into debug builds only; none of the app's
own classes is listed. The following methods contain logging calls:
1. com.android.tools.ir.server.FileManager.getExternalResourceFile()
2. com.android.tools.ir.server.FileManager.getTempDexFile()
3. com.android.tools.ir.server.FileManager.writeAaptResources()
4. com.android.tools.ir.server.Server$SocketServerReplyThread.authenticate()
5. com.android.tools.ir.server.Server$SocketServerReplyThread.handle()
6. com.android.tools.ir.server.Server$SocketServerThread.run()
7. com.android.tools.ir.server.InstantRunContentProvider.isMainProcess()
8. com.android.tools.ir.server.InstantRunContentProvider.onCreate()
9. com.android.tools.ir.server.Restarter.hasAppCrashed()
10. com.android.tools.ir.server.Restarter.restartActivity()
11. com.android.tools.ir.server.Restarter.restartApp()
12. com.android.tools.ir.server.Restarter.showToast()
13. com.android.tools.ir.server.Logging$1.log()
14. com.android.tools.ir.server.Server.()
15. com.android.tools.ir.server.Server.handleHotSwapPatch()
16. com.android.tools.ir.server.Server.handleResourcePatch()
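As an added example (not the app's or Quixxi's code), this is the usual way to make logging safe for a release build: a wrapper that is silent unless BuildConfig.DEBUG is true and that never emits a secret in full, plus the R8/ProGuard rule that strips any remaining android.util.Log calls from the bytecode. BuildConfig is the class the Android Gradle plugin generates in the app's applicationId package; the package used below is assumed to match the one in section 1.4.

```java
import android.util.Log;

/** Logcat wrapper that is a no-op in release builds and redacts secrets. */
public final class SafeLog {
    // Assumed to be the app's own generated BuildConfig (package from section 1.4).
    private static final boolean ENABLED =
            com.orangenoire3.mirunacretan.secspacibmypp.BuildConfig.DEBUG;

    private SafeLog() { }

    public static void d(String tag, String msg) {
        if (ENABLED) Log.d(tag, msg);
    }

    public static void w(String tag, String msg, Throwable t) {
        if (ENABLED) Log.w(tag, msg, t);
    }

    /**
     * Never log a credential or token verbatim. Keeps only the length and the
     * last few characters, enough to correlate events but not to replay it.
     */
    public static String redact(String secret) {
        if (secret == null) return "null";
        int keep = Math.min(4, secret.length() / 4);
        return "(len=" + secret.length() + ",..."
                + secret.substring(secret.length() - keep) + ")";
    }
}

/*
 * Release builds with minifyEnabled true should also carry this rule in
 * proguard-rules.pro so that Log calls left in third-party or generated code
 * (such as the Instant Run classes above) are removed from the bytecode:
 *
 *   -assumenosideeffects class android.util.Log {
 *       public static int v(...);
 *       public static int d(...);
 *       public static int i(...);
 *   }
 */
```

Usage: replace Log.d("Auth", "token=" + token) with SafeLog.d("Auth", "token=" + SafeLog.redact(token)). The wrapper makes the debug/release distinction explicit in code; the R8 rule is the backstop for calls that bypass it.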

1.8.4 Usage of Adb Backup

Severity : Medium
Risk
An attacker with access to the unlocked phone can take an ADB backup and read the app's sensitive
data, including passwords.

Threat
The Android operating system offers a backup/restore mechanism for installed packages through the
adb utility (adb backup / adb restore). By default the full backup includes the app's private files
on the /data partition; an app can customise this behaviour by implementing a BackupAgent class,
which lets it feed the backup process with its own selection of files and data.



Technical Details

ADB backup is enabled for this app: android:allowBackup is not set to false in the manifest, and
the attribute defaults to true.

ADB backup is a convenient way to back up an app's files, but while it is enabled for this app,
anyone who holds the phone can copy all of the app's private data (prerequisites: 1. unlock the
phone's screen, 2. enable developer mode with USB debugging, then run adb backup from a computer).
The sensitive data may include long-lived access tokens, usernames or passwords. The fix is
android:allowBackup="false" on the application element, or, if backups are wanted, an
android:fullBackupContent rule set that excludes the files holding secrets. From Android 12
(API 31), adb backup excludes app data for apps targeting API 31 or higher unless the app is
debuggable, so a debug build like the one assessed here stays exportable. Security cases related
to ADB backup:
1. http://www.securityfocus.com/archive/1/530288/30/0/threaded
2. http://blog.c22.cc/advisories/cve-2013-5112-evernote-android-insecure-storage-of-pin-data-bypass-of-pin-protection
3. http://nelenkov.blogspot.co.uk/2012/06/unpacking-android-backups.html
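Both this finding and 1.8.1 come down to two attributes on the manifest's application element, and both are visible at runtime through ApplicationInfo. The class below is an added example, not the app's code: a start-up self-check that reads those same flags so a build that was accidentally shipped debuggable or with backups enabled fails loudly in QA instead of reaching users. The manifest settings it enforces are shown in the comment.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import java.util.ArrayList;
import java.util.List;

/**
 * Start-up check for the two manifest settings behind findings 1.8.1 and 1.8.4.
 *
 * AndroidManifest.xml, <application ...> element:
 *   android:debuggable  - leave it out entirely; Gradle sets it for the debug
 *                         build type only and release builds default to false.
 *   android:allowBackup="false"
 *                       - or keep backups and add android:fullBackupContent
 *                         with <exclude> rules for files holding tokens/passwords.
 */
public final class BuildHardeningCheck {

    private BuildHardeningCheck() { }

    /** Returns a description of each weak setting found, empty if the build is clean. */
    public static List<String> findWeakSettings(Context ctx) {
        ApplicationInfo ai = ctx.getApplicationInfo();
        List<String> problems = new ArrayList<>();
        if ((ai.flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0) {
            problems.add("android:debuggable is true: JDWP attach and 'adb shell run-as' "
                    + "against this process are possible");
        }
        if ((ai.flags & ApplicationInfo.FLAG_ALLOW_BACKUP) != 0) {
            problems.add("android:allowBackup is true (the default): 'adb backup' can "
                    + "export the private data directory");
        }
        return problems;
    }

    /**
     * Call from Application.onCreate() in builds meant for distribution; a
     * misconfigured build throws before it can show a single screen.
     */
    public static void enforce(Context ctx) {
        List<String> problems = findWeakSettings(ctx);
        if (!problems.isEmpty()) {
            throw new IllegalStateException("Insecure build configuration: " + problems);
        }
    }
}
```

Gate the call to enforce() on the build being a release build (for example, only when BuildConfig.DEBUG is false), because a debug build is expected to trip the first check. The same two flags are what an external tester reads with aapt dump badging, so this check and the report's own detection agree by construction.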

1.8.5 Protection of text fields from copying the text and paste outside your app

Severity : Medium
Risk
Clipboard data manipulation may lead to common code injection attacks, such as JavaScript injection
and command injection, and to phishing attacks, both web phishing and app phishing. Data theft
occurs when sensitive data copied to the clipboard is read by a malicious application.

Threat
On the Android platform the clipboard is a framework for copying and pasting many types of data
within an app and between apps. Before Android 10 (API 29), any installed application could
register a listener and read everything placed on the clipboard; from Android 10 only the default
input method editor and the app that currently has focus can read it. Devices below API 29 remain
affected, and on any version the app that copies a secret cannot control where the user pastes it.

Technical Details

This app does not contain code that prevents text in its fields from being copied and pasted
outside the application.
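The following is an added example, not the app's or Quixxi's code, of the two controls a practitioner would implement for this finding: removing the Copy/Cut/Share action modes from a sensitive EditText, and marking a clip as sensitive on the rare occasions the app itself must put a secret on the clipboard.

```java
import android.content.ClipData;
import android.content.ClipDescription;
import android.content.ClipboardManager;
import android.content.Context;
import android.os.Build;
import android.os.PersistableBundle;
import android.view.ActionMode;
import android.view.Menu;
import android.view.MenuItem;
import android.widget.EditText;

/** Clipboard controls for fields that hold passwords, tokens or account numbers. */
public final class ClipboardHardening {

    private ClipboardHardening() { }

    /** Removes long-press selection and the Copy/Cut/Share and Paste popups on a field. */
    public static void disableCopy(EditText field) {
        field.setLongClickable(false);
        field.setTextIsSelectable(false);
        ActionMode.Callback noActions = new ActionMode.Callback() {
            // Returning false from onCreateActionMode means no action mode is shown at all.
            @Override public boolean onCreateActionMode(ActionMode mode, Menu menu) { return false; }
            @Override public boolean onPrepareActionMode(ActionMode mode, Menu menu) { return false; }
            @Override public boolean onActionItemClicked(ActionMode mode, MenuItem item) { return false; }
            @Override public void onDestroyActionMode(ActionMode mode) { }
        };
        field.setCustomSelectionActionModeCallback(noActions);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            field.setCustomInsertionActionModeCallback(noActions); // the Paste popup on tap
        }
    }

    /**
     * For the case where the app itself must place a secret on the clipboard,
     * e.g. a one-time code: on Android 13+ flag it so the system does not show
     * it in the clipboard preview overlay.
     */
    public static void copySensitive(Context ctx, String label, String secret) {
        ClipboardManager cm = (ClipboardManager) ctx.getSystemService(Context.CLIPBOARD_SERVICE);
        ClipData clip = ClipData.newPlainText(label, secret);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            PersistableBundle extras = new PersistableBundle();
            extras.putBoolean(ClipDescription.EXTRA_IS_SENSITIVE, true);
            clip.getDescription().setExtras(extras);
        }
        cm.setPrimaryClip(clip);
    }

    /** Clears the clip once it has served its purpose (API 28+ has a dedicated call). */
    public static void clear(Context ctx) {
        ClipboardManager cm = (ClipboardManager) ctx.getSystemService(Context.CLIPBOARD_SERVICE);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            cm.clearPrimaryClip();
        } else {
            cm.setPrimaryClip(ClipData.newPlainText("", ""));
        }
    }
}
```

disableCopy() hides the menus and long-press selection; it does not stop an input method or accessibility service from seeing what is typed, so it complements rather than replaces FLAG_SECURE on the window and keeping secrets out of editable fields in the first place. Call clear() from onPause() of the screen that used copySensitive(), so the secret does not outlive the screen.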

1.8.6 Protection of capturing screenshots & sharing screens outside your app

Severity : Medium
Risk
Without protection against screenshot capture and screen sharing, the user risks leaking sensitive
information.

Threat
The app's sensitive information and the user's activity in it can be stolen by capturing
screenshots or sharing the screen.

Technical Details

This app does not contain code that prevents screenshots of its screens.

1.8.7 Protection of app screens by blurring when the app is running in background

Severity : Medium
Risk
Without protection of the app's preview while it is in the background, the user risks leaking
sensitive information through a capture of that preview.

Threat
When the user sends the app to the background, the content that was on screen in the foreground is
shown as a preview in the recent-apps screen. The information in that preview can be stolen via
screenshot capture.

Technical Details

This app does not contain code that prevents its screens from being previewed while the
application is in the background.

1.9. LOW SEVERITY VULNERABILITIES


1.9.1 Usage of Installer verification code

Severity : Low

Risk
Without installer verification the app cannot tell where it was installed from, so it cannot
distinguish a copy installed from the intended store from one that was sideloaded, repackaged or
pushed with adb, and cannot ascertain its own authenticity.

Threat
Installer verification code checks which package installed the app (for example Google Play or the
Amazon Appstore).

Technical Details

This app does not contain code to verify its installer source.
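The check the report describes, as an added example that is not the app's or Quixxi's code. It uses PackageManager.getInstallSourceInfo() on Android 11+ and the older getInstallerPackageName() below that; the list of trusted store packages is an assumption to be adjusted to wherever the app is actually published.

```java
import android.content.Context;
import android.content.pm.InstallSourceInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import java.util.Arrays;
import java.util.List;

/** Reports which package installed this app and whether it is a store we distribute through. */
public final class InstallerCheck {
    // Assumed distribution channels; extend or trim to match the real release process.
    private static final List<String> TRUSTED_INSTALLERS = Arrays.asList(
            "com.android.vending",   // Google Play
            "com.amazon.venezia");   // Amazon Appstore

    private InstallerCheck() { }

    /**
     * The installing package, or null for an app installed by adb, a file
     * manager or any other path that does not record an installer.
     */
    public static String installerOf(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        String self = ctx.getPackageName();
        try {
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
                InstallSourceInfo info = pm.getInstallSourceInfo(self);
                return info.getInstallingPackageName();
            }
            return pm.getInstallerPackageName(self);   // deprecated from API 30
        } catch (PackageManager.NameNotFoundException e) {
            return null;
        }
    }

    public static boolean isTrustedInstaller(String installer) {
        return installer != null && TRUSTED_INSTALLERS.contains(installer);
    }

    public static boolean installedFromTrustedStore(Context ctx) {
        return isTrustedInstaller(installerOf(ctx));
    }
}
```

The installer name is recorded by the package manager from what the installing app declares, so it is a useful signal for telemetry and for refusing to run a sideloaded copy, but not proof of authenticity: a repackaged APK on a rooted device can be installed with any installer name. Authenticity comes from the signing certificate, which the system checks on install, and from server-side attestation.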

1.9.2 Executing "root" or System Privilege Check

Severity : Low
Risk
When the app runs on a rooted device, an attacker can dynamically analyse it, access its sensitive
data and steal intellectual property.

Threat
Rooting is the process of allowing users of smartphones, tablets and other devices running the
Android mobile operating system to attain privileged control (superuser) over various Android
subsystems.

Technical Details

This application does not contain code that checks whether the device is rooted.

1.9.3 Emulator Detection Check

Severity : Low

Risk
When the app runs in an emulator, an attacker can dynamically analyse it, access its sensitive data
and steal intellectual property.

Threat
If the app is running on an emulator outside the development process, that is an indication that
someone other than the developer is analysing it.

Technical Details

This app does not contain emulator detection code.
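Sections 1.9.2 and 1.9.3 ask for the same kind of environment check, so one added example, not the app's or Quixxi's code, covers both: a class that collects root indicators (su binaries, test-keys build tags, well-known root-manager packages) and emulator indicators (Build fields and QEMU device files). Each method returns what it found so the caller can log it or degrade gracefully rather than crash.

```java
import android.content.pm.PackageManager;
import android.os.Build;
import java.io.File;
import java.util.ArrayList;
import java.util.List;

/**
 * Root and emulator heuristics. None of these signals is tamper-proof: Magisk,
 * Frida or a patched framework can hide all of them, so treat the result as
 * telemetry and back it with server-side device attestation.
 */
public final class EnvironmentChecks {
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/system/su",
        "/su/bin/su", "/data/local/xbin/su", "/data/local/bin/su", "/system/sd/xbin/su",
    };
    // Well-known root managers. On Android 11+ they must also be declared in a
    // <queries> element of the manifest, or getPackageInfo() will not see them.
    private static final String[] ROOT_PACKAGES = {
        "com.topjohnwu.magisk", "eu.chainfire.supersu",
        "com.koushikdutta.superuser", "com.noshufou.android.su",
    };
    private static final String[] EMULATOR_FILES = {
        "/dev/qemu_pipe", "/dev/goldfish_pipe", "/system/lib/libc_malloc_debug_qemu.so",
    };

    private EnvironmentChecks() { }

    public static List<String> rootIndicators(PackageManager pm) {
        List<String> hits = new ArrayList<>();
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) {
            hits.add("build signed with test-keys");          // custom or engineering ROM
        }
        for (String p : SU_PATHS) {
            if (new File(p).exists()) hits.add("su binary at " + p);
        }
        String path = System.getenv("PATH");
        if (path != null) {
            for (String dir : path.split(":")) {
                if (new File(dir, "su").exists()) hits.add("su on PATH in " + dir);
            }
        }
        for (String pkg : ROOT_PACKAGES) {
            try {
                pm.getPackageInfo(pkg, 0);
                hits.add("root manager installed: " + pkg);
            } catch (PackageManager.NameNotFoundException ignored) {
                // not installed, or hidden by package visibility rules
            }
        }
        return hits;
    }

    public static List<String> emulatorIndicators() {
        List<String> hits = new ArrayList<>();
        if (Build.FINGERPRINT.startsWith("generic") || Build.FINGERPRINT.contains("emulator")) {
            hits.add("fingerprint " + Build.FINGERPRINT);
        }
        if (Build.MODEL.contains("google_sdk") || Build.MODEL.contains("Emulator")
                || Build.MODEL.contains("Android SDK built for")) {
            hits.add("model " + Build.MODEL);
        }
        if ("goldfish".equals(Build.HARDWARE) || "ranchu".equals(Build.HARDWARE)) {
            hits.add("hardware " + Build.HARDWARE);            // QEMU kernels of the Google emulator
        }
        if (Build.PRODUCT.startsWith("sdk") || Build.PRODUCT.contains("google_sdk")
                || Build.PRODUCT.contains("vbox86p")) {
            hits.add("product " + Build.PRODUCT);              // AVD images, Genymotion
        }
        if (Build.MANUFACTURER.contains("Genymotion")) {
            hits.add("manufacturer " + Build.MANUFACTURER);
        }
        for (String f : EMULATOR_FILES) {
            if (new File(f).exists()) hits.add("emulator device file " + f);
        }
        return hits;
    }

    /** Convenience gate for start-up: true if any root or emulator indicator fired. */
    public static boolean looksHostile(PackageManager pm) {
        return !rootIndicators(pm).isEmpty() || !emulatorIndicators().isEmpty();
    }
}
```

Use the returned lists to decide on a response proportionate to the app: refusing to run is easy to bypass and punishes developers and power users, whereas hiding high-value features, forcing re-authentication and reporting the indicators to the backend gives the same attacker-facing friction with a record of how often it happens.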
