Mobile Application Analysis – October 25, 2023

Checks to determine whether the allowBackup flag within the Android Manifest is set to False. If this flag is enabled, it could allow easier access to the application files stored on the device.

Analysis Type: Static
Severity (CVSS): Informational (0)

The activities called for by an app are an important part of understanding the application's life cycle from the initial main activity launch to the final activity shutdown. The main activity is the main entry point into the application's user interface.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Checks for arbitrary code execution. When executable code is world-writable, another app could swap the file and gain code execution capabilities in other apps.

Analysis Type: Dynamic
Severity (CVSS): Critical (9.8)

Checks for arbitrary code execution. When executable code is world-writable, another app could swap the file and gain code execution capabilities in other apps.

Analysis Type: Dynamic
Severity (CVSS): High (7.5)

Details of the automated interaction.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Programmatic interactions are logged during dynamic analysis. Results are shown in the forensic data.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Checks to see if the certificate used for this application compilation is valid to determine whether the certificate is expired or is set to expire within 30 days.

Analysis Category: Code
Analysis Type: Static
Severity (CVSS): High (7.5)

Analyzes the attributes set within the cookies used by the app to determine if the “httponly” flag is set. When a cookie is set with the “httponly” flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session cookies and can prevent attacks, like cross-site scripting (XSS), as the cookie cannot be accessed via client-side (e.g., using a JavaScript code snippet).

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Analyzes the attributes set within the cookies used by the app to determine if the “secure” flag is set. When set to “true,” the “secure” flag tells the browser to only send the cookie if the request is sent using a secure channel. This ensures the cookie is not transmitted over unencrypted requests.

Analysis Type: Dynamic
Severity (CVSS): Medium (0)

Checks to determine whether the application was compiled with the debuggable flag enabled in the Android manifest. If the application has the debuggable flag enabled, it’s possible to attach a debugger to the application’s process and execute arbitrary code. The default value is "true" if the debuggable flag is not set. Debugging should be disabled before compiling an app for production.

Analysis Type: Static
Severity (CVSS): Informational (0)

Checks for the usage of addJavascriptInterface(). This can be used to intercept network traffic that’s being sent and interact with the javascript interface.

Analysis Type: Static
Severity (CVSS): Informational (0)

This test checks to see if the key used to sign the application is larger than 1024 bits. Anything smaller leaves your app vulnerable to forged digital signatures.

Analysis Category: Code
Analysis Type: Static
Severity (CVSS): Medium (5.9)

Local application files and external storage locations are inspected for Android ID exposure.

Analysis Type: Dynamic
Severity (CVSS): Low (2.3)

Local application files and external storage locations are inspected for sensitive user/application data. For this check, instances of the Bluetooth MAC Address were searched.

Analysis Type: Dynamic
Severity (CVSS): Low (2.3)

Local application files and external storage locations are inspected for sensitive user/application data. For this check, instances of the Build Fingerprint were searched.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Using specified custom search terms, local application files and external storage locations are inspected for sensitive user or application data.

Analysis Type: Dynamic
Severity (CVSS): Medium (4.4)

Local application files and external storage locations are inspected for sensitive user/application data. For this check, instances of the DNS were searched.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Local application files and external storage locations are inspected for Domain Name System (DNS) exposure.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Local application files and external storage locations are inspected for user email address exposure.

Analysis Type: Dynamic
Severity (CVSS): Low (2.3)

Local application files and external storage locations are inspected for user first name exposure.

Analysis Type: Dynamic
Severity (CVSS): Low (2.3)

Local application files and external storage locations are inspected for exposed GPS latitude coordinates.

Analysis Type: Dynamic
Severity (CVSS): Medium (4.4)

Local application files and external storage locations are inspected for exposed GPS longitude coordinates.

Analysis Type: Dynamic
Severity (CVSS): Medium (4.4)

Local application files and external storage locations are inspected for sensitive user/application data. For this check, instances of the IMEI were searched.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Local application files and external storage locations are inspected for user last name exposure.

Analysis Type: Dynamic
Severity (CVSS): Low (2.3)

Local application files and external storage locations are inspected for local wi-fi MAC address exposure.

Analysis Type: Dynamic
Severity (CVSS): Low (2.3)

Local application files and external storage locations are inspected for sensitive user/application data. For this check, instances of the MAC Address were searched.

Analysis Type: Dynamic
Severity (CVSS): Low (2.3)

Local application files and external storage locations are inspected for sensitive user/application data. For this check, instances of the Full Name were searched.

Analysis Type: Dynamic
Severity (CVSS): Low (2.3)

Local application files and external storage locations are inspected for exposed passwords.

Analysis Type: Dynamic
Severity (CVSS): Medium (4.4)

Local application files and external storage locations are inspected for exposed phone numbers.

Analysis Type: Dynamic
Severity (CVSS): Low (2.3)

Local application files and external storage locations are inspected for sensitive user/application data. For this check, instances of the Serial were searched.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Local application files and external storage locations are inspected for sensitive user/application data. For this check, instances of the Surrounding WiFi Network BSSID were searched.

Analysis Type: Dynamic
Severity (CVSS): Low (2.3)

Local application files and external storage locations are inspected for sensitive user/application data. For this check, instances of the Surrounding WiFi Network SSID were searched.

Analysis Type: Dynamic
Severity (CVSS): Low (2.3)

Local application files and external storage locations are inspected for exposed usernames.

Analysis Type: Dynamic
Severity (CVSS): Low (2.3)

Local application files and external storage locations are inspected for exposed wi-fi IP addresses.

Analysis Type: Dynamic
Severity (CVSS): Low (2.3)

Local application files and external storage locations are inspected for sensitive user/application data. For this check, instances of the WiFi MAC Address were searched.

Analysis Type: Dynamic
Severity (CVSS): Low (2.3)

Local application files and external storage locations are inspected for sensitive user/application data. For this check, instances of the zip code were searched.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

Analysis Type: Dynamic
Severity (CVSS): Low (2.1)

Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack. Additionally, any application on that device with the "READ_LOGS" permission can interrogate the logs, and in more recent versions of Android, the log files have been more carefully isolated and do not require system level permissions to be requested. In this test, the system log files are analyzed for the existence of sensitive user or application data.

Analysis Type: Dynamic
Severity (CVSS): Low (2.1)

System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

Analysis Type: Dynamic
Severity (CVSS): Low (2.1)

System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

Analysis Type: Dynamic
Severity (CVSS): Medium (5.5)

Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack. Additionally, any application on that device with the "READ_LOGS" permission can interrogate the logs, and in more recent versions of Android, the log files have been more carefully isolated and do not require system level permissions to be requested. In this test, the system log files are analyzed for the existence of sensitive user or application data.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

System log files are analyzed for DNS2 exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

Analysis Type: Dynamic
Severity (CVSS): Low (3.3)

System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

Analysis Type: Dynamic
Severity (CVSS): Low (3.3)

System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

Analysis Type: Dynamic
Severity (CVSS): Low (3.3)

System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

Analysis Type: Dynamic
Severity (CVSS): Low (3.3)

Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack. Additionally, any application on that device with the "READ_LOGS" permission can interrogate the logs, and in more recent versions of Android, the log files have been more carefully isolated and do not require system level permissions to be requested. In this test, the system log files are analyzed for the existence of sensitive user or application data.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

System log files are analyzed for exposure of the user’s last name. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

Analysis Type: Dynamic
Severity (CVSS): Low (3.3)

System log files are analyzed for exposure of the local wi-fi MAC address. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

Analysis Type: Dynamic
Severity (CVSS): Low (2.1)

Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack. Additionally, any application on that device with the "READ_LOGS" permission can interrogate the logs, and in more recent versions of Android, the log files have been more carefully isolated and do not require system level permissions to be requested. In this test, the system log files are analyzed for the existence of sensitive user or application data.

Analysis Type: Dynamic
Severity (CVSS): Low (2.1)

System log files are analyzed for exposure of the user’s name. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

Analysis Type: Dynamic
Severity (CVSS): Low (3.3)

System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

Analysis Type: Dynamic
Severity (CVSS): Medium (5.5)

System log files are analyzed for exposure of the user’s phone number. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

Analysis Type: Dynamic
Severity (CVSS): Low (3.3)

Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack. Additionally, any application on that device with the "READ_LOGS" permission can interrogate the logs, and in more recent versions of Android, the log files have been more carefully isolated and do not require system level permissions to be requested. In this test, the system log files are analyzed for the existence of sensitive user or application data.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

System log files are analyzed for exposure of the surrounding wi-fi network basic service set identifier (BSSID). Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

Analysis Type: Dynamic
Severity (CVSS): Low (2.1)

System log files are analyzed for surrounding wi-fi MAC address exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

Analysis Type: Dynamic
Severity (CVSS): Low (2.1)

Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack. Additionally, any application on that device with the "READ_LOGS" permission can interrogate the logs, and in more recent versions of Android, the log files have been more carefully isolated and do not require system level permissions to be requested. In this test, the system log files are analyzed for the existence of sensitive user or application data.

Analysis Type: Dynamic
Severity (CVSS): Low (2.3)

System log files are analyzed for the existence of any sensitive user or application data. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

Analysis Type: Dynamic
Severity (CVSS): Low (2.1)

System log files are analyzed for the existence of any sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

Analysis Type: Dynamic
Severity (CVSS): Low (3.3)

System log files are analyzed for the existence of any sensitive user or application data.Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

Analysis Type: Dynamic
Severity (CVSS): Low (2.1)

System log files are analyzed for the existence of any sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

Analysis Type: Dynamic
Severity (CVSS): Low (2.1)

Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack. Additionally, any application on that device with the "READ_LOGS" permission can interrogate the logs, and in more recent versions of Android, the log files have been more carefully isolated and do not require system level permissions to be requested. In this test, the system log files are analyzed for the existence of sensitive user or application data.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Checks if the source code has been obfuscated either by Proguard or Dexguard in order to make class identification less obvious.

Analysis Type: Static
Severity (CVSS): Informational (0)

Debug logs are generally designed to be used to detect and correct flaws in an application. OSLog is a unified logging system that stores messages in memory and in a data store, rather than writing to text–based log files. These logs can leak sensitive information that may help an attacker launch a more powerful attack. Forensic data will provide any OSLog messages detected while performing dynamic analysis.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

On Android systems, path traversal (a.k.a. directory traversal) allows attackers to perpetrate a "dot–dot–slash (../)" attack to read/write files in internal storage. Any vulnerable content providers will be listed in the forensic data.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Checks for writable executable file permissions and for zip files sent in transit over the network. The combination of these two instances more than likely indicates a remote code execution vulnerability.

Analysis Type: Dynamic
Severity (CVSS): Critical (9.8)

This check determines if the application attempts to use escalated privileges through the su command. This is commonly used by malware to exploit rooted devices.

Analysis Type: Dynamic
Severity (CVSS): Low (1.8)

External storage locations are monitored as the application runs to determine if data is being stored in the application.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the PRNG (pseudo–random number generator). Applications that directly invoke the system–provided OpenSSL PRNG without explicit initialization on Android are also affected. Please note that for "electronic wallet" applications, or applications that process sensitive and/or monetary transactions (including bitcoin transactions), the risk associated with this finding should carefully be considered and should potentially be classified using a finding with severity "High."

Analysis Type: Static
Severity (CVSS): Informational (0)

Determines whether the application is performing proper certificate validation or hostname verification. Lack of proper validation could result in sensitive data being intercepted by a man-in-the-middle attack. If the application's traffic can be decrypted, it is searched for sensitive data, including username, password, GPS coordinates, wi-fi MAC address, International Mobile Equipment Identity (IMEI), device serial number, and phone number.

Analysis Type: Dynamic
Severity (CVSS): High (7.7)

All TLS/SSL communications sent by the application are proxied and traffic is searched for sensitive values, including the user’s username, password, GPS coordinates, wi-fi MAC address, International Mobile Equipment Identity (IMEI), serial number, and phone number.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Traffic is analyzed to determine if the Android ID is exposed from insecure transmission over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Traffic is analyzed to determine if the user’s build fingerprint is exposed from insecure transmission over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Using custom search terms, traffic is analyzed to determine if any sensitive data is exposed from insecure transmission over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (8.1)

Traffic is analyzed to determine if any sensitive data is transmitted insecurely over the network without encryption. For this check, instances of the DNS were searched across any intercepted traffic.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Traffic is analyzed to determine if any DNS data is exposed from insecure transmission over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Traffic is analyzed to determine if any sensitive data is transmitted insecurely over the network without encryption. For this check, instances of the Bluetooth MAC Address were searched across any intercepted traffic.

Analysis Type: Dynamic
Severity (CVSS): Medium (4.3)

Traffic is analyzed to determine if the user’s email address is exposed from insecure transmission over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Traffic is analyzed to determine if the user’s first name is exposed from insecure transmission over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Traffic is analyzed to determine if the user’s GPS latitude location is exposed from insecure transmission over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (8.1)

Traffic is analyzed to determine if any sensitive data is exposed from insecure transmission over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (8.1)

Traffic is analyzed to determine if the user’s International Mobile Equipment Identity (IMEI) is exposed from insecure transmission over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Traffic is analyzed to determine if the user’s last name is exposed from insecure transmission over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Traffic is analyzed to determine if the local wi-fi MAC address is exposed from insecure transmission over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): Medium (4.3)

Traffic is analyzed to determine if any sensitive data is transmitted insecurely over the network without encryption. For this check, instances of the MAC Address were searched across any intercepted traffic.

Analysis Type: Dynamic
Severity (CVSS): Medium (4.3)

Traffic is analyzed to determine if the user’s full name is exposed from insecure transmission over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Traffic is analyzed to determine if the user’s password is exposed from insecure transmission over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (8.1)

Traffic is analyzed to determine if the user’s phone number is exposed from insecure transmission over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Traffic is analyzed to determine if the device’s serial is exposed from insecure transmission over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Traffic is analyzed to determine if the surrounding wi-fi MAC address is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): Medium (4.3)

Traffic is analyzed to determine if the surrounding wi-fi network basic service set identifiers (BSSID) is exposed from insecure transmission over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): Medium (4.3)

Traffic is analyzed to determine if the surrounding wi-fi network service set Identifier (SSID) is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): Medium (4.3)

Traffic is analyzed to determine if the user’s username is exposed from insecure transmission over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Traffic is analyzed to determine if the wi-fi IP address is exposed from insecure transmission over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Traffic is analyzed to determine if any sensitive data is transmitted insecurely over the network without encryption. For this check, instances of the WiFi MAC Address were searched across any intercepted traffic.

Analysis Type: Dynamic
Severity (CVSS): Informational (7.1)

Traffic is analyzed to determine if any sensitive data is transmitted insecurely over the network without encryption. For this check, instances of the zip code were searched across any intercepted traffic.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

SMS communications are monitored during dynamic analysis. Forensic data provides context on what was found to be sent over SMS.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Network communications are monitored while the application is running to locate the destination of the application’s sent data.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Calls within the application are checked for the use of world–readable permissions. Forensic details show any detections.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Calls within the application are checked for the use of world-writable permissions. Forensic details show any detections.

Analysis Category: Permissions
Analysis Type: Dynamic
Severity (CVSS): Medium (5)

Checks for writable executable file permissions in shared storage locations. If the application has a “writable_executable” and is combined with another bug, such as a network ZIP download, the app could be vulnerable to remote code execution attacks.

Analysis Category: Permissions
Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Checks for writable executable file permissions in the application’s data directory. If the application has a “writable_executable” and is combined with another bug, such as a network ZIP download, the app could be vulnerable to remote code execution attacks.

Analysis Category: Permissions
Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Detects whether zip files are being sent by the application in transit over HTTP. Zip files can lead to a remote arbitrary file write, which could allow an attacker remote code execution.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Detects when ZIP files are being sent by the application over HTTPS. ZIP files can contain arbitrary code written in the file, which could allow an attacker to carry out a remote code execution attack.

Analysis Category: Network
Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Determines whether the application is performing proper certificate validation and hostname verification. Lack of proper certificate validation OR hostname verification could result in sensitive data being intercepted by a man–in– the–middle attack.

Analysis Type: Dynamic
Severity (CVSS): High (7)

Certain versions of OpenSSL do not properly restrict the processing of ChangeCipherSpec messages during the TLS/SSL handshake, which could lead to a man-in-the-middle exploit. This is also referred to as the “CCS Injection” vulnerability. For additional details, refer to CVE-2014-0224.

Analysis Category: Code
Analysis Type: Static
Severity (CVSS): High (7.3)

Determines if the application can be decoded and if its resources can be extracted for further analysis.

Analysis Category: Code
Analysis Type: Static
Severity (CVSS): Informational (0)

Determines if the application can be decompiled and if its source code can be extracted for further analysis.

Analysis Type: Static
Severity (CVSS): Informational (0)

Inter Process Communication allows functionality to be discovered and invoked on the fly, granting end users the ability to replace applications with others that offer similar functionality. To allow this, applications must be able to contract out operations to other applications. This is accomplished through the use of various mechanisms such as Intents, Bundles, and Binders.

Analysis Category: Inter Process Communication (IPC)
Analysis Type: Dynamic
Severity (CVSS): High (7.3)

Checks for the use of dynamic code loading within the APK. This mechanism allows a developer to specify which components of the application should not be loaded by default when the application is started. Typically, core components and additional dependencies are loaded natively at runtime, however, dynamically loaded components are only loaded as they are specifically requested. While this can have a positive impact on performance, or grant additional functionality (i.e. a non–invasive update feature), it can also open the application to serious security vulnerabilities if not implemented properly.

Analysis Type: Static
Severity (CVSS): Medium (4.3)

This check looks for code reflection within the application and returns where reflection is used. Reflection grants developers the ability and flexibility to view and determine API characteristics at runtime, as opposed to compilation time. At runtime, reflection techniques can be used to determine if a specific class or method is available before trying to use it. Developers can dynamically construct objects, access fields, and invoke methods. It enables the developer to leverage newer APIs while still supporting older versions, all from within the same app. Reflection APIs are part of the Android SDK and can be beneficial when targeting a variety of versions/devices.

Analysis Category: Code
Analysis Type: Static
Severity (CVSS): Informational (0)

Determines if the application attempts to use escalated privileges through the “su” command. This is commonly used by malware to exploit rooted devices.

Analysis Category: Code
Analysis Type: Static
Severity (CVSS): High (7.5)

Local application files and external storage locations are inspected for provision revision exposure.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

System log files are analyzed for provision revision exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

This checks if the application is attempting to exploit the Master Key vulnerability. Android OS versions 1.6 through 4.2 do not properly check cryptographic signatures and this could lead to non–approved code being run.

For more information see CVE-2013-4787.

The purpose of this check is to flag potentially malicious behavior within the application.

Analysis Type: Static
Severity (CVSS): Informational (0)

OkHttp before 2.7.4 and 3.x before 3.1.2 allows man–in–the–middle attackers to bypass certificate pinning. During static analysis, the binary is searched for vulnerable versions of this library.

Analysis Type: Static
Severity (CVSS): Informational (0)

Path traversal (a.k.a. directory traversal) allows attackers to perpetrate a “dot–dot–slash” (../) attack to read/write files in internal storage. Any vulnerable content providers will be listed in the forensic data.

Analysis Category: Inter Process Communication (IPC)
Analysis Type: Dynamic
Severity (CVSS): High (7.3)

Traffic is analyzed to determine if the provision revision is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Android applications may use untrusted input to construct SQL queries, and do so in a way that is exploitable. The most common case is when applications do not sanitize input for an SQL query and do not limit access to content providers. Any vulnerable content providers will be listed in the forensic data.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Forensic data highlights a list of the potential behaviors that might have been observed while interacting with the application. A brief description of each behavior, potential use, and the applicable architecture (MACH–O slice) in which that behavior was detected are included.

Analysis Type: Static
Severity (CVSS): Informational (0)

Any certificates used by the application are displayed as forensic data, covering the type of key, number of bits, serial number, URL, and common name associated with each certificate.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Confers specific capabilities or security permissions to an iOS application. Forensic data show specific entitlements along with associated values.

Analysis Type: Static
Severity (CVSS): Informational (0)

Network communications are monitored as the application is running to locate where the application is sending its data.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Highlights any activity where the app calls the iOS Keychain, indicating when keychain items were created, deleted, or queried.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

CommonCrypto calls are analyzed to determine if any sensitive data is protected using symmetric encryption, hash-based message authentication codes, and digests.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Informational details about the compiled binary that were observed during dynamic analysis of the application. Example metadata includes the supported app versions, various flags set in the application, bundle information, identified behaviors, important libraries, and more. Many of these items are already being analyzed and separated out into their own individual checks and results.

Analysis Type: Static
Severity (CVSS): Informational (0)

CFURLConnection requests are analyzed to determine if any sensitive data is transmitted over the network.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Related to the hostname verification issue, sensitive data that can be intercepted over the network due to improper certificate validation and/or hostname verification is searched. Sensitive data includes usernames, passwords, GPS coordinates, wi-fi MAC address, International Mobile Equipment Identity (IMEI), device serial number, and phone number.

Analysis Type: Dynamic
Severity (CVSS): High (7.7)

This test utilizes methods to proxy all TLS/SSL communications sent by the application. During this process, we search the traffic for sensitive search values, including Username, Password, GPS coordinates, WiFi Mac Address,IMEI, Serial Number, and Phone Number.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Traffic is analyzed to determine if the advertising ID (AdID) is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Traffic is analyzed to determine if custom terms are insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (8.1)

Traffic is analyzed to determine if device information is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): Medium (5.3)

Traffic is analyzed to determine if any email addresses are insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Traffic is analyzed to determine if the user’s first name is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Traffic is analyzed to determine if the user’s GPS latitude coordinate is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (8.1)

Traffic is analyzed to determine if the user’s GPS longitude coordinate is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (8.1)

Traffic is analyzed to determine if the Identifier for Vendors (IDFV) is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Traffic is analyzed to determine if the user’s last name is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Traffic is analyzed to determine if the local wi-fi MAC address is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): Medium (4.3)

Traffic is analyzed to determine if the user’s password is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (8.1)

Traffic is analyzed to determine if the user’s phone number is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Traffic is analyzed to determine if the surrounding wi-fi MAC address is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): Medium (4.3)

Traffic is analyzed to determine if the username is insecurely transmitted over the network without encryption.

Analysis Type: Dynamic
Severity (CVSS): High (7.1)

Traffic is analyzed to determine if any sensitive data is transmitted insecurely over the network without encryption. For this check, instances of the zip code were searched across any intercepted traffic.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

iOS Keychain entries are monitored and custom terms are searched.

Analysis Type: Dynamic
Severity (CVSS): Low (3.8)

iOS Keychain entries and values related to the instrumented test device (e.g., Device ID, GPS coordinates, etc.) are searched.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

iOS Keychain entries are monitored and instances of the password are searched.

Analysis Type: Dynamic
Severity (CVSS): Low (3.8)

iOS Keychain entries are monitored and instances of the username are searched.

Analysis Type: Dynamic
Severity (CVSS): Low (1.6)

Detects whether zip files are being sent by the application in transit over HTTP. Zip files can lead to a remote arbitrary file write, which could allow an attacker remote code execution.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Determines if ZIP files are being sent by the application over HTTPS. ZIP files can lead to a remote arbitrary file write, which could allow an attacker to carry out a remote code execution attack.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

ASL messages are analyzed for advertising ID (AdID) exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Low (2.1)

ASL messages are analyzed for sensitive user or application data. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Medium (5.5)

ASL messages are analyzed for evidence of exposing the user’s email. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Low (3.3)

ASL messages are analyzed for evidence of exposing the user’s first name. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Low (3.3)

ASL messages are analyzed for exposure of the GPS latitude. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Low (3.3)

ASL messages are analyzed for exposure of the GPS longitude. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Low (3.3)

ASL messages are analyzed for Identifier for Vendors (IDFV) exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Low (2.1)

ASL messages are analyzed for user last name exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Low (3.3)

ASL messages are analyzed for local wi-fi MAC address exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Low (2.1)

ASL messages are analyzed for exposure of the user’s name. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Low (3.3)

ASL messages are analyzed for password exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Medium (5.5)

ASL messages are analyzed for phone number exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Low (3.3)

ASL messages are analyzed for surrounding wi-fi MAC address exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Low (2.1)

ASL messages are analyzed for username exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack.

Analysis Type: Dynamic
Severity (CVSS): Low (3.3)

Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack. In this test, ASL messages are analyzed for the existence of sensitive user or application data.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

This check examines the compiled binary for libraries that do not have Automatic Reference Counting (ARC) enabled.

Analysis Type: Static
Severity (CVSS): Low (1.6)

This test checks if the individual components inside the compiled binary used stack canaries to prevent buffer overflows.

Analysis Type: Static
Severity (CVSS): Low (1.6)

This check only applies to iOS apps that utilize Touch ID for authentication. It checks to determine if your application is using an insecure implementation of the Local Authentication framework, which makes it possible to bypass the authentication process through runtime analysis or patching the binary.

Analysis Type: Static
Severity (CVSS): Informational (0)

Any interaction with SQLite databases is monitored as the application is running to determine how the application interacts with its data.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Network requests are evaluated for unencrypted (HTTP) connections. Any such detected endpoints are available in the forensic data.

Analysis Type: Static
Severity (CVSS): Informational (0)

Checks if the application was compiled with flags, improving its performance and preventing some stack overflow vulnerabilities. Automatic Reference Counting is a memory management system that automatically takes care of the reference count of objects at compile time, instead of leaving this task to the developer. The compiler automatically inserts the release and retains calls, making the developer’s life easier and eliminating risks of introducing vulnerabilities related to the object’s memory life cycle. The process is completely done at compile time, so it does not introduce any runtime overhead and there are no drawbacks for developers switching to this system. This feature was introduced with iOS 5, but it can be backported to previous versions since operations are performed at the time of compilation.

Analysis Type: Static
Severity (CVSS): Low (1.6)

Checks to see if the application binary was compiled with the -PIE flag. Address space layout randomization (ASLR) is a security feature introduced in iOS 4.3 that randomizes how an app is loaded and maintained in memory. ASLR randomizes the address space used in the application, making it difficult to execute malicious code without first causing the application to crash. It also complicates the process of dumping allocated memory of the application.

Analysis Category: Code
Analysis Type: Static
Severity (CVSS): Low (1.6)

Checks for vulnerable code in the AFNetworking implementation setting used by the application to add networking functionality.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Checks for vulnerable code in the AFNetworking implementation setting used by the application to add networking functionality.

Analysis Type: Dynamic
Severity (CVSS): Medium (5.3)

ATS is new in iOS 9, and it helps ensure secure connections between an app and the back end server(s). It is on by default when an app is linked against iOS 9.0 SDK or later. With ATS enabled, HTTP connections are forced to use HTTPS (TLS v1.2), and any attempts to connect using insecure HTTP will fail. There are a couple of options when implementing ATS:

• ATS can be enabled globally (by linking to iOS 9.0 or later SDK), and the developer can choose to decrease ATS restrictions on a specific server using an exception key.
• ATS can be disabled globally (by setting the NSAllowsArbitraryLoads key to YES). An exception could then allow the developer to increase ATS restrictions on a specific server.

Analysis Type: Static
Severity (CVSS): Informational (0)

Most iOS apps do not have/require background processes to be run. However, background modes must be set if an app plays music, needs location, etc. The forensic data highlights a list of the background modes that were detected. It is recommended to review all enabled background modes and disable any that are not required.

Analysis Type: Static
Severity (CVSS): Informational (0)

Certain versions of OpenSSL do not properly restrict the processing of ChangeCipherSpec messages during the SSL/TLS handshake, which could lead to a man–in–the–middle exploit. This is also referred to as the "CCS Injection" vulnerability. For additional details, refer to CVE-2014-0224.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

CommonCrypto API requests are hooked during dynamic analysis. Detected methods are listed in the forensic data. When applicable, additional contextual data are also provided.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Detected frameworks, which are self-contained, reusable chunks of code and resources that can be imported into any number of apps shared across iOS, tvOS, watchOS, and macOS apps. These are similar to frameworks used in other languages (e.g. node modules).

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Checks to see if the application is vulnerable to the Heartbleed vulnerability. Heartbleed is a serious issue caused by a vulnerable version of the library called “OpenSSL 1.0.1” with heartbeats support enabled. In this version, the “tls1_process_heartbeat” function does not properly validate its input and can lead to information disclosure due to buffer overreading, potentially allowing a malicious attacker to retrieve sensitive information like credentials or encryption keys.

Analysis Category: Code
Analysis Type: Static
Severity (CVSS): Informational (0)

Determines whether the application is performing proper certificate validation and hostname verification. Lack of proper certificate validation OR hostname verification could result in sensitive data being intercepted by a man–in– the–middle attack.

Severity (CVSS): High (7.0)

Files and actions pertaining to dynamic analysis observations on jailbreak methods are listed in the forensic data.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

An NSURLConnection object allows the developer to load the contents of a URL by providing a URL request object. The forensic data highlights each of these connections and provides contextual details, including the type of NSURLConnection, the associated method, URL, body, and status code.

Analysis Type: Dynamic
Severity (CVSS): Informational (0)

Checks if the application was compiled with flags preventing some stack overflow vulnerabilities. When an application is compiled with stack smashing protection, a known value or “canary” is placed on the stack directly before the local variables to protect the saved base pointer, saved instruction pointer, and function arguments. The value of the canary is verified upon the function return to see if it has been overwritten. The compiler uses a heuristic to intelligently apply stack protection to a function, which are typically functions using character arrays.

Analysis Category: Code
Analysis Type: Static
Severity (CVSS): Low (1.6)