Mobile Application Security findings are produced by static and dynamic analysis of an app publisher’s mobile applications, which determines the severity of vulnerabilities. The analysis process will be updated on October 30, 2023.
The changes include:
Android Assessments
Name | Details |
---|---|
Allow Backup Check |
Checks to determine whether the allowBackup flag within the Android Manifest is set to False. If this flag is enabled, it could allow easier access to the application files stored on the device. The CVSS score for this assessment was formerly 4.6. Analysis Type: Static |
APK Info |
The activities called for by an app are an important part of understanding the application's life cycle from the initial main activity launch to the final activity shutdown. The main activity is the main entry point into the application's user interface. Analysis Type: Dynamic |
Arbitrary Code Execution Observed |
Checks for arbitrary code execution. When executable code is world-writable, another app could swap the file and gain code execution capabilities in other apps. Analysis Type: Dynamic |
Arbitrary Code Execution Probable |
Checks for arbitrary code execution. When executable code is world-writable, another app could swap the file and gain code execution capabilities in other apps. Analysis Type: Dynamic |
Automation Info |
Details of the automated interaction. Analysis Type: Dynamic |
Behavioral Events |
Programmatic interactions are logged during dynamic analysis. Results are shown in the forensic data. Analysis Type: Dynamic |
Certificate Validity Check |
Checks whether the certificate used for this application's compilation is valid, that is, whether the certificate has expired or is set to expire within 30 days. Analysis Category: Code |
Cookie Without HttpOnly Flag |
Analyzes the attributes set within the cookies used by the app to determine if the “httponly” flag is set. When a cookie is set with the “httponly” flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session cookies and can prevent attacks such as cross-site scripting (XSS) from reading the cookie, because it cannot be accessed from the client side (e.g., using a JavaScript code snippet). The CVSS score for this assessment was formerly 5.3. Analysis Type: Dynamic |
Cookie Without Secure Flag |
Analyzes the attributes set within the cookies used by the app to determine if the “secure” flag is set. When set to “true,” the “secure” flag tells the browser to only send the cookie if the request is sent using a secure channel. This ensures the cookie is not transmitted over unencrypted requests. The CVSS score for this assessment was formerly 5.3. Analysis Type: Dynamic |
Debug Flag Check |
Checks to determine whether the application was compiled with the debuggable flag enabled in the Android manifest. If the application has the debuggable flag enabled, it’s possible to attach a debugger to the application’s process and execute arbitrary code. The default value is "true" if the debuggable flag is not set. Debugging should be disabled before compiling an app for production. Analysis Type: Static |
Javascript Interface Check |
Checks for the usage of addJavascriptInterface(). This can be used to intercept network traffic that’s being sent and interact with the JavaScript interface. The CVSS score for this assessment was formerly 3.1. Analysis Type: Static |
Keysize Check |
This test checks to see if the key used to sign the application is larger than 1024 bits. Anything smaller leaves your app vulnerable to forged digital signatures. Analysis Category: Code |
Leaked Data in Files Android ID |
Local application files and external storage locations are inspected for Android ID exposure. Analysis Type: Dynamic |
Leaked Data in Files Bluetooth MAC |
Local application files and external storage locations are inspected for sensitive user/application data. For this check, instances of the Bluetooth MAC Address were searched. Analysis Type: Dynamic |
Leaked Data in Files Build Fingerprint |
Local application files and external storage locations are inspected for sensitive user/application data. For this check, instances of the Build Fingerprint were searched. Analysis Type: Dynamic |
Leaked Data in Files (Custom Values) |
Using specified custom search terms, local application files and external storage locations are inspected for sensitive user or application data. Analysis Type: Dynamic |
Leaked Data in Files DNS1 |
Local application files and external storage locations are inspected for sensitive user/application data. For this check, instances of the DNS were searched. The CVSS score for this assessment was previously 2.3. Analysis Type: Dynamic |
Leaked Data in Files DNS2 |
Local application files and external storage locations are inspected for Domain Name System (DNS) exposure. Analysis Type: Dynamic |
Leaked Data in Files Email |
Local application files and external storage locations are inspected for user email address exposure. Analysis Type: Dynamic |
Leaked Data in Files First Name |
Local application files and external storage locations are inspected for user first name exposure. Analysis Type: Dynamic |
Leaked Data in Files GPS Latitude |
Local application files and external storage locations are inspected for exposed GPS latitude coordinates. Analysis Type: Dynamic |
Leaked Data in Files GPS Longitude |
Local application files and external storage locations are inspected for exposed GPS longitude coordinates. Analysis Type: Dynamic |
Leaked Data in Files IMEI |
Local application files and external storage locations are inspected for sensitive user/application data. For this check, instances of the IMEI were searched. The CVSS score for this assessment was previously 2.3. Analysis Type: Dynamic |
Leaked Data in Files Last Name |
Local application files and external storage locations are inspected for user last name exposure. Analysis Type: Dynamic |
Leaked Data in Files Local WiFi MAC |
Local application files and external storage locations are inspected for local wi-fi MAC address exposure. Analysis Type: Dynamic |
Leaked Data in Files MAC |
Local application files and external storage locations are inspected for sensitive user/application data. For this check, instances of the MAC Address were searched. Analysis Type: Dynamic |
Leaked Data in Files Name |
Local application files and external storage locations are inspected for sensitive user/application data. For this check, instances of the Full Name were searched. Analysis Type: Dynamic |
Leaked Data in Files Password |
Local application files and external storage locations are inspected for exposed passwords. Analysis Type: Dynamic |
Leaked Data in Files Phone Number |
Local application files and external storage locations are inspected for exposed phone numbers. Analysis Type: Dynamic |
Leaked Data in Files Serial |
Local application files and external storage locations are inspected for sensitive user/application data. For this check, instances of the Serial were searched. The CVSS score for this assessment was previously 2.3. Analysis Type: Dynamic |
Leaked Data in Files Surrounding WiFi Network BSSID |
Local application files and external storage locations are inspected for sensitive user/application data. For this check, instances of the Surrounding WiFi Network BSSID were searched. Analysis Type: Dynamic |
Leaked Data in Files Surrounding WiFi Network SSID |
Local application files and external storage locations are inspected for sensitive user/application data. For this check, instances of the Surrounding WiFi Network SSID were searched. Analysis Type: Dynamic |
Leaked Data in Files Username |
Local application files and external storage locations are inspected for exposed usernames. Analysis Type: Dynamic |
Leaked Data in Files WiFi IP |
Local application files and external storage locations are inspected for exposed wi-fi IP addresses. Analysis Type: Dynamic |
Leaked Data in Files WiFi MAC |
Local application files and external storage locations are inspected for sensitive user/application data. For this check, instances of the WiFi MAC Address were searched. Analysis Type: Dynamic |
Leaked Data in Files ZIP Code |
Local application files and external storage locations are inspected for sensitive user/application data. For this check, instances of the zip code were searched. The CVSS score for this assessment was previously 2.3. Analysis Type: Dynamic |
Leaked LogCat Data Android ID |
System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested. Analysis Type: Dynamic |
Leaked LogCat Data Bluetooth MAC |
Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack. Additionally, any application on that device with the "READ_LOGS" permission can interrogate the logs, and in more recent versions of Android, the log files have been more carefully isolated and do not require system level permissions to be requested. In this test, the system log files are analyzed for the existence of sensitive user or application data. Analysis Type: Dynamic |
Leaked LogCat Data Build Fingerprint |
System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested. Analysis Type: Dynamic |
Leaked LogCat Data (Custom Values) |
System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested. Analysis Type: Dynamic |
Leaked LogCat Data DNS1 |
Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack. Additionally, any application on that device with the "READ_LOGS" permission can interrogate the logs, and in more recent versions of Android, the log files have been more carefully isolated and do not require system level permissions to be requested. In this test, the system log files are analyzed for the existence of sensitive user or application data. Analysis Type: Dynamic |
Leaked LogCat Data DNS2 |
System log files are analyzed for DNS2 exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested. Analysis Type: Dynamic |
Leaked LogCat Data Email |
System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested. Analysis Type: Dynamic |
Leaked LogCat Data First Name |
System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested. Analysis Type: Dynamic |
Leaked LogCat Data GPS Latitude |
System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested. Analysis Type: Dynamic |
Leaked LogCat Data GPS Longitude |
System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested. Analysis Type: Dynamic |
Leaked LogCat Data IMEI |
Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack. Additionally, any application on that device with the "READ_LOGS" permission can interrogate the logs, and in more recent versions of Android, the log files have been more carefully isolated and do not require system level permissions to be requested. In this test, the system log files are analyzed for the existence of sensitive user or application data. Analysis Type: Dynamic |
Leaked LogCat Data Last Name |
System log files are analyzed for exposure of the user’s last name. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested. Analysis Type: Dynamic |
Leaked LogCat Data Local WiFi MAC |
System log files are analyzed for exposure of the local wi-fi MAC address. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested. Analysis Type: Dynamic |
Leaked LogCat Data MAC |
Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack. Additionally, any application on that device with the "READ_LOGS" permission can interrogate the logs, and in more recent versions of Android, the log files have been more carefully isolated and do not require system level permissions to be requested. In this test, the system log files are analyzed for the existence of sensitive user or application data. The CVSS score for this assessment was previously 0 (informational). Analysis Type: Dynamic |
Leaked LogCat Data Name |
System log files are analyzed for exposure of the user’s name. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested. Analysis Type: Dynamic |
Leaked LogCat Data Password |
System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested. Analysis Type: Dynamic |
Leaked LogCat Data Phone Number |
System log files are analyzed for exposure of the user’s phone number. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested. Analysis Type: Dynamic |
Leaked LogCat Data Serial |
Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack. Additionally, any application on that device with the "READ_LOGS" permission can interrogate the logs, and in more recent versions of Android, the log files have been more carefully isolated and do not require system level permissions to be requested. In this test, the system log files are analyzed for the existence of sensitive user or application data. Analysis Type: Dynamic |
Leaked LogCat Data Surrounding Wifi Network BSSID |
System log files are analyzed for exposure of the surrounding wi-fi network basic service set identifier (BSSID). Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested. The CVSS of this assessment was previously 0 (informational). Analysis Type: Dynamic |
Leaked LogCat Data Surrounding WiFi MAC |
System log files are analyzed for surrounding wi-fi MAC address exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested. Analysis Type: Dynamic |
Leaked LogCat Data Surrounding WiFi Network BSSID |
Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack. Additionally, any application on that device with the "READ_LOGS" permission can interrogate the logs, and in more recent versions of Android, the log files have been more carefully isolated and do not require system level permissions to be requested. In this test, the system log files are analyzed for the existence of sensitive user or application data. Analysis Type: Dynamic |
Leaked LogCat Data Surrounding Wifi Network SSID |
System log files are analyzed for the existence of any sensitive user or application data. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested. The CVSS of this assessment was previously 0 (informational). Analysis Type: Dynamic |
Leaked LogCat Data Username |
System log files are analyzed for the existence of any sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested. Analysis Type: Dynamic |
Leaked LogCat Data WiFi IP |
System log files are analyzed for the existence of any sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested. Analysis Type: Dynamic |
Leaked LogCat Data WiFi MAC |
System log files are analyzed for the existence of any sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested. Analysis Type: Dynamic |
Leaked LogCat Data ZIP Code |
Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack. Additionally, any application on that device with the "READ_LOGS" permission can interrogate the logs, and in more recent versions of Android, the log files have been more carefully isolated and do not require system level permissions to be requested. In this test, the system log files are analyzed for the existence of sensitive user or application data. The CVSS score for this assessment was previously 3.3. Analysis Type: Dynamic |
Obfuscation Check |
Checks if the source code has been obfuscated either by Proguard or Dexguard in order to make class identification less obvious. The CVSS score for this assessment was previously 4.0. Analysis Type: Static |
OSLogs |
Debug logs are generally designed to be used to detect and correct flaws in an application. OSLog is a unified logging system that stores messages in memory and in a data store, rather than writing to text-based log files. These logs can leak sensitive information that may help an attacker launch a more powerful attack. Forensic data will provide any OSLog messages detected while performing dynamic analysis. Analysis Type: Dynamic |
Path Traversal |
On Android systems, path traversal (a.k.a. directory traversal) allows attackers to perpetrate a "dot-dot-slash (../)" attack to read/write files in internal storage. Any vulnerable content providers will be listed in the forensic data. The intrinsic CVSS score for this vulnerability is 7.3, but the CVSS score reported here is 0 to signify no ratings impact. Analysis Type: Dynamic |
Remote Code Execution |
Checks for writable executable file permissions and for zip files sent in transit over the network. The combination of these two instances more than likely indicates a remote code execution vulnerability. Analysis Type: Dynamic |
Runs Root Command Check |
This check determines if the application attempts to use escalated privileges through the su command. This is commonly used by malware to exploit rooted devices. The CVSS score for this assessment was previously 10. Analysis Type: Dynamic |
SD Card File List |
External storage locations are monitored as the application runs to determine if data is being stored in the application. Analysis Type: Dynamic |
Secure Random Check |
Applications that use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the PRNG (pseudo-random number generator). Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected. Please note that for "electronic wallet" applications, or applications that process sensitive and/or monetary transactions (including bitcoin transactions), the risk associated with this finding should be considered carefully and should potentially be classified using a finding with severity "High." The CVSS score for this assessment was previously 2.7. Analysis Type: Static |
Sensitive Data Cert Validation |
Determines whether the application is performing proper certificate validation or hostname verification. Lack of proper validation could result in sensitive data being intercepted by a man-in-the-middle attack. If the application's traffic can be decrypted, it is searched for sensitive data, including username, password, GPS coordinates, wi-fi MAC address, International Mobile Equipment Identity (IMEI), device serial number, and phone number. Analysis Type: Dynamic |
Sensitive Data Flow |
All TLS/SSL communications sent by the application are proxied and traffic is searched for sensitive values, including the user’s username, password, GPS coordinates, wi-fi MAC address, International Mobile Equipment Identity (IMEI), serial number, and phone number. The CVSS score for this assessment was previously 1.6. Analysis Type: Dynamic |
Sensitive Data HTTP Android ID |
Traffic is analyzed to determine if the Android ID is exposed from insecure transmission over the network without encryption. Analysis Type: Dynamic |
Sensitive Data HTTP Build Fingerprint |
Traffic is analyzed to determine if the user’s build fingerprint is exposed from insecure transmission over the network without encryption. Analysis Type: Dynamic |
Sensitive Data HTTP (Custom Values) |
Using custom search terms, traffic is analyzed to determine if any sensitive data is exposed from insecure transmission over the network without encryption. Analysis Type: Dynamic |
Sensitive Data HTTP DNS1 |
Traffic is analyzed to determine if any sensitive data is transmitted insecurely over the network without encryption. For this check, instances of the DNS were searched across any intercepted traffic. The CVSS score for this assessment was previously 4.3. Analysis Type: Dynamic |
Sensitive Data HTTP DNS2 |
Traffic is analyzed to determine if any DNS data is exposed from insecure transmission over the network without encryption. Analysis Type: Dynamic |
Sensitive Data HTTP Bluetooth MAC |
Traffic is analyzed to determine if any sensitive data is transmitted insecurely over the network without encryption. For this check, instances of the Bluetooth MAC Address were searched across any intercepted traffic. Analysis Type: Dynamic |
Sensitive Data HTTP Email |
Traffic is analyzed to determine if the user’s email address is exposed from insecure transmission over the network without encryption. Analysis Type: Dynamic |
Sensitive Data HTTP First Name |
Traffic is analyzed to determine if the user’s first name is exposed from insecure transmission over the network without encryption. Analysis Type: Dynamic |
Sensitive Data HTTP GPS Latitude |
Traffic is analyzed to determine if the user’s GPS latitude location is exposed from insecure transmission over the network without encryption. Analysis Type: Dynamic |
Sensitive Data HTTP GPS Longitude |
Traffic is analyzed to determine if any sensitive data is exposed from insecure transmission over the network without encryption. Analysis Type: Dynamic |
Sensitive Data HTTP IMEI |
Traffic is analyzed to determine if the user’s International Mobile Equipment Identity (IMEI) is exposed from insecure transmission over the network without encryption. Analysis Type: Dynamic |
Sensitive Data HTTP Last Name |
Traffic is analyzed to determine if the user’s last name is exposed from insecure transmission over the network without encryption. Analysis Type: Dynamic |
Sensitive Data HTTP Local WiFi MAC |
Traffic is analyzed to determine if the local wi-fi MAC address is exposed from insecure transmission over the network without encryption. Analysis Type: Dynamic |
Sensitive Data HTTP MAC |
Traffic is analyzed to determine if any sensitive data is transmitted insecurely over the network without encryption. For this check, instances of the MAC Address were searched across any intercepted traffic. Analysis Type: Dynamic |
Sensitive Data HTTP Name |
Traffic is analyzed to determine if the user’s full name is exposed from insecure transmission over the network without encryption. Analysis Type: Dynamic |
Sensitive Data HTTP Password |
Traffic is analyzed to determine if the user’s password is exposed from insecure transmission over the network without encryption. Analysis Type: Dynamic |
Sensitive Data HTTP Phone Number |
Traffic is analyzed to determine if the user’s phone number is exposed from insecure transmission over the network without encryption. Analysis Type: Dynamic |
Sensitive Data HTTP Serial |
Traffic is analyzed to determine if the device’s serial is exposed from insecure transmission over the network without encryption. Analysis Type: Dynamic |
Sensitive Data HTTP Surrounding WiFi MAC |
Traffic is analyzed to determine if the surrounding wi-fi MAC address is insecurely transmitted over the network without encryption. Analysis Type: Dynamic |
Sensitive Data HTTP Surrounding Wifi Network BSSID |
Traffic is analyzed to determine if the surrounding wi-fi network basic service set identifier (BSSID) is exposed from insecure transmission over the network without encryption. Analysis Type: Dynamic |
Sensitive Data HTTP Surrounding Wifi Network SSID |
Traffic is analyzed to determine if the surrounding wi-fi network service set identifier (SSID) is insecurely transmitted over the network without encryption. Analysis Type: Dynamic |
Sensitive Data HTTP Username |
Traffic is analyzed to determine if the user’s username is exposed from insecure transmission over the network without encryption. Analysis Type: Dynamic |
Sensitive Data HTTP WiFi IP |
Traffic is analyzed to determine if the wi-fi IP address is exposed from insecure transmission over the network without encryption. Analysis Type: Dynamic |
Sensitive Data HTTP WiFi MAC |
Traffic is analyzed to determine if any sensitive data is transmitted insecurely over the network without encryption. For this check, instances of the WiFi MAC Address were searched across any intercepted traffic. Analysis Type: Dynamic |
Sensitive Data HTTP ZIP Code |
Traffic is analyzed to determine if any sensitive data is transmitted insecurely over the network without encryption. For this check, instances of the zip code were searched across any intercepted traffic. The CVSS score for this assessment was previously 7.1. Analysis Type: Dynamic |
SMS Communications |
SMS communications are monitored during dynamic analysis. Forensic data provides context on what was found to be sent over SMS. Analysis Type: Dynamic |
Snoop Network Hosts |
Network communications are monitored while the application is running to locate the destination of the application’s sent data. Analysis Type: Dynamic |
World Readable Files Check |
Calls within the application are checked for the use of world–readable permissions. Forensic details show any detections. The intrinsic CVSS score for this vulnerability is 4.7, but the CVSS score reported here is 0 to signify no ratings impact. Analysis Type: Dynamic |
World Writable Files Check |
Calls within the application are checked for the use of world-writable permissions. Forensic details show any detections. Analysis Category: Permissions |
Writable Executable Files Check |
Checks for writable executable file permissions in shared storage locations. If the application has a “writable_executable” and is combined with another bug, such as a network ZIP download, the app could be vulnerable to remote code execution attacks. Analysis Category: Permissions |
Writable Executable Files Private Check |
Checks for writable executable file permissions in the application’s data directory. If the application has a “writable_executable” and is combined with another bug, such as a network ZIP download, the app could be vulnerable to remote code execution attacks. Analysis Category: Permissions |
Zip File in Transit Check |
Detects whether zip files are being sent by the application in transit over HTTP. Zip files can lead to a remote arbitrary file write, which could allow an attacker remote code execution. The intrinsic CVSS score for this vulnerability is 7.6, but the CVSS score reported here is 0 to signify no ratings impact. Analysis Type: Dynamic |
Zip File in Transit Check Https |
Detects when ZIP files are being sent by the application over HTTPS. ZIP files can contain arbitrary code written in the file, which could allow an attacker to carry out a remote code execution attack. Analysis Category: Network |
Deprecated Android Assessments
Name | Details |
---|---|
Broken SSL |
Determines whether the application is performing proper certificate validation and hostname verification. Lack of proper certificate validation OR hostname verification could result in sensitive data being intercepted by a man–in–the–middle attack. The intrinsic CVSS score for this vulnerability is 7.0, but the CVSS score reported here is 0 to signify no ratings impact. Analysis Type: Dynamic |
Change Cipher Spec Check |
Certain versions of OpenSSL do not properly restrict the processing of ChangeCipherSpec messages during the TLS/SSL handshake, which could lead to a man-in-the-middle exploit. This is also referred to as the “CCS Injection” vulnerability. For additional details, refer to CVE-2014-0224. Analysis Category: Code |
Decode APK Check |
Determines if the application can be decoded and if its resources can be extracted for further analysis. Analysis Category: Code |
Decompile APK Check |
Determines if the application can be decompiled and if its source code can be extracted for further analysis. Analysis Type: Static |
Directory Traversal Content Providers |
Inter Process Communication allows functionality to be discovered and invoked on the fly, granting end users the ability to replace applications with others that offer similar functionality. To allow this, applications must be able to contract out operations to other applications. This is accomplished through the use of various mechanisms such as Intents, Bundles, and Binders. The intrinsic CVSS score for this vulnerability is 7.3, but the CVSS score reported here is 0 to signify no ratings impact. Analysis Category: Inter Process Communication (IPC) |
Dynamic Code Loading Check |
Checks for the use of dynamic code loading within the APK. This mechanism allows a developer to specify which components of the application should not be loaded by default when the application is started. Typically, core components and additional dependencies are loaded natively at runtime; however, dynamically loaded components are only loaded as they are specifically requested. While this can have a positive impact on performance, or grant additional functionality (e.g., a non–invasive update feature), it can also open the application to serious security vulnerabilities if not implemented properly. The intrinsic CVSS score for this vulnerability is 4.3, but the CVSS score reported here is 0 to signify no ratings impact. Analysis Type: Static |
Get Reflection Code |
This check looks for code reflection within the application and returns where reflection is used. Reflection grants developers the ability and flexibility to view and determine API characteristics at runtime, as opposed to compilation time. At runtime, reflection techniques can be used to determine if a specific class or method is available before trying to use it. Developers can dynamically construct objects, access fields, and invoke methods. It enables the developer to leverage newer APIs while still supporting older versions, all from within the same app. Reflection APIs are part of the Android SDK and can be beneficial when targeting a variety of versions/devices. Analysis Category: Code |
HeartBleed Check |
Determines if the application attempts to use escalated privileges through the “su” command. This is commonly used by malware to exploit rooted devices. Analysis Category: Code |
Leaked Data in Files Provision Revision |
Local application files and external storage locations are inspected for provision revision exposure. Analysis Type: Dynamic |
Leaked LogCat Data Provision Revision |
System log files are analyzed for provision revision exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested. Analysis Type: Dynamic |
Master Key Check |
This checks if the application is attempting to exploit the Master Key vulnerability. Android OS versions 1.6 through 4.2 do not properly check cryptographic signatures and this could lead to non–approved code being run. For more information see CVE-2013-4787. The purpose of this check is to flag potentially malicious behavior within the application. The intrinsic CVSS score for this vulnerability is 9.3, but the CVSS score reported here is 0 to signify no ratings impact. Analysis Type: Static |
OkHttp |
OkHttp before 2.7.4 and 3.x before 3.1.2 allows man–in–the–middle attackers to bypass certificate pinning. During static analysis, the binary is searched for vulnerable versions of this library. The intrinsic CVSS score for this vulnerability is 5.9, but the CVSS score reported here is 0 to signify no ratings impact. Analysis Type: Static |
Path Traversal |
Path traversal (a.k.a. directory traversal) allows attackers to perpetrate a “dot–dot–slash” (../) attack to read/write files in internal storage. Any vulnerable content providers will be listed in the forensic data. Analysis Category: Inter Process Communication (IPC) |
Sensitive Data HTTP Provision Revision |
Traffic is analyzed to determine if the provision revision is insecurely transmitted over the network without encryption. Analysis Type: Dynamic |
SQL Injection |
Android applications may use untrusted input to construct SQL queries, and do so in a way that is exploitable. The most common case is when applications do not sanitize input for an SQL query and do not limit access to content providers. Any vulnerable content providers will be listed in the forensic data. The intrinsic CVSS score for this vulnerability is 5.7, but the CVSS score reported here is 0 to signify no ratings impact. Analysis Type: Dynamic |
iOS Assessments
Name | Details |
---|---|
Application Behaviors |
Forensic data highlights a list of the potential behaviors that might have been observed while interacting with the application. A brief description of each behavior, potential use, and the applicable architecture (MACH–O slice) in which that behavior was detected are included. Analysis Type: Static |
Cert |
Any certificates used by the application are displayed as forensic data, covering the type of key, number of bits, serial number, URL, and common name associated with each certificate. Analysis Type: Dynamic |
Entitlements |
Entitlements confer specific capabilities or security permissions to an iOS application. Forensic data show specific entitlements along with associated values. Analysis Type: Static |
GeoIP |
Network communications are monitored as the application is running to locate where the application is sending its data. Analysis Type: Dynamic |
iOS Keychain |
Highlights any activity where the app calls the iOS Keychain, indicating when keychain items were created, deleted, or queried. Analysis Type: Dynamic |
IPA Crypto Data Flows |
CommonCrypto calls are analyzed to determine if any sensitive data is protected using symmetric encryption, hash-based message authentication codes, and digests. Analysis Type: Dynamic |
IPA Dynamic Log |
Analysis Type: Dynamic |
IPA Metadata |
Informational details about the compiled binary that were observed during dynamic analysis of the application. Example metadata includes the supported app versions, various flags set in the application, bundle information, identified behaviors, important libraries, and more. Many of these items are already being analyzed and separated out into their own individual checks and results. Analysis Type: Static |
IPA Network Data Flows |
CFURLConnection requests are analyzed to determine if any sensitive data is transmitted over the network. Analysis Type: Dynamic |
IPA Sensitive Data Cert Validation |
Related to the hostname verification issue, this check searches for sensitive data that can be intercepted over the network due to improper certificate validation and/or hostname verification. Sensitive data includes usernames, passwords, GPS coordinates, wi-fi MAC address, International Mobile Equipment Identity (IMEI), device serial number, and phone number. Analysis Type: Dynamic |
IPA Sensitive Data Flow |
This test utilizes methods to proxy all TLS/SSL communications sent by the application. During this process, we search the traffic for sensitive search values, including Username, Password, GPS coordinates, WiFi MAC Address, IMEI, Serial Number, and Phone Number. The CVSS score for this assessment was previously 1.6. Analysis Type: Dynamic |
IPA Sensitive Data HTTP AdID |
Traffic is analyzed to determine if the advertising ID (AdID) is insecurely transmitted over the network without encryption. Analysis Type: Dynamic |
IPA Sensitive Data HTTP (Custom Values) |
Traffic is analyzed to determine if custom terms are insecurely transmitted over the network without encryption. Analysis Type: Dynamic |
IPA Sensitive Data HTTP Device Information |
Traffic is analyzed to determine if device information is insecurely transmitted over the network without encryption. Analysis Type: Dynamic |
IPA Sensitive Data HTTP Email |
Traffic is analyzed to determine if any email addresses are insecurely transmitted over the network without encryption. Analysis Type: Dynamic |
IPA Sensitive Data HTTP First Name |
Traffic is analyzed to determine if the user’s first name is insecurely transmitted over the network without encryption. Analysis Type: Dynamic |
IPA Sensitive Data HTTP GPS Latitude |
Traffic is analyzed to determine if the user’s GPS latitude coordinate is insecurely transmitted over the network without encryption. Analysis Type: Dynamic |
IPA Sensitive Data HTTP GPS Longitude |
Traffic is analyzed to determine if the user’s GPS longitude coordinate is insecurely transmitted over the network without encryption. Analysis Type: Dynamic |
IPA Sensitive Data HTTP IDFV |
Traffic is analyzed to determine if the Identifier for Vendors (IDFV) is insecurely transmitted over the network without encryption. Analysis Type: Dynamic |
IPA Sensitive Data HTTP Last Name |
Traffic is analyzed to determine if the user’s last name is insecurely transmitted over the network without encryption. Analysis Type: Dynamic |
IPA Sensitive Data HTTP Local WiFi MAC |
Traffic is analyzed to determine if the local wi-fi MAC address is insecurely transmitted over the network without encryption. Analysis Type: Dynamic |
IPA Sensitive Data HTTP Password |
Traffic is analyzed to determine if the user’s password is insecurely transmitted over the network without encryption. Analysis Type: Dynamic |
IPA Sensitive Data HTTP Phone Number |
Traffic is analyzed to determine if the user’s phone number is insecurely transmitted over the network without encryption. Analysis Type: Dynamic |
IPA Sensitive Data HTTP Surrounding WiFi MAC |
Traffic is analyzed to determine if the surrounding wi-fi MAC address is insecurely transmitted over the network without encryption. Analysis Type: Dynamic |
IPA Sensitive Data HTTP Username |
Traffic is analyzed to determine if the username is insecurely transmitted over the network without encryption. Analysis Type: Dynamic |
IPA Sensitive Data HTTP ZIP Code |
Traffic is analyzed to determine if any sensitive data is transmitted insecurely over the network without encryption. For this check, instances of the zip code were searched across any intercepted traffic. Analysis Type: Dynamic |
IPA Sensitive Data Keychain (Custom Values) |
iOS Keychain entries are monitored and custom terms are searched. Analysis Type: Dynamic |
IPA Sensitive Data Keychain Other |
iOS Keychain entries and values related to the instrumented test device (e.g., Device ID, GPS coordinates, etc.) are searched. Analysis Type: Dynamic |
IPA Sensitive Data Keychain Password |
iOS Keychain entries are monitored and instances of the password are searched. Analysis Type: Dynamic |
IPA Sensitive Data Keychain Username |
iOS Keychain entries are monitored and instances of the username are searched. Analysis Type: Dynamic |
IPA Zip File in Transit Check |
Detects whether zip files are being sent by the application in transit over HTTP. Zip files can lead to a remote arbitrary file write, which could allow an attacker remote code execution. Analysis Type: Dynamic |
IPA Zip File in Transit Check Https |
Determines if ZIP files are being sent by the application over HTTPS. ZIP files can lead to a remote arbitrary file write, which could allow an attacker to carry out a remote code execution attack. Analysis Type: Dynamic |
Leaked ASL Data AdID |
ASL messages are analyzed for advertising ID (AdID) exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data (Custom Values) |
ASL messages are analyzed for sensitive user or application data. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data Email |
ASL messages are analyzed for evidence of exposing the user’s email. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data First Name |
ASL messages are analyzed for evidence of exposing the user’s first name. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data GPS Latitude |
ASL messages are analyzed for exposure of the GPS latitude. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data GPS Longitude |
ASL messages are analyzed for exposure of the GPS longitude. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data IDFV |
ASL messages are analyzed for Identifier for Vendors (IDFV) exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data Last Name |
ASL messages are analyzed for user last name exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data Local WiFi MAC |
ASL messages are analyzed for local wi-fi MAC address exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data Name |
ASL messages are analyzed for exposure of the user’s name. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data Password |
ASL messages are analyzed for password exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data Phone Number |
ASL messages are analyzed for phone number exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data Surrounding WiFi MAC |
ASL messages are analyzed for surrounding wi-fi MAC address exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data Username |
ASL messages are analyzed for username exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Analysis Type: Dynamic |
Leaked ASL Data Zip Code |
Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack. In this test, ASL messages are analyzed for the existence of sensitive user or application data. The CVSS score for this assessment was previously 3.3. Analysis Type: Dynamic |
Libraries ARC |
This check examines the compiled binary for libraries that do not have Automatic Reference Counting (ARC) enabled. Analysis Type: Static |
Libraries SSP |
This test checks if the individual components inside the compiled binary used stack canaries to prevent buffer overflows. Analysis Type: Static |
Local Auth Check |
This check only applies to iOS apps that utilize Touch ID for authentication. It checks to determine if your application is using an insecure implementation of the Local Authentication framework, which makes it possible to bypass the authentication process through runtime analysis or patching the binary. The CVSS score for this assessment was previously 3.8. Analysis Type: Static |
SQLite |
Any interaction with SQLite databases is monitored as the application is running to determine how the application interacts with its data. Analysis Type: Dynamic |
Uses HTTP |
Network requests are evaluated for unencrypted (HTTP) connections. Any such detected endpoints are available in the forensic data. The intrinsic CVSS score for this vulnerability is 6.5, but the CVSS score reported here is 0 to signify no ratings impact. Analysis Type: Static |
Deprecated iOS Assessments
Name | Details |
---|---|
Address Reference Counting Check |
Checks if the application was compiled with flags, improving its performance and preventing some stack overflow vulnerabilities. Automatic Reference Counting is a memory management system that automatically takes care of the reference count of objects at compile time, instead of leaving this task to the developer. The compiler automatically inserts the release and retain calls, making the developer’s life easier and eliminating risks of introducing vulnerabilities related to the object’s memory life cycle. The process is completely done at compile time, so it does not introduce any runtime overhead and there are no drawbacks for developers switching to this system. This feature was introduced with iOS 5, but it can be backported to previous versions since operations are performed at the time of compilation. Analysis Type: Static |
Address Space Layout Rand Check |
Checks to see if the application binary was compiled with the -PIE flag. Address space layout randomization (ASLR) is a security feature introduced in iOS 4.3 that randomizes how an app is loaded and maintained in memory. ASLR randomizes the address space used in the application, making it difficult to execute malicious code without first causing the application to crash. It also complicates the process of dumping allocated memory of the application. Analysis Category: Code |
AFNetworking |
Checks for vulnerable code in the AFNetworking implementation setting used by the application to add networking functionality. The intrinsic CVSS score for this vulnerability is 7.5, but the CVSS score reported here is 0 to signify no ratings impact. Analysis Type: Dynamic |
AFNetworking Detected |
Checks for vulnerable code in the AFNetworking implementation setting used by the application to add networking functionality. Analysis Type: Dynamic |
App Transport Security (ATS) |
ATS is new in iOS 9, and it helps ensure secure connections between an app and the back end server(s). It is on by default when an app is linked against iOS 9.0 SDK or later. With ATS enabled, HTTP connections are forced to use HTTPS (TLS v1.2), and any attempts to connect using insecure HTTP will fail. There are a couple of options when implementing ATS:
The intrinsic CVSS score for this vulnerability is 5.3, but the CVSS score reported here is 0 to signify no ratings impact. Analysis Type: Static |
Background Modes |
Most iOS apps do not have/require background processes to be run. However, background modes must be set if an app plays music, needs location, etc. The forensic data highlights a list of the background modes that were detected. It is recommended to review all enabled background modes and disable any that are not required. Analysis Type: Static |
Change Cipher Spec Check |
Certain versions of OpenSSL do not properly restrict the processing of ChangeCipherSpec messages during the SSL/TLS handshake, which could lead to a man–in–the–middle exploit. This is also referred to as the "CCS Injection" vulnerability. For additional details, refer to CVE-2014-0224. The intrinsic CVSS score for this vulnerability is 7.3, but the CVSS score reported here is 0 to signify no ratings impact. Analysis Type: Dynamic |
Crypto Methods |
CommonCrypto API requests are hooked during dynamic analysis. Detected methods are listed in the forensic data. When applicable, additional contextual data are also provided. Analysis Type: Dynamic |
Frameworks |
Lists detected frameworks, which are self-contained, reusable chunks of code and resources that can be imported into any number of apps and shared across iOS, tvOS, watchOS, and macOS apps. These are similar to frameworks used in other languages (e.g. node modules). Analysis Type: Dynamic |
Heartbleed Check |
Checks to see if the application is vulnerable to the Heartbleed vulnerability. Heartbleed is a serious issue caused by a vulnerable version of the library called “OpenSSL 1.0.1” with heartbeats support enabled. In this version, the “tls1_process_heartbeat” function does not properly validate its input and can lead to information disclosure due to buffer overreading, potentially allowing a malicious attacker to retrieve sensitive information like credentials or encryption keys. The intrinsic CVSS score for this vulnerability is 7.5, but the CVSS score reported here is 0 to signify no ratings impact. Analysis Category: Code |
IPA Broken SSL |
Determines whether the application is performing proper certificate validation and hostname verification. Lack of proper certificate validation OR hostname verification could result in sensitive data being intercepted by a man–in–the–middle attack. The intrinsic CVSS score for this vulnerability is 7.0, but the CVSS score reported here is 0 to signify no ratings impact. Severity (CVSS): High (7.0) |
Jailbreak Detection |
Files and actions pertaining to dynamic analysis observations on jailbreak methods are listed in the forensic data. Analysis Type: Dynamic |
Network |
An NSURLConnection object allows the developer to load the contents of a URL by providing a URL request object. The forensic data highlights each of these connections and provides contextual details, including the type of NSURLConnection, the associated method, URL, body, and status code. Analysis Type: Dynamic |
Stack Smashing Protection Check |
Checks if the application was compiled with flags preventing some stack overflow vulnerabilities. When an application is compiled with stack smashing protection, a known value or “canary” is placed on the stack directly before the local variables to protect the saved base pointer, saved instruction pointer, and function arguments. The value of the canary is verified upon the function return to see if it has been overwritten. The compiler uses a heuristic to intelligently apply stack protection to functions, typically those using character arrays. Analysis Category: Code |