· 6 years ago · Mar 26, 2020, 06:00 PM
Platform: Android
Package Name: com.hamagen
Package Version Name: 1.0.19
Package Version Code: 19
Min Sdk: 23
Target Sdk: 28
MD5 : 84480386adcefba358cac7e1ea146585
SHA1 : e69aa9a9f4b293fcab9ba917920b55e85f2f6f39
SHA256: 9de9499c1d9c7f103d7d9ce64961766d876ab4b10c21847b164bcf47c1deaf21
SHA512: 6f771e96f14e0c6ad63cff6d9326c0eaa5354e16a17c56faf432b973011eb5e3c49e78f6ba9833e107635b0f5064d52f966409df4c699c519e80d654a4938dda
------------------------------------------------------------
[Critical] <#BID 64208, CVE-2013-6271#> Fragment Vulnerability Checking:
 'Fragment' or 'Fragment for ActionbarSherlock' has a severe vulnerability prior to Android 4.4 (API 19).
 Please check:
 (1)http://developer.android.com/reference/android/os/Build.VERSION_CODES.html#KITKAT
 (2)http://developer.android.com/reference/android/preference/PreferenceActivity.html#isValidFragment(java.lang.String)
 (3)http://stackoverflow.com/questions/19973034/isvalidfragment-android-api-19
 (4)http://securityintelligence.com/new-vulnerability-android-framework-fragment-injection/
 (5)http://securityintelligence.com/wp-content/uploads/2013/12/android-collapses-into-fragments.pdf
 (6)https://cureblog.de/2013/11/cve-2013-6271-remove-device-locks-from-android-phone/
 You MUST override 'isValidFragment' method in every "PreferenceActivity" class to avoid Exception throwing in Android 4.4:
 Lcom/facebook/react/devsupport/DevSettingsActivity;
 All of the potential vulnerable "fragment":
 Landroidx/lifecycle/t;
 Lcom/google/android/gms/common/api/internal/fa;
[Critical] <SSL_Security> SSL Implementation Checking (Verifying Host Name in Custom Classes):
 This app allows Self-defined HOSTNAME VERIFIER to accept all Common Names(CN).
 This is a critical vulnerability and allows attackers to do MITM attacks with his valid certificate without your knowledge.
 Case example:
 (1)http://osvdb.org/96411
 (2)http://www.wooyun.org/bugs/wooyun-2010-042710
 (3)http://www.wooyun.org/bugs/wooyun-2010-052339
 Also check Google doc: http://developer.android.com/training/articles/security-ssl.html (Caution: Replacing HostnameVerifier can
 be very dangerous).
 OWASP Mobile Top 10 doc: https://www.owasp.org/index.php/Mobile_Top_10_2014-M3
 Check this book to see how to solve this issue: http://goo.gl/BFb65r

 To see what's the importance of Common Name(CN) verification.
 Use Google Chrome to navigate:
 - https://www.google.com => SSL certificate is valid
 - https://60.199.175.158/ => This is the IP address of google.com, but the CN is not match, making the certificate invalid. You
 still can go Google.com but now you cannot distinguish attackers from normal users

 Please check the code inside these methods:
 Lcom/RNFetchBlob/C;->verify(Ljava/lang/String; Ljavax/net/ssl/SSLSession;)Z
[Critical] <SSL_Security> SSL Connection Checking:
 URLs that are NOT under SSL (Total:2):
 http://logback.qos.ch/css/classic.css
 => Lch/qos/logback/classic/html/UrlCssBuilder;-><init>()V
 http://www.android.com/
 => Lcom/facebook/soloader/SoLoader;->a(Ljava/lang/String; I)Z
[Critical] <WebView><Remote Code Execution><#CVE-2013-4710#> WebView RCE Vulnerability Checking:
 Found a critical WebView "addJavascriptInterface" vulnerability. This method can be used to allow JavaScript to control the host
 application.
 This is a powerful feature, but also presents a security risk for applications targeted to API level JELLY_BEAN(4.2) or below,
 because JavaScript could use reflection to access an injected object's public fields. Use of this method in a WebView containing
 untrusted content could allow an attacker to manipulate the host application in unintended ways, executing Java code with the
 permissions of the host application.
 Reference:
 1."http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface(java.lang.Object,
 java.lang.String) "
 2.https://labs.mwrinfosecurity.com/blog/2013/09/24/webview-addjavascriptinterface-remote-code-execution/
 3.http://50.56.33.56/blog/?p=314
 4.http://blog.trustlook.com/2013/09/04/alert-android-webview-addjavascriptinterface-code-execution-vulnerability/
 Please modify the below code:
 => Lcom/reactnativecommunity/webview/RNCWebViewManager$b;->setMessagingEnabled(Z)V (0x1e) --->
 Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object; Ljava/lang/String;)V
[Warning] External Storage Accessing:
 External storage access found (Remember DO NOT write important files to external storages):
 => Lb/f/a/b;->parsePathStrategy(Landroid/content/Context; Ljava/lang/String;)Lb/f/a/b$a; (0xcc) --->
 Landroid/os/Environment;->getExternalStorageDirectory()Ljava/io/File;
 => Lch/qos/logback/core/android/AndroidContextUtil;->getExternalStorageDirectoryPath()Ljava/lang/String; (0x0) --->
 Landroid/os/Environment;->getExternalStorageDirectory()Ljava/io/File;
 => Lch/qos/logback/core/android/AndroidContextUtil;->getMountedExternalStorageDirectoryPath()Ljava/lang/String; (0x2e) --->
 Landroid/os/Environment;->getExternalStorageDirectory()Ljava/io/File;
 => Lcom/RNFetchBlob/Utils/a;->a(Landroid/content/Context; Landroid/net/Uri;)Ljava/lang/String; (0x6a) --->
 Landroid/os/Environment;->getExternalStorageDirectory()Ljava/io/File;
 => Lcom/RNFetchBlob/t;->a(Lcom/facebook/react/bridge/ReactApplicationContext;)Ljava/util/Map; (0x10a) --->
 Landroid/os/Environment;->getExternalStorageDirectory()Ljava/io/File;
 => Lcom/RNFetchBlob/t;->a(Lcom/facebook/react/bridge/Callback;)V (0x66) --->
 Landroid/os/Environment;->getExternalStorageDirectory()Ljava/io/File;
 => Lcom/RNFetchBlob/t;->a(Lcom/facebook/react/bridge/Promise;)V (0x18) --->
 Landroid/os/Environment;->getExternalStorageDirectory()Ljava/io/File;
 => Ld/b/d/i/a;->b()V (0x26) ---> Landroid/os/Environment;->getExternalStorageDirectory()Ljava/io/File;
 => Ld/b/b/b/b;->a(Ljava/io/File; Ld/b/b/a/a;)Z (0x2) --->
 Landroid/os/Environment;->getExternalStorageDirectory()Ljava/io/File;
 => Lcom/learnium/RNDeviceInfo/RNDeviceModule;->getFreeDiskStorageSync()D (0x4) --->
 Landroid/os/Environment;->getExternalStorageDirectory()Ljava/io/File;
 => Lio/invertase/firebase/storage/RNFirebaseStorage;->getConstants()Ljava/util/Map; (0xb6) --->
 Landroid/os/Environment;->getExternalStorageDirectory()Ljava/io/File;
[Warning] AndroidManifest Exported Components Checking:
 Found "exported" components(except for Launcher) for receiving outside applications' actions (AndroidManifest.xml).
 These components can be initilized by other apps. You should add or modify the attribute to [exported="false"] if you don't want
 to.
 You can also protect it with a customized permission with "signature" or higher protectionLevel and specify in
 "android:permission" attribute.
 receiver => com.transistorsoft.rnbackgroundfetch.HeadlessBroadcastReceiver
[Warning] <Sensitive_Information> Getting ANDROID_ID:
 This app has code getting the 64-bit number "Settings.Secure.ANDROID_ID".
 ANDROID_ID seems a good choice for a unique device identifier. There are downsides: First, it is not 100% reliable on releases of
 Android prior to 2.2 (Froyo).
 Also, there has been at least one widely-observed bug in a popular handset from a major manufacturer, where every instance has
 the same ANDROID_ID.
 If you want to get an unique id for the device, we suggest you use "Installation" framework in the following article.
 Please check the reference: http://android-developers.blogspot.tw/2011/03/identifying-app-installations.html
 => Lf/a/a/f/a;->a(Landroid/content/Context;)Ljava/lang/String; (0x16) --->
 Landroid/provider/Settings$Secure;->getString(Landroid/content/ContentResolver; Ljava/lang/String;)Ljava/lang/String;
 => Lcom/google/android/gms/measurement/internal/we;->b(Lcom/google/android/gms/measurement/internal/o;
 Lcom/google/android/gms/measurement/internal/Je;)V (0xe4c) --->
 Landroid/provider/Settings$Secure;->getString(Landroid/content/ContentResolver; Ljava/lang/String;)Ljava/lang/String;
 => Lcom/facebook/react/modules/systeminfo/AndroidInfoModule;->getAndroidID()Ljava/lang/String; (0x14) --->
 Landroid/provider/Settings$Secure;->getString(Landroid/content/ContentResolver; Ljava/lang/String;)Ljava/lang/String;
 => Lcom/learnium/RNDeviceInfo/RNDeviceModule;->getUniqueIdSync()Ljava/lang/String; (0x14) --->
 Landroid/provider/Settings$Secure;->getString(Landroid/content/ContentResolver; Ljava/lang/String;)Ljava/lang/String;
[Warning] <SSL_Security> SSL Certificate Verification Checking:
 Please make sure this app has the conditions to check the validation of SSL Certificate. If it's not properly checked, it MAY
 allows self-signed, expired or mismatch CN certificates for SSL connection.
 This is a critical vulnerability and allows attackers to do MITM attacks without your knowledge.
 If you are transmitting users' username or password, these sensitive information may be leaking.
 Reference:
 (1)OWASP Mobile Top 10 doc: https://www.owasp.org/index.php/Mobile_Top_10_2014-M3
 (2)Android Security book: http://goo.gl/BFb65r
 (3)https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=134807561
 This vulnerability is much more severe than Apple's "goto fail" vulnerability: http://goo.gl/eFlovw
 Please do not try to create a "X509Certificate" and override "checkClientTrusted", "checkServerTrusted", and "getAcceptedIssuers"
 functions with blank implementation.
 We strongly suggest you use the existing API instead of creating your own X509Certificate class.
 Please modify or remove these vulnerable code:
 --------------------------------------------------
 [Maybe Vulnerable (Please manually confirm)]
 => Lcom/RNFetchBlob/B;
 -> used by: Lcom/RNFetchBlob/D;->a(Lokhttp3/OkHttpClient;)Lokhttp3/OkHttpClient$Builder;
[Warning] <WebView> WebView Local File Access Attacks Checking:
 Found "setAllowFileAccess(true)" or not set(enabled by default) in WebView. The attackers could inject malicious script into
 WebView and exploit the opportunity to access local resources. This can be mitigated or prevented by disabling local file system
 access. (It is enabled by default)
 Note that this enables or disables file system access only. Assets and resources are still accessible using file:///android_asset
 and file:///android_res.
 The attackers can use "mWebView.loadUrl("file:///data/data/[Your_Package_Name]/[File]");" to access app's local file.
 Reference: (1)https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/
 (2)http://developer.android.com/reference/android/webkit/WebSettings.html#setAllowFileAccess(boolean)
 Please add or modify "yourWebView.getSettings().setAllowFileAccess(false)" to your WebView:
 Lcom/learnium/RNDeviceInfo/RNDeviceModule;->getUserAgentSync()Ljava/lang/String;
 Lcom/reactnativecommunity/webview/RNCWebViewManager$b;->a()V
 Lcom/reactnativecommunity/webview/RNCWebViewManager;->setAllowFileAccessFromFileURLs(Landroid/webkit/WebView; Z)V
 Lcom/reactnativecommunity/webview/RNCWebViewManager;->setAllowUniversalAccessFromFileURLs(Landroid/webkit/WebView; Z)V
 Lcom/reactnativecommunity/webview/RNCWebViewManager;->setApplicationNameForUserAgent(Landroid/webkit/WebView;
 Ljava/lang/String;)V
 Lcom/reactnativecommunity/webview/RNCWebViewManager;->setCacheEnabled(Landroid/webkit/WebView; Z)V
 Lcom/reactnativecommunity/webview/RNCWebViewManager;->setCacheMode(Landroid/webkit/WebView; Ljava/lang/String;)V
 Lcom/reactnativecommunity/webview/RNCWebViewManager;->setDomStorageEnabled(Landroid/webkit/WebView; Z)V
 Lcom/reactnativecommunity/webview/RNCWebViewManager;->setGeolocationEnabled(Landroid/webkit/WebView; Ljava/lang/Boolean;)V
 Lcom/reactnativecommunity/webview/RNCWebViewManager;->setIncognito(Landroid/webkit/WebView; Z)V
 Lcom/reactnativecommunity/webview/RNCWebViewManager;->setJavaScriptEnabled(Landroid/webkit/WebView; Z)V
 Lcom/reactnativecommunity/webview/RNCWebViewManager;->setMediaPlaybackRequiresUserAction(Landroid/webkit/WebView; Z)V
 Lcom/reactnativecommunity/webview/RNCWebViewManager;->setMixedContentMode(Landroid/webkit/WebView; Ljava/lang/String;)V
 Lcom/reactnativecommunity/webview/RNCWebViewManager;->setSaveFormDataDisabled(Landroid/webkit/WebView; Z)V
 Lcom/reactnativecommunity/webview/RNCWebViewManager;->setScalesPageToFit(Landroid/webkit/WebView; Z)V
 Lcom/reactnativecommunity/webview/RNCWebViewManager;->setSource(Landroid/webkit/WebView;
 Lcom/facebook/react/bridge/ReadableMap;)V
 Lcom/reactnativecommunity/webview/RNCWebViewManager;->setTextZoom(Landroid/webkit/WebView; I)V
 Lcom/reactnativecommunity/webview/RNCWebViewManager;->setUserAgentString(Landroid/webkit/WebView;)V
[Notice] <Command> Executing "root" or System Privilege Checking:
 The app may has the code checking for "root" permission, mounting filesystem operations or monitoring system:
 Lcom/facebook/react/modules/systeminfo/a;->b()Ljava/lang/String; => '/system/bin/getprop'
[Notice] <Database><#CVE-2011-3901#> Android SQLite Databases Vulnerability Checking:
 This app is using Android SQLite databases but it's "NOT" suffering from SQLite Journal Information Disclosure Vulnerability.
[Notice] File Unsafe Delete Checking:
 Everything you delete may be recovered by any user or attacker, especially rooted devices.
 Please make sure do not use "file.delete()" to delete essential files.
 Check this video: https://www.youtube.com/watch?v=tGw1fxUD-uY
 => Lb/f/a/b;->delete(Landroid/net/Uri; Ljava/lang/String; [Ljava/lang/String;)I (0xc) ---> Ljava/io/File;->delete()Z
 => Lb/f/b/k;->a(Landroid/content/Context; Landroid/content/res/Resources; I Ljava/lang/String; I)Landroid/graphics/Typeface;
 (0x1c) ---> Ljava/io/File;->delete()Z
 => Lb/f/b/k;->a(Landroid/content/Context; Landroid/content/res/Resources; I Ljava/lang/String; I)Landroid/graphics/Typeface;
 (0x34) ---> Ljava/io/File;->delete()Z
 => Lb/f/b/k;->a(Landroid/content/Context; Landroid/content/res/Resources; I Ljava/lang/String; I)Landroid/graphics/Typeface;
 (0x3e) ---> Ljava/io/File;->delete()Z
 => Lb/f/b/k;->a(Landroid/content/Context; Landroid/content/res/Resources; I Ljava/lang/String; I)Landroid/graphics/Typeface;
 (0x46) ---> Ljava/io/File;->delete()Z
 => Lb/f/b/k;->a(Landroid/content/Context; Ljava/io/InputStream;)Landroid/graphics/Typeface; (0x1c) --->
 Ljava/io/File;->delete()Z
 => Lb/f/b/k;->a(Landroid/content/Context; Ljava/io/InputStream;)Landroid/graphics/Typeface; (0x34) --->
 Ljava/io/File;->delete()Z
 => Lb/f/b/k;->a(Landroid/content/Context; Ljava/io/InputStream;)Landroid/graphics/Typeface; (0x3e) --->
 Ljava/io/File;->delete()Z
 => Lb/f/b/k;->a(Landroid/content/Context; Ljava/io/InputStream;)Landroid/graphics/Typeface; (0x46) --->
 Ljava/io/File;->delete()Z
 => Lb/f/b/l;->a(Landroid/content/Context; Landroid/content/res/Resources; I)Ljava/nio/ByteBuffer; (0x1c) --->
 Ljava/io/File;->delete()Z
 => Lb/f/b/l;->a(Landroid/content/Context; Landroid/content/res/Resources; I)Ljava/nio/ByteBuffer; (0x2c) --->
 Ljava/io/File;->delete()Z
 => Lb/f/b/l;->a(Landroid/content/Context; Landroid/content/res/Resources; I)Ljava/nio/ByteBuffer; (0x36) --->
 Ljava/io/File;->delete()Z
 => Lb/o/a/c$a;->a(Ljava/lang/String;)V (0x7a) ---> Ljava/io/File;->delete()Z
 => Lcom/RNFetchBlob/s;->a([Lcom/facebook/react/bridge/ReadableArray;)Ljava/lang/Integer; (0x42) --->
 Ljava/io/File;->delete()Z
 => Lcom/RNFetchBlob/t;->a(Ljava/io/File;)V (0x68) ---> Ljava/io/File;->delete()Z
 => Lcom/RNFetchBlob/t;->b(Ljava/lang/String; Ljava/lang/String; Lcom/facebook/react/bridge/Callback;)V (0x94) --->
 Ljava/io/File;->delete()Z
 => Lcom/facebook/soloader/SysUtil;->a(Ljava/io/File;)V (0x32) ---> Ljava/io/File;->delete()Z
 => Lcom/google/android/gms/measurement/internal/Lb;->getWritableDatabase()Landroid/database/sqlite/SQLiteDatabase; (0x40)
 ---> Ljava/io/File;->delete()Z
 => Lcom/google/android/gms/measurement/internal/e;->getWritableDatabase()Landroid/database/sqlite/SQLiteDatabase; (0x70) --->
 Ljava/io/File;->delete()Z
 => Lcom/transistorsoft/locationmanager/adapter/BackgroundGeolocation;->d()V (0x22) ---> Ljava/io/File;->delete()Z
 => Ld/b/d/c/a;->b(Ljava/io/File;)Z (0x12) ---> Ljava/io/File;->delete()Z
 => Ld/b/d/c/c;->a(Ljava/io/File;)V (0x1a) ---> Ljava/io/File;->delete()Z
 => Ld/b/d/c/c;->a(Ljava/io/File; Ljava/io/File;)V (0xc) ---> Ljava/io/File;->delete()Z
 => Lb/f/b/d;->a(Landroid/content/Context; Lb/f/a/a/c$b; Landroid/content/res/Resources; I)Landroid/graphics/Typeface; (0x40)
 ---> Ljava/io/File;->delete()Z
 => Lb/f/b/d;->a(Landroid/content/Context; Lb/f/a/a/c$b; Landroid/content/res/Resources; I)Landroid/graphics/Typeface; (0x6c)
 ---> Ljava/io/File;->delete()Z
 => Lb/f/b/d;->a(Landroid/content/Context; Lb/f/a/a/c$b; Landroid/content/res/Resources; I)Landroid/graphics/Typeface; (0x74)
 ---> Ljava/io/File;->delete()Z
 => Lb/f/b/d;->a(Landroid/content/Context; Lb/f/a/a/c$b; Landroid/content/res/Resources; I)Landroid/graphics/Typeface; (0x82)
 ---> Ljava/io/File;->delete()Z
 => Lb/f/b/d;->a(Landroid/content/Context; Lb/f/a/a/c$b; Landroid/content/res/Resources; I)Landroid/graphics/Typeface; (0x8a)
 ---> Ljava/io/File;->delete()Z
 => Lch/qos/logback/core/rolling/helper/DefaultFileProvider;->deleteFile(Ljava/io/File;)Z (0x0) ---> Ljava/io/File;->delete()Z
 => Lcom/RNFetchBlob/n;->a()Z (0x1c) ---> Ljava/io/File;->delete()Z
 => Lcom/facebook/react/modules/camera/ImageEditingManager$a;->a(Ljava/io/File;)V (0x22) ---> Ljava/io/File;->delete()Z
 => Ld/b/b/b/b$e;->n()Z (0x14) ---> Ljava/io/File;->delete()Z
 => Ld/b/b/b/b$f;->a(Ljava/io/File;)V (0x14) ---> Ljava/io/File;->delete()Z
 => Ld/b/b/b/b$f;->c(Ljava/io/File;)V (0x20) ---> Ljava/io/File;->delete()Z
 => Ld/b/b/b/b;->a(Ljava/io/File;)J (0x1a) ---> Ljava/io/File;->delete()Z
 => Lokhttp3/internal/io/FileSystem$1;->delete(Ljava/io/File;)V (0x0) ---> Ljava/io/File;->delete()Z
 => Lokhttp3/internal/io/FileSystem$1;->deleteContents(Ljava/io/File;)V (0x2a) ---> Ljava/io/File;->delete()Z
 => Lch/qos/logback/core/rolling/helper/Compressor;->gzCompress(Ljava/lang/String; Ljava/lang/String;)V (0x224) --->
 Ljava/io/File;->delete()Z
 => Lch/qos/logback/core/rolling/helper/Compressor;->zipCompress(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String;)V
 (0x256) ---> Ljava/io/File;->delete()Z
 => Lch/qos/logback/core/rolling/helper/RenameUtil;->renameByCopying(Ljava/lang/String; Ljava/lang/String;)V (0x22) --->
 Ljava/io/File;->delete()Z
 => Lch/qos/logback/core/rolling/FixedWindowRollingPolicy;->rollover()V (0x2a) ---> Ljava/io/File;->delete()Z
 => Lcom/facebook/react/devsupport/JSCHeapCapture;->captureHeap(Ljava/lang/String;
 Lcom/facebook/react/devsupport/JSCHeapCapture$a;)V (0x4e) ---> Ljava/io/File;->delete()Z
[Notice] <Debug><Hacker> Codes for Checking Android Debug Mode:
 Found codes for checking "ApplicationInfo.FLAG_DEBUGGABLE" in AndroidManifest.xml:
 => Ld/c/a/b/c/j;->a (Ljava/lang/String; I)Ld/c/a/b/c/y;
[Notice] <Hacker> APK Installing Source Checking:
 This app has code checking APK installer sources(e.g. from Google Play, from Amazon, etc.). It might be used to check for whether
 the app is hacked by the attackers.
 => Lcom/google/android/gms/measurement/internal/we;->a(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String; Z Z Z
 J Ljava/lang/String; Ljava/lang/String;)Lcom/google/android/gms/measurement/internal/Je; (0x3a) --->
 Landroid/content/pm/PackageManager;->getInstallerPackageName(Ljava/lang/String;)Ljava/lang/String;
 => Lcom/google/android/gms/measurement/internal/Jb;->v()V (0x5c) --->
 Landroid/content/pm/PackageManager;->getInstallerPackageName(Ljava/lang/String;)Ljava/lang/String;
[Notice] <KeyStore><Hacker> KeyStore Protection Information:
 The Keystores below are "protected" by password and seem using SSL-pinning (Total: 1). You can use "Portecle" tool to manage the
 certificates in the KeyStore:
 => Lch/qos/logback/core/net/ssl/KeyStoreFactoryBean;->createKeyStore()Ljava/security/KeyStore; (0x3e) --->
 Ljava/security/KeyStore;->load(Ljava/io/InputStream; [C)V
[Notice] <Signature><Hacker> Getting Signature Code Checking:
 This app has code checking the package signature in the code. It might be used to check for whether the app is hacked by the
 attackers.
 => Lb/f/g/f;->a(Landroid/content/pm/PackageManager; Lb/f/g/a;
 Landroid/content/res/Resources;)Landroid/content/pm/ProviderInfo; (0x36) --->
 Landroid/content/pm/PackageManager;->getPackageInfo(Ljava/lang/String; I)Landroid/content/pm/PackageInfo;
 => Lcom/google/android/gms/common/util/o;->a(Landroid/content/Context; I)Z (0x20) --->
 Landroid/content/pm/PackageManager;->getPackageInfo(Ljava/lang/String; I)Landroid/content/pm/PackageInfo;
 => Ld/c/a/b/c/b/b;->a(Ljava/lang/String; I I)Landroid/content/pm/PackageInfo; (0x10) --->
 Landroid/content/pm/PackageManager;->getPackageInfo(Ljava/lang/String; I)Landroid/content/pm/PackageInfo;
 => Ld/c/a/b/c/i;->a(Landroid/content/Context; Z I)I (0x50) --->
 Landroid/content/pm/PackageManager;->getPackageInfo(Ljava/lang/String; I)Landroid/content/pm/PackageInfo;
[Notice] Native Library Loading Checking:
 Native library loading codes(System.loadLibrary(...)) found:
 [libpbkdf2.so]
 => Lcom/byteamaze/libpbkdf2/Crypto;-><clinit>()V (0x12) ---> Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
[Notice] AndroidManifest Exported Components Checking 2:
 Found "exported" components(except for Launcher) for receiving Google's "Android" actions (AndroidManifest.xml):
 receiver => com.transistorsoft.locationmanager.BootReceiver
 receiver => com.learnium.RNDeviceInfo.RNDeviceReceiver
 receiver => com.transistorsoft.tsbackgroundfetch.BootReceiver
[Info] AndroidManifest Adb Backup Checking:
 This app has disabled Adb Backup.
[Info] <Command> Runtime Command Checking:
 This app is not using critical function 'Runtime.getRuntime().exec("...")'.
[Info] <Database> SQLiteDatabase Transaction Deprecated Checking:
 Ignore checking "SQLiteDatabase:beginTransactionNonExclusive" because your set minSdk >= 11.
[Info] <Database> Android SQLite Databases Encryption (SQLite Encryption Extension (SEE)):
 This app is "NOT" using SQLite Encryption Extension (SEE) on Android (http://www.sqlite.org/android) to encrypt or decrpyt
 databases.
[Info] <Database> Android SQLite Databases Encryption (SQLCipher):
 This app is "NOT" using SQLCipher(http://sqlcipher.net/) to encrypt or decrpyt databases.
[Info] <Debug> Android Debug Mode Checking:
 DEBUG mode is OFF(android:debuggable="false") in AndroidManifest.xml.
[Info] Dynamic Code Loading:
 No dynamic code loading(DexClassLoader) found.
[Info] <Framework> Framework - MonoDroid:
 This app is NOT using MonoDroid Framework (http://xamarin.com/android).
[Info] <Hacker> Base64 String Encryption:
 No encoded Base64 String or Urls found.
[Info] <Database><Hacker> Key for Android SQLite Databases Encryption:
 Did not find using the symmetric key(PRAGMA key) to encrypt the SQLite databases (It's still possible that it might use but we
 did not find out).
[Info] <KeyStore><Hacker> KeyStore File Location:
 Did not find any possible BKS keystores or certificate keystore file (Notice: It does not mean this app does not use keysotre):
[Info] <Hacker> Code Setting Preventing Screenshot Capturing:
 Did not detect this app has code setting preventing screenshot capturing.
[Info] HttpURLConnection Android Bug Checking:
 Ignore checking "http.keepAlive" because you're not using "HttpURLConnection" and min_Sdk > 8.
[Info] <KeyStore> KeyStore Type Checking:
 KeyStore 'BKS' type check OK
[Info] Google Cloud Messaging Suggestion:
 Nothing to suggest.
[Info] <#CVE-2013-4787#> Master Key Type I Vulnerability:
 No Master Key Type I Vulnerability in this APK.
[Info] App Sandbox Permission Checking:
 No security issues "MODE_WORLD_READABLE" or "MODE_WORLD_WRITEABLE" found on 'openOrCreateDatabase' or 'openOrCreateDatabase2' or
 'getDir' or 'getSharedPreferences' or 'openFileOutput'
[Info] AndroidManifest Dangerous ProtectionLevel of Permission Checking:
 No "dangerous" protection level customized permission found (AndroidManifest.xml).
[Info] AndroidManifest PermissionGroup Checking:
 PermissionGroup in permission tag of AndroidManifest sets correctly.
[Info] <Implicit_Intent> Implicit Service Checking:
 No dangerous implicit service.
[Info] AndroidManifest "intent-filter" Settings Checking:
 "intent-filter" of AndroidManifest.xml check OK.
[Info] AndroidManifest Normal ProtectionLevel of Permission Checking:
 No default or "normal" protection level customized permission found (AndroidManifest.xml).
[Info] <#CVE-2013-6272#> AndroidManifest Exported Lost Prefix Checking:
 No exported components that forgot to add "android:" prefix.
[Info] AndroidManifest ContentProvider Exported Checking:
 No exported "ContentProvider" found (AndroidManifest.xml).
[Info] <Sensitive_Information> Getting IMEI and Device ID:
 Did not detect this app is getting the "device id(IMEI)" by "TelephonyManager.getDeviceId()" approach.
[Info] Codes for Sending SMS:
 Did not detect this app has code for sending SMS messages (sendDataMessage, sendMultipartTextMessage or sendTextMessage).
[Info] <System> AndroidManifest sharedUserId Checking:
 This app does not use "android.uid.system" sharedUserId.
[Info] <SSL_Security> SSL Implementation Checking (Verifying Host Name in Fields):
 Critical vulnerability "ALLOW_ALL_HOSTNAME_VERIFIER" field setting or "AllowAllHostnameVerifier" class instance not found.
[Info] <SSL_Security> SSL Implementation Checking (Insecure component):
 Did not detect SSLSocketFactory by insecure method "getInsecure".
[Info] <SSL_Security> SSL Implementation Checking (HttpHost):
 DEFAULT_SCHEME_NAME for HttpHost check: OK
[Info] <SSL_Security> SSL Implementation Checking (WebViewClient for WebView):
 Did not detect critical usage of "WebViewClient"(MITM Vulnerability).
[Info] Unnecessary Permission Checking:
 Permission 'android.permission.ACCESS_MOCK_LOCATION' sets correctly.
[Info] Accessing the Internet Checking:
 This app is using the Internet via HTTP protocol.
[Info] AndroidManifest System Use Permission Checking:
 No system-level critical use-permission found.
[Info] <WebView> WebView Potential XSS Attacks Checking:
 Did not detect "setJavaScriptEnabled(true)" in WebView.
------------------------------------------------------------
AndroBugs analyzing time: 19.566249 secs
Total elapsed time: 84.367865 secs
<<< Analysis report is generated: /home/andro/Desktop/Tools/MARA_Framework/tools/AndroBugs/Reports/com.hamagen_3b0a82bd5004fde35b42c5ff4318bad48d9ccd7bef759e38ffff173ffc5085492f529c91d1ccb2e84c3554b6a9947418707a6309586e11fec36f2418fea2f51c.txt >>>