mobsfscan

MobSF

Hidden elements in view can be used to hide data from user. But this data can be leaked.

MobSF

The App logs information. Please ensure that sensitive information is never logged.

MobSF

Insecure Implementation of SSL. Trusting all the certificates or accepting self signed certificates is a critical Security Hole. This application is vulnerable to MITM attacks.

MobSF

The App uses ECB mode in Cryptographic encryption algorithm. ECB mode is known to be weak as it results in the same ciphertext for identical blocks of plaintext.

MobSF

Calling Cipher.getInstance("AES") will return AES ECB mode by default. ECB mode is known to be weak as it results in the same ciphertext for identical blocks of plaintext.

MobSF

Hardcoded encryption key makes AES symmetric encryption useless. An attacker can easily reverse engineer the application and recover the keys.

MobSF

This app does not uses SafetyNet Attestation API that provides cryptographically-signed attestation, assessing the device's integrity. This check helps to ensure that the servers are interacting with the genuine app running on a genuine Android device.

MobSF

The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.

MobSF

The IV for AES CBC mode should be random. A static IV makes the ciphertext vulnerable to Chosen Plaintext Attack.

MobSF

User controlled strings in exec() will result in command execution.

MobSF

A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.

MobSF

DefaultHTTPClient() with default constructor is not compatible with TLS 1.2.

MobSF

This app does not have capabilities to prevent against Screenshots from Recent Task History/ Now On Tap etc.

MobSF

The App uses an insecure Random Number Generator.

MobSF

SSLv3 is insecure and has multiple known vulnerabilities.

MobSF

The app uses jackson deserialization library. Deserialization of untrusted input can result in arbitrary code execution. Consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object.

MobSF

Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. Consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object.

MobSF

This app does not have root detection capabilities. Running a sensitive application on a rooted device questions the device integrity and affects users data.

MobSF

This App uses RSA Crypto without OAEP padding. The purpose of the padding scheme is to prevent a number of attacks on RSA that only work when the encryption is performed without padding.

MobSF

A hardcoded Key is identified.

MobSF

A hardcoded password in plain text is identified.

MobSF

A hardcoded secret is identified.

MobSF

A hardcoded username in plain text is identified.

MobSF

SHA1 Hash algorithm used. The SHA1 hash is known to have hash collisions.

MobSF

App uses SQLite Database and execute raw SQL query. Untrusted user input in raw SQL queries can cause SQL Injection. Also sensitive information should be encrypted and written to the database.

MobSF

This app does not have capabilities to prevent tapjacking attacks. An attacker can hijack the user's taps and tricks him into performing some critical operations that he did not intend to.

MobSF

This app does not enforce TLS Certificate Transparency that helps to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority.

MobSF

This app does not use a TLS/SSL certificate or public key pinning in code to detect or prevent MITM attacks in secure communication channel. Please verify if pinning is enabled in `network_security_config.xml`.

MobSF

Weak encryption algorithm identified. This algorithm is vulnerable to cryptographic attacks.

MobSF

Weak Hash algorithm used. The hash algorithm is known to have hash collisions.

MobSF

The App may use weak IVs like "0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00" or "0x01,0x02,0x03,0x04,0x05,0x06,0x07". Not using a random IV makes the resulting ciphertext much more predictable and susceptible to a dictionary attack.

MobSF

Cryptographic implementations with insufficient key length is susceptible to bruteforce attacks.

MobSF

Remote WebView debugging is enabled. This allows an attacker with debugging access to interact with the webview and steal or corrupt data.

MobSF

WebView load files from external storage. Files in external storage can be modified by any application.

MobSF

WebView File System Access is enabled. An attacker able to inject script into a WebView, could exploit the opportunity to access local resources.

MobSF

Insecure WebView Implementation. WebView ignores SSL Certificate errors and accept any SSL Certificate. This application is vulnerable to MITM attacks.

MobSF

Ensure that javascript interface is implemented securely. Execution of user controlled code in WebView is a critical Security issue.

MobSF

The file is World Readable. Any App can read from the file.

MobSF

The file is World Readable and Writable. Any App can read/write to the file.

MobSF

XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities.

MobSF

XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting "javax.xml.stream.isSupportingExternalEntities" to false.

MobSF

XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting "javax.xml.stream.isSupportingExternalEntities" to false.

MobSF

Hidden elements in view can be used to hide data from user. But this data can be leaked.

MobSF

The App logs information. Please ensure that sensitive information is never logged.

MobSF

A hardcoded Key is identified.

MobSF

A hardcoded password in plain text is identified.

MobSF

A hardcoded secret is identified.

MobSF

A hardcoded username in plain text is identified.

MobSF

The file is World Readable. Any App can read from the file.

MobSF

The file is World Readable and Writable. Any App can read/write to the file.

MobSF

This app does not uses SafetyNet Attestation API that provides cryptographically-signed attestation, assessing the device's integrity. This check helps to ensure that the servers are interacting with the genuine app running on a genuine Android device.

MobSF

This app does not have capabilities to prevent against Screenshots from Recent Task History/ Now On Tap etc.

MobSF

This app does not have root detection capabilities. Running a sensitive application on a rooted device questions the device integrity and affects users data.

MobSF

This app does not have capabilities to prevent tapjacking attacks. An attacker can hijack the user's taps and tricks him into performing some critical operations that he did not intend to.

MobSF

This app does not enforce TLS Certificate Transparency that helps to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority.

MobSF

This app does not use a TLS/SSL certificate or public key pinning in code to detect or prevent MITM attacks in secure communication channel. Please verify if pinning is enabled in `network_security_config.xml`.

MobSF

The App uses ECB mode in Cryptographic encryption algorithm. ECB mode is known to be weak as it results in the same ciphertext for identical blocks of plaintext.

MobSF

Calling Cipher.getInstance("AES") will return AES ECB mode by default. ECB mode is known to be weak as it results in the same ciphertext for identical blocks of plaintext.

MobSF

Hardcoded encryption key makes AES symmetric encryption useless. An attacker can easily reverse engineer the application and recover the keys.

MobSF

The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.

MobSF

The IV for AES CBC mode should be random. A static IV makes the ciphertext vulnerable to Chosen Plaintext Attack.

MobSF

The App uses an insecure Random Number Generator.

MobSF

SSLv3 is insecure and has multiple known vulnerabilities.

MobSF

This App uses RSA Crypto without OAEP padding. The purpose of the padding scheme is to prevent a number of attacks on RSA that only work when the encryption is performed without padding.

MobSF

SHA1 Hash algorithm used. The SHA1 hash is known to have hash collisions.

MobSF

Weak encryption algorithm identified. This algorithm is vulnerable to cryptographic attacks.

MobSF

Weak Hash algorithm used. The hash algorithm is known to have hash collisions.

MobSF

The App may use weak IVs like "0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00" or "0x01,0x02,0x03,0x04,0x05,0x06,0x07". Not using a random IV makes the resulting ciphertext much more predictable and susceptible to a dictionary attack.

MobSF

Cryptographic implementations with insufficient key length is susceptible to bruteforce attacks.

MobSF

The app uses jackson deserialization library. Deserialization of untrusted input can result in arbitrary code execution. Consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object.

MobSF

Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. Consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object.

MobSF

User controlled strings in exec() will result in command execution.

MobSF

A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.

MobSF

App uses SQLite Database and execute raw SQL query. Untrusted user input in raw SQL queries can cause SQL Injection. Also sensitive information should be encrypted and written to the database.

MobSF

Insecure Implementation of SSL. Trusting all the certificates or accepting self signed certificates is a critical Security Hole. This application is vulnerable to MITM attacks.

MobSF

DefaultHTTPClient() with default constructor is not compatible with TLS 1.2.

MobSF

Remote WebView debugging is enabled. This allows an attacker with debugging access to interact with the webview and steal or corrupt data.

MobSF

WebView load files from external storage. Files in external storage can be modified by any application.

MobSF

WebView File System Access is enabled. An attacker able to inject script into a WebView, could exploit the opportunity to access local resources.

MobSF

Insecure WebView Implementation. WebView ignores SSL Certificate errors and accept any SSL Certificate. This application is vulnerable to MITM attacks.

MobSF

Ensure that javascript interface is implemented securely. Execution of user controlled code in WebView is a critical Security issue.

MobSF

XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities.

MobSF

XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting "javax.xml.stream.isSupportingExternalEntities" to false.

MobSF

XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting "javax.xml.stream.isSupportingExternalEntities" to false.