
All InThe Loop

Vulnerability Report
16 Jul 2019

QA Ninjas SECURITY
This document summarizes the findings, analysis and recommendations from the assessment
conducted by QA Ninjas.

1.1. CONFIDENTIALITY & LIABILITY


The contents of this document are intended solely for “All InThe Loop” and may contain
confidential and/or privileged information that may be legally protected from disclosure. This
document must not be given to any third party, printed, photocopied or shared in electronic
form such as email, in whole or in part, without the prior consent of “All InThe Loop.” If you are
not the intended recipient of this document, or if it has been addressed to you in error, please
alert the sender immediately.

1.2. DISCLAIMER

Private & Confidential


• QA Ninjas will not be responsible for any data loss, loss of business functionality, or reputational
and/or revenue loss caused during the testing or thereafter. To that end, QA Ninjas mandates
that the customer diligently back up all systems, configurations, folders, files and settings that
fall within the scope of the proposed testing.

• By its nature the test looks only for vulnerabilities that could potentially lead to an intrusion. It
does not detect intrusions that happened in the past, nor does it detect or prevent intrusions
that might happen in the future.

• The test is meant to find possible vulnerabilities based on the data provided by the customer.
Inadequate or incorrect data can limit the scope of testing, which can leave loopholes in the
network unidentified. QA Ninjas will not be liable for such situations.

• Hacking methodologies, technologies and tools change over time. A vulnerability fixed today is
therefore not fixed forever: a patch or re-configuration applied today may still be bypassed in
future, which is why we recommend repeating the vulnerability test periodically.

• A vulnerability test is often misconstrued as an actual hacking attack; in reality the test is
an attempt to find possible vulnerabilities that could potentially lead to an intrusion.

• Vulnerability tests are not capable of, and are not intended for, detecting inherent hardware,
software, firmware or application problems. The same applies to IT performance and
functionality problems.

• As a policy to protect customers' data privacy, QA Ninjas does not provide logs to the
customer. Logs are treated as internal working data of the QA Ninjas technical team and are
therefore the intellectual property of QA Ninjas; the report generated from them is the only
output meant for the customer. QA Ninjas deletes/destroys all logs and findings of the
test 3 (three) days after submission of the final report, as a matter of security practice, to
protect the client's confidentiality. Any disputes or concerns raised after 3 days will require
re-testing, which is a repetition of the testing effort and will be charged extra.

1.3. TESTING METHODOLOGY


QA Ninjas tests the app using a variety of industry-standard tools, scanners and traffic analyzers
to cover the wide range of application vulnerabilities recommended by the OWASP
methodology. This allows us to test the mobile application for high-risk security and privacy
issues. A black-box approach was used for the tests: the assessment worked from the released
APK (version 2.4) without source code, which is why several findings below list obfuscated
method names such as a(), c() or q() and ask for manual confirmation.

A complete assessment involves the following areas-



1.4. APP INFO
Platform : Android

Application Name : All InThe Loop

Package Name : com.allintheloop

Package Version : 2.4

1.5. EXECUTIVE SUMMARY


Total Vulnerabilities Detected : 9

High Risk Threats : 2

Medium Risk Threats : 6

Low Risk Threats : 1

1.6. PERMISSIONS USED

android.permission.BLUETOOTH_ADMIN
android.permission.INTERNET
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.BLUETOOTH
android.permission.ACCESS_WIFI_STATE
android.permission.ACCESS_NETWORK_STATE
android.permission.CAMERA
android.permission.WRITE_SYNC_SETTINGS
com.google.android.providers.gsf.permission.READ_GSERVICES
android.permission.ACCESS_COARSE_LOCATION
android.permission.ACCESS_FINE_LOCATION
android.permission.SYSTEM_ALERT_WINDOW
com.google.android.c2dm.permission.RECEIVE
com.allintheloop.permission.C2D_MESSAGE
com.allintheloop.permission.MAPS_RECEIVE
android.permission.READ_EXTERNAL_STORAGE
android.permission.READ_PHONE_STATE
android.permission.VIBRATE
android.permission.WAKE_LOCK
android.permission.DOWNLOAD_WITHOUT_NOTIFICATION

1.7. LINKS ACCESSED

The following URL strings were extracted from the APK, i.e. from the application code and the
SDKs bundled with it (Facebook, LinkedIn, Google Play services, PayPal, Stripe, Mapbox,
Estimote, Crashlytics). Entries containing format placeholders (%s, %1$s, %f) or fragments such as
http://www. are string constants that the code completes at runtime; this is a static inventory,
not a record of connections observed during testing. Several first-party endpoints
(allintheloop.com, www.allintheloop.net/apiv4, www.allintheloop.net/assets/user_files) appear with
an http:// scheme; whether they are actually used in cleartext at runtime should be confirmed
when the SSL finding in 1.8.1 is retested.

http://allintheloop.com/terms.html
http://docs.google.com/gview?embedded=true&url=
http://graph.facebook.com/
http://gvtesting.cloudapp.net/cgi-bin/Loop/getroute.py
http://maps.google.com/maps/api/staticmap?&zoom=14&markers=color:red%7Clabel:%7C
http://www.
http://www.allintheloop.net/apiv4/testParam
http://www.allintheloop.net/assets/user_files/
http://www.twitter.com/
http://zxing.appspot.com
https://.facebook.com
https://api.linkedin.com/v1/people/~:(email-address,first-name,last-name,picture-url,headline)
https://api.linkedin.com/v2/emailAddress?q=members&projection=(elements*(handle~))&
https://api.linkedin.com/v2/me?
https://api.linkedin.com/v2/me?projection=(id,profilePicture(displayImage~:playableStreams))&
https://cloud.estimote.com
https://com.allintheloop.linkedin.oauth/oauth
https://facebook.com
https://facebook.com/device?user_code=%1$s&qr=1
https://graph-video.%s
https://graph.%s
https://play.google.com/store/apps/details?id=
https://plus.google.com/
https://proximitybeacon.googleapis.com/v1beta1/
https://www.
https://www.allintheloop.net/
https://www.example.com/legal
https://www.example.com/privacy
https://www.facebook.com/dialog/return/close?#_=_
https://www.google.com/cloudprint/dialog.html
https://www.googleapis.com/auth/appstate
https://www.googleapis.com/auth/datastoremobile
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/drive.appdata
https://www.googleapis.com/auth/drive.apps
https://www.googleapis.com/auth/drive.file
https://www.googleapis.com/auth/fitness.activity.read
https://www.googleapis.com/auth/fitness.activity.write
https://www.googleapis.com/auth/fitness.blood_glucose.read
https://www.googleapis.com/auth/fitness.blood_glucose.write
https://www.googleapis.com/auth/fitness.blood_pressure.read
https://www.googleapis.com/auth/fitness.blood_pressure.write
https://www.googleapis.com/auth/fitness.body.read
https://www.googleapis.com/auth/fitness.body.write
https://www.googleapis.com/auth/fitness.body_temperature.read
https://www.googleapis.com/auth/fitness.body_temperature.write
https://www.googleapis.com/auth/fitness.location.read
https://www.googleapis.com/auth/fitness.location.write
https://www.googleapis.com/auth/fitness.nutrition.read
https://www.googleapis.com/auth/fitness.nutrition.write
https://www.googleapis.com/auth/fitness.oxygen_saturation.read
https://www.googleapis.com/auth/fitness.oxygen_saturation.write
https://www.googleapis.com/auth/fitness.reproductive_health.read
https://www.googleapis.com/auth/fitness.reproductive_health.write
https://www.googleapis.com/auth/games
https://www.googleapis.com/auth/games.firstparty
https://www.googleapis.com/auth/games_lite
https://www.googleapis.com/auth/plus.login
https://www.googleapis.com/auth/plus.me
https://www.linkedin.com/oauth/v2/login-cancel
https://www.linkedin.com/uas/oauth2/accessToken?
https://www.linkedin.com/uas/oauth2/authorization?
http://cancelurl
http://returnurl
https://api-m.paypal.com/v1/
https://api-m.sandbox.paypal.com/v1/
https://api.mapbox.com
https://api.paypal.com/v1/tracking/events
https://api.stripe.com
https://b.stats.paypal.com/counter.cgi?p=
https://cms.paypal.com/jp/cgi-bin/marketingweb?cmd=_render-content&content_ID=ua/Legal_Hub_full&locale.x=en_US
https://cms.paypal.com/jp/cgi-bin/marketingweb?cmd=_render-content&content_ID=ua/Legal_Hub_full&locale.x=ja_JP
https://e.crashlytics.com/spi/v2/events
https://events.mapbox.com
https://settings.crashlytics.com/spi/v2/platforms/android/apps/%s/settings
https://svcs.paypal.com/AccessControl/LogRiskMetadata
https://uri.paypal.com/services/expresscheckout
https://uri.paypal.com/services/loyalty/memberships/update
https://uri.paypal.com/services/mis/customer
https://uri.paypal.com/services/payments/basic
https://uri.paypal.com/services/payments/funding-options
https://uri.paypal.com/services/payments/futurepayments
https://uri.paypal.com/services/paypalattributes
https://uri.paypal.com/services/pos/payments
https://uri.paypal.com/services/wallet/financial-instruments/view
https://uri.paypal.com/services/wallet/money-request/requests
https://uri.paypal.com/services/wallet/sendmoney
https://www.mapbox.com/map-feedback
https://www.mapbox.com/map-feedback/#/%f/%f/%d
https://www.paypal.com/%s/cgi-bin/webscr?cmd=_account-recovery&from=%s&locale.x=%s
https://www.paypal.com/%s/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-outside
https://www.paypal.com/%s/webapps/mpp/ua/useragreement-full
https://www.paypal.com/signup/account?country.x=%s&locale.x=%s
https://www.paypal.com/webapps/accountrecovery/passwordrecovery
https://www.paypal.jp/jp/contents/regulation/info/overseas-remittance/
https://www.paypalobjects.com/webstatic/risk/dyson_config_android_v3.json

1.8. HIGH SEVERITY VULNERABILITIES


1.8.1 SSL Implementation Check - SSL Certificate Verification

Severity : High
Risk
A trust-all TrustManager lets an attacker on the network path (public Wi-Fi, a hostile access point,
a compromised router) terminate the app's TLS connections with any certificate of their choosing
and read or modify the traffic, with no warning to the user.

Threat
The app, or an SDK bundled in it, implements the X509TrustManager interface so that every server
certificate is accepted regardless of who signed it. Because the platform's chain validation is
bypassed, self-signed, expired and hostname-mismatched certificates are all accepted.

Technical Details

This app does not validate SSL/TLS server certificates: it allows self-signed, expired or
CN-mismatched certificates for SSL connections. Custom trust logic was found in:
1. com.paypal.android.sdk.cc.a()

The following classes may also be vulnerable and should be confirmed manually:
2. io.fabric.sdk.android.services.network.NetworkUtils.a()
3. org.apache.http.ssl.SSLContextBuilder.loadTrustMaterial()

All three locations are in third-party code (the PayPal Android SDK, Fabric/Crashlytics and Apache
HttpClient) rather than in com.allintheloop. SSLContextBuilder.loadTrustMaterial() is a library
API whose behaviour depends on the TrustStrategy the caller passes to it (TrustSelfSignedStrategy
or TrustAllStrategy is what makes it dangerous), so on its own it is a marker for manual review,
not proof of a trust-all configuration. Remediation is to remove any trust-all TrustManager or
HostnameVerifier, update the affected SDKs, and, where a server uses a private CA, trust that CA
explicitly rather than disabling validation.
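As an added example (not code from the report or the application), the trust-all X509TrustManager pattern this finding describes is shown in Java beside two correct alternatives: trusting one specific private CA through TrustManagerFactory, and wrapping the platform trust manager with a SubjectPublicKeyInfo pin. The CA resource, the pin value and the method names are illustrative assumptions; java.util.Base64 needs API 26+, so on older Android use android.util.Base64 instead.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class TlsTrust {

    /** VULNERABLE: the pattern the report flags. Every chain is accepted, so any on-path
     *  attacker with a self-signed certificate can read and modify the traffic. */
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    /** HARDENED (private CA): the usual reason developers reach for trust-all is a server with a
     *  self-signed or internal CA. Trust exactly that CA instead of disabling validation.
     *  caPem is an X.509 CA certificate shipped with the app (assumed resource). */
    static SSLContext contextTrustingOnly(InputStream caPem) throws Exception {
        Certificate ca = CertificateFactory.getInstance("X.509").generateCertificate(caPem);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                                   // empty in-memory trust store
        ks.setCertificateEntry("private-ca", ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                                          // chain building and expiry checks stay on
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** HARDENED (pinning): run normal platform validation first, then require the leaf's
     *  SubjectPublicKeyInfo hash to match. expectedSpkiSha256 is the base64 SHA-256 of the
     *  DER-encoded SPKI (assumed value, recorded from the real server certificate). */
    static X509TrustManager pinned(X509TrustManager platform, String expectedSpkiSha256) {
        return new X509TrustManager() {
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                platform.checkServerTrusted(chain, authType);  // chain, expiry, revocation as usual
                String seen = spkiSha256(chain[0]);
                if (!expectedSpkiSha256.equals(seen)) {
                    throw new CertificateException("SPKI pin mismatch: " + seen);
                }
            }
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException { platform.checkClientTrusted(chain, authType); }
            @Override public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
        };
    }

    static String spkiSha256(X509Certificate cert) throws CertificateException {
        try {
            byte[] spki = cert.getPublicKey().getEncoded();     // DER SubjectPublicKeyInfo
            return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256").digest(spki));
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                             // null = the system trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Install the pinned trust manager on a connection. The HostnameVerifier is left at the
     *  platform default; an "accept all" verifier reopens the same MITM hole. */
    static void configure(HttpsURLConnection conn, String pin) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { pinned(platformTrustManager(), pin) }, null);
        conn.setSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

On Android 7.0+ the same outcomes (trusting a private CA, pinning, blocking cleartext) can be declared in res/xml/network_security_config.xml without custom TrustManager code, and that is the preferable fix for the application's own traffic; the Java form matters when a bundled SDK such as the ones listed above builds its own SSLContext, which a network security config does not override.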

1.8.2 Unsafe File Delete Check

Severity : High
Risk
Files removed with File.delete() may be recoverable by anyone with low-level access to the storage,
in particular on rooted devices or from a forensic image of the device.

Threat
File.delete() only removes the directory entry from the file system table. The data blocks remain
on the flash until other data overwrites them, so a deleted file holding tokens, cached responses
or user content can be carved back out.

Technical Details

This app uses file.delete() to delete files. Files deleted with file.delete() may be recovered by
another user or an attacker, especially on rooted devices; do not rely on file.delete() alone for
files holding sensitive data. file.delete() is called in the following methods:
1. com.bumptech.glide.disklrucache.DiskLruCache.a()
2. com.bumptech.glide.disklrucache.DiskLruCache.f()
3. com.bumptech.glide.disklrucache.DiskLruCache.c()
4. com.bumptech.glide.disklrucache.Util.a()
5. com.crashlytics.android.core.CrashlyticsController.deleteSessionPartFilesFor()
6. com.crashlytics.android.core.CrashlyticsController.retainSessions()
7. com.crashlytics.android.core.CrashlyticsController.doCleanInvalidTempFiles()
8. com.crashlytics.android.core.CrashlyticsFileMarker.remove()
9. com.crashlytics.android.core.LogFileManager.discardOldLogFiles()
10. com.crashlytics.android.core.Utils.capFileCount()
11. com.estimote.sdk.repackaged.okhttp_v2_2_0.com.squareup.okhttp.internal.DiskLruCache.deleteIfExists()
12. com.estimote.sdk.repackaged.okhttp_v2_2_0.com.squareup.okhttp.internal.DiskLruCache.rebuildJournal()
13. com.estimote.sdk.repackaged.okhttp_v2_2_0.com.squareup.okhttp.internal.DiskLruCache.initialize()
14. com.estimote.sdk.repackaged.okhttp_v2_2_0.com.squareup.okhttp.internal.Util.deleteContents()
15. com.facebook.appevents.AppEventStore.a()
16. com.facebook.internal.FileLruCache$2.run()
17. com.facebook.internal.FileLruCache$BufferFile.a()
18. com.facebook.internal.FileLruCache.a()
19. com.facebook.internal.FileLruCache.d()
20. com.facebook.internal.FileLruCache.b()
21. com.facebook.internal.NativeAppCallAttachmentStore.a()
22. com.facebook.internal.Utility.a()
23. com.facebook.stetho.inspector.network.ResponseBodyFileManager.cleanupFiles()
24. com.android.volley.toolbox.DiskBasedCache.a()
25. com.android.volley.toolbox.DiskBasedCache.c()
26. com.android.volley.toolbox.DiskBasedCache.clear()
27. com.crashlytics.android.core.InvalidSessionReport.remove()
28. com.crashlytics.android.core.QueueFileLogStore.deleteLogFile()
29. com.crashlytics.android.core.SessionReport.remove()
30. com.facebook.internal.FileLruCache$1.onClose()
31. com.facebook.stetho.dumpapp.plugins.HprofDumperPlugin.handlePipeOutput()
32. com.facebook.stetho.dumpapp.plugins.HprofDumperPlugin.truncateAndDeleteFile()
33. com.mapbox.mapboxsdk.offline.OfflineManager$1.run()
34. com.paypal.android.sdk.ap.q()
35. com.squareup.okhttp.internal.io.FileSystem$1.a()
36. com.squareup.okhttp.internal.io.FileSystem$1.g()
37. io.fabric.sdk.android.services.events.QueueFileEventStorage.a()
38. io.fabric.sdk.android.services.events.QueueFileEventStorage.d()
See this video for more details: https://www.youtube.com/watch?v=tGw1fxUD-uY

Note that all of the listed call sites are in bundled third-party libraries (Glide, Crashlytics/Fabric,
OkHttp, the Facebook SDK, Volley, Stetho, Mapbox, the PayPal SDK) performing cache and log
housekeeping, not in com.allintheloop code. The finding therefore matters for the files the
application itself writes with sensitive content, and for what those SDK caches hold (cached
HTTP responses, crash logs). Overwriting before deletion is only best-effort on flash storage,
because wear levelling and journaling file systems may place the overwrite on different physical
blocks; the reliable control is to keep sensitive files encrypted with a key held in the Android
Keystore and to destroy the key.
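An added Java example (not from the report or the app) of how a file with sensitive content should be removed when writing it cannot be avoided: overwrite in place, sync to the device, rename, then delete. It runs off-device on a constructed temporary file. The comments state where it is only best-effort; encryption with a Keystore-held key, as described above, remains the robust control.

```java
import java.io.File;
import java.io.IOException;
import java.io.RandomAccessFile;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.SecureRandom;

public final class SecureDelete {
    private static final SecureRandom RNG = new SecureRandom();

    /** Overwrite the file's contents with random bytes, flush to the device, rename, delete.
     *  Returns true only if every step succeeded. Best-effort on flash: wear levelling and
     *  journaling/copy-on-write file systems may write the new bytes to other physical blocks. */
    static boolean shredAndDelete(File f) throws IOException {
        if (!f.isFile()) return false;
        long remaining = f.length();
        try (RandomAccessFile raf = new RandomAccessFile(f, "rws")) {
            byte[] buf = new byte[64 * 1024];
            while (remaining > 0) {
                int n = (int) Math.min(buf.length, remaining);
                RNG.nextBytes(buf);
                raf.write(buf, 0, n);
                remaining -= n;
            }
            raf.getFD().sync();                    // push the overwrite past the OS page cache
        }
        // Rename first so the original (possibly telling) file name is not left in the
        // directory entry after unlinking; fall back to the original path if rename fails.
        File tmp = new File(f.getParentFile(), "." + Long.toHexString(RNG.nextLong()));
        File target = f.renameTo(tmp) ? tmp : f;
        return target.delete();
    }

    /** Demo on a temp file holding a constructed sample secret (not application data). */
    public static void main(String[] args) throws IOException {
        File f = Files.createTempFile("session", ".txt").toFile();
        Files.write(f.toPath(), "access_token=eyJhbGciOiJIUzI1NiJ9.example".getBytes(StandardCharsets.UTF_8));
        boolean ok = shredAndDelete(f);
        System.out.println("shredded and deleted: " + ok + ", still exists: " + f.exists());
    }
}
```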

1.9. MEDIUM SEVERITY VULNERABILITIES


1.9.1 Usage of Adb Backup

Severity : Medium
Risk
Anyone with brief physical access to an unlocked device can pull an ADB backup of the app and read
its private data, including stored credentials and tokens.

Threat
The Android operating system offers a backup/restore mechanism for installed packages through
the ADB utility (adb backup). By default the app's full private data under the /data partition is
included; an application can opt out in its manifest, or customize what is backed up by
implementing a BackupAgent class that feeds the backup process with selected files and data.

Technical Details

ADB backup is enabled for this app: the manifest does not set android:allowBackup="false", and the
platform default is enabled.

ADB backup is a convenient tool for backing up your files, but while it is enabled for this app
anyone holding the phone can copy all of the app's sensitive data (prerequisites: 1. unlock the
phone's screen, 2. enable developer options/USB debugging and accept the host's debugging key).
That data may include long-lived access tokens, usernames or passwords, etc. Remediation: set
android:allowBackup="false" on the <application> element, or, if cloud backup is required,
exclude sensitive files and shared preferences with android:fullBackupContent rules. From
Android 12 (API 31), adb backup no longer exports app data for apps targeting API 31+ unless the
app is debuggable, but the app must still be protected on older devices. Security cases related
to ADB backup:
1. http://www.securityfocus.com/archive/1/530288/30/0/threaded
2. http://blog.c22.cc/advisories/cve-2013-5112-evernote-android-insecure-storage-of-pin-data-bypass-of-pin-protection
3. http://nelenkov.blogspot.co.uk/2012/06/unpacking-android-backups.html

1.9.2 WebView addJavascriptInterface Remote Code Execution

Severity : Medium
Risk
A WebView JavaScript bridge can be abused to execute arbitrary Java code: JavaScript running in
the WebView uses reflection through the exposed object (getClass().forName(...)) to obtain a
java.lang.Runtime and run commands with the app's privileges. The lowest-impact outcome is
reading the contents of the SD card and the exploited application's data directory; depending on
the device, this can extend to obtaining root privileges, retrieving other sensitive user data from
the device or causing the user monetary loss.

Threat
Apps that render web content inside the app rather than handing it to the browser use a WebView.
addJavascriptInterface() exposes a Java object to every page loaded in that WebView, so any
content an attacker can get into it (a cleartext HTTP page modified in transit, a third-party page
that gets loaded, a script injected through XSS) can call the bridge. On Android 4.2+ with
targetSdkVersion 17 or higher only methods annotated with @JavascriptInterface are reachable,
which removes the reflection attack; on older devices or a lower targetSdkVersion every public
method of the exposed object is callable.

Technical Details

This app uses WebView.addJavascriptInterface in the following methods:
1. bolts.WebViewAppLinkResolver$2.a()
2. com.allintheloop.Activity.PrintDialogActivity.onCreate()
3. com.highsoft.highcharts.core.HIChartView.a()

Items 1 and 3 are in bundled libraries (Bolts, Highcharts); item 2 is application code and should
be reviewed for which object is exposed, whether its methods carry @JavascriptInterface, and
which origins the WebView is allowed to load.
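The added Java example below (not the application's code) contrasts the exposed-object pattern this finding flags with a hardened bridge: a minimal @JavascriptInterface surface, no bridge at all below API 17, file and content access disabled, and a WebViewClient that keeps the WebView on one HTTPS host and drops the bridge before any navigation away. The bridge name AndroidPrint, the PrintBridge class and the allowedHost parameter are illustrative assumptions, not taken from PrintDialogActivity.

```java
import android.annotation.SuppressLint;
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public final class BridgeHardening {

    /** VULNERABLE: an unannotated object handed to addJavascriptInterface. Below API 17, or with
     *  targetSdkVersion < 17, every public method is callable from page JavaScript, including
     *  getClass(), which is the entry point of the reflection attack:
     *  bridge.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null)
     *        .invoke(null,null).exec(['sh','-c','...']) */
    static final class LegacyBridge {
        public String sessionToken;                       // app state readable by any loaded page
        public void log(String s) { System.out.println(s); }
    }

    /** HARDENED bridge: only @JavascriptInterface methods are reachable (API 17+), the surface is
     *  the minimum the page needs, and no method returns an object or accepts privileged input. */
    static final class PrintBridge {
        private final Runnable onDone;
        PrintBridge(Runnable onDone) { this.onDone = onDone; }

        @JavascriptInterface
        public void onPrintFinished() { onDone.run(); }   // no arguments, no return value
    }

    /** Attach the bridge only for one app-controlled HTTPS host and keep the WebView there. */
    @SuppressLint("SetJavaScriptEnabled")
    static void setUp(WebView wv, final String allowedHost, Runnable onDone) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {
            return;   // no @JavascriptInterface filtering below API 17: expose no bridge at all
        }
        wv.getSettings().setJavaScriptEnabled(true);
        wv.getSettings().setAllowFileAccess(false);       // file:// pages must not reach the bridge
        wv.getSettings().setAllowContentAccess(false);    // nor content:// providers
        wv.addJavascriptInterface(new PrintBridge(onDone), "AndroidPrint");
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                Uri u = Uri.parse(url);
                boolean allowed = "https".equals(u.getScheme())
                        && allowedHost.equalsIgnoreCase(u.getHost());
                if (!allowed) {
                    // Defence in depth: remove the bridge before anything off-origin could load.
                    view.removeJavascriptInterface("AndroidPrint");
                }
                return !allowed;                          // true = block this navigation
            }
        });
    }
}
```

The String overload of shouldOverrideUrlLoading is deprecated from API 24 but is still invoked by the default implementation of the newer overload, so one override covers all versions. Bridges should also never be added to a WebView that loads cleartext http:// content, since a network attacker can then inject the calling script.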

1.9.3 Outputting Logs to Logcat / Logging Sensitive Information

Severity : Medium
Risk
Sensitive information written to the log (credentials, tokens, location, personal data) can be
read by anyone with access to the device log: through adb logcat, through bug reports shared with
support, and, on Android versions before 4.1, by any installed app holding READ_LOGS.

Threat
Android lets an app write log output with the android.util.Log class and read it with the
logcat command. Since Android 4.1 third-party apps can no longer read other apps' log output, so
the main exposures are USB debugging, bug reports, and crash-reporting SDKs that upload logs.
Release builds should not log request parameters, responses, tokens or user data at all.

Technical Details

This app writes to Logcat; the following methods contain logging calls:
1. bolts.MeasurementEvent.a()
2. com.allintheloop.Activity.CoutryList_Activity$1.onItemClick()
3. com.allintheloop.Activity.FullScreenMapActivity$4.onPictureTaken()
4. com.allintheloop.Activity.LoginActivity$11.onClick()
5. com.allintheloop.Activity.LoginActivity$15.onCheckedChanged()
6. com.allintheloop.Activity.RegisterActivity$12.shouldOverrideUrlLoading()
7. com.allintheloop.Adapter.Agenda.userWiseAgendaExpaListAdapter.getChildView()
8. com.allintheloop.Adapter.Attendee.AttandeeMyContactAdaper$AttendaceFilter.performFiltering()
9. com.allintheloop.Adapter.SilentAuctionAdapter$3.run()
10. com.allintheloop.Bean.GeoLocation.MyLocationListener.onLocationChanged()
11. com.allintheloop.Bean.GeoLocation.MyLocationListener.onProviderDisabled()
12. com.allintheloop.Bean.GeoLocation.MyLocationListener.onProviderEnabled()
13. com.allintheloop.Fragment.AttandeeFragments.AttendeeMyContact_Fragment$2.onEditorAction()
14. com.allintheloop.Fragment.AttandeeFragments.AttendeeMyContact_Fragment$3.afterTextChanged()
15. com.allintheloop.Fragment.AttandeeFragments.Attendee_Detail_Fragment$1.onReceive()
16. com.allintheloop.Fragment.FundraisingModule.AddItem_Fragment$10.onItemSelected()
17. com.allintheloop.Fragment.HomeFragment$5$1.onSingleTapUp()
18. com.allintheloop.Fragment.MapModule.Map_Detail_Fragment$1$2.onSingleTapConfirmed()
19. com.allintheloop.Fragment.PrivateMessage.PrivateMessageSpeakerAndAttendeeList$1.onChildClick()
20. com.allintheloop.Fragment.VirtualSuperMarker_Fragment$2.onTextChanged()
21. com.allintheloop.Fragment.cms.Webview_Fragment$WebViewController.onPageFinished()
22. com.allintheloop.Fragment.cms.Webview_Fragment$WebViewController.onReceivedError()
23. com.allintheloop.Util.AppController$1.onLeScan()
24. com.allintheloop.Util.AppController$4$1.verify()
25. com.allintheloop.Util.Client.doInBackground()
26. com.allintheloop.Util.Param.J()
27. com.allintheloop.Util.Param.K()
28. com.allintheloop.Util.Param.N()
29. com.allintheloop.Util.Param.j()
30. com.allintheloop.Util.Param.q()
31. com.allintheloop.Util.Param.z()
32. com.allintheloop.Util.TouchImageView.onMeasure()
33. com.bumptech.glide.manager.RequestManagerRetriever.handleMessage()
34. com.bumptech.glide.request.target.ViewTarget$SizeDeterminer$SizeDeterminerLayoutListener.onPreDraw()
35. com.facebook.GraphRequestAsyncTask.onPreExecute()
36. com.facebook.places.internal.LocationPackageManager$3.call()
37. com.allintheloop.Activity.LoginActivity$1.onCancel()
38. com.allintheloop.Fragment.MapModule.Map_Detail_Fragment$2.onMapReady()
39. com.allintheloop.Volly.VolleyRequest.()
40. com.estimote.sdk.repackaged.retrofit_v1_9_0.retrofit.android.AndroidLog.logChunk()
41. com.github.mikephil.charting.charts.Chart.onSizeChanged()
42. com.github.mikephil.charting.charts.Chart.setData()
43. com.github.mikephil.charting.listener.BarLineChartTouchListener.onDoubleTap()
44. com.allintheloop.Fragment.ActivityModule.ActivityCommentView_Fragment.onRequestPermissionsResult()
45. com.allintheloop.Fragment.ActivityModule.ActivitySharePost_Fragment.onActivityResult()
46. com.allintheloop.Fragment.AgendaModule.AgendaInstantFragment.onCreateView()
47. com.allintheloop.Fragment.MapModule.Map_Detail_Fragment.onDestroy()
48. com.allintheloop.Fragment.MapModule.Map_Fragment.onResume()
49. com.allintheloop.GCMPushReceiverService.onMessageReceived()
50. com.allintheloop.MyFirebaseMessagingService.onNewToken()
51. com.github.mikephil.charting.charts.BarLineChartBase.onDraw()
52. com.allintheloop.Fragment.EventDailog_Fragment.onPause()
53. com.allintheloop.Activity.LoginActivity.onBackPressed()
54. com.allintheloop.MainActivity.onCreateOptionsMenu()
55. com.allintheloop.MainActivity.onOptionsItemSelected()
56. com.highsoft.highcharts.core.HIChartView$1.onConsoleMessage()
57. com.journeyapps.barcodescanner.CaptureManager$3.run()
58. com.journeyapps.barcodescanner.camera.AutoFocusManager.()
59. com.journeyapps.barcodescanner.camera.CameraManager$CameraPreviewCallback.onPreviewFrame()
60. com.linkedin.platform.errors.LIAuthError.toString()
61. com.mapbox.services.android.telemetry.http.TelemetryClient.sendEventsWrapped()
62. com.mapbox.services.android.telemetry.service.TelemetryService.shutdownTelemetryService()
63. com.mapbox.services.android.telemetry.service.TelemetryService.onBind()
64. com.mapbox.services.android.telemetry.service.TelemetryService.onCreate()
65. com.mapbox.services.android.telemetry.service.TelemetryService.onDestroy()
66. com.mapbox.services.android.telemetry.service.TelemetryService.onStartCommand()
67. com.mapbox.services.android.telemetry.service.TelemetryService.onTaskRemoved()
68. com.paypal.android.sdk.payments.ca.onReceive()
69. com.wdullaer.materialdatetimepicker.time.RadialPickerLayout.onTouch()
70. io.card.payment.CardIOActivity.onActivityResult()
71. io.card.payment.CardIOActivity.onBackPressed()
72. io.card.payment.CardIOActivity.onPause()
73. io.card.payment.CardIOActivity.onResume()
74. io.card.payment.CardScanner.()
75. io.card.payment.CardScanner.surfaceChanged()
76. io.card.payment.CardScanner.surfaceCreated()
77. io.card.payment.CardScanner.surfaceDestroyed()
78. io.card.payment.OverlayView.onTouchEvent()
79. io.card.payment.Preview.onDraw()
80. io.card.payment.Preview.onLayout()
81. io.card.payment.Preview.onMeasure()
82. me.dm7.barcodescanner.core.CameraPreview.setAutoFocus()
83. me.zhanghai.android.materialprogressbar.MaterialProgressBar.applyTintForDrawable()
84. com.mapbox.services.android.telemetry.MapboxTelemetry.checkStagingServerInformation()
85. com.mapbox.services.android.telemetry.MapboxTelemetry.initialize()
86. com.mapbox.services.android.telemetry.MapboxTelemetry.pushEvent()
87. com.mapbox.services.android.telemetry.MapboxTelemetry.setTelemetryEnabled()
88. com.mapbox.services.android.telemetry.location.AndroidLocationEngine.updateCurrentProvider()
89. com.mapbox.services.android.telemetry.location.AndroidLocationEngine.activate()
90. com.mapbox.services.android.telemetry.location.AndroidLocationEngine.deactivate()
91. com.mapbox.services.android.telemetry.location.AndroidLocationEngine.onLocationChanged()
92. com.mapbox.services.android.telemetry.location.AndroidLocationEngine.onProviderDisabled()
93. com.mapbox.services.android.telemetry.location.AndroidLocationEngine.onProviderEnabled()
94. com.mapbox.services.android.telemetry.location.AndroidLocationEngine.onStatusChanged()
95. com.paypal.android.sdk.cq.onFailure()
96. com.paypal.android.sdk.cq.onResponse()

The calls in com.allintheloop (login and registration activities, the location listeners, private
messaging, push-token handling in MyFirebaseMessagingService.onNewToken() and
GCMPushReceiverService.onMessageReceived(), the Volley request class and the Param helpers) are
the ones to review for sensitive values. The remainder are in bundled SDKs (Mapbox telemetry,
card.io, PayPal, Crashlytics/Fabric, MPAndroidChart, Glide, Facebook) and are governed by those
libraries' own logging settings.
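As an added example (Java, not from the report or the app), a logging wrapper that is silent in release builds and redacts the values most likely to leak from login, OAuth and payment code: bearer tokens, key=value secrets, e-mail addresses and Luhn-valid card numbers. It runs off-device against a constructed sample line; on Android the DEBUG constant would be BuildConfig.DEBUG and emit() would call android.util.Log.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class SafeLog {
    /** In an Android build this is BuildConfig.DEBUG (assumed); false here to mimic release. */
    static final boolean DEBUG = false;

    // Values that typically end up in logs around login, OAuth and payment flows.
    private static final Pattern BEARER = Pattern.compile("(?i)(bearer\\s+)[A-Za-z0-9._~+/=-]+");
    private static final Pattern KEY_VALUE = Pattern.compile(
        "(?i)\\b(password|passwd|pwd|token|access_token|refresh_token|secret|authorization)\\s*[=:]\\s*[^\\s&,;]+");
    private static final Pattern EMAIL = Pattern.compile("[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}");
    private static final Pattern PAN = Pattern.compile("\\b(?:\\d[ -]?){12,18}\\d\\b");

    /** Redacts secrets from a message. Applied to every line, including in debug builds, so a
     *  debug APK that leaks to a tester's logcat still does not contain raw credentials. */
    static String redact(String msg) {
        if (msg == null) return null;
        String out = BEARER.matcher(msg).replaceAll("$1[REDACTED]");
        out = KEY_VALUE.matcher(out).replaceAll("$1=[REDACTED]");
        out = EMAIL.matcher(out).replaceAll("[EMAIL]");
        Matcher m = PAN.matcher(out);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String digits = m.group().replaceAll("\\D", "");
            String replacement = luhnValid(digits)
                ? "[PAN ****" + digits.substring(digits.length() - 4) + "]"
                : m.group();                              // timestamps and IDs are left alone
            m.appendReplacement(sb, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    /** Luhn check so ordinary long numbers are not mistaken for card numbers. */
    static boolean luhnValid(String digits) {
        int sum = 0;
        boolean dbl = false;
        for (int i = digits.length() - 1; i >= 0; i--) {
            int d = digits.charAt(i) - '0';
            if (dbl) { d *= 2; if (d > 9) d -= 9; }
            sum += d;
            dbl = !dbl;
        }
        return sum % 10 == 0;
    }

    /** Debug lines are compiled in but never emitted in release; warnings still go out, redacted. */
    static void d(String tag, String msg) { if (DEBUG) emit("D", tag, redact(msg)); }
    static void w(String tag, String msg) { emit("W", tag, redact(msg)); }

    // Stand-in for android.util.Log so the class runs off-device.
    private static void emit(String level, String tag, String msg) {
        System.out.println(level + "/" + tag + ": " + msg);
    }

    public static void main(String[] args) {
        // Constructed sample line, not taken from the application's logs.
        String sample = "login ok user=jane@example.com access_token=eyJhbGciOiJIUzI1NiJ9.abc card=4111 1111 1111 1111";
        d("Login", sample);                               // silent: DEBUG is false
        w("Login", sample);                               // emitted with every secret redacted
    }
}
```

Combined with an R8/ProGuard -assumenosideeffects rule for android.util.Log, this removes debug logging from release binaries entirely; the redaction still matters for the warning and error lines that remain and for crash-reporting breadcrumbs that upload log content.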

1.9.4 No protection of text fields against copying and pasting text outside the app

Severity : Medium
Risk
Sensitive values copied from the app's text fields (passwords, one-time codes, card numbers,
personal details) sit in the system clipboard, where a malicious app can read them. Clipboard
contents can also be manipulated before being pasted back into the app, which is a vector for
injection attacks (JavaScript injection, command injection) and for web and in-app phishing.

Threat
On Android the clipboard is a system-wide framework for copying and pasting data within an app
and between apps. On Android 9 and earlier, any installed application can register a listener and
observe everything that is copied; from Android 10 (API 29) only the app that currently has focus
and the default input method may read the clipboard, which narrows but does not remove the
exposure.

Technical Details

The app has no code that restricts copying from its text fields (for example, no custom selection
ActionMode callback or disabled long-press on password, payment or other sensitive inputs).

1.9.5 No protection against screenshots and screen sharing outside the app

Severity : Medium
Risk
Without screenshot and screen-capture protection, sensitive information displayed by the app can
leak through screenshots, screen recordings and screen sharing or casting.

Threat
Sensitive information shown by the app, and the user's activity within it, can be captured with a
screenshot or by screen sharing, either by the user or by malware that has obtained screen-capture
rights (for example through the MediaProjection API).

Technical Details

The app does not set WindowManager.LayoutParams.FLAG_SECURE on any of its windows, the platform
control that blocks screenshots and screen capture of an activity.

1.9.6 App screens not obscured when the app is running in the background

Severity : Medium
Risk
The preview of the app shown in the Recents (task switcher) screen reproduces the last foreground
screen, so sensitive information stays visible and capturable after the user leaves the app.

Threat
When the user sends the app to the background, the system keeps a snapshot of the last visible
screen and shows it as the task preview. Anyone looking at or capturing the device's Recents
screen can read that snapshot.

Technical Details

The app has no code to hide or blur its screens when it goes to the background: FLAG_SECURE is not
set (which would blank the task snapshot), and sensitive views are not cleared or covered in
onPause().
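Findings 1.9.4, 1.9.5 and 1.9.6 share one set of window and view controls, shown here as an added Java example (not the application's code): FLAG_SECURE covers both screenshots and the Recents snapshot; a selection ActionMode callback that refuses to open removes copy, cut and share from a sensitive EditText; and when the app itself must place a secret on the clipboard, marking the clip sensitive keeps it out of the Android 13+ clipboard preview. The SecureActivity class and the layout reference are illustrative assumptions.

```java
import android.app.Activity;
import android.content.ClipData;
import android.content.ClipDescription;
import android.content.ClipboardManager;
import android.content.Context;
import android.os.Build;
import android.os.Bundle;
import android.os.PersistableBundle;
import android.view.ActionMode;
import android.view.Menu;
import android.view.MenuItem;
import android.view.WindowManager;
import android.widget.EditText;

public final class ScreenAndClipboardHardening {

    /** 1.9.5 / 1.9.6: FLAG_SECURE blocks screenshots, screen recording and casting of the window
     *  and blanks the activity in the Recents preview. Set it before setContentView(). */
    static void protectWindow(Activity a) {
        a.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                               WindowManager.LayoutParams.FLAG_SECURE);
    }

    /** 1.9.4: deny copy/cut/share on a sensitive field (password, OTP, card number). Returning
     *  false from onCreateActionMode means the selection toolbar never appears; pasting into the
     *  field still works, so password managers are not broken. */
    static void disableCopy(EditText field) {
        field.setLongClickable(false);                     // no long-press selection handles
        field.setTextIsSelectable(false);
        ActionMode.Callback noCopy = new ActionMode.Callback() {
            @Override public boolean onCreateActionMode(ActionMode m, Menu menu) { return false; }
            @Override public boolean onPrepareActionMode(ActionMode m, Menu menu) { return false; }
            @Override public boolean onActionItemClicked(ActionMode m, MenuItem item) { return false; }
            @Override public void onDestroyActionMode(ActionMode m) { }
        };
        field.setCustomSelectionActionModeCallback(noCopy);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            field.setCustomInsertionActionModeCallback(noCopy);
        }
    }

    /** When the app itself offers "copy code", flag the clip as sensitive so Android 13+ hides
     *  it from the clipboard preview and from the system clipboard UI. */
    static void copySensitive(Context ctx, String label, String secret) {
        ClipboardManager cm = (ClipboardManager) ctx.getSystemService(Context.CLIPBOARD_SERVICE);
        ClipData clip = ClipData.newPlainText(label, secret);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            PersistableBundle extras = new PersistableBundle();
            extras.putBoolean(ClipDescription.EXTRA_IS_SENSITIVE, true);
            clip.getDescription().setExtras(extras);
        }
        cm.setPrimaryClip(clip);
    }

    /** Usage in an activity that shows account or payment data (assumed class and layout). */
    public static class SecureActivity extends Activity {
        @Override protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            protectWindow(this);                           // must precede setContentView()
            // setContentView(R.layout.account);            // layout id assumed
            // disableCopy((EditText) findViewById(R.id.card_number));
        }
    }
}
```

FLAG_SECURE does not stop a photograph of the screen or an accessibility service reading view text, and on some OEM builds the Recents thumbnail behaviour differs, so the controls above reduce rather than eliminate the exposure; the stronger measure is to show less sensitive data on screen in the first place (masking all but the last four digits of a card number, for example).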

1.10. LOW SEVERITY VULNERABILITIES


1.10.1 Unencrypted Credentials in Databases (SQLite) Vulnerability Check

Severity : Low

Risk
Credentials stored unencrypted in a database can be read by anyone who obtains the database file
(rooted device, forensic extraction, or an ADB backup as in 1.9.1) and then used to act with the
identity and permissions of the legitimate user.

Threat
SQLite is an in-process library that implements a self-contained, serverless, zero-configuration,
transactional SQL database engine. Android's SQLiteDatabase stores its data in plaintext in the
app's private directory; the application sandbox protects it from other apps on a non-rooted
device, but not from root, physical access or backups.

Technical Details
This app does not use SQLCipher (http://sqlcipher.net/) to encrypt and decrypt its databases.
Usage of the SQLiteDatabase classes was found in the following method:
1. com.allintheloop.Util.SQLiteDatabaseHandler.A()

The check is a pattern match on SQLiteDatabase usage, not an inspection of the stored data;
confirm what this handler stores (session tokens, user profile, cached messages) before treating
it as credential storage, and note that encrypting the database only helps if the key is not kept
next to it.
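One way to close this finding, as an added Java example that is not the application's code: open the database through SQLCipher with a random 256-bit passphrase that is generated once and persisted only in AES-GCM-wrapped form under a non-exportable Android Keystore key. It assumes the SQLCipher for Android 3.x/4.x API (net.sqlcipher.database.SQLiteDatabase) and API 23+ for KeyGenParameterSpec; the alias and preferences file names are illustrative.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import net.sqlcipher.database.SQLiteDatabase;

/** Requires API 23+ and the net.zetetic:android-database-sqlcipher dependency. */
public final class EncryptedDb {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String WRAP_ALIAS = "db_passphrase_wrap";   // assumed alias
    private static final String PREFS = "db_key_material";           // assumed prefs file
    private static final String CIPHER = "AES/GCM/NoPadding";
    private static final int GCM_TAG_BITS = 128;

    /** Opens (creating on first use) a SQLCipher database. A copy of the app's files obtained
     *  by root, forensic imaging or ADB backup yields only ciphertext plus a wrapped passphrase
     *  that cannot be unwrapped without this device's Keystore key. */
    static SQLiteDatabase open(Context ctx, String dbName) throws Exception {
        SQLiteDatabase.loadLibs(ctx);                                // SQLCipher native libraries
        File dbFile = ctx.getDatabasePath(dbName);
        dbFile.getParentFile().mkdirs();
        return SQLiteDatabase.openOrCreateDatabase(dbFile, loadOrCreatePassphrase(ctx), null);
    }

    private static SecretKey wrappingKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        if (ks.containsAlias(WRAP_ALIAS)) {
            return ((KeyStore.SecretKeyEntry) ks.getEntry(WRAP_ALIAS, null)).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(WRAP_ALIAS,
                    KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey();                                     // key material never leaves the Keystore
    }

    private static String loadOrCreatePassphrase(Context ctx) throws Exception {
        SharedPreferences p = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        String wrapped = p.getString("wrapped", null);
        String iv = p.getString("iv", null);
        SecretKey key = wrappingKey();
        Cipher c = Cipher.getInstance(CIPHER);
        if (wrapped != null && iv != null) {
            c.init(Cipher.DECRYPT_MODE, key,
                   new GCMParameterSpec(GCM_TAG_BITS, Base64.decode(iv, Base64.NO_WRAP)));
            return new String(c.doFinal(Base64.decode(wrapped, Base64.NO_WRAP)), StandardCharsets.US_ASCII);
        }
        byte[] raw = new byte[32];                                   // 256 bits of entropy
        new SecureRandom().nextBytes(raw);
        String passphrase = Base64.encodeToString(raw, Base64.NO_WRAP);
        c.init(Cipher.ENCRYPT_MODE, key);                           // Keystore supplies a fresh random IV
        byte[] ct = c.doFinal(passphrase.getBytes(StandardCharsets.US_ASCII));
        p.edit().putString("wrapped", Base64.encodeToString(ct, Base64.NO_WRAP))
                .putString("iv", Base64.encodeToString(c.getIV(), Base64.NO_WRAP))
                .apply();
        return passphrase;
    }
}
```

Because the wrapping key cannot leave the Keystore, the wrapped passphrase in SharedPreferences is useless on any other device, which also makes an ADB backup (1.9.1) of the database unreadable. Where the only secret is a session token, an alternative is to keep it in androidx.security's EncryptedSharedPreferences and store no credentials in SQLite at all.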
