HackControl_Android_Application_Report

The document is a penetration testing report for a mobile application, detailing the security assessment conducted by Hackcontrol between February 4th and February 22nd, 2018. It identifies several vulnerabilities, including three high-level issues related to sensitive information logging and bypassing security checks, and provides recommendations for improving security. The overall security rating of the application is assessed as medium, with a total of three high, three medium, two low, and five informational vulnerabilities found.

Uploaded by cwalkera
© All Rights Reserved

ANDROID APPLICATION
PENETRATION TESTING

Report for:

Date:

This document contains confidential information about IT systems and network infrastructure of
the customer, as well as information about potential vulnerabilities and methods of their
exploitation. This confidential information is for internal use by the customer only and shall not be
disclosed to third parties.


Table of Contents

Table of Contents 2
Introduction 3
Executive Summary 3
Team 4
Scope of the Security Assessment 5
Methodology 6
Severity Definition 7
Summary of Findings 8
Key Findings 9
Root and developer mode bypass 9
Critical bug in money transfer 15
Personal data in logs 16
Absence of source code obfuscation 17
Check modify source code 19
User enumeration 22
Application data can be backup 23
No certificate and public key pinning 25
Http without headers 26
Out of date library 27
Bugs in key word display 28
Export components 29
Vulnerability in webview 31
Appendix B. Automated Tools 31

Introduction

We thank _____________ for giving us the opportunity to conduct a Security Assessment of their
mobile application and its backend API. This document outlines our methodology, its limitations and
the results of the security assessment.

Executive Summary

Hackcontrol (Consultant) was contracted by _________ (Customer) to conduct penetration testing
of their mobile application.

This report presents the findings of the penetration testing of CLIENT's mobile application conducted
between February 04th, 2018 and February 22nd, 2018.

The main subject of the penetration testing is ___________'s mobile systems & API.

The Application Security Assessment has the following objectives:

- identify technical and functional vulnerabilities;
- estimate their severity level (ease of exploitation, impact on information systems, etc.);
- model the "most likely" attack vector against the Customer's Information System;
- provide proof of concept and exploitation of vulnerabilities;
- draw up a prioritized list of recommendations to address the identified weaknesses.

According to our research, the mobile application has a high security rating for the Customer and
Backend systems; several high-level vulnerabilities have been detected, however exploiting them requires a
considerable amount of time and effort.

Three (3) High vulnerabilities (sensitive information logging and bypass of the root and developer mode checks)
were diagnosed during the security assessment. Also, three (3) Medium and a number of Low and
Informational vulnerabilities and errors were identified.

Team

Role | Name | Email
Project Manager | John Doe (CEH, ISO27001 LA) | [email protected]
Penetration Testing Engineer | John Doe (OSCP, eWPT, eCPPT) | [email protected]

Scope of the Security Assessment

The following list of systems was in the scope of the Security Assessment.

# | Name | Description
1 | __________v_0.9.2.apk |

Security Assessment start and end dates were coordinated by email according to the following table.

Methodology

The testing methodology is based on generally accepted industry-wide approaches to performing
penetration testing for mobile applications, the Mobile Security Testing Guide (MSTG).
Application-level penetration tests include, at a minimum, checking for the following types of
vulnerabilities:
- lack of binary protections;
- insecure data storage;
- unintended data leakage;
- client-side injection;
- weak encryption;
- implicit trust of all certificates;
- execution of activities using root;
- private key exposure;
- exposure of database parameters and SQL queries;
- insecure random number generator.

Severity Definition

The level of criticality of each risk is determined based on the potential impact of loss from successful
exploitation as well as ease of exploitation, existence of exploits in public access and other factors.

Severity | Description
High | High-level vulnerabilities are easy to exploit and may provide an attacker with full control of the affected systems; they may also lead to significant data loss or downtime. Exploits or PoCs are available in public access.
Medium | Medium-level vulnerabilities are much harder to exploit and may not provide the same access to affected systems. No exploits or PoCs are available in public access. Exploitation provides only very limited access.
Low | Low-level vulnerabilities provide an attacker with information that may assist them in conducting subsequent attacks against the target information systems or against other information systems which belong to the organization. Exploitation is extremely difficult, or the impact is minimal.
Info | These vulnerabilities are informational and can be ignored.

Summary of Findings

According to the in-depth testing of the mobile application & API, the following areas require
improvements.

Value | Number of risks
High | 3
Medium | 3
Low | 2
Info | 5

Based on our understanding of the mobile application and backend API, as well as the nature of the
vulnerabilities discovered, their exploitability, and their potential impact, we have assessed the level
of risk for your organization to be Medium.

[Figure: security rating gauge from 0 (Highly Insecure) to 10 (Highly Secure); result: Medium Security Rating]

Three (3) high, three (3) medium, two (2) low and five (5) informational level vulnerabilities have
been found.
Despite the number of vulnerabilities and errors, there was no way to gain unauthorized access or to
steal or modify sensitive information such as database data on the backend system. However, the number
of potential issues may increase during implementation of new functionality and its modification.

There were no prevention or blocking actions during the testing from the _________________'s
security team and systems. Also, no account blocking occurred during malicious activity and the
scanning process.

We have not performed a test money transfer between devices. The application crashes when one of the
devices initiates a transfer and the money is not sent. We have tested on 5 different devices and Android
versions.

Key Findings

Root and developer mode bypass


#1 Description Type: Real

In Android devices, rooting is the process of allowing smartphones, tablets and other devices to
attain privileged control (known as "root access") within Android's sub-system.

Rooting is often performed with the goal of overcoming limitations that carriers and hardware
manufacturers put on some devices. Thus, rooting gives the ability (or permission) to alter or
replace system applications and settings, run specialized apps that require administrator-level
permissions, or perform other operations that are otherwise inaccessible to a normal Android user.
On Android, rooting can also facilitate the complete removal and replacement of the device's
operating system, usually with a more recent release of its current operating system.

Rooted devices can be used to gain information about an application. The Settings app on Android
includes a screen called Developer options that allows configuring system behavior and debugging
the application. For example, it can be used for enabling debugging over USB, capturing a bug report,
enabling visual feedback for taps and more.

Evidence

Steps to reproduce:
− Decompile application
− Search keywords for developer-mode and rootchecks class in source code
− Change associated strings and results of checks
− Recompile application
− Sign application

Recommendations:
1. Obfuscate source code
2. Import function for checking modification of source code

Critical bug in money transfer
#2 Description Type: Real

The application crashes when money is transferred between two different accounts.

Evidence

Steps to reproduce:
− Log in to the application
− Enter the money transfer screen
− Get the wallet address with the help of the QR code
− Input the data
− Press the send button

Recommendations: Check that the transfer works on different versions of Android.

Personal data in logs
#3 Description Type: Real

Personal data can be stolen from application logs. Developers often leave debugging information
in publicly readable logs, so any application with the READ_LOGS permission can access those logs and
obtain sensitive information from them.

Evidence

Perform pidcat

Recommendations: Turn off READ_LOGS permissions.

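The durable fix on the application side is to make sure personal data never reaches logcat in the first place: whatever the READ_LOGS permission state, anyone with adb access to a device with USB debugging enabled (the setup used for the pidcat evidence above) reads the log. The wrapper below is an added example, not code from the assessed application; it assumes the Gradle-generated BuildConfig.DEBUG flag, and the regular expressions and the SafeLog name are this example's own choices.

```java
import android.util.Log;
import java.util.regex.Pattern;

/**
 * Logging wrapper for finding #3: emits nothing in release builds and redacts
 * e-mail addresses, bearer tokens and credential-like key/value pairs before
 * anything reaches logcat, where pidcat / adb logcat can read it.
 */
public final class SafeLog {

    // Assumption: BuildConfig.DEBUG is the Gradle-generated flag (false in release builds).
    private static final boolean ENABLED = BuildConfig.DEBUG;

    private static final Pattern EMAIL =
            Pattern.compile("[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}");
    private static final Pattern BEARER =
            Pattern.compile("(?i)(bearer\\s+)[A-Za-z0-9._~+/=-]+");
    private static final Pattern SECRET_KV =
            Pattern.compile("(?i)\\b(token|password|pin|secret)\\s*[:=]\\s*\\S+");

    private SafeLog() {}

    /** Replaces personal data and credentials with fixed markers. Package-private for unit tests. */
    static String redact(String message) {
        if (message == null) return "null";
        // Order matters: strip the token value first, then generic key=value secrets, then e-mails.
        String out = BEARER.matcher(message).replaceAll("$1[REDACTED]");
        out = SECRET_KV.matcher(out).replaceAll("$1=[REDACTED]");
        out = EMAIL.matcher(out).replaceAll("[REDACTED_EMAIL]");
        return out;
    }

    public static void d(String tag, String message) {
        if (ENABLED) Log.d(tag, redact(message));
    }

    public static void i(String tag, String message) {
        if (ENABLED) Log.i(tag, redact(message));
    }

    /** Exceptions are logged with a redacted message; the stack trace itself carries no user data. */
    public static void w(String tag, String message, Throwable t) {
        if (ENABLED) Log.w(tag, redact(message), t);
    }
}
```

Route every log call in the code base through this class instead of android.util.Log, so that a line such as an Authorization header with the user's e-mail and bearer token is logged (in debug builds only) with the address replaced by [REDACTED_EMAIL] and the token by [REDACTED]. As a second safety net for direct Log calls that slip through review, a ProGuard rule of the form -assumenosideeffects class android.util.Log { public static *** d(...); public static *** v(...); } removes them from the release build entirely, which also fits the obfuscation recommended in findings #1 and #4.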
Absence of source code obfuscation
#4 Description Type: Real

Android applications are delivered in the .apk file format, which can be unpacked by anyone
to see all the code contained in it. Below are scenarios of reverse engineering an application:
- A hacker can analyze and determine which defensive measures are implemented in the app
and also find a way to bypass those mechanisms.
- A hacker can also insert malicious code, recompile the application and deliver it to normal users.
- For example, gaming apps which have some features unlocked are widely downloaded by
youngsters through insecure sources (sometimes through the Google Play Store as well). Most
of those modified apps contain malware and some contain advertising to gain profit from
those users. This can lead to code analysis.

Evidence

- Upload APK into MobSF
- Click the "Java code" button

Recommendations: Application code can be obfuscated with the help of ProGuard or DashO,
but this is only able to slow down a hacker from reverse engineering an
Android application; obfuscation doesn't prevent reverse engineering.
Check modify source code
#5 Description Type: Real

Binary protections prevent an adversary from modifying the underlying code or behavior to
disable or add functionality on behalf of the adversary. This is likely to occur if an
application stores, transmits, or processes personally identifiable information (PII) or other
sensitive information assets like passwords or credit cards. Code modification often takes the form
of repackaging or insertion of malware into existing mobile apps.

Evidence

Upload APK into MobSF code

Recommendations: Add tamper detection to let your application react accordingly if a
hacker has tried to modify it or is accessing it illegitimately.

User enumeration
#6 Description Type: Real

The Authorization header contains both the email address and the authentication token. It was discovered that
by sending existing and non-existing email addresses it is possible to enumerate valid users because
of the different responses. Before the token is checked, the application looks up whether the email address
belongs to a registered user. If the user is not registered, a "User not found" error occurs.

Evidence

- Check the response for an existing and a non-existing user during authorization

Recommendations: It is recommended to provide the same response irrespective of
whether the password was incorrect or the username does not exist.

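The backend-side shape of this recommendation, as an added example rather than the Customer's API code: the leaky version short-circuits on the user lookup exactly as the finding describes, while the hardened version takes the same code path, compares hashes of equal length and returns one generic message whether the e-mail is unknown or the token is wrong. The user store and e-mail addresses are constructed sample data, and the class and method names are this example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

/**
 * Backend token check that answers "unknown e-mail" and "wrong token" identically,
 * so the Authorization header (e-mail + token, finding #6) cannot be used to
 * enumerate registered users. Plain Java, independent of any web framework.
 */
public final class UniformAuthCheck {

    /** Constructed in-memory store, e-mail -> expected token (hypothetical sample data). */
    private static final Map<String, String> USERS = new HashMap<>();
    static {
        USERS.put("[email protected]", "tok-alice-111111");
        USERS.put("[email protected]", "tok-bob-222222");
    }

    /** Compared against when the e-mail is unknown, so both paths do the same amount of work. */
    private static final String DUMMY_TOKEN = "tok-unknown-000000";

    /** The behaviour reported in the finding: the lookup result leaks through the message. */
    static String authorizeLeaky(String email, String token) {
        String expected = USERS.get(email);
        if (expected == null) return "User not found";
        return expected.equals(token) ? "OK" : "Invalid token";
    }

    /** Hardened: single generic failure message and a length-independent comparison on every path. */
    static String authorizeUniform(String email, String token) {
        String expected = USERS.get(email);
        boolean userExists = expected != null;
        // Hashing both sides makes the inputs to isEqual the same length, so it runs in constant time.
        byte[] a = sha256(userExists ? expected : DUMMY_TOKEN);
        byte[] b = sha256(token == null ? "" : token);
        boolean tokenMatches = MessageDigest.isEqual(a, b);
        return (userExists && tokenMatches) ? "OK" : "Unauthorized";
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 missing", e); // mandatory in every JRE
        }
    }

    public static void main(String[] args) {
        // Unknown address versus wrong token: distinguishable before, identical after.
        System.out.println(authorizeLeaky("[email protected]", "x"));
        System.out.println(authorizeLeaky("[email protected]", "x"));
        System.out.println(authorizeUniform("[email protected]", "x"));
        System.out.println(authorizeUniform("[email protected]", "x"));
        System.out.println(authorizeUniform("[email protected]", "tok-alice-111111"));
    }
}
```

The same uniformity has to hold for the HTTP status code and the response size, not only the message text, and the finding in the Summary that no account blocking occurred during scanning points at the complementary control: rate limiting per source address and per e-mail on this endpoint.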
Application data can be backup
#7 Description Type: Real

This flag allows anyone to back up your application data via adb. It allows users who have enabled
USB debugging to copy the application data from the device.

Evidence

Check the flag "android:allowBackup": adb backup -f backup.ab -apk exchange._________________

Recommendations: Set the flag android:allowBackup="false"

No certificate and public key pinning
#8 Description Type: Real

No Certificate or Public Key Pinning was found during the mobile application test.
Absence of the mechanism makes it more convenient and faster to intercept and decrypt traffic
between the application and the server. Pinning is the process of associating a host with its
expected X.509 certificate or public key. Once a certificate or public key is known or seen for a
host, the certificate or public key is associated or 'pinned' to the host.

Evidence

Steps to reproduce:
- Configure the Burp Proxy listener
- Configure your device to use the proxy
- Test the configuration. If the traffic can be captured and decrypted, the pinning mechanism
is not implemented

Recommendations: It is recommended to implement Certificate and Public Key Pinning.
For more details please visit
https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning

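One way to implement the recommended public key pinning in an Android client, as an added example that is not the assessed application's code: it uses the okhttp3 CertificatePinner API, assumes OkHttp 3.x is the HTTP client, and the host name and both pin values are placeholders to be replaced with the Customer's API host and the SPKI hashes of its certificates.

```java
import java.io.IOException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

/**
 * Public key pinning for finding #8 with OkHttp 3.x.
 * Assumptions: API_HOST and the two pins are placeholders.
 */
public final class PinnedApiClient {

    // Placeholder host; replace with the real API host name.
    static final String API_HOST = "api.example.invalid";

    // A pin is "sha256/" + base64(SHA-256(SubjectPublicKeyInfo)) of a certificate in the chain.
    // Compute it from the server's leaf or intermediate certificate, for example:
    //   openssl s_client -connect host:443 </dev/null | openssl x509 -pubkey -noout \
    //     | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
    // Always ship at least two pins (current + backup key) so a key rotation does not lock users out.
    static final String PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String PIN_BACKUP  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    private PinnedApiClient() {}

    static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PIN_CURRENT)
                .add(API_HOST, PIN_BACKUP)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    /**
     * Performs a GET through the pinned client. When a proxy such as Burp terminates TLS with its
     * own certificate, the chain matches neither pin and OkHttp throws SSLPeerUnverifiedException.
     */
    static String get(String url) throws IOException {
        Request request = new Request.Builder().url(url).build();
        try (Response response = build().newCall(request).execute()) {
            return response.body() != null ? response.body().string() : "";
        }
    }
}
```

Pinning the intermediate CA's key rather than the leaf key survives routine certificate renewals and still rejects a proxy's certificate. On Android 7.0 and later (API 24, which finding #13 recommends as minSdk) the same pins can be declared in a network_security_config.xml pin-set instead of in code, which covers every HTTP client in the app rather than only OkHttp.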
Http without headers
#9 Description Type: Real

Unless directed otherwise, browsers may store a local cached copy of content received from web
servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive
information in application responses is stored in the local cache, then it may be retrieved by other
users who have access to the same computer at a future time. (Cache-Control: no-store, Pragma: no-cache)

Recommendations: Add the following headers: Cache-Control: no-store and Pragma: no-cache

Out of date library
#10 Description Type: Real

When software generates predictable values in a context requiring unpredictability, it may be
possible for an attacker to guess the next value that will be generated, and use this guess to
impersonate another user or access sensitive information. As the java.util.Random class relies on
a pseudorandom number generator, this class and the related java.lang.Math.random() method should
not be used for security-critical applications or for protecting sensitive data. The java.util.Random
package is flawed and produces predictable values for any given seed, which are easily
reproducible once the starting seed is identified.

Recommendations: Use the library java.security.SecureRandom; read more at
https://resources.infosecinstitute.com/randomnumber-generation-java/

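The recommendation in working form, as an added example rather than the application's own code: a token generator backed by java.security.SecureRandom, next to a small demonstration of the property the finding describes, namely that two java.util.Random instances built from the same seed yield the same sequence. android.util.Base64 is used so the class runs on the Android 4.4 devices listed in Appendix B; the class and method names are this example's own.

```java
import android.util.Base64;
import java.security.SecureRandom;
import java.util.Random;

/**
 * Finding #10: java.util.Random is a deterministic function of its seed;
 * SecureRandom draws from the OS entropy source and must be used for tokens,
 * session identifiers, OTPs and keys.
 */
public final class TokenGenerator {

    // One OS-seeded instance per process. Never call setSeed() with a caller-chosen value:
    // on a SecureRandom that replaces real entropy with a predictable seed.
    private static final SecureRandom RNG = new SecureRandom();

    private TokenGenerator() {}

    /** 256-bit token as URL-safe base64 without padding or line breaks (43 characters). */
    public static String newToken() {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        return Base64.encodeToString(buf, Base64.URL_SAFE | Base64.NO_WRAP | Base64.NO_PADDING);
    }

    /** Uniform integer in [0, bound), e.g. for OTP digits; replaces Math.random() based code. */
    public static int secureInt(int bound) {
        return RNG.nextInt(bound);
    }

    /**
     * Why java.util.Random must not be used for tokens: two instances with the same seed
     * produce the same sequence, so whoever learns or guesses the seed reproduces every value.
     * Returns true for any seed.
     */
    static boolean sameSeedSameSequence(long seed) {
        Random a = new Random(seed);
        Random b = new Random(seed);
        for (int i = 0; i < 32; i++) {
            if (a.nextInt() != b.nextInt()) return false;
        }
        return true;
    }
}
```

When reviewing the code base for this finding, search for new Random(, Math.random( and also for SecureRandom instances that are given a fixed seed, since the last pattern turns the recommended class back into a predictable one.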
Bugs in key word display
#11 Description Type: Real

Keywords have an incorrect position.

Recommendations: Check the position of the keywords.

Export components
#12 Description Type: Real

A Service is found to be shared with other apps on the device, therefore leaving it accessible to any
other application on the device. The presence of an intent-filter indicates that the Service is explicitly
exported. A Broadcast Receiver is found to be shared with other apps on the device, therefore
leaving it accessible to any other application on the device. It is protected by a permission which
is not defined in the analyzed application. As a result, the protection level of the permission should
be checked where it is defined. If it is set to normal or dangerous, a malicious application can
request and obtain the permission and interact with the component. If it is set to signature, only
applications signed with the same certificate can obtain the permission.

Evidence

Recommendations: Set the flag android:exported=true in:
- io.invertase.firebase.messaging.RNFirebaseMessagingService
- io.invertase.firebase.messaging.RNFirebaseInstanceIdService
- com.google.firebase.messaging.FirebaseMessagingService
- com.google.firebase.iid.FirebaseInstanceIdService
- com.google.android.gms.measurement.AppMeasurementInstallReferrerReceiver
- com.google.firebase.iid.FirebaseInstanceIdReceiver

Vulnerability in webview
#13 Description Type: Real

This vulnerability can lead to privilege escalation in the WebView component of Android < 4.2 and
arises when untrusted JavaScript code is executed by a WebView that has one or more interfaces
added to it. The untrusted JavaScript code can call into the Java Reflection APIs exposed by the
interface and execute arbitrary commands. Some distributions of the Android Browser app have
an addJavascriptInterface call tacked on, and thus are vulnerable to RCE. The Browser app in the
Google APIs 4.1.2 release of Android is known to be vulnerable. A secondary attack vector
involves the WebViews embedded inside a large number of Android applications. Ad integrations
are perhaps the worst offender here. If you can MITM the WebView's HTTP connection, or if you
can get a persistent XSS into the page displayed in the WebView, then you can inject the html/js
served by this module and get a shell. Note: Adding a .js to the URL will return plain javascript
(no HTML markup).
(https://www.rapid7.com/db/modules/exploit/android/browser/webview_addjavascriptinterface)

Evidence

$ grep -nr 'setAllowUniversalAccessFromFileURLs' java_source\
java_source\/com/facebook/react/views/webview/ReactWebViewManager.java:227: public void setAllowUniversalAccessFromFileURLs(WebView webView, boolean bl2) {
java_source\/com/facebook/react/views/webview/ReactWebViewManager.java:228: webView.getSettings().setAllowUniversalAccessFromFileURLs(bl2);
$ grep -nr 'setJavaScriptEnabled' java_source\
java_source\/com/facebook/react/views/webview/ReactWebViewManager.java:242: public void setJavaScriptEnabled(WebView webView, boolean bl2) {
java_source\/com/facebook/react/views/webview/ReactWebViewManager.java:243: webView.getSettings().setJavaScriptEnabled(bl2);
$ grep -nr 'JavascriptInterface' java_source\
java_source\/com/facebook/react/views/webview/ReactWebViewManager.java:21: android.webkit.JavascriptInterface
java_source\/com/facebook/react/views/webview/ReactWebViewManager.java:58: import android.webkit.JavascriptInterface;
java_source\/com/facebook/react/views/webview/ReactWebViewManager.java:420: this.addJavascriptInterface((Object)new If(this, this), "__REACT_WEB_VIEW_BRIDGE");
java_source\/com/facebook/react/views/webview/ReactWebViewManager.java:426: this.removeJavascriptInterface("__REACT_WEB_VIEW_BRIDGE");
java_source\/com/facebook/react/views/webview/ReactWebViewManager.java:447: @JavascriptInterface

Recommendations: In AndroidManifest.xml set minSdk=24.

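Raising minSdk to 24 removes the pre-4.2 reflection path, but the grep output above also shows the two WebSettings switches (JavaScript and universal access from file URLs) and a JavaScript bridge being exposed by the bundled React Native WebView; the class below is an added example of how an app with minSdk 24 configures its own WebView so that those switches stay off and any bridge is only attached on a trusted origin. It is not the assessed application's or React Native's code; ALLOWED_HOST is a placeholder and JsBridge is an illustrative interface.

```java
import android.annotation.SuppressLint;
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/**
 * Hardened WebView configuration for finding #13, for an app whose minSdk is 24.
 * Assumptions: ALLOWED_HOST is a placeholder; JsBridge is an illustrative interface.
 */
public final class HardenedWebView {

    static final String ALLOWED_HOST = "app.example.invalid"; // placeholder

    private HardenedWebView() {}

    @SuppressLint("SetJavaScriptEnabled")
    public static void configure(WebView webView, boolean needsJavaScript) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(needsJavaScript);        // keep off unless the page really needs it
        s.setAllowFileAccess(false);                     // no file:// reads of app-private storage
        s.setAllowContentAccess(false);                  // no content:// provider access from pages
        s.setAllowFileAccessFromFileURLs(false);         // the two settings seen in the grep output
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW); // no HTTP subresources on HTTPS pages

        // Drop the bridge that some Android builds add on their own.
        webView.removeJavascriptInterface("searchBoxJavaBridge_");

        // Navigation is confined to the allow-listed HTTPS origin; everything else is refused.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowed(request.getUrl()); // true = cancel the navigation
            }
        });
    }

    /** True only for https URLs on the allow-listed host. */
    static boolean isAllowed(Uri url) {
        return url != null
                && "https".equals(url.getScheme())
                && ALLOWED_HOST.equalsIgnoreCase(url.getHost());
    }

    /**
     * If a bridge is unavoidable, expose only @JavascriptInterface methods (enforced from API 17,
     * so always on minSdk 24) and keep them free of anything that touches files, intents or reflection.
     */
    public static final class JsBridge {
        @JavascriptInterface
        public String version() {
            return "1";
        }
    }

    /** Attach the bridge only when the page about to be shown is on the trusted origin. */
    public static void attachBridge(WebView webView, Uri currentPage) {
        if (isAllowed(currentPage)) {
            webView.addJavascriptInterface(new JsBridge(), "AppBridge");
        } else {
            webView.removeJavascriptInterface("AppBridge");
        }
    }
}
```

shouldOverrideUrlLoading is not consulted for the URL the app itself passes to loadUrl, so the app must also apply isAllowed to that first URL. Combined with the pinning from finding #8, this closes the MITM route into the WebView that the description above relies on; the persistent-XSS route is closed on the server side by the usual output encoding and a Content-Security-Policy on the pages the WebView loads.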

Appendix B. Automated Tools

Scope | Tools used
Application Security | Drozer; Xposed 3.1.5; MobSF; Dex2Jar; JD-GUI; BurpSuite 1.7.30; Nmap; Sqlmap; VisualCodeGrepper; SonarQube
Devices | Samsung Note 8 – Android 8.0; Lenovo A968 – Android 4.4.2; Motorola Z Force – Android 8.0; Motorola Droid Turbo 2 – Android 7.0; Motorola Droid Maxx – Android 4.4.4
