ID HACKAPP:BR.GOV.PE.DETRAN.MOBILEAPP.APK
Type hackapp
Reporter Hackapp.org
Modified 2017-01-28T01:58:45
Description
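The HackApp vulnerability scanner found multiple vulnerabilities in the application DETRAN-PE Mais Fácil, published on the 'play' market. The record below lists each finding with its scanner-assigned severity under `hackapp.bugs` (four are rated critical), gives the affected version as 1.0.37 or earlier, and carries no CVSS score.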
{"id": "HACKAPP:BR.GOV.PE.DETRAN.MOBILEAPP.APK", "bulletinFamily": "software", "title": "DETRAN-PE Mais F\u00e1cil - Customized SSL, Redefined SSL Common Names verifier, WebView SSL handling enabled vulnerabilities", "description": "HackApp vulnerability scanner discovered that application DETRAN-PE Mais F\u00e1cil published at the 'play' market has multiple vulnerabilities.", "published": "2017-01-28T01:58:45", "modified": "2017-01-28T01:58:45", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackapp.com/report/5e8c406eae34c6243fcdb34aede8f154", "reporter": "Hackapp.org", "references": ["https://play.google.com/store/apps/details?id=br.gov.pe.detran.mobileapp&hl=en"], "cvelist": [], "type": "hackapp", "lastseen": "2018-08-02T14:00:59", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "93a3af167d4fc8c158fa273923a6e44b"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "933525e977338ef60c1a95991b12b663"}, {"key": "hackapp", "hash": "d8160ab94978d8e75521493d6c299fbc"}, {"key": "href", "hash": "b2b980bf42498b918e66afa815a849c8"}, {"key": "modified", "hash": "a02becf735006f24959f291afc74e94e"}, {"key": "published", "hash": "a02becf735006f24959f291afc74e94e"}, {"key": "references", "hash": "8d04862f0e8189a490e7a064916daaa0"}, {"key": "reporter", "hash": "3b012aae1848bb95fe11f3cebae83cb0"}, {"key": "title", "hash": "1a86341e4c2f9fa43ca81e029fd1627a"}, {"key": "type", "hash": "96e87ef1fcc8d9d3cdd337488987c423"}], "hash": "8270d395d258ea0e67ded31a3f1dbb13a77a5f77f20ce8a07b364e655f21cf57", "viewCount": 0, "enchantments": {"score": {"value": 0.2, "vector": "NONE", "modified": "2018-08-02T14:00:59"}, "dependencies": {"references": [], "modified": "2018-08-02T14:00:59"}, "vulnersScore": 0.2}, "objectVersion": "1.3", "affectedSoftware": [{"name": "DETRAN-PE Mais 
F\u00e1cil", "operator": "le", "version": "1.0.37"}], "hackapp": {"apk": "BR.GOV.PE.DETRAN.MOBILEAPP.APK", "bugs": [{"description": "WebView 'addJavascriptInterface' could be used to control the host app with JavaScript bindings. Remote Code Execution (RCE) is possible.", "id": "1e870e6edcf90ba2c6fd87b6975aaf71", "name": "WebView code execution", "severity": "critical"}, {"description": "SD-cards and other external storages have 'worldwide read' policy.", "id": "0eb4ea1d2cb39f67e85e1e2d8225b96e", "name": "SD-card access", "severity": "medium"}, {"description": "This app uses self defined certificate verifier. If it is not properly configured it could allow attackers to do MITM attacks with their valid certificate without your knowledge.", "id": "2a3cabe6943063c1db907da1e004ce17", "name": "Redefined SSL Common Names verifier", "severity": "critical"}, {"description": "WebView 'setJavaScriptEnabled(true)' could be exploited during cross-site scripting attacks.", "id": "5b16b0e1a82ae3f254972b549442f0e1", "name": "WebView JavaScript enabled", "severity": "medium"}, {"description": "All items deleted with 'file.delete()' could be recovered.", "id": "25c35aa37b22daf65622d506f2e9cf8e", "name": "Unsafe deleting", "severity": "notice"}, {"description": "Were do they point?", "id": "8966426a2e6568d3dfb11e0e3ac5ac7a", "name": "External URLs", "severity": "notice"}, {"description": "Are you sure these files should be here?", "id": "2510104940dde32ef2c2f7d4a8189c04", "name": "Suspicious files", "severity": "notice"}, {"description": "Native code (.so) usage 'System.loadLibrary();' is found.", "id": "2c4fd3e0ebb5a967d0c5d8c4ed25a1f3", "name": "Native code usage", "severity": "notice"}, {"description": "Control of WebView context allows to access local files.\n\t\t\t", "id": "53a4e12a6d2790c461026ca857b9a487", "name": "WebView files access", "severity": "medium"}, {"description": "WebView with 'handler.proceed();' allows connection to continue even if the SSL certificate 
validation is failed.", "id": "958ab0d697b5122bc4605a27fcf8267c", "name": "WebView SSL handling enabled", "severity": "critical"}, {"description": "\n\t\t\tCheck certificate validation. Do not create or redefine X509Certificate class methods by yourself, if you don't understand risks. Use the existing API.\n\t\t\t", "id": "293cb21b2b61ac6e24f71d643322689e", "name": "Customized SSL", "severity": "critical"}], "icon": "http://lh3.googleusercontent.com/8EsE3Uya8BEGgiyvq2WYcj_wCsrU7bMX644u17tTUU_tGjgfGYJknwihLaIG5zMC2Tg=w300", "link": "https://play.google.com/store/apps/details?id=br.gov.pe.detran.mobileapp&hl=en", "name": "DETRAN-PE Mais F\u00e1cil", "release": "2017-01-25T00:00:00", "store": "play", "vendor": "Departamento Estadual de Tr\u00e2nsito de Pernambuco", "version": "1.0.37"}}
{}