Hackapp.orgHACKAPP:CA.TRANSOPOLIS.PRAGUEMETRO.APKPrague Metro Map - Base64 encoded String, Exported ContentProvider, Hardcoded secrets vulnerabilities
HackApp vulnerability scanner discovered that application Prague Metro Map published at the ‘play’ market has multiple vulnerabilities.
Name
Prague Metro MapVendor
TransopolisLink
CA.TRANSOPOLIS.PRAGUEMETRO.APKStore
playVersion
1.0- CRITICAL
- Hardcoded secrets
Passwords or tokens here. Everyone can see and use it.
- WebView code execution
WebView 'addJavascriptInterface' could be used to control the host app with JavaScript bindings. Remote Code Execution (RCE) is possible.
- Exported ContentProvider
Exported ContentProvider is available to other apps.
- Base64 encoded String
Base64 encoded string could include authentication credentials.
- MIT license
The app should be compliant with open source license requirements.
- NOTICE
- Unsafe deleting
All items deleted with 'file.delete()' could be recovered.
- External URLs
Where do they point?
- Suspicious files
Are you sure these files should be here?
- Possible privilege escalation
This app is looking for root tools.
- Native code usage
Native code (.so) usage 'System.loadLibrary();' is found.
- MEDIUM
- WebView files access
Control of WebView context allows to access local files.
- Exported components
Other applications could access the interfaces.
- SD-card access
SD-cards and other external storages have 'worldwide read' policy.
- Dynamic Code Loading
Code for 'DexClassLoader' could be tampered.
- WebView JavaScript enabled
WebView 'setJavaScriptEnabled(true)' could be exploited during cross-site scripting attacks.
| CPE | Name | Operator | Version |
|---|---|---|---|
| prague metro map | le | 1.0 |