The HackApp vulnerability scanner found that the application Prague Metro Map, published on the ‘play’ market, has multiple vulnerabilities.
Passwords or tokens are present here. Everyone can see and use them.
WebView 'addJavascriptInterface' could be used to control the host app with JavaScript bindings. Remote Code Execution (RCE) is possible.
Exported ContentProvider is available to other apps.
Base64 encoded string could include authentication credentials.
The app should be compliant with open source license requirements.
All items deleted with 'file.delete()' could be recovered.
Where do they point?
Are you sure these files should be here?
This app is looking for root tools.
Native code (.so) usage via 'System.loadLibrary();' was found.
Control of the WebView context allows access to local files.
Other applications could access the interfaces.
SD cards and other external storage have a 'worldwide read' policy.
Code for 'DexClassLoader' could be tampered with.
WebView 'setJavaScriptEnabled(true)' could be exploited during cross-site scripting attacks.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | prague metro map | le | 1.0 |