ID HACKAPP:COM.APOFISS.FROSTYTHEKITTENLITE.APK
Type hackapp
Reporter Hackapp.org
Modified 2016-04-01T09:09:51
Description
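The HackApp vulnerability scanner found that the application Frosty The Kitten Lite, published on the 'play' market, has multiple vulnerabilities. The record below lists twelve scanner findings, rated from notice to critical; it assigns no CVE identifiers and its CVSS vector is NONE, so the severity ratings are the scanner's own.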
{"cvelist": [], "published": "2016-04-01T09:09:51", "bulletinFamily": "software", "objectVersion": "1.2", "href": "https://hackapp.com/report/7f0c87a2294e3b4b9dc360599c5379a0", "lastseen": "2016-09-26T20:43:25", "id": "HACKAPP:COM.APOFISS.FROSTYTHEKITTENLITE.APK", "hackapp": {"link": "https://play.google.com/store/apps/details?id=com.apofiss.frostythekittenlite&hl=en", "bugs": [{"description": "Control of WebView context allows to access local files.\n\t\t\t", "severity": "medium", "id": "99268e77262ace27c2900684246685e2", "name": "WebView files access"}, {"description": "SD-cards and other external storages have 'worldwide read' policy.", "severity": "medium", "id": "4966045e8a190bcf26c35a84e97f6a1b", "name": "SD-card access"}, {"description": "All items deleted with 'file.delete()' could be recovered.", "severity": "notice", "id": "9e997f4bd04974f27ce4eeb3caa49042", "name": "Unsafe deleting"}, {"description": "WebView 'setJavaScriptEnabled(true)' could be exploited during cross-site scripting attacks.", "severity": "medium", "id": "f80c6565295838f6558a878f611bac69", "name": "WebView JavaScript enabled"}, {"description": "Other applications could access the interfaces.", "severity": "medium", "id": "3430f3a5f1fa131985170fec2b6f214d", "name": "Exported components"}, {"description": "Where do they point?", "severity": "notice", "id": "0000e66d877324eb28691d23e3a6dabe", "name": "External URLs"}, {"description": "Native code (.so) usage 'System.loadLibrary();' is found.", "severity": "notice", "id": "63062d065e37ce0f30ac6684b7e5b92f", "name": "Native code usage"}, {"description": "This app is looking for root tools.", "severity": "notice", "id": "5f4e7d9a3893722857a4e7c8f6010940", "name": "Possible privilege escalation"}, {"description": "Are you sure these files should be here?", "severity": "notice", "id": "1624f2f0799d5177c2b814156b7b7095", "name": "Suspicious files"}, {"description": "Code for 'DexClassLoader' could be tampered.", "severity": "medium", "id": 
"05e6fc3700485f97e88b88e77cd740b1", "name": "Dynamic Code Loading"}, {"description": "WebView 'addJavascriptInterface' could be used to control the host app with JavaScript bindings. Remote Code Execution (RCE) is possible.", "severity": "critical", "id": "365d6017a368d421e3cda702c9f06868", "name": "WebView code execution"}, {"description": "The app should be compliant with open source license requirements.", "severity": "critical", "id": "513f306385bbe094f7898f55694ca2d7", "name": "MIT license"}], "vendor": "apofiss", "release": "2016-03-30T00:00:00", "version": "1.1.0", "apk": "COM.APOFISS.FROSTYTHEKITTENLITE.APK", "store": "play", "name": "Frosty The Kitten Lite", "icon": "http://lh5.ggpht.com/H5kqJO1xiIzoNBKOMd1IBEW7Uc3ewk7b5inZ5VWDcEsRt3pY5FIHvdbc5TfvcDBgcZ7t=w300"}, "reporter": "Hackapp.org", "references": ["https://play.google.com/store/apps/details?id=com.apofiss.frostythekittenlite&hl=en"], "hashmap": [{"hash": "512017d72fdd5a91a9b632dc9e66b864", "key": "affectedSoftware"}, {"hash": "f9fa10ba956cacf91d7878861139efb9", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "d4be9c4fc84262b4f39f89565918568f", "key": "cvss"}, {"hash": "de026b69d2f2c8ac4df2d35f1c48aacc", "key": "description"}, {"hash": "81171824ac7a96306655e3ba16b6e463", "key": "hackapp"}, {"hash": "ae93a016c232bf5b04363eab1070b892", "key": "href"}, {"hash": "32f197cc3e7e3657eda1c4a8816ad3f4", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "32f197cc3e7e3657eda1c4a8816ad3f4", "key": "published"}, {"hash": "ce9fa7fd36d7a2d49bf4d1c15120e742", "key": "references"}, {"hash": "3b012aae1848bb95fe11f3cebae83cb0", "key": "reporter"}, {"hash": "40e4dc7da119bf7dceb80e5dea9b1138", "key": "title"}, {"hash": "96e87ef1fcc8d9d3cdd337488987c423", "key": "type"}, {"hash": "cfcd208495d565ef66e7dff9f98764da", "key": "viewCount"}], "description": "HackApp vulnerability scanner discovered that application Frosty The 
Kitten Lite published at the 'play' market has multiple vulnerabilities.", "modified": "2016-04-01T09:09:51", "cvss": {"vector": "NONE", "score": 0.0}, "viewCount": 0, "type": "hackapp", "affectedSoftware": [{"name": "Frosty The Kitten Lite", "operator": "le", "version": "1.1.0"}], "title": "Frosty The Kitten Lite - MIT license, WebView code execution vulnerabilities", "hash": "08b9796e98ec53b373463a58d34e6c8a7c7c3869ea92bf3152349c240220a1f5", "history": [], "edition": 1, "enchantments": {"vulnersScore": 7.5}}
{"result": {}}