ID HACKAPP:COM.DJIT.APPS.EDJING.EXPERT.LE.APK
Type hackapp
Reporter Hackapp.org
Modified 2016-04-01T09:14:20
Description
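The HackApp vulnerability scanner reported that the application "edjing PRO LE - Music DJ mixer", published on the 'play' market, has multiple vulnerabilities. The findings in the record below are automated scanner results: no CVEs are listed, the CVSS vector is NONE, and several descriptions are conditional ("could", "if it is not properly configured"), so each finding should be confirmed against the app before it is treated as exploitable.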
{"title": "edjing PRO LE - Music DJ mixer - Base64 encoded String, Customized SSL, Dangerous filesystem permissions vulnerabilities", "published": "2016-04-01T09:14:20", "href": "https://hackapp.com/report/8c160319446af8568a57c13108ad0b08", "lastseen": "2016-09-26T20:43:32", "hash": "259814cfc4ea9b0181f6ebb3c68f8bd39ffbaa2088834464d0177243bb0b0465", "id": "HACKAPP:COM.DJIT.APPS.EDJING.EXPERT.LE.APK", "cvelist": [], "history": [], "type": "hackapp", "modified": "2016-04-01T09:14:20", "hackapp": {"link": "https://play.google.com/store/apps/details?id=com.djit.apps.edjing.expert.le&hl=en", "apk": "COM.DJIT.APPS.EDJING.EXPERT.LE.APK", "vendor": "DJiT - Best free music and audio apps for Android", "bugs": [{"name": "Redefined SSL Common Names verifier", "severity": "critical", "description": "This app uses self defined certificate verifier. If it is not properly configured it could allow attackers to do MITM attacks with their valid certificate without your knowledge.", "id": "2e99f3f4d899b5d8f49c8c26d1de27e9"}, {"name": "Native code usage", "severity": "notice", "description": "Native code (.so) usage 'System.loadLibrary();' is found.", "id": "5d9c901c9d801b964808e4334d04f8d6"}, {"name": "WebView files access", "severity": "medium", "description": "Control of WebView context allows to access local files.\n\t\t\t", "id": "69c7e30246e05ed85d1ad7ec0f5eae0d"}, {"name": "Base64 encoded String", "severity": "critical", "description": "Base64 encoded string could include authentication credentials.", "id": "b2ee55cadc7ce8744ece72c40f3401a1"}, {"name": "SD-card access", "severity": "medium", "description": "SD-cards and other external storages have 'worldwide read' policy.", "id": "89755f3517a039a9a3d1965224c382a1"}, {"name": "Dangerous filesystem permissions", "severity": "critical", "description": "Files created with these methods could be worldwide readable.", "id": "c40477048f9e6db8fca19c9640819aff"}, {"name": "WebView SSL handling enabled", "severity": "critical", 
"description": "WebView with 'handler.proceed();' allows connection to continue even if the SSL certificate validation is failed.", "id": "3f05b8efdaf5abc30856af9b371b20b2"}, {"name": "Exported ContentProvider", "severity": "critical", "description": "Exported ContentProvider is available to other apps.", "id": "7b94068c41cdf318e5da989c14ee5622"}, {"name": "External URLs", "severity": "notice", "description": "Were do they point?", "id": "ef29977865e6bbd5bd467c23c96da0ac"}, {"name": "Suspicious files", "severity": "notice", "description": "Are you sure these files should be here?", "id": "0bf75f1fbb16720cd3cbc13b40394960"}, {"name": "Customized SSL", "severity": "critical", "description": "\n\t\t\tCheck certificate validation. Do not create or redefine X509Certificate class methods by yourself, if you don't understand risks. Use the existing API.\n\t\t\t", "id": "f67fa54ac42bb33d410faf7a0ba40264"}, {"name": "WebView JavaScript enabled", "severity": "medium", "description": "WebView 'setJavaScriptEnabled(true)' could be exploited during cross-site scripting attacks.", "id": "6cb2a2fcdea148b3871118f56438f3ed"}, {"name": "Unsafe deleting", "severity": "notice", "description": "All items deleted with 'file.delete()' could be recovered.", "id": "9ffa7a99574ff44c52a1ca510453e85c"}, {"name": "Dynamic Code Loading", "severity": "medium", "description": "Code for 'DexClassLoader' could be tampered.", "id": "9e17a9dcb255505f9f1fab464f94db3f"}, {"name": "WebView code execution", "severity": "critical", "description": "WebView 'addJavascriptInterface' could be used to control the host app with JavaScript bindings. 
Remote Code Execution (RCE) is possible.", "id": "c3867e0e3641a8edcb56669f9ad6071c"}, {"name": "Exported components", "severity": "medium", "description": "Other applications could access the interfaces.", "id": "fac7bc083bc6c0fc4ad15e43dbda57e0"}], "store": "play", "release": "2016-02-16T00:00:00", "icon": "http://lh3.googleusercontent.com/5z9tm6ihKCnG7OySflZ0oONaf4OQ62-ywbMNogJGxbiUY4ZArQUOBYq5DuNglw_fbNw=w300", "name": "edjing PRO LE - Music DJ mixer", "version": "1.2.6"}, "bulletinFamily": "software", "references": ["https://play.google.com/store/apps/details?id=com.djit.apps.edjing.expert.le&hl=en"], "reporter": "Hackapp.org", "hashmap": [{"key": "affectedSoftware", "hash": "c58513e5372c55d41e3a9be1c5d5a244"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "e1fc4a67eb295099bbcab066468d2572"}, {"key": "hackapp", "hash": "983705aa610c8306785126ebb24372dc"}, {"key": "href", "hash": "38984b993afe9075061e0af533cfb394"}, {"key": "modified", "hash": "78b1d6177192e4fee2e4b23d48a98801"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "78b1d6177192e4fee2e4b23d48a98801"}, {"key": "references", "hash": "53501fe3c77fd85549e6e9ba701fe274"}, {"key": "reporter", "hash": "3b012aae1848bb95fe11f3cebae83cb0"}, {"key": "title", "hash": "321e00426c06a55e2ba028c7fe02285e"}, {"key": "type", "hash": "96e87ef1fcc8d9d3cdd337488987c423"}, {"key": "viewCount", "hash": "cfcd208495d565ef66e7dff9f98764da"}], "viewCount": 8, "objectVersion": "1.2", "affectedSoftware": [{"name": "edjing PRO LE - Music DJ mixer", "version": "1.2.6", "operator": "le"}], "description": "HackApp vulnerability scanner discovered that application edjing PRO LE - Music DJ mixer published at the 'play' market has multiple vulnerabilities.", "cvss": {"vector": "NONE", "score": 0.0}, 
"edition": 1, "enchantments": {"vulnersScore": 5.4}}
{"result": {}}