Hackapp.orgHACKAPP:COM.FIVESTARGAMES.SLOTS.APKSlots Free - Big Win Casino™ - AWS Credentials, Customized SSL, Dangerous filesystem permissions vulnerabilities
HackApp vulnerability scanner discovered that application Slots Free - Big Win Casino™ published at the ‘play’ market has multiple vulnerabilities.
Name
Slots Free - Big Win Casino™Vendor
FiveStar Games - Slots and CasinoLink
COM.FIVESTARGAMES.SLOTS.APKStore
playVersion
1.27- NOTICE
- Possible privilege escalation
This app is looking for root tools.
- External URLs
Where do they point?
- Unsafe deleting
All items deleted with 'file.delete()' could be recovered.
- Suspicious files
Are you sure these files should be here?
- Native code usage
Native code (.so) usage 'System.loadLibrary();' is found.
- CRITICAL
- WebView SSL handling enabled
WebView with 'handler.proceed();' allows connection to continue even if the SSL certificate validation is failed.
- Customized SSL
Check certificate validation. Do not create or redefine X509Certificate class methods by yourself, if you don't understand risks. Use the existing API.
- Dangerous filesystem permissions
Files created with these methods could be worldwide readable.
- AWS Credentials
Everyone can use it to access your resources.
- GPL license
The app should be compliant with open source license requirements.
- WebView code execution
WebView 'addJavascriptInterface' could be used to control the host app with JavaScript bindings. Remote Code Execution (RCE) is possible.
- MEDIUM
- WebView JavaScript enabled
WebView 'setJavaScriptEnabled(true)' could be exploited during cross-site scripting attacks.
- WebView files access
Control of WebView context allows to access local files.
- Exported components
Other applications could access the interfaces.
- SD-card access
SD-cards and other external storages have 'worldwide read' policy.
- Dynamic Code Loading
Code for 'DexClassLoader' could be tampered.
| CPE | Name | Operator | Version |
|---|---|---|---|
| slots free - big win casino™ | le | 1.27 |