The HackApp vulnerability scanner discovered that the application TiBO mobile TV, published at the "play" market, has multiple vulnerabilities.
Other applications could access the interfaces.
Control of the WebView context allows access to local files.
WebView 'setJavaScriptEnabled(true)' could be exploited during cross-site scripting attacks.
WebView 'addJavascriptInterface' could be used to control the host app with JavaScript bindings. Remote Code Execution (RCE) is possible.
WebView with 'handler.proceed();' allows the connection to continue even if SSL certificate validation fails.
Files created with these methods could be world-readable.
Where do they point?
All items deleted with 'file.delete()' could be recovered.
Are you sure these files should be here?
CPE | Name | Operator | Version |
---|---|---|---|
tibo mobile tv | le | Tibo |