hackapp | Hackapp.org | HACKAPP:COM.TIBO.MOBILEWEBTV.APK
Apr 28, 2017 - 8:18 a.m.

TiBO mobile TV - Dangerous filesystem permissions, WebView SSL handling enabled, WebView code execution vulnerabilities

2017-04-28 08:18:54
Hackapp.org
hackapp.com

HackApp vulnerability scanner discovered that the application TiBO mobile TV, published on the 'play' market, has multiple vulnerabilities.

Name: TiBO mobile TV
Vendor: TIBO SHPK
Link: COM.TIBO.MOBILEWEBTV.APK
Store: play
Version: Tibo

  • MEDIUM
  • Exported components

    Other applications could access the interfaces.

  • WebView files access

    Control of the WebView context allows access to local files.

  • WebView JavaScript enabled

    WebView 'setJavaScriptEnabled(true)' could be exploited during cross-site scripting attacks.

  • CRITICAL
  • WebView code execution

    WebView 'addJavascriptInterface' could be used to control the host app with JavaScript bindings. Remote Code Execution (RCE) is possible.

  • WebView SSL handling enabled

    WebView with 'handler.proceed();' allows the connection to continue even if SSL certificate validation fails.

  • Dangerous filesystem permissions

    Files created with these methods could be world-readable.

  • NOTICE
  • External URLs

    Where do they point?

  • Unsafe deleting

    All items deleted with 'file.delete()' could be recovered.

  • Suspicious files

    Are you sure these files should be here?

CPE

Name | Operator | Version
tibo mobile tv | le | Tibo