VPN Master-Free·unblock·proxy - Customized SSL, Dangerous filesystem permissions, Hardcoded secrets vulnerabilities

Name

Vendor

Link

Store

Version

• CRITICAL
Customized SSL

Check certificate validation. Do not create or redefine X509Certificate class methods by yourself, if you don't understand risks. Use the existing API.

Runtime privilege escalation

Privilege escalation 'Runtime.getRuntime().exec("su")' is found.

Hardcoded secrets

Passwords or tokens here. Everyone can see and use it.

Redefined SSL Common Names verifier

This app uses self defined certificate verifier. If it is not properly configured it could allow attackers to do MITM attacks with their valid certificate without your knowledge.

Dangerous filesystem permissions

Files created with these methods could be worldwide readable.

WebView SSL handling enabled

WebView with 'handler.proceed();' allows connection to continue even if the SSL certificate validation is failed.

WebView code execution

WebView 'addJavascriptInterface' could be used to control the host app with JavaScript bindings. Remote Code Execution (RCE) is possible.

• MEDIUM
WebView JavaScript enabled

WebView 'setJavaScriptEnabled(true)' could be exploited during cross-site scripting attacks.

Runtime command execution

Function 'Runtime.getRuntime().exec()' is used, please check where variables are come from.

WebView files access

Control of WebView context allows to access local files.

Dynamic Code Loading

Code for 'DexClassLoader' could be tampered.

Exported components

Other applications could access the interfaces.

SD-card access

SD-cards and other external storages have 'worldwide read' policy.

• NOTICE
External URLs

Were do they point?

Native code usage

Native code (.so) usage 'System.loadLibrary();' is found.

Suspicious files

Are you sure these files should be here?

Possible privilege escalation

This app is looking for root tools.

Unsafe deleting

All items deleted with 'file.delete()' could be recovered.

References