اینستا فارسی - Customized SSL, Dangerous filesystem permissions, Hardcoded secrets vulnerabilities

Name

Vendor

Link

Store

Version

• CRITICAL
Customized SSL

Check certificate validation. Do not create or redefine X509Certificate class methods by yourself, if you don't understand risks. Use the existing API.

Hardcoded secrets

Passwords or tokens here. Everyone can see and use it.

Redefined SSL Common Names verifier

This app uses self defined certificate verifier. If it is not properly configured it could allow attackers to do MITM attacks with their valid certificate without your knowledge.

WebView code execution

WebView 'addJavascriptInterface' could be used to control the host app with JavaScript bindings. Remote Code Execution (RCE) is possible.

Dangerous filesystem permissions

Files created with these methods could be worldwide readable.

• NOTICE
Unsafe deleting

All items deleted with 'file.delete()' could be recovered.

Suspicious files

Are you sure these files should be here?

External URLs

Were do they point?

• MEDIUM
WebView JavaScript enabled

WebView 'setJavaScriptEnabled(true)' could be exploited during cross-site scripting attacks.

SD-card access

SD-cards and other external storages have 'worldwide read' policy.

Exported components

Other applications could access the interfaces.

WebView files access

Control of WebView context allows to access local files.

References