confidential
15th February, 2017

Android Security Report

For Internal Purpose
Prepared For: {{file.name}}

Prepared by XYSec Labs Pte. Ltd. Portions of this document and the templates used in its production are the property of XYSec Labs Pte. Ltd. and cannot be copied without permission.

While precautions have been taken in the preparation of this document, XYSec Labs Pte. Ltd., the publisher, and the author(s) assume no responsibility for errors, omissions, or for damages resulting from the use of the information contained herein. Use of XYSec Labs Pte. Ltd. services does not guarantee the security of a system, or that intrusions will not occur.

Table Of Contents

Report Summary

Appknox conducted a security assessment of the mobile application for the Android platform. This report contains all the findings during the automated auditing process. It also contains the process of discovering those vulnerabilities in the first place, and ways to remediate those issues.

Application Details

Application Name: com.flipkart.android
Application Namespace: com.flipkart.android
Version: 5.8
Audit Date: 2017-02-15 06:13
Application SHA1 Hash: c4da68e075c5d098f14909e9ded51916e8238b46
Application MD5 Hash: f68e50276da5ec2958003dd1270c9a72
Types Of Vulnerabilities
  1. Information Disclosure :

    Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

OWASP Top 10 Vulnerabilities
  1. Improper Platform Usage :

    This category covers misuse of a platform feature or failure to use platform security controls. It might include Android intents, platform permissions, misuse of TouchID, the Keychain, or some other security control that is part of the mobile operating system. There are several ways that mobile apps can experience this risk.

Severity Of Risks
  1. HIGH :

    Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Audit Summary
Android Unprotected Exported Service

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Medium Risk

Configuration Management

{% for analysis in file.analyses %}
  1. {{ analysis.vulnerability.name }} :

{{ analysis.vulnerability.intro | safe }} :

Risk Rating : High
Risk Assessment

The Android application exports a Service for use by other applications but does not properly restrict which applications can launch the component or access the data it contains.

Noncompliant Code Example

When the application connects to the internet over plain HTTP without SSL/TLS, or over TLS without a properly validated certificate, the connection can be eavesdropped by an attacker without the user's knowledge.

String link = "http://www.google.com";
Compliant Solution

If you are using a Service for sharing data between only your own apps, it is preferable to declare a custom permission with the android:protectionLevel attribute set to "signature" and require it on the Service. Signature permissions do not require user confirmation, so they provide a better user experience and more controlled access to the Service: only apps signed with the same key can hold the permission.
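The following is an added illustration, not part of the original report or of the audited application. It embeds two constructed AndroidManifest.xml fragments for a hypothetical package com.example.app: one with exported services that carry no permission (the condition described above), and one where the same services are guarded by a custom permission declared at protectionLevel="signature". A small checker then applies the rule an automated audit would apply: a service counts as exported when android:exported="true", or when it declares an intent-filter and android:exported is absent (the default before API level 31), and an exported service is flagged unless its android:permission refers to a signature-level permission declared in the same manifest.

```python
"""Flag exported Android <service> components that any installed app can reach.

Added example; manifests below are constructed for a hypothetical package
com.example.app and are not taken from the audited application.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed noncompliant manifest: both services are reachable by other apps.
NONCOMPLIANT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <!-- Explicitly exported and unguarded: any app can bind to it -->
    <service android:name=".SyncService" android:exported="true" />
    <!-- Implicitly exported: intent-filter present, android:exported absent -->
    <service android:name=".UploadService">
      <intent-filter>
        <action android:name="com.example.app.action.UPLOAD" />
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed compliant manifest: a signature-level permission guards both services.
COMPLIANT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <!-- Granted only to apps signed with the same certificate as this one -->
  <permission android:name="com.example.app.permission.BIND_SYNC"
      android:protectionLevel="signature" />
  <application>
    <service android:name=".SyncService"
        android:exported="true"
        android:permission="com.example.app.permission.BIND_SYNC" />
    <service android:name=".UploadService"
        android:exported="true"
        android:permission="com.example.app.permission.BIND_SYNC">
      <intent-filter>
        <action android:name="com.example.app.action.UPLOAD" />
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def _android(elem, attr):
    """Read an android:-namespaced attribute; None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, attr))


def is_exported(component):
    """True if android:exported="true", or if the component has an
    <intent-filter> and android:exported is not set (pre-API-31 default)."""
    exported = _android(component, "exported")
    if exported is not None:
        return exported == "true"
    return component.find("intent-filter") is not None


def signature_permissions(root):
    """Names of <permission> elements whose protectionLevel includes 'signature'."""
    result = set()
    for perm in root.findall("permission"):
        levels = (_android(perm, "protectionLevel") or "").split("|")
        if "signature" in levels:
            result.add(_android(perm, "name"))
    return result


def check_exported_services(manifest_xml):
    """Return one finding string per exported service that is not guarded by a
    signature-level permission declared in this manifest."""
    root = ET.fromstring(manifest_xml)
    sig_perms = signature_permissions(root)
    app = root.find("application")
    findings = []
    for svc in ([] if app is None else app.findall("service")):
        if not is_exported(svc):
            continue
        name = _android(svc, "name")
        perm = _android(svc, "permission")
        if perm is None:
            findings.append("%s: exported without android:permission" % name)
        elif perm not in sig_perms:
            findings.append("%s: guarded by %s, which is not declared with "
                            "protectionLevel=\"signature\" here" % (name, perm))
    return findings


if __name__ == "__main__":
    for label, manifest in (("noncompliant", NONCOMPLIANT_MANIFEST),
                            ("compliant", COMPLIANT_MANIFEST)):
        print(label, check_exported_services(manifest) or ["no findings"])
```

The checker deliberately requires the guarding permission to be declared in the same manifest with a signature protection level; a service that names a permission declared elsewhere, or at a "normal" or "dangerous" level, is still flagged, since such a permission can be obtained by unrelated apps.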

Related Vulnerabilities

{% endfor %}