Security Score: 44/100
Risk Rating: letter grade on an A/B/C/F scale (gauge graphic; the assigned grade is not recoverable from this extract)
Severity Distribution (%): chart graphic (no values recoverable from this extract)
Privacy Risk: 0 User/Device Trackers
Findings:
- High: 3
- Medium: 10
- Info: 2
- Secure: 1
- Hotspot: 1
high App can be installed on a vulnerable unpatched Android version
Android 4.1-4.1.2, [minSdk=16] This application can be installed on an older version of Android that has multiple unfixed vulnerabilities. These devices won't receive reasonable security updates from Google. Support an Android version >= 10, API 29 to receive reasonable security updates.
high Clear text traffic is Enabled For App
[android:usesCleartextTraffic=true] The app intends to use cleartext network traffic, such as cleartext HTTP, FTP stacks, DownloadManager, and MediaPlayer. The default value for apps that target API level 27 or lower is "true". Apps that target API level 28 or higher default to "false". The key reason for avoiding cleartext traffic is the lack of confidentiality, authenticity, and protections against tampering; a network attacker can eavesdrop on transmitted data and also modify it without being detected.
high Insecure WebView Implementation. WebView ignores SSL Certificate errors and accepts any SSL Certificate. This application is vulnerable to MITM attacks
Insecure WebView Implementation. WebView ignores SSL Certificate errors and accepts any SSL Certificate. This application is vulnerable to MITM attacks. Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#webview-server-certificate-verification
medium Application Data can be Backed up
[android:allowBackup=true] This flag allows anyone to back up your application data via adb. It allows users who have enabled USB debugging to copy application data off of the device.
medium Activity (com.insecureshop.ChooserActivity) is not Protected.
An intent-filter exists. An Activity is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device. The presence of an intent-filter indicates that the Activity is explicitly exported.
medium Activity (com.insecureshop.AboutUsActivity) is not Protected.
[android:exported=true] An Activity is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device.
medium Activity (com.insecureshop.WebViewActivity) is not Protected.
An intent-filter exists. An Activity is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device. The presence of an intent-filter indicates that the Activity is explicitly exported.
medium Activity (com.insecureshop.WebView2Activity) is not Protected.
An intent-filter exists. An Activity is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device. The presence of an intent-filter indicates that the Activity is explicitly exported.
medium Activity (com.insecureshop.ResultActivity) is not Protected.
[android:exported=true] An Activity is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device.
medium Content Provider (com.insecureshop.contentProvider.InsecureShopProvider) is not Protected.
[android:exported=true] A Content Provider is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device.
medium Service (net.gotev.uploadservice.UploadService) is not Protected.
[android:exported=true] A Service is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device.
medium Files may contain hardcoded sensitive information like usernames, passwords, keys etc.
Files may contain hardcoded sensitive information like usernames, passwords, keys etc. Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
medium App can read/write to External Storage. Any App can read data written to External Storage.
App can read/write to External Storage. Any App can read data written to External Storage. Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
info The App logs information. Sensitive information should never be logged.
The App logs information. Sensitive information should never be logged. Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
info App can write to App Directory. Sensitive Information should be encrypted.
secure This application has no privacy trackers
This application does not include any user or device trackers. Unable to find trackers during static analysis.
hotspot Found 3 critical permission(s)
Ensure that these permissions are required by the application.
- android.permission.READ_EXTERNAL_STORAGE (dangerous): read external storage contents - Allows an application to read from external storage.
- android.permission.WRITE_EXTERNAL_STORAGE (dangerous): read/modify/delete external storage contents - Allows an application to write to external storage.
- android.permission.READ_CONTACTS (dangerous): read contact data - Allows an application to read all of the contact (address) data stored on your phone. Malicious applications can use this to send your data to other people.