Android APK Scanner Sample report



SUMMARY OF FINDINGS (Project Name: Insecure Bank)


Risk Count
High 0
Medium 7
Low 0
Total 7

No Vulnerability Name Risk Severity Cvss score Occurrences
1 Improper Export of Activity-com.android.insecurebankv2.ChangePassword Medium Medium 4.9 1
2 Improper Export of Receivers-com.android.insecurebankv2.MyBroadCastReceiver Medium Medium 4.9 1
3 Improper Export of Activity-com.android.insecurebankv2.ViewStatement Medium Medium 4.9 1
4 Improper Export of Activity-com.android.insecurebankv2.DoTransfer Medium Medium 4.9 1
5 Improper Export of Activity-com.android.insecurebankv2.PostLogin Medium Medium 4.9 1
6 Android backup vulnerability Medium Medium 4.9 1
7 Android Debuggable enabled Medium Medium 4.9 1


Findings: 1 Improper Export of Activity-com.android.insecurebankv2.ChangePassword

Risk Medium
Severity Medium
CVSS Score 4.9
Occurrences 1
Details The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains. If access to an exported Activity is not restricted, any application will be able to launch the activity. This may allow a malicious application to gain access to sensitive information, modify the internal state of the application, or trick a user into interacting with the victim application while believing they are still interacting with the malicious application. This is not an issue if an activity does not have any sensitive information. REF: https://cwe.mitre.org/data/definitions/926.html
Recommendation Add the attribute android:exported=false in the activity tag.
Evidence <activity android:label="@string/title_activity_change_password" android:name="com.android.insecurebankv2.ChangePassword" android:exported="true"/>

Findings: 2 Improper Export of Receivers-com.android.insecurebankv2.MyBroadCastReceiver

Risk Medium
Severity Medium
CVSS Score 4.9
Occurrences 1
Details The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains. If access to the receiver is not restricted, it is possible for the external applications too to receive them. This is not an issue if the receiver does not involved with any sensitive data.
Recommendation Add the attribute android:exported=false in the receiver tag.
Evidence <receiver android:name="com.android.insecurebankv2.MyBroadCastReceiver" android:exported="true">

Findings: 3 Improper Export of Activity-com.android.insecurebankv2.ViewStatement

Risk Medium
Severity Medium
CVSS Score 4.9
Occurrences 1
Details The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains. If access to an exported Activity is not restricted, any application will be able to launch the activity. This may allow a malicious application to gain access to sensitive information, modify the internal state of the application, or trick a user into interacting with the victim application while believing they are still interacting with the malicious application. This is not an issue if an activity does not have any sensitive information. REF: https://cwe.mitre.org/data/definitions/926.html
Recommendation Add the attribute android:exported=false in the activity tag.
Evidence <activity android:label="@string/title_activity_view_statement" android:name="com.android.insecurebankv2.ViewStatement" android:exported="true"/>

Findings: 4 Improper Export of Activity-com.android.insecurebankv2.DoTransfer

Risk Medium
Severity Medium
CVSS Score 4.9
Occurrences 1
Details The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains. If access to an exported Activity is not restricted, any application will be able to launch the activity. This may allow a malicious application to gain access to sensitive information, modify the internal state of the application, or trick a user into interacting with the victim application while believing they are still interacting with the malicious application. This is not an issue if an activity does not have any sensitive information. REF: https://cwe.mitre.org/data/definitions/926.html
Recommendation Add the attribute android:exported=false in the activity tag.
Evidence <activity android:label="@string/title_activity_do_transfer" android:name="com.android.insecurebankv2.DoTransfer" android:exported="true"/>

Findings: 5 Improper Export of Activity-com.android.insecurebankv2.PostLogin

Risk Medium
Severity Medium
CVSS Score 4.9
Occurrences 1
Details The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains. If access to an exported Activity is not restricted, any application will be able to launch the activity. This may allow a malicious application to gain access to sensitive information, modify the internal state of the application, or trick a user into interacting with the victim application while believing they are still interacting with the malicious application. This is not an issue if an activity does not have any sensitive information. REF: https://cwe.mitre.org/data/definitions/926.html
Recommendation Add the attribute android:exported=false in the activity tag.
Evidence <activity android:label="@string/title_activity_post_login" android:name="com.android.insecurebankv2.PostLogin" android:exported="true"/>

Findings: 6 Android backup vulnerability

Risk Medium
Severity Medium
CVSS Score 4.9
Occurrences 1
Details android:allowBackup= 'true' property is present in the application tag which means application user can backup the app internal data which resides under /data/data/.
Recommendation Its recommended setting android:allowBackup=false within the android manifest file to disallow the access.
Evidence <application android:theme="@style/Theme.Holo.Light.DarkActionBar" android:label="@string/app_name" android:icon="@mipmap/ic_launcher" android:debuggable="true" android:allowBackup="true">

Findings: 7 Android Debuggable enabled

Risk Medium
Severity Medium
CVSS Score 4.9
Occurrences 1
Details android:debuggable= 'true' property is present in the application tag which means an application can be debugged even when running on a device.
Recommendation Its recommended setting this property as false in the release build of the android app.
Evidence <application android:theme="@style/Theme.Holo.Light.DarkActionBar" android:label="@string/app_name" android:icon="@mipmap/ic_launcher" android:debuggable="true" android:allowBackup="true">