Hi @appyet!
I have requested a security analysis of my applications created with AppYet and found some important issues that put the security of the apps at risk.
WEAK HASHING ALGORITHMS [M5] [CWE-916] [SAST]
The mobile application uses weak hashing algorithms. Weak hashing algorithms (e.g. MD2, MD4, MD5 or SHA-1) can be vulnerable to collisions and other security weaknesses, and should not be used when reliable hashing of data is required.
- There is 'getInstance("SHA-1")' found in file 'f/g/b/l/b.java':
Code:
line 12: try {
line 13: MessageDigest instance = MessageDigest.getInstance("SHA-1");
line 14: instance.update(bArr, 0, bArr.length);
- There is 'getInstance("SHA-1")' found in file 'f/j/d/j/d1.java':
Code:
line 54: try {
line 55: return Base64.encodeToString(MessageDigest.getInstance("SHA-1").digest(this.a.h().getBytes()), 11);
line 56: } catch (NoSuchAlgorithmException unused) {
- There is 'getInstance("MD5")' found in file 'f/b/g/g.java':
Code:
line 13: try {
line 14: MessageDigest instance = MessageDigest.getInstance("MD5");
line 15: instance.update(bArr, 0, bArr.length);
line 23: try {
line 24: MessageDigest instance = MessageDigest.getInstance("MD5");
line 25: instance.update(str.getBytes(StandardCharsets.ISO_8859_1), 0, str.length());
- There is 'getInstance("MD5")' found in file 'f/b/j/c.java':
Code:
line 36: try {
line 37: MessageDigest instance = MessageDigest.getInstance("MD5");
line 38: instance.update(str.getBytes(C.UTF8_NAME));
- There is 'getInstance("MD5")' found in file 'com/just/agentweb/AgentWebUtils.java':
Code:
line 706: try {
line 707: MessageDigest instance = MessageDigest.getInstance("MD5");
line 708: instance.update(str.getBytes());
CLEARTEXT SQLITE DATABASE [M2] [CWE-312] [DAST]
The mobile application uses an unencrypted SQLite database. This database can be accessed by an attacker with physical access to the mobile device or a malicious application with root access to the device. The application should not store sensitive information in clear text.
- In file com.google.android.datatransport.events
- In file data2.db
- In file androidx.work.workdb
- In file Web Data
- In file Cookies
EXPOSURE OF POTENTIALLY SENSITIVE DATA [M2] [CWE-200] [DAST]
The mobile application may expose potentially sensitive information during its runtime.
- 06-12 06:04:09.571 V/FA ( 3849): Deferring to Google Analytics for Firebase for event data collection. https://goo.gl/J1sWQy
HARDCODED DATA [M2] [CWE-200] [SAST]
The mobile application contains debugging or other technical information that may be extracted and used by an attacker to facilitate further attacks.
- In the file f/n/a/f.java, there are links to privacy policies of libraries that do not exist in the AppYet apps. Therefore, I understand that only those from libraries that are used should be kept.
Although I suppose they should not be a major risk, since confidential information is not handled in AppYet apps, it would be nice to be able to fix it. Thanks!
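As an added illustration for the "weak hashing algorithms" finding (not code from the original post or from AppYet), the following Java snippet shows the flagged pattern next to a drop-in replacement. The helper, class and method names are assumptions for this example; the input string is constructed. It mirrors the shape of the reported snippets: a digest chosen by algorithm name, the input hashed, and the result Base64-encoded URL-safe without padding, which is what the flag value 11 (URL_SAFE | NO_WRAP | NO_PADDING) in the android.util.Base64 call means, here done with java.util.Base64 so it runs outside Android.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public final class DigestExample {

    // Shared helper (assumed name): hash the input with the named algorithm and
    // encode it URL-safe without padding, like the flagged Base64 flag 11 usage.
    private static String digest(String algorithm, byte[] input) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            byte[] out = md.digest(input);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
        } catch (NoSuchAlgorithmException e) {
            // MD5, SHA-1 and SHA-256 are all mandatory in Java SE and Android,
            // so reaching this branch is a programming error, not a runtime condition.
            throw new IllegalStateException("Required digest algorithm missing: " + algorithm, e);
        }
    }

    // The pattern the scanner reports (kept only for comparison): MD5 is
    // collision-prone and should not be relied on where integrity matters.
    static String weakFingerprint(String s) {
        return digest("MD5", s.getBytes(StandardCharsets.UTF_8));
    }

    // Replacement: SHA-256 is available on every Android API level, so no
    // fallback to MD5 or SHA-1 is needed. Output grows from 16 to 32 bytes.
    static String fingerprint(String s) {
        return digest("SHA-256", s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String url = "https://example.invalid/feed.xml"; // constructed sample input
        System.out.println("MD5    : " + weakFingerprint(url));
        System.out.println("SHA-256: " + fingerprint(url));
    }
}
```

Where such digests are only used to derive cache file names (a common reason for MD5 in WebView and image-loading helpers), switching the algorithm changes the names and invalidates existing cache entries but nothing else; where the digest is compared against a stored value for integrity checks, the stored values have to be regenerated with the new algorithm as well.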