Issue Security issues in AppYet apps

Marc

Active Member
Hi @appyet!

I have requested a security analysis of my applications created with AppYet and found some important issues that put the security of the apps at risk.

WEAK HASHING ALGORITHMS [M5] [CWE-916] [SAST]
The mobile application uses weak hashing algorithms. Weak hashing algorithms (e.g. MD2, MD4, MD5 or SHA-1) can be vulnerable to collisions and other security weaknesses, and should not be used when reliable hashing of data is required.
  • There is 'getInstance("SHA-1")' found in file 'f/g/b/l/b.java':
Code:
line 12:         try {
line 13:             MessageDigest instance = MessageDigest.getInstance("SHA-1");
line 14:             instance.update(bArr, 0, bArr.length);

  • There is 'getInstance("SHA-1")' found in file 'f/j/d/j/d1.java':
Code:
line 54:         try {
line 55:             return Base64.encodeToString(MessageDigest.getInstance("SHA-1").digest(this.a.h().getBytes()), 11);
line 56:         } catch (NoSuchAlgorithmException unused) {

  • There is 'getInstance("MD5")' found in file 'f/b/g/g.java':
Code:
line 13:         try {
line 14:             MessageDigest instance = MessageDigest.getInstance("MD5");
line 15:             instance.update(bArr, 0, bArr.length);
line 23:         try {
line 24:             MessageDigest instance = MessageDigest.getInstance("MD5");
line 25:             instance.update(str.getBytes(StandardCharsets.ISO_8859_1), 0, str.length());

  • There is 'getInstance("MD5")' found in file 'f/b/j/c.java':
Code:
line 36:         try {
line 37:             MessageDigest instance = MessageDigest.getInstance("MD5");
line 38:             instance.update(str.getBytes(C.UTF8_NAME));

  • There is 'getInstance("MD5")' found in file 'com/just/agentweb/AgentWebUtils.java':
Code:
line 706:         try {
line 707:             MessageDigest instance = MessageDigest.getInstance("MD5");
line 708:             instance.update(str.getBytes());


CLEARTEXT SQLITE DATABASE [M2] [CWE-312] [DAST]
The mobile application uses an unencrypted SQLite database. This database can be accessed by an attacker with physical access to the mobile device or a malicious application with root access to the device. The application should not store sensitive information in clear text.
  • In file com.google.android.datatransport.events
  • In file data2.db
  • In file androidx.work.workdb
  • In file Web Data
  • In file Cookies

EXPOSURE OF POTENTIALLY SENSITIVE DATA [M2] [CWE-200] [DAST]
The mobile application may expose potentially sensitive information during its runtime.
  • 06-12 06:04:09.571 V/FA ( 3849): Deferring to Google Analytics for Firebase for event data collection. https://goo.gl/J1sWQy


HARDCODED DATA [M2] [CWE-200] [SAST]
The mobile application contains debugging or other technical information that may be extracted and used by an attacker to facilitate further attacks.
  • In the file f/n/a/f.java, there are links to privacy policies of libraries that do not exist in the AppYet apps. Therefore, I understand that only those from libraries that are used should be kept.

Although I suppose they should not be a major risk, since confidential information is not handled in AppYet apps, it would be nice to be able to fix it. Thanks!
 