Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Scribd Logo
Upload

Welcome to Scribd!

  • 176 views

    Etsy Com Source

    Uploaded by

    joseph
    This document summarizes the results of a security scan of the Android app "com.etsy.android" version 5.1.0. Several critical vulnerabilities were found, including implicit intents without verification, unencrypted HTTP URLs, and WebView vulnerabilities. Additional issues identified include exported app components, accessing sensitive device IDs, and potential XSS attacks in WebViews. The author and contact information for the security scanning tool are also provided.

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd

    Etsy Com Source

    Uploaded by

    joseph
    176 views7 pages
    This document summarizes the results of a security scan of the Android app "com.etsy.android" version 5.1.0. Several critical vulnerabilities were found, including implicit intents without verification, unencrypted HTTP URLs, and WebView vulnerabilities. Additional issues identified include exported app components, accessing sensitive device IDs, and potential XSS attacks in WebViews. The author and contact information for the security scanning tool are also provided.

    Original Description:

    you say

    Original Title

    etsy com source

    Copyright

    © © All Rights Reserved

    Available Formats

    TXT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document summarizes the results of a security scan of the Android app "com.etsy.android" version 5.1.0. Several critical vulnerabilities were found, including implicit intents without verification, unencrypted HTTP URLs, and WebView vulnerabilities. Additional issues identified include exported app components, accessing sensitive device IDs, and potential XSS attacks in WebViews. The author and contact information for the security scanning tool are also provided.

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Download as txt, pdf, or txt
    176 views7 pages

    Etsy Com Source

    Uploaded by

    joseph
    This document summarizes the results of a security scan of the Android app "com.etsy.android" version 5.1.0. Several critical vulnerabilities were found, including implicit intents without verification, unencrypted HTTP URLs, and WebView vulnerabilities. Additional issues identified include exported app components, accessing sensitive device IDs, and potential XSS attacks in WebViews. The author and contact information for the security scanning tool are also provided.

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Download as txt, pdf, or txt
    You are on page 1of 7

    *************************************************************************

    ** AndroBugs Framework - Android App Security Vulnerability Scanner **


    ** version: 1.0.0 **
    ** author: Yu-Cheng Lin (@AndroBugs, http://www.AndroBugs.com) **
    ** contact: androbugs.framework@gmail.com **
    *************************************************************************
    Platform: Android
    Package Name: com.etsy.android
    Package Version Name: 5.1.0
    Package Version Code: 50100044
    Min Sdk: 16
    Target Sdk: 23
    MD5 : 20aeef4d2f80763e6b78b01f48e37645
    SHA1 : f46f7c0d46b427a71e28ef8edde2017153ae842d
    SHA256: 1cb6d47163e5189e9b388c8733c1e9cfd1146f8a98daffb742615a96bf81f49b
    SHA512:
    cf078d883c65c4e173be4de7990b7a7693329ccbdc7608e8c00a53de525abb070fcce7814bbe6c2fe10
    059a99aceff4bd6e2bcdcc745601dc1c822fa2168f755
    Analyze Signature:
    61a6a86b6a8492933e80ea24fa73e4e81030b744c67d52262c8b48519f56d80a8ed12962b5ff6c2d23a
    809c969e8bdbc55efebcf36b3229d3028fa8201c9cc27
    -----------------------------------------------------------------------------------
    -------------
    [Critical] <Implicit_Intent> Implicit Service Checking:
    To ensure your app is secure, always use an explicit intent when
    starting a Service and DO NOT declare intent filters for your
    services. Using an implicit intent to start a service is a security
    hazard because you cannot be certain what service will
    respond to the intent, and the user cannot see which service starts.
    Reference: http://developer.android.com/guide/components/intents-
    filters.html#Types
    => com.google.firebase.iid.FirebaseInstanceIdService
    [Critical] AndroidManifest "intent-filter" Settings Checking:
    Misconfiguration in "intent-filter" of these components
    (AndroidManifest.xml).
    Config "intent-filter" should have at least one "action".
    Reference: http://developer.android.com/guide/topics/manifest/intent-
    filter-element.html
    service => com.exacttarget.etpushsdk.ETGcmListenerService
    [Critical] <SSL_Security> SSL Connection Checking:
    URLs that are NOT under SSL (Total:1):
    http://api.
    => Lcom/etsy/android/lib/config/b;-
    >a(Lcom/etsy/android/lib/config/EtsyConfigKey$Environment;
    Lcom/etsy/android/lib/config/c$a;)V
    [Critical] <SSL_Security> SSL Implementation Checking (WebViewClient for WebView):
    DO NOT use "handler.proceed();" inside those methods in extended
    "WebViewClient", which allows the connection even if the SSL
    Certificate is invalid (MITM Vulnerability).
    References:
    (1)A View To A Kill: WebView Exploitation:
    https://www.iseclab.org/papers/webview_leet13.pdf
    (2)OWASP Mobile Top 10 doc:
    https://www.owasp.org/index.php/Mobile_Top_10_2014-M3
    (3)https://jira.appcelerator.org/browse/TIMOB-4488
    Vulnerable codes:
    Lcom/etsy/android/uikit/webview/EtsyWebViewClient;-
    >onReceivedSslError(Landroid/webkit/WebView;
    Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V
    [Critical] <WebView><Remote Code Execution><#CVE-2013-4710#> WebView RCE
    Vulnerability Checking:
    Found a critical WebView "addJavascriptInterface" vulnerability. This
    method can be used to allow JavaScript to control the host
    application.
    This is a powerful feature, but also presents a security risk for
    applications targeted to API level JELLY_BEAN(4.2) or below,
    because JavaScript could use reflection to access an injected object's
    public fields. Use of this method in a WebView containing
    untrusted content could allow an attacker to manipulate the host
    application in unintended ways, executing Java code with the
    permissions of the host application.
    Reference:

    1."http://developer.android.com/reference/android/webkit/WebView.html#addJavascript
    Interface(java.lang.Object,
    java.lang.String) "
    2.https://labs.mwrinfosecurity.com/blog/2013/09/24/webview-
    addjavascriptinterface-remote-code-execution/
    3.http://50.56.33.56/blog/?p=314
    4.http://blog.trustlook.com/2013/09/04/alert-android-webview-
    addjavascriptinterface-code-execution-vulnerability/
    Please modify the below code:
    => Lcom/crittercism/internal/am;->a(Landroid/webkit/WebView;)V
    (0xd8) --->
    Landroid/webkit/WebView;-
    >addJavascriptInterface(Ljava/lang/Object; Ljava/lang/String;)V
    => Lcom/etsy/android/ui/cart/googlewallet/c$a;-
    >a(Landroid/webkit/WebView; Landroid/view/View;)V (0xc) --->
    Landroid/webkit/WebView;-
    >addJavascriptInterface(Ljava/lang/Object; Ljava/lang/String;)V
    => Lcom/mparticle/MParticle;-
    >registerWebView(Landroid/webkit/WebView;)V (0x12) --->
    Landroid/webkit/WebView;-
    >addJavascriptInterface(Ljava/lang/Object; Ljava/lang/String;)V
    [Warning] External Storage Accessing:
    External storage access found (Remember DO NOT write important files to
    external storages):
    => Lcom/crittercism/internal/av$b;->c()Ljava/lang/String; (0x14)
    --->
    Landroid/os/Environment;-
    >getExternalStorageDirectory()Ljava/io/File;
    => Lcom/crittercism/internal/av$b;->d()Ljava/lang/String; (0x14)
    --->
    Landroid/os/Environment;-
    >getExternalStorageDirectory()Ljava/io/File;
    => Lcom/crittercism/internal/av$c;->c()Ljava/lang/String; (0x14)
    --->
    Landroid/os/Environment;-
    >getExternalStorageDirectory()Ljava/io/File;
    => Lcom/crittercism/internal/av$c;->d()Ljava/lang/String; (0x14)
    --->
    Landroid/os/Environment;-
    >getExternalStorageDirectory()Ljava/io/File;
    [Warning] AndroidManifest Exported Components Checking:
    Found "exported" components(except for Launcher) for receiving outside
    applications' actions (AndroidManifest.xml).
    These components can be initilized by other apps. You should add or
    modify the attribute to [exported="false"] if you don't want
    to.
    You can also protect it with a customized permission with "signature" or
    higher protectionLevel and specify in
    "android:permission" attribute.
    activity => com.etsy.android.ui.search.v2.SearchV2Activity
    service => com.google.firebase.iid.FirebaseInstanceIdService
    receiver => com.google.android.gms.analytics.AnalyticsReceiver
    receiver => com.exacttarget.etpushsdk.ETPushReceiver
    [Warning] <Sensitive_Information> Getting ANDROID_ID:
    This app has code getting the 64-bit number
    "Settings.Secure.ANDROID_ID".
    ANDROID_ID seems a good choice for a unique device identifier. There are
    downsides: First, it is not 100% reliable on releases of
    Android prior to 2.2 (Froyo).
    Also, there has been at least one widely-observed bug in a popular
    handset from a major manufacturer, where every instance has
    the same ANDROID_ID.
    If you want to get an unique id for the device, we suggest you use
    "Installation" framework in the following article.
    Please check the reference: http://android-
    developers.blogspot.tw/2011/03/identifying-app-installations.html
    => Lcom/bitly/a;->a(Landroid/content/Context; Ljava/lang/String;
    Ljava/util/List; Ljava/util/List; Lcom/bitly/a$a;)V (0x1e)
    ---> Landroid/provider/Settings$Secure;-
    >getString(Landroid/content/ContentResolver;
    Ljava/lang/String;)Ljava/lang/String;
    => Lcom/etsy/android/lib/config/g;-><init>(Landroid/content/Context;
    Ljava/lang/String; I
    Lcom/etsy/android/lib/config/EtsyBuild; Z Ljava/lang/String;)V
    (0x110) --->
    Landroid/provider/Settings$Secure;-
    >getString(Landroid/content/ContentResolver; Ljava/lang/String;)Ljava/lang/String;
    [Warning] <WebView> WebView Local File Access Attacks Checking:
    Found "setAllowFileAccess(true)" or not set(enabled by default) in
    WebView. The attackers could inject malicious script into
    WebView and exploit the opportunity to access local resources. This can
    be mitigated or prevented by disabling local file system
    access. (It is enabled by default)
    Note that this enables or disables file system access only. Assets and
    resources are still accessible using file:///android_asset
    and file:///android_res.
    The attackers can use "mWebView.loadUrl("file:///data/data/
    [Your_Package_Name]/[File]");" to access app's local file.
    Reference:
    (1)https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-
    webviews/

    (2)http://developer.android.com/reference/android/webkit/WebSettings.html#setAllowF
    ileAccess(boolean)
    Please add or modify
    "yourWebView.getSettings().setAllowFileAccess(false)" to your WebView:
    Lcom/crittercism/internal/am;->a(Landroid/webkit/WebView;)V
    Lcom/crittercism/internal/cr;-
    >onPageFinished(Landroid/webkit/WebView; Ljava/lang/String;)V
    [Warning] <WebView> WebView Potential XSS Attacks Checking:
    Found "setJavaScriptEnabled(true)" in WebView, which could exposed to
    potential XSS attacks. Please check the web page code
    carefully and sanitize the output:
    => Lcom/etsy/android/uikit/webview/a;->a(Landroid/webkit/WebView;
    Landroid/webkit/WebViewClient;
    Landroid/webkit/WebChromeClient;)V (0x3a) --->
    Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V
    [Notice] <Database><#CVE-2011-3901#> Android SQLite Databases Vulnerability
    Checking:
    This app is using Android SQLite databases but it's "NOT" suffering from
    SQLite Journal Information Disclosure Vulnerability.
    [Notice] File Unsafe Delete Checking:
    Everything you delete may be recovered by any user or attacker,
    especially rooted devices.
    Please make sure do not use "file.delete()" to delete essential files.
    Check this video: https://www.youtube.com/watch?v=tGw1fxUD-uY
    => Landroid/arch/persistence/db/b$a;-
    >deleteDatabaseFile(Ljava/lang/String;)V (0x7a) ---> Ljava/io/File;->delete()Z
    => Lcom/bumptech/glide/a/a;->a(Ljava/io/File; I I
    J)Lcom/bumptech/glide/a/a; (0x64) ---> Ljava/io/File;->delete()Z
    => Lcom/bumptech/glide/a/a;->a(Ljava/io/File;)V (0xc) --->
    Ljava/io/File;->delete()Z
    => Lcom/bumptech/glide/a/a;->d()V (0x198) ---> Ljava/io/File;-
    >delete()Z
    => Lcom/bumptech/glide/a/a;->c(Ljava/lang/String;)Z (0x48) --->
    Ljava/io/File;->delete()Z
    => Lcom/bumptech/glide/a/c;->a(Ljava/io/File;)V (0x58) --->
    Ljava/io/File;->delete()Z
    => Lcom/crittercism/app/CrittercismNDK;-
    >loadLibraryFromAssets(Landroid/content/Context;)Z (0x3e) --->
    Ljava/io/File;->delete()Z
    => Lcom/crittercism/app/CrittercismNDK;-
    >loadLibraryFromAssets(Landroid/content/Context;)Z (0xb4) --->
    Ljava/io/File;->delete()Z
    => Lcom/crittercism/app/CrittercismNDK;-
    >loadLibraryFromAssets(Landroid/content/Context;)Z (0x104) --->
    Ljava/io/File;->delete()Z
    => Lcom/crittercism/internal/cn;->a(Ljava/io/File;)V (0x54) --->
    Ljava/io/File;->delete()Z
    => Lcom/etsy/android/lib/config/a;->b(Landroid/content/Context;
    Ljava/lang/String;)V (0x2e) ---> Ljava/io/File;->delete()Z
    => Lcom/etsy/android/lib/core/img/d$1;-
    >a([Ljava/lang/Void;)Ljava/lang/Void; (0x1c) ---> Ljava/io/File;->delete()Z
    => Lcom/etsy/android/lib/core/img/d$1;-
    >a([Ljava/lang/Void;)Ljava/lang/Void; (0x2c) ---> Ljava/io/File;->delete()Z
    => Lcom/etsy/android/lib/util/d;->a(Ljava/util/List;)V (0x24) --->
    Ljava/io/File;->delete()Z
    => Lcom/etsy/android/uikit/view/ImageAttachmentLayout;-
    >onAbort(Lcom/etsy/android/uikit/view/ImageAttachmentLayout$b;
    Ljava/io/File;)V (0x24) ---> Ljava/io/File;->delete()Z
    => Lcom/android/volley/toolbox/DiskBasedCache;->pruneIfNeeded(I)V
    (0x90) ---> Ljava/io/File;->delete()Z
    => Lcom/android/volley/toolbox/DiskBasedCache;->clear()V (0x20) --->
    Ljava/io/File;->delete()Z
    => Lcom/android/volley/toolbox/DiskBasedCache;->initialize()V (0xb8)
    ---> Ljava/io/File;->delete()Z
    => Lcom/android/volley/toolbox/DiskBasedCache;-
    >put(Ljava/lang/String; Lcom/android/volley/Cache$Entry;)V (0x80) --->
    Ljava/io/File;->delete()Z
    => Lcom/android/volley/toolbox/DiskBasedCache;-
    >remove(Ljava/lang/String;)V (0xa) ---> Ljava/io/File;->delete()Z
    => Lcom/crittercism/internal/az;->b(Lcom/crittercism/internal/bi;)Z
    (0x4a) ---> Ljava/io/File;->delete()Z
    => Lcom/crittercism/internal/az;->b(Lcom/crittercism/internal/bi;)Z
    (0x82) ---> Ljava/io/File;->delete()Z
    => Lcom/crittercism/internal/az;->b(Lcom/crittercism/internal/bi;)Z
    (0xbc) ---> Ljava/io/File;->delete()Z
    => Lcom/crittercism/internal/az;->b(Lcom/crittercism/internal/bi;)Z
    (0xdc) ---> Ljava/io/File;->delete()Z
    => Lcom/crittercism/internal/az;->a(Ljava/lang/String;)V (0x22) --->
    Ljava/io/File;->delete()Z
    => Lcom/crittercism/internal/az;->a(Lcom/crittercism/internal/bi;)Z
    (0x3a) ---> Ljava/io/File;->delete()Z
    => Lcom/etsy/android/lib/util/CameraHelper$e;-
    >a([Ljava/lang/Void;)Lcom/etsy/android/lib/util/CameraHelper$c; (0x60) --->
    Ljava/io/File;->delete()Z
    => Lcom/etsy/android/lib/util/CameraHelper;-
    >getBitmapFromMediaUri(Landroid/content/Context; Landroid/net/Uri; I)V (0xc) --->
    Ljava/io/File;->delete()Z
    => Lcom/etsy/android/lib/util/CameraHelper;->onActivityResult(I I
    Landroid/content/Intent; I)V (0x15e) --->
    Ljava/io/File;->delete()Z
    => Lcom/etsy/android/lib/util/CameraHelper;->onActivityResult(I I
    Landroid/content/Intent; I)V (0x1aa) --->
    Ljava/io/File;->delete()Z
    => Lcom/etsy/android/lib/util/e$c;->a(Ljava/io/File;
    Ljava/lang/String;)V (0x34) ---> Ljava/io/File;->delete()Z
    => Lcom/etsy/android/lib/util/e$c;->a([B)Z (0x94) --->
    Ljava/io/File;->delete()Z
    => Lcom/etsy/android/lib/util/e$c;->a(Ljava/lang/Boolean;)V (0x112)
    ---> Ljava/io/File;->delete()Z
    => Lcom/etsy/android/lib/util/e$c;->a(Ljava/lang/Boolean;)V (0x11e)
    ---> Ljava/io/File;->delete()Z
    [Notice] <Hacker> Code Setting Preventing Screenshot Capturing:
    This app has code setting the preventing screenshot capturing.
    Example: getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
    WindowManager.LayoutParams.FLAG_SECURE);
    It is used by the developers to protect the app:
    => Lcom/etsy/android/ui/EtsyWebFragment;->loadWebView()V (0xb0) --->
    Landroid/view/Window;->setFlags(I I)V
    [Notice] <Signature><Hacker> Getting Signature Code Checking:
    This app has code checking the package signature in the code. It might
    be used to check for whether the app is hacked by the
    attackers.
    => Lcom/etsy/android/lib/core/q;->a(Landroid/content/Context;
    Ljava/lang/String;)Z (0x14) --->
    Landroid/content/pm/PackageManager;-
    >getPackageInfo(Ljava/lang/String; I)Landroid/content/pm/PackageInfo;
    [Notice] Native Library Loading Checking:
    Native library loading codes(System.loadLibrary(...)) found:
    [lib64libcrittercism-v3.so]
    => Lcom/crittercism/app/CrittercismNDK;-
    >installNdkLib(Landroid/content/Context;)V (0x1c) --->
    Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
    [Notice] AndroidManifest Exported Components Checking 2:
    Found "exported" components(except for Launcher) for receiving Google's
    "Android" actions (AndroidManifest.xml):
    activity => com.etsy.android.ui.user.auth.SignInActivity
    activity => com.etsy.android.deeplinking.bitly.BitlyActivity
    activity => com.etsy.android.ui.nav.NotificationActivity
    activity => com.facebook.CustomTabActivity
    receiver => com.etsy.android.util.InstallReferrerReceiver
    receiver => com.etsy.android.lib.core.InstallStateReceiver
    receiver =>
    androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryChargingProxy
    receiver =>
    androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryNotLowProxy
    receiver =>
    androidx.work.impl.background.systemalarm.ConstraintProxy$StorageNotLowProxy
    receiver =>
    androidx.work.impl.background.systemalarm.ConstraintProxy$NetworkStateProxy
    receiver =>
    androidx.work.impl.background.systemalarm.RescheduleReceiver
    receiver => org.altbeacon.beacon.startup.StartupBroadcastReceiver
    [Info] AndroidManifest Adb Backup Checking:
    This app has disabled Adb Backup.
    [Info] <Command> Runtime Command Checking:
    This app is not using critical function
    'Runtime.getRuntime().exec("...")'.
    [Info] <Command> Executing "root" or System Privilege Checking:
    Did not find codes checking "root" permission(su) or getting system
    permission (It's still possible we did not find out).
    [Info] <Database> SQLiteDatabase Transaction Deprecated Checking:
    Ignore checking "SQLiteDatabase:beginTransactionNonExclusive" because
    your set minSdk >= 11.
    [Info] <Database> Android SQLite Databases Encryption (SQLite Encryption Extension
    (SEE)):
    This app is "NOT" using SQLite Encryption Extension (SEE) on Android
    (http://www.sqlite.org/android) to encrypt or decrpyt
    databases.
    [Info] <Database> Android SQLite Databases Encryption (SQLCipher):
    This app is "NOT" using SQLCipher(http://sqlcipher.net/) to encrypt or
    decrpyt databases.
    [Info] <Debug> Android Debug Mode Checking:
    DEBUG mode is OFF(android:debuggable="false") in AndroidManifest.xml.
    [Info] Dynamic Code Loading:
    No dynamic code loading(DexClassLoader) found.
    [Info] <#BID 64208, CVE-2013-6271#> Fragment Vulnerability Checking:
    Did not detect the vulnerability of "Fragment" dynamically loading into
    "PreferenceActivity" or "SherlockPreferenceActivity"
    [Info] <Framework> Framework - MonoDroid:
    This app is NOT using MonoDroid Framework (http://xamarin.com/android).
    [Info] <Hacker> Base64 String Encryption:
    No encoded Base64 String or Urls found.
    [Info] <Database><Hacker> Key for Android SQLite Databases Encryption:
    Did not find using the symmetric key(PRAGMA key) to encrypt the SQLite
    databases (It's still possible that it might use but we
    did not find out).
    [Info] <Debug><Hacker> Codes for Checking Android Debug Mode:
    Did not detect codes for checking "ApplicationInfo.FLAG_DEBUGGABLE" in
    AndroidManifest.xml.
    [Info] <Hacker> APK Installing Source Checking:
    Did not detect this app checks for APK installer sources.
    [Info] <KeyStore><Hacker> KeyStore File Location:
    Did not find any possible BKS keystores or certificate keystore file
    (Notice: It does not mean this app does not use keysotre):
    [Info] <KeyStore><Hacker> KeyStore Protection Checking:
    Ignore checking KeyStore protected by password or not because you're not
    using KeyStore.
    [Info] HttpURLConnection Android Bug Checking:
    Ignore checking "http.keepAlive" because you're not using
    "HttpURLConnection" and min_Sdk > 8.
    [Info] <KeyStore> KeyStore Type Checking:
    KeyStore 'BKS' type check OK
    [Info] Google Cloud Messaging Suggestion:
    Nothing to suggest.
    [Info] <#CVE-2013-4787#> Master Key Type I Vulnerability:
    No Master Key Type I Vulnerability in this APK.
    [Info] App Sandbox Permission Checking:
    No security issues "MODE_WORLD_READABLE" or "MODE_WORLD_WRITEABLE" found
    on 'openOrCreateDatabase' or 'openOrCreateDatabase2' or
    'getDir' or 'getSharedPreferences' or 'openFileOutput'
    [Info] AndroidManifest Dangerous ProtectionLevel of Permission Checking:
    No "dangerous" protection level customized permission found
    (AndroidManifest.xml).
    [Info] AndroidManifest PermissionGroup Checking:
    PermissionGroup in permission tag of AndroidManifest sets correctly.
    [Info] AndroidManifest Normal ProtectionLevel of Permission Checking:
    No default or "normal" protection level customized permission found
    (AndroidManifest.xml).
    [Info] <#CVE-2013-6272#> AndroidManifest Exported Lost Prefix Checking:
    No exported components that forgot to add "android:" prefix.
    [Info] AndroidManifest ContentProvider Exported Checking:
    No exported "ContentProvider" found (AndroidManifest.xml).
    [Info] <Sensitive_Information> Getting IMEI and Device ID:
    Did not detect this app is getting the "device id(IMEI)" by
    "TelephonyManager.getDeviceId()" approach.
    [Info] Codes for Sending SMS:
    Did not detect this app has code for sending SMS messages
    (sendDataMessage, sendMultipartTextMessage or sendTextMessage).
    [Info] <System> AndroidManifest sharedUserId Checking:
    This app does not use "android.uid.system" sharedUserId.
    [Info] <SSL_Security> SSL Implementation Checking (Verifying Host Name in Custom
    Classes):
    Self-defined HOSTNAME VERIFIER checking OK.
    [Info] <SSL_Security> SSL Implementation Checking (Verifying Host Name in Fields):
    Critical vulnerability "ALLOW_ALL_HOSTNAME_VERIFIER" field setting or
    "AllowAllHostnameVerifier" class instance not found.
    [Info] <SSL_Security> SSL Implementation Checking (Insecure component):
    Did not detect SSLSocketFactory by insecure method "getInsecure".
    [Info] <SSL_Security> SSL Implementation Checking (HttpHost):
    DEFAULT_SCHEME_NAME for HttpHost check: OK
    [Info] <SSL_Security> SSL Certificate Verification Checking:
    Did not find vulnerable X509Certificate code.
    [Info] Unnecessary Permission Checking:
    Permission 'android.permission.ACCESS_MOCK_LOCATION' sets correctly.
    [Info] Accessing the Internet Checking:
    This app is using the Internet via HTTP protocol.
    [Info] AndroidManifest System Use Permission Checking:
    No system-level critical use-permission found.
    ------------------------------------------------------------
    AndroBugs analyzing time: 18.517852 secs
    Total elapsed time: 78.573087 secs

    You might also like