Hbo Max
Hbo Max
Hbo Max
Grade:
3 17 2 2 2
FILE INFORMATION
File Name: com.hbo.hbonow_53.50.0.7.apk
Size: 52.69MB
MD5: 0b9790076e28b213e7a6a7c1237b898f
SHA1: c2d973e7135f761cb8f8dd7cba1110ae1fa0309b
SHA256: b521dcea330c65f46f37817ad6f65e3b636270db75e163d98da96699d7e5c304
APP INFORMATION
App Name: HBO MAX
Package Name: com.hbo.hbonow
Main Activity: com.hbo.hbonow.LaunchActivity
Target SDK: 33
Min SDK: 21
Max SDK:
Android Version Name: 53.50.0.7
Android Version Code: 35350007
APP COMPONENTS
Activities: 13
Services: 12
Receivers: 8
Providers: 5
Exported Activities: 1
Exported Services: 2
Exported Receivers: 3
Exported Providers: 1
CERTIFICATE INFORMATION
Binary is signed
v1 signature: True
v2 signature: True
v3 signature: True
v4 signature: False
X.509 Subject: C=1, ST=NY, L=New York, O=MLB Advanced Media, CN=MLB Advanced Media - HBO NOW
Signature Algorithm: rsassa_pkcs1v15
Valid From: 2015-03-06 20:01:02+00:00
Valid To: 2114-02-10 20:01:02+00:00
Issuer: C=1, ST=NY, L=New York, O=MLB Advanced Media, CN=MLB Advanced Media - HBO NOW
Serial Number: 0x608decbf
Hash Algorithm: sha256
md5: faa3b912b4a0b3a9d951d3958bbd7dfa
sha1: dbb137f426e973bf003f6e614464ded7d86a8f24
sha256: 619cbb027b715560b843d15a5599f900485af1cd4294097811a77609bc8273a8
sha512: 131e51dcb9f98a74c441d3f55c55d024832cacf9cd8be243db66e85792dd551a3067ef1ee3d8d910d800b921dd299f4aa3a602ebc0eb74f1149f4e339f544468
PublicKey Algorithm: rsa
Bit Size: 2048
Fingerprint: b74c0250180f1750fe390d65e84a1f697bc4f7479736e5b85d483a89f753f6e0
Found 1 unique certificates
APPLICATION PERMISSIONS
PERMISSION STATUS INFO DESCRIPTION
Unknown
com.hbo.hbonow.ACCOUNT_READ unknown permission Unknown permission from android reference
android.permission.ACCESS_NETWORK_STATE normal view network Allows an application to view the status of all
status networks.
android.permission.ACCESS_WIFI_STATE normal view Wi-Fi status Allows an application to view the information
about the status of Wi-Fi.
Unknown
com.android.vending.CHECK_LICENSE unknown permission Unknown permission from android reference
PERMISSION STATUS INFO DESCRIPTION
read/modify/delete
android.permission.WRITE_EXTERNAL_STORAGE dangerous external storage Allows an application to write to external
contents storage.
Unknown
com.android.vending.BILLING unknown permission Unknown permission from android reference
FINDINGS DETAILS
Build.FINGERPRINT check
Build.MODEL check
Build.MANUFACTURER check
Build.PRODUCT check
Build.HARDWARE check
classes.dex Anti-VM Code Build.BOARD check
possible Build.SERIAL check
Build.TAGS check
SIM operator check
network operator name check
possible VM check
BROWSABLE ACTIVITIES
ACTIVITY INTENT
Schemes: https://, http://, hbomax://,
Hosts: play.hbomax.com, ablink.mail.hbomax.com, ablink.marketing.hbomax.com, ablink.message.hbomax.com,
com.hbo.hbonow.MainActivity ablink.alerts.hbomax.com, ablink.info.hbomax.com, ablink.service.hbomax.com, hbomax.onelink.me, redirect,
Path Prefixes: /uni,
NETWORK SECURITY
HIGH: 1 | WARNING: 0 | INFO: 0 | SECURE: 0
NO SCOPE SEVERITY DESCRIPTION
1 * high Base config is insecurely configured to permit clear text traffic to all domains.
CERTIFICATE ANALYSIS
HIGH: 0 | WARNING: 1 | INFO: 1
TITLE SEVERITY DESCRIPTION
Signed Application info Application is signed with a code signing certificate
Application vulnerable Application is signed with v1 signature scheme, making it vulnerable to Janus vulnerability on Android 5.0-8.0, if signed only
warning
to Janus Vulnerability with v1 signature scheme. Applications running on Android 5.0-7.0 signed with v1, and v2/v3 scheme is also vulnerable.
MANIFEST ANALYSIS
HIGH: 2 | WARNING: 6 | INFO: 0 | SUPPRESSED: 0
Activity (com.hbo.hbonow.MainActivity) is not Protected. An Activity is found to be shared with other apps
3 high on the device therefore leaving it accessible to
[android:exported=true] any other application on the device.
CODE ANALYSIS
HIGH: 0 | WARNING: 8 | INFO: 2 | SECURE: 2 | SUPPRESSED: 0
com/amazon/a/a/o/b/a.java
This App uses SSL certificate pinning to yh/c.java
5 detect or prevent MITM attacks in secure yh/d.java
secure communication channel. OWASP MASVS: MSTG-NETWORK-4 yh/g.java
yh/h.java
NO ISSUE SEVERITY STANDARDS FILES
CWE: CWE-327: Use of a Broken or Risky Cryptographic com/amazon/a/a/o/b/a.java
SHA-1 is a weak hash known to have Algorithm d6/c.java
6 warning
hash collisions. OWASP Top 10: M5: Insufficient Cryptography le/f.java
OWASP MASVS: MSTG-CRYPTO-4 ob/w.java
bo/app/d1.java
c9/d1.java
c9/h0.java
ce/a.java
ci/d.java
ci/h.java
com/amazon/a/a/b/b.java
com/amazon/a/a/i/b.java
com/amazon/a/a/l/c.java
The App uses an insecure Random CWE: CWE-330: Use of Insufficiently Random Values d9/e0.java
7 warning OWASP Top 10: M5: Insufficient Cryptography dh/a.java
Number Generator.
OWASP MASVS: MSTG-CRYPTO-6 dh/b.java
eh/a.java
gc/b.java
ha/l0.java
ka/a.java
mb/a.java
o2/f0.java
oc/s4.java
qc/s6.java
za/s.java
com/hbo/hbonow/recaptcha/ReCaptc
CWE: CWE-312: Cleartext Storage of Sensitive
Files may contain hardcoded sensitive ha.java
Information
8 information like usernames, warning com/reactnative/ivpusic/imagepicker/
passwords, keys etc. OWASP Top 10: M9: Reverse Engineering PickerModule.java
OWASP MASVS: MSTG-STORAGE-14
l3/p.java
NO ISSUE SEVERITY STANDARDS FILES
com/reactnative/ivpusic/imagepicker/
PickerModule.java
App creates temp file. Sensitive CWE: CWE-276: Incorrect Default Permissions d1/d.java
9 information should never be written warning OWASP Top 10: M2: Insecure Data Storage k4/a.java
into a temp file. OWASP MASVS: MSTG-STORAGE-2 r0/a.java
t1/a.java
zb/a.java
com/ReactNativeBlobUtil/ReactNativeB
lobUtil.java
com/learnium/RNDeviceInfo/RNDevice
Module.java
com/reactnative/ivpusic/imagepicker/
App can read/write to External CWE: CWE-276: Incorrect Default Permissions PickerModule.java
11 Storage. Any App can read data written warning OWASP Top 10: M2: Insecure Data Storage com/reactnative/ivpusic/imagepicker/a
to External Storage. OWASP MASVS: MSTG-STORAGE-2 .java
k4/a.java
oc/v1.java
t1/g.java
u4/a.java
x/b.java
DOMAIN COUNTRY/REGION
https://wide-graph-93016.firebaseio.com info
App talks to a Firebase Database.
EMAILS
EMAIL FILE
u0013android@android.com0 ob/r.java
u0013android@android.com
TRACKERS
TRACKER CATEGORIES URL
Braze (formerly Appboy) Analytics, Advertisement, Location https://reports.exodus-privacy.eu.org/trackers/17
HARDCODED SECRETS
POSSIBLE SECRETS
"com_braze_image_is_read_tag_key" : "com_appboy_image_is_read_tag_key"
"com_appboy_firebase_cloud_messaging_sender_id" : "963047972405"
"google_crash_reporting_api_key" : "AIzaSyAx8gXyjYGIyC5S22gy7qPpSXPb3uwRR0g"
"com_braze_image_lru_cache_image_url_key" : "com_braze_image_lru_cache_image_url_key"
"com_braze_image_resize_tag_key" : "com_appboy_image_resize_tag_key"
"firebase_database_url" : "https://wide-graph-93016.firebaseio.com"
"google_api_key" : "AIzaSyAx8gXyjYGIyC5S22gy7qPpSXPb3uwRR0g"
37a6259cc0c1dae299a7866489dff0bd
e2719d58-a985-b3c9-781a-b030af78d30e
16a09e667f3bcc908b2fb1366ea957d3e3adec17512775099da2f590b0667322a
258EAFA5-E914-47DA-95CA-C5AB0DC85B11
9a04f079-9840-4286-ab92-e65be0885f95
edef8ba9-79d6-4ace-a3c8-27dcd51d21ed