
File Name: EMTEK Hub_1.0.52_Apkpure.xapk

Package Name: id.co.scm.attendance

Scan Date: Jan. 4, 2024, 11:43 a.m.

App Security Score: 38/100 (HIGH RISK)

Grade: C
Trackers Detection: 2/432

 FINDINGS SEVERITY
HIGH: 3 | MEDIUM: 10 | INFO: 1 | SECURE: 0 | HOTSPOT: 1

 FILE INFORMATION
File Name: EMTEK Hub_1.0.52_Apkpure.xapk
Size: 7.4MB
MD5: 6036a1c443f413aa553f97006b6fbbaf
SHA1: de8f7f44dc829d68c558924f70fa7a23d082f166
SHA256: a195f6587fcf87c43ed8f43edcff2d4c59a635c29d4a78b42a62d8ea09832c0c

 APP INFORMATION
App Name: EMTEK Hub
Package Name: id.co.scm.attendance
Main Activity: id.co.scm.attendance.MainActivity
Target SDK: 33
Min SDK: 23
Max SDK:
Android Version Name: 1.0.52
Android Version Code: 52

 APP COMPONENTS
Activities: 4
Services: 8
Receivers: 5
Providers: 3
Exported Activities: 0
Exported Services: 2
Exported Receivers: 3
Exported Providers: 0

 CERTIFICATE INFORMATION
Binary is signed
v1 signature: True
v2 signature: True
v3 signature: True
v4 signature: False
X.509 Subject: C=US, ST=California, L=Mountain View, O=Google Inc., OU=Android, CN=Android
Signature Algorithm: rsassa_pkcs1v15
Valid From: 2020-07-06 05:48:32+00:00
Valid To: 2050-07-06 05:48:32+00:00
Issuer: C=US, ST=California, L=Mountain View, O=Google Inc., OU=Android, CN=Android
Serial Number: 0x50fa8f2afa62d87b54a960c661e81054e0d040bb
Hash Algorithm: sha256
md5: 692d87fd758047d35cee16c27d6b8da4
sha1: 593be945620c5d5131a16abf02e0cc9d639b3a8e
sha256: 460fdfa54383136b9d1156d15b4bbe19465d1d4cd1f7ceb350d51016198a068e
sha512: 8f149ba66c0270b1afc7f0fd3756291cf3f524361b4e5394312ddbdfb8d2e2736ba73712658b1297c40f0a937278b5c452b86e00e3d9af4f2063c12525d10a0e
PublicKey Algorithm: rsa
Bit Size: 4096
Fingerprint: 8aad2c531f38a0a553324545ec7a1ebb28d11db0c24464699fee253a3706369c
Found 1 unique certificates
 APPLICATION PERMISSIONS

PERMISSION | STATUS | INFO | DESCRIPTION
android.permission.INTERNET | normal | full Internet access | Allows an application to create network sockets.
android.permission.CAMERA | dangerous | take pictures and videos | Allows application to take pictures and videos with the camera. This allows the application to collect images that the camera is seeing at any time.
android.permission.ACCESS_FINE_LOCATION | dangerous | fine (GPS) location | Access fine location sources, such as the Global Positioning System on the phone, where available. Malicious applications can use this to determine where you are and may consume additional battery power.
android.permission.ACCESS_COARSE_LOCATION | dangerous | coarse (network-based) location | Access coarse location sources, such as the mobile network database, to determine an approximate phone location, where available. Malicious applications can use this to determine approximately where you are.
android.permission.VIBRATE | normal | control vibrator | Allows the application to control the vibrator.
android.permission.RECEIVE_BOOT_COMPLETED | normal | automatically start at boot | Allows an application to start itself as soon as the system has finished booting. This can make it take longer to start the phone and allow the application to slow down the overall phone by always running.
android.permission.READ_EXTERNAL_STORAGE | dangerous | read external storage contents | Allows an application to read from external storage.
android.permission.WRITE_EXTERNAL_STORAGE | dangerous | read/modify/delete external storage contents | Allows an application to write to external storage.
android.permission.READ_MEDIA_IMAGES | dangerous | - | Allows an application to read image files from external storage.
android.permission.READ_MEDIA_VIDEO | dangerous | - | Allows an application to read video files from external storage.
android.permission.ACCESS_MEDIA_LOCATION | dangerous | access any geographic locations | Allows an application to access any geographic locations persisted in the user's shared collection.
android.permission.POST_NOTIFICATIONS | dangerous | - | Allows an app to post notifications
android.permission.ACCESS_NETWORK_STATE | normal | view network status | Allows an application to view the status of all networks.
android.permission.WAKE_LOCK | normal | prevent phone from sleeping | Allows an application to prevent the phone from going to sleep.
com.google.android.c2dm.permission.RECEIVE | signature | C2DM permissions | Permission for cloud to device messaging.
android.permission.USE_FULL_SCREEN_INTENT | normal | - | Required for apps targeting Build.VERSION_CODES.Q that want to use notification full screen intents.
android.permission.RECORD_AUDIO | dangerous | record audio | Allows application to access the audio record path.
com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE | unknown | Unknown permission | Unknown permission from android reference
com.sec.android.provider.badge.permission.READ | normal | Show notification count on app | Show notification count or badge on application launch icon for samsung phones.
com.sec.android.provider.badge.permission.WRITE | normal | Show notification count on app | Show notification count or badge on application launch icon for samsung phones.
com.htc.launcher.permission.READ_SETTINGS | normal | Show notification count on app | Show notification count or badge on application launch icon for htc phones.
com.htc.launcher.permission.UPDATE_SHORTCUT | normal | Show notification count on app | Show notification count or badge on application launch icon for htc phones.
com.sonyericsson.home.permission.BROADCAST_BADGE | normal | Show notification count on app | Show notification count or badge on application launch icon for sony phones.
com.sonymobile.home.permission.PROVIDER_INSERT_BADGE | normal | Show notification count on app | Show notification count or badge on application launch icon for sony phones.
com.anddoes.launcher.permission.UPDATE_COUNT | normal | Show notification count on app | Show notification count or badge on application launch icon for apex.
com.majeur.launcher.permission.UPDATE_BADGE | normal | Show notification count on app | Show notification count or badge on application launch icon for solid.
com.huawei.android.launcher.permission.CHANGE_BADGE | normal | Show notification count on app | Show notification count or badge on application launch icon for huawei phones.
com.huawei.android.launcher.permission.READ_SETTINGS | normal | Show notification count on app | Show notification count or badge on application launch icon for huawei phones.
com.huawei.android.launcher.permission.WRITE_SETTINGS | normal | Show notification count on app | Show notification count or badge on application launch icon for huawei phones.
android.permission.READ_APP_BADGE | normal | show app notification | Allows an application to show app icon badges.
com.oppo.launcher.permission.READ_SETTINGS | normal | Show notification count on app | Show notification count or badge on application launch icon for oppo phones.
com.oppo.launcher.permission.WRITE_SETTINGS | normal | Show notification count on app | Show notification count or badge on application launch icon for oppo phones.
me.everything.badger.permission.BADGE_COUNT_READ | unknown | Unknown permission | Unknown permission from android reference
me.everything.badger.permission.BADGE_COUNT_WRITE | unknown | Unknown permission | Unknown permission from android reference
id.co.scm.attendance.antibotpermission | unknown | Unknown permission | Unknown permission from android reference
android.permission.READ_PHONE_STATE | dangerous | read phone state and identity | Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and so on.

 APKID ANALYSIS

FILE | FINDINGS | DETAILS
classes.dex | Anti-VM Code | Build.FINGERPRINT check, Build.MODEL check, Build.MANUFACTURER check, Build.PRODUCT check, Build.HARDWARE check, Build.BOARD check, Build.TAGS check, possible VM check
classes.dex | Compiler | dexlib 2.x
classes2.dex | Anti-VM Code | possible Build.SERIAL check
classes2.dex | Compiler | dexlib 2.x
classes3.dex | Anti-VM Code | Build.MODEL check, Build.PRODUCT check, Build.HARDWARE check, network operator name check
classes3.dex | Compiler | dexlib 2.x
classes4.dex | Anti Debug Code | Debug.isDebuggerConnected() check
classes4.dex | Anti-VM Code | Build.MODEL check, Build.PRODUCT check, possible Build.SERIAL check, subscriber ID check, ro.kernel.qemu check
classes4.dex | Compiler | dexlib 2.x

 NETWORK SECURITY
NO SCOPE SEVERITY DESCRIPTION

 CERTIFICATE ANALYSIS
HIGH: 0 | WARNING: 1 | INFO: 1

TITLE | SEVERITY | DESCRIPTION
Signed Application | info | Application is signed with a code signing certificate
Application vulnerable to Janus Vulnerability | warning | Application is signed with v1 signature scheme, making it vulnerable to Janus vulnerability on Android 5.0-8.0, if signed only with v1 signature scheme. Applications running on Android 5.0-7.0 signed with v1, and v2/v3 scheme is also vulnerable.

 MANIFEST ANALYSIS
HIGH: 3 | WARNING: 3 | INFO: 0 | SUPPRESSED: 0

NO | ISSUE | SEVERITY | DESCRIPTION
1 | App can be installed on a vulnerable Android version [minSdk=23] | warning | This application can be installed on an older version of android that has multiple unfixed vulnerabilities. Support an Android version > 8, API 26 to receive reasonable security updates.
2 | Service (io.flutter.plugins.firebasemessaging.FlutterFirebaseMessagingService) is not Protected. [android:exported=true] | high | A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
3 | Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is Protected by a permission, but the protection level of the permission should be checked. Permission: com.google.android.c2dm.permission.SEND [android:exported=true] | warning | A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
4 | Broadcast Receiver (com.dexterous.flutterlocalnotifications.ScheduledNotificationReceiver) is not Protected. [android:exported=true] | high | A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
5 | Broadcast Receiver (com.dexterous.flutterlocalnotifications.ScheduledNotificationBootReceiver) is not Protected. [android:exported=true] | high | A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
6 | Service (com.google.android.gms.auth.api.signin.RevocationBoundService) is Protected by a permission, but the protection level of the permission should be checked. Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true] | warning | A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

 CODE ANALYSIS
HIGH: 0 | WARNING: 4 | INFO: 1 | SECURE: 0 | SUPPRESSED: 0

NO | ISSUE | SEVERITY | STANDARDS | FILES
1 | The App logs information. Sensitive information should never be logged. | info | CWE: CWE-532: Insertion of Sensitive Information into Log File; OWASP MASVS: MSTG-STORAGE-3 | com/it_nomads/fluttersecurestorage/ciphers/RSACipher18Implementation.java, com/tekartik/sqflite/Database.java, com/tekartik/sqflite/dev/Debug.java, fae44c8b5/p14349af9.java, io/flutter/Log.java, io/flutter/embedding/engine/loader/ResourceExtractor.java, io/flutter/plugins/webviewflutter/DisplayListenerProxy.java, io/flutter/view/AccessibilityViewEmbedder.java, mx_com/mixpanel/android/mpmetrics/ConfigurationChecker.java, mx_com/mixpanel/android/mpmetrics/InAppNotification.java, mx_com/mixpanel/android/mpmetrics/MPConfig.java, mx_com/mixpanel/android/mpmetrics/MPDbAdapter.java, mx_com/mixpanel/android/mpmetrics/ResourceReader.java, mx_com/mixpanel/android/mpmetrics/SystemInformation.java, mx_com/mixpanel/android/mpmetrics/Tweaks.java, mx_com/mixpanel/android/util/ActivityImageUtils.java, mx_com/mixpanel/android/viewcrawler/Caller.java, mx_com/mixpanel/android/viewcrawler/FlipGesture.java, mx_com/mixpanel/android/viewcrawler/Pathfinder.java, mx_com/mixpanel/android/viewcrawler/ViewVisitor.java
2 | App uses SQLite Database and execute raw SQL query. Untrusted user input in raw SQL queries can cause SQL Injection. Also sensitive information should be encrypted and written to the database. | warning | CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'); OWASP Top 10: M7: Client Code Quality | mx_com/mixpanel/android/mpmetrics/MPDbAdapter.java
3 | SHA-1 is a weak hash known to have hash collisions. | warning | CWE: CWE-327: Use of a Broken or Risky Cryptographic Algorithm; OWASP Top 10: M5: Insufficient Cryptography; OWASP MASVS: MSTG-CRYPTO-4 | com/f5/versafe/PRNGFixes.java
4 | Files may contain hardcoded sensitive information like usernames, passwords, keys etc. | warning | CWE: CWE-312: Cleartext Storage of Sensitive Information; OWASP Top 10: M9: Reverse Engineering; OWASP MASVS: MSTG-STORAGE-14 | com/tekartik/sqflite/Constant.java, io/flutter/embedding/android/FlutterActivityLaunchConfigs.java
5 | App creates temp file. Sensitive information should never be written into a temp file. | warning | CWE: CWE-276: Incorrect Default Permissions; OWASP Top 10: M2: Insecure Data Storage; OWASP MASVS: MSTG-STORAGE-2 | io/flutter/plugins/imagepicker/FileUtils.java

 NIAP ANALYSIS v1.3

NO IDENTIFIER REQUIREMENT FEATURE DESCRIPTION

 OFAC SANCTIONED COUNTRIES


This app may communicate with the following OFAC sanctioned list of countries.
DOMAIN COUNTRY/REGION

 DOMAIN MALWARE CHECK

DOMAIN | STATUS | GEOLOCATION
decide.mixpanel.com | ok | IP: 130.211.34.183; Country: United States of America; Region: Missouri; City: Kansas City; Latitude: 39.099731; Longitude: -94.578568
api.mixpanel.com | ok | IP: 130.211.34.183; Country: United States of America; Region: Missouri; City: Kansas City; Latitude: 39.099731; Longitude: -94.578568

 TRACKERS

TRACKER | CATEGORIES | URL
Google Firebase Analytics | Analytics | https://reports.exodus-privacy.eu.org/trackers/49
MixPanel | Advertisement, Analytics | https://reports.exodus-privacy.eu.org/trackers/118

 HARDCODED SECRETS

POSSIBLE SECRETS

"google_api_key" : "AIzaSyBxRDBA5g5QSYhDoB1lTbp0czIu1lMmrkY"

"google_crash_reporting_api_key" : "AIzaSyBxRDBA5g5QSYhDoB1lTbp0czIu1lMmrkY"

 PLAYSTORE INFORMATION
Title: EMTEK Hub

Score: 0
Installs: 1,000+
Price: 0
Android Version Support:
Category: Productivity
Play Store URL: id.co.scm.attendance

Developer Details: Surya Citra Media, Surya+Citra+Media, None, http://www.emtek.co.id/, developer@scm.co.id,

Release Date: None
Privacy Policy: Privacy link

Description:

You can log in anywhere & anytime to manage your working information attendance, medical, allowance, and other transactions related to you and your staff employment.

Report Generated by - MobSF v3.7.9 Beta


Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment
framework capable of performing static and dynamic analysis.
