Page 14 - FIGI: Security audit of various DFS applications

√   T1.3 Android: installLocation is not defined in the manifest.
√   T1.4 We did not find inappropriate Android permissions in the manifest.

3.1.2   M2: Insecure Data Storage

x   T2.1 The application requires the "android.permission.WRITE_EXTERNAL_STORAGE" permission. Note that this does not imply that the app writes data on external storage and, if it did, that this data is sensitive.
√   T2.2 While the app is running, screenshots are disabled.

3.1.3   M3: Insecure Communication

√   T3.1 Only HTTPS connections are used.
√   T3.2 The app refused to establish an HTTPS connection to a proxy with an untrusted certificate.
√   T3.3 The app refused to establish an HTTPS connection to a proxy with a trusted certificate. This shows that certificate pinning is in use.
√   T3.4 The application defines a custom network security configuration in its manifest. This configuration disables clear text traffic:

        <network-security-config>
          <base-config cleartextTrafficPermitted="false">
            ...
          </base-config>
        </network-security-config>

3.1.4   M4: Insecure Authentication

√   T4.1 Every time the app is started, the app requires a PIN or a fingerprint to authenticate.
√   T4.2 The application implements an inactivity timeout. After a period of inactivity, the application logs out.
√   T4.3 If a fingerprint is added, the application disables authentication with fingerprints.
√   T4.4 Money send requests cannot be successfully replayed. The server responds with a "409 Conflict" error message and does not process the money send request.

3.1.5   M5: Insufficient Cryptography

x   T5.1 The application uses the weak MD5 and SHA-1 hashing algorithms as well as the weak ECB mode of encryption.

        MD5 in file com/appdynamics/eumagent/runtime/p000private/ae.java:
            MessageDigest instance = MessageDigest.getInstance("MD5");

        SHA-1 in file com/App1/android/Security/SecCore/b/a.java:
            MessageDigest instance = MessageDigest.getInstance("SHA-1");

        ECB in file com/App1/android/Security/SecCore/b/a.java:
            Cipher instance = Cipher.getInstance("AES/ECB/NoPadding");

√   T5.2 By intercepting the application's HTTPS requests with Burp Proxy, the server to which the client connects could be identified. The TLS configuration of the server was assessed using Qualys SSL Labs [9]. It had an overall rating of A+.
x   T5.3 Intercepting the application's HTTPS requests with Burp Proxy showed that the client requests are signed. However, the amount of money transferred and the first name, last name and phone number of the users participating in the transfer are in clear text.

3.1.6   M8: Code Tampering

√   T8.1 We were able to install and run the app on a rooted device.

3.1.7   M9: Reverse Engineering

√   T9.1 The app code has been obfuscated as shown in Figure 1.

3.2  App2

App2 is used for mobile money transfer, payment, and micro-financing services. App2 is not backed by a bank account. Money can be deposited and withdrawn from accounts through different agents like airtime resellers or retail outlets.

3.2.1   M1: Improper Platform Usage

√   T1.1 Android: allowBackup is set to false in the manifest.
√   T1.2 Android: debuggable is not defined in the manifest.
√   T1.3 Android: installLocation is not defined in the manifest.
√   T1.4 We did not find inappropriate Android permissions in the manifest.
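As an added example (not part of the audit report or of either app), a small Python check that reproduces the two static findings from App1: it scans decompiled Java sources for the MessageDigest/Cipher calls flagged in T5.1 (MD5, SHA-1, AES in ECB mode) and parses a network security configuration for the cleartextTrafficPermitted setting from T3.4. The sample sources and configs are constructed; only the file paths come from the report.

```python
import re
import xml.etree.ElementTree as ET

# Assumed audit criteria, mirroring findings T3.4 and T5.1 of the report.
WEAK_DIGESTS = {"MD5", "SHA-1", "SHA1"}
WEAK_CIPHER_MODES = {"ECB"}
DIGEST_RE = re.compile(r'MessageDigest\.getInstance\(\s*"([^"]+)"\s*\)')
CIPHER_RE = re.compile(r'Cipher\.getInstance\(\s*"([^"]+)"\s*\)')

def scan_java_source(path, source):
    """Return (path, line_no, finding) tuples for weak crypto primitives in one file."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in DIGEST_RE.finditer(line):
            if m.group(1).upper() in WEAK_DIGESTS:
                findings.append((path, line_no, "weak digest " + m.group(1)))
        for m in CIPHER_RE.finditer(line):
            parts = m.group(1).split("/")
            # Transformation is "alg/mode/padding"; a bare "AES" defaults to ECB, so flag it too.
            mode = parts[1].upper() if len(parts) > 1 else "ECB"
            if mode in WEAK_CIPHER_MODES:
                findings.append((path, line_no, "weak cipher mode " + m.group(1)))
    return findings

def cleartext_permitted(nsc_xml):
    """True unless <base-config> explicitly sets cleartextTrafficPermitted="false".
    A missing value is treated as permitted (conservative; the platform default
    depends on targetSdkVersion)."""
    base = ET.fromstring(nsc_xml).find("base-config")
    if base is None:
        return True
    return base.get("cleartextTrafficPermitted", "true").lower() != "false"

# Constructed samples; only the file paths are taken from the report.
SAMPLES = {
    "com/appdynamics/eumagent/runtime/p000private/ae.java":
        'MessageDigest instance = MessageDigest.getInstance("MD5");',
    "com/App1/android/Security/SecCore/b/a.java":
        'MessageDigest instance = MessageDigest.getInstance("SHA-1");\n'
        'Cipher instance = Cipher.getInstance("AES/ECB/NoPadding");\n'
        'Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");',
}
NSC_HARDENED = ('<network-security-config><base-config '
                'cleartextTrafficPermitted="false"/></network-security-config>')
NSC_WEAK = '<network-security-config><base-config/></network-security-config>'

def audit(samples):
    """Scan every file in the mapping and return the combined finding list."""
    return [f for path, src in samples.items() for f in scan_java_source(path, src)]
```

Run against a real decompiled tree by reading each .java file into the mapping; the AES/GCM call in the sample is deliberately left unflagged to show the check is mode-specific.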




