Page 14 - FIGI: Security audit of various DFS applications
√ T1.3 Android: installLocation is not defined in the manifest.
√ T1.4 We did not find inappropriate Android permissions in the manifest.

3.1.2 M2: Insecure Data Storage

x T2.1 The application requires the "android.permission.WRITE_EXTERNAL_STORAGE" permission. Note that this does not imply that the app writes data to external storage, nor, if it does, that this data is sensitive.
√ T2.2 While the app is running, screenshots are disabled.

3.1.3 M3: Insecure Communication

√ T3.1 Only HTTPS connections are used.
√ T3.2 The app refused to establish an HTTPS connection to a proxy with an untrusted certificate.
√ T3.3 The app refused to establish an HTTPS connection to a proxy with a trusted certificate. This shows that certificate pinning is in use.
√ T3.4 The application defines a custom network security configuration in its manifest. This configuration disables clear text traffic:

    <network-security-config>
      <base-config cleartextTrafficPermitted="false">
        ...
      </base-config>
    </network-security-config>

3.1.4 M4: Insecure Authentication

√ T4.1 Every time the app is started, the app requires a PIN or a fingerprint to authenticate.
√ T4.2 The application implements an inactivity timeout. After a period of inactivity, the application logs out.
√ T4.3 If a new fingerprint is enrolled on the device, the application disables fingerprint authentication.
√ T4.4 Money send requests cannot be successfully replayed. The server responds with a "409 Conflict" error message and does not process the replayed money send request.

3.1.5 M5: Insufficient Cryptography

x T5.1 The application uses the weak MD5 and SHA-1 hashing algorithms as well as the weak ECB mode of encryption.

MD5 in file com/appdynamics/eumagent/runtime/p000private/ae.java:

    MessageDigest instance = MessageDigest.getInstance("MD5");

SHA-1 in file com/App1/android/Security/SecCore/b/a.java:

    MessageDigest instance = MessageDigest.getInstance("SHA-1");

ECB in file com/App1/android/Security/SecCore/b/a.java:

    Cipher instance = Cipher.getInstance("AES/ECB/NoPadding");

Note that the MD5 call is located in the bundled AppDynamics agent library (com/appdynamics/eumagent) rather than in App1's own code, whereas the SHA-1 and ECB uses are in App1's SecCore package.
√ T5.2 By intercepting the application's HTTPS requests with Burp Proxy, the server to which the client connects could be identified. The TLS configuration of the server was assessed using Qualys SSL Labs. It had an overall rating of A+.
x T5.3 By intercepting the application's HTTPS requests with Burp Proxy, we observed that the client requests are signed. However, the amount of money transferred and the first name, last name and phone number of the users participating in the transfer are sent in clear text inside the TLS channel, without any application-level encryption.

3.1.6 M8: Code Tampering

√ T8.1 We were able to install and run the app on a rooted device.

3.1.7 M9: Reverse Engineering

√ T9.1 The app code has been obfuscated, as shown in Figure 1.

3.2 App2

App2 is used for mobile money transfer, payment, and micro-financing services. App2 is not backed by a bank account. Money can be deposited to and withdrawn from accounts through different agents such as airtime resellers or retail outlets.

3.2.1 M1: Improper Platform Usage

√ T1.1 Android: allowBackup is set to false in the manifest.
√ T1.2 Android: debuggable is not defined in the manifest.
√ T1.3 Android: installLocation is not defined in the manifest.
√ T1.4 We did not find inappropriate Android permissions in the manifest.
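The manifest-level tests T1.1 to T1.4, T2.1 and T3.4 are repeated for every app in this audit, so they are worth scripting. The following is an added example, not tooling from the FIGI audit: it parses an AndroidManifest.xml (as produced by apktool or jadx) and a network_security_config.xml and returns a pass/fail verdict per test. The SUSPICIOUS_PERMISSIONS list is an assumption for this example (the report does not publish the list it used), and the sample manifest and config at the bottom are constructed to mirror the App1 findings rather than extracted from either app.

```python
"""Manifest and network-security-config checks for tests T1.1-T1.4, T2.1, T3.4.

Added example; not the audit's own tooling. Run it against the
AndroidManifest.xml and res/xml/network_security_config.xml of a
decoded APK, or against the constructed samples below.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions worth flagging in a payments app. Assumed list for this
# example; the report does not publish the one it used.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
}
WRITE_EXT = "android.permission.WRITE_EXTERNAL_STORAGE"


def _attr(elem, name):
    """Read an android:-namespaced attribute; None if absent."""
    if elem is None:
        return None
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(manifest_xml: str) -> dict:
    """Map test id -> (passed, detail) for the manifest-level tests."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    results = {}

    # T1.1: allowBackup defaults to true, which lets `adb backup` pull
    # app-private data; it must be set to "false" explicitly.
    allow_backup = _attr(app, "allowBackup")
    results["T1.1"] = (allow_backup == "false", "allowBackup=%r" % allow_backup)

    # T1.2: debuggable must be absent or "false" on a release build.
    debuggable = _attr(app, "debuggable")
    results["T1.2"] = (debuggable in (None, "false"), "debuggable=%r" % debuggable)

    # T1.3: the report tests for installLocation being undefined; "internalOnly"
    # is equivalent, while "auto"/"preferExternal" allow installs to removable media.
    install_loc = _attr(root, "installLocation")
    results["T1.3"] = (install_loc in (None, "internalOnly"),
                       "installLocation=%r" % install_loc)

    # T1.4 / T2.1: requested permissions, with the suspicious subset flagged.
    requested = {_attr(p, "name") for p in root.findall("uses-permission")}
    flagged = sorted(requested & SUSPICIOUS_PERMISSIONS)
    results["T1.4"] = (not flagged, "flagged=%s" % flagged)
    results["T2.1"] = (WRITE_EXT not in requested,
                       "WRITE_EXTERNAL_STORAGE requested=%s" % (WRITE_EXT in requested))

    # T3.4 (manifest half): a custom network security config must be referenced.
    nsc_ref = _attr(app, "networkSecurityConfig")
    results["T3.4"] = (nsc_ref is not None, "networkSecurityConfig=%r" % nsc_ref)
    return results


def audit_network_security_config(nsc_xml: str) -> dict:
    """T3.4 (config half): the base-config and every domain-config must set
    cleartextTrafficPermitted="false". Android 9+ defaults to false, but an
    explicit value also covers builds that target older API levels."""
    root = ET.fromstring(nsc_xml)
    per_config = {}
    for cfg in root.iter():
        if cfg.tag in ("base-config", "domain-config"):
            domains = [(d.text or "").strip() for d in cfg.findall("domain")] or ["*"]
            per_config[",".join(domains)] = cfg.get("cleartextTrafficPermitted")
    passed = "*" in per_config and all(v == "false" for v in per_config.values())
    return {"passed": passed, "cleartextTrafficPermitted": per_config}


# Constructed sample mirroring the App1 findings: allowBackup false, no
# debuggable/installLocation, WRITE_EXTERNAL_STORAGE requested, custom NSC.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dfs">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:allowBackup="false"
               android:networkSecurityConfig="@xml/network_security_config">
  </application>
</manifest>
"""

# Constructed sample matching the configuration quoted under T3.4.
SAMPLE_NSC = """
<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
</network-security-config>
"""

if __name__ == "__main__":
    for test, (ok, detail) in audit_manifest(SAMPLE_MANIFEST).items():
        print("%s %s %s" % ("PASS" if ok else "FAIL", test, detail))
    print(audit_network_security_config(SAMPLE_NSC))
```

On the constructed sample the script fails T1.4 and T2.1 (WRITE_EXTERNAL_STORAGE is requested) and passes the rest, which is the App1 result. As the report notes under T2.1, a requested permission is only a lead: whether sensitive data actually reaches external storage has to be confirmed dynamically.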
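Finding T5.1 for App1 (MD5, SHA-1 and AES/ECB located in decompiled sources) is the kind of result that comes out of a pattern scan over the decompiled tree. The following is an added example, not the scanner used in the FIGI audit: it walks a set of Java source files, reports MessageDigest and Cipher transformations that are weak, and tags hits in bundled third-party packages separately, since those are the vendor's code to fix. It also treats a bare "AES" or "DES" transformation as ECB, because that is the JCE provider default. The THIRD_PARTY_PREFIXES list is an assumption for this example, and the sample sources are constructed around the three lines quoted in the report (the surrounding method bodies are invented).

```python
"""Weak-crypto API scanner for decompiled Java sources (finding T5.1).

Added example; not the audit's own tooling. Feed it a dict of
relative path -> file content, e.g. built from a jadx output tree.
"""
import re

# JCE transformation strings are "ALG/MODE/PADDING"; a bare "AES" or "DES"
# means the provider default, which is ECB with PKCS5 padding.
WEAK_DIGESTS = {"MD5", "SHA-1", "SHA1", "MD2", "MD4"}
DEFAULT_ECB_ALGS = {"AES", "DES", "DESEDE", "BLOWFISH"}

DIGEST_RE = re.compile(r'MessageDigest\.getInstance\(\s*"([^"]+)"')
CIPHER_RE = re.compile(r'Cipher\.getInstance\(\s*"([^"]+)"')

# Package prefixes of bundled third-party SDKs; a hit there is the vendor's
# code, not the app's, which changes who can fix it. Assumed list.
THIRD_PARTY_PREFIXES = ("com/appdynamics/", "com/google/", "com/facebook/")


def classify_cipher(transformation: str):
    """Return a reason string if the transformation uses ECB, else None."""
    parts = transformation.upper().split("/")
    if len(parts) == 1:
        if parts[0] in DEFAULT_ECB_ALGS:
            return "bare %s defaults to ECB mode" % parts[0]
        return None
    if parts[1] == "ECB":
        return "explicit ECB mode"
    return None


def scan_source(path: str, source: str):
    """Yield (path, line_no, kind, detail, third_party, line) per weak call."""
    third_party = path.startswith(THIRD_PARTY_PREFIXES)
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in DIGEST_RE.finditer(line):
            alg = m.group(1).upper()
            if alg in WEAK_DIGESTS:
                yield (path, line_no, "weak-digest", alg, third_party, line.strip())
        for m in CIPHER_RE.finditer(line):
            reason = classify_cipher(m.group(1))
            if reason:
                yield (path, line_no, "ecb-mode", reason, third_party, line.strip())


def scan_tree(sources: dict) -> list:
    """sources maps relative file path -> file content; returns all findings."""
    findings = []
    for path in sorted(sources):
        findings.extend(scan_source(path, sources[path]))
    return findings


# Constructed sources: the file names and getInstance lines are the ones
# quoted in the report; the method bodies around them are invented.
SAMPLE_SOURCES = {
    "com/appdynamics/eumagent/runtime/p000private/ae.java":
        'public final class ae {\n'
        '    static String a(byte[] b) throws Exception {\n'
        '        MessageDigest instance = MessageDigest.getInstance("MD5");\n'
        '        return hex(instance.digest(b));\n'
        '    }\n'
        '}\n',
    "com/App1/android/Security/SecCore/b/a.java":
        'public final class a {\n'
        '    byte[] h(byte[] d) throws Exception {\n'
        '        MessageDigest instance = MessageDigest.getInstance("SHA-1");\n'
        '        return instance.digest(d);\n'
        '    }\n'
        '    byte[] e(byte[] k, byte[] d) throws Exception {\n'
        '        Cipher instance = Cipher.getInstance("AES/ECB/NoPadding");\n'
        '        instance.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(k, "AES"));\n'
        '        return instance.doFinal(d);\n'
        '    }\n'
        '    byte[] g(byte[] k, byte[] d) throws Exception {\n'
        '        Cipher instance = Cipher.getInstance("AES/GCM/NoPadding");\n'
        '        return instance.doFinal(d);\n'
        '    }\n'
        '}\n',
}

if __name__ == "__main__":
    for path, line_no, kind, detail, third_party, line in scan_tree(SAMPLE_SOURCES):
        tag = " [third-party]" if third_party else ""
        print("%s:%d %s (%s)%s\n    %s" % (path, line_no, kind, detail, tag, line))
```

On the constructed sources the scan reports exactly the three hits listed under T5.1 and ignores the AES/GCM call. A hit is a lead, not a verdict: MD5 used for a cache key or a non-security checksum is not the same finding as MD5 over a PIN, so each reported line still needs manual review of what the digest or cipher protects.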