Page 15 - FIGI: Security audit of various DFS applications

Figure 1 – Names of files, classes and variables have been replaced, making the code more difficult to understand

3.2.2   M2: Insecure Data Storage

√   T2.1 The applications require the "android.permission.WRITE_EXTERNAL_STORAGE" permission. Note that this does not imply that the app actually writes data on external storage and, if it did, that this data is sensitive.
√   T2.2 While the app is running, screenshots are disabled.

3.2.3   M3: Insecure Communication

√   T3.1 Only HTTPS connections are used.
√   T3.2 The app refused to establish an HTTPS connection to a proxy with an untrusted certificate.
√   T3.3 The app refused to establish an HTTPS connection to a proxy with a trusted certificate. This shows that certificate pinning is in use.
x   T3.4 android:usesCleartextTraffic is set to true in the manifest.

3.2.4   M4: Insecure Authentication

x   T4.1 The application does not require a PIN or fingerprint every time it is started. Thus, an intruder stealing an unlocked device can run the applica-
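
The two manifest-based findings on this page, T2.1 and T3.4, can be reproduced statically from a decoded AndroidManifest.xml. The following is an added example, not part of the audit report or its tooling; the function name `audit_manifest`, the result keys and the sample manifest are constructed for illustration, and the manifest is assumed to be already decoded to plain XML with a `uses-sdk` element present.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
EXT_STORAGE = "android.permission.WRITE_EXTERNAL_STORAGE"

# Constructed sample manifest (decoded to plain XML); not taken from any audited app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Wallet" android:usesCleartextTraffic="true"/>
</manifest>"""


def audit_manifest(xml_text):
    """Collect the manifest facts behind checks T2.1 and T3.4."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    app_attrs = app.attrib if app is not None else {}
    sdk = root.find("uses-sdk")
    sdk_attrs = sdk.attrib if sdk is not None else {}
    # targetSdkVersion falls back to minSdkVersion, which falls back to 1.
    target = int(sdk_attrs.get(A + "targetSdkVersion",
                               sdk_attrs.get(A + "minSdkVersion", "1")))

    perms = {p.get(A + "name") for p in root.iter("uses-permission")}

    explicit = app_attrs.get(A + "usesCleartextTraffic")
    if explicit is not None:
        cleartext, source = explicit == "true", "explicit"
    else:
        # Platform default: true up to targetSdkVersion 27, false from 28.
        cleartext, source = target <= 27, "default"

    return {
        "T2.1_requests_external_storage": EXT_STORAGE in perms,
        "T3.4_cleartext_permitted": cleartext,
        "T3.4_source": source,
        # When set, this config overrides the flag on Android 7.0 (API 24)+,
        # so the referenced XML resource has to be reviewed as well.
        "network_security_config": app_attrs.get(A + "networkSecurityConfig"),
    }


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

As T2.1 notes, a requested permission only shows what the app may do; whether sensitive data is actually written to external storage still has to be checked at runtime.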


