Page 15 - FIGI: Security audit of various DFS applications
Figure 1 – Names of files, classes and variables have been replaced, making the code more difficult to understand
3.2.2 M2: Insecure Data Storage

√ T2.1 The applications require the "android.permission.WRITE_EXTERNAL_STORAGE" permission. Note that this does not imply that the app actually writes data on external storage and, if it did, that this data is sensitive.

√ T2.2 While the app is running, screenshots are disabled.

3.2.3 M3: Insecure Communication

√ T3.1 Only HTTPS connections are used.

√ T3.2 The app refused to establish an HTTPS connection to a proxy with an untrusted certificate.

√ T3.3 The app refused to establish an HTTPS connection to a proxy with a trusted certificate. This shows that certificate pinning is in use.

x T3.4 Android: usesCleartextTraffic is set to true in the manifest.

3.2.4 M4: Insecure Authentication

x T4.1 The application does not require a PIN or fingerprint every time it is started. Thus, an intruder stealing an unlocked device can run the applica-
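The M2 and M3 items above (T2.1, T3.3 and T3.4) can be partly reproduced statically from the app's AndroidManifest.xml and its network security configuration. The following Python script is an added example, not code from the FIGI report or from any audited app: it parses a constructed manifest and a constructed network_security_config.xml (the domain, package name and SHA-256 pins are placeholders) and reports the WRITE_EXTERNAL_STORAGE permission, the usesCleartextTraffic flag and the presence of pin sets. Pinning implemented in code rather than in the config (as the report verified dynamically through a proxy) is not visible to this check, so the absence of a static pin set is marked for review rather than as a failure.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    # ElementTree addresses namespaced attributes as "{uri}local".
    return "{%s}%s" % (ANDROID_NS, name)


def check_manifest(manifest_xml):
    """Facts for T2.1 and T3.4 that the manifest alone can give."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(android_attr("name")) for p in root.iter("uses-permission")}
    app = root.find("application")
    cleartext_attr = None if app is None else app.get(android_attr("usesCleartextTraffic"))
    return {
        "write_external_storage": "android.permission.WRITE_EXTERNAL_STORAGE" in perms,
        # None means the attribute is absent, so the platform default applies
        # (cleartext allowed below targetSdkVersion 28, blocked from 28 on).
        "uses_cleartext_traffic": None if cleartext_attr is None else cleartext_attr.lower() == "true",
        "network_security_config": None if app is None else app.get(android_attr("networkSecurityConfig")),
    }


def check_network_security_config(nsc_xml):
    """Base cleartext policy and per-domain pin sets (T3.3 / T3.4 picture)."""
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    result = {
        "base_cleartext": None if base is None else base.get("cleartextTrafficPermitted") == "true",
        "pinned_domains": {},
    }
    for dc in root.iter("domain-config"):
        pin_set = dc.find("pin-set")
        pins = [] if pin_set is None else [p.text.strip() for p in pin_set.iter("pin")]
        for dom in dc.findall("domain"):
            result["pinned_domains"][dom.text.strip()] = pins
    return result


def verdict(manifest_xml, nsc_xml=None):
    """Map the static facts onto the audit items of the report."""
    m = check_manifest(manifest_xml)
    n = check_network_security_config(nsc_xml) if nsc_xml else None
    # T2.1: the permission alone does not prove sensitive data is written, so flag for review.
    t21 = "review" if m["write_external_storage"] else "pass"
    # T3.4: fail if the manifest or the base config allows cleartext traffic.
    cleartext = m["uses_cleartext_traffic"] is True or (n is not None and n["base_cleartext"] is True)
    t34 = "fail" if cleartext else "pass"
    # T3.3: a static pin set proves pinning; its absence only means "check dynamically".
    pinned = n is not None and any(n["pinned_domains"].values())
    t33 = "pass" if pinned else "review"
    return {"T2.1": t21, "T3.3": t33, "T3.4": t34}


# Constructed sample inputs (placeholders, not from any audited app).
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dfs">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="DFS" android:usesCleartextTraffic="true"/>
</manifest>"""

HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dfs">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="DFS" android:usesCleartextTraffic="false"
      android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""

HARDENED_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config>
    <domain includeSubdomains="true">api.dfs-example.invalid</domain>
    <pin-set expiration="2026-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
      <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""

if __name__ == "__main__":
    print("weak:    ", verdict(WEAK_MANIFEST))
    print("hardened:", verdict(HARDENED_MANIFEST, HARDENED_NSC))
```

Run against a real APK, the two XML strings would come from the decoded manifest and from the resource named by android:networkSecurityConfig; the second pin in the set is the backup pin that Android requires so that a key rotation does not lock users out.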