CellularPrivacy / Android-IMSI-Catcher-Detector

AIMSICD • Fight IMSI-Catcher, StingRay and silent SMS!
https://cellularprivacy.github.io/Android-IMSI-Catcher-Detector/
GNU General Public License v3.0

Vulnerabilities detected by AndroBugs Framework #650

Open SecUpwN opened 8 years ago

SecUpwN commented 8 years ago

Mike Kuketz from my beloved Kuketz IT-Security Blog was so kind to analyze the current build of our app created from our development branch using AndroBugs (also on GitHub).

@larsgrefer and @smarek, could you please dig into what is causing these things?

*************************************************************************
**   AndroBugs Framework - Android App Security Vulnerability Scanner  **
**                            version: 1.0.0                           **
**     author: Yu-Cheng Lin (@AndroBugs, http://www.AndroBugs.com)     **
**               contact: androbugs.framework@gmail.com                **
*************************************************************************
Platform: Android
Package Name: com.SecUpwN.AIMSICD
Package Version Name: 0.1.36-alpha-5910cf3
Package Version Code: 36
Min Sdk: 16
Target Sdk: 19
MD5   : 66ffb0d43805f4ef50c5684cfa94d3e7
SHA1  : c4ea4b14b3aac0e3050654d6c638574bdd773514
SHA256: 82e38d2c4043e5f3f14e4f2f771604217a15c8c4376258e255a75728cb6dc491
SHA512: 0a310cbfd994fa48588757ad71ad64af4f2adb44e1840ab809e8f6a5e3ee04439798e7b103d645c7f5133d78484c15ee0bdeb5b1a3297233daee7a3703bc5dea
------------------------------------------------------------
[Critical] <Command> Runtime Command Checking:
           This app is using critical function 'Runtime.getRuntime().exec("...")'.
           Please confirm these following code secions are not harmful:
               => Lcom/SecUpwN/AIMSICD/activities/DebugLogs$6;->run()V (0xc) --->
                    Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
               => Lcom/SecUpwN/AIMSICD/smsdetection/SmsDetector;->run()V (0x2c) --->
                    Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
               => Lcom/stericson/RootShell/execution/Shell;-><init>(Ljava/lang/String; Lcom/stericson/RootShell/execution/Shell$ShellType;
                    Lcom/stericson/RootShell/execution/Shell$ShellContext; I)V (0x130) --->
                    Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
               => Lcom/stericson/RootShell/execution/Shell;-><init>(Ljava/lang/String; Lcom/stericson/RootShell/execution/Shell$ShellType;
                    Lcom/stericson/RootShell/execution/Shell$ShellContext; I)V (0x2c4) --->
                    Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
               => Lcom/SecUpwN/AIMSICD/activities/DebugLogs;->runProcess([Ljava/lang/String;)Ljava/lang/String; (0x18) --->
                    Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
[Critical] <Debug> Android Debug Mode Checking:
           DEBUG mode is ON(android:debuggable="true") in AndroidManifest.xml. This is very dangerous. The attackers will be able to sniffer
           the debug messages by Logcat. Please disable the DEBUG mode if it is a released application.
[Critical]  AndroidManifest "intent-filter" Settings Checking:
           Misconfiguration in "intent-filter" of these components (AndroidManifest.xml).
           Config "intent-filter" should have at least one "action".
           Reference: http://developer.android.com/guide/topics/manifest/intent-filter-element.html
                 activity => com.SecUpwN.AIMSICD.activities.PrefActivity
                 activity => com.SecUpwN.AIMSICD.activities.MapPrefActivity
[Critical] <SSL_Security> SSL Connection Checking:
           URLs that are NOT under SSL (Total:42):
               http://a.tile.cloudmade.com/%s/%d/%d/%d/%d/%d%s?token=%s
                   => Lorg/osmdroid/tileprovider/tilesource/TileSourceFactory;-><clinit>()V
               http://a.tile.opencyclemap.org/cycle/
                   => Lorg/osmdroid/tileprovider/tilesource/TileSourceFactory;-><clinit>()V
               http://a.tile.openstreetmap.org/
                   => Lorg/osmdroid/tileprovider/tilesource/TileSourceFactory;-><clinit>()V
               http://a.tiles.mapbox.com/v3/
                   => Lorg/osmdroid/tileprovider/tilesource/MapBoxTileSource;-><clinit>()V
               http://api.geonames.org/findNearbyWikipediaJSON?
                   => Lorg/osmdroid/bonuspack/location/GeoNamesPOIProvider;->getUrlCloseTo(Lorg/osmdroid/util/GeoPoint; I
                    D)Ljava/lang/String;
               http://api.geonames.org/wikipediaBoundingBoxJSON?
                   => Lorg/osmdroid/bonuspack/location/GeoNamesPOIProvider;->getUrlInside(Lorg/osmdroid/util/BoundingBoxE6;
                    I)Ljava/lang/String;
               http://auth.cloudmade.com/token/
                   => Lorg/osmdroid/tileprovider/util/CloudmadeUtil;->getCloudmadeToken()Ljava/lang/String;
               http://b.tile.cloudmade.com/%s/%d/%d/%d/%d/%d%s?token=%s
                   => Lorg/osmdroid/tileprovider/tilesource/TileSourceFactory;-><clinit>()V
               http://b.tile.opencyclemap.org/cycle/
                   => Lorg/osmdroid/tileprovider/tilesource/TileSourceFactory;-><clinit>()V
               http://b.tile.openstreetmap.org/
                   => Lorg/osmdroid/tileprovider/tilesource/TileSourceFactory;-><clinit>()V
               http://b.tiles.mapbox.com/v3/
                   => Lorg/osmdroid/tileprovider/tilesource/MapBoxTileSource;-><clinit>()V
               http://c.tile.cloudmade.com/%s/%d/%d/%d/%d/%d%s?token=%s
                   => Lorg/osmdroid/tileprovider/tilesource/TileSourceFactory;-><clinit>()V
               http://c.tile.opencyclemap.org/cycle/
                   => Lorg/osmdroid/tileprovider/tilesource/TileSourceFactory;-><clinit>()V
               http://c.tile.openstreetmap.org/
                   => Lorg/osmdroid/tileprovider/tilesource/TileSourceFactory;-><clinit>()V
               http://c.tiles.mapbox.com/v3/
                   => Lorg/osmdroid/tileprovider/tilesource/MapBoxTileSource;-><clinit>()V
               http://d.tiles.mapbox.com/v3/
                   => Lorg/osmdroid/tileprovider/tilesource/MapBoxTileSource;-><clinit>()V
               http://maps.googleapis.com/maps/api/directions/xml?
                   => Lorg/osmdroid/bonuspack/routing/GoogleRoadManager;->getUrl(Ljava/util/ArrayList;)Ljava/lang/String;
               http://nominatim.openstreetmap.org/
                   => Lorg/osmdroid/bonuspack/location/GeocoderNominatim;-><init>(Landroid/content/Context; Ljava/util/Locale;)V
                   => Lorg/osmdroid/bonuspack/location/NominatimPOIProvider;-><init>()V
               http://open.mapquestapi.com/guidance/v1/route?
                   => Lorg/osmdroid/bonuspack/routing/MapQuestRoadManager;->getUrl(Ljava/util/ArrayList;)Ljava/lang/String;
               http://openptmap.org/tiles/
                   => Lorg/osmdroid/tileprovider/tilesource/TileSourceFactory;-><clinit>()V
               http://otile1.mqcdn.com/tiles/1.0.0/map/
                   => Lorg/osmdroid/tileprovider/tilesource/TileSourceFactory;-><clinit>()V
               http://otile1.mqcdn.com/tiles/1.0.0/sat/
                   => Lorg/osmdroid/tileprovider/tilesource/TileSourceFactory;-><clinit>()V
               http://otile2.mqcdn.com/tiles/1.0.0/map/
                   => Lorg/osmdroid/tileprovider/tilesource/TileSourceFactory;-><clinit>()V
               http://otile2.mqcdn.com/tiles/1.0.0/sat/
                   => Lorg/osmdroid/tileprovider/tilesource/TileSourceFactory;-><clinit>()V
               http://otile3.mqcdn.com/tiles/1.0.0/map/
                   => Lorg/osmdroid/tileprovider/tilesource/TileSourceFactory;-><clinit>()V
               http://otile3.mqcdn.com/tiles/1.0.0/sat/
                   => Lorg/osmdroid/tileprovider/tilesource/TileSourceFactory;-><clinit>()V
               http://otile4.mqcdn.com/tiles/1.0.0/map/
                   => Lorg/osmdroid/tileprovider/tilesource/TileSourceFactory;-><clinit>()V
               http://otile4.mqcdn.com/tiles/1.0.0/sat/
                   => Lorg/osmdroid/tileprovider/tilesource/TileSourceFactory;-><clinit>()V
               http://overlay.openstreetmap.nl/basemap/
                   => Lorg/osmdroid/tileprovider/tilesource/TileSourceFactory;-><clinit>()V
               http://overlay.openstreetmap.nl/openfietskaart-overlay/
                   => Lorg/osmdroid/tileprovider/tilesource/TileSourceFactory;-><clinit>()V
               http://overlay.openstreetmap.nl/roads/
                   => Lorg/osmdroid/tileprovider/tilesource/TileSourceFactory;-><clinit>()V
               http://overpass-api.de/api/interpreter
                   => Lorg/osmdroid/bonuspack/location/OverpassAPIProvider;-><init>()V
               http://picasaweb.google.com/data/feed/api/all?
                   => Lorg/osmdroid/bonuspack/location/PicasaPOIProvider;->getUrlInside(Lorg/osmdroid/util/BoundingBoxE6; I
                    Ljava/lang/String;)Ljava/lang/String;
               http://router.project-osrm.org/viaroute?
                   => Lorg/osmdroid/bonuspack/routing/OSRMRoadManager;-><init>()V
               http://schemas.google.com/photos/2007#canonical
                   => Lorg/osmdroid/bonuspack/location/PicasaXMLHandler;->startElement(Ljava/lang/String; Ljava/lang/String;
                    Ljava/lang/String; Lorg/xml/sax/Attributes;)V
               http://services.gisgraphy.com/
                   => Lorg/osmdroid/bonuspack/location/GeocoderGisgraphy;-><init>(Landroid/content/Context; Ljava/util/Locale;)V
               http://www.PLACEYOURDOMAINHERE.com/anyfolder/gpxuploader/upload.php
                   => Lorg/osmdroid/contributor/GpxToPHPUploader$1;->run()V
               http://www.opencellid.org/cell/get?key=
                   => Lcom/SecUpwN/AIMSICD/AIMSICD;->selectItem(I)V
               http://www.opencellid.org/cell/getInArea?key=
                   => Lcom/SecUpwN/AIMSICD/utils/Helpers;->getOpenCellData(Landroid/content/Context; Lcom/SecUpwN/AIMSICD/utils/Cell; C)V
               http://www.opencellid.org/measure/uploadCsv
                   => Lcom/SecUpwN/AIMSICD/utils/RequestTask;->doInBackground([Ljava/lang/String;)Ljava/lang/String;
               http://www.openstreetmap.org/api/0.5/gpx/create
                   => Lorg/osmdroid/contributor/OSMUploader$1;->run()V
               http://xmlpull.org/v1/doc/features.html#process-namespaces
                   => Lcom/SecUpwN/AIMSICD/utils/StackOverflowXmlParser;->parse(Ljava/io/InputStream;)Ljava/util/List;
[Critical]  AndroidManifest System Use Permission Checking:
           This app should only be released and signed by device manufacturer or Google and put under '/system/app'. If not, it may be a
           malicious app.
               System use-permission found: "android.permission.WRITE_SECURE_SETTINGS"
[Warning]  External Storage Accessing:
           External storage access found (Remember DO NOT write important files to external storages):
               => Lorg/osmdroid/bonuspack/kml/KmlDocument;->getDefaultPathForAndroid(Ljava/lang/String;)Ljava/io/File; (0x4) --->
                    Landroid/os/Environment;->getExternalStorageDirectory()Ljava/io/File;
               => Lorg/osmdroid/tileprovider/constants/OpenStreetMapTileProviderConstants;-><clinit>()V (0x4) --->
                    Landroid/os/Environment;->getExternalStorageDirectory()Ljava/io/File;
               => Lcom/SecUpwN/AIMSICD/AIMSICD;->moveData()V (0x48) --->
                    Landroid/os/Environment;->getExternalStorageDirectory()Ljava/io/File;
[Warning] <Sensitive_Information> Getting IMEI and Device ID:
           This app has code getting the "device id(IMEI)" but there are problems with this "TelephonyManager.getDeviceId()" approach.
           1.Non-phones: Wifi-only devices or music players that don't have telephony hardware just don't have this kind of unique
           identifier.
           2.Persistence: On devices which do have this, it persists across device data wipes and factory resets. It's not clear at all if,
           in this situation, your app should regard this as the same device.
           3.Privilege:It requires READ_PHONE_STATE permission, which is irritating if you don't otherwise use or need telephony.
           4.Bugs: We have seen a few instances of production phones for which the implementation is buggy and returns garbage, for example
           zeros or asterisks.
           If you want to get an unique id for the device, we suggest you use "Installation" framework in the following article.
           Please check the reference: http://android-developers.blogspot.tw/2011/03/identifying-app-installations.html
               => Lcom/SecUpwN/AIMSICD/utils/Device;->refreshDeviceInfo(Landroid/telephony/TelephonyManager; Landroid/content/Context;)V
                    (0x8) ---> Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
[Warning] <Sensitive_Information> Getting ANDROID_ID:
           This app has code getting the 64-bit number "Settings.Secure.ANDROID_ID".
           ANDROID_ID seems a good choice for a unique device identifier. There are downsides: First, it is not 100% reliable on releases of
           Android prior to 2.2 (Froyo).
           Also, there has been at least one widely-observed bug in a popular handset from a major manufacturer, where every instance has
           the same ANDROID_ID.
           If you want to get an unique id for the device, we suggest you use "Installation" framework in the following article.
           Please check the reference: http://android-developers.blogspot.tw/2011/03/identifying-app-installations.html
               => Lorg/osmdroid/tileprovider/util/CloudmadeUtil;->retrieveCloudmadeKey(Landroid/content/Context;)V (0xc) --->
                    Landroid/provider/Settings$Secure;->getString(Landroid/content/ContentResolver; Ljava/lang/String;)Ljava/lang/String;
[Notice] <Command> Executing "root" or System Privilege Checking:
           The app may has the code checking for "root" permission, mounting filesystem operations or monitoring system:
               Lcom/SecUpwN/AIMSICD/smsdetection/SmsDetector;->run()V  => 'su'
               Lcom/stericson/RootShell/execution/Shell;->startRootShell(I Lcom/stericson/RootShell/execution/Shell$ShellContext;
                    I)Lcom/stericson/RootShell/execution/Shell;  => 'su'
               Lcom/stericson/RootShell/RootShell;->isRootAvailable()Z  => 'su'
               Lcom/SecUpwN/AIMSICD/utils/atcmd/TtyPrivFile;-><init>(Ljava/lang/String;)V  => 'su'
               Lcom/SecUpwN/AIMSICD/utils/CMDProcessor;->startSuCommand(Ljava/lang/String;)Lcom/SecUpwN/AIMSICD/utils/ChildProcess;  => 'su'
               Lcom/SecUpwN/AIMSICD/activities/DebugLogs;->getProp()Ljava/lang/String;  => '/system/bin/getprop'
               Lcom/stericson/RootShell/execution/Shell;->startShell(I)Lcom/stericson/RootShell/execution/Shell;  => '/system/bin/sh'
[Notice] <Database><#CVE-2011-3901#> Android SQLite Databases Vulnerability Checking:
           This app is using Android SQLite databases but it's "NOT" suffering from SQLite Journal Information Disclosure Vulnerability.
[Notice]  File Unsafe Delete Checking:
           Everything you delete may be recovered by any user or attacker, especially rooted devices.
           Please make sure do not use "file.delete()" to delete essential files.
           Check this video: https://www.youtube.com/watch?v=tGw1fxUD-uY
               => Lorg/osmdroid/bonuspack/cachemanager/CacheManager$CleaningTask;->cleanArea()I (0x150) ---> Ljava/io/File;->delete()Z
               => Lorg/osmdroid/tileprovider/modules/TileWriter;->cutCurrentCache()V (0xce) ---> Ljava/io/File;->delete()Z
               => Lorg/osmdroid/tileprovider/tilesource/BitmapTileSourceBase;->getDrawable(Ljava/lang/String;)Landroid/graphics/drawable/Dra
                    wable; (0x3a) ---> Ljava/io/File;->delete()Z
               => Lcom/SecUpwN/AIMSICD/AIMSICD;->moveData()V (0x10c) ---> Ljava/io/File;->delete()Z
[Notice]  AndroidManifest Exported Components Checking 2:
           Found "exported" components(except for Launcher) for receiving Google's "Android" actions (AndroidManifest.xml):
                 activity => com.SecUpwN.AIMSICD.activities.MapViewerOsmDroid
                 activity => com.SecUpwN.AIMSICD.activities.PrefActivity
                 activity => com.SecUpwN.AIMSICD.activities.MapPrefActivity
                 receiver => com.SecUpwN.AIMSICD.receiver.BootCompletedReceiver
[Info]  AndroidManifest Adb Backup Checking:
           This app has disabled Adb Backup.
[Info] <Database> SQLiteDatabase Transaction Deprecated Checking:
           Ignore checking "SQLiteDatabase:beginTransactionNonExclusive" because your set minSdk >= 11.
[Info] <Database> Android SQLite Databases Encryption (SQLite Encryption Extension (SEE)):
           This app is "NOT" using SQLite Encryption Extension (SEE) on Android (http://www.sqlite.org/android) to encrypt or decrpyt
           databases.
[Info] <Database> Android SQLite Databases Encryption (SQLCipher):
           This app is "NOT" using SQLCipher(http://sqlcipher.net/) to encrypt or decrpyt databases.
[Info]  Dynamic Code Loading:
           No dynamic code loading(DexClassLoader) found.
[Info] <#BID 64208, CVE-2013-6271#> Fragment Vulnerability Checking:
           Did not detect the vulnerability of "Fragment" dynamically loading into "PreferenceActivity" or "SherlockPreferenceActivity"
[Info] <Framework> Framework - MonoDroid:
           This app is NOT using MonoDroid Framework (http://xamarin.com/android).
[Info] <Hacker> Base64 String Encryption:
           No encoded Base64 String or Urls found.
[Info] <Database><Hacker> Key for Android SQLite Databases Encryption:
           Did not find using the symmetric key(PRAGMA key) to encrypt the SQLite databases (It's still possible that it might use but we
           did not find out).
[Info] <Debug><Hacker> Codes for Checking Android Debug Mode:
           Did not detect codes for checking "ApplicationInfo.FLAG_DEBUGGABLE" in AndroidManifest.xml.
[Info] <Hacker> APK Installing Source Checking:
           Did not detect this app checks for APK installer sources.
[Info] <KeyStore><Hacker> KeyStore File Location:
           Did not find any possible BKS keystores or certificate keystore file (Notice: It does not mean this app does not use keysotre):
[Info] <KeyStore><Hacker> KeyStore Protection Checking:
           Ignore checking KeyStore protected by password or not because you're not using KeyStore.
[Info] <Hacker> Code Setting Preventing Screenshot Capturing:
           Did not detect this app has code setting preventing screenshot capturing.
[Info] <Signature><Hacker> Getting Signature Code Checking:
           Did not detect this app is checking the signature in the code.
[Info]  HttpURLConnection Android Bug Checking:
           Ignore checking "http.keepAlive" because you're not using "HttpURLConnection" and min_Sdk > 8.
[Info] <KeyStore> KeyStore Type Checking:
           KeyStore 'BKS' type check OK
[Info]  Google Cloud Messaging Suggestion:
           Nothing to suggest.
[Info] <#CVE-2013-4787#> Master Key Type I Vulnerability:
           No Master Key Type I Vulnerability in this APK.
[Info]  App Sandbox Permission Checking:
           No security issues "MODE_WORLD_READABLE" or "MODE_WORLD_WRITEABLE" found on 'openOrCreateDatabase' or 'openOrCreateDatabase2' or
           'getDir' or 'getSharedPreferences' or 'openFileOutput'
[Info]  Native Library Loading Checking:
           No native library loaded.
[Info]  AndroidManifest Dangerous ProtectionLevel of Permission Checking:
           No "dangerous" protection level customized permission found (AndroidManifest.xml).
[Info]  AndroidManifest PermissionGroup Checking:
           PermissionGroup in permission tag of AndroidManifest sets correctly.
[Info] <Implicit_Intent> Implicit Service Checking:
           No dangerous implicit service.
[Info]  AndroidManifest Normal ProtectionLevel of Permission Checking:
           No default or "normal" protection level customized permission found (AndroidManifest.xml).
[Info] <#CVE-2013-6272#> AndroidManifest Exported Lost Prefix Checking:
           No exported components that forgot to add "android:" prefix.
[Info]  AndroidManifest ContentProvider Exported Checking:
           No exported "ContentProvider" found (AndroidManifest.xml).
[Info]  Codes for Sending SMS:
           Did not detect this app has code for sending SMS messages (sendDataMessage, sendMultipartTextMessage or sendTextMessage).
[Info] <System> AndroidManifest sharedUserId Checking:
           This app does not use "android.uid.system" sharedUserId.
[Info] <SSL_Security> SSL Implementation Checking (Verifying Host Name in Custom Classes):
           Self-defined HOSTNAME VERIFIER checking OK.
[Info] <SSL_Security> SSL Implementation Checking (Verifying Host Name in Fields):
           Critical vulnerability "ALLOW_ALL_HOSTNAME_VERIFIER" field setting or "AllowAllHostnameVerifier" class instance not found.
[Info] <SSL_Security> SSL Implementation Checking (Insecure component):
           Did not detect SSLSocketFactory by insecure method "getInsecure".
[Info] <SSL_Security> SSL Implementation Checking (HttpHost):
           DEFAULT_SCHEME_NAME for HttpHost check: OK
[Info] <SSL_Security> SSL Implementation Checking (WebViewClient for WebView):
           Did not detect critical usage of "WebViewClient"(MITM Vulnerability).
[Info] <SSL_Security> SSL Certificate Verification Checking:
           Did not find vulnerable X509Certificate code.
[Info]  Unnecessary Permission Checking:
           Permission 'android.permission.ACCESS_MOCK_LOCATION' sets correctly.
[Info]  Accessing the Internet Checking:
           This app is using the Internet via HTTP protocol.
[Info] <WebView> WebView Local File Access Attacks Checking:
           Did not find potentially critical local file access settings.
[Info] <WebView> WebView Potential XSS Attacks Checking:
           Did not detect "setJavaScriptEnabled(true)" in WebView.
[Info] <WebView><Remote Code Execution><#CVE-2013-4710#> WebView RCE Vulnerability Checking:
           WebView addJavascriptInterface vulnerabilities not found.
------------------------------------------------------------
AndroBugs analyzing time: 4.485393 secs
Total elapsed time: 17.949994 secs
<<< Analysis report is generated: /media/sf_Kali/Android/AndroBugs/Reports/com.SecUpwN.AIMSICD_698a47e5e4f4145bfbb0f3dfe1f4df6538a6ca4a642de7172705ad7e7ba2feec1c46b130891cfebae03cfda900f1bce143b375c119252059e51dcbd75576d9b1.txt >>>

SecUpwN commented 8 years ago

Have you had a look at this, @larsgrefer?

larsgrefer commented 8 years ago

Most of the critical errors are

SecUpwN commented 8 years ago

Have these been fixed yet, @larsgrefer and @smarek? Would you please be so kind to check it again?

farislivemaker commented 6 years ago

Hi @SecUpwN, I hope you have solved some of the vulnerabilities reported by AndroBugs. Can you help me with how to solve the error below?

File Unsafe Delete Checking: Everything you delete may be recovered by any user or attacker, especially rooted devices. Please make sure do not use "file.delete()" to delete essential files.
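One way to address the "File Unsafe Delete" finding, as an added example that is not part of this thread and not AIMSICD's own code: on flash storage, overwriting a file before `file.delete()` does not reliably destroy its contents, because wear levelling can leave earlier copies of the blocks in place. A more dependable pattern is crypto-shredding, in which the file only ever exists in encrypted form, the AES key lives in the Android Keystore, and "deleting" the file means deleting the key first, so any ciphertext later recovered from flash is unreadable. The `ShreddableFile` class, its alias and path parameters are hypothetical; it assumes API level 23 or higher for the Keystore `KeyGenParameterSpec` API (the scanned build declares minSdk 16, so older devices would need a different key store).

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Hypothetical helper (example code, not from AIMSICD): a file that is stored
 * only as AES-GCM ciphertext, keyed from the Android Keystore. shred() deletes
 * the key before the file, so leftover ciphertext on flash cannot be decrypted.
 * Requires API 23+ (KeyGenParameterSpec).
 */
public final class ShreddableFile {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String TRANSFORM = "AES/GCM/NoPadding";
    private static final int GCM_TAG_BITS = 128;
    private static final int IV_LEN = 12;   // GCM IV length the Keystore generates

    private final String keyAlias;  // hypothetical alias, e.g. "aimsicd-debug-log"
    private final File file;

    public ShreddableFile(String keyAlias, File file) {
        this.keyAlias = keyAlias;
        this.file = file;
    }

    /** Load the key for this file; create one only when asked to (on write). */
    private SecretKey getKey(boolean createIfMissing)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        KeyStore.Entry entry = ks.getEntry(keyAlias, null);
        if (entry instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        }
        if (!createIfMissing) {
            throw new GeneralSecurityException("key " + keyAlias + " has been shredded");
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(keyAlias,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey();   // key material never leaves the Keystore
    }

    /** Write plaintext as IV || ciphertext || GCM tag. The Keystore picks the IV. */
    public void write(byte[] plaintext) throws GeneralSecurityException, IOException {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, getKey(true));
        byte[] iv = c.getIV();
        byte[] ct = c.doFinal(plaintext);
        try (FileOutputStream out = new FileOutputStream(file)) {
            out.write(iv);
            out.write(ct);
        }
    }

    /** Read and authenticate the file; fails if the key was shredded or data tampered. */
    public byte[] read() throws GeneralSecurityException, IOException {
        byte[] blob = new byte[(int) file.length()];
        try (DataInputStream in = new DataInputStream(new FileInputStream(file))) {
            in.readFully(blob);
        }
        if (blob.length < IV_LEN) {
            throw new IOException("truncated file: " + file);
        }
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, getKey(false),
               new GCMParameterSpec(GCM_TAG_BITS, blob, 0, IV_LEN));
        return c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
    }

    /** Destroy the key first, then the file. Order matters: once the key is gone,
     *  a recovered copy of the file is just random-looking bytes. */
    public void shred() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        ks.deleteEntry(keyAlias);
        if (file.exists() && !file.delete()) {
            throw new IOException("could not delete " + file);
        }
    }
}
```

Use one key alias per file (or per class of files) so that shredding one file does not make others unreadable. The pattern only helps for data the app creates itself; the osmdroid tile-cache deletions in the same finding hold public map tiles, which is why the scanner's advice is limited to "essential" files.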

Expertasif commented 4 years ago

Runtime.exec() how to exploit