ltguillaume / droidshows

A Reboot of DroidSeries Offline TV Shows Tracker
https://codeberg.org/ltguillaume/droidshows
GNU General Public License v3.0

Solve security problems by "Immuniweb" Mobile Application Security Test #89

Closed beerisgood closed 2 years ago

beerisgood commented 4 years ago

DroidShows 7.10.2 has some security flaws. See https://www.immuniweb.com/mobile/?id=AxyphSJF

ltguillaume commented 4 years ago

None of DroidShows' data is sensitive in any way, so I'd say almost none of this amounts to a security flaw. I'll have a look at the usage of HTTP, because that in fact shouldn't be the case.

ltguillaume commented 4 years ago

What the hell?

The report states that the app requests the following URLs: https://pagead2.googlesyndication.com/pagead/gen_204?id=gmob-apps&device=Google%20Android%20SDK%20built%20for%20x86&js=16089022.16089000&os=8.1.0&api=27&lat=0&eids=318475418%2C318484909%2C318484606&tslu=4&appid=com.google.android.gms

https://www.googleadservices.com/pagead/conversion/1001680686/?bundleid=com.google.android.youtube&appversion=12.17.41&osversion=8.1.0&sdkversion=ct-sdk-a-v2.2.4&gms=1&lat=0&rdid=b28c23ea-d3b7-49b3-a497-0b12e84dcf5a&timestamp=1593797320.589&remarketing_only=1&usage_tracking_enabled=0&data.screen_name=%3CAndroid_YT_Open_App%3E

https://www.youtube.com/csi_204?v=3&s=youtube_android&action=process&yt_lt=frozen&mod_li=0&conn=3&it=ndps.389,proc_k.-130,app_l.474,f_proc.523&cplatform=mobile&cbr=com.google.android.youtube&c=android&cmodel=Android%20SDK%20built%20for%20x86&cos=Android&csdk=27&cbrver=12.17.41&cver=12.17.41&cosver=8.1.0&cbrand=Google&proc=2

...and two others.

To me, this makes no sense at all. How would that be possible?

beerisgood commented 4 years ago

Maybe their automatic service runs that with GAPPS, which then makes the connections. Or because of the SDK used, which does that. Google already included some stuff in the past by default. So the dev needs to disable it.

ltguillaume commented 4 years ago

Maybe their automatic service runs that with GAPPS, which then makes the connections.

I thought of that, but that would make their reports quite sloppy.

Or because of the SDK used, which does that. Google already included some stuff in the past by default. So the dev needs to disable it.

Crossed my mind as well, but I don't like it... If you find anything I can do about it, if these connections are indeed initiated by (running this) app, please do let me know.

As for the HTTP warning, this version should fix that (see https://github.com/ltGuillaume/DroidShows/commit/cbcc03a7ec35d420761147daf03a974e6c2f8e66): DroidShows_7.11.0https.zip
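The triage the thread arrives at (the reported requests carry another package's identifier, so they are emulator/GAPPS background traffic rather than the app's, while a cleartext request would be a real finding) can be automated over a scanner's URL list. This is an added example, not code from the thread or from DroidShows; the parameter list and the app package name are assumptions/placeholders.

```python
"""Triage helper for a mobile-scanner network report (constructed example).

Given the URLs an automated scanner says "the app" contacted, pull the
package identifier the requests themselves carry (appid=, bundleid=, cbr=)
and compare it against the app under test. Requests attributed to another
package are likely emulator/GAPPS background traffic, i.e. a false positive;
cleartext http:// requests are flagged regardless of origin.
"""
from urllib.parse import urlsplit, parse_qs

# Query parameters Google endpoints use to name the calling package, taken
# from the URLs quoted in the thread. Assumption: the list is not exhaustive.
PACKAGE_PARAMS = ("appid", "bundleid", "cbr")

def originating_package(url):
    """Return the package name a request identifies itself with, or None."""
    qs = parse_qs(urlsplit(url).query)
    for key in PACKAGE_PARAMS:
        if key in qs:
            return qs[key][0]
    return None

def triage(urls, app_package):
    """Classify each URL as 'cleartext', 'own', 'foreign:<pkg>' or 'unattributed'."""
    result = {}
    for url in urls:
        if urlsplit(url).scheme == "http":
            result[url] = "cleartext"       # genuine finding: fix regardless of origin
            continue
        pkg = originating_package(url)
        if pkg is None:
            result[url] = "unattributed"    # needs manual review (capture per app UID)
        elif pkg == app_package:
            result[url] = "own"
        else:
            result[url] = "foreign:" + pkg  # another package's traffic, not the app's
    return result

# Constructed sample: shortened forms of the URLs quoted in the thread plus a
# hypothetical cleartext request, so that every branch above is exercised.
SAMPLE_URLS = [
    "https://pagead2.googlesyndication.com/pagead/gen_204?id=gmob-apps&appid=com.google.android.gms",
    "https://www.googleadservices.com/pagead/conversion/1001680686/?bundleid=com.google.android.youtube&gms=1",
    "https://www.youtube.com/csi_204?v=3&s=youtube_android&cbr=com.google.android.youtube",
    "http://example.invalid/api/shows",  # hypothetical cleartext request
]

# Placeholder package name for the app under test (not DroidShows' real one).
APP_PACKAGE = "com.example.app_under_test"

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS, APP_PACKAGE).items():
        print(verdict, url)
```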

Ibuprophen commented 2 years ago

@ltGuillaume, this is a false positive. As one of the team of developers for the Open Shell Start Menu Software, we occasionally encounter issues opened by someone with those types of "false positive" results from a handful of different websites.

Just wanted to let you know my friend... :-))

~Ibuprophen

ltguillaume commented 2 years ago

Thanks @Ibuprophen, makes sense!