ANDROSAST

Dated: 31/5/2019

APK Details

Package: com.mobile.swedsmsbank
Version: 1.1
Version number: 2
Minimum SDK version: 8 (Android 2.2 Froyo)
Target SDK: 8 (Android 2.2 Froyo)
Fingerprints: MD5: 4aa04f35f0f004a176b9e9f713cefdee
SHA-1: 66b12b185d15b0fd176341bd7c8145ae0a8b3fa6
SHA-256: 78946ed6f3001d07eca4f7f09a1ece8152b760a122569e848bf5217137ef7eac
Total vulnerabilities found: 1
Critical: 0

Vulnerability Chart

Priority  Count
Critical  0
High      0
Medium    1
Low       3
Warning   6

Vulnerability List

# Priority Name Description
1 Medium Allows Backup This option allows backups of the application data via adb. An attacker with physical access could use adb to copy the app's private data to their PC.
1 Low Generic Exception in catch Exception catching should be specific. Catching the generic Exception type is unsafe and can lead to silent error suppression.
2 Low Generic Exception in catch Exception catching should be specific. Catching the generic Exception type is unsafe and can lead to silent error suppression.
3 Low Math Random method This method is not cryptographically secure and should not be used to generate OTP codes.
1 Warning Exported activity An exported activity was found. It can be invoked by other applications.
2 Warning Exported activity An exported activity was found. It can be invoked by other applications.
3 Warning Exported receiver An exported receiver was found. It can be invoked by other applications.
4 Warning Exported receiver An exported receiver was found. It can be invoked by other applications.
5 Warning Receive SMS permission Allows the app to receive and process SMS messages. This means the app could monitor or delete messages sent to your device without showing them to you. Check whether the permission is actually needed.
6 Warning URL Disclosure Decompiling the app could disclose private URLs hard-coded in the source.

Medium Vulnerability List

Allows Backup

Description:
This option allows backups of the application data via adb. An attacker with physical access could use adb to copy the app's private data to their PC.
File
AndroidManifest.xml
Language
xml
Line
6
Affected code
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.mobile.swedsmsbank" android:versionName="1.1" android:versionCode="2">
    <uses-sdk android:targetSdkVersion="8" android:minSdkVersion="8" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <application android:icon="@com.mobile.swedsmsbank:drawable/ic_launcher" android:label="@com.mobile.swedsmsbank:string/app_name" android:theme="@com.mobile.swedsmsbank:style/AppTheme" android:allowBackup="true">
        <activity android:name="com.mobile.swedsmsbank.SBActivity" android:label="@com.mobile.swedsmsbank:string/app_name">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />

Low Vulnerability List

Generic Exception in catch

Description:
Exception catching should be specific. Catching the generic Exception type is unsafe and can lead to silent error suppression.
File
classes/com/mobile/swedsmsbank/ItemListBaseAdapter.java
Language
java
Line
67
Affected code
        localImageView.setImageResource(2130837504);
        return paramViewGroup;
      }
    }
    catch (Exception paramView)
    {
      for (;;)
      {
        paramView = "N/A";

Generic Exception in catch

Description:
Exception catching should be specific. Catching the generic Exception type is unsafe and can lead to silent error suppression.
File
classes/com/mobile/swedsmsbank/SBAccountInfo.java
Language
java
Line
38
Affected code
      Total = Available;
      Currency = paramString.group(2);
      return;
    }
    catch (Exception paramString)
    {
      IsValid = false;
      continue;
    }

Math Random method

Description:
This method is not cryptographically secure and should not be used to generate OTP codes.
File
classes/com/mobile/swedsmsbank/SBActivity.java
Language
java
Line
39
Affected code
  }

  private void AddHistory()
  {
    Random localRandom = new Random();
    SBAccountInfo localSBAccountInfo = new SBAccountInfo();
    localSBAccountInfo.setCurrency("LVL");
    double d = localRandom.nextDouble() * 1000.0D;
    localSBAccountInfo.setTotal(d);

Warning List

Exported activity

Description:
An exported activity was found. It can be invoked by other applications.
File
AndroidManifest.xml
Language
xml
Line
7
Affected code
    <uses-sdk android:targetSdkVersion="8" android:minSdkVersion="8" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <application android:icon="@com.mobile.swedsmsbank:drawable/ic_launcher" android:label="@com.mobile.swedsmsbank:string/app_name" android:theme="@com.mobile.swedsmsbank:style/AppTheme" android:allowBackup="true">
        <activity android:name="com.mobile.swedsmsbank.SBActivity" android:label="@com.mobile.swedsmsbank:string/app_name">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>

Exported activity

Description:
An exported activity was found. It can be invoked by other applications.
File
AndroidManifest.xml
Language
xml
Line
25
Affected code
                <action android:name="android.appwidget.action.APPWIDGET_UPDATE" />
            </intent-filter>
            <meta-data android:resource="@com.mobile.swedsmsbank:xml/sbwidget" android:name="android.appwidget.provider" />
        </receiver>
        <activity android:label="@com.mobile.swedsmsbank:string/title_activity_sbsettings" android:name="com.mobile.swedsmsbank.SBSettingsActivity" />
    </application>
</manifest>

Exported receiver

Description:
An exported receiver was found. It can be invoked by other applications.
File
AndroidManifest.xml
Language
xml
Line
13
Affected code
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <receiver android:name="com.mobile.swedsmsbank.SmsReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />
            </intent-filter>
        </receiver>

Exported receiver

Description:
An exported receiver was found. It can be invoked by other applications.
File
AndroidManifest.xml
Language
xml
Line
18
Affected code
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />
            </intent-filter>
        </receiver>
        <receiver android:label="@com.mobile.swedsmsbank:string/app_name" android:name="com.mobile.swedsmsbank.SBWidget">
            <intent-filter>
                <action android:name="android.appwidget.action.APPWIDGET_CONFIGURE" />
                <action android:name="android.appwidget.action.APPWIDGET_UPDATE" />
            </intent-filter>

Receive SMS permission

Description:
Allows the app to receive and process SMS messages. This means the app could monitor or delete messages sent to your device without showing them to you. Check whether the permission is actually needed.
File
AndroidManifest.xml
Language
xml
Line
5
Affected code
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.mobile.swedsmsbank" android:versionName="1.1" android:versionCode="2">
    <uses-sdk android:targetSdkVersion="8" android:minSdkVersion="8" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <application android:icon="@com.mobile.swedsmsbank:drawable/ic_launcher" android:label="@com.mobile.swedsmsbank:string/app_name" android:theme="@com.mobile.swedsmsbank:style/AppTheme" android:allowBackup="true">
        <activity android:name="com.mobile.swedsmsbank.SBActivity" android:label="@com.mobile.swedsmsbank:string/app_name">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

URL Disclosure

Description:
Decompiling the app could disclose private URLs hard-coded in the source.
File
classes/com/mobile/swedsmsbank/SBSettings.java
Language
java
Line
19
Affected code
  public static boolean DEFAULT_ACCUMULATE;
  public static String DEFAULT_REGEXP;
  public static float DEFAULT_SUPPLEMENT;
  private static ArrayList<SBAccountInfo> History;
  public static String INTERNET_BANK = "http://ib.swedbank.lv";
  private static boolean IsInitialized;
  private static String PREFS_ACCUMULATE = "sbAccumulate";
  public static String PREFS_NAME = "SBSettings";
  private static String PREFS_REG_EXP;