MobSF Static Analysis Report

Summary: Android static analysis report, generated with MobSF v3.6.3 Beta, for the app "Banco antigua" (package com.universales.banco_antigua, version 1.0.0). The scan reports 0 high, 8 medium and 2 info findings, plus 2 findings rated secure, and details the app's permissions, components, signing certificate and manifest. Code analysis did return findings (9 items, among them an insecure random number generator, raw SQL queries, SHA-1 use and temp-file creation), but most of the flagged files belong to bundled plugin and SDK code (flutter_inappwebview, Countly, the Flutter engine) or to name-obfuscated classes, so each needs to be traced to its owner before being treated as a defect in the app's own code.

ANDROID STATIC ANALYSIS REPORT

Banco antigua (1.0.0)

File Name: banco_antigua 1.apk
Package Name: com.universales.banco_antigua
Scan Date: March 24, 2023, 10:26 p.m.
App Security Score: 64/100 (LOW RISK)
Grade: A
Trackers Detection: 1/428

FINDINGS SEVERITY
HIGH: 0
MEDIUM: 8
INFO: 2
SECURE: 2
HOTSPOT: 0

FILE INFORMATION
File Name: banco_antigua 1.apk
Size: 61.28MB
MD5: 55883a17c8dcc421442c4e13d3b11cc3
SHA1: 018e24e7e2aef84568a1b0846d54731a526cf061
SHA256: 807fd677ab268a1f33430831b2c2304f92e604aa6d7a6f8ad8728b5375aa890c

APP INFORMATION
App Name: Banco antigua
Package Name: com.universales.banco_antigua
Main Activity: com.universales.banco_antigua.MainActivity
Target SDK: 33
Min SDK: 26
Max SDK:
Android Version Name: 1.0.0
Android Version Code: 1

APP COMPONENTS
Activities: 9
Services: 5
Receivers: 4
Providers: 2
Exported Activities: 0
Exported Services: 1
Exported Receivers: 2
Exported Providers: 0

CERTIFICATE INFORMATION
APK is signed
v1 signature: False
v2 signature: True
v3 signature: False
Found 1 unique certificates
Subject: CN=Seguros Universales SA, OU=SU, O=Seguros Universales, L=Guatemala, ST=Guatemala, C=502
Signature Algorithm: rsassa_pkcs1v15
Valid From: 2023-03-24 20:08:58+00:00
Valid To: 2048-03-17 20:08:58+00:00
Issuer: CN=Seguros Universales SA, OU=SU, O=Seguros Universales, L=Guatemala, ST=Guatemala, C=502
Serial Number: 0x1
Hash Algorithm: sha256
md5: 60f5ee0825fe5ce259173848bdb71466
sha1: 65be6a5169ff965df4713af7dfda9b112a822719
sha256: ddb05a04bbf851cc97eed85705727cc928d0958fabc03f97a7744de0fc305e09
sha512: 01131415ee04f2433c669096a0b728be077010222fd4df2600a850f7e97974e5fbff296d9acce727d607b7e64d011ff28248cfc1f0e57d103a8525d17a52cd91
PublicKey Algorithm: rsa
Bit Size: 2048
Fingerprint: 366ea44123f9c9970e76677f005678edcef7ee02a404817e4ec2fb6015bb8520
Note: Subject and Issuer are identical and the serial number is 0x1, so this is a self-signed signing certificate, which is the norm for Android app signing and not a finding in itself. The APK carries only a v2 signature (no v1, no v3); that is sufficient here because v2 verification exists from API 24 and Min SDK is 26, so the missing v1 signature only matters on devices this app already excludes. The fingerprint above is the value to pin when verifying that a later build was signed with the same key (for example with apksigner verify --print-certs).
APPLICATION PERMISSIONS

1. android.permission.INTERNET
   Status: normal
   Info: full Internet access
   Description: Allows an application to create network sockets.

2. com.universales.banco_antigua.CountlyPush.BROADCAST_PERMISSION
   Status: unknown
   Info: Unknown permission
   Description: Unknown permission from android reference (a custom permission named after this package, so MobSF has no reference entry to rate it; its protection level is whatever the app's own manifest declares).

3. android.permission.BROADCAST_CLOSE_SYSTEM_DIALOGS
   Status: unknown
   Info: Unknown permission
   Description: Unknown permission from android reference.

4. android.permission.ACCESS_NETWORK_STATE
   Status: normal
   Info: view network status
   Description: Allows an application to view the status of all networks.

5. android.permission.WAKE_LOCK
   Status: normal
   Info: prevent phone from sleeping
   Description: Allows an application to prevent the phone from going to sleep.

6. com.google.android.c2dm.permission.RECEIVE
   Status: signature
   Info: C2DM permissions
   Description: Permission for cloud to device messaging.

APKID ANALYSIS

File: classes.dex
Findings:
  Anti-VM Code: Build.FINGERPRINT check, Build.MANUFACTURER check, network operator name check
  Compiler: dx

NETWORK SECURITY

No entries reported (no network security configuration findings).

CERTIFICATE ANALYSIS

1. Signed Application
   Severity: info
   Description: Application is signed with a code signing certificate

MANIFEST ANALYSIS

1. Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is protected by a permission, but the protection level of the permission should be checked.
   Permission: com.google.android.c2dm.permission.SEND
   [android:exported=true]
   Severity: warning
   Description: A Broadcast Receiver is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
   Note: this is the standard Firebase Cloud Messaging receiver configuration. The permission is declared by Google Play services, not by the app, which is why MobSF cannot resolve its protection level; in that declaration it is a signature-level permission, so only packages signed with the Play services key can deliver broadcasts to the receiver. Confirm this on the target device rather than assuming it (for example from adb shell dumpsys package output filtered for the permission name), because a device with a third-party reimplementation of Play services may declare it differently.

2. TaskAffinity is set for activity (ly.count.android.sdk.messaging.CountlyPushActivity)
   Severity: warning
   Description: If taskAffinity is set, then other applications could read the Intents sent to Activities belonging to another task. Always use the default setting, keeping the affinity as the package name, in order to prevent sensitive information inside sent or received Intents from being read by another application.
   Note: the activity belongs to the bundled Countly push SDK, so the attribute comes from the SDK's manifest; the app manifest can override it during manifest merging (tools:replace="android:taskAffinity" on the same activity element) if the SDK's value is not needed.
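Both manifest findings can be reproduced on a decoded AndroidManifest.xml (apktool output or the manifest MobSF extracts) with the following checker. It is an added example, not MobSF code; the manifest it parses is constructed to resemble the components named above, and the Countly receiver, the weak protection level and the affinity value in it are assumptions for illustration. It relies on android:exported being explicit, which Android requires for components with intent filters from target SDK 31 (this app targets 33).

```python
"""Check a decoded AndroidManifest.xml for exported components guarded by a
permission the app does not declare (or declares with a weak protectionLevel)
and for activities with a custom taskAffinity.  Added example, not MobSF code."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
WEAK_LEVELS = {"normal", "dangerous"}

# Constructed sample manifest (assumed values, not the real app manifest):
# one FCM-style receiver guarded by a permission declared elsewhere, one
# receiver guarded by a locally declared but weak permission, and an
# activity that sets its own taskAffinity.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.universales.banco_antigua">
  <permission android:name="com.universales.banco_antigua.CountlyPush.BROADCAST_PERMISSION"
              android:protectionLevel="normal"/>
  <application>
    <receiver android:name="com.google.firebase.iid.FirebaseInstanceIdReceiver"
              android:exported="true"
              android:permission="com.google.android.c2dm.permission.SEND"/>
    <receiver android:name="ly.count.android.sdk.messaging.CountlyPushReceiver"
              android:exported="true"
              android:permission="com.universales.banco_antigua.CountlyPush.BROADCAST_PERMISSION"/>
    <activity android:name="ly.count.android.sdk.messaging.CountlyPushActivity"
              android:taskAffinity="ly.count.android.sdk"/>
    <activity android:name="com.universales.banco_antigua.MainActivity"/>
  </application>
</manifest>
"""


def analyse_manifest(xml_text):
    """Return a list of (component name, issue) tuples."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    # protectionLevel of every permission the app itself declares
    # (an undeclared protectionLevel defaults to "normal")
    declared = {
        p.get(ANDROID + "name"): (p.get(ANDROID + "protectionLevel") or "normal")
        for p in root.iter("permission")
    }
    issues = []
    for comp in root.find("application"):
        name = comp.get(ANDROID + "name")
        exported = comp.get(ANDROID + "exported") == "true"
        perm = comp.get(ANDROID + "permission")
        if exported and perm is None:
            issues.append((name, "exported without any permission"))
        elif exported:
            level = declared.get(perm)
            if level is None:
                issues.append((name, f"guarded by undeclared permission {perm}; "
                                     "check its protectionLevel where it is defined"))
            elif level.split("|")[0] in WEAK_LEVELS:
                issues.append((name, f"guarded by {perm} with protectionLevel {level}; "
                                     "any app can obtain it"))
        if comp.tag == "activity":
            affinity = comp.get(ANDROID + "taskAffinity")
            if affinity is not None and affinity != package:
                issues.append((name, f"taskAffinity set to {affinity}"))
    return issues


if __name__ == "__main__":
    for component, issue in analyse_manifest(SAMPLE_MANIFEST):
        print(f"{component}: {issue}")
```

On the sample manifest this reports the Firebase receiver (permission not declared locally), the Countly receiver (declared with normal level, so any app can obtain it) and the Countly activity (custom affinity), and nothing for MainActivity. Run it against the real decoded manifest to see which of the report's two warnings survive once the declaring package of each permission is known.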

CODE ANALYSIS

1. The App logs information. Sensitive information should never be logged.
   Severity: info
   Standards: CWE-532: Insertion of Sensitive Information into Log File; OWASP MASVS: MSTG-STORAGE-3
   Files: a1/a.java, a1/b.java, a1/b0.java, a1/d.java, a1/e.java, a1/h0.java, a2/c.java, com/pichillilorenzo/flutter_inappwebview/JavaScriptBridgeInterface.java, com/pichillilorenzo/flutter_inappwebview/ServiceWorkerManager.java, com/pichillilorenzo/flutter_inappwebview/Util.java, com/pichillilorenzo/flutter_inappwebview/chrome_custom_tabs/CustomTabsHelper.java, com/pichillilorenzo/flutter_inappwebview/content_blocker/ContentBlockerHandler.java, com/pichillilorenzo/flutter_inappwebview/in_app_browser/InAppBrowserActivity.java, com/pichillilorenzo/flutter_inappwebview/in_app_browser/InAppBrowserManager.java, com/pichillilorenzo/flutter_inappwebview/in_app_webview/DisplayListenerProxy.java, com/pichillilorenzo/flutter_inappwebview/in_app_webview/FlutterWebView.java, com/pichillilorenzo/flutter_inappwebview/in_app_webview/InAppWebView.java, com/pichillilorenzo/flutter_inappwebview/in_app_webview/InAppWebViewChromeClient.java, com/pichillilorenzo/flutter_inappwebview/in_app_webview/InAppWebViewClient.java, com/pichillilorenzo/flutter_inappwebview/in_app_webview/InAppWebViewRenderProcessClient.java, com/pichillilorenzo/flutter_inappwebview/in_app_webview/InputAwareWebView.java, d1/a.java, d1/d.java, e0/b.java, e1/m.java, f2/b.java, k1/l.java, ly/count/android/sdk/messaging/d.java, ly/count/dart/countly_flutter/CountlyFlutterPlugin.java, ly/count/dart/countly_flutter/CountlyMessagingService.java, m0/k.java, m1/a.java, n0/a.java, n1/a.java, p1/c.java, q/d.java, r1/f.java, w1/b.java, w1/c.java, w1/l.java, w1/n.java, w1/o.java, x0/d.java, x0/g.java, x0/h.java, x0/m.java, x0/n.java, x3/d0.java, y2/a.java, y2/b.java, y2/c.java, z0/b.java, z0/o.java, z0/s.java, z1/b.java

2. The App uses an insecure Random Number Generator.
   Severity: warning
   Standards: CWE-330: Use of Insufficiently Random Values; OWASP Top 10: M5: Insufficient Cryptography; OWASP MASVS: MSTG-CRYPTO-6
   Files: l3/a.java, l3/b.java, m3/a.java

3. App uses SQLite Database and executes raw SQL queries. Untrusted user input in raw SQL queries can cause SQL Injection. Also, sensitive information should be encrypted before being written to the database.
   Severity: warning
   Standards: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'); OWASP Top 10: M7: Client Code Quality
   Files: com/pichillilorenzo/flutter_inappwebview/credential_database/CredentialDatabaseHelper.java, r0/d0.java, r0/e0.java, r0/z.java

4. This App copies data to the clipboard. Sensitive data should not be copied to the clipboard, as other applications can access it.
   Severity: info
   Standards: OWASP MASVS: MSTG-STORAGE-10
   Files: io/flutter/plugin/editing/e.java, io/flutter/plugin/platform/f.java

5. This App uses SSL certificate pinning to detect or prevent MITM attacks in the secure communication channel.
   Severity: secure
   Standards: OWASP MASVS: MSTG-NETWORK-4
   Files: x3/b.java, z3/e.java

6. Files may contain hardcoded sensitive information like usernames, passwords, keys etc.
   Severity: warning
   Standards: CWE-312: Cleartext Storage of Sensitive Information; OWASP Top 10: M9: Reverse Engineering; OWASP MASVS: MSTG-STORAGE-14
   Files: com/pichillilorenzo/flutter_inappwebview/credential_database/URLCredentialContract.java, com/pichillilorenzo/flutter_inappwebview/types/URLCredential.java, x3/d.java

7. SHA-1 is a weak hash known to have hash collisions.
   Severity: warning
   Standards: CWE-327: Use of a Broken or Risky Cryptographic Algorithm; OWASP Top 10: M5: Insufficient Cryptography; OWASP MASVS: MSTG-CRYPTO-4
   Files: z1/b.java

8. App creates temp file. Sensitive information should never be written into a temp file.
   Severity: warning
   Standards: CWE-276: Incorrect Default Permissions; OWASP Top 10: M2: Insecure Data Storage; OWASP MASVS: MSTG-STORAGE-2
   Files: d2/c.java, z1/c.java

9. This App may have root detection capabilities.
   Severity: secure
   Standards: OWASP MASVS: MSTG-RESILIENCE-1
   Files: x3/i.java

Triage note: the listed paths show that most hits sit in bundled third-party code (the flutter_inappwebview plugin, the Countly SDK under ly/count, the Flutter engine under io/flutter) or in name-obfuscated classes (a1/, x0/, z1/ and similar), so each finding should be mapped to the dependency that owns it before being treated as a defect in the app's own code. Findings 3 and 6, for instance, point at flutter_inappwebview's credential database, which stores HTTP-auth credentials for WebViews; whether the app ever populates it is the question to answer, not whether the plugin contains the code. Findings 5 and 9 are rated secure on a pattern match only: confirm that the pinning in x3/b.java and z3/e.java covers the app's own endpoints (ww2.universales.com) rather than only SDK traffic, and that the root check is actually enforced. For finding 7, check whether SHA-1 in z1/b.java protects a security property (signatures, passwords, integrity) or is only used as a non-security identifier before prioritising it.
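Finding 3 is the one in the list whose impact depends entirely on how the query is built. The example below, added here and not taken from the app or from flutter_inappwebview, contrasts a query assembled by string concatenation (the rawQuery pattern MobSF flags) with a bound-parameter query on an in-memory SQLite database. The credential table, its rows and the malicious host value are constructed; Python's sqlite3 module stands in for Android's SQLiteDatabase.rawQuery, whose selectionArgs parameter is the equivalent of the bound query shown.

```python
"""Raw SQL built by string concatenation versus a bound-parameter query,
run against an in-memory SQLite database.  Added example, not code from the
app or from flutter_inappwebview; the credential table is a constructed
stand-in for a WebView HTTP-auth credential store."""
import sqlite3


def make_db():
    """Create the constructed credential table with two sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE credential (host TEXT, realm TEXT, username TEXT, password TEXT)"
    )
    con.executemany(
        "INSERT INTO credential VALUES (?, ?, ?, ?)",
        [
            ("ww2.universales.com", "bank", "alice", "s3cret"),
            ("www.example.com", "test", "bob", "hunter2"),
        ],
    )
    return con


def lookup_raw(con, host):
    """Vulnerable: the host value is spliced into the SQL text, so quote
    characters inside it become part of the query."""
    sql = "SELECT username, password FROM credential WHERE host = '" + host + "'"
    return con.execute(sql).fetchall()


def lookup_bound(con, host):
    """Fixed: the host travels as a bound parameter and is never parsed as SQL
    (the equivalent of passing selectionArgs to rawQuery on Android)."""
    sql = "SELECT username, password FROM credential WHERE host = ?"
    return con.execute(sql, (host,)).fetchall()


# Constructed attacker-controlled value, e.g. a host name taken from a page
# the WebView loaded.  It closes the quote and appends an always-true clause.
MALICIOUS_HOST = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("raw:  ", lookup_raw(db, MALICIOUS_HOST))    # every stored credential
    print("bound:", lookup_bound(db, MALICIOUS_HOST))  # no row matches
```

The raw lookup returns both stored credentials for the crafted host because the resulting text is WHERE host = 'x' OR '1'='1'; the bound lookup returns nothing for the same input and still finds the right row for a legitimate host. The second half of the finding (encrypt sensitive values before writing them) is independent of this: parameterisation stops injection but leaves the stored passwords in cleartext, which is what finding 6 is about.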

SHARED LIBRARY BINARY ANALYSIS

Columns: NX | STACK CANARY | RPATH | RUNPATH | FORTIFY | SYMBOLS STRIPPED (MobSF severity in parentheses)

1. lib/armeabi-v7a/libflutter.so
   NX: True (info) | Stack Canary: True (info) | RPATH: None (info) | RUNPATH: None (info) | Fortify: False (warning) | Symbols Stripped: True (info)

2. lib/armeabi-v7a/libapp.so
   NX: True (info) | Stack Canary: False (high) | RPATH: None (info) | RUNPATH: None (info) | Fortify: False (warning) | Symbols Stripped: True (info)

3. lib/x86_64/libflutter.so
   NX: True (info) | Stack Canary: False (high) | RPATH: None (info) | RUNPATH: None (info) | Fortify: True (info) | Symbols Stripped: True (info)
   Fortified functions: __vsnprintf_chk, __read_chk, __memcpy_chk, __strcpy_chk, __strlen_chk, __strncpy_chk, __memmove_chk

4. lib/x86_64/libapp.so
   NX: True (info) | Stack Canary: False (high) | RPATH: None (info) | RUNPATH: None (info) | Fortify: False (warning) | Symbols Stripped: True (info)

5. lib/arm64-v8a/libflutter.so
   NX: True (info) | Stack Canary: False (high) | RPATH: None (info) | RUNPATH: None (info) | Fortify: True (info) | Symbols Stripped: True (info)
   Fortified functions: __vsnprintf_chk, __read_chk, __memcpy_chk, __strcpy_chk, __strlen_chk, __strncpy_chk, __memmove_chk

6. lib/arm64-v8a/libapp.so
   NX: True (info) | Stack Canary: False (high) | RPATH: None (info) | RUNPATH: None (info) | Fortify: False (warning) | Symbols Stripped: True (info)

Meaning of each column (MobSF's descriptions):
NX (True): The shared object has the NX bit set. This marks a memory page non-executable, making attacker-injected shellcode non-executable.
Stack Canary (True): This shared object has a stack canary value added to the stack so that it will be overwritten by a stack buffer that overflows the return address. This allows detection of overflows by verifying the integrity of the canary before function return.
Stack Canary (False): This shared object does not have a stack canary value added to the stack. Stack canaries are used to detect and prevent exploits from overwriting the return address. Use the option -fstack-protector-all to enable stack canaries.
RPATH (None): The shared object does not have a run-time search path or RPATH set.
RUNPATH (None): The shared object does not have RUNPATH set.
Fortify (True): The shared object has the listed fortified functions.
Fortify (False): The shared object does not have any fortified functions. Fortified functions provide buffer overflow checks against glibc's common insecure functions like strcpy, gets etc. Use the compiler option -D_FORTIFY_SOURCE=2 to fortify functions.
Symbols Stripped (True): Symbols are stripped.

Note on remediation: neither library is compiled by this project. libflutter.so is the prebuilt Flutter engine and libapp.so is the Dart AOT snapshot produced by the Flutter toolchain, so the -fstack-protector-all and -D_FORTIFY_SOURCE=2 advice applies only to NDK-built native code the app itself contains (none is listed here). The canary and FORTIFY results for these two files are properties of the Flutter release in use, and the practical action is to track Flutter engine updates rather than to change compiler flags. Android's libc is Bionic, not glibc; it provides the same __*_chk entry points, which is how the x86_64 and arm64-v8a engine builds show fortified calls. MobSF decides each column from the ELF structure: NX from the PT_GNU_STACK program header, the canary from an imported __stack_chk_fail, FORTIFY from imported __*_chk names, RPATH/RUNPATH from the dynamic section and stripping from the presence of a .symtab section.
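To verify the six columns on a specific .so without MobSF, the following checker reads the ELF64 structures directly. It is an added example, not MobSF's own implementation (MobSF derives these columns with the lief library); it assumes little-endian ELF64 (arm64-v8a and x86_64), treats any __*_chk name in the dynamic string table as a fortified call, and includes a constructed minimal ELF builder so it can be exercised offline. Pass it the bytes of a real lib/arm64-v8a/libapp.so to cross-check the table above.

```python
"""ELF64 hardening checks (NX, stack canary, RPATH/RUNPATH, FORTIFY, symbol
stripping) using only the standard library.  Added example, not MobSF code.
Assumes little-endian ELF64 (arm64-v8a, x86_64); build_elf() constructs a
minimal, non-loadable image so the checker can be exercised offline."""
import struct

PT_LOAD, PT_DYNAMIC, PT_GNU_STACK, PF_X = 1, 2, 0x6474E551, 1
DT_NULL, DT_STRTAB, DT_STRSZ, DT_RPATH, DT_RUNPATH = 0, 5, 10, 15, 29
SHT_SYMTAB = 2
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF header (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")          # program header (56 bytes)
SHDR = struct.Struct("<IIQQQQIIQQ")        # section header (64 bytes)


def check_elf(data):
    """Return the six hardening properties of one ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = EHDR.unpack_from(data, 0)
    phoff, shoff, phentsize, phnum, shentsize, shnum = hdr[5], hdr[6], hdr[9], hdr[10], hdr[11], hdr[12]
    phdrs = [PHDR.unpack_from(data, phoff + i * phentsize) for i in range(phnum)]
    shdrs = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]

    def file_offset(vaddr):  # map a virtual address through the PT_LOAD segments
        for p in phdrs:
            if p[0] == PT_LOAD and p[3] <= vaddr < p[3] + p[5]:
                return p[2] + (vaddr - p[3])
        raise ValueError("address %#x is not file-backed" % vaddr)

    # NX: the stack is non-executable only if PT_GNU_STACK exists without PF_X
    stack_flags = [p[1] for p in phdrs if p[0] == PT_GNU_STACK]
    nx = bool(stack_flags) and not (stack_flags[0] & PF_X)

    # Collect dynamic-section tags (first occurrence wins, as the loader does)
    tags = {}
    for p in phdrs:
        if p[0] == PT_DYNAMIC:
            pos = p[2]
            while True:
                tag, val = struct.unpack_from("<QQ", data, pos)
                if tag == DT_NULL:
                    break
                tags.setdefault(tag, val)
                pos += 16
    off = file_offset(tags[DT_STRTAB])
    strtab = data[off:off + tags[DT_STRSZ]]
    names = set(strtab.decode("latin-1").split("\0"))  # imported + exported names

    def dyn_string(tag):  # DT_RPATH / DT_RUNPATH values are offsets into strtab
        if tag not in tags:
            return None
        start = tags[tag]
        return strtab[start:strtab.index(b"\0", start)].decode("latin-1")

    return {
        "nx": nx,
        "stack_canary": "__stack_chk_fail" in names,
        "rpath": dyn_string(DT_RPATH),
        "runpath": dyn_string(DT_RUNPATH),
        "fortify": sorted(n for n in names if n.startswith("__") and n.endswith("_chk")),
        "symbols_stripped": not any(s[1] == SHT_SYMTAB for s in shdrs),
    }


def build_elf(imports, exec_stack=False, runpath=None, keep_symtab=False):
    """Constructed ELF64 image (ET_DYN, AArch64): one PT_LOAD mapping the whole
    file at vaddr 0, a PT_GNU_STACK, a dynamic section and optional .symtab."""
    dynstr = b"\0" + b"".join(n.encode() + b"\0" for n in imports)
    dyn = [[DT_STRTAB, 0], [DT_STRSZ, 0]]
    if runpath is not None:
        dyn.append([DT_RUNPATH, len(dynstr)])
        dynstr += runpath.encode() + b"\0"
    dyn.append([DT_NULL, 0])
    phnum, shnum = 3, 2 if keep_symtab else 1
    dynstr_off = EHDR.size + phnum * PHDR.size
    dyn_off = dynstr_off + len(dynstr) + (-(dynstr_off + len(dynstr))) % 8
    shoff = dyn_off + 16 * len(dyn)
    total = shoff + shnum * SHDR.size
    dyn[0][1], dyn[1][1] = dynstr_off, len(dynstr)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    out = bytearray(EHDR.pack(ident, 3, 0xB7, 1, 0, EHDR.size, shoff, 0,
                              EHDR.size, PHDR.size, phnum, SHDR.size, shnum, 0))
    out += PHDR.pack(PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    out += PHDR.pack(PT_GNU_STACK, 6 | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 16)
    out += PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, 16 * len(dyn), 16 * len(dyn), 8)
    out += dynstr.ljust(dyn_off - dynstr_off, b"\0")
    for tag, val in dyn:
        out += struct.pack("<QQ", tag, val)
    out += SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)  # mandatory null section header
    if keep_symtab:
        out += SHDR.pack(0, SHT_SYMTAB, 0, 0, 0, 0, 0, 0, 8, 24)
    return bytes(out)


if __name__ == "__main__":
    # libapp.so-like: no canary handler, no _chk imports, stripped
    print(check_elf(build_elf(["memcpy", "strcpy"])))
    # libflutter.so-like (x86_64/arm64 rows): fortified imports present
    print(check_elf(build_elf(["__stack_chk_fail", "__memcpy_chk", "__strcpy_chk"])))
```

Scanning the dynamic string table is the same evidence the report relies on: a stripped library still has to name every symbol it imports, so __stack_chk_fail and the __*_chk helpers remain visible even when .symtab is gone. The one caveat is that the string table also holds exported names, so a library that itself defines a function ending in _chk would be counted as fortified; resolving the dynamic symbol table and keeping only undefined symbols removes that ambiguity.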

NIAP ANALYSIS v1.3

1. FCS_RBG_EXT.1.1 (Security Functional Requirements, Random Bit Generation Services): The application uses no DRBG functionality for its cryptographic operations.
2. FCS_STO_EXT.1.1 (Security Functional Requirements, Storage of Credentials): The application does not store any credentials to non-volatile memory.
3. FCS_CKM_EXT.1.1 (Security Functional Requirements, Cryptographic Key Generation Services): The application generates no asymmetric cryptographic keys.
4. FDP_DEC_EXT.1.1 (Security Functional Requirements, Access to Platform Resources): The application has access to ['network connectivity'].
5. FDP_DEC_EXT.1.2 (Security Functional Requirements, Access to Platform Resources): The application has access to no sensitive information repositories.
6. FDP_NET_EXT.1.1 (Security Functional Requirements, Network Communications): The application has user/application initiated network communications.
7. FDP_DAR_EXT.1.1 (Security Functional Requirements, Encryption Of Sensitive Application Data): The application does not encrypt files in non-volatile memory.
8. FMT_MEC_EXT.1.1 (Security Functional Requirements, Supported Configuration Mechanism): The application invokes the mechanisms recommended by the platform vendor for storing and setting configuration options.
9. FTP_DIT_EXT.1.1 (Security Functional Requirements, Protection of Data in Transit): The application does encrypt some transmitted data with HTTPS/TLS/SSH between itself and another trusted IT product.
10. FCS_COP.1.1(2) (Selection-Based Security Functional Requirements, Cryptographic Operation - Hashing): The application performs cryptographic hashing services in accordance with a specified cryptographic algorithm SHA-1/SHA-256/SHA-384/SHA-512 and message digest sizes 160/256/384/512 bits.
11. FCS_HTTPS_EXT.1.1 (Selection-Based Security Functional Requirements, HTTPS Protocol): The application implements the HTTPS protocol that complies with RFC 2818.
12. FCS_HTTPS_EXT.1.2 (Selection-Based Security Functional Requirements, HTTPS Protocol): The application implements HTTPS using TLS.
13. FCS_HTTPS_EXT.1.3 (Selection-Based Security Functional Requirements, HTTPS Protocol): The application notifies the user and does not establish the connection, or requests application authorization to establish the connection, if the peer certificate is deemed invalid.
14. FIA_X509_EXT.1.1 (Selection-Based Security Functional Requirements, X.509 Certificate Validation): The application invokes platform-provided functionality to validate certificates in accordance with the following rules: ['The certificate path must terminate with a trusted CA certificate'].
15. FIA_X509_EXT.2.1 (Selection-Based Security Functional Requirements, X.509 Certificate Authentication): The application uses X.509v3 certificates as defined by RFC 5280 to support authentication for HTTPS, TLS.
16. FPT_TUD_EXT.2.1 (Selection-Based Security Functional Requirements, Integrity for Installation and Update): The application shall be distributed using the format of the platform-supported package manager.

Note: these statements are inferred by MobSF from API-usage patterns in the decompiled code, not from functional testing, and some sit uneasily with the code-analysis findings. Read item 1 against finding 2 (an insecure random number generator is used), item 2 against finding 3 (a credential database exists in the flutter_inappwebview plugin), item 7 against finding 8 (temp files are created) and item 10 against finding 7 (SHA-1 is among the hashes used), and confirm each before relying on the NIAP statement.

DOMAIN MALWARE CHECK

DOMAIN | STATUS | IP | GEOLOCATION (country, region, city, latitude, longitude)
1. via.placeholder.com | ok | 52.72.150.222 | United States of America, Virginia, Ashburn, 39.043720, -77.487488
2. www.w3.org | ok | 104.18.22.19 | United States of America, California, San Francisco, 37.775700, -122.395203
3. ww2.universales.com | ok | 104.20.216.102 | United States of America, California, San Francisco, 37.775700, -122.395203
4. www.example.com | ok | 93.184.216.34 | United States of America, Virginia, Ashburn, 39.043720, -77.487488
5. github.com | ok | 140.82.114.3 | United States of America, California, San Francisco, 37.775700, -122.395203
6. i3.ytimg.com | ok | 142.250.189.142 | United States of America, California, Mountain View, 37.405991, -122.078514
7. developer.android.com | ok | 142.250.217.238 | United States of America, California, Mountain View, 37.405991, -122.078514
8. purl.org | ok | 207.241.239.241 | United States of America, California, San Francisco, 37.781734, -122.459435
9. api.flutter.dev | ok | 199.36.158.100 | United States of America, California, Mountain View, 37.405991, -122.078514
10. flutter.dev | ok | 199.36.158.100 | United States of America, California, Mountain View, 37.405991, -122.078514
11. plus.google.com | ok | 142.250.217.206 | United States of America, California, Mountain View, 37.405991, -122.078514
12. www.youtube.com | ok | 142.250.217.206 | United States of America, California, Mountain View, 37.405991, -122.078514

Note: "ok" means the host was not found on MobSF's malware domain list; it says nothing about how the app uses the host. Only ww2.universales.com looks like the app operator's own backend; the other names are URLs embedded in the Flutter engine, Dart SDK and plugin code (documentation links, XML namespaces, placeholder image and video hosts) and are not evidence of runtime traffic. The geolocation is that of the CDN edge the name resolved to at scan time, not of the operator.
EMAILS

EMAIL | FILE
[email protected] | x0/s.java
[email protected], _typeerror@0150898._create, [email protected], _growablelist@0150898._literal, _bytebuffer@7027147._new, _casterror@0150898._create, _assertionerror@0150898._create, _immutablelist@0150898._jk | lib/armeabi-v7a/libapp.so
[email protected] | lib/arm64-v8a/libflutter.so

Note: the addresses shown as [email protected] were masked in the hosted copy of this report and are not recoverable from it. The remaining libapp.so entries (for example _growablelist@0150898._literal) are Dart private-symbol names from the AOT snapshot, which use the form _name@libraryhash and happen to match MobSF's e-mail pattern; they are not addresses.

TRACKERS

TRACKER | CATEGORIES | URL
Countly | Analytics, Profiling | https://reports.exodus-privacy.eu.org/trackers/122

Report Generated by - MobSF v3.6.3 Beta


Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment
framework capable of performing static and dynamic analysis.

© 2023 Mobile Security Framework - MobSF | Ajin Abraham | OpenSecurity.
