Mob SF

The Android static analysis report contains information about an app called SGB Mobile. It found 4 high risk issues and 7 medium risk issues. The app was assigned an overall security score of 59 out of 100, indicating a medium risk level. It was signed properly but supports older Android versions without important security updates. It also exposes a service that could potentially be accessed by other apps.


ANDROID STATIC ANALYSIS REPORT

SGB Mobile (42)


File Name: SGB_ANDROID_TEST.apk

Package Name: com.icsfs.sgb

Scan Date: Jan. 27, 2024, 8:57 a.m.

App Security Score: 59/100 (MEDIUM RISK)

Grade: B

FINDINGS SEVERITY
HIGH: 4 | MEDIUM: 7 | INFO: 1 | SECURE: 5 | HOTSPOT: 1

FILE INFORMATION
File Name: SGB_ANDROID_TEST.apk
Size: 16.28MB
MD5: ad5106226b1d83f5ff9db90595c517b6
SHA1: 1127ca3061db253cd94f39d74a4989bef1b894fb
SHA256: 4482d15e34304e380cbb71ce88cce5d1a6864ee59fc908eae34c0d41d6ec7250

APP INFORMATION
App Name: SGB Mobile
Package Name: com.icsfs.sgb
Main Activity: com.icsfs.mobile.common.Splash
Target SDK: 33
Min SDK: 24
Max SDK:
Android Version Name: 42
Android Version Code: 42
APP COMPONENTS
Activities: 220
Services: 1
Receivers: 0
Providers: 1
Exported Activities: 0
Exported Services: 1
Exported Receivers: 0
Exported Providers: 0

CERTIFICATE INFORMATION
Binary is signed
v1 signature: False
v2 signature: True
v3 signature: False
v4 signature: False
X.509 Subject: C=JO, ST=amman, L=amman, O=icsfs, OU=icsfs, CN=icsfs
Signature Algorithm: rsassa_pkcs1v15
Valid From: 2021-02-16 10:57:15+00:00
Valid To: 2046-02-10 10:57:15+00:00
Issuer: C=JO, ST=amman, L=amman, O=icsfs, OU=icsfs, CN=icsfs
Serial Number: 0x521c7257
Hash Algorithm: sha256
md5: 1847bf1f1f48c8fd822972f91f50235d
sha1: ac7adee54f2c94902be1a240ba7c60730bb75aa0
sha256: 49e633ce39464f66285007c897f89058e085cad8b2237aad18552523a50aeedb
sha512: ef6dc899c9f913a89d849f25e85329f680961f1defa6d4a99556710a5279611654ed94d3fc5735c5e7df9bc54b45346ac796058e169100c1f57295c7f535eba2
PublicKey Algorithm: rsa
Bit Size: 2048
Fingerprint: aef2ee049b2ac98572435f2226f095adc4f6002359e604cc84372f2ee7b225bf
Found 1 unique certificates
APPLICATION PERMISSIONS

PERMISSION | STATUS | INFO | DESCRIPTION
android.permission.WRITE_EXTERNAL_STORAGE | dangerous | read/modify/delete external storage contents | Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE | dangerous | read external storage contents | Allows an application to read from external storage.
android.permission.CAMERA | dangerous | take pictures and videos | Allows application to take pictures and videos with the camera. This allows the application to collect images that the camera is seeing at any time.
android.permission.READ_CONTACTS | dangerous | read contact data | Allows an application to read all of the contact (address) data stored on your phone. Malicious applications can use this to send your data to other people.
android.permission.BLUETOOTH | normal | create Bluetooth connections | Allows applications to connect to paired bluetooth devices.
android.permission.INTERNET | normal | full Internet access | Allows an application to create network sockets.
android.permission.CHANGE_NETWORK_STATE | normal | change network connectivity | Allows applications to change network connectivity state.
android.permission.ACCESS_NETWORK_STATE | normal | view network status | Allows an application to view the status of all networks.
android.permission.USE_FINGERPRINT | normal | allow use of fingerprint | This constant was deprecated in API level 28. Applications should request USE_BIOMETRIC instead.
android.permission.USE_BIOMETRIC | normal | allows use of device-supported biometric modalities | Allows an app to use device supported biometric modalities.

APKID ANALYSIS

FILE | FINDINGS | DETAILS
classes2.dex | Compiler | dx
classes.dex | Anti-VM Code | Build.FINGERPRINT check, Build.MANUFACTURER check, possible Build.SERIAL check, Build.TAGS check
classes.dex | Compiler | unknown (please file detection issue!)

NETWORK SECURITY
HIGH: 0 | WARNING: 0 | INFO: 0 | SECURE: 2

NO | SCOPE | SEVERITY | DESCRIPTION
1 | * | secure | Base config is configured to disallow clear text traffic to all domains.
2 | ebank.sgbsy.com, test.sgbsy.com | secure | Domain config is securely configured to disallow clear text traffic to these domains in scope.

CERTIFICATE ANALYSIS
HIGH: 0 | WARNING: 0 | INFO: 1

TITLE | SEVERITY | DESCRIPTION
Signed Application | info | Application is signed with a code signing certificate

MANIFEST ANALYSIS
HIGH: 1 | WARNING: 1 | INFO: 0 | SUPPRESSED: 0

NO | ISSUE | SEVERITY | DESCRIPTION
1 | App can be installed on a vulnerable unpatched Android version: Android 7.0, [minSdk=24] | high | This application can be installed on an older version of Android that has multiple unfixed vulnerabilities. These devices won't receive reasonable security updates from Google. Support an Android version >= 10, API 29 to receive reasonable security updates.
2 | App has a Network Security Configuration [android:networkSecurityConfig=@xml/network_security_config] | info | The Network Security Configuration feature lets apps customize their network security settings in a safe, declarative configuration file without modifying app code. These settings can be configured for specific domains and for a specific app.
3 | Service (com.google.android.gms.auth.api.signin.RevocationBoundService) is protected by a permission, but the protection level of the permission should be checked. Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true] | warning | A Service is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

CODE ANALYSIS
HIGH: 3 | WARNING: 5 | INFO: 1 | SECURE: 2 | SUPPRESSED: 0

NO | SEVERITY | ISSUE / STANDARDS / FILES

1 | warning | Insecure WebView Implementation. Execution of user controlled code in WebView is a critical Security Hole.
    Standards: CWE-749: Exposed Dangerous Method or Function; OWASP Top 10: M1: Improper Platform Usage; OWASP MASVS: MSTG-PLATFORM-7
    Files:
    com/icsfs/mobile/home/account/Accounts.java
    com/icsfs/mobile/home/account/Charts.java
    com/icsfs/mobile/home/account/OffersAndProducts.java
    com/icsfs/mobile/home/account/OffersAndProducts2.java
    com/icsfs/mobile/main/TermsAndConditions.java

2 | info | The App logs information. Sensitive information should never be logged.
    Standards: CWE-532: Insertion of Sensitive Information into Log File; OWASP MASVS: MSTG-STORAGE-3
    Files:
    com/bumptech/glide/Glide.java
    com/bumptech/glide/load/data/mediastore/ThumbFetcher.java
    com/bumptech/glide/load/engine/DecodeJob.java
    com/bumptech/glide/load/engine/Engine.java
    com/bumptech/glide/load/engine/SourceGenerator.java
    com/bumptech/glide/load/engine/executor/RuntimeCompat.java
    com/bumptech/glide/load/model/ByteBufferFileLoader.java
    com/bumptech/glide/load/model/FileLoader.java
    com/bumptech/glide/load/model/ResourceLoader.java
    com/bumptech/glide/load/resource/bitmap/Downsampler.java
    com/bumptech/glide/load/resource/gif/ByteBufferGifDecoder.java
    com/bumptech/glide/load/resource/gif/StreamGifDecoder.java
    com/bumptech/glide/manager/RequestManagerFragment.java
    com/bumptech/glide/manager/RequestManagerRetriever.java
    com/bumptech/glide/manager/SupportRequestManagerFragment.java
    com/bumptech/glide/request/SingleRequest.java
    com/bumptech/glide/util/ContentLengthInputStream.java
    com/icsfs/mobile/Login.java
    com/icsfs/mobile/common/SessionAccountStatement.java
    com/icsfs/mobile/common/SessionCard.java
    com/icsfs/mobile/database/DataBaseHelper.java
    com/icsfs/mobile/fatoracards/DebitCardsList.java
    com/icsfs/mobile/home/beneficiary/NewBeneficiaryInternational.java
    com/icsfs/mobile/home/cards/cardless/FragmentCardLess.java
    com/icsfs/mobile/home/registration/UserRegistrationConf.java
    com/icsfs/mobile/home/registration/UserRegistrationOTP.java
    com/icsfs/mobile/main/kyc/fragment/_1_BasicInfo.java
    com/icsfs/mobile/main/kyc/fragment/_2_ResidAddress.java
    com/icsfs/mobile/main/kyc/fragment/_3_PersInfo.java
    com/icsfs/mobile/main/kyc/fragment/_4_EmpInfo.java
    com/icsfs/mobile/main/kyc/fragment/_5_inancialInfo.java
    com/icsfs/mobile/main/kyc/fragment/_6_Beneficiary.java
    com/icsfs/mobile/main/kyc/fragment/_7_Politicals.java
    com/icsfs/mobile/main/kyc/fragment/_8_FATCA.java
    com/icsfs/mobile/mobilepayment/MTN.java
    com/icsfs/mobile/mobilepayment/MTNConfirm.java
    com/icsfs/mobile/mobilepayment/Syriatel.java
    com/icsfs/mobile/mobilepayment/SyriatelConf.java
    com/icsfs/mobile/notification/IncomingSms.java
    com/icsfs/mobile/ocr/_1_PersonalDetails_2.java
    com/journeyapps/barcodescanner/CaptureManager.java
    com/journeyapps/barcodescanner/DecoderThread.java
    com/journeyapps/barcodescanner/camera/CameraInstance.java
    com/smarteist/autoimageslider/SliderView.java
    org/mobile/banking/sep/CallHttpsTrustManager.java
    org/mobile/banking/sep/common/CommonMethodsSy.java

3 | warning | App creates temp file. Sensitive information should never be written into a temp file.
    Standards: CWE-276: Incorrect Default Permissions; OWASP Top 10: M2: Insecure Data Storage; OWASP MASVS: MSTG-STORAGE-2
    Files:
    com/icsfs/mobile/ocr/_1_PersonalDetails_2.java
    com/journeyapps/barcodescanner/CaptureManager.java
    com/theartofdev/edmodo/cropper/CropImageActivity.java

4 | warning | Files may contain hardcoded sensitive information like usernames, passwords, keys etc.
    Standards: CWE-312: Cleartext Storage of Sensitive Information; OWASP Top 10: M9: Reverse Engineering; OWASP MASVS: MSTG-STORAGE-14
    Files:
    com/bumptech/glide/manager/RequestManagerRetriever.java
    com/icsfs/efawatercom/datatransfer/RequestCommonDT.java
    com/icsfs/mobile/common/ConstantsParams.java
    com/icsfs/mobile/database/DBMetaData.java
    com/icsfs/mobile/home/account/Contents.java
    com/icsfs/mobile/ocr/dt/OtinfWfObj.java
    com/icsfs/ws/datatransfer/BankParameterDT.java
    com/icsfs/ws/datatransfer/GenericResponse.java
    com/icsfs/ws/datatransfer/RequestCommonDT.java
    com/icsfs/ws/datatransfer/blc/BLCSuccessRespDT.java
    com/icsfs/ws/datatransfer/chequebook/PostDateChequeDT.java
    com/icsfs/ws/datatransfer/client/BeneficiaryDT.java
    com/icsfs/ws/datatransfer/client/ChequeBookDT.java
    com/icsfs/ws/datatransfer/client/TransferDT.java
    com/icsfs/ws/datatransfer/loan/LoanDT.java
    com/icsfs/ws/datatransfer/prepaid/dt/CommonReqDt.java
    org/mobile/banking/sep/webServices/customerAuth/type/CustAuthOutDT.java

5 | high | The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
    Standards: CWE-649: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking; OWASP Top 10: M5: Insufficient Cryptography; OWASP MASVS: MSTG-CRYPTO-3
    Files:
    com/icsfs/mobile/Login.java

6 | high | Insecure Implementation of SSL. Trusting all the certificates or accepting self signed certificates is a critical Security Hole. This application is vulnerable to MITM attacks.
    Standards: CWE-295: Improper Certificate Validation; OWASP Top 10: M3: Insecure Communication; OWASP MASVS: MSTG-NETWORK-3
    Files:
    org/mobile/banking/sep/CallHttpsTrustManager.java

7 | warning | SHA-1 is a weak hash known to have hash collisions.
    Standards: CWE-327: Use of a Broken or Risky Cryptographic Algorithm; OWASP Top 10: M5: Insufficient Cryptography; OWASP MASVS: MSTG-CRYPTO-4
    Files:
    com/icsfs/mobile/common/HashingSession.java

8 | secure | This App may have root detection capabilities.
    Standards: OWASP MASVS: MSTG-RESILIENCE-1
    Files:
    com/icsfs/mobile/common/ROMTesting.java

9 | secure | This App uses SSL certificate pinning to detect or prevent MITM attacks in secure communication channel.
    Standards: OWASP MASVS: MSTG-NETWORK-4
    Files:
    com/icsfs/mobile/common/MyRetrofit.java

10 | warning | App can read/write to External Storage. Any App can read data written to External Storage.
    Standards: CWE-276: Incorrect Default Permissions; OWASP Top 10: M2: Insecure Data Storage; OWASP MASVS: MSTG-STORAGE-2
    Files:
    com/icsfs/mobile/ocr/_1_PersonalDetails_2.java

11 | high | The file or SharedPreference is World Writable. Any App can write to the file.
    Standards: CWE-276: Incorrect Default Permissions; OWASP Top 10: M2: Insecure Data Storage; OWASP MASVS: MSTG-STORAGE-2
    Files:
    com/icsfs/mobile/drawer/NavigationDrawerFragment.java

NIAP ANALYSIS v1.3

NO | IDENTIFIER | REQUIREMENT | FEATURE | DESCRIPTION

ABUSED PERMISSIONS

TYPE | MATCHES | PERMISSIONS
Malware Permissions | 6/24 | android.permission.WRITE_EXTERNAL_STORAGE, android.permission.READ_EXTERNAL_STORAGE, android.permission.CAMERA, android.permission.READ_CONTACTS, android.permission.INTERNET, android.permission.ACCESS_NETWORK_STATE
Other Common Permissions | 2/45 | android.permission.BLUETOOTH, android.permission.CHANGE_NETWORK_STATE

Malware Permissions: Top permissions that are widely abused by known malware.
Other Common Permissions: Permissions that are commonly abused by known malware.

OFAC SANCTIONED COUNTRIES


This app may communicate with the following OFAC sanctioned list of countries.

DOMAIN COUNTRY/REGION

DOMAIN MALWARE CHECK

DOMAIN | STATUS | GEOLOCATION
maps.google.com | ok | IP: 142.250.189.206; Country: United States of America; Region: California; City: Mountain View; Latitude: 37.405991; Longitude: -122.078514
m.facebook.com | ok | IP: 157.240.22.35; Country: United States of America; Region: California; City: San Jose; Latitude: 37.339390; Longitude: -121.894958
test.sgbsy.com | ok | IP: 91.144.21.179; Country: Syrian Arab Republic; Region: Hims; City: Homs; Latitude: 34.726822; Longitude: 36.723389
www.ajib.com | ok | IP: 172.67.163.163; Country: Japan; Region: Tokyo; City: Tokyo; Latitude: 35.689507; Longitude: 139.691696
ebank.sgbsy.com | ok | IP: 91.144.21.180; Country: Syrian Arab Republic; Region: Hims; City: Homs; Latitude: 34.726822; Longitude: 36.723389
journeyapps.com | ok | IP: 18.160.46.124; Country: United States of America; Region: Washington; City: Seattle; Latitude: 47.627499; Longitude: -122.346199
github.com | ok | IP: 192.30.255.112; Country: United States of America; Region: California; City: San Francisco; Latitude: 37.775700; Longitude: -122.395203
play.google.com | ok | IP: 142.251.46.174; Country: United States of America; Region: California; City: Mountain View; Latitude: 37.405991; Longitude: -122.078514

HARDCODED SECRETS

POSSIBLE SECRETS

"library_zxingandroidembedded_author" : "JourneyApps"

"library_zxingandroidembedded_authorWebsite" : "https://journeyapps.com/"

"password" : "Password"

01360240043788015936020505

PW21CUS06/customerOnboarding

sha256/ZnSm3MWSUxiL+EhkzEDaCA+3qEr3pd7fRIOzMQSXq0U=

258EAFA5-E914-47DA-95CA-C5AB0DC85B11

PLAYSTORE INFORMATION
Title: SGB Mobile
Score: 4.1666665
Installs: 5,000+
Price: 0
Android Version Support:
Category: Finance
Play Store URL: com.icsfs.sgb
Developer Details: Syria Gulf Bank, Syria+Gulf+Bank, None, None, [email protected],
Release Date: Jun 23, 2022
Privacy Policy: Privacy link

Description:

Syrian Gulf Bank (SGB) E-banking


Report Generated by - MobSF v3.9.3 Beta
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment
framework capable of performing static and dynamic analysis.

© 2024 Mobile Security Framework - MobSF | Ajin Abraham | OpenSecurity.
