
Static Analysis

The static analysis report for the TruCell application indicates a security score of 56/100, with various permissions including access to location and Bluetooth. The app is signed with a valid certificate from Craft Silicon Pvt Ltd, but has warnings related to potential vulnerabilities, such as being installable on older Android versions and sharing services with other apps. Additionally, there are concerns regarding logging sensitive information and the use of an insecure random number generator.

Uploaded by

Jeevan Das

7/26/24, 12:03 PM Static Analysis
127.0.0.1:8000/static_analyzer/d23b2c27edaa2f6b3f7a7c383e09b0c9/ 1/44

APP SCORES

Security Score: 56/100
Trackers Detection: 0/432

FILE INFORMATION

File Name: TruCell.apk
Size: 23.66MB
MD5: d23b2c27edaa2f6b3f7a7c383e09b0c9
SHA1: 21a21607ee900faf8c8a29d32ab07e672cd44c1b
SHA256: 0848fc96fe0ad0ab3987337d22c8daa17f869e8f68d506f26b728fdacabb77f1

APP INFORMATION

App Name: TruCell
Package Name: com.truecell.ui
Main Activity: com.truecell.ui.Splash_Screen_Form
Target SDK: 34
Min SDK: 26
Max SDK:
Android Version Name: 3.6.91
Android Version Code: 123

Activities: 318
Services: 5
Receivers: 11
Providers: 2
Exported Activities: 0
Exported Services: 1
Exported Receivers: 1
Exported Providers: 0

SIGNER CERTIFICATE

Binary is signed
v1 signature: False
v2 signature: True
v3 signature: False
v4 signature: False
X.509 Subject: C=91, ST=karnataka, L=Bangalore, O=Craft Silicon Pvt Ltd, OU=India, CN=Siva kumar
Signature Algorithm: rsassa_pkcs1v15
Valid From: 2015-02-20 10:43:45+00:00
Valid To: 2114-01-27 10:43:45+00:00
Issuer: C=91, ST=karnataka, L=Bangalore, O=Craft Silicon Pvt Ltd, OU=India, CN=Siva kumar
Serial Number: 0x6f0cf331
Hash Algorithm: sha256
md5: c7d220c4d8ace14e659ea411d3fcb0a2
sha1: 1e54e384bd19b2732d208665ebc06a761c11fab2
sha256: ef76ebe83ed98e8590e1538170269366d470f4d0e6a59d2725e5a3c822a69ccc
sha512: 14ea70cffbafc5c9d8b5600110ce4ba9f58e5016dfd904e29c1807ebd74abdd1fcc67671ca312d2b43dbe5c468b47f7b293d41e098e29827b36a41f2fa1af9bf
PublicKey Algorithm: rsa
Bit Size: 2048
Fingerprint: 6556fd50f0998107af224297ef8fd843ae6bb63dd4758f9b5b8f0f97d86a0ac4
Found 1 unique certificates

APPLICATION PERMISSIONS

android.permission.ACCESS_COARSE_LOCATION
Status: dangerous
Info: coarse (network-based) location
Description: Access coarse location sources, such as the mobile network database, to determine an approximate phone location, where available. Malicious applications can use this to determine approximately where you are.

android.permission.ACCESS_FINE_LOCATION
Status: dangerous
Info: fine (GPS) location
Description: Access fine location sources, such as the Global Positioning System on the phone, where available. Malicious applications can use this to determine where you are and may consume additional battery power.

android.permission.ACCESS_NETWORK_STATE
Status: normal
Info: view network status
Description: Allows an application to view the status of all networks.

android.permission.BLUETOOTH
Status: normal
Info: create Bluetooth connections
Description: Allows applications to connect to paired bluetooth devices.

android.permission.BLUETOOTH_ADMIN
Status: normal
Info: bluetooth administration
Description: Allows applications to discover and pair bluetooth devices.

android.permission.BLUETOOTH_CONNECT
Status: dangerous
Info: necessary for connecting to paired Bluetooth devices.
Description: Required to be able to connect to paired Bluetooth devices.

android.permission.BLUETOOTH_PRIVILEGED
Status: SignatureOrSystem
Info: allows privileged Bluetooth operations without user interaction.
Description: Allows applications to pair bluetooth devices without user interaction, and to allow or disallow phonebook access or message access. This is not available to third party applications.

android.permission.BLUETOOTH_SCAN
Status: dangerous
Info: required for discovering and pairing Bluetooth devices.
Description: Required to be able to discover and pair nearby Bluetooth devices.

android.permission.CAMERA
Status: dangerous
Info: take pictures and videos
Description: Allows application to take pictures and videos with the camera. This allows the application to collect images that the camera is seeing at any time.

android.permission.FOREGROUND_SERVICE
Status: normal
Info: enables regular apps to use Service.startForeground.
Description: Allows a regular application to use Service.startForeground.

Showing 1 to 10 of 19 entries

ANDROID API

Android Notifications
Base64 Decode
Base64 Encode
Certificate Handling
Content Provider
Crypto
Dynamic Class and Dexloading
Execute OS Command
Get Installed Applications
Get Running App Processes

Showing 1 to 10 of 29 entries

BROWSABLE ACTIVITIES

No data available in table

NETWORK SECURITY

No data available in table

CERTIFICATE ANALYSIS

High: 0
Warning: 0
Info: 1

Title: Signed Application
Severity: info
Description: Application is signed with a code signing certificate

MANIFEST ANALYSIS

High: 0
Warning: 3
Info: 0
Suppressed: 0

1
Issue: App can be installed on a vulnerable Android version Android 8.0, [minSdk=26]
Severity: warning
Description: This application can be installed on an older version of android that has multiple vulnerabilities. Support an Android version => 10, API 29 to receive reasonable security updates.

2
Issue: Service (androidx.work.impl.background.systemjob.SystemJobService) is Protected by a permission, but the protection level of the permission should be checked. Permission: android.permission.BIND_JOB_SERVICE [android:exported=true]
Severity: warning
Description: A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

3
Issue: Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) is Protected by a permission, but the protection level of the permission should be checked. Permission: android.permission.DUMP [android:exported=true]
Severity: warning
Description: A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

CODE ANALYSIS

High: 2
Warning: 7
Info: 2
Secure: 2
Suppressed: 0

1
Issue: The App logs information. Sensitive information should never be logged.
Severity: info
Standards: CWE: CWE-532: Insertion of Sensitive Information into Log File; OWASP MASVS: MSTG-STORAGE-3

2
Issue: App uses SQLite Database and execute raw SQL query. Untrusted user input in raw SQL queries can cause SQL Injection. Also sensitive information should be encrypted and written to the database.
Severity: warning
Standards: CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'); OWASP Top 10: M7: Client Code Quality

3
Issue: The App uses an insecure Random Number Generator.
Severity: warning
Standards: CWE: CWE-330: Use of Insufficiently Random Values; OWASP Top 10: M5: Insufficient Cryptography; OWASP MASVS: MSTG-CRYPTO-6
Files: w4/a.java, w4/b.java, x4/a.java

4
Issue: Files may contain hardcoded sensitive information like usernames, passwords, keys etc.
Severity: warning
Standards: CWE: CWE-312: Cleartext Storage of Sensitive Information; OWASP Top 10: M9: Reverse Engineering; OWASP MASVS: MSTG-STORAGE-14
Files: e4/a.java, g1/a.java

5
Issue: This App may request root (Super User) privileges.
Severity: warning
Standards: CWE: CWE-250: Execution with Unnecessary Privileges; OWASP MASVS: MSTG-RESILIENCE-1
Files: com/truecell/util/RootUtil.java, t3/a.java

6
Issue: App creates temp file. Sensitive information should never be written into a temp file.
Severity: warning
Standards: CWE: CWE-276: Incorrect Default Permissions; OWASP Top 10: M2: Insecure Data Storage; OWASP MASVS: MSTG-STORAGE-2

7
Issue: IP Address disclosure
Severity: warning
Standards: CWE: CWE-200: Information Exposure; OWASP MASVS: MSTG-CODE-2

8
Issue: This App uses SSL certificate pinning to detect or prevent MITM attacks in secure communication channel.
Severity: secure
Standards: OWASP MASVS: MSTG-NETWORK-4

9
Issue: App can read/write to External Storage. Any App can read data written to External Storage.
Severity: warning
Standards: CWE: CWE-276: Incorrect Default Permissions; OWASP Top 10: M2: Insecure Data Storage; OWASP MASVS: MSTG-STORAGE-2

10
Issue: This App uses SQL Cipher. SQLCipher provides 256-bit AES encryption to sqlite database files.
Severity: info
Standards: OWASP MASVS: MSTG-CRYPTO-1
Files: com/truecell/util/TrucellApplication.java

Showing 1 to 10 of 13 entries

SHARED LIBRARY BINARY ANALYSIS

NO  SHARED OBJECT                      NX    STACK CANARY  RELRO       RPATH  RUNPATH  FORTIFY
1   arm64-v8a/libnative-lib.so         True  True          Full RELRO  None   None     True
2   arm64-v8a/libsqlcipher.so          True  True          Full RELRO  None   None     False
3   arm64-v8a/libtoolChecker.so        True  True          Full RELRO  None   None     False
4   armeabi-v7a/libnative-lib.so       True  True          Full RELRO  None   None     True
5   armeabi-v7a/libsqlcipher.so        True  True          Full RELRO  None   None     False
6   armeabi-v7a/libtoolChecker.so      True  True          Full RELRO  None   None     False
7   x86/libnative-lib.so               True  True          Full RELRO  None   None     True
8   x86/libsqlcipher.so                True  True          Full RELRO  None   None     False
9   x86/libtoolChecker.so              True  True          Full RELRO  None   None     False
10  x86_64/libnative-lib.so            True  True          Full RELRO  None   None     True

Severity is info for every column of every row, except FORTIFY, which is info where True and warning where False. The description attached to each column is the same for every row:

NX: The binary has NX bit set. This marks a memory page non-executable making attacker injected shellcode non-executable.
STACK CANARY: This binary has a stack canary value added to the stack so that it will be overwritten by a stack buffer that overflows the return address. This allows detection of overflows by verifying the integrity of the canary before function return.
RELRO: This shared object has full RELRO enabled. RELRO ensures that the GOT cannot be overwritten in vulnerable ELF binaries. In Full RELRO, the entire GOT (.got and .got.plt both) is marked as read-only.
RPATH: The binary does not have run-time search path or RPATH set.
RUNPATH: The binary does not have RUNPATH set.
FORTIFY (True): The binary has the following fortified functions:
  1 arm64-v8a/libnative-lib.so: ['__memmove_chk', '__strlen_chk', '__vsnprintf_chk']
  4 armeabi-v7a/libnative-lib.so: ['__strlen_chk', '__vsnprintf_chk']
  7 x86/libnative-lib.so: ['__memmove_chk', '__strlen_chk', '__vsnprintf_chk']
  10 x86_64/libnative-lib.so: ['__memmove_chk', '__strlen_chk', '__vsnprintf_chk']
FORTIFY (False): The binary does not have any fortified functions. Fortified functions provides buffer overflow checks against glibc's commons insecure functions like strcpy, gets etc. Use the compiler option -D_FORTIFY_SOURCE=2 to fortify functions. This check is not applicable for Dart/Flutter libraries.

Showing 1 to 10 of 24 entries

NIAP ANALYSIS v1.3

No data available in table

FILE ANALYSIS

1
Issue: Certificate/Key files hardcoded inside the app.
Files: assets/public-may2012.p12, assets/uidai_auth_prod.cer, assets/uidai_auth_stage.cer

APKiD ANALYSIS

DEX: classes.dex

Anti Debug Code: Debug.isDebuggerConnected() check
Anti-VM Code:
Build.FINGERPRINT check
Build.MODEL check
Build.MANUFACTURER check
Build.PRODUCT check
Build.HARDWARE check
Build.BOARD check
possible Build.SERIAL check
Build.TAGS check
network operator name check
possible ro.secure check
emulator file check
Compiler: r8 without marker (suspicious)

QUARK ANALYSIS

No data available in table

ABUSED PERMISSIONS

Top Malware Permissions (9/24):
android.permission.INTERNET, android.permission.ACCESS_NETWORK_STATE, android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_FINE_LOCATION, android.permission.READ_PHONE_STATE, android.permission.WAKE_LOCK, android.permission.CAMERA, android.permission.VIBRATE, android.permission.RECEIVE_BOOT_COMPLETED

Other Common Permissions:
android.permission.BLUETOOTH_ADMIN, android.permission.BLUETOOTH, com.google.android.c2dm.permission.RECEIVE, android.permission.FOREGROUND_SERVICE

Malware Permissions are the top permissions that are widely abused by known malware.
Other Common Permissions are permissions that are commonly abused by known malware.

SERVER LOCATIONS

This app may communicate with the following OFAC sanctioned list of countries.

No data available in table

DOMAIN MALWARE CHECK

103.241.181.108
Status: ok
IP: 103.241.181.108
Country: India
Region: Telangana
City: Hyderabad
Latitude: 17.375280
Longitude: 78.474442

maps.google.com
Status: ok
IP: 142.250.183.206
Country: United States of America
Region: California
City: Mountain View
Latitude: 37.405991
Longitude: -122.078514

mbsreg.brnetsaas.com
Status: ok
IP: 206.1.34.45
Country: United States of America
Region: District of Columbia
City: Washington
Latitude: 38.901566
Longitude: -77.050781

mbsreg1.brnetsaas.com
Status: ok
IP: 66.198.169.149
Country: Singapore
Region: Singapore
City: Singapore
Latitude: 1.289670
Longitude: 103.850067

ns.adobe.com
Status: ok
No Geolocation information available.

plus.google.com
Status: ok
IP: 172.217.160.174
Country: United States of America
Region: California
City: Mountain View
Latitude: 37.405991
Longitude: -122.078514

www.esafbank.com
Status: ok
IP: 65.1.188.54
Country: India
Region: Maharashtra
City: Mumbai
Latitude: 19.014410
Longitude: 72.847939

www.openssl.org
Status: ok
IP: 34.36.58.177
Country: United States of America
Region: Texas
City: Houston
Latitude: 29.941401
Longitude: -95.344498

www.suryodaybank.com
Status: ok
IP: 64.185.181.238
Country: United States of America
Region: California
City: Burlingame
Latitude: 37.567020
Longitude: -122.365677

www.uidai.gov.in
Status: ok
IP: 103.57.226.101
Country: India
Region: Karnataka
City: Bengaluru
Latitude: 12.976230
Longitude: 77.603287

Showing 1 to 10 of 11 entries

URLS

URL FILE
data:: com/truecell/ui/About_Form.java
data:: com/truecell/ui/DR_Reports_Details_Level1_Form.java
data:: com/truecell/ui/DR_Reports_Details_Level2_Form.java
data:: com/truecell/ui/Report_Branchlist_Form.java
data:: com/truecell/ui/Report_Officerlist_Form.java
data:: com/truecell/ui/Tracking_Option_Form.java
data::: com/truecell/ui/Attendance_Projection_Form.java
data::: com/truecell/ui/Center_Transaction_Form.java
data::: com/truecell/ui/Loan_Collection_Projection_Form.java
data::: com/truecell/util/AutoDataSync.java

Showing 1 to 10 of 39 entries

FIREBASE DATABASE

EMAILS

EMAIL FILE
[email protected] w1/r.java
[email protected]

TRACKERS

No data available in table

POSSIBLE HARDCODED SECRETS

Showing all 17 secrets

"eng_resetpassword" : "ಗುಪ್ತ ಪದ"
"eng_username" : "UserName"
"eng_resetpassword" : "पासवर्ड"
"eng_Password" : "ಪಾಸ್ವ ರ್ಡ್"
"eng_Authentication" : "ಅಧಿಕೃತಗೊಳಿಸುವುದು"
"eng_Authentication" : "प्रमाणीकरण"
"eng_Authentication" : "Authentication"
"eng_password" : "Password"
"google_maps_key" : "AIzaSyDgHROepVNz_E3wO91aEMSYxnVKwnLgBhg"
"eng_Password" : "पासवर्ड"
"eng_Password" : "Password"
"eng_resetpassword" : "Password"
706b889da35c4992b71f439d3d70f19a
49f946663a8deb7054212b8adda248c6
AIzaSyDgXNuI5xwtTIwLCcYDRHskDFy5ZPAkcXM
c103703e120ae8cc73c9248622f3cd1e

STRINGS

From APK Resource

Show all 8507 strings

From Code

Show all 10901 strings

From Shared Objects


apktool_out/lib/arm64-v8a/libnative-lib.so

Show all 331 strings

apktool_out/lib/arm64-v8a/libsqlcipher.so

Show all 5929 strings

apktool_out/lib/arm64-v8a/libtoolChecker.so

Showing all 3 strings


LOOKING FOR BINARY: %s Absent :(
LOOKING FOR BINARY: %s PRESENT!!!
RootBeer

apktool_out/lib/armeabi-v7a/libnative-lib.so

Show all 333 strings

apktool_out/lib/armeabi-v7a/libsqlcipher.so

Show all 5401 strings

apktool_out/lib/armeabi-v7a/libtoolChecker.so

Showing all 3 strings


LOOKING FOR BINARY: %s Absent :(
LOOKING FOR BINARY: %s PRESENT!!!
RootBeer

apktool_out/lib/x86/libnative-lib.so


Show all 311 strings

apktool_out/lib/x86/libsqlcipher.so

Show all 5735 strings

apktool_out/lib/x86/libtoolChecker.so

Showing all 3 strings


LOOKING FOR BINARY: %s Absent :(
LOOKING FOR BINARY: %s PRESENT!!!
RootBeer

apktool_out/lib/x86_64/libnative-lib.so

Show all 316 strings

apktool_out/lib/x86_64/libsqlcipher.so

Show all 5738 strings

apktool_out/lib/x86_64/libtoolChecker.so

Showing all 3 strings


LOOKING FOR BINARY: %s Absent :(
LOOKING FOR BINARY: %s PRESENT!!!
RootBeer

lib/arm64-v8a/libnative-lib.so

Show all 331 strings

lib/arm64-v8a/libsqlcipher.so

Show all 5929 strings

lib/arm64-v8a/libtoolChecker.so

Showing all 3 strings


LOOKING FOR BINARY: %s Absent :(
LOOKING FOR BINARY: %s PRESENT!!!
RootBeer

lib/armeabi-v7a/libnative-lib.so

Show all 333 strings

lib/armeabi-v7a/libsqlcipher.so

Show all 5401 strings

lib/armeabi-v7a/libtoolChecker.so

Showing all 3 strings


LOOKING FOR BINARY: %s Absent :(
LOOKING FOR BINARY: %s PRESENT!!!
RootBeer

lib/x86/libnative-lib.so

Show all 311 strings

lib/x86/libsqlcipher.so

Show all 5735 strings


lib/x86/libtoolChecker.so

Showing all 3 strings


LOOKING FOR BINARY: %s Absent :(
LOOKING FOR BINARY: %s PRESENT!!!
RootBeer

lib/x86_64/libnative-lib.so

Show all 316 strings

lib/x86_64/libsqlcipher.so

Show all 5738 strings

lib/x86_64/libtoolChecker.so

Showing all 3 strings


LOOKING FOR BINARY: %s Absent :(
LOOKING FOR BINARY: %s PRESENT!!!
RootBeer

ACTIVITIES

Show all 318 activities

SERVICES


Showing all 5 services


com.trucell.gcm.GCMNotificationIntentService
androidx.work.impl.background.systemalarm.SystemAlarmService
androidx.work.impl.background.systemjob.SystemJobService
androidx.work.impl.foreground.SystemForegroundService
androidx.room.MultiInstanceInvalidationService

RECEIVERS

Showing all 11 receivers


com.truecell.util.AutoDataSync
com.truecell.util.NetworkConnectivityReceiver
com.trucell.gcm.GcmBroadcastReceiver
androidx.work.impl.utils.ForceStopRunnable$BroadcastReceiver
androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryChargingProxy
androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryNotLowProxy
androidx.work.impl.background.systemalarm.ConstraintProxy$StorageNotLowProxy
androidx.work.impl.background.systemalarm.ConstraintProxy$NetworkStateProxy
androidx.work.impl.background.systemalarm.RescheduleReceiver
androidx.work.impl.background.systemalarm.ConstraintProxyUpdateReceiver
androidx.work.impl.diagnostics.DiagnosticsReceiver

PROVIDERS

Showing all 2 providers


androidx.core.content.FileProvider
androidx.startup.InitializationProvider

LIBRARIES

Showing all 1 libraries


org.apache.http.legacy

FILES

Show all 2546 files

© 2024 Mobile Security Framework - MobSF | Ajin Abraham | OpenSecurity. Version v3.9.7 Beta
