@pentestguy
Created January 19, 2024 18:36
mobsfscan dummy report
mobsfscan: v0.3.4 | Ajin Abraham | opensecurity.in
<table>
<tbody>
<tr><td>RULE ID </td><td>default_http_client_tls </td></tr>
<tr><td>CWE </td><td>CWE-757: Selection of Less-Secure Algorithm During Negotiation </td></tr>
<tr><td>MASVS </td><td>MSTG-NETWORK-2 </td></tr>
<tr><td>OWASP-MOBILE</td><td>M3: Insecure Communication </td></tr>
<tr><td>REFERENCE </td><td>https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04f-Testing-Network-Communication.md#verifying-data-encryption-on-the-network-mstg-network-1-and-mstg-network-2 </td></tr>
<tr><td>DESCRIPTION </td><td>DefaultHTTPClient() with default constructor is not compatible with TLS 1.2. </td></tr>
<tr><td>SEVERITY </td><td>WARNING </td></tr>
<tr><td>FILES </td><td><table>
<tbody>
<tr><td>File </td><td>/home/pentestguy/myagent/_work/1/a/InsecureBankv2/main/java/com/android/insecurebankv2/ChangePassword.java</td></tr>
<tr><td>Match Position</td><td>28 - 51 </td></tr>
<tr><td>Line Number(s)</td><td>128 </td></tr>
<tr><td>Match String </td><td><pre> HttpClient httpclient = new DefaultHttpClient();</pre> </td></tr>
<tr><td>File </td><td>/home/pentestguy/myagent/_work/1/a/InsecureBankv2/main/java/com/android/insecurebankv2/DoLogin.java </td></tr>
<tr><td>Match Position</td><td>28 - 51 </td></tr>
<tr><td>Line Number(s)</td><td>116 </td></tr>
<tr><td>Match String </td><td><pre> HttpClient httpclient = new DefaultHttpClient();</pre> </td></tr>
<tr><td>File </td><td>/home/pentestguy/myagent/_work/1/a/InsecureBankv2/main/java/com/android/insecurebankv2/DoTransfer.java </td></tr>
<tr><td>Match Position</td><td>28 - 51 </td></tr>
<tr><td>Line Number(s)</td><td>131 </td></tr>
<tr><td>Match String </td><td><pre> HttpClient httpclient = new DefaultHttpClient();</pre> </td></tr>
<tr><td>File </td><td>/home/pentestguy/myagent/_work/1/a/InsecureBankv2/main/java/com/android/insecurebankv2/DoTransfer.java </td></tr>
<tr><td>Match Position</td><td>28 - 51 </td></tr>
<tr><td>Line Number(s)</td><td>262 </td></tr>
<tr><td>Match String </td><td><pre> HttpClient httpclient = new DefaultHttpClient();</pre> </td></tr>
</tbody>
</table></td></tr>
</tbody>
</table>
<table>
<tbody>
<tr><td>RULE ID </td><td>hardcoded_password </td></tr>
<tr><td>CWE </td><td>CWE-798: Use of Hard-coded Credentials </td></tr>
<tr><td>MASVS </td><td>MSTG-STORAGE-14 </td></tr>
<tr><td>OWASP-MOBILE</td><td>M9: Reverse Engineering </td></tr>
<tr><td>REFERENCE </td><td>https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#storing-a-key---example </td></tr>
<tr><td>DESCRIPTION </td><td>A hardcoded password in plain text is identified. </td></tr>
<tr><td>SEVERITY </td><td>WARNING </td></tr>
<tr><td>FILES </td><td><table>
<tbody>
<tr><td>File </td><td>/home/pentestguy/myagent/_work/1/a/InsecureBankv2/main/java/com/android/insecurebankv2/ChangePassword.java </td></tr>
<tr><td>Match Position</td><td>5 - 67 </td></tr>
<tr><td>Line Number(s)</td><td>61: 62 </td></tr>
<tr><td>Match String </td><td><pre> private static final String PASSWORD_PATTERN =
&quot;((?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%]).{6,20})&quot;;</pre></td></tr>
</tbody>
</table></td></tr>
</tbody>
</table>
<table>
<tbody>
<tr><td>RULE ID </td><td>hardcoded_api_key </td></tr>
<tr><td>CWE </td><td>CWE-798: Use of Hard-coded Credentials </td></tr>
<tr><td>MASVS </td><td>MSTG-STORAGE-14 </td></tr>
<tr><td>OWASP-MOBILE</td><td>M9: Reverse Engineering </td></tr>
<tr><td>REFERENCE </td><td>https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#storing-a-key---example </td></tr>
<tr><td>DESCRIPTION </td><td>A hardcoded Key is identified. </td></tr>
<tr><td>SEVERITY </td><td>WARNING </td></tr>
<tr><td>FILES </td><td><table>
<tbody>
<tr><td>File </td><td>/home/pentestguy/myagent/_work/1/a/InsecureBankv2/main/java/com/android/insecurebankv2/CryptoClass.java</td></tr>
<tr><td>Match Position</td><td>2 - 49 </td></tr>
<tr><td>Line Number(s)</td><td>25 </td></tr>
<tr><td>Match String </td><td><pre> String key = &quot;This is the super secret key 123&quot;;</pre> </td></tr>
</tbody>
</table></td></tr>
</tbody>
</table>
<table>
<tbody>
<tr><td>RULE ID </td><td>world_readable </td></tr>
<tr><td>CWE </td><td>CWE-276: Incorrect Default Permissions </td></tr>
<tr><td>MASVS </td><td>MSTG-STORAGE-2 </td></tr>
<tr><td>OWASP-MOBILE</td><td>M2: Insecure Data Storage </td></tr>
<tr><td>REFERENCE </td><td>https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2 </td></tr>
<tr><td>DESCRIPTION </td><td>The file is World Readable. Any App can read from the file. </td></tr>
<tr><td>SEVERITY </td><td>WARNING </td></tr>
<tr><td>FILES </td><td><table>
<tbody>
<tr><td>File </td><td>/home/pentestguy/myagent/_work/1/a/InsecureBankv2/main/java/com/android/insecurebankv2/MyBroadCastReceiver.java </td></tr>
<tr><td>Match Position</td><td>84 - 111 </td></tr>
<tr><td>Line Number(s)</td><td>29 </td></tr>
<tr><td>Match String </td><td><pre> SharedPreferences settings = context.getSharedPreferences(MYPREFS, Context.MODE_WORLD_READABLE);</pre></td></tr>
</tbody>
</table></td></tr>
</tbody>
</table>
<table>
<tbody>
<tr><td>RULE ID </td><td>android_hidden_ui </td></tr>
<tr><td>CWE </td><td>CWE-919: Weaknesses in Mobile Applications </td></tr>
<tr><td>MASVS </td><td>MSTG-STORAGE-7 </td></tr>
<tr><td>OWASP-MOBILE</td><td>M1: Improper Platform Usage </td></tr>
<tr><td>REFERENCE </td><td>https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-for-sensitive-data-disclosure-through-the-user-interface-mstg-storage-7 </td></tr>
<tr><td>DESCRIPTION </td><td>Hidden elements in a view can be used to hide data from the user, but this data can still be leaked. </td></tr>
<tr><td>SEVERITY </td><td>ERROR </td></tr>
<tr><td>FILES </td><td><table>
<tbody>
<tr><td>File </td><td>/home/pentestguy/myagent/_work/1/a/InsecureBankv2/main/java/com/android/insecurebankv2/LoginActivity.java</td></tr>
<tr><td>Match Position</td><td>4 - 47 </td></tr>
<tr><td>Line Number(s)</td><td>55 </td></tr>
<tr><td>Match String </td><td><pre> button_CreateUser.setVisibility(View.GONE);</pre> </td></tr>
</tbody>
</table></td></tr>
</tbody>
</table>
<table>
<tbody>
<tr><td>RULE ID </td><td>android_logging </td></tr>
<tr><td>CWE </td><td>CWE-532: Insertion of Sensitive Information into Log File </td></tr>
<tr><td>MASVS </td><td>MSTG-STORAGE-3 </td></tr>
<tr><td>OWASP-MOBILE</td><td>M1: Improper Platform Usage </td></tr>
<tr><td>REFERENCE </td><td>https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs </td></tr>
<tr><td>DESCRIPTION </td><td>The App logs information. Please ensure that sensitive information is never logged. </td></tr>
<tr><td>SEVERITY </td><td>INFO </td></tr>
<tr><td>FILES </td><td><table>
<tbody>
<tr><td>File </td><td>/home/pentestguy/myagent/_work/1/a/InsecureBankv2/main/java/com/android/insecurebankv2/ChangePassword.java </td></tr>
<tr><td>Match Position</td><td>3 - 46 </td></tr>
<tr><td>Line Number(s)</td><td>86 </td></tr>
<tr><td>Match String </td><td><pre> System.out.println(&quot;newpassword=&quot; + uname);</pre> </td></tr>
<tr><td>File </td><td>/home/pentestguy/myagent/_work/1/a/InsecureBankv2/main/java/com/android/insecurebankv2/ChangePassword.java </td></tr>
<tr><td>Match Position</td><td>37 - 79 </td></tr>
<tr><td>Line Number(s)</td><td>165 </td></tr>
<tr><td>Match String </td><td><pre> System.out.println(&quot;phonno:&quot;+phoneNumber);</pre> </td></tr>
<tr><td>File </td><td>/home/pentestguy/myagent/_work/1/a/InsecureBankv2/main/java/com/android/insecurebankv2/DoTransfer.java </td></tr>
<tr><td>Match Position</td><td>9 - 191 </td></tr>
<tr><td>Line Number(s)</td><td>200 </td></tr>
<tr><td>Match String </td><td><pre> System.out.println(&quot;Message:&quot; + jsonObject.getString(&quot;message&quot;) + &quot; From:&quot; + from.getText().toString() + &quot; To:&quot; + to.getText().toString() + &quot; Amount:&quot; + amount.getText().toString());</pre></td></tr>
<tr><td>File </td><td>/home/pentestguy/myagent/_work/1/a/InsecureBankv2/main/java/com/android/insecurebankv2/DoTransfer.java </td></tr>
<tr><td>Match Position</td><td>29 - 189 </td></tr>
<tr><td>Line Number(s)</td><td>220 </td></tr>
<tr><td>Match String </td><td><pre> System.out.println(&quot;Message:&quot; + &quot;Failure&quot; + &quot; From:&quot; + from.getText().toString() + &quot; To:&quot; + to.getText().toString() + &quot; Amount:&quot; + amount.getText().toString());</pre> </td></tr>
<tr><td>File </td><td>/home/pentestguy/myagent/_work/1/a/InsecureBankv2/main/java/com/android/insecurebankv2/MyBroadCastReceiver.java </td></tr>
<tr><td>Match Position</td><td>17 - 119 </td></tr>
<tr><td>Line Number(s)</td><td>39 </td></tr>
<tr><td>Match String </td><td><pre> System.out.println(&quot;For the changepassword - phonenumber: &quot;+textPhoneno+&quot; password is: &quot;+textMessage);</pre> </td></tr>
<tr><td>File </td><td>/home/pentestguy/myagent/_work/1/a/InsecureBankv2/main/java/com/android/insecurebankv2/ViewStatement.java </td></tr>
<tr><td>Match Position</td><td>3 - 46 </td></tr>
<tr><td>Line Number(s)</td><td>32 </td></tr>
<tr><td>Match String </td><td><pre> System.out.println(fileToCheck.toString());</pre> </td></tr>
</tbody>
</table></td></tr>
</tbody>
</table>
<table>
<tbody>
<tr><td>RULE ID </td><td>cbc_padding_oracle </td></tr>
<tr><td>CWE </td><td>CWE-649: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking </td></tr>
<tr><td>MASVS </td><td>MSTG-CRYPTO-3 </td></tr>
<tr><td>OWASP-MOBILE</td><td>M5: Insufficient Cryptography </td></tr>
<tr><td>REFERENCE </td><td>https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#padding-oracle-attacks-due-to-weaker-padding-or-block-operation-implementations </td></tr>
<tr><td>DESCRIPTION </td><td>The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks. </td></tr>
<tr><td>SEVERITY </td><td>ERROR </td></tr>
<tr><td>FILES </td><td><table>
<tbody>
<tr><td>File </td><td>/home/pentestguy/myagent/_work/1/a/InsecureBankv2/main/java/com/android/insecurebankv2/CryptoClass.java</td></tr>
<tr><td>Match Position</td><td>12 - 54 </td></tr>
<tr><td>Line Number(s)</td><td>55 </td></tr>
<tr><td>Match String </td><td><pre> cipher = Cipher.getInstance(&quot;AES/CBC/PKCS5Padding&quot;);</pre> </td></tr>
<tr><td>File </td><td>/home/pentestguy/myagent/_work/1/a/InsecureBankv2/main/java/com/android/insecurebankv2/CryptoClass.java</td></tr>
<tr><td>Match Position</td><td>19 - 61 </td></tr>
<tr><td>Line Number(s)</td><td>77 </td></tr>
<tr><td>Match String </td><td><pre> Cipher cipher = Cipher.getInstance(&quot;AES/CBC/PKCS5Padding&quot;);</pre> </td></tr>
</tbody>
</table></td></tr>
</tbody>
</table>
<table>
<tbody>
<tr><td>RULE ID </td><td>android_manifest_allow_backup </td></tr>
<tr><td>CWE </td><td>CWE-921 </td></tr>
<tr><td>OWASP-MOBILE</td><td>M1: Improper Platform Usage </td></tr>
<tr><td>MASVS </td><td>MSTG-STORAGE-8 </td></tr>
<tr><td>REFERENCE </td><td>https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#static-analysis-7 </td></tr>
<tr><td>DESCRIPTION </td><td>This flag allows anyone to back up your application data via adb. It allows users who have enabled USB debugging to copy application data off of the device. </td></tr>
<tr><td>SEVERITY </td><td>WARNING </td></tr>
<tr><td>FILES </td><td><table>
<tbody>
<tr><td>File </td><td>/home/pentestguy/myagent/_work/1/a/InsecureBankv2/main/AndroidManifest.xml</td></tr>
<tr><td>Match Position</td><td>1 - 1 </td></tr>
<tr><td>Line Number(s)</td><td>1 </td></tr>
<tr><td>Match String </td><td><pre>android:allowBackup=true</pre> </td></tr>
</tbody>
</table></td></tr>
</tbody>
</table>
<table>
<tbody>
<tr><td>RULE ID </td><td>android_certificate_pinning </td></tr>
<tr><td>CWE </td><td>CWE-295: Improper Certificate Validation </td></tr>
<tr><td>OWASP-MOBILE</td><td>M3: Insecure Communication </td></tr>
<tr><td>MASVS </td><td>MSTG-NETWORK-4 </td></tr>
<tr><td>REFERENCE </td><td>https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 </td></tr>
<tr><td>DESCRIPTION </td><td>This app does not use TLS/SSL certificate or public key pinning in code to detect or prevent MITM attacks on the secure communication channel. Please verify whether pinning is enabled in `network_security_config.xml`.</td></tr>
<tr><td>SEVERITY </td><td>INFO </td></tr>
</tbody>
</table>
<table>
<tbody>
<tr><td>RULE ID </td><td>android_root_detection </td></tr>
<tr><td>CWE </td><td>CWE-919: Weaknesses in Mobile Applications </td></tr>
<tr><td>OWASP-MOBILE</td><td>M8: Code Tampering </td></tr>
<tr><td>MASVS </td><td>MSTG-RESILIENCE-1 </td></tr>
<tr><td>REFERENCE </td><td>https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 </td></tr>
<tr><td>DESCRIPTION </td><td>This app does not have root detection capabilities. Running a sensitive application on a rooted device calls the device's integrity into question and puts user data at risk.</td></tr>
<tr><td>SEVERITY </td><td>INFO </td></tr>
</tbody>
</table>
<table>
<tbody>
<tr><td>RULE ID </td><td>android_prevent_screenshot </td></tr>
<tr><td>CWE </td><td>CWE-200: Information Exposure </td></tr>
<tr><td>OWASP-MOBILE</td><td>M2: Insecure Data Storage </td></tr>
<tr><td>MASVS </td><td>MSTG-STORAGE-9 </td></tr>
<tr><td>REFERENCE </td><td>https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#finding-sensitive-information-in-auto-generated-screenshots-mstg-storage-9</td></tr>
<tr><td>DESCRIPTION </td><td>This app does not have capabilities to prevent screenshots being captured from Recent Task History / Now On Tap etc. </td></tr>
<tr><td>SEVERITY </td><td>INFO </td></tr>
</tbody>
</table>
<table>
<tbody>
<tr><td>RULE ID </td><td>android_certificate_transparency </td></tr>
<tr><td>CWE </td><td>CWE-295: Improper Certificate Validation </td></tr>
<tr><td>OWASP-MOBILE</td><td>M3: Insecure Communication </td></tr>
<tr><td>MASVS </td><td>MSTG-NETWORK-4 </td></tr>
<tr><td>REFERENCE </td><td>https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 </td></tr>
<tr><td>DESCRIPTION </td><td>This app does not enforce TLS Certificate Transparency that helps to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority.</td></tr>
<tr><td>SEVERITY </td><td>INFO </td></tr>
</tbody>
</table>
<table>
<tbody>
<tr><td>RULE ID </td><td>android_safetynet_api </td></tr>
<tr><td>CWE </td><td>CWE-353: Missing Support for Integrity Check </td></tr>
<tr><td>OWASP-MOBILE</td><td>M8: Code Tampering </td></tr>
<tr><td>MASVS </td><td>MSTG-RESILIENCE-1 </td></tr>
<tr><td>REFERENCE </td><td>https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 </td></tr>
<tr><td>DESCRIPTION </td><td>This app does not use the SafetyNet Attestation API, which provides a cryptographically signed attestation assessing the device's integrity. This check helps to ensure that the servers are interacting with the genuine app running on a genuine Android device.</td></tr>
<tr><td>SEVERITY </td><td>INFO </td></tr>
</tbody>
</table>
<table>
<tbody>
<tr><td>RULE ID </td><td>android_detect_tapjacking </td></tr>
<tr><td>CWE </td><td>CWE-200: Information Exposure </td></tr>
<tr><td>OWASP-MOBILE</td><td>M1: Improper Platform Usage </td></tr>
<tr><td>MASVS </td><td>MSTG-PLATFORM-9 </td></tr>
<tr><td>REFERENCE </td><td>https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-for-overlay-attacks-mstg-platform-9 </td></tr>
<tr><td>DESCRIPTION </td><td>This app does not have capabilities to prevent tapjacking attacks. An attacker can hijack the user's taps and trick them into performing critical operations they did not intend to.</td></tr>
<tr><td>SEVERITY </td><td>INFO </td></tr>
</tbody>
</table>