[HELP] : Android/iOS Vulnerability
-
wrote on 5 Sept 2022, 03:21 last edited by jhayar 11 Oct 2022, 01:01
Hi ,
I ran a simple pen test on an APK built with release configuration
And found out that building simple Hello world apk has some vulnerability , although it is rated as low risk , but still those findings were in medium riskPlease see below
What i can fix on this is the 1 2nd findings "Application data can be backed up" android manifest, what i cannot fix is the 1st and 3rd because i have no access on the code is the 3rd medium finding "Files may contain hardcoded sensitive information" because it was related on the QT default java codes , please see below
and has no idea on janus vulnerabilityhow can we fix this concern ?
If the developer works on the company that has strict policy this is something that needs to be fix first before releasing the app otherwise it will not be publish
Update:
i can fix the 1st finding "Janus Vulnerability" . but the 3rd still no ideas , but for documentation , please see below highlighted code that triggers the 3rd findingsQtActivityDelegate.java
QtServiceDelegate.java
QtLoader.java
-
Hi ,
I ran a simple pen test on an APK built with release configuration
And found out that building simple Hello world apk has some vulnerability , although it is rated as low risk , but still those findings were in medium riskPlease see below
What i can fix on this is the 1 2nd findings "Application data can be backed up" android manifest, what i cannot fix is the 1st and 3rd because i have no access on the code is the 3rd medium finding "Files may contain hardcoded sensitive information" because it was related on the QT default java codes , please see below
and has no idea on janus vulnerabilityhow can we fix this concern ?
If the developer works on the company that has strict policy this is something that needs to be fix first before releasing the app otherwise it will not be publish
Update:
i can fix the 1st finding "Janus Vulnerability" . but the 3rd still no ideas , but for documentation , please see below highlighted code that triggers the 3rd findingsQtActivityDelegate.java
QtServiceDelegate.java
QtLoader.java
wrote on 5 Sept 2022, 05:05 last edited byEven companies with strict policies should understand false positives (here triggered by _KEY) in strings and that they are detection tool issues, not flaws of the system tested.
-
wrote on 10 Nov 2022, 01:00 last edited by jhayar 11 Oct 2022, 01:09
okay got that , but theres a vulnerability on 5 files from the qt default java class that needs to enable the antitapjacking ,
you may test it in immuniweb to see it on your self, i think this is not a false positive because it can be prevented by adding the one line code on that.
MISSING TAPJACKING PROTECTION
EDIT ,
Btw , ios has there own vulnerabilityadding the QT library on the simple app (empty /blank) also adds below immuniweb findings
HARDCODED data:
-
wrote on 18 Nov 2022, 12:01 last edited by
Please @QT developer core team if anyone hear me ,
On android i can't convince them that the tapjacking protection findings is a False positive since they need a documentation atleast on QT Website that the said Vulnerabilities are false positive.
on ios , i can't convince them on random and srand function as well as on hardcoded data that it was a false positive , they need a documentation also on this.
Maybe someone can help me with this. thanks
-
Please @QT developer core team if anyone hear me ,
On android i can't convince them that the tapjacking protection findings is a False positive since they need a documentation atleast on QT Website that the said Vulnerabilities are false positive.
on ios , i can't convince them on random and srand function as well as on hardcoded data that it was a false positive , they need a documentation also on this.
Maybe someone can help me with this. thanks
@jhayar said in [HELP] : Android/iOS Vulnerability:
Please @QT developer core team if anyone hear me
If you want to reach Qt developers you should use their developers mailing list or bug tracker.