| _id | apk_filename | scan_timestamp | static_report | dynamic_report | scorecard | findings_count | critical_count | high_count | exploitable |
|---|---|---|---|---|---|---|---|---|---|
76c308fac6a655a3534771777780e004feb1d91be03285776…
|
dvba.apk
|
2026-06-02T22:30:38.420998+00:00
|
{
"_status": "failed",
"_errors": [
"MobSFy failed after 3 attempts — device setup incomplete",
"start_dynamic: HTTP 500 — {'error': 'Cannot Connect to host.docker.internal:5555'}"
]
}
|
{
"high": [
{
"title": "Base config is insecurely configured to permit clear text traffic to all domains",
"description": "Scope:\n*\n\n",
"section": "network"
},
{
"title": "Base config is configured to trust user installed certificates",
"description": "Scope:\n*\n\n",
"section": "network"
},
{
"title": "App can be installed on a vulnerable unpatched Android version 5.0-5.0.2, [minSdk=21]",
"description": "This application can be installed on an older version of android that has multiple unfixed vulnerabilities. These devices won't receive reasonable security updates from Google. Support an Android version => 10, API 29 to receive reasonable security updates.",
"section": "manifest"
},
{
"title": "Clear text traffic is Enabled For App[android:usesCleartextTraffic=true]",
"description": "The app intends to use cleartext network traffic, such as cleartext HTTP, FTP stacks, DownloadManager, and MediaPlayer. The default value for apps that target API level 27 or lower is \"true\". Apps that target API level 28 or higher default to \"false\". The key reason for avoiding cleartext traffic is the lack of confidentiality, authenticity, and protections against tampering; a network attacker can eavesdrop on transmitted data and also modify it without being detected.",
"section": "manifest"
},
{
"title": "App Link assetlinks.json file not found[android:name=com.app.damnvulnerablebank.CurrencyRates][android:host=http://xe.com]",
"description": "App Link asset verification URL (http://xe.com/.well-known/assetlinks.json) not found or configured incorrectly. (Status Code: 301). App Links allow users to redirect from a web URL/email to the mobile app. If this file is missing or incorrectly configured for the App Link host/domain, a malicious app can hijack such URLs. This may lead to phishing attacks, leak sensitive data in the URI, such as PII, OAuth tokens, magic link/password reset tokens and more. You must verify the App Link domain by hosting the assetlinks.json file and enabling verification via [android:autoVerify=\"true\"] in the Activity intent-filter.",
"section": "manifest"
},
{
"title": "App Link assetlinks.json file not found[android:name=com.app.damnvulnerablebank.CurrencyRates][android:host=https://xe.com]",
"description": "App Link asset verification URL (https://xe.com/.well-known/assetlinks.json) not found or configured incorrectly. (Status Code: 403). App Links allow users to redirect from a web URL/email to the mobile app. If this file is missing or incorrectly configured for the App Link host/domain, a malicious app can hijack such URLs. This may lead to phishing attacks, leak sensitive data in the URI, such as PII, OAuth tokens, magic link/password reset tokens and more. You must verify the App Link domain by hosting the assetlinks.json file and enabling verification via [android:autoVerify=\"true\"] in the Activity intent-filter.",
"section": "manifest"
}
],
"warning": [
{
"title": "Base config is configured to trust system certificates",
"description": "Scope:\n*\n\n",
"section": "network"
},
{
"title": "Application Data can be Backed up [android:allowBackup=true]",
"description": "This flag allows anyone to backup your application data via adb. It allows users who have enabled USB debugging to copy application data off of the device.",
"section": "manifest"
},
{
"title": "Activity (com.app.damnvulnerablebank.CurrencyRates) is not Protected. An intent-filter exists.",
"description": "An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Activity is explicitly exported.",
"section": "manifest"
},
{
"title": "Activity (com.app.damnvulnerablebank.SendMoney) is not Protected. [android:exported=true]",
"description": "An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.",
"section": "manifest"
},
{
"title": "Activity (com.app.damnvulnerablebank.ViewBalance) is not Protected. [android:exported=true]",
"description": "An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.",
"section": "manifest"
},
{
"title": "Activity (androidx.biometric.DeviceCredentialHandlerActivity) is not Protected. [android:exported=true]",
"description": "An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.",
"section": "manifest"
},
{
"title": "Activity (com.google.firebase.auth.internal.FederatedSignInActivity) is Protected by a permission, but the protection level of the permission should be checked. Permission: com.google.firebase.auth.api.gms.permission.LAUNCH_FEDERATED_SIGN_IN [android:exported=true]",
"description": "An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.",
"section": "manifest"
},
{
"title": "App can read/write to External Storage. Any App can read data written to External Storage.",
"description": "App can read/write to External Storage. Any App can read data written to External Storage.\nhttps://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage\n\nFiles:\ncom/app/damnvulnerablebank/MainActivity.java, line(s) 175",
"section": "code"
},
{
"title": "This app may contain hardcoded secrets",
"description": "The following secrets were identified from the app. Ensure that these are not secrets or private information.\n\"google_api_key\" : \"AIzaSyBbOHG6DDa6DOcRGEg57mw9nXYXcw6la3c\"\n\"google_crash_reporting_api_key\" : \"AIzaSyBbOHG6DDa6DOcRGEg57mw9nXYXcw6la3c\"\n\"firebase_database_url\" : \"https://damn-vulnerable-bank.firebaseio.com\"\nGmdBWksdEwAZFAlLVEdDX1FKS0JtQU1DHggaBkNXQQFjTkdBTUMJBgMCFQUIFA5MXUFPDxUdBg4PCkNWY05HQU1DFAYaDwgDBlhTTkUSAgwfHQcJBk9rWkkTbRw=",
"section": "secrets"
}
],
"info": [
{
"title": "The App logs information. Sensitive information should never be logged.",
"description": "The App logs information. Sensitive information should never be logged.\nhttps://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs\n\nFiles:\na/a/a/a/a.java, line(s) 219,335,562,571,578,591,761,784,791,1954,1975,1996,2023,2245,2438,3141,3155,3167,145,154,179,188,2354,2364,2472,2481\nb/b/k/h.java, line(s) 396,217,225\nb/b/k/k.java, line(s) 1578,1435,1444,1454,1463,1478,1487,1500,1509,419,1143,1243,1246,1345,1792\nb/b/k/r.java, line(s) 147\nb/b/k/t.java, line(s) 43\nb/b/l/a/a.java, line(s) 80\nb/b/o/f.java, line(s) 140,174,186,196,354\nb/b/o/i/d.java, line(s) 543\nb/b/o/i/g.java, line(s) 592\nb/b/p/a0.java, line(s) 93,102,192,228\nb/b/p/a1.java, line(s) 92,156\nb/b/p/d1.java, line(s) 24,34,52,54,57\nb/b/p/k0.java, line(s) 359,165,170,177,264,342\nb/b/p/m0.java, line(s) 107\nb/b/p/n0.java, line(s) 141,49,65,94,345\nb/b/p/r0.java, line(s) 101,252,377,185,234,339,350,391,405\nb/b/p/s0.java, line(s) 33\nb/b/p/w.java, line(s) 95,149,154,182,583\nb/b/p/z0.java, line(s) 348,387\nb/d/a.java, line(s) 285\nb/d/c.java, line(s) 248,85\nb/d/e.java, line(s) 266\nb/g/c/c.java, line(s) 71\nb/g/c/d.java, line(s) 199,104,163\nb/g/c/e.java, line(s) 612,1408,642,1461\nb/i/d/b.java, line(s) 115\nb/i/d/c.java, line(s) 32\nb/i/d/e.java, line(s) 60,77,94\nb/i/f/c.java, line(s) 50,55\nb/i/f/d.java, line(s) 33\nb/i/f/e.java, line(s) 58\nb/i/f/f.java, line(s) 45\nb/i/f/g.java, line(s) 51,209\nb/i/f/k/d.java, line(s) 45,68\nb/i/g/a/a.java, line(s) 42\nb/i/i/b.java, line(s) 18\nb/i/l/a.java, line(s) 22\nb/i/m/a.java, line(s) 239\nb/i/m/b.java, line(s) 39\nb/i/m/f.java, line(s) 159,177,200\nb/i/m/l.java, line(s) 226\nb/i/m/p.java, line(s) 23,34\nb/i/m/u.java, line(s) 40,50,61,70\nb/j/a/b.java, line(s) 42\nb/k/b/e.java, line(s) 317\nb/l/a/e.java, line(s) 149,151,176,299,301\nb/l/a/k.java, line(s) 2823,2824,2835,1939\nb/p/a/a.java, line(s) 142,147,154,158,174,184\nb/t/b0.java, line(s) 36,60\nb/u/a/a/f.java, line(s) 856,1097\nc/a/b/j.java, line(s) 
75\nc/a/b/v.java, line(s) 110,114,13,119\nc/a/b/w/h.java, line(s) 42\nc/b/a/j.java, line(s) 27\nc/b/a/n.java, line(s) 28\nc/c/a/a/c/d.java, line(s) 51,158\nc/c/a/a/c/g.java, line(s) 45,58,102,120,132,138,147\nc/c/a/a/c/h.java, line(s) 26\nc/c/a/a/c/k/k/b0.java, line(s) 46,56\nc/c/a/a/c/k/k/d.java, line(s) 660,778\nc/c/a/a/c/k/k/u.java, line(s) 44\nc/c/a/a/c/l/a.java, line(s) 17\nc/c/a/a/c/l/b.java, line(s) 400,709,724,256,276,416,631,635,640,648\nc/c/a/a/c/l/d.java, line(s) 84,87,91,95,99,103,115,119,122,125,143,152\nc/c/a/a/c/l/d0.java, line(s) 114\nc/c/a/a/c/l/e.java, line(s) 19\nc/c/a/a/c/l/e0.java, line(s) 62\nc/c/a/a/c/l/i.java, line(s) 29\nc/c/a/a/c/l/l.java, line(s) 25\nc/c/a/a/c/m/a.java, line(s) 40,54,59\nc/c/a/a/c/t.java, line(s) 62\nc/c/a/a/f/c/a1.java, line(s) 45,60\nc/c/a/a/g/b/a.java, line(s) 81,86\nc/c/a/b/a0/b.java, line(s) 117\nc/c/a/b/b0/a.java, line(s) 27\nc/c/a/b/l/g.java, line(s) 50\nc/c/b/b.java, line(s) 99,175,184,202,207,211,215,219,223,268\nc/c/b/h/c0/a/e.java, line(s) 37\nc/c/b/h/c0/a/j0.java, line(s) 105,56,94\nc/c/b/h/c0/a/k0.java, line(s) 117,99,110,147,151,89\nc/c/b/h/c0/a/x0.java, line(s) 19\nc/c/b/h/d0/i.java, line(s) 18\nc/c/b/h/d0/k.java, line(s) 98,50,61\nc/c/b/h/d0/p.java, line(s) 71\nc/c/b/h/d0/z.java, line(s) 66,89\nc/c/b/h/y.java, line(s) 52\ncom/app/damnvulnerablebank/BankLogin.java, line(s) 44\ncom/app/damnvulnerablebank/MainActivity.java, line(s) 94,198,201",
"section": "code"
},
{
"title": "App talks to a Firebase database",
"description": "The app talks to Firebase database at https://damn-vulnerable-bank.firebaseio.com",
"section": "firebase"
}
],
"secure": [
{
"title": "This App may have root detection capabilities.",
"description": "This App may have root detection capabilities.\nhttps://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1\n\nFiles:\na/a/a/a/a.java, line(s) 529,508,511,511,511,511,511,511",
"section": "code"
},
{
"title": "Firebase Remote Config disabled",
"description": "Firebase Remote Config is disabled for https://firebaseremoteconfig.googleapis.com/v1/projects/932398433474/namespaces/firebase:fetch?key=AIzaSyBbOHG6DDa6DOcRGEg57mw9nXYXcw6la3c. This is indicated by the response: {'state': 'NO_TEMPLATE'}",
"section": "firebase"
},
{
"title": "This application has no privacy trackers",
"description": "This application does not include any user or device trackers. Unable to find trackers during static analysis.",
"section": "trackers"
}
],
"hotspot": [],
"total_trackers": 432,
"trackers": 0,
"security_score": 44,
"app_name": "DamnVulnerableBank",
"file_name": "dvba.apk",
"hash": "5b40b49cd80dbe20ba611d32045b57c6",
"version_name": "1.0",
"version": "v4.5.0",
"title": "AppSec Scorecard",
"efr01": false
}
|
28
|
1
|
13
|
[
{
"id": "hardcoded_secrets",
"category": "Secrets",
"title": "Hardcoded secrets detected (4 entries, 3 critical)",
"description": "4 potential secrets in APK. 3 appear to be active API keys/credentials.",
"severity": "CRITICAL",
"exploitable": true,
"owasp": "M9 — Reverse Engineering",
"cwe": "CWE-798",
"cvss": 9.8,
"cvss_vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"poc": "\"google_api_key\" : \"AIzaSyBbOHG6DDa6DOcRGEg57mw9nXYXcw6la3c\" | \"google_crash_reporting_api_key\" : \"AIzaSyBbOHG6DDa6DOcRGEg5 | \"firebase_database_url\" : \"https://damn-vulnerable-bank.fire",
"evidence": "\"google_api_key\" : \"AIzaSyBbOHG6DDa6DOcRGEg57mw9nXYXcw6la3c\"\n\"google_crash_reporting_api_key\" : \"AIzaSyBbOHG6DDa6DOcRGEg57mw9nXYXcw6la3c\"\n\"firebase_database_url\" : \"https://damn-vulnerable-bank.firebaseio.com\"\nGmdBWksdEwAZFAlLVEdDX1FKS0JtQU1DHggaBkNXQQFjTkdBTUMJBgMCFQUIFA5MXUFPDxUdBg4PCkNWY05HQU1DFAYaDwgDBlhT",
"remediation": "Remove secrets from code; use server-side config or Android Keystore; rotate any exposed credentials immediately",
"source": "static/secrets",
"meta": {
"count": 4,
"critical_samples": [
"\"google_api_key\" : \"AIzaSyBbOHG6DDa6DOcRGEg57mw9nXYXcw6la3c\"",
"\"google_crash_reporting_api_key\" : \"AIzaSyBbOHG6DDa6DOcRGEg57mw9nXYXcw6la3c\"",
"\"firebase_database_url\" : \"https://damn-vulnerable-bank.firebaseio.com\""
]
}
},
{
"id": "exp_act_297265",
"category": "Exported Components",
"title": "Exported Activity: CurrencyRates",
"description": "com.app.damnvulnerablebank.CurrencyRates exported without authentication requirement",
"severity": "HIGH",
"exploitable": true,
"owasp": "M1 — Improper Platform Usage",
"cwe": "CWE-926",
"cvss": 7.5,
"cvss_vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"poc": "adb shell am start -n com.app.damnvulnerablebank/com.app.damnvulnerablebank.CurrencyRates\n# Deep link: adb shell am start -a android.intent.action.VIEW -d \"http://xe.com\"",
"evidence": "android:exported=true, no android:permission",
"remediation": "Set android:exported=\"false\" or add android:permission on CurrencyRates",
"source": "static/manifest",
"meta": {
"activity": "com.app.damnvulnerablebank.CurrencyRates",
"browsable": true
}
},
{
"id": "exp_act_847509",
"category": "Exported Components",
"title": "Exported Activity: SendMoney",
"description": "com.app.damnvulnerablebank.SendMoney exported without authentication requirement",
"severity": "HIGH",
"exploitable": true,
"owasp": "M1 — Improper Platform Usage",
"cwe": "CWE-926",
"cvss": 7.5,
"cvss_vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"poc": "adb shell am start -n com.app.damnvulnerablebank/com.app.damnvulnerablebank.SendMoney",
"evidence": "android:exported=true, no android:permission",
"remediation": "Set android:exported=\"false\" or add android:permission on SendMoney",
"source": "static/manifest",
"meta": {
"activity": "com.app.damnvulnerablebank.SendMoney",
"browsable": false
}
},
{
"id": "exp_act_861019",
"category": "Exported Components",
"title": "Exported Activity: ViewBalance",
"description": "com.app.damnvulnerablebank.ViewBalance exported without authentication requirement",
"severity": "HIGH",
"exploitable": true,
"owasp": "M1 — Improper Platform Usage",
"cwe": "CWE-926",
"cvss": 7.5,
"cvss_vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"poc": "adb shell am start -n com.app.damnvulnerablebank/com.app.damnvulnerablebank.ViewBalance",
"evidence": "android:exported=true, no android:permission",
"remediation": "Set android:exported=\"false\" or add android:permission on ViewBalance",
"source": "static/manifest",
"meta": {
"activity": "com.app.damnvulnerablebank.ViewBalance",
"browsable": false
}
},
{
"id": "exp_act_128475",
"category": "Exported Components",
"title": "Exported Activity: DeviceCredentialHandlerActivity",
"description": "androidx.biometric.DeviceCredentialHandlerActivity exported without authentication requirement",
"severity": "HIGH",
"exploitable": true,
"owasp": "M1 — Improper Platform Usage",
"cwe": "CWE-926",
"cvss": 7.5,
"cvss_vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"poc": "adb shell am start -n com.app.damnvulnerablebank/androidx.biometric.DeviceCredentialHandlerActivity",
"evidence": "android:exported=true, no android:permission",
"remediation": "Set android:exported=\"false\" or add android:permission on DeviceCredentialHandlerActivity",
"source": "static/manifest",
"meta": {
"activity": "androidx.biometric.DeviceCredentialHandlerActivity",
"browsable": false
}
},
{
"id": "exp_act_575943",
"category": "Exported Components",
"title": "Exported Activity: FederatedSignInActivity",
"description": "com.google.firebase.auth.internal.FederatedSignInActivity exported without authentication requirement",
"severity": "HIGH",
"exploitable": true,
"owasp": "M1 — Improper Platform Usage",
"cwe": "CWE-926",
"cvss": 7.5,
"cvss_vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"poc": "adb shell am start -n com.app.damnvulnerablebank/com.google.firebase.auth.internal.FederatedSignInActivity",
"evidence": "android:exported=true, no android:permission",
"remediation": "Set android:exported=\"false\" or add android:permission on FederatedSignInActivity",
"source": "static/manifest",
"meta": {
"activity": "com.google.firebase.auth.internal.FederatedSignInActivity",
"browsable": false
}
},
{
"id": "firebase_746630",
"category": "Firebase",
"title": "App talks to a Firebase database",
"description": "The app talks to Firebase database at https://damn-vulnerable-bank.firebaseio.com",
"severity": "HIGH",
"exploitable": true,
"owasp": "M2 — Insecure Data Storage",
"cwe": "CWE-200",
"cvss": 7.5,
"cvss_vector": "",
"poc": "curl -s 'https://damn-vulnerable-bank.firebaseio.com/.json' | python3 -m json.tool\n# Non-null response = database publicly readable!",
"evidence": "https://damn-vulnerable-bank.firebaseio.com",
"remediation": "Enable Firebase Security Rules; never leave .read: true in production; test rules with Firebase Rules Playground",
"source": "static/firebase",
"meta": {
"title": "App talks to a Firebase database",
"severity": "info",
"description": "The app talks to Firebase database at https://damn-vulnerable-bank.firebaseio.com"
}
},
{
"id": "permissions_malware",
"category": "Permissions",
"title": "Permissions correlated with malware (1)",
"description": "These permissions frequently appear in malware samples",
"severity": "HIGH",
"exploitable": true,
"owasp": "M1 — Improper Platform Usage",
"cwe": "CWE-250",
"cvss": 7.5,
"cvss_vector": "",
"poc": "",
"evidence": "android.permission.INTERNET",
"remediation": "Review each malware-correlated permission; justify its necessity",
"source": "static/permissions",
"meta": {
"permissions": [
"android.permission.INTERNET"
]
}
},
{
"id": "sc_high_326498",
"category": "Scorecard/Manifest",
"title": "Clear text traffic is Enabled For App[android:usesCleartextTraffic=true]",
"description": "The app intends to use cleartext network traffic, such as cleartext HTTP, FTP stacks, DownloadManager, and MediaPlayer. The default value for apps that target API level 27 or lower is \"true\". Apps that target API level 28 or higher default to \"false\". The key reason for avoiding cleartext traffic is the lack of confidentiality, authenticity, and protections against tampering; a network attacker can eavesdrop on transmitted data and also modify it without being detected.",
"severity": "HIGH",
"exploitable": true,
"owasp": "M1 — Improper Platform Usage",
"cwe": "CWE-319",
"cvss": 7.5,
"cvss_vector": "",
"poc": "mitmproxy / Burp Suite — intercept unencrypted HTTP traffic",
"evidence": "",
"remediation": "Set android:usesCleartextTraffic=\"false\"; use HTTPS everywhere",
"source": "static/scorecard",
"meta": {
"title": "Clear text traffic is Enabled For App[android:usesCleartextTraffic=true]",
"description": "The app intends to use cleartext network traffic, such as cleartext HTTP, FTP stacks, DownloadManager, and MediaPlayer. The default value for apps that target API level 27 or lower is \"true\". Apps that target API level 28 or higher default to \"false\". The key reason for avoiding cleartext traffic is the lack of confidentiality, authenticity, and protections against tampering; a network attacker can eavesdrop on transmitted data and also modify it without being detected.",
"section": "manifest"
}
},
{
"id": "sc_high_991096",
"category": "Scorecard/Manifest",
"title": "App Link assetlinks.json file not found[android:name=com.app.damnvulnerablebank.CurrencyRates][android:host=http://xe.com]",
"description": "App Link asset verification URL (http://xe.com/.well-known/assetlinks.json) not found or configured incorrectly. (Status Code: 301). App Links allow users to redirect from a web URL/email to the mobile app. If this file is missing or incorrectly configured for the App Link host/domain, a malicious app can hijack such URLs. This may lead to phishing attacks, leak sensitive data in the URI, such as PII, OAuth tokens, magic link/password reset tokens and more. You must verify the App Link domain by",
"severity": "HIGH",
"exploitable": true,
"owasp": "M1 — Improper Platform Usage",
"cwe": "CWE-940",
"cvss": 7.5,
"cvss_vector": "",
"poc": "A malicious app can register the same deep link URI and intercept traffic",
"evidence": "",
"remediation": "Host assetlinks.json; set android:autoVerify=\"true\"",
"source": "static/scorecard",
"meta": {
"title": "App Link assetlinks.json file not found[android:name=com.app.damnvulnerablebank.CurrencyRates][android:host=http://xe.com]",
"description": "App Link asset verification URL (http://xe.com/.well-known/assetlinks.json) not found or configured incorrectly. (Status Code: 301). App Links allow users to redirect from a web URL/email to the mobile app. If this file is missing or incorrectly configured for the App Link host/domain, a malicious app can hijack such URLs. This may lead to phishing attacks, leak sensitive data in the URI, such as PII, OAuth tokens, magic link/password reset tokens and more. You must verify the App Link domain by hosting the assetlinks.json file and enabling verification via [android:autoVerify=\"true\"] in the Activity intent-filter.",
"section": "manifest"
}
},
{
"id": "sc_high_913599",
"category": "Scorecard/Manifest",
"title": "App Link assetlinks.json file not found[android:name=com.app.damnvulnerablebank.CurrencyRates][android:host=https://xe.com]",
"description": "App Link asset verification URL (https://xe.com/.well-known/assetlinks.json) not found or configured incorrectly. (Status Code: 403). App Links allow users to redirect from a web URL/email to the mobile app. If this file is missing or incorrectly configured for the App Link host/domain, a malicious app can hijack such URLs. This may lead to phishing attacks, leak sensitive data in the URI, such as PII, OAuth tokens, magic link/password reset tokens and more. You must verify the App Link domain b",
"severity": "HIGH",
"exploitable": true,
"owasp": "M1 — Improper Platform Usage",
"cwe": "CWE-940",
"cvss": 7.5,
"cvss_vector": "",
"poc": "A malicious app can register the same deep link URI and intercept traffic",
"evidence": "",
"remediation": "Host assetlinks.json; set android:autoVerify=\"true\"",
"source": "static/scorecard",
"meta": {
"title": "App Link assetlinks.json file not found[android:name=com.app.damnvulnerablebank.CurrencyRates][android:host=https://xe.com]",
"description": "App Link asset verification URL (https://xe.com/.well-known/assetlinks.json) not found or configured incorrectly. (Status Code: 403). App Links allow users to redirect from a web URL/email to the mobile app. If this file is missing or incorrectly configured for the App Link host/domain, a malicious app can hijack such URLs. This may lead to phishing attacks, leak sensitive data in the URI, such as PII, OAuth tokens, magic link/password reset tokens and more. You must verify the App Link domain by hosting the assetlinks.json file and enabling verification via [android:autoVerify=\"true\"] in the Activity intent-filter.",
"section": "manifest"
}
},
{
"id": "sc_high_750701",
"category": "Scorecard/Network",
"title": "Base config is configured to trust user installed certificates",
"description": "Scope:\n*\n\n",
"severity": "HIGH",
"exploitable": true,
"owasp": "M3 — Insecure Communication",
"cwe": "CWE-295",
"cvss": 7.5,
"cvss_vector": "",
"poc": "Install a user CA cert on device → MitM all HTTPS traffic",
"evidence": "",
"remediation": "Set cleartextTrafficPermitted=false; implement certificate pinning",
"source": "static/scorecard",
"meta": {
"title": "Base config is configured to trust user installed certificates",
"description": "Scope:\n*\n\n",
"section": "network"
}
}
]
|