Android App Detailed Report

BBC News 54/100 83/100 bbc.mobile.news.ww bae42647bc64af3839943d6e53a3a8b4 Scan Engine Version: 4.2.6 MED HIGH Scan Date: 02-28-2018 Privacy Risk Security Risk

This Technical Summary contains a mid-level summary and score information for an app’s identified risk conditions. This digest is intended for a technical audience and provides a listing of items we identified. Findings are separated into analysis areas, followed by categories and additional support details when available. Each finding is represented by a Red, Orange, Yellow or Green colored square.

Red indicates a high level of risk and used to indicate when a test has failed. Orange indicates a moderate level of risk Yellow indicates a low risk or informational finding Green indicates that no risk conditions were identified and used to indicate when a test has passed.

Index Privacy Summary

Security Summary

Analysis

Data Leakage

Libraries

OWASP Summary

Communications

Privacy Summary 54/100

The privacy summary focuses on the application’s access to privacy data, including (but not limited to): user data, contacts access, unique device MED identifiers, adware, SMS, and insecure storage of data and communications.

Content Providers are implicitly insecure. They allow other applications on the device to request and share data. If sensitive information is accidentally leaked in one of these content providers all an attacker needs to do is call the content provider and the sensitive data will be exposed to the attacker by the application.This is cause for concern as any 3rd party application containing malicious code does not require any granted permissions in order to obtain sensitive information from these applications. Full details here.

This app requests the device latitude and longitude. Full details here.

Returns the current enabled/disabled status of the given provider. Full details here. This application uses getLastKnownLocation() to retrieve the last known GPS coordinates. This is used to retrieve the last known location of the device in the event that the location services are not available. Full details here.

This application is requesting the device serial number information from the system build properties. Full details here.

The application retrieves the IMEI/MEID, which is a unique identifier for the device. This opens up the potential for abuse by tracking a user across multiple applications. Further examination should be taken to identify if the IMEI is being sent off device. Full details here.

This application is requesting the device build fingerprint from the system build properties. Full details here.

The app retrieves ClipBoard data contents. Full details here.

This application potentially gains access to the device ID. Full details here.

Security Summary 83/100

The security summary focuses on risks contained in the application. These risks include (but are not limited to): risky functionality and code use, application HIGH capabilities, critical vulnerabilities and threats.

This application is using the WebKit to download a file from the Internet. Full details here.

The app sets the activity content to an explicit view. Full details here.

Additional Android applications have been found bundled with this Android application. This is not an acceptable or standard developer practice and is often used with malicious intent with repackaged applications. Full details here.

The application uses PendingIntent’s. These are dangerous because they can allow other apps to execute with the same level of permissions as this app, potentially resulting in permission elevation for the other app. Full details here.

The app may potentially use WebSocket (https://tools.ietf.org/html/rfc6455) based communications with remote servers. Full details here.

The app enables WebView to execute JavaScript code Full details here. The app uses a method to blindly load all apps and jar files located in a directory. Potential exists for abuse by malicious parties. Full details here.

This application has the ability to load an alternate classes.dex file. Alternate classes.dex files could contain malicious functionality, payloads and at the least open up additional security and privacy risks. This functionality can be seen applications when attempting to evade analysis. If the application requires root access additional precautions should be taken. Full details here.

The app can manipulate its user agent string. Full details here.

This application uses sockets to open up a communications channel. Full details here.

This app is requesting permissions during runtime. Full details here.

This application exposes objects to the WebView's Javascript. This could allow code injection or indirect access to internal objects/methods. CVE-2013-4710, CVE-2012-6636. This vulnerability is mitigated in Android 17 or greater. Full details here.

This app has configured WebView to allow Javascript to open windows without user prompt. Full details here.

Determine whether the calling process of an IPC or you have been granted a particular permission. This is the same as checkCallingPermission(String), except it grants your own permissions if you are not currently processing an IPC. Use with care! Full details here.

The application was found to contain obfuscated method names. This can be used by legitimate developers to protect intellectual property and used by others to conceal potentially malicious code. Full details here.

Code exists to start a service, which could in turn start a separate application on the device if it is not already running. Full details here.

This application uses synthetic method to access private class entries which are normally not accessible. This is a suspicious and unusual coding practice that should be reviewed. Full details here.

This app is invoking the Java reflection method. Full details here.

The app contains exported components not protected by permission. Full details here. The app is not doing active checks for validating SSL certificates. It may allow self- signed, expired or mismatch CN certificates for SSL connections. Full details here.

The app is writing information in the system Log. Full details here.

Analysis

Activity

The app sets the activity content to an explicit view.

Details: uk.co.bbc.smpan.ui.fullscreen.FullScreenPlayoutActivity com.urbanairship.actions.LandingPageActivity com.urbanairship.messagecenter.ThemedActivity com.urbanairship.ChannelCaptureActivity net.hockeyapp.android.ExpiryInfoActivity net.hockeyapp.android.LoginActivity net.hockeyapp.android.FeedbackActivity com.google.android.gms.ads.AdActivity android.support.wearable.activity.ConfirmationActivity android.support.v7.app.AlertController bbc.mobile.news.v3.fragments.managetopics.EditMyNewsActivity bbc.mobile.news.v3.app.ToolbarActivity

26 total classes, shown 10

This app is requesting permissions during runtime.

Details: android.support.v4.app.FragmentActivity

This application requests a list of all running applications to include applications that are frozen in state by the system. This is an informational finding.

Details: com.google.android.gms.internal.zzagy

This app can retrieve the list of running apps.

Details: com.google.android.gms.gcm.zza com.google.android.gms.internal.zzgz com.google.android.gms.internal.zzrr com.google.android.gms.internal.zzagy Address Book

This application access the user's contacts.

Details: com.squareup.picasso.ContactsPhotoRequestHandler

Computes a content URI given a lookup URI.

Details: com.squareup.picasso.ContactsPhotoRequestHandler

Opens an InputStream for the contact's photo and returns the photo as a byte stream.

Details: com.squareup.picasso.ContactsPhotoRequestHandler$ContactPhotoStreamIcs com.squareup.picasso.ContactsPhotoRequestHandler

Binary Protections Testing

This application exposes source level metadata symbols and fails the testing outlined by OWASP Mobile Top 10.

This application fails the Source Code Reverse Engineering Exposure test as outlined by OWASP Mobile Top 10.

Bluetooth

This application checks the current ready state of Bluetooth functionality. This is an informational finding.

Details: com.urbanairship.analytics.data.EventApiClient

Broadcast Action

The app registers a BroadcastReceiver.

Details: uk.co.bbc.smpan.android.DefaultBroadcastReceiverRegistrar com.squareup.picasso.Dispatcher$NetworkBroadcastReceiver com.urbanairship.push.adm.AdmPushProvider com.google.android.gms.iid.zze com.google.android.gms.common.GoogleApiAvailability com.google.android.gms.common.util.zzk com.google.android.gms.internal.zzge com.google.android.gms.internal.zzacb com.google.android.gms.internal.zzfi com.google.android.gms.internal.zzagy com.google.android.exoplayer2.audio.AudioCapabilitiesReceiver com.google.android.exoplayer2.audio.AudioCapabilities

17 total classes, shown 10

Calendar

This application queries the Calendar on the device.

Details: uk.co.bbc.echo.live.Schedule com.urbanairship.preference.QuietTimePickerPreference com.urbanairship.push.QuietTimeInterval com.google.android.gms.internal.zzdg com.google.ads.mediation.MediationAdRequest com.urbanairship.push.PushManager com.urbanairship.analytics.Event android.support.v7.app.TwilightManager bbc.mobile.news.v3.util.BaseNewsDateUtils bbc.mobile.news.v3.modules.item.CopyrightFooterModule bbc.mobile.news.v3.common.util.Utils

Code Analysis

Details: uk.co.bbc.smpan.audio.notification.androidNotificationSystem.AndroidNotificationFactory uk.co.bbc.smpan.audio.notification.androidNotificationSystem.Android16NotificationDrawer uk.co.bbc.smpan.audio.notification.androidNotificationSystem.Android21NotificationDrawer com.urbanairship.CoreReceiver com.urbanairship.job.AlarmScheduler com.urbanairship.push.notifications.NotificationActionButton com.urbanairship.push.IncomingPushRunnable com.urbanairship.location.FusedLocationAdapter com.urbanairship.location.UALocationProvider net.hockeyapp.android.tasks.ParseFeedbackTask com.google.android.gms.gcm.GcmNetworkManager com.google.android.gms.gcm.GoogleCloudMessaging

38 total classes, shown 10

This application uses synthetic method to access private class entries which are normally not accessible. This is a suspicious and unusual coding practice that should be reviewed. The app contains exported components not protected by permission.

Details: bbc.mobile.news.v3.media.RemoteControlReceiver bbc.mobile.news.v3.appwidget.HeadlineViewWidgetProvider bbc.mobile.news.v3.appwidget.GridViewWidgetProvider bbc.mobile.news.v3.provider.Provider bbc.mobile.news.v3.provider.AuthenticatorService bbc.mobile.news.v3.provider.SyncService bbc.mobile.news.wear.services.WearListenerService bbc.mobile.news.v3.app.TopLevelActivity bbc.mobile.news.v3.ui.deeplinking.DeepLinkingActivity bbc.mobile.news.v3.ui.search.SearchActivity bbc.mobile.news.v3.ui.preference.SettingsActivity

The application was found to contain obfuscated method names. This can be used by legitimate developers to protect intellectual property and used by others to conceal potentially malicious code.

Code exists to start a service, which could in turn start a separate application on the device if it is not already running.

Details: uk.co.bbc.smpan.audio.notification.androidNotificationSystem.AndroidNotificationFramework com.urbanairship.actions.ActionService com.google.android.gms.gcm.GcmReceiver com.google.android.gms.gcm.GoogleCloudMessaging com.google.android.gms.iid.zze com.google.android.gms.common.stats.zze com.urbanairship.job.JobDispatcher android.support.v4.media.session.MediaButtonReceiver android.support.v4.content.WakefulBroadcastReceiver bbc.mobile.news.v3.media.RemoteControlReceiver bbc.mobile.news.medianotification.AlbumArtNotificationFramework

This app is invoking the Java reflection method.

Details: com.squareup.okhttp.internal.OptionalMethod com.squareup.okhttp.internal.Util com.squareup.okhttp.internal.Platform com.squareup.okhttp.internal.http.RouteException com.google.protobuf.zzc com.google.protobuf.zzf com.google.protobuf.zze rx.internal.schedulers.NewThreadWorker rx.internal.util.PlatformDependent rx.internal.util.unsafe.UnsafeAccess rx.internal.util.unsafe.SpscUnboundedArrayQueue de.spring.mobile.SpringStreams 194 total classes, shown 10

Retrieve a PendingIntent that will perform a broadcast, like calling Context.sendBroadcast().

Details: uk.co.bbc.smpan.audio.notification.androidNotificationSystem.AndroidNotificationFactory com.urbanairship.push.notifications.NotificationActionButton com.urbanairship.push.IncomingPushRunnable com.google.android.gms.gcm.GcmNetworkManager com.google.android.gms.gcm.GoogleCloudMessaging com.google.android.gms.iid.zze android.support.v4.media.session.MediaSessionCompat bbc.mobile.news.v3.media.MediaRemoteControlClient bbc.mobile.news.v3.appwidget.GridViewWidgetProvider bbc.mobile.news.medianotification.AlbumArtNotificationFactory

This application instantiates a new instance of ZipFile. This will allow the application to create and extract archive file types.

Details: android.support.multidex.MultiDexExtractor android.support.multidex.MultiDex

The application has most likely been packed with ProGuard Packer.

The app has been found to be MultiDex

Content

The app stores key mapped value strings to the SharedPreferences storage.

Details: uk.co.bbc.echo.device.DefaultDeviceDataProvider uk.co.bbc.echo.delegate.comscore.UserPromiseHelper net.hockeyapp.android.utils.VersionCache net.hockeyapp.android.utils.PrefsUtil net.hockeyapp.android.tasks.LoginTask net.hockeyapp.android.CrashManager com.google.android.gms.auth.api.signin.internal.zzy com.google.android.gms.iid.zzh com.google.android.gms.internal.zztl com.google.android.gms.internal.zzahj com.google.android.gms.internal.zzago com.google.android.gms.internal.zzafu

21 total classes, shown 10

Context Determine whether the calling process of an IPC or you have been granted a particular permission. This is the same as checkCallingPermission(String), except it grants your own permissions if you are not currently processing an IPC. Use with care!

Details: com.squareup.picasso.Utils net.hockeyapp.android.UpdateActivity com.google.android.gms.gcm.GcmReceiver com.google.android.gms.internal.zzlz com.google.android.gms.internal.zzbah com.google.android.gms.internal.zzbgy com.google.ads.interactivemedia.v3.impl.g

The application receives a reference to a system service 'getSystemService'

Details: uk.co.bbc.smpan.accessibility.AndroidAccessibility uk.co.bbc.smpan.SMPBuilder uk.co.bbc.smpan.ui.transportcontrols.AudioManagerVolumeControl uk.co.bbc.echo.device.DefaultDeviceDataProvider com.squareup.picasso.Utils com.urbanairship.actions.ClipboardAction com.urbanairship.messagecenter.MessageViewAdapter com.urbanairship.job.AndroidJobScheduler com.urbanairship.job.AlarmScheduler com.urbanairship.push.notifications.NotificationFactory com.urbanairship.push.notifications.StyleNotificationExtender com.urbanairship.location.StandardLocationAdapter

102 total classes, shown 10

Connect to an application service, creating it if needed.

Details: com.google.android.gms.wearable.WearableListenerService com.google.android.gms.common.stats.zza com.google.android.gms.common.internal.zzah com.google.android.gms.internal.zznl com.google.android.gms.ads.identifier.AdvertisingIdClient com.comscore.android.id.IdHelperAndroid android.support.v4.app.NotificationManagerCompat android.support.v4.media.MediaBrowserCompat android.support.customtabs.CustomTabsClient bbc.mobile.news.v3.media.MediaController

Cryptography

This application is requesting an instance of the SHA1 algorithm..

Details: com.google.android.gms.iid.InstanceID This application has functionality for cryptographic applications implementing algorithms for encryption, decryption, or key agreement. This is an informational finding.

Details: okio.HashingSource com.google.android.gms.internal.zzcw com.google.a.a.k com.comscore.utils.Utils android.support.v4.hardware.fingerprint.FingerprintManagerCompatApi23$CryptoObject android.support.v4.hardware.fingerprint.FingerprintManagerCompat$CryptoObject android.support.v4.hardware.fingerprint.FingerprintManagerCompat$Api23FingerprintManagerCom patImpl android.support.v4.hardware.fingerprint.FingerprintManagerCompatApi23 okio.HashingSink

This class provides access to implementations of cryptographic ciphers for encryption and decryption. This is an informational finding.

Details: com.google.android.gms.internal.zzcw com.google.a.a.k com.comscore.utils.Utils

This application uses SecretKeySpec to convert a secret key from the specified byte array according to the specified algorithm and constructs a SecretKeySpec object based on the secret key. This is an informational finding.

Details: com.google.android.gms.internal.zzcw com.google.a.a.k

Database

This application issues SQL database commands. This is an informational finding.

This application uses random read-write access to the result set returned by database queries.

External Storage

The app checks the primary external storage directory and/or state.

Details: net.hockeyapp.android.Constants net.hockeyapp.android.tasks.DownloadFileTask com.google.android.gms.internal.zzmr com.google.android.gms.internal.zzma android.support.v4.content.FileProvider File System

The app uses the primary external storage directories.

Details: android.support.v4.content.ContextCompat

Unsafe delete operation, the deleted file could be recovered by an attacker especially on a rooted device.

Details: com.squareup.okhttp.internal.io.FileSystem$1 com.urbanairship.util.BitmapUtils net.hockeyapp.android.tasks.SendFeedbackTask okhttp3.internal.io.FileSystem$1 com.google.android.gms.common.data.BitmapTeleporter com.google.android.gms.internal.zzdb com.google.android.gms.internal.zzag com.google.android.gms.internal.zzsh com.google.android.exoplayer2.upstream.cache.CacheDataSink com.google.android.exoplayer2.upstream.cache.SimpleCache com.google.android.exoplayer.upstream.cache.CacheDataSink com.google.android.exoplayer.upstream.cache.SimpleCache

19 total classes, shown 10

This facilitates secure sharing of files by creating a content:// Uri for a file instead of a file:/// Uri.

Details: android.support.v4.content.FileProvider

Intents

A RemoteInput object specifies input to be collected from a user to be passed along with an intent inside a PendingIntent that is sent. Care should be taken to see that privacy information is not leaked.

Details: android.support.v4.app.RemoteInputCompatApi20 android.support.v4.app.NotificationCompatApi24 android.support.v4.app.NotificationCompatApi21 android.support.v4.app.NotificationCompatApi20

The apps is creating an Intent from URI.

This app will set the name of a class inside of the application package that will be used as the component for this Intent. This is an unusual coding practice.

Details: uk.co.bbc.smpan.ui.playoutwindow.AndroidPlayoutWindow com.urbanairship.actions.ShareAction com.urbanairship.push.GcmPushReceiver com.google.android.gms.gcm.GcmReceiver com.google.android.gms.iid.zze com.google.android.gms.iid.InstanceIDListenerService com.google.android.gms.internal.zzrr com.google.android.gms.internal.zzagy com.google.android.gms.ads.internal.overlay.zza com.google.android.gms.ads.internal.overlay.zzu android.support.design.widget.TextInputLayout android.support.design.widget.TabLayout

28 total classes, shown 10

The app sets a bundle of additional info data.

Details: uk.co.bbc.smpan.audio.notification.androidNotificationSystem.AndroidNotificationFactory uk.co.bbc.smpan.audio.notification.androidNotificationSystem.AndroidNotificationFramework uk.co.bbc.smpan.SMPBuilder$4 uk.co.bbc.smpan.ui.fullscreen.EmbeddedToFullScreenActivityWithModeAction uk.co.bbc.smpan.fallback.AndroidBBCMediaPlayerLauncher com.urbanairship.CoreReceiver com.urbanairship.actions.ShareAction com.urbanairship.actions.LandingPageAction com.urbanairship.actions.ActionService com.urbanairship.util.HelperActivity com.urbanairship.job.AirshipService com.urbanairship.push.PushProviderBridge

72 total classes, shown 10

The app gets a bundle of additional info data.

Details: uk.co.bbc.smpan.audio.notification.androidNotificationSystem.AndroidBroadcast uk.co.bbc.smpan.audio.notification.androidNotificationSystem.AudioNotificationService uk.co.bbc.smpan.telephony.IncomingCallReceiver com.squareup.picasso.Dispatcher$NetworkBroadcastReceiver com.urbanairship.CoreReceiver com.urbanairship.actions.LandingPageActivity com.urbanairship.util.HelperActivity com.urbanairship.AirshipReceiver com.urbanairship.push.GcmPushReceiver com.urbanairship.push.adm.AdmPushProvider$RegistrationReceiver com.urbanairship.analytics.InstallReceiver com.urbanairship.ChannelCaptureActivity

41 total classes, shown 10

Set an explicit application package name that limits the components this Intent will resolve to. If left to the default value of null, all components in all applications will considered. If non-null, the Intent can only match the components in the given application package.

Details: uk.co.bbc.smpan.audio.notification.androidNotificationSystem.AndroidNotificationFactory uk.co.bbc.smpan.ui.playoutwindow.AndroidPlayoutWindow com.urbanairship.CoreReceiver com.urbanairship.actions.ShareAction com.urbanairship.actions.LandingPageAction com.urbanairship.actions.OverlayRichPushMessageAction com.urbanairship.util.HelperActivity com.urbanairship.messagecenter.MessageCenterFragment com.urbanairship.push.GcmPushReceiver com.urbanairship.push.PushManagerJobHandler com.urbanairship.push.IncomingPushRunnable com.google.android.gms.gcm.zzc

40 total classes, shown 10

Location

This app requests the device latitude and longitude.

Returns the current enabled/disabled status of the given provider.

Details: android.support.v7.app.TwilightManager

This application uses getLastKnownLocation() to retrieve the last known GPS coordinates. This is used to retrieve the last known location of the device in the event that the location services are not available.

Details: android.support.v7.app.TwilightManager

This application requests location updates from the Location Manager.

Details: com.urbanairship.location.StandardLocationAdapter$SingleLocationRequest com.urbanairship.location.StandardLocationAdapter

This app is making a call to the location services to receive the location of the device.

Details: com.urbanairship.location.StandardLocationAdapter android.support.v7.app.TwilightManager

Logging

The app is writing information in the system Log. Details: uk.co.bbc.smpan.monitoring.sumologic.BackgroundExecutorNetworkClient$1 uk.co.bbc.smpan.logging.AndroidLogger uk.co.bbc.smpan.audio.notification.androidNotificationSystem.AudioNotificationService uk.co.bbc.smpan.ui.placeholder.ASyncTaskArtworkFetcher$LoaderTask uk.co.bbc.smpan.ui.playoutwindow.VideoSurface uk.co.bbc.smpan.fallback.AndroidMediaPlayerDetectionHelper uk.co.bbc.mediaselector.logging.AndroidLogger uk.co.bbc.echo.util.EchoDebug uk.co.bbc.echo.device.DefaultDeviceDataProvider com.squareup.picasso.Utils com.urbanairship.Autopilot de.spring.mobile.SpringStreams

373 total classes, shown 10

Network

Potential application update and auto installation routines discovered.

Details: net.hockeyapp.android.tasks.DownloadFileTask

The app may potentially use WebSocket (https://tools.ietf.org/html/rfc6455) based communications with remote servers.

Details: okhttp3.internal.ws.RealWebSocket

The app can manipulate its user agent string.

Creates a new unconnected socket.

Details: com.squareup.okhttp.internal.http.SocketConnector okhttp3.internal.connection.RealConnection

This application can launch a new web page using the browser application. This is an informational finding.

Details: de.spring.mobile.SpringStreams

Network Security

The app is not doing active checks for validating SSL certificates. It may allow self-signed, expired or mismatch CN certificates for SSL connections. The app is not implementing certificate pinning on any domain it communicates with.

Details: http://pubads.g.doubleclick.net/gampad/ads?ad_rule=1&sz=512x288&iu= http://walter-resolver-cdn.api.bbci.co.uk/resolve?uri=

The app uses SSL/TLS secure transport libraries.

Details: de.spring.mobile.SpringStreams com.comscore.utils.Connectivity

This app opens a HTTPS URL Connection

Details: uk.co.bbc.echo.live.AsyncHttpClient com.squareup.okhttp.internal.huc.DelegatingHttpsURLConnection okhttp3.internal.huc.DelegatingHttpsURLConnection

This app used the Java Security interface for parsing and managing certificates, certificate revocation lists (CRLs), and certification paths.

Details: com.squareup.okhttp.Cache com.squareup.okhttp.Handshake com.squareup.okhttp.CertificatePinner com.squareup.okhttp.internal.tls.OkHostnameVerifier com.squareup.okhttp.internal.huc.DelegatingHttpsURLConnection com.squareup.okhttp.internal.ConnectionSpecSelector com.squareup.okhttp.internal.huc.HttpsURLConnectionImpl com.squareup.okhttp.internal.http.SocketConnector com.squareup.okhttp.internal.http.HttpEngine okhttp3.internal.connection.RealConnection okhttp3.internal.connection.ConnectionSpecSelector okhttp3.internal.platform.AndroidPlatform

22 total classes, shown 10

Package Manager

This application can retrieve information about any application package that is installed on the device. This is an informational finding.

Details: de.spring.mobile.SpringStreams net.hockeyapp.android.UpdateFragment net.hockeyapp.android.Constants net.hockeyapp.android.UpdateActivity org.codechimp.apprater.ApplicationRatingInfo com.google.android.gms.gcm.GoogleCloudMessaging com.google.android.gms.iid.InstanceID com.google.android.gms.iid.zze com.google.android.gms.common.util.zzw com.google.android.gms.common.zzo com.google.android.gms.internal.zzdb com.google.android.gms.internal.zzazm

30 total classes, shown 10

Security

Extensible cryptographic service provider infrastructure (SPI) for using and defining services such as Certificates, Keys, KeyStores,MessageDigests, and Signatures.

Details: uk.co.bbc.echo.device.DefaultDeviceDataProvider com.squareup.okhttp.Handshake com.squareup.okhttp.Cache$Entry com.squareup.okhttp.OkHttpClient com.squareup.okhttp.CertificatePinner com.squareup.okhttp.internal.tls.OkHostnameVerifier com.squareup.okhttp.internal.Util com.squareup.okhttp.internal.huc.DelegatingHttpsURLConnection com.squareup.okhttp.internal.huc.HttpURLConnectionImpl com.squareup.okhttp.internal.ConnectionSpecSelector com.squareup.okhttp.internal.huc.HttpsURLConnectionImpl com.squareup.okhttp.internal.http.SocketConnector

67 total classes, shown 10

This app can access the interface to an RSA Private Key,

Details: com.google.android.gms.iid.zze

This app uses a simplified version of the java.security.cert package.

Details: com.squareup.okhttp.Handshake com.squareup.okhttp.internal.tls.DistinguishedNameParser com.squareup.okhttp.internal.tls.OkHostnameVerifier okhttp3.internal.tls.TrustRootIndex$BasicTrustRootIndex okhttp3.internal.tls.DistinguishedNameParser okhttp3.internal.tls.OkHostnameVerifier okhttp3.Handshake This application uses Base64 encoding and decoding. Base64 is typically used in email/web communications but can be applied to any data set. This is an informational finding.

Details: com.urbanairship.widget.UAWebView com.urbanairship.push.GcmPushReceiver com.urbanairship.http.Request com.google.android.gms.gcm.GcmReceiver com.google.android.gms.wearable.DataMapItem com.google.android.gms.iid.InstanceID com.google.android.gms.iid.zzh com.google.android.gms.common.util.zzc com.google.android.gms.internal.zztl com.google.android.gms.internal.zztr com.google.android.gms.internal.zzbs com.google.android.gms.internal.zzhi

21 total classes, shown 10

This app uses a cryptographically strong random number generator (RNG).

Details: com.squareup.okhttp.OkHttpClient com.google.android.gms.wearable.PutDataRequest com.google.android.gms.internal.zzdb com.google.android.gms.internal.zzbv com.google.android.gms.internal.zzcw com.google.a.a.d com.google.a.a.e com.google.a.a.k okhttp3.OkHttpClient

This app can utilize the fingerprint reader on the device.

Details: android.support.v4.hardware.fingerprint.FingerprintManagerCompatApi23

This app is implementing the SafetyNet API.The SafetyNet Attestation API helps assess the security and compatibility of the Android environments in which the app runs. This API can be used to analyze devices that have installed the app.

Details: com.google.android.gms.internal.zzcsm

Storage

The app stores data in the internal storage of the device.

System The app uses a method to blindly load all apps and jar files located in a directory. Potential exists for abuse by malicious parties.

Details: com.google.android.gms.dynamite.zzg

Details: com.google.android.gms.internal.zzdb com.google.android.gms.internal.zzea com.google.a.a.e

This application is requesting the device serial number information from the system build properties.

Details: com.comscore.utils.id.IdChecker com.comscore.utils.API9 com.comscore.android.id.API9

Details: de.spring.mobile.SpringStreams

This application is requesting the device build fingerprint from the system build properties.

Details: com.google.android.gms.internal.zzacb

This application is requesting the device model information from the system build properties.

Details: uk.co.bbc.httpclient.useragent.UserAgent com.urbanairship.widget.UAWebViewClient com.urbanairship.http.Request net.hockeyapp.android.Constants com.google.android.gms.internal.zzagy com.google.android.exoplayer2.util.Util com.google.android.exoplayer.util.AmazonQuirks com.google.android.exoplayer.util.Util com.urbanairship.analytics.data.EventApiClient bbc.mobile.news.v3.fragments.toplevel.TopLevelPagerFragment bbc.mobile.news.v3.common.net.OkHttpClientFactory

This application is requesting the device type from the system build properties.

Details: com.google.android.gms.internal.zzacb com.google.android.gms.internal.zzagy com.google.android.gms.internal.zzaix com.google.android.exoplayer2.util.Util com.google.android.exoplayer.util.Util com.comscore.applications.ApplicationMeasurement

This application accesses the properties of the device and OS. This is an informational finding.

Details: rx.plugins.RxJavaPlugins

This app is querying for the device version release information.

Details: uk.co.bbc.smpan.SMPBuilder uk.co.bbc.httpclient.useragent.UserAgent com.urbanairship.http.Request com.urbanairship.analytics.AppForegroundEvent de.spring.mobile.VideoViewAdapter de.spring.mobile.SpringStreams net.hockeyapp.android.Constants net.hockeyapp.android.tasks.CheckUpdateTask com.google.android.gms.internal.zzmq com.google.android.gms.internal.zzzh com.google.android.gms.internal.zzagy com.google.android.gms.internal.zzaix

18 total classes, shown 10

This application is requesting the device product information from the system build properties.

Details: uk.co.bbc.echo.delegate.rdot.RDotRequest net.hockeyapp.android.Constants com.comscore.utils.Connectivity

This application is requesting the device brand information from the system build properties.

Details: net.hockeyapp.android.Constants

This application is requesting the device build tag information from the system build properties. Details: com.comscore.utils.RootDetector

This application is requesting the device manufacture information from the system build properties.

Details: uk.co.bbc.echo.delegate.rdot.RDotRequest net.hockeyapp.android.Constants com.google.android.gms.internal.zzagy com.google.android.exoplayer2.util.Util com.google.android.exoplayer.util.AmazonQuirks com.google.android.exoplayer.util.Util com.urbanairship.UAirship bbc.mobile.news.v3.fragments.toplevel.TopLevelPagerFragment

This application is requesting the device model information from the system build properties.

This application does contain rooted device detection functionality.

Details: com.comscore.utils.RootDetector

Returns the value of a particular system property.This is an informational finding.

Details: com.squareup.okhttp.ConnectionPool com.squareup.okhttp.internal.huc.HttpURLConnectionImpl rx.internal.util.RxRingBuffer rx.internal.util.ScalarSynchronousObservable rx.internal.util.IndexedRingBuffer rx.internal.util.unsafe.UnsafeAccess net.hockeyapp.android.CrashManager okhttp3.internal.huc.OkHttpURLConnection com.comscore.utils.OfflineMeasurementsCache com.comscore.applications.ApplicationMeasurement android.support.multidex.MultiDex kotlin.text.SystemProperties 13 total classes, shown 10

As a standard practice with many applications, this application loads external libraries at runtime. It will load the native library specified by the libname argument.

Details: com.google.android.exoplayer2.util.LibraryLoader

Telephony

This application potentially gains access to the device ID.

Details: bbc.mobile.news.v3.media.MediaService

Vulnerability

WebKit

The app enables WebView to execute JavaScript code

Details: com.urbanairship.widget.UAWebView com.google.android.gms.internal.zzakn com.google.android.gms.ads.internal.zzbm com.google.ads.interactivemedia.v3.impl.y bbc.mobile.news.v3.ui.visualjournalism.VisualJournalismFragment bbc.mobile.news.v3.ui.web.WebViewActivity

This app has configured WebView to allow Javascript to open windows without user prompt.

Details: com.google.android.gms.internal.zzakn WebView

This application is using the WebKit to download a file from the Internet.

Details: com.google.android.gms.internal.zzakn

This app has enabled the ability for WebKit to access the file system.

Data Leakage

The app retrieves ClipBoard data contents.

Details: com.urbanairship.ChannelCapture android.support.v4.app.RemoteInputCompatJellybean

This application will construct a URL stream to send information off the device.

The application stores inline API keys/values

Libraries

ProGuard

The ProGuard tool shrinks, optimizes, and obfuscates your code by removing unused code and renaming classes, fields, and methods with semantically obscure names. The result is a smaller sized .apk file that is more difficult to reverse engineer. Because ProGuard makes your application harder to reverse engineer, it is important that you use it when your application utilizes features that are sensitive to security like when you are Licensing Your Applications.

HockeyApp

Use our simple yet powerful desktop apps to manage your apps, upload builds, and analyze crash reports. Or use our mobile clients to install builds directly on your devices.

Daggar

A fast dependency injector for Android and Java

JavaX

JavaX is a Java implementation that allows components and resources to be injected into the application as Provider Kotlin

This app references the Kotlin framework. Kotlin is a statically typed programming language for modern multi-platform applications

Google Wear API

This application has access to wearable devices through the Android Wear Message API

OKHttp

HTTP is the way modern applications network. It’s how we exchange data & media. Doing HTTP efficiently makes your stuff load faster and saves bandwidth.

Picasso

A powerful image downloading and caching library for Android

Google Gson

Gson is a Java library that can be used to convert Java Objects into their JSON representation. It can also be used to convert a JSON string to an equivalent Java object. Gson can work with arbitrary Java objects including pre-existing objects that you do not have source-code of.

Google Play Market

Give your apps more features to attract users on a wider range of devices. With Google Play services, your app can take advantage of the latest, Google-powered features such as Maps, Google+, and more, with automatic platform updates distributed as an APK through the Google Play store. This makes it faster for your users to receive updates and easier for you to integrate the newest that Google has to offer.

Double Click

Google Ads

The Google Mobile Ads SDK is the latest generation in Google mobile advertising featuring refined ad formats and streamlined APIs for access to mobile ad networks and advertising solutions. The SDK enables mobile app developers to maximize their monetization on Android, iOS, and Windows Phone 8. The Google Mobile Ads SDK is available to AdMob, DoubleClick for Publishers (DFP), and Ad Exchange customers.

Comscore 3.1608.19

comScore is a leading internet technology company that measures what people do as they navigate the digital world - and turns that information into insights and actions for our clients to maximize the value of their digital investments. SquareUp

Easy-to-use tools for every corner of your business. From mobile point-of-sale tools and appointment scheduling to fast deposits and online invoicing, Square has everything you need to take care of every little thing.

Urban Airship 8.8.0

We’ve built the smartest, most aware, precise, easy-to-use, scalable, secure and powerful push messaging platform on the planet. Our Push messaging platform leverages all that is unique about mobile as a channel, and that lights the spark to create meaningful and valuable mobile experiences. We help put your app in front of your users at the right time, and in the right place to drive usage and brand engagement.

Facebook SDK

Facebook SDK for Android helps you build engaging social apps and get more installs. Includes Bolts, Audience Network, and Facebook packages. Requires Android API 9.

Okio

https://github.com/square/okio

Google Protocol Buffers

Protocol Buffers - Google's data interchange format. https://developers.google.com/protocol-buffers/

Android Wearable SDK

This application invokes the Android Wearable SDK

OWASP Summary 3/10

The OWASP summary contains the results of the testing that was performed on the application against the OWASP Top 10 Mobile categories. Sections that FAIL passed the testing are in green while sections that failed a test are highlighted in red.

M1: Improper Platform Usage

No problems found

M2: Insecure Data Storage

This application will construct a URL stream to send information off the device. Content Providers are implicitly insecure. They allow other applications on the device to request and share data. If sensitive information is accidentally leaked in one of these content providers all an attacker needs to do is call the content provider and the sensitive data will be exposed to the attacker by the application.This is cause for concern as any 3rd party application containing malicious code does not require any granted permissions in order to obtain sensitive information from these applications.

M3: Insecure Communications

URL's were found embedded in the app that do not use a secure protocol. Internal applications should always use HTTPS connections when possible. Ensure sensitive data is not being sent over this in-secure channel. Details: http://pubads.g.doubleclick.net/gampad/ads?ad_rule=1&sz=512x288&iu= http://walter-resolver-cdn.api.bbci.co.uk/resolve?uri=

The app is not implementing certificate pinning on any domain it communicates with.

M4: Insecure Authentication

No problems found

M5: Insufficient Cryptography

No problems found

M6: Insecure Authorization

No problems found

M7: Client Code Quality

No problems found

M8: Code Tampering

No problems found M9: Reverse Engineering

This application exposes source level metadata symbols and fails the testing outlined by OWASP Mobile Top 10. This application fails the Source Code Reverse Engineering Exposure test as outlined by OWASP Mobile Top 10. This application does contain rooted device detection functionality. Details: com.comscore.utils.RootDetector

M10: Extraneous Functionality

No problems found

Communications

www.googleapis.com IP Address: 172.217.14.170 Country: United States Last checked: 11-15-2017