Horusec Mobile (Java and Kotlin)

In this section, you will find vulnerabilities for mobile applications written in Java or Kotlin.

What is it?

Horusec-Kotlin and Horusec-Java are SAST tools created by the Horusec team to search vulnerabilities in projects using Kotlin and Java.

You can apply specific rules for your languages ​​and also identify some generic rules for mobile apps that use Kotlin/Java for Android or IOS.

Examples of vulnerabilities

No Log Sensitive Information

The App logs information. Sensitive information should never be logged. For more information checkout the CWE-532 (https://cwe.mitre.org/data/definitions/532.html) advisory.

Example of a vulnerable code:


const DatabaseURI = "..."

Log.info("Connection string of the database: " + DatabaseURI)

HTTP Requests, Connections and Sessions

No uses Http request, connections and sessions with insecure.

Example of a vulnerable code:

import http.client.HttpClient

No uses safety API

No uses safety api in your application.

Example of a vulnerable code:

import com.google.android.gms.safetynet.SafetyNetApi

No uses Content Provider

No uses Content Provider.

Example of a vulnerable code:

import android.content.ContentProvider

No Use With Unsafe Bytes

Using this implementation of ‘.withUnsafeBytes’ can lead to the compiler’s decision to use unsafe APIs, such as _malloc and _strcpy, as the method calls closing with an UnsafeRawBufferPointer. For more information checkout the CWE-789 advisory.

Local File I/O Operations

No use operations of input or output in files.

Example of a vulnerable code:

var query: [String: Any] = [kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlocked]

WebView Component

No use WebView Component.

Encryption API

No use Encryption API with vulnerabilities.

No Use Prohibited APIs

The application may contain prohibited APIs. These APIs are insecure and should not be used. For more information checkout the CWE-676 (https://cwe.mitre.org/data/definitions/676.html) advisory.

  • strcpy
  • memcpy
  • strcat
  • strncat
  • strncpy
  • sprintf
  • vsprintf

Application allow MITM attacks

The application allows self-signed or invalid SSL certificates. The application is vulnerable to MITM (Man-In-The-Middle) attacks. For more information checkout the CWE-295 advisory.

UIWebView in application ignoring errors SSL

The in-app UIWebView ignores SSL errors and accepts any SSL certificate. The application is vulnerable to attacks from MITM (Man-In-The-Middle). For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.

No List changes on the clipboard

The application allows you to list the changes on the Clipboard. Some malware also lists changes to the Clipboard.

Exemplo de código vulnerável:

const NSNotificationName UIPasteboardChangedNotification

The application is using SQLite

The application is using SQLite. Confidential information must be encrypted.

Example of a vulnerable code:

sqlite3_exec(...)

No use NSTemporaryDirectory

User use in “NSTemporaryDirectory ()” is unreliable, it can result in vulnerabilities in the directory. For more information checkout the CWE-22 (https://cwe.mitre.org/data/definitions/22.html) advisory.

Example of a vulnerable code:

const tempDirectory NSTemporaryDirectory

No copies data to the Clipboard

The application copies data to the Clipboard. Confidential data must not be copied to the Clipboard, as other applications can access it. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.

Example of a vulnerable code:

var clipboard UIPasteboard

No Download File Using Android Download Manager

This App downloads files using Android Download Manager.

import android.app.DownloadManager;

Android Keystore

No use Android Keystore to manager.

Android Notifications

No read android notifications

Potential Android SQL Injection

The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory and OWASP: Top 10 2017-A1-Injection.

Example of a vulnerable code:

String query = "SELECT * FROM  messages WHERE uid= '"+userInput+"'" ;
Cursor cursor = this.getReadableDatabase().rawQuery(query,null);

Example of an invulnerable code:

String query = "SELECT * FROM  messages WHERE uid= ?" ;
Cursor cursor = this.getReadableDatabase().rawQuery(query,new String[] {userInput});

SQL Injection With SQLite

App uses SQLite Database and execute raw SQL query. Untrusted user input in raw SQL queries can cause SQL Injection. Also sensitive information should be encrypted and written to the database. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory and OWASP: Top 10 2017-A1-Injection..

Example of a vulnerable code:

import android.database.sqlite;

...
String query = "SELECT * FROM  messages WHERE uid= '"+userInput+"'" ;
Cursor cursor = conn.rawQuery(query,null);

Example of an invulnerable code:

import android.database.sqlite;

...
String query = "SELECT * FROM  messages WHERE uid= ?" ;
Cursor cursor = conn.rawQuery(query,new String[] {userInput});

WebView GET Request

WebView GET Request

WebView POST Request

WebView POST Request

Base64 Decode

Basic authentication’s only means of obfuscation is Base64 decoding. Since Base64 decoding is easily recognized and reversed, it offers only the thinnest veil of protection to your users, and should not be used. For more information checkout the OWASP Top Ten 2017 A3(https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html) advisory and CWE-522 (https://cwe.mitre.org/data/definitions/522.html).

Example of a vulnerable code:

var password = "PASSWORD_IN_BASE64";
String passwordDecoded = Base64Encoder.decode(password);

WebView Load Request

WebView Load Request.

WebView Load Request

WebView Load Request.

No use cookie storage to save sensitive information. NSHTTPCookieStorage. sharedHTTPCookieStorage

28 Set or Read Clipboard

Using LoadHTMLString can result Inject

User input not sanitized in ‘loadHTMLString’ can result in an injection of JavaScript in the context of your application, allowing access to private data. For more information checkout the CWE-95 (https://cwe.mitre.org/data/definitions/95.html) advisory.

No Use SFAntiPiracy Jailbreak

Verifications found of type SFAntiPiracy Jailbreak.

Send SMS

This App is send sms without security.

Example of a vulnerable code:

import telephony.SmsManager

No Use SFAntiPiracy IsPirated

Verifications found of type SFAntiPiracy isPirated.

Weak md5 hash using

MD5 is a weak hash, which can generate repeated hashes. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.

Weak sha1 hash using

SHA1 is a weak hash, which can generate repeated hashes. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.

Weak ECB encryption algorithm using

The application uses ECB mode in the encryption algorithm. It is known that the ECB mode is weak, as it results in the same ciphertext for identical blocks of plain text. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.

The application has anti-debugger using ptrace()

The application has anti-debugger using ptrace().

Super User Privileges

This App may request root (Super User) privileges. For more information checkout the CWE-250 (https://cwe.mitre.org/data/definitions/250.html) advisory.

Example of a vulnerable code:

import com.noshufou.android.su

Send SMS

Send SMS. For more information checkout the OWASP-M3 advisory.

Base64 Encode

Basic authentication’s only means of obfuscation is Base64 encoding. Since Base64 encoding is easily recognized and reversed, it offers only the thinnest veil of protection to your users, and should not be used. For more information checkout the OWASP Top Ten 2017 A3(https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html) advisory and CWE-522 (https://cwe.mitre.org/data/definitions/522.html).

Example of a vulnerable code:

// Using HttpPost from Apache HttpClient
String encoding = Base64Encoder.encode ("login:passwd");
org.apache.http.client.methods.HttpPost httppost = new HttpPost(url);
httppost.setHeader("Authorization", "Basic " + encoding);  // Noncompliant

GPS Location Known

No use GPS Location to get last known location.

Jailbreak Detection Methods

The application may contain Jailbreak detection mechanisms.

Possible vulnerabilities when use:

/Applications/Cydia.app
/Applications/FakeCarrier.app
/Applications/Icy.app
/Applications/IntelliScreen.app
/Applications/SBSettings.app
/etc/apt
/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist
/Library/MobileSubstrate/MobileSubstrate.dylib
/Library/MobileSubstrate/DynamicLibraries/Veency.plist
/System/Library/LaunchDaemons/com.ikey.bbot.plist
/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
/etc/ssh/sshd_config
/Applications/MxTube.app
/Applications/RockApp.app
/Applications/WinterBoard.app
/Applications/blackra1n.app
/private/var/tmp/cydia.log
/private/var/lib/apt
/private/var/lib/cydia
/private/var/mobile/Library/SBSettings/Themes
/private/var/stash
/var/lib/cydia
/var/cache/apt
/var/lib/apt
/usr/sbin/sshd
/usr/sbin/frida-server
/usr/libexec/ssh-keysign
/usr/libexec/sftp-server
/usr/bin/sshd
/usr/bin/cycript
/usr/local/bin/cycript
/usr/lib/libcycript.dylib
cydia://
frida-server

Last modified October 22, 2021: Added ids to analysis tools (#127) (d3bd89bf)