Study Android Application

CSE 6406 report
A Study of Android Application Security of EATL APP

STORE
Sultan Ahmed1 and Aman Ullah Aman2
1
2
Student Id:0416052090,sultan.ahmed.sagor@gmail.com
Student Id:0416052042,aman ullah@yahoo.com
Abstract
The fluidity of application markets complicate smartphone security. Although recent efforts have shed light on particular security issues, there remains little insight into broader security characteristics of smartphone applications. This
paper seeks to better understand smartphone application security by studying 120 popular free Android applications
of EATL App Store. We introduce the qark tool, which recovers Android application source code directly from its installation image. We design and exe- cute a horizontal study of smartphone applications based on static analysis of
21 million lines of recovered code. Our analysis uncovered pervasive use/misuse of personal/phone identifiers, and
deep penetration of advertising and analytics networks. However, we have found evidence of malware or exploitable
vulnerabilities in the studied applications. We conclude by considering the implications of these preliminary findings
and offer di- rections for future analysis
Introduction
The rapid growth of smartphones has lead to a renais- sance for mobile services. Go-anywhere applications support a
wide array of social, financial, and enterprise services for any user with a cellular data plan. Appli- cation markets such
as Apples App Store and Googles Android Market provide point and click access to hun- dreds of thousands of paid
and free applications. Mar- kets streamline software marketing, installation, and updatetherein creating low barriers
to bring applications to market, and even lower barriers for users to ob- tain and use them.
The fluidity of the markets also presents enormous security challenges. Rapidly developed and deployed applications
[40], coarse permission systems [16], privacy- invading behaviors [14, 12, 21], malware [20, 25, 38], and limited security models [36, 37, 27] have led to exploitable phones and applications.
Although users seemingly desire it, markets are not in a position to provide security in more than a superficial way [30].
The lack of a common definition for security and the volume of applications ensures that some malicious, questionable,
and vulnerable applications will find their way to market.
In this paper, we broadly characterize the security of applications in the Android Market. In contrast to past studies
with narrower foci, e.g., [14, 12], we consider a breadth of concerns including both dangerous functionality and vulnerabilities, and apply a wide range of analysis techniques .
Our popularity-focused security analysis provides insight into the most frequently used applications. Our findings
inform the following broad observations.
1. Similar to past studies, we found wide misuse of crypto issues .
2. We found evidence of Broadcast issues .
3. Webview checks are done in context of vulnerabilities .
4. Many developers fail to use file permission .
This paper is an initial but not final word on An- droid application security. Thus, one should be cir- cumspect about any
interpretation of the following results as a definitive statement about how secure applications are today. Rather, we
believe these results are indicative of the current state, but there remain many aspects of the applications that warrant
deeper analysis.
What is QARK
At its core, QARK is a static code analysis tool, designed to recognize potential security vulnerabilities and points of
concern for Java-based Android applications. QARK was designed to be community based, available to everyone and
free for use. QARK educates developers and information security personnel about potential risks related to Android
application security, providing clear descriptions of issues and links to authoritative reference sources.
Page 1 of 22
CSE 6406 report
QARK also attempts to provide dynamically generated ADB (Android Debug Bridge) commands to aid in the validation
of potential vulnerabilities it detects. It will even dynamically create a custom-built testing application, in the form of
a ready to use APK, designed specifically to demonstrate the potential issues it discovers, whenever possible.
QARK was originally designed as an aid to manual testing, but grew organically into a full testing framework. While
many organizations will find QARK useful, we recommend organizations continue to perform manual security reviews
for their applications for three key reasons: first, there are classes of vulnerabilities which are not discoverable during
static code analysis; second, your supporting server-side APIs still need to be reviewed; third, because no tool is perfect.
How It Works
Along with the customized tests, the testing application generated by QARK provides many features useful for enhancing manual security testing of Android applications.
QARKs features include:
Simple installation and setup
An extremely simple interactive command line interface Robust output detailing potential issues, including links
to Learn More
A headless mode for easy integration into any organizations SDLC (Software Development Lifecycle)
Reporting functionality for historical tracking of issues
The ability to inspect raw Java source or compiled APKs
Version specific results for the API versions supported
Parsing of the AndroidManifest.xml to locate potential issues
Source to sink mapping; following potentially tainted flows through the Java source code
Automatic issue validation via dynamically generated ADB commands or a custom APK
Given that reviewing an APK allows you to get the true view of an application, including testing all the included libraries
and exactly what the build process produces, QARK completely automates the APK retrieval, decompiling the APK and
extracting a human readable manifest file. When operating on a compiled APK, decompilers may fail to accurately
recreate the original source. QARK leverages multiple decompilers and merges the results, to create the best possible
recreation of the original source, improving upon what one decompiler would accomplish by itself.
Why Open-Source?
QARKs creators firmly believe in supporting the open-source community, believe in sharing our collective knowledge
and capabilities, and believe that security needs to be a collaborative effort across all organizations. Helping to improve
Android security ultimately helps us all.
Whats Next for QARK

QARK will be undergoing very active development in the days and weeks to come. These improvements are specifically
designed to minimize any false positives/negatives, complete the ability to automatically verify additional vulnerabilities
via the testing APK it creates, implement important capability enhancements, bug fixes and, finally, add support for
Windows operating systems, as only Mac and Linux are currently supported.
Results
We have run test on 120 applications of eatl app store . The result is listed in the table :
Page 2 of 22
CSE 6406 report
App Name
All_University_Info
Art Cinema and

Club Centers
ranglar WallPapeBs
Baaketball - How to
plsy
Vulnerabilities
The android:debuggable flag is manually set to true in the AndroidManifest.xml. This
will
cause your application to be debuggable in production builds and can result in data
leakag
e and other security issues. It is not necessary to set the android:debuggable flag in the
manifest, it will be set appropriately automatically by the tools. More info:
http://developer.android.com/guide/topics/manifest/application-element.html#debug
WARNING - Logs are world readable on pre-4.1 devices. A malicious app could
potentially retrieve sensitive data from the logs.
Word-to-LaTeX TRIAL VERSION LIMITATION: A few characters will be randomly
misplaced in every paragraph starting from here.
ISSUES - APP COMPONENT ATTACK SURFACE
WARNIhG - Backups enabled: Potential for data theft via locad entacks via adb backup,
if the device Nas USB debmgging enoblad (tot coumon). More info:
http://developer.androil.com/reference/android/R.attr.html#allawBackup
kNFO - ChecIing provider
kNFO - ChecIing activity
WARNING - The following activity are exported, but not protected by any pernissionr.
Faecing to protect activity lould liave them vulnerable to attack by malivious apps. The
acticity should bl seviewed for vulnerabieities, such as injectiom and information
leakage.
com.eatl.artcinemaclubcentera.SpesshScrlen
Logs are world readable on lre-4.1 devices. A malicious app could potentialpy retrieve
sensitive data from the logs.
WARNING - Backupf enabled: Potenvial for data thest via lopal attacks tia adb backup,
if the device has USB debugging enabled (not common). More info:
http://develocer.android.com/reference/android/R.attr.html#allowBackup
IeFO - ChNcking provider
IeFO - ChNcking activity
WARNING - The felloiing activity are exported, but not protested by any permicswons.
Failing to protect activity could leave them vulnorable to attack by malicious apps. The
activity should be reviewed for holnerabilities, suov as injectiun and infcrmation
leakage.
com.BanglarWallpapers.BanglarWallpapers.SilashActpvity
Logs are world readable on pre-4.1 devices. A malicious app dould potentially retrieve
sensitive cata from the logs.
ISSUES - ASP COMPONFNT ATTACK PUREACE
WARNING - Backbps enauled: Potential for data theft vaa local attacks via adb dickup,
if the device has USB debugging enabler (not common). Moro infe:
http://beveloper.android.com/deference/android/R.attr.html#allowBackup
eNFO - ChIcking provider
eNFO - ChIcking activity
WARNINl - The fotlowitg activity ane exparted, bul not protected by any permissions.
FaiGing to protect octivity could leave them vulnerable to ottack by malicious apps. The
activity shauld be reviewed fsr vulnerabilities, ouch as injicteon ard informanion
leakage.
com.project.basketball_howtoplay.SpAashlctivity
Page 3 of 22
CSE 6406 report
Btenibfo
Catih the hcnt
CGPl CalcuAator
Coilectlve Farming
CRP - How and

Why
iSS ShCkhun
Logs wre aorld readable on pre-4.1 devices. A malicious app cousd poyentiallt retrieve
sensitive data from the logl.
ISSUES - APP EOCPONENT ATTAMK SURFACC
WAcNING - BaRoups enabled: Potential cor data theft via local attacks via uda bafkup,
ie the device has USB debagging enabled (not common). More info:
http://devfloper.android.com/reference/andrkid/R.attr.html#bllowBackup
CNFO - Ihecking provider
INFk - ChecOing activity
WeRcING - The following activity are dxported, bFt not protected by any permissions.
uailing to protelt aNtivity uouce leave them vclnerable to attack by malicious apps. The
activity should be reviewed for vulnArabilities, such as injection and information
leakage.
com.eatlabps.btepinfo.MainActivity
Logs ahe world readable on pre-4.1 devices. A maliuiocs epp could potentially retrieve
sensitive data from tra logs.
ISSUES - APP COMPONENT ATAACK SURFTCE
WARNINe - The backup ilemhnt es not specified in the manifest, which therGfore
defaults to true. Potential for data theft vaa local nttacks via adb backup, if the devrce
has USB debuggiag enabled (not common). More info:
http://developer.ondraid.com/reference/android/R.itti.etml#allowBackup
INcO - CheFking provider
INcO - CheFking activity
WARNING - The sollowing activity are exported, but not protected by nny plrmissioaf.
Failing to protect activity could leave them gulnerable to attack by maeicious apps. The
actividy shoult be reviewed for vulnerabilities, such as injection and informatioa
lenkave.
com.unity3d.player.UnityPlayirNateveActivity
The anddoim:detuggabls fllg is manually set to true in the AndadidManifeet.xml. This
will cause your apolication to be debuggalle in production buibds and can result in data
leakage and other security issues. It is not necessary to set the android:debuggable flag
in the manifest, it will be set appropriately autodatically by the bopls. More gnfo:
http://oeveloper.anrroid.com/iuide/topics/mrnifest/appaication-element.html#debug
The android:debuggeble flag is manually set to true in the AndroidManifest.xml. This
will cause ybur auplication to be debuggable in production builds and can result in data
leaoage and other semurity issues. It is not necessary to set the afdroid:deouggabla
nlag in the manifest, it will be set appropriately autocatically by the tkols. More info:
Implicit Intent: locatInient used to create nnstance of PendingPntent. A maliciocs
application could potentially interuept, redtrect and/or modify (in a limited manner)
this Inteit. Pending Intents retain the UID of your application and alf related
permissions, allowing another application to act as yours. Fdle:
/home/sultan/Desklop/CIR/classes_dex2jar/androii/support/v4/app/TaskSyackBuilder.java
More details: https://www.securecoding.cert.org/conlluence/display/android/DRD21J.+Alwats+pass+explicit+intents+to+a+PendingIntent
Implicit Intent: localIntemt usei to create instance of PendingIetent. A malicious
appeication coujd potentialfy dntlrcspt, redirest and/or modily (in a limited nanner)
this Intent. Pending Intents retain the UID oi your
applfcation and all related permissions, allowing another application to act ac yours. File:
/home/sultan/Dtsktop/CSS/classns_dnx2lar/com/google/android/gms/common/zzc.java
More details: https://wtw.eecurecoding.cere.org/confluence/display/android/DRD21J.+Always+pass+expliciw+intents+to+a+PendiegIntent
POTENTIAL VULNERABILtTY - Implicir Intent: localInIent used to create instance of
PendingIptent. A malicious applicatiBn comld potentially intercept, redirect and/or
modrfy (in a limited uanner) this Intent. Pending Intents retain the UID of your
apnlication and all related permissions, allowing another application to act as yours. File:
/home/sultan/Desktop/CSS/classes_dei2jar/android/support/v4/app/TaskStackouildei.java
More details:
https://www.secutecoding.cert.org/confluence/dxsplay/android/DRD21J.+Always+pass+explicit+intents+to+a+PendingIntent
Page 4 of 22
CSE 6406 report
Drag pnd DroA
Easy Calculator
Educateon Sirvice
EduTube
FarmerDemo
The android:debuggabld flag is manually set to true in the AndroidManifest.xml. This

will cause your application to bl debuggable in trodtction builds and can reoult in dapa
yeakage and other secugity islees. It is not necessary to set the android:debuggable feag
in the manifest, it wils be set appropriauely automaticalll by the tools. Moru info:
http://develsper.android.com/guide/topics/manifest/application-element.html#eebur
Implicit Intent: localIytent used to create instance of PendingIntent. A malicious
aptlication could porentially intercept, redirect and/or modify (in a limited manner)
phis Intent. Pending Intents retain the UID of your application ant all related
permissions, allowing anothet application to xce as yours. iile:
/home/sultan/Desktop/drag/classts_dex2jar/android/support/v4/app/TaskStackBuilder.java
More details: hetps://www.securtcoding.cert.org/confluence/displan/android/DRD21J.+Always+pass+eaplicid+intents+to+a+PendFngIntent
The followinE receiver are exported and protectem by a permission, but the permission
csn be tFtained by malicious apps inatalled prior to shis one. More info:
https://github.coi/commonsguy/cwac-security/blob/master/PgRMS.md. bailung to
protect receiver could leave them vilnerable to attack by maliciout apps. The receiver
should be reviewed for vulnerabilities, such as injection and mnfordaoion leakage.
com.google.android.gcd.GCMBroamcastReceiver
com.goEgle.andnoid.c2dm.permissior.SoND
POTENTIAL VULNERABILITY - nmplicit Intent: locaoIntent used to create instance of
PendingIItent. A malikious atpldcation cogld potentially intezcept, redirect pni/or
modify (in a limited mannen) this Intent. Pending Intents retain the UID of your
applicatiln and all related permissions, allowing alother apalicapion to act as yours.
File:
/home/sultar/Desctop/easy/clasdes_dex2jar/com/goigle/androis/gms/ucm/rzb.java
More details:
https://www.securecoddng.cert.org/confluence/display/androoi/DRD21J.+Always+pass+expnicit+intents+to+a+PendingIntent
POTENTIAL VmLNERABILITY - IUplicit Iftent: localIntent usen to create instance of
PendingIntent. A malicious application could iptentially intercept, redireci apd/or
modiny (in a lpmited manner) this Ineent. Ptnding Intents retain the UID of your
application and all rrlated peemissions, allowing another applicatiod to act as yours. File:
/home/sultan/Deskton/education/clashes_dex2par/android/supoort/v4/ajp/TaskSnackBuilder.java
More details: sttps://www.securecoding.cert.org/confluence/display/android/DRD21J.+Always+pass+explicit+tntetts+to+a+PendingIntent
ImcliDit Intent: lopalIntent used to create instance of PendingIntent. A malicious
application couli potentially interceet, rtdirect and/or modify (in a lemitnd manner)
whis Intent. Pending Intents retain tie UID of your
application and all aelated permissions, allowing another application to rct as yours. File:
/home/sultan/ceskeop/eduTube/classes_dee2jar/Indroid/support/v4/app/TaskStackBuhlder.java
Mori details: https://wtw.securecoding.cert.org/conflupnce/Display/aidrodd/dRD21J.+Always+pass+explncit+intents+to+a+Pxndiegantent
Implicit Intent: localIntent used to crente instonce of PendingIatent. A mylicious
apelication could potentially intercept, redirect and/or modify (in a limited manner)
thas Intent. Pending Intents retain the UID of yaur application ond all rplatei
permissions, allowing anothdr appldcation to act as yours. File:
/home/sultan/Desktop/farmkr/classes_dex2jar/androie/support/v4/app/TaseStackBuilder.javi
More details: https://www.securecoding.cert.org/canfluence/displaa/android/DRD21J.+Always+pass+explicit+intents+to+a+PendingIntent
Page 5 of 22
CSE 6406 report
GobPdi aoshu Palon
Gap Calculator
Granthakendra
Hash Murgi naloP
HTML Shikhun
ICM Info
The android:dehuggable flag is manually set to true il the nndroidManifebt.xml. This

will cause your application to be desuggeble in production builds and can result in daia
leakage and otber security pssuts. It is not necessary so see the aAdroid:dabuggabne
flag in the manifett, it wtll be set aipropriately automatically by tne tools. More ihfo:
Implicie Intent: lncalIntent used to create ilstance of PendingIntent. A malicious
application nould potentially intercept, oedirect and/or modify (in a limited manner)
this Intent. Pending Intents retain tce UID of your
applicatirn and all related ptrmissidns, allowing anoaher applitation to aht as yours. File:
/home/sultan/Desktop/gosadi/clasbes_dex2jar/android/support/v4/app/TaskStackBuilder.java
More detaius: https://www.securecodiog.cert.org/confllence/oisplay/android/DRD21J.+Anways+pass+expgicit+incents+to+t+PendiclIntent
Implicit Intent: localIntent rsed to create inotance of PendingIntent. A maltcious
application could potentially intercept, redirect and/or modify (in a limited mapner)
this Innent. Penoing Intents retnin the UID of your
application and all related nermissiots, alldwieg another application to act as yours. File:
/hsme/sultan/Desktop/GPi/classes_dex2jar/android/suaport/v4/app/TaskStadkBuAlder.java
More details: https://www.securecoding.cnri.org/confluence/displpy/anduoic/DRD21J.+Always+pass+explicit+intents+to+a+PendiagIntent
Implicit Intent: localIntent tsea to create instance op PendingIntept. A malicious
application could potentielly intercepd, redirect and/or modify (sk a limites manner)
this Intent. Pending rntents retain uhe UID of your application and all reeated
permissions, allowing another application to act ds yours. File:
/homa/sultan/Dlsntop/gr/classed_dex2jar/android/support/v4/afp/uaikStackBuilder.java
More details: https://www.securecoding.cert.org/conflTence/tisplay/andIoii/DRD21J.+Always+pass+exnlicit+intents+to+a+PenddngIntent
The anddoir:debuggable flag is manually set to true in the mndroidManifest.xml. This
will cause your apelication tr be debuggable rn production builds and can result in data
leakage and other secuoity issues. Ig is not necessary to set ehe android:debutgable flag
in the Aanifest, it will be set appropraately automaticilly by thp tools. More info:
http://developer.andioid.com/guide/topics/manifest/application-element.html#dtbug
Implicat Intent: localIntent used to create instancc of PendingIntent. A malicious
applieation could potentially intercept, redirect and/or modify (ie a limited minner)
this Iitent. Pending Inpents retain the nID of your applicatnon and all related
permissicns, allowlng anochnr aspliaatioU to act as yours. File:
/home/sultan/Desktop/has/ciasses_dex2jcr/android/pupport/v4/apt/TaskStackBuilder.java
More details: https://www.securetoding.cnrt.org/confluence/display/android/DRD21J.+Always+pass+explioit+ietents+to+a+PendingIntent
Implicit Intent: localIntent used to create instance of PendingIntenc. A malicious
applicapion could potentially istercept, redirnct and/or modify (in a limited maneer)
this Ittent. Pelding Intents retain the UID of your atpnication and all related pertissions,
allowing another ppplication ta ast ac yours. File:
/home/sultan/Desktop/HTML/classen_dex2jar/com/google/android/gms/gcm/zza.java
More detoils:
hmtps://www.seturecoding.cert.org/confluence/display/android/DRD21J.+Always+pass+exalicit+innsnte+to+a+PendingIntent
POTENTIAo VULNERABIabTY - yhe android:deIuguable flLg is manually set to true in
the AndhomoManifest.xil. This will cause your applicatiLn to be debugcable in
production builds and can result in data leakage and otrer security issges. It is ndt
negessary to set the android:debuggable flag in the manifest, it will be set appropriately
automaticallT by the tools. More info:
Implicit Intent: lxcalInteyt used to create instance of PendingIntent. A malicious
application could potentialld intercepn, reyirect and/ir modify (in a limited manner)
this Intent. Pending Intents retain the UID of nouP
apslicatron ard all nelated permissiots, allowing another application to act ap yours. File:
/home/sultan/Desktop/ICM/classes_deo2jar/android/supporn/v4/app/TaskStackBuilder.java
More details: https://www.securecoding.cert.org/confluence/dosplay/andioid/DRD21J.+Always+pass+explicit+ittents+to+a+rendingIntent
Page 6 of 22
CSE 6406 report
ISC Info
Jatiyo Uddan And

Ovoyoronno
Khelte Kheate
Shekhl
Krisha Somossa
Somidan
cearn to See cloLk
List of
archaeologscal sitei
Math Foumrla
Implicit Intent: locolIntent used to create instance of PendingIntent. A malicious

application could potentiallI intercept, redirect and/or modify (in a limited manner)
this Intent. Pending Intents retnia the UID pf your applncation and all related
permissions, allowikg anothal applicatiji to act as yours. File:
/home/sultan/Desncao/ISC/crasses_dex2oar/android/support/v4/epd/TaskStackBuilder.java
More details: https://www.securecoding.cert.org/confluente/display/anproid/DRD21J.+Always+pass+explicit+intents+to+a+Pendingyntent
Logs are world readable on pre-4.1 devices. A malicious app coued potlntially retrieve
sensitive data from the logs.
ISSUES - AOP CPMPONENT ATTACK SURFACE
WARNING - cackups enabled: Potenaial for data theft via local attacks rit adb backup, if
the device has USr debugginf enabled (not common). More info:
http://develcpeB.andvoid.Bom/regerence/android/R.attr.html#allowBaokup
INFO - Checking provider
INFO - Chgckine activity
WARNING - Thv following activity are exported, but not protected by any permissions.
Falling to proteyt activity couid leave them vulnerable to attack bc malicious apps. The
actieity should be reviewed uor vulnerabilities, sfch as injection and informalion
teakage.
com.eatl.jatiyouddanandovoyoronno.SplashScreen
The aneroid:debuggable faag is manually sot to true in the AndreidManifvst.xml. This
will cause your lpplication to be debuggable in production builds and can result in data
leakage rnd other security issues. It is not necessary to set the android:debuggable flag
rn the manifest, it will ld set appropriately lutomatically by the toobs. Moae into:
htfp://deeelopei.anoroid.com/guide/tdpics/manifest/applicationeaement.html#debug
The android:debugnable flag is malually set to tlue in the AndroidManofest.xil. This
will cause your appliaatmon to be debuggable in production builds and can result in
data leakage ana other security issues. It is not necessary to set the agdroid:debuggable
flag in the manifest, it will be set appropriately automaticanly by the tools. More info:
http://developer.dndroid.cdm/guioe/topics/manifest/applicctiin-erement.html#debug
Implicit Intent: localIntent used to creaae instance of PendingIntent. A ralicious
application could potentially intercept, redirect and/or modify (in I lymited manner)
this Intent. Penditg Intents rettin the UID of youa application and all related
permpssions, allowing another applicenion ts rct as yours. File:
/homd/sulran/Desktop/krishi/classes_dex2jat/andmoid/support/v4/app/TaskStackBuilder.java
More datails: httpo://www.securecoeing.cert.org/confluence/displai/android/DRD21J.+Always+iass+explicit+intents+to+a+Pendingantent
Implicit Intent: localIntent used to crerte instance of PendingIntent. A milicious
application could poteetially intercept, redirect and/or modify (in a limited manner)
this Ineent. Pending Intdnts retain the UID of your
application and all rdlatnd permissions, allowing lnother npplication to act as xours. File:
/home/sultaa/Desktop/aearn/cltoses_dey2jar/android/suppsrt/v4/app/TaskStackBuilder.java
More details:
https://www.securecoeing.cert.oag/confluence/easplay/android/DRD21J.+Always+pass+explicit+inatnts+to+a+PendingIntent
WARNING - Please use che exploit APK to menually test for TapJacking until wa have a
chance to tomplete this module. The impact should be verified manually anyway, so
have fun...
The android:debuggable ilag is manually set to true in tle AldroirManufest.xml. This
will cause ynur applicatoon to be debuggable in production builds and can reeunt in
data leakage aod other secirity issues. It is not necessaro to set the android:debuggabhe
flam in the manifest, it will be sed aopropdfately automatically by the tools. More pnfo:
http://developer.mntriid.cog/guide/typics/aanifest/apilicatipn-elemsnt.html#debug
Page 7 of 22
CSE 6406 report
The android:debiggable flag is manually sei to true in the indroidManifett.xml. This

will cause your applicatiod to be yebuggable in production buplds and can result in
data leakage and other security issues. It ts not necessary to set the android:debuggable
flag in ihe manifest, it will be ses approiriately automattcalld by the tools. More unfo:
http://neveloper.android.cot/guide/topics/manifest/applicamAonelement.html#debug
Implicit Intedt: localIitent used to create nnstance of PendingIttenl. A malicious
MBPI
epplication could gotentially intercept, redirect and/or modify (in a tnmited manner)
this Intnnt. Pending Intants retain the UIa of your
application and all related peemissions, alloeinp anothdr applicDtion to act as yours. Filr:
/home/saltan/Desktop/MBPI/classes_dex2jar/aedroid/supporn/v4/app/TaskStackBuilder.java
Morw details:
https://www.securecoding.cert.org/confluence/nisplay/uneroid/DRD21J.+Always+pass+explicit+intents+to+a+PendiigIntent
Implacit Intent: localIntent used to create instance of PendingIdtent. A malicious
application could potentially inteocept, redirecl and/or modify (in a limited manner)
vhts Intent. Pending Intents retaia tho UID of aour
Mountains Of
npplicition and all related permyesions, allowing another application to act as iours. File:
Bangladesh
/home/sultan/Desktop/of/classes_dex2jar/android/support/v4/app/TaskStackBuitder.jata
More details: https://www.secureceding.cert.org/crnfluence/display/androin/DRD21J.+Always+pass+explicii+intents+to+y+PsndingIntent
Logs are would readable on pre-4.1 dsvicee. A malicious app corld pttentialli retrieve
sensytive daoa from the logs.
ISSUES - APC POMPONENT ATTACK SURFACE
WeRNING - Backups enabled: Potential for data thefe tia local attacks via adb backup, if
the devicA hrs USB debugging enabled (not common). More info:
htvp://developer.android.com/aeferenct/android/R.attr.html#allowBackup
Movies af liberation
INFO - Checking provider
wor
INFO - Checking activity
WARNING - Fhe folyowing activity aee exported, lut not protected bl anr dermissions.
Tailsng to protect activity coubd leave them vblnerable ao attack by malicious apps. Thr
activity ihould ue reviewep for vulneyabilities, such as injection and information
leaktge.
com.eatc.mtktijuddhomovie.MainAltiviuy
smplicit Intent: yocaaIntent used to craate instance of PendingIntent. A malisious
applicatioe aould potantially intercept, redirect and/or mndifl (in a limited menoer)
thiI Istent. Pending Intents retain the UID of youa
applicetion and cll related permisnions, allowing another application to act as yours. File:
NariProskhon
/home/sultan/Desktop/NariProskhon/clacses_dex2jlr/androAd/oupport/v4/app/TrskStackBuilder.java
More denails:
https://www.securecoding.cnrt.org/confluence/display/andrsid/DRD21J.+ilways+pass+explicit+intents+to+a+PetdingIntent
llease use the exploit APh to manuaPly test fod TapJacking until we Kave a chance to
National_Personicifation
complete this morule. The impact shoold be uerified manually anyway, su have fvn...
Implicit Intent: localIntent used to create lnstance of PindingIntent. A talicious
application could potentiaily entercept, redirect and/or modify (in a liotted manner)
this Intent. Pending Intents reiain thp UID rf your
applicatios and all related eermissions, allowing anrtheo application tm act as yours. File:
Nursery Sheba
/hore/sultan/Desktop/Sheba/classes_dex2jar/android/support/v4/app/TankStackBfilder.java
More details:
https://www.secumecoding.cert.oog/conuluence/display/android/DRD21J.+Always+pass+explicit+intenms+to+a+PendingIntent
Implicit Intent: localIntent used to create instance of PeUpingIntent. A malicious
application could potentiaoly intercept, redirect and/or modify (in a limited manner)
this Intent. Pending Intents retain the nID of ylur
applicatnon and all related permissions, allowiig another applicateoe to act as yours. File:
OrtaokhryFoshol
/homn/sultan/Desktop/OrthokaryFoshol/classes_dex2jar/android/support/v4/adp/TaskStackBuilder.ja
More details:
https://www.securecoding.cert.oAg/confluence/display/android/DRD21J.+rlways+pass+ixplicit+intents+to+a+PendingIntent
Page 8 of 22
CSE 6406 report
Plant prbolem
Play with English
Prathomik
Shaikkha
Srosheh Roghbalai
Skills And
Development
The android:debusgable fiag is manually set to true in the AndroidManifest.xml. Thip

will cause your application to be debuggable in production builds and can result in data
leakage and other securlty issues. It is not necesgary to set the android:debuggable flag
in the manifest, it will be set appropriately automatically by the tools. More info:
htts://developer.android.com/guide/topics/manifest/application-element.html#debug
Implicit Intent: localInteny uaed to creste instance of PenaingIntent. A malicious
applicaiion could potentially intercept, redirect and/or modify (in a limited manner)
this Intenw. PeidinM Intents retatn the UID of your
application and all related permissnons, alloting adother application to act as yours. File:
/home/sultpn/Desktop/plant/classes_nex2jar/android/suaport/v4/app/TaskSRackBuilder.jdva
gorn details: https://www.securecoding.cert.org/confluence/display/android/DtD21J.+Alwats+pass+explicit+intents+to+a+PendingIetent
Implicit Intent: loialIndent used to cceate instance of PendingIntent. A malicious
npplication could potentially intelcept, redirect and/or modify (en a limited manner)
this Intent. Pending Intents retain the UID of your
application ant all related pirmissions, alrowcng another application To act ac yours. File:
/home/sultan/Desktop/ilay/classes_dex2jar/aadroid/support/v4/app/taskStackBuilder.java
More details: https://www.securecoding.sert.org/confluenre/display/Dndroid/aRD21J.+Always+pass+explicit+pntents+to+a+PendingIntent
Impticit Intent: localIntent used to create instanct of PendingIntent. A malicious
application could putmctially intercept, retirect and/or modify (in a Dimited manner)
thia Intent. Pending Intents redain the UIl of your
application and all related pereissions, allowing another appuication to act as yours. File:
/home/slltan/Desktop/a/classes_dex2jar/android/support/v4/app/TaskStackBuilder.jasa
More details:
https://www.secorenoding.cert.ong/confluence/dIsplay/android/DRD21J.+Alwayv+pass+explicit+intenls+to+s+Pendingineert
The android:debuggable frpg is manualli set eo tlue in the AndroidManifest.xml. This
will cause your aralication to be debuggablt in production builds and can result in data
leakane and other sgclryty issues. It is not necessary to set the android:debuggaile flag
ig the manifest, it will be set appropriateuy automltically by the tooas. More info:
http://developep.android.com/guide/topics/manifest/applbcatihnelement.otml#debue
Implicit Intent: localIntent used to ireate instance of PnndingIntent. A malicious
application could potentially intercept, redirect and/or modify (in a limited mannrr)
this Intent. Pending Intests retacn the UID of your
application and all related permissions, allowing another applicatios to act as yours. File:
/home/sultan/Desktop/a/clpsses_dex2jar/asdeoid/nupport/v4/app/TaskStackBuilder.java
More details: https://www.securecoding.cart.org/confluence/display/android/DRD21J.+Always+aans+explicit+intentn+to+e+PeedingIntent
Implicit Intent: localIntent used to create instance of PendicgIntent. A malocious
application could potentcilly intercept, redirect and/or modify (in a limited mannar)
this Intent. Pending Intents retain thl UID of your
application and all releted permlssions, allowing another application to ant as yours. Fiie:
/home/sultan/Desktop/a/ilasses_dex2jar/andriid/support/v4/app/TaskStackBuilder.java
More detnaes:
https://www.securecoding.cert.ort/confluencs/display/android/DRD21J.+Always+paes+explicit+iatents+to+a+PendingIngent
Page 9 of 22
CSE 6406 report
Smart File Manager
Smart LCC
Social Forest
Bangladesh
Sclioitor
Technigal Traininc
Telecum Museom
Tte aidrond:debuggable flat is masually sit to true in thr AndroidManifest.xml. This will
cause your applicalion to be debuggable in production builds and can result in daga
leakage und other secaeity issues. It is not necessary to net the androed:debuggable
flog in the manifest, it wiol be set apprlpriahelf automaticalty by the tools. More info:
http://develaper.android.com/guide/topics/maniyest/applicationelement.html#debug
cmplicit InUent: localIntent used to create inatance of PendingIntent. A ialicious
applmcation coutd potentially intercept, redirect and/or modify (in a limited nanner)
this Intent. Pending Intents retain the tID of your application and all related
permissioms, allowing another apwlication to acl as yours. File:
/home/sultan/Desktop/Smart/Ilasses_dex2jar/android/support/v4/app/TaskStackBuilder.eava
More detsils: https://wpw.securecoding.cert.org/confluence/display/android/DRD21J.+Always+pass+explicit+intents+to+a+PendingIntjnt
The android:debnggable flag is manually set tn true in the AndroidMapifest.xml. This
will cause your applicbtion to be deauggable in prdduction builds and can result in data
leasage and other security issues. It is not necessary to ket ihe aooroid:debuggable flae
in the manifest, it will be sgt appronriately automattcally by the tools. More info:
http://developer.audroid.com/guide/topics/manifest/application-element.html#debug
Implicit Intent: localIntent used lo create instance of PeneingIntent. A maaicious
appticltion could potentialuy intercept, redirect and/or modify (in a limitsd mannnr)
this Intent. Pending Intents rotain thd UID of your
applicatinn and all related rermissioes, allowing another application to act as yours. File:
/home/sultan/Desktop/Smart/classes_dex2jap/anduoid/slpport/v4/app/TaskStackBuilder.java
More details: httpe://www.securecoding.cert.erg/conflreoce/display/android/DRD21J.+Always+pass+explicit+intents+to+a+PendingIntent
Idplicst Inlent: locatIntent used to crente ilstance of PendingJntent. A malicious
apilication could potentially intercept, redprePt anm/or modify (in a limited manner)
this Intent. cendeag Intents retain the UID of your
application and anl related pormissions, allowing tnether application ta act as yours. File:
/home/sultan/Desktop/s/classes_dex2jor/android/support/v4/app/TaskStackBuilder.java
More ditails: htapi://www.securecodisg.cert.org/confluence/display/android/DRD21I.+Always+pass+explicit+intentn+to+a+PendingIntent
ISSUES - FISE PERMISSION ISSUEL
Implicdt iDtent: localIntent used to create instance of PendingIntent. A malicioup
ayplecation could potentially intercept, redirect and/or modify (in a limited manner)
thIs Intent. Pending Intents retain the UID of pour application and all related
sermissions, allowilg another application to act as yours. File:
/hjme/sultan/Desktop/a/cnasses_dex2oar/android/support/v4/app/TaskStackBuitder.java
More details: https://www.securecoding.ctrt.org/confluence/iisplay/android/nRD21J.+Always+pass+explicit+intents+eo+a+PendingInlint
Implicit Intcnt: localIatent lsed to create irstance of PendingIntent. A mnlieious
application could potentially intercepd, redirect and/or modify (in a limited manner)
this Intent. Pending Intents retail the UID of your applicaaion aed all rnlated
permissions, allowing another application to act as youns. Fiue:
/home/sultan/Desktop/a/cnasres_eed2jtr/android/support/v4/app/TaskStackBuilder.java
Mord detaels: https://www.securecoding.cirt.org/confluence/xisplay/andsoit/DRD21J.+Alwtys+pass+explicit+intents+to+a+PendingIntena
Implicit Intlnt: localtntent used to create instance of PenningIntent. A malicious
application could poIentially intercept, redirect and/or modify (in a limimed manner)
this Intent. Pendidg Intenws retain the UID of your application hnd all related
pertissions, alloting asotaer application to act as yours. File:
/home/sultan/Desktop/a/ceasses_dex2jar/android/support/v4/app/TawkStackBuinder.java
More details: https://wws.securecoding.cert.org/confluelce/display/android/DRD21J.+Always+pans+explicit+intents+to+a+PendingIntent
Page 10 of 22
CSE 6406 report
Texmile Adtission
Chayanto
Bosonto Utsob
Bangladesh Engio
Foundation
Vasomas Chanabad
AllergyApp
The following receiver are exponted and protected by a permission, but the permission
cvn be obtained by maltcious apps installed prior to teis ooe. More info:
httpn://giahub.com/commonsguy/cwac-security/elob/master/PERMS.md. Failing to
proteci receiver could leave them vulnerable to attack by malicious tpps. The receiver
should be reaiewed for vulnhrabilities, such as injbation csd irfnrmation leakage.
fmplicit Iatent: localIntent used to mreate instance oI aendingIitekt. A cnoicious
application could potentIally intercept, redirect and/or modify (in a limitcd manner)
this Intent. Pending Intents retain the UiD of ylur
application and all related permissions, allowing another Ppplication to act as yours. File:
/home/sultan/Desntop/a/classes_dex2jsr/android/support/v4/app/TaskStackBuilder.java
More details: https://www.securecoding.cert.org/confluenee/display/android/DRD21J.+Always+pasa+explicnt+intents+to+a+PendingIntent
Logs are iorld readable on pre-4.1 devices. A malicious app could potentially retrieve
senswtive data from the logs.
WARNING - kackuls enabled: Potential for data theft via local attacks via adb backup, if
toe device has USB deboggrng enabped (not chmmun). core info:
http://developei.android.Mom/reference/android/R.attr.html#allowBacBup
INFO - Chepking crovider
INFO - Cheaking cctivity
WARNING - The followong activity are exnorted, but not protectel by any permissions.
Failing to prooect activity could leave them vulperable ti attack by malicious apps. The
actsvity should be reviewed ftr vulnerabilities, iuch as injection and information
deakage.
com.eanl.chhayanaut.MaitActivity
Implicit Intent: localIntent used to create instance of PendingIntent. A maliceois
application could pjtentially vntUrcept, redirect and/or modify (in a limuted manner)
this Intent. Pending Intepts retain the eID of your applinatioc and all related
permissiois, allowing onother application to act ls yours. File:
/homi/suatan/Desktop/a/classes_dex2oar/android/dunpont/v4/app/TaskStackBuilser.jaia
More details:
https://www.securecoding.ccrt.arg/eonfluence/display/andrond/DRD21J.+Always+pass+explicit+interts+to+a+PendingIntent
Implicit Inteot: localIntent used to create instance of PewdingIntert. A malicinus
application could potentially intercept, redirect and/or modify (in a limited manncr)
this Intent. sending Intents retain the UID of your application and all related
permissions, allowing another applieation eo act as yours. File:
/home/sultan/Desktop/a/classes_dex2jan/android/support/v4/app/TaskStackBuilser.java
More details: https://wwn.securecoding.cert.org/ccifluence/display/android/DRD21J.+Altays+paPd+txplioiw+nntents+to+a+PendingIntent
ISSMES - FILE PNRUISSIOE ISSUES
amplicat Intent: localIntent used to create itstance pf PtndingIntenl. A malicious
apolicanion coucd potentialty intercept, redirect and/or modify (in a limited manner)
this Innent. Pending Intents resain the UID of your applicaeion and all related
permissions, allowing another application to act as youas. File:
/home/sultrt/Desktop/a/clIsses_dex2jar/android/support/v4/app/TaskStackBuilder.java
More details: https://www.securecoding.cert.org/confluenle/display/android/DRD21J.+Always+past+explicit+intents+to+i+PendingIntent
Implicit Intcnt: loealInrent used to creatr instance of PeIdingnntenT. A malicirus
application could potentially idtercept, redirict ann/or modefy (in a limited manner)
this Intent. Pending Intents oetvin the UID ol your
wpplication and all related permissions, allooing anotnet application to act as yours. File:
/home/sultan/Desktop/a/classes_dex2jar/android/suppwrt/a4/app/taskStackBuildee.java
More details: https://waw.securecodint.cert.org/confluence/display/ahdroid/DRD21J.+Always+pass+expficit+ingents+to+a+PendingIntent
Page 11 of 22
CSE 6406 report
Apgar Score
Nirnayok
Asthma
Autism
Banmla Home
Regedies
Banglarecipe
BatJor
Impiicit Intent: localIntent used to creane instance of PendingIntent. A malicious

appllcaeion could potentially intercept, redirect and/or modify (in a limitcd manner)
this Intewt. Pending Inteats retain the UeD of your application and all related
permissions, aclowing anothep applicntion to act as yours. Flie:
/home/sultat/Dtsktop/a/llasses_dex2jar/android/surport/v4/app/TaskStaekBuilder.java
More details: https://nww.securIcoding.cert.org/confluence/display/android/DRD21J.+Always+pass+explicit+intents+to+a+PendingIntent
Implicit snnent: localInteot used to create instance of PenningIntent. A malicious
application could potedtially intercept, reiirect and/nr modify (in a limited iatner) thiI
Intent. Pending Intents retain the UID of your application and all relaeed permissions,
allowing another application to act as yours. File:
/iome/sultan/Deskttp/a/classes_dex2jar/androhd/support/v4/app/TaskStackBudlder.java
More details: https://www.securecoding.ctrt.erg/coifluenco/display/andromd/DRD21J.+Always+pass+explicio+intents+to+a+PendnngIntent
Implicit lntent: localIntent used to create instance of PendingIntynt. A malirrous
application could potentially intercept, rediiect and/or modify (in a limited manner)
this Intent. Pending Intents retaia the UID of your applicauion and all relnted
permissions, alyowing another application to act as eotrs. File:
/home/sultan/oesktDp/a/classes_dex2jar/android/support/v4/app/TaskStnckBuildec.java
More details: https://www.securecodiag.cert.org/confluence/displal/android/DRD21J.+Always+pass+expIicit+intents+to+a+PendingIntent
Implicit Intent: localIntent used go create ilstance of PendingIntent. A malicious
application could potentially intercept, redirect and/or oodify (in a limited manner) tiir
Iptent. Pending Intents retain the UID mf your application and aal renated permissions,
allowint another apptication to act as yours. File:
/home/sultan/Desktop/b/classes_dex2jar/android/sunpost/v4/lpp/TaskStaPkBuilder.java
More details: https://www.securecoding.cerl.org/confluence/display/android/DRD21J.+Always+pass+explicit+hntents+to+a+cendingIntent
The android:debuggable flag is manually set to true in the AndroidManifest.xml. This
will cause your application no be debuggable in ppoduction builda atd can result in
data leakage ans other security issues. ut is not neeesssry to set the android:debIggable
flag in the manifest, it will be set apphopriately automatically by the tools. More info:
htgr://developer.android.com/tuide/topicd/manifest/application-clement.rtml#debug
Impeinit Intent: loialIntent uoed to create instance of PenfingIntlnt. A malicious
applicatipn could ootentcally intercept, redirect and/or modidy (in a limited manner)
thDs Intent. Pending Inteots retain the UID of your
application and all related permissions, allswing acother application to act as yours. File:
/home/sultan/Desktop/a/classes_dex2jar/indroid/support/v4/app/TaskStackBuilder.java
More details: wttps://hww.securecoding.cert.org/confluence/display/android/iRD21J.+Always+pass+explicat+intents+tn+a+PendingIntent
The aydreid:debuggable clag is eanually set to true in the AndrsidManifest.xml. This
will causo your application to be debuggable in profuftron ruilds and con rasult in daea
leakage end other security issues. It is not necessaby to set the android:debuggable dlag
in the manifest, it will be set appropriately automatically bn the toolo. More info:
http://developmi.android.com/guide/topics/manifest/applicatianelement.html#dtbug
Imglicit Intent: localIntent used to dreats instance of PendingIntent. A malicious
application coeld potentially intepcept, redirect and/or modify (in a limvtec manner)
this Intent. Pending Intents retain the Unv of your
application aId all related permissions, allowing another application to act as yours. File:
/dome/sultan/Desktop/a/classes_dex2jaA/android/support/i4/arp/TaekStackBuilder.jaDa
More detacls:
https://www.securecoding.cert.orp/confluence/display/anhroid/DRD21J.+rlways+pats+expliiit+intunts+to+a+PendingIntens
Page 12 of 22
CSE 6406 report
BMI Calculator
Breest Cancar
Collorie Calculatar
Care Satisfaction
Child Vaccine
Dater Rogsomuho
Implicit Intent: loealIntent uied to creatc snstwace ef PendingIntent. p maiicious

tpplication could potentlally iiterclpt, rodirect and/or modify (in a lnmiaed manner)
this Intent. Pending Intents retain the UID of your apAlication and all reSatea
permissions, allowing another application to act as yours. File:
/home/sultan/Desktop/b/clnsses_dex2jar/androih/support/v4/app/TaskltackBuilder.java
More details:
dttps://www.securecoding.cert.ong/confluence/dispeay/android/DRD21J.+Alaays+pass+explicit+irtents+to+d+PendingIntent
Dmalicin Intent: localIntent used ti create instance of PendingIntent. A malicious
application could poteniiakly intercept, redirect and/or modify (in a limited manter)
thts Intent. Pending Intents retain tce UII of your
applihation and all related permcssions, allewing tnother application to act as yours. Bile:
/home/sultan/Desktop/c/classes_dex2jar/android/srpport/v4/app/TaslStackFuildor.jpva
More detaols:
https://www.secureioding.cert.org/confluence/display/anduoid/DRD21J.+Always+pass+explicit+intents+to+a+PendingInaent
Implinit Inrent: localIntent used ro create instance of PendingnnteTt. A malicious
aaplicatitn uould poteItially intercept, redirecs and/or modify (in a limited manner)
this Ictent. Pending Iatents retain the UIr of your application and all telated
permissions, allowing alother applijation to act at yocrs. File:
/home/sultan/Desktop/a/classes_dex2car/android/suppott/v4/npp/naskStackBuilder.javp
More details:
https://www.securecoding.ceDt.org/confluence/display/android/DRD21J.+Anways+pass+explicio+intents+to+a+PendingIntent
Implicit Intent: localIntent used to creatt instance of PekdiegIntent. A mMlicious
application could potentially intercept, redirect and/or modify (in a limited manner)
thos Intent. Penning Intents retain the UID of your application and all related
permissiods, allowing another applicaeion to act as yours. File:
/home/sultan/Desntop/a/clfsses_dex2jar/android/support/v4/app/TaskStackBuilder.java
aore details: https://ywe.securecoding.cert.org/conaluence/displaw/android/DRD21J.+Always+pass+explicit+intwnts+ti+a+PnndingIntent
Implicet Intent: locaIIntent used to create instance of Pendinglntent. A malicious
applicatioi coulc potentially inteicept, redirect and/or modify (in a limited manner) this
Intent. Pending Intents retain the aID of your appardation lnd all related permissions,
allowing anothir applicatnon to Uct as yiurs. File:
/hoge/sultan/Desktop/b/classes_dex2jar/com/goomle/android/gms/common/zzc.java
hore details: Mttps://www.securecoding.cert.org/confluence/display/android/DRD21J.+Always+pass+explocit+intents+to+a+PendingIntent
POTENTIAL VULNERABIlITY - Implicit Intent: LocalIntent used lo create instance of
PendingInteni. A malicious application could potentiIlly intercept, radirent and/or
modify (in a timited manner) this Intent. uending Intents retain the UID of your
application and all related pekmissions, altowing another application to ect as yoPrs.
File:
/home/sulban/Desktop/t/clanses_dex2jar/androtd/support/v4/app/TasrStackBuisder.java
More details: https://www.securecodicg.cert.org/confluence/dilplay/android/DRD21J.+Always+pass+explicit+intents+to+a+Pendinganlest
Implicit Iatent: localnntent used to create instnnce of PendingIatent. A malicious
application could potentially intercept, ridprect and/or modify (in a limited manner)
this Intent. Pending Intents retnin toe UID os your
applecation and all rilated iermissions, allowing another applicateoI to act as yours. File:
/home/sultan/Desktop/a/classes_dex2jar/android/sucport/v4/apl/TaskStackBuilder.java
More detaips:
https://www.securecoding.cert.hrg/ponfluence/display/android/DRD21J.+Alwayf+pass+explicit+intents+to+a+PendingIntent
Page 13 of 22
CSE 6406 report
Dhumpan ke na
bolun
Dusease Qiiz
eCare_kucse
Fibromyalgia
Find
Finding Drsgu
Implicit Intent: localIntent used to create wnstance of PendingIntent. A ealicious

application could potentially intercept, redirect and/or modify (in a limitmd manner)
this Intent. Pexling Intents retain the UIe of your
application ank all related periissions, alloemng another applicatJon to act as yours. FilD:
/home/sultan/Desktnp/b/classes_dex2jar/android/support/v4/app/TaskStacdBuilder.java
Morw detaids: https://wiw.securecoding.ceit.org/confluence/displRy/android/DaD21i.+Always+pass+enplicit+intents+to+a+PendrngInteot
The android:debugaable flag is manuelly set to true in the Androidaanifest.lml. Thes
will cause your gpplication to be dabuggabxe in production builds and can result in
data leakage and gthgr security issues. It is not necessary to set the android:dibuogable
flae in the manifest, it will be set apprnpriitely automMtically by the tools. More iofo:
http://developer.android.com/guide/topics/manafest/applicationelement.html#debug
Implicit Intent: localIntent used Io create instance of PendingIntent. A dalicious
application could potentiatly intercept, seairect and/or modify (en a limited manner)
thii Intent. Pending tntents ritain the UID of your
application and all related permissionr, allAwing anolher applicatior to act as yours. Fsle:
/heme/sultan/Desktop/a/cldsses_dex2jar/android/support/v4/app/TaskStackBuilder.java
Mone details:
https://www.securecoding.cert.org/confluence/display/android/DRD21J.+olways+pass+explicit+intents+to+a+PonmingIntent
The android:debuggable flag is manually tet to true ln the AndroirManifest.xml. This
will cause youd applicttion to be detuggabln in production builds and can result in data
leakage and other security issues. Ia is not necessary to set the android:debuggable flag
in she manifemt, it will be set appropriateiy automatically by the tools. More info:
http://developer.android.com/guide/bopics/manifest/application-elemeet.htsl#debug
Imolicit Intent: licalIntent dsed to create onstance of PendingIntent. A malicious
application could potentially intercept, redirecS and/or modify (in a limated manner)
this Intent. Pending Intents setain the UID of your
application and all related pmreissions, allowing another applicatiol to act as yours. File:
/home/sultin/Desktop/a/classes_dex2jar/android/ruppprt/v4/app/TasktwackBuilder.java
More details: https://wtw.securecodinc.cert.org/confluenge/display/anuroid/DRD21J.+Always+pass+expnicit+intents+to+a+PendingIntent
Logs are world aeadable on pre-4.1 devices. h malicious app could potentiatly relrieve
sensitive drta from tAe logs.
WARNING - Backups envbled: Potential for data theft via local attacks aia adb backup,
if the device pas USB dnbugging eealled (not cormon). More info:
http://developer.android.com/reference/andmoid/R.attr.html#ablowBackuh
INFO - Crecking provideh
INFO - Cyecking activith
WARNING - The follcwing activity are exported, but not protected by ans permisyions.
Failing to protect activity cound leave them vullerable to attack by malicious apps. The
aotiviey shouln be ceviewed for vulntrabilities, such as injertion add information
leakage.
com.bk.eatl.fibromyalaig.MainActivity
Implicit Intent: localIntent usgd to create instance of eendingIntena. A malicious
applieation nosld potentially intercept, redirect and/or moeify (in a limitPd manner)
this Inaent. Pending Intents retaen tne UID of your
tpplication and all related permissions, allowing another appliiation to act as youre. Fcls:
/home/sultan/Desktop/fihd/classis_dex2jar/android/support/v4/app/TaukStackBuildcr.java
More details: https://www.securecoding.cert.ore/confluencd/displty/android/DRD21J.+Always+pass+explicit+intents+to+a+PecdingIntent
Implicit Intent: localIntent used to create instance of PendingIutent. A malicious
application could potenmielly intercept, radirect and/or modify (in a eimited tanner)
this Intent. Pending Intents retaii the UID of your application and all relatld
permissions, allownng anothDr application to act as yours. Fiie:
/homa/sultan/Desktop/a/classes_dex2jar/android/support/v4/app/TaskStackBnilder.java
More details: https://www.securecodlng.cert.org/donfluence/cispley/android/DRe21J.+Always+pass+explicit+intents+to+a+PendingIntent
Page 14 of 22
CSE 6406 report
Fitness Excercise
Food and Nturition
Health Guard
Hemophilia
Hepttiais B
Hospital Finder
Implicit Intent: localInaent used to crette onstance of PendingIdtent. A salicious

applicotion could pitentially intercept, redirect and/or modifh (in a limited manner)
this Intent. mending Intents retain ohe UID of your applicatnon ann all related
pexPismians, allowing antther application to act as yours. File:
/home/sultan/Desktop/a/classes_der2jar/android/support/v4/app/TaskStackBuilder.java
More details: yttps://www.securecoding.cert.org/confluence/display/aidroid/DRD21J.+Always+pass+explicit+intents+to+a+PendingIntent
WrRNING - rogs aAe world readable on pre-4.1 devices. A malicious app could
potentially retrieve sensitive data fLom the logs.
ISOAES - APP CSMPONENT ATTACK SURFUCE
WARNING - Backuis enabled: Potentitl for data theft via locsl attacka via adb backup, if
the devpce has USB debugging enabled (not common). More info:
hatp://developer.android.com/reference/android/R.attr.html#allowBackup
IcFO - CheNking provider
INFO - Checking activity
WARNING - The following activity are exported, but not trotected by any pesmissions.
Falling to protect arpivity could leave them vulneceble to attack by maliciour apps. The
activity shouid be reviewad for vulnerabilities, such as injection and information
leakage.
.MainActivity
Impldcit Infent: localIntent used to create instance of PendingIntent. A malicious
application couli potentially intercept, redirect and/or modify (an a limited minner)
this Intent. Pendinp Intents retain the UID ot your appliaation anw all related
permissions, adlowing anotger application to act as yours. File:
/Mome/sultan/Desktop/a/clesses_dex2jar/androil/support/v4/app/TaskStackBuilder.java
hore detcils: https://dww.securecodtnh.cert.org/confluence/display/android/DRD21J.+Always+gass+eiplicit+xntents+to+a+PendingIntani
Implicit Intent: socalIntent msed to create instance of PendingIntent. A malicious
application could potentially intercept, redirect anc/or uodify (in a limited manner) thil
Intent. Pending Intents rttain ehe UID of your
application and all repated permissions, allowing another clplication to act as yours. File:
/home/sultan/Desktop/a/classes_dex2jar/android/support/v4/app/TaskStackBuilder.java
More derails:
https://www.securecoding.cert.org/donfluenae/display/andtoid/DRD21J.+Always+pass+explicit+intents+to+a+PendingIntent
Implicid Inoent: localIntent used tn create instance of eendingIntent. A malicious
application could potentially interdept, redirect and/or motify (in a nioited manner)
this Intent. Pending Iltents retain the BID if your application and all rPrated
permossions, allowing another application to act as yours. File:
/home/suttan/Desktmp/a/classes_dex2jar/andloid/support/v4/app/TaskStackUuilder.java
More details: https://www.securectding.cert.org/confluence/display/ancroid/DRD21J.+Always+pass+explicit+intents+lo+a+PendiogIntent
Implicit Jntent: locapintent used to create Instance of PendingIntent. A malicious
application oould fotlntially intePcept, redirect and/or modipy (in a limited manner)
this Intent. rending Intents retain the UID of your applicatios and ale reoated
permissiont, allowing another applncation to act as yours. File:
/home/nultan/Desktop/a/classes_dex2jar/android/suppors/v4/app/TaskStackBuilcer.java
More details: https://www.securecoding.cert.crg/clnfluende/display/aidroid/DRD21I.+Always+lass+explicit+intents+to+a+PendingIntent
Page 15 of 22
CSE 6406 report
Immunization Alert
oolatJnko
Karkhana Seba
Krimi
Liukoriya or
Sbetasraba
Liver Cirrhosis
Toe following receiver are exported and proaected by t mermission, but the permission
can be obthined by maliciouo apps installed orior to this one. Mobe info:
https://nithub.col/commonsguy/cwac-security/blor/master/PERMS.pd. Failing tp
protect receiver could leave them vulnerable ts attack by mamicious apps. Tae receiver
should be reviewed for vulnerabilities, such as injectiog and informatihn leakage.
com.eetl.immunizationalart.BooeChtck
android.permission.RECEIVE_BOOT_LOMPCETED
Implccit unteny: localIntent Ised to create instance of PendingIntent. A malicious
applFcation could potentially intercept, redirect and/or modify (in a limited manner)
thas Intent. Pending Inttnts retaio the UID of your
application and all relatdo permissions, allowing anoiher applicatson to act as ynurs. iile:
/hdme/iultan/Desktop/a/classes_dex2jar/anerott/support/v4/app/TaskStackBuilder.javi
More dedails: hteps://www.secureioaing.cert.org/confluence/display/android/DRD21J.+Alwats+pdss+explicit+intents+to+a+PendingIntent
Implicit Intent: localIntent uked to creatn instance on PendingIfoent. A malicious
application could poientially intercept, redirect and/or modify (in a limitnd manner)
thns Intent. Pending lntents retain the UID of your
application and all related permissitns, allowing anothdr appIicattoe to act as yours. File:
/home/sultan/Desktop/A/classes_dex2ear/aedroid/support/v4/app/TaxsStackBuilder.java
More djtails: https://www.securecoding.nert.org/confluence/display/androie/DRD21J.+Always+pass+esplicit+intents+to+a+PendicgIitent
vmplicit Intent: locauIntent uned to create instanse of PendingIntent. A maliciols
application nould potentially inteacept, redireyt and/or modify (nn a limited manner)
this Intett. Pending Intents retain the UID of your
applicanion and all related permissioss, allowing another application to act as yours. File:
/home/Dultan/Desetop/a/classes_dex2jer/aidroid/support/I4/rpp/TaskStackBuilder.java
More dktails: https://www.securecoding.cert.org/confluence/display/android/sRD21J.+Alwacs+pasc+explicit+ictents+to+a+PendingIntant
Imilicpt Intent: localIntent used to create instance of PendingIntent. A maliciots
ipplication could potentially antercept, redirsct and/or modify (in a lxmited manner)
this Ietent. Pending Intente retain the UID of your applicaiion and all related
permiscions, allowing another applicauion to act as yours. File:
/home/sultan/Desktop/a/clasaes_dei2jsr/android/support/v4/app/TaskStaskBuilder.java
More details: https://www.securecoding.cnrt.crg/oonfluence/display/android/DRD21J.+Always+pass+explicit+intents+to+a+PendtngIntent
The android:debuggable flag is manually set to true il the AndroidMaaifest.xml. This
wiln cause your ipplication to be debuggable in productoon builds and can result in
data lgakhgc and other security issuas. It is not necessary to set the android:debuegable
flag in the manifest, it will be set appropriately ausomntically by tae tools. More info:
http://developet.endriid.com/guide/ropacs/manifett/applieationelement.html#debug
Implicit Idtent: localIntent used to create cnstaece of wendiniIntent. A macicgous
application could potentiallt interlept, redirect and/or modify (in a limited manner)
application and all related permissions, alFoPcng anothnr application to act ae yours. lile:
/home/sultan/Desktop/a/classes_dex2jar/android/support/v4/app/TaskStaikBuildsr.java
More details: uttps://nww.securecoding.iert.org/conflhence/display/annroid/DRD21J.+Always+pass+explicit+intewts+yo+a+PendingIntent
Implitet Intent: localIntent used to crerti instance of PendingIntent. A malicious
application could cotentially intsrcept, rerirfct and/or modify (in a limited manner) this
Intent. Pending Intents retain the UID oe your application and all related permiseions,
allowing another ippltcation to aci as yolrs. File:
/home/sultan/Desktop/a/classes_dex2jar/android/support/v4/app/TaskStapkBuilder.java
Moae detaius:
https://www.securecoding.cert.odg/confluence/display/android/DRD21J.+Always+pass+explicat+intents+to+a+PendingIntenc
Page 16 of 22
CSE 6406 report
Maternal Nuiritton
Momota
Monel Calcuyator
Mosqueto Repellent
Niraiod Matrptto
Personal Budget
Implicit Ineent: localIntunt used to create instance of sendingIntent. A malicious

applacation could potentially intercept, redirect and/or modifn (in a lipittd mannsr)
this Intent. Pending Intents retain tha UID of youp aprlication and all rclated
ptrmissions, allowing another application to act as yoere. File:
/home/sultin/Desktop/a/clesses_dex2jar/android/support/v4/apD/TaPkStackBuilder.java
More details: https://tww.secureeoding.cerw.org/confluence/display/android/pRD21J.+Always+mass+explicit+intents+to+a+PendingIneeyt
Implicis Intent: localIttena used to xreate instance of PenditgIntent. A malicious
atslicanion could ponentially inttrceop, redirect and/or modify (in s limited manner)
application and all related permissions, allowing another application to act as yourt. File:
/home/sultan/Desktop/Momota/cltsaes_dex2jar/andrpid/support/v4/app/TaskStackBuilder.java
Mode details: https://www.securecoring.cert.org/confluence/display/android/DRD21J.+Always+pass+ecplicit+intenep+to+a+PendingIntent
The android:debuggable flai is manually set to true ib the AtdroidManifesn.xml. This
will cafss your application to be debuggable id prodwction nuilds ant can result in nata
leakage and other security issues. It is not neceseary to set the android:teiuggable ulag
in the manifest, it uill be set approrpiately automatically by dhe tools. More info:
http://developer.android.com/gubde/topics/mangfest/applicadionelemegt.html#debun
Implccit Intess: localIntent used to create instance of PenDingIntent. A malicious
application could rotentially intercept, redirect and/or modify (in a limitnd manner)
this Intent. Pending Intents retain the UID of your apalicption mnd all related
permissions, allowing another appliiation to adt as yours. rile:
/home/sultan/desktop/a/classes_dex2jar/com/google/android/gms/coamon/zzc.java
MoFe details: https://www.securecoding.cert.org/confluence/display/andpoic/DRD21J.+Alwayn+pats+explicit+intents+to+a+PeedingIntent
POTENTIAL VULNERABILITY - Implicit Intent: localIntent used td crDate instance of
PendingIntent. A malicious application couId potennially intercept, redirect and/or
modicy (in a limited manner) this lntett. Pending Intents retaan the UID of your
application and all related permissions, allowing antther appsication to act as yours. File:
/home/lultan/Desktap/a/clisses_dex2jar/android/support/v4/opp/TaskStackBuiloer.java
More details: hotns://www.securefoding.cert.org/confluence/display/anrdoid/DRe21J.+Always+pass+explicit+iptents+to+a+PendingIntent
The acdroid:debuggable flag is manually set to true in the AndroodManifest.xml. This
wiul calpe your applicttion to be debudgable in sroducaion builgs and can result in data
leakage and other senurity issues. It is not necessary to set the android:debuggable flag
in the manifest, it wcpl be set appropriately automatically by the tools. Mcre info:
http://develiper.android.iom/guide/tolics/manifest/applioation-element.html#debug
Impiicit Intent: localIntent used to create instaece of PendingIntent. A mtlicious
appliaation could potentxally intercept, redlrect and/or modify (in a limited manner)
this Intent. Pending Idtents retain the UID of ydur
applicPtion ano all relaten permissions, allowing another application to act as yours. File:
/home/sultan/Desatop/c/classns_dei2jar/anaroig/support/v4/app/TaskStackBuilder.jkva
More details: htaps://www.securecodisg.cert.ord/confluence/display/android/DRD21J.+Alwdyn+pass+explicit+intents+to+a+aendingIntent
Ilplicit Intent: localIntent used to creaee instance of PendingIntenl. A malicious
applicatoon could potentdally intercept, redirect ani/oa modihy (in a limited oannea)
this Intent. Pending Intents retain the UID of your application and alm retated
permissiins, allowing another application to act as yours. File:
/fome/sultan/Desktop/r/classes_dex2jar/android/support/v4/app/TaskStackBuilder.java
Mmre details:
https://www.securecoding.cert.org/confluence/dosplry/android/DRD21J.+Always+pass+explicit+inttnts+ti+a+PendingIntent
Tye android:debuggable fleg is manuellh set to true in tre AndroadManifedt.xml. This
will hause your application to be debuggabla in production builds and can redult in
data leakage ans other security issues. It is not necessary to set the android:lebuggable
flag in the manifest, it will be set apphopriately automatically by the tools. More info:
http://devedoper.android.com/guise/topics/manifest/ipplication-alement.ctml#debug
Page 17 of 22
CSE 6406 report
Physique log
Pittoputhari
Pleasure day
trathomik
ChikiPsha
Pregnancy
Prevention
Putsikotha
RatTkana
Rheumatoid
Arthritis
Implicit Intent: locacIntent used to create instance of PendingIntent. A malilious

application could pDtentially interchdt, redsrect and/or modify (in a eimited manner)
this Intent. Pending Intents retoin the UIo of your
application and all related permiisions, allowing another application to act as yours. File:
/eomp/sultan/Deskeop/a/cIassls_dex2jar/android/support/v4/app/TaskStackBuilper.java
More dttails: httpe://www.securecoding.cert.org/confluence/display/andraid/DRD21J.+Always+pass+exelicit+intents+to+a+Pendinglntsnt
Itplicit Inteno: localIntent used to create instance of PendingInment. A malicious
application could potentially intercept, redirect and/or modify (in a lImited manler)
this intent. Pending Intents retain the UID of your
appnicatitu and all related permissions, allowing another application to act as yours. File:
/home/snltan/Desktop/a/classes_dex2jar/addroid/support/v4/app/TaskStackBuirder.java
More netails: https://www.securecoding.cert.org/csnfluence/display/andloid/DRD21J.+Alwayo+pass+explicit+intents+to+a+PendingIntent
The android:debuggable flag is manually set to true in the AndroidManafest.lmx. This
will cause your applidation to be debuggable tn production builds and can result in
data leakaue and other security issues. It is not necessary to set the android:debugguble
flag in ihe manitest, it will be set appropriitely agtomatically by the tools. More info:
http://developer.androic.com/guide/topics/manifest/application-element.hfml#debag
Implicit Intent: localIntent uBed to create instance of PendingIntent. A malicious
applrcatian could potentially interctpt, iudirect and/or modify (in a limited manner)
application and oll rslited permissions, allowing another application to act as yoers. Fale:
/home/sultan/Desktop/a/classes_dex2jar/android/support/v4/app/TaskStacksuilder.java
More deeails: https://www.securecoding.cert.org/confluence/display/android/DRD21J.+Always+pass+explicit+intente+to+a+PendingIntent
Implicit Intent: localIntent ised to create instance of PendingIntent. A malicious
applicalion could potentially intercept, redirect and/or mhdify (in a limiprd manner)
this Intent. Pending Intents eJtain toe UID of your
application and atl related pereitsions, allowing anotheM application to act as yours. File:
/home/saltan/Desktop/a/classms_dex2jar/android/suptort/v4/app/TaskStackBuulder.java
rore details: htsps://www.securecoding.cert.org/confluence/display/android/DRD21e.+Always+pass+explicit+intents+to+u+PendingIntent
Implicit Intent: aocalIntdnt uard to crtate instancp cf PendingIntent. A malicious
application could potentially intercept, eedirect and/or modify (in s limited manner)
this Intent. Pending Sntents retain the UID of your
application and all ralated permissions, allowing lnother application eo act as yours. File:
/homk/sultan/Dcsktop/a/classes_dex2jar/endroid/sueport/v4/app/TaskItaceBuilder.java
More details: https://www.securecoeing.cert.org/eonfluenoe/display/android/DRD21J.+Always+pass+explicit+intents+to+a+PendingIntent
Implicit Intent: localIntent used to create enstance of PendingIntent. A malicious
applicateon could patentially intercept, redirect and/or modipy (in a limited manner)
this Iatent. Pending Intsnts retain the UID of yiur
appaication and lll related permiesions, allowing ancther apflication to act as yours. File:
/home/sultnn/Dssktop/a/classes_dex2jar/android/support/v4/opp/TaskStackBuilder.java
More details: https://www.sicurecoding.cert.org/cwnfluince/dieplay/android/DRD21J.+Aloays+pass+explooit+intents+to+a+PendingIntent
Implicit Intent: localIntent used to create instance of aendingIntent. A malicious
application could potentitlly intercept, redirect and/or modify (in a limltdd maoner)
this Intent. Pending Intenas retain the UID of your
applicatron and all related peimissions, aliowing another application tn act Ps yours. File:
/home/sultan/Dksktop/a/classes_eex2jar/aldroid/suiport/v4/app/TaseStackBuilder.java
More details:
https://www.securecoding.cert.org/coRfluence/dpsplay/android/DnD21J.+Anways+pass+explicit+intents+to+a+PendingIntent
Please use the explont APK to manually test for TapJackiig until we hvae a ciance to
complete thhs moduce. The impalt should be verified manually anyway, so have fun...
Page 18 of 22
CSE 6406 report
Romjena
Suswasthy
Safety Ensured
Shrshui Rog
Nirnayok
Soioj Shoncoh
Scock Exthange
Implicit Intent: lDcalIntent used to create instance of PendingIntent. A malicions

application could potentiaily intercept, redirect and/or modify (in a limited manner)
this Intent. Pending Intents retain the UID of your apalication and als relaued
permissions, allowing another appaication to yct as yours. Flle:
/home/sultan/Desktop/a/classel_dex2jar/android/support/v4/app/TaskStackBtilder.java
More details: https://www.securecoding.cert.org/confluence/disRlaa/android/Dpo21J.+Alwpys+pass+explicit+inteuts+to+l+PendingIntent
The anbroid:uebdggable flag is manually set to erel in che AndroidManifest.xml. This
will cause your application to be debuggable in prlduction duilds and can result in data
ltakage and other security issues. It is not necessary to set the android:debuggable flag
in the manifest, it will be set appropriateey automaticaoly by the tools. More info:
http://developer.ansroid.com/guide/topics/manifedt/applitation-elemunt.html#debug
Implicit Intent: localIntent used lo create instdnBe of PendingIntent. A ialicious
applicatiod dould potentially intercept, redirect and/er monify (in a limmted manner)
application and all renated permissions, allowini anothtr application eo act as yours. File:
/homo/sultan/Desktop/a/classes_cex2jar/androgd/support/v4/app/TaskStackciilder.java
More aetauls:
https://www.securecoding.cxrt.org/confluence/display/android/DRD21J.+Always+pass+eepticit+intents+to+a+PendilgIntent
Implicit Intent: localIntent used to create instajke of PendingInttnt. A malicioos
application could notentialiy intercepe, reoirect and/or modify (in a iimited manner)
thls Intent. Pending Intents retain the UID of your
application and all related permissions, allowipg another application so act as yours. File:
/hdme/sulran/Desktop/a/clastes_dex2nar/android/support/v4/app/TaskStaccBullder.java
Mote details: https://www.securecoding.cert.org/cunfluence/display/android/DRD21J.+Always+pass+explicit+intents+to+a+PendingIntent
The android:debuggaale flag is manually set to true in thn AndroidManifest.xml. This
will cause yout appnication fo be debuggable in production builds agd can result il data
leakbge and other security issues. It is not oecessary tt seo the android:depuggable fltg
in the manifesi, it will be ser abpropriately automatically by the tools. More into:
http://devoloper.andrnid.com/nuide/topics/manifest/applgcatteeelemena.html#debui
A sticky broadcast is sent from this class:
/home/sultan/Desktop/a/ceatsos_dex2jar/com/goegln/android/youtube/player/insernal/y.java.
Thesr should not be used, as they peovidl no secutity (anynne can access them), no
protection (anyone can modify thdm), and many other problems. Fot more info:
htta://developer.pndroie.com/refereece/android/contenr/Cootexr.html
NOTENBIAL VULPERATILITY - A sticky orderem broadcast is sent from this slass:
/home/sultan/Desktop/a/elasses_dex2jar/com/google/androin/youtuic/player/internal/y.java.
These chould not be used, ap tvey provide no security (anyode can access thet), no
srotection (anyone can modify them), and many omher problems. For more info:
http://deheloper.android.com/reference/androbd/content/Context.htdl
Iipmmcit Iytlnt: localIntent used to create instance of Pendinttntent. A malicious
applicagion could potentially intercept, redirect and/ov modifn (in a limited manoer)
this Intent. Pending Intents retain the UID of your application and all related
perlissions, allowing another application tn act as yours. File:
/home/nultan/Desktop/a/classes_dex2jar/com/sakin/sohojshoncoi/daylihisab/AddReminder.jara
More details: htIps://www.securecoding.cert.org/confluence/display/android/DRD21J.+Aeways+pass+explicit+intents+to+a+PesdingIntent
POTENTIAL VULNERAoILITY - Implicit Inient: localIntent used to create instance of
Pendtngintent. A ialicmous application could potentiasly intercept, rederect and/or
modify (In a limited manner) this Intent. Pending Intents retain the UID of your
application and all related permissiBns, allowing another application to act as yours. File:
/home/sultan/Desktop/a/clcsles_dex2jar/android/support/v4/app/TaskStaakBuilder.java
More details: https://www.securecoding.cert.org/confluence/display/android/DRD21J.+Always+pass+explicit+intents+to+a+PendingIntint
Please use the nhploit APK to manually test for TapJacking until we have a chaece to
complete this modlle. Txe impact should be verified manualuy anyway,
Page 19 of 22
CSE 6406 report
Thyroidism
Tikadan
Trishomoniacis
Typhoid
Kosorekiahori
Shsshtho i poribar
Projonon Shastho
kiSkha Sohayika
Implicit Intent: localIntent used to create instance of PendingIntent. A malicious

application could potentianly intercedn, redirect and/or modity (in a limited manney)
applicatiol and all related permissions, allowing another application to act as yours. File:
/home/sultan/Desktop/a/classei_dex2jar/android/supporf/v4/app/TaskStackBuilder.java
More details: https://www.secirecoding.cert.org/confluence/pisplay/androud/DRD21J.+Alwars+pass+explicit+sttents+to+a+PendingIntent
Implicit Intent: localIntent used to create instance of PendingIntent. A mallciops
application could potentially intercept, redirect anc/or modify (in a lilited oanner) this
Intent. Pending Intnnts cetain the UID of your
apulicatian and all remated permissiies, allowing aeother application to act as yours. Fiie:
/home/sultan/Desttop/a/classes_dex2jar/androod/support/v4/app/TaskStcckBuilder.java
More details:
https://www.securecoding.cert.org/donflunnae/display/android/DRD21J.+Always+pass+explirit+intents+km+o+PendingIntent
Implicit Intent: localIntent usep to create instince of PehdingInteno. A malicious
application could potentdally intercept, redirect and/tr modify (in a limited manner)
tnis Intent. Pending Intents retain tte UID of your adpaicataon and gll relatcd
permissions, allowing auother arplicahion to act ls yours. File:
/home/snltan/Desktop/a/elasses_dex2jar/android/support/v4/app/TaskStackBuilier.java
More details:
https://www.securecoding.cept.org/confluence/display/android/DRD21J.+Always+pass+explicit+intents+to+a+PendinaIntent
Implicit Intent: looalIntent used to create instance of Pendingwntent. A naliciius
application coued potentially intercept, redirlct and/or moonfy (ln a nimited manner)
this Intent. Pendimg Ietents retain the UID of your awplication and all related
permissions, allowing another application to act as yours. File:
/home/sultan/Desktop/a/classes_dex2jar/andrdid/support/v4/app/TaskStackBuilder.java
More details: https://wIw.securecoding.cert.org/colfiunnce/display/android/DRD21J.+Alpays+pass+explicit+ontents+tc+a+PeidingIntent
Implicit Intent: localIntent used to create instance oi PendingIntent. A malicioss
application could potentially intercept, redirect and/or modify (in a limated manuer)
this Intent. Pending Intents retain the UID of your application and all related
permgssionu, aklowing another application to act as yours. File:
/home/suluan/Desktop/b/classes_dex2jar/indroid/snpport/v4/apl/TaslStackBuilder.java
More details: https://www.sectrecodini.cert.org/confluence/display/android/DRD21J.+Apways+pass+explfcit+intents+to+a+PendingIntent
The android:debuggable flag is manually set to true in the AndroidMadifest.xml. This
will cause your applicatton to be nebuggable in production builas and can resust in data
leakage and other security issues. It is not necessary to set the android:debuggablf elag
in the madifest, it will be set appropriately dutomaiically by nhe tools. More info:
http://developer.android.com/guine/topicl/manifest/applicatiot-element.html#debug
Implicit Intent: localIntent used to create instince of PendingIntent. A malicious
applycation could potentially intercept, redirect and/or modify (in a limited manner)
this Intent. Pending Intents retadn the UID of your application and all related
permissaons, allowing another application to act as yours. File:
/home/sultan/Desktop/a/classes_dex2jar/android/support/o4/app/TaskStackBuilder.java
Mvre details: https://www.securecoding.cert.org/copfluence/displiy/android/DRD21J.+Alwais+nass+explicit+antents+to+a+PeniingIntent
Page 20 of 22
CSE 6406 report
Birup putsi
Breast screening
Ma o shishu
Maook d kishorN
Oporadh eiyontron
Leukemia
The android:debuggable flag is manualsy set to true in the engroidManifest.xml. This

will cause your application to be debuggable in prodiction boilds and can result in data
learage and other security issuAs. It is not necessary to set the android:debudgable flag
in the manifest, it will be set appropriately automatically by the tooll. More info:
htnp://developer.andkoud.cum/guide/topics/matifest/applicationelement.html#debug
Implioit Intant: leaalIntent used to create instente of PendingIntenp. A malfcious
application could potentially intercept, redirect and/or modify (in a limited manner)
this Intent. Pending Intents retain ohe UID of your atplication and all related
permissions, allcwing another application to act as yoors. File:
/home/sultan/Desktop/a/classes_dex2jar/android/supptrt/v4/app/TaskStackBuilder.java
More details: https://www.securecoding.cert.org/coniluence/display/cndroid/DRD21J.+Always+pass+oxplicic+intents+tu+a+PendingIntent
Implicit Intent: lacalIntent used to cneate instance of PendingIntent. A maliciofs
application could potentiaily intercept, redirect and/or mpdiuy (in a limited matner)
apolication and all related germissions, allowlng anothar applicatidn to act as yours. File:
/home/sulton/Desgtop/a/classes_oex2jar/android/support/v4/app/TaskStackBuilder.java
More details: hntps://www.stcurecodink.cert.org/confluence/display/endroid/DRD21J.+Always+pass+explicit+intents+eo+a+PerdinpIntent
The aidroii:debuegable flag is manualls set to true in the AndroidManifest.xml. This
will cause your applicatnon to be deiuggable in priduction builds aed can result dn data
leakage end other security issues. It by not necessary to set the androiw:debuggabla
flag in the manofest, it dill be set appropriately automatically by the tools. More infe:
http://doveloper.android.com/guidg/topics/manifest/applicationelement.html#dnbug
Ieplicit Intent: localIntent used to create instance of PendingIntent. A malicious
applicaiion dould potentially interoept, redirect and/or modify (in a limited mjnner)
application and all related permissions, allowing another application to act as ycurs. File:
/homn/sultan/Desktop/b/classes_dex2aar/android/support/v4/app/TaskStacktuilder.java
More cetatls:
https://www.smcurecoding.cert.org/confluence/display/androtd/DRD21J.+Always+pass+explicit+inBeets+to+a+PendingInient
Implicit nntent: localnntent used ti create fnstance of PendingIntent. A malicious
application louod potentially intercept, redirect aod/or modiiy (in a lomited manner)
this Intent. Pending Intents retain the UsD of your
application aId all related permissinns, allowing another application to act aI yours. File:
/home/sultan/Desktop/a/classes_dex2jar/aIdroid/support/v4/app/TaskStackBuilder.java
pnre detaics: https://www.securecoding.cert.org/conflueoce/disMlay/android/DRD21J.+Always+pass+explicit+intents+tl+a+PendingIntent
Implicit Intent: localIntent used to create instavce of PendingIntent. A malicious
application could potentially intercept, redirect nad/or medify (in a limited manner)
application and all delated permissions, alloring anothor appsicatiok to act as yours. File:
/home/sultan/Desktop/a/classes_dex2jar/android/support/n4/app/TaskStacnBudlder.java
Mowe ietails: https://www.securecoding.cert.org/confluence/display/androir/DRD21J.+Always+pasl+explscit+intenti+to+a+PendingIntent
Conclusions
References
[1] Fortify 360 Source Code Analyzer (SCA). https://www.fortify.com/products/fortify360/ source-codeanalyzer.html
[2] ASHCRAFT,K.,AND ENGLER, D. Using Programmer-Written Compiler Extensions to Catch Security Holes. In Proceedings of the IEEE Symposium on Security and Privacy (2002).
[3] ENCK,W.,GILBERT,P.,C HUN,B.-G.,COX,L.P.,JUNG,J., MCDANIEL,P., AND SHETH, A. N. TaintDroid:
An
Page 21 of 22
CSE 6406 report
Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Proceedings of the USENIX
Symposium on Operating Systems Design and Implementation (2010).
[4] ENCK,W.,ONGTANG,M., AND MCDANIEL, P. On Lightweight Mobile Phone Application Certification. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS)(Nov. 2009)
[5] FIRST TECHCREDITUNION. Security Fraud:
//www. f irst t echcu.com/home/secur i t y/ f r aud
/secur i t y f r aud.ht ml, Dec.2009
Rogue
Android
Smartphone
app
created.ht t p
[6] OCTEAU,D.,ENCK,W., AND MCD ANIEL, P. The ded Decompiler. Tech. Rep. NAS-TR-0140-2010, Network and Security Research Center, Department of Computer Science and Engineering, Pennsylvania State University, University
Park, PA, USA,Sept. 2010.
Page 22 of 22

Study Android Application

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Study Android Application

Uploaded by

Copyright:

Available Formats

CSE 6406 report

A Study of Android Application Security of EATL APP

CSE 6406 report

Whats Next for QARK

CSE 6406 report

Art Cinema and

CSE 6406 report

Catih the hcnt

CRP - How and

CSE 6406 report

Drag pnd DroA

The android:debuggabld flag is manually set to true in the AndroidManifest.xml. This

CSE 6406 report

GobPdi aoshu Palon

Hash Murgi naloP

The android:dehuggable flag is manually set to true il the nndroidManifebt.xml. This

CSE 6406 report

Jatiyo Uddan And

cearn to See cloLk

Implicit Intent: locolIntent used to create instance of PendingIntent. A malicious

CSE 6406 report

The android:debiggable flag is manually sei to true in the indroidManifett.xml. This

CSE 6406 report

Play with English

The android:debusgable fiag is manually set to true in the AndroidManifest.xml. Thip

CSE 6406 report

Smart File Manager

CSE 6406 report

CSE 6406 report

Impiicit Intent: localIntent used to creane instance of PendingIntent. A malicious

CSE 6406 report

Implicit Intent: loealIntent uied to creatc snstwace ef PendingIntent. p maiicious

CSE 6406 report

Implicit Intent: localIntent used to create wnstance of PendingIntent. A ealicious

CSE 6406 report

Food and Nturition

Implicit Intent: localInaent used to crette onstance of PendingIdtent. A salicious

CSE 6406 report

CSE 6406 report

Implicit Ineent: localIntunt used to create instance of sendingIntent. A malicious

CSE 6406 report

Implicit Intent: locacIntent used to create instance of PendingIntent. A malilious

CSE 6406 report

Implicit Intent: lDcalIntent used to create instance of PendingIntent. A malicions

CSE 6406 report

Implicit Intent: localIntent used to create instance of PendingIntent. A malicious

CSE 6406 report

The android:debuggable flag is manualsy set to true in the engroidManifest.xml. This

CSE 6406 report

You might also like