
ANDROID STATIC ANALYSIS REPORT

 Aarogya Setu (2.2.4)


File Name: nic.goi.aarogyasetu.apk

Package Name: nic.goi.aarogyasetu

Scan Date: Sept. 10, 2023, 7:19 p.m.

App Security Score: 52/100 (MEDIUM RISK)

Grade: B
Trackers Detection: 2/428
 FINDINGS SEVERITY

HIGH: 2 | MEDIUM: 12 | INFO: 1 | SECURE: 2 | HOTSPOT: 1

 FILE INFORMATION
File Name: nic.goi.aarogyasetu.apk
Size: 3.36MB
MD5: 61ab1ae41fe86360d2610b1d6f1b1d85
SHA1: 8a33b0dd2040787e57b7a1442a5cecc39d744971
SHA256: 2214545309eaa5c1e069eb87b0135b53c08f100d93ce7ce73cb99cf3d41f9e46

 APP INFORMATION
App Name: Aarogya Setu
Package Name: nic.goi.aarogyasetu
Main Activity: nic.goi.aarogyasetu.views.SplashActivity
Target SDK: 31
Min SDK: 21
Max SDK:
Android Version Name: 2.2.4
Android Version Code: 1072

 APP COMPONENTS
Activities: 17
Services: 12
Receivers: 14
Providers: 3
Exported Activities: 0
Exported Services: 2
Exported Receivers: 2
Exported Providers: 0

 CERTIFICATE INFORMATION
Binary is signed
v1 signature: True
v2 signature: True
v3 signature: True
v4 signature: False
X.509 Subject: C=91, ST=Delhi, L=New Delhi, O=NITI Aayog, OU=NITI Aayog, CN=NITI Aayog
Signature Algorithm: rsassa_pkcs1v15
Valid From: 2020-03-28 06:18:35+00:00
Valid To: 2045-03-22 06:18:35+00:00
Issuer: C=91, ST=Delhi, L=New Delhi, O=NITI Aayog, OU=NITI Aayog, CN=NITI Aayog
Serial Number: 0xba294b3
Hash Algorithm: sha256
md5: 34073824749a0a089c167ef8abc9cc4b
sha1: 2c848c2d2bc92cfb2aa7f5eac3bd391922555251
sha256: c70f65be3100a5f7d5fa05b7c170bda1d7345b5a3868d5af6dc3f4146000ad88
sha512: b905e59a3f0e7549f457bddb9ada134ce8ea8b2b5c331b2bf0d26f33e1a9ce2c3dc4c20a6e3175c34cf92349c7badbdc4b8f17b92c1516041649681b999d4e74
PublicKey Algorithm: rsa
Bit Size: 2048
Fingerprint: 91919c7af17c205d1a3c9c91f51877d2cd74d34df33b9ea86e8b6b4fee4d53d5
Found 1 unique certificates
 APPLICATION PERMISSIONS

android.permission.ACCESS_COARSE_LOCATION
   Status: dangerous
   Info: coarse (network-based) location
   Description: Access coarse location sources, such as the mobile network database, to determine an approximate phone location, where available. Malicious applications can use this to determine approximately where you are.

android.permission.ACCESS_FINE_LOCATION
   Status: dangerous
   Info: fine (GPS) location
   Description: Access fine location sources, such as the Global Positioning System on the phone, where available. Malicious applications can use this to determine where you are and may consume additional battery power.

android.permission.WRITE_EXTERNAL_STORAGE
   Status: dangerous
   Info: read/modify/delete external storage contents
   Description: Allows an application to write to external storage.

android.permission.ACCESS_NETWORK_STPermisATE
   Status: unknown
   Info: Unknown permission
   Description: Unknown permission from android reference

android.permission.INTERNET
   Status: normal
   Info: full Internet access
   Description: Allows an application to create network sockets.

android.permission.FOREGROUND_SERVICE
   Status: normal
   Description: Allows a regular application to use Service.startForeground.

android.permission.RECEIVE_BOOT_COMPLETED
   Status: normal
   Info: automatically start at boot
   Description: Allows an application to start itself as soon as the system has finished booting. This can make it take longer to start the phone and allow the application to slow down the overall phone by always running.

android.permission.ACCESS_BACKGROUND_LOCATION
   Status: dangerous
   Info: access location in background
   Description: Allows an app to access location in the background.

android.permission.CAMERA
   Status: dangerous
   Info: take pictures and videos
   Description: Allows application to take pictures and videos with the camera. This allows the application to collect images that the camera is seeing at any time.

android.permission.WAKE_LOCK
   Status: normal
   Info: prevent phone from sleeping
   Description: Allows an application to prevent the phone from going to sleep.

android.permission.ACCESS_NETWORK_STATE
   Status: normal
   Info: view network status
   Description: Allows an application to view the status of all networks.

com.google.android.c2dm.permission.RECEIVE
   Status: signature
   Info: C2DM permissions
   Description: Permission for cloud to device messaging.

com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE
   Status: unknown
   Info: Unknown permission
   Description: Unknown permission from android reference

com.google.android.gms.permission.AD_ID
   Status: unknown
   Info: Unknown permission
   Description: Unknown permission from android reference

 APKID ANALYSIS

FILE | FINDINGS | DETAILS
classes.dex | Anti-VM Code | Build.FINGERPRINT check, Build.MODEL check, Build.MANUFACTURER check, Build.PRODUCT check, Build.HARDWARE check, Build.TAGS check, possible VM check
classes.dex | Anti Debug Code | Debug.isDebuggerConnected() check
classes.dex | Compiler | r8

 BROWSABLE ACTIVITIES

ACTIVITY | INTENT
nic.goi.aarogyasetu.views.SplashActivity | Schemes: https://; Hosts: www.aarogyasetu.gov.in, phrsbx.abdm.gov.in; Path Prefixes: /app

 NETWORK SECURITY
HIGH: 0 | WARNING: 0 | INFO: 0 | SECURE: 1
NO | SCOPE | SEVERITY | DESCRIPTION
1 | * | secure | Base config is configured to disallow clear text traffic to all domains.
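The "secure" result above reflects a base-config that sets cleartextTrafficPermitted="false". What a given host actually gets depends on more than the base setting: a domain-config overrides base-config, a nested domain-config overrides its parent, includeSubdomains widens a match, and when base-config says nothing the platform default applies (cleartext allowed below targetSdk 28, denied from 28 on). The following is an added example, not MobSF code and not the app's real network_security_config.xml; the configuration and the .test host names are constructed to exercise those rules.

```python
"""Evaluate an Android Network Security Configuration for cleartext (plain HTTP).

Added example for the network security finding above; it is not MobSF code and
the configuration below is constructed, not the app's real
network_security_config.xml. Host names ending in .test are placeholders.
"""
import xml.etree.ElementTree as ET

SAMPLE_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">dev.example.test</domain>
    <domain-config cleartextTrafficPermitted="false">
      <domain includeSubdomains="false">secure.dev.example.test</domain>
    </domain-config>
  </domain-config>
  <domain-config>
    <domain>static.example.test</domain>
  </domain-config>
</network-security-config>
"""

def _flag(element, attribute, default):
    value = element.get(attribute)
    return default if value is None else value.strip().lower() == "true"

def _domain_matches(host, domain_el):
    name = (domain_el.text or "").strip().lower()
    if _flag(domain_el, "includeSubdomains", False):
        return host == name or host.endswith("." + name)
    return host == name

def _lookup(config_el, host, inherited):
    """Cleartext setting for host under this domain-config, or None if no
    <domain> here (or in a nested config) matches. Nested configs are tried
    first because a more specific rule overrides its parent."""
    setting = _flag(config_el, "cleartextTrafficPermitted", inherited)
    for nested in config_el.findall("domain-config"):
        found = _lookup(nested, host, setting)
        if found is not None:
            return found
    if any(_domain_matches(host, d) for d in config_el.findall("domain")):
        return setting
    return None

def cleartext_permitted(nsc_xml, host, target_sdk):
    """True if the config lets the app send cleartext to host.
    Without a base-config value the platform default applies: permitted when
    targetSdk < 28, denied from 28 on."""
    host = host.lower().rstrip(".")
    root = ET.fromstring(nsc_xml)
    platform_default = target_sdk < 28
    base = root.find("base-config")
    base_setting = (platform_default if base is None
                    else _flag(base, "cleartextTrafficPermitted", platform_default))
    for dc in root.findall("domain-config"):
        found = _lookup(dc, host, base_setting)
        if found is not None:
            return found
    return base_setting

if __name__ == "__main__":
    for h in ("api.example.test", "dev.example.test", "foo.dev.example.test",
              "secure.dev.example.test", "static.example.test"):
        verdict = "allowed" if cleartext_permitted(SAMPLE_NSC, h, 31) else "blocked"
        print(f"{h:28} cleartext={verdict}")
```

One simplification: the platform resolves overlapping sibling domain-config entries by the most specific matching domain, whereas this walker takes them in document order; for configs whose entries do not overlap (the common case) the two agree. Run it against the decoded res/xml/network_security_config.xml of the APK to see which hosts, if any, are opted back into cleartext.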

 CERTIFICATE ANALYSIS
HIGH: 0 | WARNING: 1 | INFO: 1

TITLE | SEVERITY | DESCRIPTION
Signed Application | info | Application is signed with a code signing certificate
Application vulnerable to Janus Vulnerability | warning | Application is signed with the v1 signature scheme, making it vulnerable to the Janus vulnerability on Android 5.0-8.0 if signed only with the v1 scheme. Applications running on Android 5.0-7.0 that are signed with v1 together with the v2/v3 scheme are also vulnerable.

 MANIFEST ANALYSIS
HIGH: 1 | WARNING: 4 | INFO: 0 | SUPPRESSED: 0

1. App can be installed on a vulnerable Android version [minSdk=21]
   Severity: warning
   Description: This application can be installed on an older version of Android that has multiple unfixed vulnerabilities. Support an Android version > 8, API 26 to receive reasonable security updates.

2. App has a Network Security Configuration [android:networkSecurityConfig=@xml/network_security_config]
   Severity: info
   Description: The Network Security Configuration feature lets apps customize their network security settings in a safe, declarative configuration file without modifying app code. These settings can be configured for specific domains and for a specific app.

3. Service (androidx.work.impl.background.systemjob.SystemJobService) is protected by a permission, but the protection level of the permission should be checked. Permission: android.permission.BIND_JOB_SERVICE [android:exported=true]
   Severity: warning
   Description: A Service is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

4. Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) is protected by a permission, but the protection level of the permission should be checked. Permission: android.permission.DUMP [android:exported=true]
   Severity: warning
   Description: A Broadcast Receiver is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

5. Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is protected by a permission, but the protection level of the permission should be checked. Permission: com.google.android.c2dm.permission.SEND [android:exported=true]
   Severity: warning
   Description: A Broadcast Receiver is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

6. Service (com.google.android.play.core.assetpacks.AssetPackExtractionService) is not protected. [android:exported=true]
   Severity: high
   Description: A Service is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device.
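Findings 3 to 5 concern permissions the app does not define (two platform permissions and one belonging to Google Play services), so the check they ask for is made against the device rather than the APK; finding 6 is the one component with no permission at all. The script below is an added example, not MobSF's code and not the app's: it audits a decoded AndroidManifest.xml (as produced by apktool) for exported components and reports, for each, whether the guarding permission is app-defined (and its protectionLevel), external, or absent. The SAMPLE_MANIFEST is constructed; the four flagged components carry the names from the report, while the INTERNAL permission, SyncService, BootReceiver and PrivateService are hypothetical and only exercise the remaining paths.

```python
"""Audit exported components in a decoded AndroidManifest.xml.

Added example for the manifest findings above; it is not MobSF's code or the
app's. It assumes the manifest has been decoded to plain XML (apktool does
this). SAMPLE_MANIFEST is constructed: the four flagged components carry the
names from the report, while INTERNAL, SyncService, BootReceiver and
PrivateService are hypothetical.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # android: attribute namespace
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="nic.goi.aarogyasetu">
  <permission android:name="nic.goi.aarogyasetu.permission.INTERNAL"
      android:protectionLevel="signature" />
  <application>
    <service android:name="androidx.work.impl.background.systemjob.SystemJobService"
        android:exported="true"
        android:permission="android.permission.BIND_JOB_SERVICE" />
    <receiver android:name="androidx.work.impl.diagnostics.DiagnosticsReceiver"
        android:exported="true"
        android:permission="android.permission.DUMP" />
    <receiver android:name="com.google.firebase.iid.FirebaseInstanceIdReceiver"
        android:exported="true"
        android:permission="com.google.android.c2dm.permission.SEND" />
    <service android:name="com.google.android.play.core.assetpacks.AssetPackExtractionService"
        android:exported="true" />
    <service android:name="nic.goi.aarogyasetu.SyncService"
        android:exported="true"
        android:permission="nic.goi.aarogyasetu.permission.INTERNAL" />
    <receiver android:name="nic.goi.aarogyasetu.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED" />
      </intent-filter>
    </receiver>
    <service android:name="nic.goi.aarogyasetu.PrivateService"
        android:exported="false" />
  </application>
</manifest>
"""

def is_exported(component, target_sdk):
    """Platform export rules: an explicit android:exported wins; otherwise a
    component with an intent-filter is exported, and providers are exported by
    default only before API 17."""
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit == "true"
    if component.tag == "provider":
        return target_sdk < 17
    return component.find("intent-filter") is not None

def audit_exported(manifest_xml, target_sdk):
    """Return one record per exported component with a protection verdict."""
    root = ET.fromstring(manifest_xml)
    own_perms = {p.get(A + "name"): p.get(A + "protectionLevel", "normal")
                 for p in root.findall("permission")}
    findings = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp, target_sdk):
            continue
        perm = comp.get(A + "permission")
        if perm is None:
            verdict = "UNPROTECTED"
        elif perm in own_perms:
            verdict = "app-defined protectionLevel=" + own_perms[perm]
        else:
            verdict = "external permission; check protectionLevel where it is defined"
        findings.append({
            "tag": comp.tag,
            "name": comp.get(A + "name"),
            "permission": perm,
            "verdict": verdict,
            # From targetSdk 31 the installer rejects a component that has an
            # intent-filter but no explicit android:exported attribute.
            "needs_explicit_exported": comp.get(A + "exported") is None and target_sdk >= 31,
        })
    return findings

if __name__ == "__main__":
    for f in audit_exported(SAMPLE_MANIFEST, target_sdk=31):
        print(f"{f['tag']:8} {f['name']}\n         permission={f['permission']} -> {f['verdict']}")
```

For the "external permission" rows the protectionLevel lives in whichever package defines the permission; on a device, `adb shell pm list permissions -f` prints every installed permission together with its protectionLevel, which is the lookup those three warnings ask for.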
 CODE ANALYSIS
HIGH: 1 | WARNING: 5 | INFO: 1 | SECURE: 1 | SUPPRESSED: 0

1. The App logs information. Sensitive information should never be logged.
   Severity: info
   Standards: CWE: CWE-532: Insertion of Sensitive Information into Log; OWASP MASVS: MSTG-STORAGE-3
   Files: com/bumptech/glide/load/engine/GlideException.java, e/a/g/d.java, e/a0/c0.java, e/b/k/u.java, e/b/l/a/a.java, e/b/o/i/g.java, e/b/p/b1.java, e/b/p/f0.java, e/b/p/q0.java, e/b/p/w.java, e/d0/a/b.java, e/e0/a0/a.java, e/e0/f.java, e/e0/n.java, e/i/e/b.java, e/i/e/c.java, e/i/e/m.java, e/i/f/b/a.java, e/i/f/b/h.java, e/i/g/g.java, e/i/g/k/d.java, e/i/i/f.java, e/i/m/b.java, e/i/m/q.java, e/i/m/s.java, e/i/m/x.java, e/n/a/a.java, e/o/d/y0.java, e/q/a/a.java, e/t/a.java, e/t/c.java, e/v/i.java, e/y/a/c.java, e/y/a/f/c.java,
          f/b/a/l/d.java, f/b/a/l/e.java, f/b/a/m/s/b.java, f/b/a/m/s/l.java, f/b/a/m/t/b0/j.java, f/b/a/m/t/c0/j.java, f/b/a/m/t/d0/a.java, f/b/a/m/u/c.java, f/b/a/m/u/t.java, f/b/a/m/v/c/a0.java, f/b/a/m/v/c/m.java, f/b/a/m/v/c/q.java, f/b/a/m/v/c/y.java, f/b/a/q/h/i.java, f/b/a/r/b.java, f/b/a/s/k/a.java, f/c/a/a/j/s/k.java,
          f/c/a/b/a/a/a.java, f/c/a/b/a/a/b.java, f/c/a/b/d/a.java, f/c/a/b/d/f.java, f/c/a/b/d/p.java, f/c/a/b/d/r.java, f/c/a/b/d/w.java, f/c/a/b/e/h.java, f/c/a/b/e/m/a.java, f/c/a/b/e/m/b0.java, f/c/a/b/e/y.java, f/c/a/b/g/b.java, f/c/a/b/h/g/m5.java, f/c/a/b/h/g/t0.java, f/c/a/b/h/g/v0.java, f/c/a/b/h/g/v5.java, f/c/a/b/j/a/a.java, f/c/a/b/j/b/i3.java, f/c/a/b/m/a.java,
          f/c/a/c/c0/c.java, f/c/a/c/f0/b.java, f/c/a/c/g0/a.java, f/c/a/c/m/g.java, f/c/a/d/a/d/a.java, f/c/a/d/a/d/u.java,
          f/c/d/a0/j0.java, f/c/d/a0/o0.java, f/c/d/a0/p0.java, f/c/d/a0/q0.java, f/c/d/a0/s0.java, f/c/d/o/q.java, f/c/d/q/g.java, f/c/d/q/j/f.java, f/c/d/q/j/j/f0.java, f/c/d/q/j/j/k0.java, f/c/d/q/j/j/l.java, f/c/d/q/j/j/p.java, f/c/d/q/j/k/d.java, f/c/d/q/j/k/g.java, f/c/d/q/j/p/a.java, f/c/d/y/g.java,
          f/c/g/s/a/d.java, f/c/g/s/a/f.java, f/c/g/s/a/n/a.java, f/c/g/s/a/n/b/a.java, f/d/a/y/e.java, f/d/a/y/f.java, f/d/a/y/g.java, f/d/a/y/k.java, f/d/a/y/m.java

2. This App may have root detection capabilities.
   Severity: secure
   Standards: OWASP MASVS: MSTG-RESILIENCE-1
   Files: f/c/a/d/a/d/l.java, f/c/d/q/j/j/l.java

3. The App uses an insecure Random Number Generator.
   Severity: warning
   Standards: CWE: CWE-330: Use of Insufficiently Random Values; OWASP Top 10: M5: Insufficient Cryptography; OWASP MASVS: MSTG-CRYPTO-6
   Files: e/a/g/d.java, h/p/a.java, h/p/b.java, h/p/d/a.java

4. The App uses ECB mode in a cryptographic encryption algorithm. ECB mode is known to be weak as it results in the same ciphertext for identical blocks of plaintext.
   Severity: high
   Standards: CWE: CWE-327: Use of a Broken or Risky Cryptographic Algorithm; OWASP Top 10: M5: Insufficient Cryptography; OWASP MASVS: MSTG-CRYPTO-2
   Files: f/c/c/a/b0/f.java, j/a/a/p/t0.java

5. Files may contain hardcoded sensitive information like usernames, passwords, keys etc.
   Severity: warning
   Standards: CWE: CWE-312: Cleartext Storage of Sensitive Information; OWASP Top 10: M9: Reverse Engineering; OWASP MASVS: MSTG-STORAGE-14
   Files: f/b/a/m/t/q.java, io/jsonwebtoken/JwsHeader.java

6. App creates temp file. Sensitive information should never be written into a temp file.
   Severity: warning
   Standards: CWE: CWE-276: Incorrect Default Permissions; OWASP Top 10: M2: Insecure Data Storage; OWASP MASVS: MSTG-STORAGE-2
   Files: e/t/c.java, f/c/d/y/q/c.java

7. App uses SQLite Database and executes raw SQL queries. Untrusted user input in raw SQL queries can cause SQL Injection. Also, sensitive information should be encrypted before being written to the database.
   Severity: warning
   Standards: CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'); OWASP Top 10: M7: Client Code Quality
   Files: f/c/a/a/j/v/i/e.java, f/c/a/a/j/v/i/v.java

8. SHA-1 is a weak hash known to have hash collisions.
   Severity: warning
   Standards: CWE: CWE-327: Use of a Broken or Risky Cryptographic Algorithm; OWASP Top 10: M5: Insufficient Cryptography; OWASP MASVS: MSTG-CRYPTO-4
   Files: f/c/d/q/j/j/l.java
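Findings 3, 4 and 8 are pattern matches over the decompiled (here R8-obfuscated) Java, which is why the file list names single-letter classes rather than app features. The following is an added example, not MobSF's rule set and not code from the app: a few illustrative rules of that kind run over constructed Java lines. It includes one case worth knowing when triaging ECB results: on Android, Cipher.getInstance("AES") with no mode string resolves to AES/ECB/PKCS5Padding, so a bare algorithm name is an ECB finding even though the string "ECB" never appears in the source.

```python
"""Pattern checks behind the ECB, weak-RNG and weak-hash findings above.

Added example: these are illustrative rules over constructed Java lines, not
MobSF's rule set and not code from the app.
"""
import re

RULES = [
    ("ECB mode", "CWE-327",
     re.compile(r'Cipher\.getInstance\(\s*"[^"]*/ECB/')),
    # A transformation with no mode ("AES", "DES", "DESede") resolves to
    # <alg>/ECB/PKCS5Padding on Android, so it is the same finding in disguise.
    ("ECB mode (implicit default)", "CWE-327",
     re.compile(r'Cipher\.getInstance\(\s*"(AES|DES|DESede)"\s*\)')),
    ("insecure RNG", "CWE-330",
     re.compile(r'\bnew\s+(java\.util\.)?Random\s*\(|\bMath\.random\s*\(')),
    ("weak hash", "CWE-327",
     re.compile(r'MessageDigest\.getInstance\(\s*"(SHA-?1|MD5|MD2)"')),
]

# Constructed Java snippet; lines 1, 2, 4 and 6 are the ones a scanner should flag.
SAMPLE_JAVA = """\
Cipher c1 = Cipher.getInstance("AES/ECB/PKCS5Padding");
Cipher c2 = Cipher.getInstance("AES");
Cipher c3 = Cipher.getInstance("AES/GCM/NoPadding");
Random rng = new Random(System.currentTimeMillis());
SecureRandom srng = new SecureRandom();
MessageDigest weak = MessageDigest.getInstance("SHA-1");
MessageDigest fine = MessageDigest.getInstance("SHA-256");
// MessageDigest.getInstance("MD5") mentioned only in a comment
"""

def scan(source, path="<input>"):
    """Return one hit per (line, rule); comment-only lines are skipped."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.strip()
        if code.startswith("//") or code.startswith("*"):
            continue
        for title, cwe, pattern in RULES:
            if pattern.search(code):
                hits.append({"file": path, "line": lineno, "rule": title,
                             "cwe": cwe, "code": code})
    return hits

if __name__ == "__main__":
    for h in scan(SAMPLE_JAVA, "Sample.java"):
        print(f"{h['file']}:{h['line']} [{h['cwe']}] {h['rule']}: {h['code']}")
```

Two caveats when reading such hits in a report like this one: a match in third-party code (the f/c/d/q/j/j paths here belong to a crash-reporting SDK, judging by the package layout) is the library's choice rather than the app's, and SHA-1 or java.util.Random used for non-security purposes (file-name hashing, jitter) does not carry the CWE's impact; each hit needs the surrounding code to decide.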

 NIAP ANALYSIS v1.3

NO IDENTIFIER REQUIREMENT FEATURE DESCRIPTION


 OFAC SANCTIONED COUNTRIES
This app may communicate with the following OFAC sanctioned list of countries.

DOMAIN COUNTRY/REGION

 DOMAIN MALWARE CHECK

web.swaraksha.gov.in
   Status: ok
   Geolocation: IP 65.0.164.227; India, Maharashtra, Mumbai; Latitude 19.014410, Longitude 72.847939

github.com
   Status: ok
   Geolocation: IP 140.82.121.4; United States of America, California, San Francisco; Latitude 37.775700, Longitude -122.395203

covid19-6c396.firebaseio.com
   Status: ok
   Geolocation: IP 34.120.160.131; United States of America, Missouri, Kansas City; Latitude 39.099731, Longitude -94.578568

tools.ietf.org
   Status: ok
   Geolocation: IP 104.16.45.99; United States of America, Texas, Dallas; Latitude 32.783058, Longitude -96.806671

static.swaraksha.gov.in
   Status: ok
   Geolocation: IP 43.204.225.169; Australia, Queensland, Brisbane; Latitude -27.467939, Longitude 153.028091

journeyapps.com
   Status: ok
   Geolocation: IP 108.156.22.21; United States of America, Washington, Redmond; Latitude 47.682899, Longitude -122.120903

pagead2.googlesyndication.com
   Status: ok
   Geolocation: IP 216.58.207.226; United States of America, California, Mountain View; Latitude 37.405991, Longitude -122.078514

plus.google.com
   Status: ok
   Geolocation: IP 142.250.74.110; United States of America, California, Mountain View; Latitude 37.405991, Longitude -122.078514

 FIREBASE DATABASES

FIREBASE URL | SEVERITY | DETAILS
https://covid19-6c396.firebaseio.com | info | App talks to a Firebase Database.

 EMAILS
EMAIL | FILE
u0013android@android.com0 | f/c/a/b/e/x.java
u0013android@android.com | f/c/a/b/e/x.java

 TRACKERS

TRACKER | CATEGORIES | URL
Google CrashLytics | Crash reporting | https://reports.exodus-privacy.eu.org/trackers/27
Google Firebase Analytics | Analytics | https://reports.exodus-privacy.eu.org/trackers/49

 HARDCODED SECRETS

POSSIBLE SECRETS

"com.google.firebase.crashlytics.mapping_file_id" : "449a3c7f29a846ab887988be90a83b65"

"firebase_database_url" : "https://covid19-6c396.firebaseio.com"

"google_api_key" : "AIzaSyCgqPpLQ5fRS9imi6g3CmFYbluHxqp9HkE"

"google_crash_reporting_api_key" : "AIzaSyCgqPpLQ5fRS9imi6g3CmFYbluHxqp9HkE"

"library_zxingandroidembedded_author" : "JourneyApps"
"library_zxingandroidembedded_authorWebsite" : "https://journeyapps.com/"

 PLAYSTORE INFORMATION
Title: Aarogya Setu
Score: 3.343662
Installs: 100,000,000+
Price: 0
Android Version Support:
Category: Health & Fitness
Play Store URL: nic.goi.aarogyasetu
Developer Details: National Informatics Centre., 9076108670215860604, National Informatics Centre, Ministry of Electronics & IT (MeitY) A-Block, Lodhi Road, CGO Complex New Delhi-110003, None, support.aarogyasetu@gov.in
Release Date: Apr 11, 2020
Privacy Policy: Privacy link

Description:

Aarogya Setu is a mobile application developed by the Government of India which connects the various essential health services with the people of India. The application is playing a crucial role in our combined fight against COVID-19 and now has evolved as the National Health application to serve the people of India in an exemplary way. The application has come up with an intuitive User Interface and comprehensive features such as ABHA (Health ID) creation, discovery & linking of health records to enable longitudinal digital health records, Simplified Consent Management for sharing these records, and a Seamless Search feature to find Nearby Hospitals, Labs and Blood Banks.

The following are some of the key features of the Aarogya Setu platform:
● Creation of ABHA (Ayushman Bharat Health Account) that helps in building and maintaining longitudinal health records and allows accessing your information right from admission to treatment and discharge in a paperless manner
● Discovery and linking of health records, Consent Management for sharing health records
● eRaktKosh API (provided by CDAC) integration that allows users to search for nearby Blood Banks and the availability of blood units in real-time for different Blood Groups. Various filters and some crucial information like contact number, email, distance, direction, navigation, etc. are also provided for users' convenience.
● Self-Assessment test based on ICMR guidelines
● Facilitates the registration for the Covid-19 vaccine
● Facilitates the download of the Covid-19 vaccine certificate
● A completely revamped User Interface and User Experience
● Open API based Health Status Check
● Updates, advisory, and best practices related to COVID-19
● Nation-wide COVID-19 statistics
● Emergency COVID-19 Helpline contacts
● List of ICMR approved Labs with COVID-19 testing facilities
● Provides the infection Status of the User
● QR Code scan feature to share Health Status
● Support for over 12 Languages

Key Permissions required by the App:
● Camera permission for scanning QR code
● Location Permission to provide location-based services like nearby blood banks, hospitals, labs, etc.
● Media Permission to allow downloading Health Records, Vaccination Certificate, and others.

Report Generated by - MobSF v3.7.8 Beta


Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment
framework capable of performing static and dynamic analysis.
© 2023 Mobile Security Framework - MobSF | Ajin Abraham | OpenSecurity.
