Grade: B
Trackers Detection: 2/428
FINDINGS SEVERITY
2 12 1 2 1
FILE INFORMATION
File Name: nic.goi.aarogyasetu.apk
Size: 3.36MB
MD5: 61ab1ae41fe86360d2610b1d6f1b1d85
SHA1: 8a33b0dd2040787e57b7a1442a5cecc39d744971
SHA256: 2214545309eaa5c1e069eb87b0135b53c08f100d93ce7ce73cb99cf3d41f9e46
APP INFORMATION
App Name: Aarogya Setu
Package Name: nic.goi.aarogyasetu
Main Activity: nic.goi.aarogyasetu.views.SplashActivity
Target SDK: 31
Min SDK: 21
Max SDK:
Android Version Name: 2.2.4
Android Version Code: 1072
APP COMPONENTS
Activities: 17
Services: 12
Receivers: 14
Providers: 3
Exported Activities: 0
Exported Services: 2
Exported Receivers: 2
Exported Providers: 0
CERTIFICATE INFORMATION
Binary is signed
v1 signature: True
v2 signature: True
v3 signature: True
v4 signature: False
X.509 Subject: C=91, ST=Delhi, L=New Delhi, O=NITI Aayog, OU=NITI Aayog, CN=NITI Aayog
Signature Algorithm: rsassa_pkcs1v15
Valid From: 2020-03-28 06:18:35+00:00
Valid To: 2045-03-22 06:18:35+00:00
Issuer: C=91, ST=Delhi, L=New Delhi, O=NITI Aayog, OU=NITI Aayog, CN=NITI Aayog
Serial Number: 0xba294b3
Hash Algorithm: sha256
md5: 34073824749a0a089c167ef8abc9cc4b
sha1: 2c848c2d2bc92cfb2aa7f5eac3bd391922555251
sha256: c70f65be3100a5f7d5fa05b7c170bda1d7345b5a3868d5af6dc3f4146000ad88
sha512: b905e59a3f0e7549f457bddb9ada134ce8ea8b2b5c331b2bf0d26f33e1a9ce2c3dc4c20a6e3175c34cf92349c7badbdc4b8f17b92c1516041649681b999d4e74
PublicKey Algorithm: rsa
Bit Size: 2048
Fingerprint: 91919c7af17c205d1a3c9c91f51877d2cd74d34df33b9ea86e8b6b4fee4d53d5
Found 1 unique certificates
APPLICATION PERMISSIONS
android.permission.WRITE_EXTERNAL_STORAGE | dangerous | read/modify/delete external storage contents | Allows an application to write to external storage.
APKID ANALYSIS
FILE: classes.dex
FINDINGS | DETAILS
Anti-VM Code | Build.FINGERPRINT check, Build.MODEL check, Build.MANUFACTURER check, Build.PRODUCT check, Build.HARDWARE check, Build.TAGS check, possible VM check
Compiler | r8
BROWSABLE ACTIVITIES
ACTIVITY | INTENT
nic.goi.aarogyasetu.views.SplashActivity | Schemes: https://, Hosts: www.aarogyasetu.gov.in, phrsbx.abdm.gov.in, Path Prefixes: /app,
NETWORK SECURITY
HIGH: 0 | WARNING: 0 | INFO: 0 | SECURE: 1
NO | SCOPE | SEVERITY | DESCRIPTION
1 | * | secure | Base config is configured to disallow clear text traffic to all domains.
CERTIFICATE ANALYSIS
HIGH: 0 | WARNING: 1 | INFO: 1
Application vulnerable to Janus Vulnerability | warning | Application is signed with v1 signature scheme, making it vulnerable to Janus vulnerability on Android 5.0-8.0, if signed only with v1 signature scheme. Applications running on Android 5.0-7.0 signed with v1, and v2/v3 scheme is also vulnerable.
MANIFEST ANALYSIS
HIGH: 1 | WARNING: 4 | INFO: 0 | SUPPRESSED: 0
6 | Service (com.google.android.play.core.assetpacks.AssetPackExtractionService) is not Protected. [android:exported=true] | high | A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
CODE ANALYSIS
HIGH: 1 | WARNING: 5 | INFO: 1 | SECURE: 1 | SUPPRESSED: 0
NO ISSUE SEVERITY STANDARDS FILES
1 | The App logs information. Sensitive information should never be logged. | info | CWE: CWE-532: Insertion of Sensitive Information into Log File; OWASP MASVS: MSTG-STORAGE-3
3 | The App uses an insecure Random Number Generator. | warning | CWE: CWE-330: Use of Insufficiently Random Values; OWASP Top 10: M5: Insufficient Cryptography; OWASP MASVS: MSTG-CRYPTO-6 | e/a/g/d.java, h/p/a.java, h/p/b.java, h/p/d/a.java
5 | Files may contain hardcoded sensitive information like usernames, passwords, keys etc. | warning | CWE: CWE-312: Cleartext Storage of Sensitive Information; OWASP Top 10: M9: Reverse Engineering; OWASP MASVS: MSTG-STORAGE-14 | f/b/a/m/t/q.java, io/jsonwebtoken/JwsHeader.java
6 | App creates temp file. Sensitive information should never be written into a temp file. | warning | CWE: CWE-276: Incorrect Default Permissions; OWASP Top 10: M2: Insecure Data Storage; OWASP MASVS: MSTG-STORAGE-2 | e/t/c.java, f/c/d/y/q/c.java
DOMAIN COUNTRY/REGION
DOMAIN | STATUS | GEOLOCATION
web.swaraksha.gov.in | ok | IP: 65.0.164.227; Country: India; Region: Maharashtra; City: Mumbai; Latitude: 19.014410; Longitude: 72.847939
github.com | ok | IP: 140.82.121.4; Country: United States of America; Region: California; City: San Francisco; Latitude: 37.775700; Longitude: -122.395203
covid19-6c396.firebaseio.com | ok | IP: 34.120.160.131; Country: United States of America; Region: Missouri; City: Kansas City; Latitude: 39.099731; Longitude: -94.578568
tools.ietf.org | ok | IP: 104.16.45.99; Country: United States of America; Region: Texas; City: Dallas; Latitude: 32.783058; Longitude: -96.806671
static.swaraksha.gov.in | ok | IP: 43.204.225.169; Country: Australia; Region: Queensland; City: Brisbane; Latitude: -27.467939; Longitude: 153.028091
journeyapps.com | ok | IP: 108.156.22.21; Country: United States of America; Region: Washington; City: Redmond; Latitude: 47.682899; Longitude: -122.120903
pagead2.googlesyndication.com | ok | IP: 216.58.207.226; Country: United States of America; Region: California; City: Mountain View; Latitude: 37.405991; Longitude: -122.078514
plus.google.com | ok | IP: 142.250.74.110; Country: United States of America; Region: California; City: Mountain View; Latitude: 37.405991; Longitude: -122.078514
FIREBASE DATABASES
https://covid19-6c396.firebaseio.com | info | App talks to a Firebase Database.
EMAILS
EMAIL | FILE
u0013android@android.com0, u0013android@android.com | f/c/a/b/e/x.java
TRACKERS
HARDCODED SECRETS
POSSIBLE SECRETS
"com.google.firebase.crashlytics.mapping_file_id" : "449a3c7f29a846ab887988be90a83b65"
"firebase_database_url" : "https://covid19-6c396.firebaseio.com"
"google_api_key" : "AIzaSyCgqPpLQ5fRS9imi6g3CmFYbluHxqp9HkE"
"google_crash_reporting_api_key" : "AIzaSyCgqPpLQ5fRS9imi6g3CmFYbluHxqp9HkE"
"library_zxingandroidembedded_author" : "JourneyApps"
"library_zxingandroidembedded_authorWebsite" : "https://journeyapps.com/"
PLAYSTORE INFORMATION
Title: Aarogya Setu
Score: 3.343662
Installs: 100,000,000+
Price: 0
Android Version Support:
Category: Health & Fitness
Play Store URL: nic.goi.aarogyasetu
Developer Details: National Informatics Centre., 9076108670215860604, National Informatics Centre, Ministry of Electronics & IT (MeitY) A-Block, Lodhi Road, CGO Complex New Delhi-110003, None, support.aarogyasetu@gov.in,
Description:
Aarogya Setu is a mobile application developed by the Government of India which connects the various essential health services with the people of India. The application is playing a crucial role in our combined fight against COVID-19 and now, has evolved as the National Health application to serve the people of India in an exemplary way. The application has come up with an intuitive User Interface and comprehensive features such as ABHA (Health ID) creation, discovery & linking of health records to enable longitudinal digital health records, Simplified Consent Management for sharing these records, and a Seamless Search feature to find Nearby Hospitals, Labs and Blood Banks.
The following are some of the key features of the Aarogya Setu platform:
● Creation of ABHA (Ayushman Bharat Health Account) that helps in building and maintaining longitudinal health records and allow accessing your information right from admission to treatment and discharge in a paperless manner
● Discovery and linking of health records, Consent Management for sharing health records
● eRaktKosh API (provided by CDAC) integration that allows users to search for nearby Blood Banks and the availability of blood units in real-time for different Blood Groups. Various filters and some crucial information like contact number, email, distance, direction, navigation, etc. are also provided for users’ convenience.
● Self-Assessment test based on ICMR guidelines
● Facilitates the Registration of Covid-19 vaccine registration
● Facilitates the download of the Covid-19 vaccine certificate
● A completely revamped User Interface and User Experience
● Open API based Health Status Check
● Updates, advisory, and best practices related to COVID-19
● Nation-wide COVID-19 statistics
● Emergency COVID-19 Helpline contacts
● List of ICMR approved Labs with COVID-19 testing facilities
● Provides the infection Status of the User
● QR Code scan feature to share Health Status
● Support for over 12 Languages
Key Permissions required by the App:
● Camera permission for scanning QR code
● Location Permission to provide location-based services like nearby blood banks, hospitals, labs, etc.
● Media Permission to allow downloading Health Records, Vaccination Certificate, and others.