
Mobile Application Vulnerability Scanner Lab Report

Student’s Name

University Affiliation

Course Name

Instructor’s Name

Due Date

Mobile Application Vulnerability Scanner Lab Report

Many mobile applications and other software are vulnerable and prone to malicious attacks. Software vulnerabilities can compromise a system's integrity and can also leak confidential information to unauthorized persons who may have malicious intent. Vulnerability analysis is an important task both during the development of an application and during its maintenance phase. The main aim of vulnerability scanning and analysis is to identify the most vulnerable parts of the software and to mitigate the risk that such threats would cause if they were exploited (Owoh et al., 2020). This report looks at the vulnerabilities that were found after scanning a mobile application using the Quixxi web application.

Vulnerabilities found

Twelve vulnerabilities were identified after analyzing the Dr Driving mobile application using Quixxi. Two of the scanned vulnerabilities presented high-severity threats, seven presented medium-severity threats and three presented low-severity threats. The first vulnerable aspect, found under data storage and privacy, is that the application allowed the unsafe deletion of files (Santos et al., 2017). The other feature of the application that presents a high threat to the system is that it allowed the improper export of Android components. The application was also found to expose backup files that are not protected from unauthorized personnel (Martin, 2019). The application generated random numbers that are weak and can be predicted easily because of the algorithm it uses. It also used a weak hashing algorithm which can be easily broken. Moreover, the application inserted sensitive information into debugging code that was not disabled for production, leading to information leakage.

Attacks and exploits that can be performed on identified vulnerabilities



There are several exploits and attacks that a hacker can use to take advantage of the application and also to steal information. A bug was found in the code that made files unsafe to delete (Santos et al., 2017). SQL injection can be used to exploit this bug and even to access other information in the application database. Spoofing methods and techniques can be used on the application's network to access the components and information which the Android application exports. The exported components are not protected or restricted from any other application, leaving the system prone to spoofing attacks. The application allowed the backup of sensitive information, which an attacker can access using the "adb backup -f" command. Brute-force attacks can also be used to break the random numbers generated by the application, because the application uses a predictable algorithm. Passwords and other sensitive information can be broken by brute-force methods because of the weak hashing algorithm used in the application. Reverse engineering techniques can be used to access the sensitive information that was left in the code from debugging.

Measures that can be taken to fix the identified vulnerabilities

To fix the unsafe deletion problem, the application should first not be allowed to save a copy of the photos from secret chats in a location that remains accessible to other parties even after the users have deleted them. The application should also limit access to this sensitive data and add firewalls so as to prevent SQL attacks. The vulnerable exported components should be fixed by setting android:exported="false" in the manifest file of the Android application (Chaim et al., 2017). This will prevent the export of components that contain confidential data. To prevent the compromise of the Android app through the backup file, the app should prevent files from being backed up by placing android:allowBackup="false" in the AndroidManifest.xml file (Amin et al., 2019). The breaking of the hashed data can be prevented by the use of stronger hashing algorithms.
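The weak random-number generation, weak hashing and debug-code leakage listed under "Vulnerabilities found", and the stronger hashing recommended above, can be contrasted in code. The following Java class is an added example written for this report; it is not code from the Dr Driving application, from Quixxi, or from any of the cited papers. The DEBUG constant stands in for Android's BuildConfig.DEBUG, and the PBKDF2 iteration count and salt length are assumed values chosen for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class HardeningDemo {

    // Stand-in for Android's BuildConfig.DEBUG (assumption): false in a release build.
    private static final boolean DEBUG = false;

    // Assumed work factor and salt size for PBKDF2; real apps tune these to their hardware.
    private static final int PBKDF2_ITERATIONS = 310_000;
    private static final int SALT_BYTES = 16;

    // WEAK ("before"): java.util.Random is a seeded linear congruential generator.
    // An observer who sees a few outputs can predict the rest, so it must not
    // produce session tokens, OTPs or cryptographic material.
    static String weakToken() {
        return Long.toHexString(new Random().nextLong());
    }

    // FIX: SecureRandom draws from the platform's cryptographically secure generator.
    static String strongToken() {
        byte[] buf = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // WEAK ("before"): a single unsalted MD5 of the password is fast to brute-force
    // and identical passwords produce identical digests.
    static String weakHash(String password) throws Exception {
        MessageDigest md = MessageDigest.getInstance("MD5");
        return Base64.getEncoder().encodeToString(
                md.digest(password.getBytes(StandardCharsets.UTF_8)));
    }

    // FIX: salted, iterated PBKDF2-HMAC-SHA256. The salt is stored alongside the
    // derived key in the form "<base64 salt>$<base64 key>" so it can be verified later.
    static String strongHash(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, 256);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] derived = factory.generateSecret(spec).getEncoded();
        spec.clearPassword();
        return Base64.getEncoder().encodeToString(salt) + "$"
                + Base64.getEncoder().encodeToString(derived);
    }

    // Recompute with the stored salt and compare in constant time.
    static boolean verify(char[] password, String stored) throws Exception {
        String[] parts = stored.split("\\$");
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        String recomputed = strongHash(password, salt);
        return MessageDigest.isEqual(
                recomputed.getBytes(StandardCharsets.UTF_8),
                stored.getBytes(StandardCharsets.UTF_8));
    }

    // Debug output is gated on the build type so a production build never emits it.
    static void debugLog(String message) {
        if (DEBUG) {
            System.out.println("DEBUG: " + message);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("weak token   : " + weakToken());
        System.out.println("strong token : " + strongToken());

        char[] password = "correct horse".toCharArray();   // constructed sample input
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        String stored = strongHash(password, salt);

        System.out.println("MD5 (weak)   : " + weakHash("correct horse"));
        System.out.println("PBKDF2       : " + stored);
        System.out.println("verify ok    : " + verify(password, stored));
        System.out.println("verify wrong : " + verify("wrong".toCharArray(), stored));

        // Would leak the password if DEBUG were true; silent in a release build.
        debugLog("password=" + new String(password));
    }
}
```

Compile and run with javac HardeningDemo.java && java HardeningDemo. The two "weak" methods are kept only to show the behaviour the scanner flags; the "FIX" methods are the replacements. The manifest changes recommended above (android:exported="false" and android:allowBackup="false") are separate from this class and go in AndroidManifest.xml.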

Conclusion

Most of the vulnerabilities and errors that occur during the production of a mobile application can have devastating effects. Hackers are well known to exploit these vulnerable functions of the application. A vulnerability can lead to the loss of confidential and other sensitive information. Through the bugs found in the application, a hacker can take advantage of the application and carry out malicious actions without raising any suspicion. The mobile application should be analyzed thoroughly, and all vulnerabilities identified and fixed, before it is deployed.

References
Amin, A., Eldessouki, A., Magdy, M. T., Abdeen, N., Hindy, H., & Hegazy, I. (2019). AndroShield: Automated Android applications vulnerability detection, a hybrid static and dynamic analysis approach. Information, 10(10), 326.

Chaim, M. L., & Oyetoyan, T. D. (2017). Technical Report PPgSI-003/2017: Selecting weaknesses for security assessment of Android applications.

Martin, B. (2019). Common Vulnerabilities Enumeration (CVE), Common Weakness Enumeration (CWE), and Common Quality Enumeration (CQE): Attempting to systematically catalog the safety and security challenges for modern, networked, software-intensive systems. ACM SIGAda Ada Letters, 38(2), 9-42. https://cwe.mitre.org/data/definitions/530.html

Owoh, N. P., & Singh, M. M. (2020). Security analysis of mobile crowd sensing applications. Applied Computing and Informatics. https://www.emerald.com/insight/content/doi/10.1016/j.aci.2018.10.002/full/html

Santos, J. C., Peruma, A., Mirakhorli, M., Galster, M., Vidal, J. V., & Sejfia, A. (2017, April). Understanding software vulnerabilities related to architectural security tactics: An empirical investigation of Chromium, PHP and Thunderbird. In 2017 IEEE International Conference on Software Architecture (ICSA) (pp. 69-78). IEEE.



Appendix: Screenshots
