Vulnerability Types - adisorbo/vulnerability_proneness GitHub Wiki
In the following Table, we report the vulnerability types considered in our study.
| Id | Vulnerability Type | Severity | Description | # of vulnerable apps |
|---|---|---|---|---|
| v1 | <SSL_Security> SSL Connection Checking | Critical | The app connects to URLs that are NOT under SSL | 938 |
| v2 | <WebView><Remote Code Execution><#CVE-2013-4710#> WebView RCE Vulnerability Checking | Critical | The app makes use of the addJavascriptInterface method. This method can be used to allow JavaScript to control the host application. | 692 |
| v3 | <Implicit_Intent> Implicit Service Checking | Critical | The app uses an implicit intent to start a service. This is a security hazard because one cannot be certain what service will respond to the intent, and the user cannot see which service starts. | 420 |
| v4 | App Sandbox Permission Checking | Critical | Creating world-readable or word-writeable files is very dangerous, and likely to cause security holes in applications. It is strongly discouraged: applications should use more formal mechanism for interactions. | 279 |
| v5 | <SSL_Security> SSL Certificate Verification Checking | Critical | The app does not check the validation of SSL Certificate. This allows self-signed, expired or mismatch CN certificates for SSL connection allowing attackers to perform MITM attacks. | 201 |
| v6 | <KeyStore><Hacker> KeyStore Protection Checking | Critical | The app uses KeyStore(s) not protected by password. | 200 |
| v7 | <Command> Runtime Command Checking | Critical | The app uses the critical function Runtime.getRuntime().exec("...").This could allow an attacker to inject arbitrary system commands into the application | 191 |
| v8 | <#BID 64208 CVE-2013-6271#> Fragment Vulnerability Checking | Critical | PreferenceActivity class is extended without overriding the isValidFragment method. This could expose the app to fragment injection when it is used on devices running a version of Android < 4.4 | 158 |
| v9 | AndroidManifest ContentProvider Exported Checking | Critical | The app uses exported ContentProvider, allowing any other app on the device to access it. | 156 |
| v10 | <SSL_Security> SSL Implementation Checking (Verifying Host Name in Custom Classes) | Critical | The app allows Self-defined HOSTNAME VERIFIER to accept all Common Names(CN). This allows attackers to do MITM attacks. | 148 |
| v11 | <SSL_Security> SSL Implementation Checking (Verifying Host Name in Fields) | Critical | The app does not check the validation of the CN(Common Name) of the SSL certificate, allowing attackers to perform MITM attacks | 114 |
| v12 | <Hacker> Base64 String Encryption | Critical | The app uses Base64 encoding String(s). The presence of Base64-encoded data may indicate security-sensitive information or functionality that is worthy of further investigation. The data should be reviewed to determine whether it contains any interesting information, or provides any additional entry points for malicious input. | 93 |
| v13 | <SSL_Security> SSL Implementation Checking (WebViewClient for WebView) | Critical | SSL errors are not properly handled in WebViewClient. This allows the connection even if the SSL Certificate is invalid (MITM Vulnerability). | 82 |
| v14 | AndroidManifest "intent-filter" Settings Checking | Critical | The app uses intent-filter without any specific action. | 31 |
| v15 | AndroidManifest Critical Use Permission Checking | Critical | The app has very high privileges. | 21 |
| v16 | <Command> Runtime Critical Command Checking | Critical | The app requests for root privileges: Runtime.getRuntime().exec("su") found. | 13 |
| v17 | AndroidManifest Dangerous ProtectionLevel of Permission Checking | Critical | The protection level of some classes is dangerous, allowing any other apps to access to the same permission. | 8 |
| v18 | Unnecessary Permission Checking | Critical | The app requires permissions that only work in emulator environment. | 8 |
| v19 | <SSL_Security> SSL Implementation Checking (Insecure component) | Critical | The app creates sockets using the insecure method getInsecure. Such sockets are vulnerable to man-in-the-middle attacks. | 8 |
| v20 | AndroidManifest System Use Permission Checking | Critical | The app requires system-only permissions | 6 |
| v21 | <SSL_Security><Hacker> Base64 String Encryption | Critical | The app uses Base64 for encoding HTTP URLs without SSL | 6 |
| v22 | <Debug> Android Debug Mode Checking | Critical | DEBUG mode is ON. This is very dangerous, as the attackers would be able to sniffer the debug messages. | 2 |
| v23 | Accessing the Internet Checking | Critical | The app has some internet accessing codes but does not require internet connection permission in AndroidManifest. | 2 |
| v24 | <Database> SQLiteDatabase Transaction Deprecated Checking | Critical | The app uses the beginTransactionNonExclusive method even if it declares a minSdk < 11. | 1 |
| v25 | <WebView> WebView Local File Access Attacks Checking | Warning | The app uses setAllowFileAccess(true) or not set(enabled by default) in WebView. The attackers could inject malicious script into WebView and exploit the opportunity to access local resources. | 910 |
| v26 | <WebView> WebView Potential XSS Attacks Checking | Warning | The app uses setJavaScriptEnabled(true) in WebView, which could expose the app to potential XSS attacks. | 895 |
| v27 | <Sensitive_Information> Getting ANDROID_ID | Warning | The app has code getting the 64-bit number Settings.Secure.ANDROID_ID. | 892 |
| v28 | External Storage Accessing | Warning | The app accesses to external storage | 848 |
| v29 | AndroidManifest Exported Components Checking | Warning | The app uses exported components(except for Launcher) for receiving outside applications' actions | 573 |
| v30 | Dynamic Code Loading | Warning | The app loads code dynamically | 515 |
| v31 | <Sensitive_Information> Getting IMEI and Device ID | Warning | The app has code for getting the device id(IMEI). | 328 |
| v32 | <SSL_Security> SSL Certificate Verification Checking | Warning | The app uses weak conditions to check the validation of SSL Certificate. If it's not properly checked, it may allow self-signed, expired or mismatch CN certificates for SSL connection. | 259 |
| v33 | AndroidManifest Normal ProtectionLevel of Permission Checking | Warning | The protection level of some classes is normal or default. This could allow malicious apps to register and receive messages for this app. | 33 |
| v34 | Codes for Sending SMS | Warning | The app has code for sending SMS messages (sendDataMessage, sendMultipartTextMessage or sendTextMessage) | 21 |
| v35 | AndroidManifest "intent-filter" Settings Checking | Warning | The app presents misconfigurations in intent-filter | 2 |
| v36 | File Unsafe Delete Checking | Notice | The app uses the method file.delete(). Deleted files may be recovered by any user or attacker. | 958 |
| v37 | <Database><#CVE-2011-3901#> Android SQLite Databases Vulnerability Checking | Notice | The app uses Android SQLite databases and can be installed on devices having Android version <= 4.0. Prior to Android 4.0.1 the journal file of SQLite databases can be read by all applications. Malicious applications can access to database information without the need for declaring adequate privileges. | 875 |
| v38 | <Signature><Hacker> Getting Signature Code Checking | Notice | The app has code checking the package signature in the code. It might be used by the attackers to check for whether the app is hacked. | 860 |
| v39 | AndroidManifest Adb Backup Checking | Notice | ADB Backup is ENABLED for the app (default: ENABLED). A malicious BackupAgent is able to inject additional applications (APKs) into the backup archive without the user's consent. Upon restoration of the backup archive, the system installs the injected, additional application | 769 |
| v40 | <Hacker> APK Installing Source Checking | Notice | The app has code checking APK installer sources (e.g. from Google Play, from Amazon, etc.). It might be used by attackers to check for whether the app is hacked. | 742 |
| v41 | AndroidManifest Exported Components Checking 2 | Notice | The app presents exported components for receiving Google's Android actions | 702 |
| v42 | <Debug><Hacker> Codes for Checking Android Debug Mode | Notice | The app has code for checking ApplicationInfo.FLAG_DEBUGGABLE. Debug mode can be exploited by attackers to help better understand how the app works. | 538 |
| v43 | <Command> Executing "root" or System Privilege Checking | Notice | The app may have code for checking for root permission, mounting filesystem operations or monitoring system. | 339 |
| v44 | Native Library Loading Checking | Notice | The app uses code for loading native libraries System.loadLibrary(…). This could be exploited by attackers through a crafted version of the library. | 332 |
| v45 | <KeyStore><Hacker> KeyStore Protection Information | Notice | The app uses Keystores protected by password and seems using SSL-pinning | 244 |
| v46 | HttpURLConnection Android Bug Checking | Notice | The app uses HttpURLConnection. Prior to Android 2.2 (Froyo), HttpURLConnection had some frustrating bugs. In particular, calling close() on a readable InputStream could poison the connection pool. | 74 |
| v47 | <KeyStore><Hacker> Possible KeyStore File Location | Notice | The app is likely to use a BKS keystore. If a BKS keystore is in use, keys are stored within a file that can be accessed by a privileged user. | 70 |
| v48 | <KeyStore><Hacker> KeyStore File Location | Notice | The app uses BKS keystore files. This could expose the app to security flaws. | 60 |
| v49 | <Hacker> Code Setting Preventing Screenshot Capturing | Notice | The app uses code for preventing from screenshot capturing. This indicates that the app is likely to manage highly sensitive information, and attackers can use this information to identify source code portions aimed at managing this information. | 44 |
| v50 | Google Cloud Messaging Suggestion | Notice | The app uses GCM with a minSdk <= 8. This could expose the app to security flaws. | 43 |
| v51 | <Database> Android SQLite Databases Encryption (SQLCipher) | Notice | The app uses SQLCipher to encrypt or decrpyt databases. This could expose the app to security flaws. | 12 |
| v52 | <Database> Android SQLite Databases Encryption (SQLite Encryption Extension (SEE)) | Notice | The app uses SQLite Encryption Extension (SEE) on Android to encrypt or decrpyt databases. This could expose the app to security flaws. | 3 |
| v53 | <Database><Hacker> Key for Android SQLite Databases Encryption | Notice | The app uses the symmetric key(PRAGMA key) to encrypt the SQLite databases and this could expose the app to security flaws | 1 |