CLEARTEXT SQLITE DATABASE [M2] [CWE-312] [DAST] - High Vulnerability Report #134

Open
dilip90 opened this issue Aug 5, 2022 · 0 comments

dilip90 commented Aug 5, 2022

Description:
The mobile application uses an unencrypted SQLite database.
This database can be accessed by an attacker with physical access to the mobile device or a malicious application with
root access to the device. The application should not store sensitive information in clear text.
Details:
In file com.google.android.datatransport.events:
TABLES:
android_metadata
events
event_metadata
transport_contexts
events_backend_id
contexts_backend_priority_extras
event_payloads
sqlite_autoindex_event_payloads_1
RAW DUMP:
CREATE TABLE android_metadata (locale TEXT);
CREATE TABLE events (_id INTEGER PRIMARY KEY, context_id INTEGER NOT NULL, transport_name TEXT NOT NULL, timestamp_ms INTEGER NOT NULL, uptime_ms INTEGER NOT NULL, payload BLOB NOT NULL, code INTEGER, num_attempts INTEGER NOT NULL, payload_encoding TEXT, inline BOOLEAN NOT NULL DEFAULT 1,FOREIGN KEY (context_id) REFERENCES transport_contexts(_id) ON DELETE CASCADE);
CREATE TABLE event_metadata (_id INTEGER PRIMARY KEY, event_id INTEGER NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL,FOREIGN KEY (event_id) REFERENCES events(_id) ON DELETE CASCADE);
CREATE TABLE transport_contexts (_id INTEGER PRIMARY KEY, backend_name TEXT NOT NULL, priority INTEGER NOT NULL, next_request_ms INTEGER NOT NULL, extras BLOB);
CREATE INDEX events_backend_id on events(context_id);
CREATE UNIQUE INDEX contexts_backend_priority_extras on transport_contexts(backend_name, priority, extras);
CREATE TABLE event_payloads (sequence_num INTEGER NOT NULL, event_id INTEGER NOT NULL, bytes BLOB NOT NULL,FOREIGN KEY (event_id) REFERENCES events(_id) ON DELETE CASCADE,PRIMARY KEY (sequence_num, event_id));
In file com.amplitude.api:

TABLES:
android_metadata
store
sqlite_autoindex_store_1
long_store
sqlite_autoindex_long_store_1
events
sqlite_sequence
identifys
RAW DUMP:
CREATE TABLE android_metadata (locale TEXT);
CREATE TABLE store (key TEXT PRIMARY KEY NOT NULL, value TEXT);
CREATE TABLE long_store (key TEXT PRIMARY KEY NOT NULL, value INTEGER);
CREATE TABLE events (id INTEGER PRIMARY KEY AUTOINCREMENT, event TEXT);
CREATE TABLE sqlite_sequence(name,seq);
CREATE TABLE identifys (id INTEGER PRIMARY KEY AUTOINCREMENT, event TEXT);
In file RKStorage:
TABLES:
android_metadata
catalystLocalStorage
sqlite_autoindex_catalystLocalStorage_1
RAW DUMP:
CREATE TABLE android_metadata (locale TEXT);
CREATE TABLE catalystLocalStorage (key TEXT PRIMARY KEY, value TEXT NOT NULL);
In file Cookies:
TABLES:
meta
sqlite_autoindex_meta_1
cookies
sqlite_autoindex_cookies_1
RAW DUMP:
CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR);
CREATE TABLE cookies (creation_utc INTEGER NOT NULL,host_key TEXT NOT NULL,name TEXT NOT NULL,value TEXT NOT NULL,path TEXT NOT NULL,expires_utc INTEGER NOT NULL,is_secure INTEGER NOT NULL,is_httponly INTEGER NOT NULL,last_access_utc INTEGER NOT NULL, has_expires INTEGER NOT NULL DEFAULT 1, is_persistent INTEGER NOT NULL DEFAULT 1,priority INTEGER NOT NULL DEFAULT 1,encrypted_value BLOB DEFAULT '',firstpartyonly INTEGER NOT NULL DEFAULT 0,UNIQUE (host_key, name, path));
CVSSv3 Base Score:
7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

EXTERNAL DATA STORAGE [M2] [CWE-921] [SAST] -- Medium

Description:
The mobile application can access external storage (e.g. SD card) in read or write mode. The application's data stored on
the external data storage may be accessed by other applications (including malicious ones) under certain conditions and
bring risks of data corruption or tampering.

Example of insecure code:

/* Checks if external storage is available for read and write */
public boolean isExternalStorageWritable() {
    String state = Environment.getExternalStorageState();
    if (Environment.MEDIA_MOUNTED.equals(state)) {
        return true;
    }
    return false;
}

/* Checks if external storage is available to at least read */
public boolean isExternalStorageReadable() {
    String state = Environment.getExternalStorageState();
    if (Environment.MEDIA_MOUNTED.equals(state) ||
            Environment.MEDIA_MOUNTED_READ_ONLY.equals(state)) {
        return true;
    }
    return false;
}
Example of secure code:
// If you use external storage you should perform input validation.
// In the case that you use external storage for executables files,
// these files should be signed and cryptographically verified.
Details:
There is 'getExternalFilesDir()' found in file 'io/invertase/firebase/utils/ReactNativeFirebaseUtilsModule.java':
[line 116: hashMap.put(KEY_CACHE_DIRECTORY, reactApplicationContext.getCacheDir().getAbsolutePath());]
[line 117: File externalFilesDir = reactApplicationContext.getExternalFilesDir(null);]
[line 118: int i = VERSION.SDK_INT;]
There is 'getExternalFilesDir()' found in file 'a/f/e/b.java':
[line 105: }]
[line 106: return new File[]{context.getExternalFilesDir(str)};]
[line 107: }]
There is 'getExternalFilesDir()' found in file 'com/rnfs/RNFSManager.java':
[line 703: }]
[line 704: externalStorageDirectory = getReactApplicationContext().getExternalFilesDir(null);]
[line 705: str = RNFSExternalDirectoryPath;]
