URL: https://vulners.com/hackapp/HACKAPP:COM.DIB.APP.APK
DIB MOBILE - CUSTOMIZED SSL, DANGEROUS FILESYSTEM PERMISSIONS, REDEFINED SSL
COMMON NAMES VERIFIER VULNERABILITIES

Published: 2016-12-28 13:53:58
Source: Hackapp.org (hackapp.com)

The HackApp vulnerability scanner found that the application DIB MOBILE,
published on the Google Play store, has multiple vulnerabilities.

NAME: DIB MOBILE
VENDOR: Dubai Islamic Bank
LINK: COM.DIB.APP.APK
STORE: play
VERSION: 3.0.10

 * CRITICAL
   Redefined SSL Common Names verifier
   
   This app uses a self-defined certificate verifier. If it is not properly
   configured, it lets an attacker on the network path perform a MITM attack
   with a certificate they control, without the user noticing.
   
   Customized SSL
   
   Check the certificate validation. Do not create or redefine the X.509
   certificate-checking methods (X509TrustManager, HostnameVerifier) yourself
   unless you understand the risks. Use the existing platform API.
   
   Dangerous filesystem permissions
   
   Files created with the flagged methods could be readable by every other
   app on the device.
   
   WebView code execution
   
   WebView 'addJavascriptInterface' exposes a Java object to the JavaScript
   of every page the WebView loads. If the exposed methods are not restricted,
   an attacker who controls a loaded page can call them and reach Remote Code
   Execution (RCE) inside the app.

 * MEDIUM
   WebView JavaScript enabled
   
   WebView 'setJavaScriptEnabled(true)' lets loaded pages run script, so a
   cross-site scripting flaw in any page the WebView loads becomes
   exploitable inside the app.
   
   SD-card access
   
   SD cards and other external storage are world-readable: any app holding
   the external-storage permission can read files written there.
   
   WebView files access
   
   If an attacker controls the WebView's content, file:// access lets that
   content read local files, including the app's own private data.
   
   Runtime command execution
   
   'Runtime.getRuntime().exec()' is used; check where its arguments come
   from.
   
   Dynamic Code Loading
   
   Code loaded with 'DexClassLoader' can be tampered with if it is read from
   a location another app or a network attacker can write to.

 * NOTICE
   Unsafe deleting
   
   Items deleted with 'file.delete()' can be recovered: the name is unlinked,
   but the data stays on the storage until it is overwritten.
   
   External URLs
   
   The app references external URLs. Where do they point?
   
   Possible privilege escalation
   
   This app looks for root tools on the device.
   
   Suspicious files
   
   Are you sure these files should be here?
   
   Native code usage
   
   Native code (.so libraries) is loaded with 'System.loadLibrary()'.
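
The two SSL findings above ("Redefined SSL Common Names verifier" and "Customized SSL") share one root cause: the app supplies its own hostname or certificate verifier instead of relying on the platform's. The following is an added example, not code from the DIB Mobile app or from HackApp. It shows the verifier pattern a scanner flags beside a hardened replacement that keeps the platform's PKIX chain validation and hostname check and adds public-key pinning on top. It is plain JDK code (javax.net.ssl), so it applies to Android as well; the class name `TlsVerification` and the pin value are placeholders.

```java
// Added example (not from HackApp or the DIB Mobile app). Plain JDK; the pin
// value is a placeholder to be replaced with the real server key's hash.
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TlsVerification {

    // VULNERABLE ("Redefined SSL Common Names verifier"): the hostname check is
    // replaced with one that accepts any name, so a certificate issued for
    // attacker.example is accepted for the bank's host.
    static final HostnameVerifier ACCEPT_ANY_HOST = new HostnameVerifier() {
        @Override public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    };

    // VULNERABLE ("Customized SSL"): a self-written X509TrustManager with empty
    // check methods skips chain validation (trusted root, signature, expiry).
    // Together with ACCEPT_ANY_HOST, any on-path attacker can terminate TLS.
    static final X509TrustManager TRUST_EVERYTHING = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] c, String a) { }
        @Override public void checkServerTrusted(X509Certificate[] c, String a) { }
        @Override public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    };

    // HARDENED: base64(SHA-256(SubjectPublicKeyInfo)) of the keys the app expects
    // to see in the server's chain. Placeholder value (assumption).
    static final Set<String> PINNED_SPKI_SHA256 = new HashSet<>(
            Arrays.asList("REPLACE_WITH_BASE64_SHA256_OF_SPKI="));

    // The platform's default trust manager: what the app should have used.
    static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the system trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    static String spkiSha256(X509Certificate cert) throws Exception {
        byte[] spki = cert.getPublicKey().getEncoded(); // DER SubjectPublicKeyInfo
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return Base64.getEncoder().encodeToString(digest);
    }

    // Wraps the platform manager: normal PKIX validation runs first, then at
    // least one certificate in the presented chain must carry a pinned key.
    static X509TrustManager pinningTrustManager(final X509TrustManager platform) {
        return new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                platform.checkClientTrusted(chain, authType);
            }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                platform.checkServerTrusted(chain, authType);
                try {
                    for (X509Certificate cert : chain) {
                        if (PINNED_SPKI_SHA256.contains(spkiSha256(cert))) return;
                    }
                } catch (Exception e) {
                    throw new CertificateException("pin computation failed", e);
                }
                throw new CertificateException("no certificate in chain matches a pinned key");
            }
            @Override public X509Certificate[] getAcceptedIssuers() {
                return platform.getAcceptedIssuers();
            }
        };
    }

    static HttpsURLConnection hardenedConnection(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { pinningTrustManager(platformTrustManager()) }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Keep the default verifier; never install ACCEPT_ANY_HOST.
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        return conn;
    }
}
```

The order inside `checkServerTrusted` matters: the platform check runs first so that pinning can only narrow, never widen, what is accepted. Pin at least one backup key so a routine certificate rotation does not lock users out.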
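
The three WebView findings above ("WebView code execution", "WebView JavaScript enabled", "WebView files access") describe one configuration. The following is an added example, not code from the DIB Mobile app, that shows that configuration beside a hardened one. It requires the Android SDK; the bridge name `Native`, the class `NativeBridge` and the `allowedHost` parameter are assumptions.

```java
// Added example (not from the DIB Mobile app). Requires the Android SDK; the
// bridge name "Native" and the allowed host are assumptions.
import android.content.Context;
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public final class WebViewHardening {

    // VULNERABLE: the combination behind the three WebView findings. With
    // JavaScript on, file:// access on, and a bridge object exposed to every
    // page the view ever loads, any page an attacker can get into the WebView
    // (MITM, open redirect, injected script) can call the bridge. Below API 17
    // every public method of `bridge` is reachable, including getClass(), which
    // leads to java.lang.Runtime via reflection: code execution in the app.
    static void configureVulnerable(WebView webView, Object bridge) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(true);
        s.setAllowFileAccessFromFileURLs(true);
        s.setAllowUniversalAccessFromFileURLs(true);
        webView.addJavascriptInterface(bridge, "Native");
    }

    // HARDENED bridge: only @JavascriptInterface methods are callable from
    // JavaScript (API 17+), and none of them takes a command, path or class
    // name from the page.
    public static final class NativeBridge {
        private final Context context;
        NativeBridge(Context context) { this.context = context; }

        @JavascriptInterface
        public String appVersion() {
            try {
                return context.getPackageManager()
                        .getPackageInfo(context.getPackageName(), 0).versionName;
            } catch (Exception e) {
                return "unknown";
            }
        }
    }

    static void configureHardened(WebView webView, Context context, final String allowedHost) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);            // only because the bridge needs it
        s.setAllowFileAccess(false);             // no file:// loads
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setAllowContentAccess(false);          // no content:// loads either

        // Only expose a bridge where @JavascriptInterface is enforced.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new NativeBridge(context), "Native");
        }

        // Refuse navigation to anything but https on the expected host, so a
        // redirect cannot bring attacker JavaScript into the view holding the bridge.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowed(request.getUrl(), allowedHost); // true = block
            }
            @Override
            @SuppressWarnings("deprecation")
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowed(Uri.parse(url), allowedHost);
            }
        });
    }

    static boolean isAllowed(Uri uri, String allowedHost) {
        return uri != null
                && "https".equals(uri.getScheme())
                && allowedHost.equalsIgnoreCase(uri.getHost());
    }
}
```

`shouldOverrideUrlLoading` only governs top-level navigations; scripts and iframes pulled in by an allowed page are not filtered by it, so the pages served to the WebView still need a Content-Security-Policy, and the TLS hardening from the SSL findings is what keeps an on-path attacker from injecting into them in the first place.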
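
The storage findings above ("Dangerous filesystem permissions", "SD-card access" and "Unsafe deleting") concern where the app writes files and how it removes them. The following is an added example, not code from the DIB Mobile app, that shows the flagged write patterns beside private-storage equivalents and an overwrite-before-delete routine. It requires the Android SDK; the class name `StorageHardening` and the file names passed in are assumptions.

```java
// Added example (not from the DIB Mobile app). Requires the Android SDK; file
// names and contents are supplied by the caller for illustration.
import android.content.Context;
import android.os.Environment;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.RandomAccessFile;
import java.security.SecureRandom;

public final class StorageHardening {

    // VULNERABLE ("Dangerous filesystem permissions"): MODE_WORLD_READABLE adds the
    // other-read bit, so every app on the device can open the file. (Removed in
    // API 24, where it throws SecurityException; older targets still get it.)
    @SuppressWarnings("deprecation")
    static void writeWorldReadable(Context ctx, String name, byte[] data) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_WORLD_READABLE)) {
            out.write(data);
        }
    }

    // VULNERABLE ("SD-card access"): the shared external storage root has no
    // per-app isolation; anything with the external-storage permission reads it.
    @SuppressWarnings("deprecation")
    static File writeToSharedExternal(String name, byte[] data) throws IOException {
        File f = new File(Environment.getExternalStorageDirectory(), name);
        try (FileOutputStream out = new FileOutputStream(f)) {
            out.write(data);
        }
        return f;
    }

    // HARDENED: MODE_PRIVATE keeps the file under the app's private data
    // directory, owned by the app's uid and unreadable to other uids. The
    // setReadable/setWritable calls strip stray "others" bits if the file
    // pre-existed with looser permissions.
    static File writePrivate(Context ctx, String name, byte[] data) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            out.write(data);
        }
        File f = ctx.getFileStreamPath(name);
        f.setReadable(false, false);
        f.setReadable(true, true);
        f.setWritable(false, false);
        f.setWritable(true, true);
        return f;
    }

    // If a file genuinely belongs on external storage (large, meant to be shared),
    // use the app-specific directory and never put secrets or session data there.
    static File externalAppDir(Context ctx) {
        return ctx.getExternalFilesDir(null);
    }

    // "Unsafe deleting": File.delete() unlinks the name; the data blocks stay until
    // reused. Overwriting before unlinking makes recovery harder (not impossible on
    // wear-levelled flash); the real fix is not to store secrets in cleartext.
    static boolean wipeAndDelete(File f) throws IOException {
        if (!f.isFile()) return false;
        SecureRandom rng = new SecureRandom();
        byte[] noise = new byte[4096];
        try (RandomAccessFile raf = new RandomAccessFile(f, "rws")) {
            long remaining = raf.length();
            raf.seek(0);
            while (remaining > 0) {
                rng.nextBytes(noise);
                int n = (int) Math.min(noise.length, remaining);
                raf.write(noise, 0, n);
                remaining -= n;
            }
            raf.getFD().sync();
        }
        return f.delete();
    }
}
```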
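
The "Runtime command execution" and "Dynamic Code Loading" findings above both come down to trusting input the app does not control: a string that ends up in a shell command, and a dex file read from a location someone else can write. The following is an added example, not code from the DIB Mobile app, showing the flagged pattern for each beside a hardened version. It requires the Android SDK; the class name, the allowlist, the `plugin.dex` file name and the expected hash are placeholders.

```java
// Added example (not from the DIB Mobile app). Requires the Android SDK; the
// expected dex hash, file names and allowlist are placeholders/assumptions.
import android.content.Context;
import dalvik.system.DexClassLoader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.List;

public final class DynamicCodeHardening {

    // VULNERABLE ("Runtime command execution"): a command line assembled from a
    // variable and handed to a shell. If `name` ever comes from a server
    // response or an Intent extra, a value like "x; rm -rf <app data dir>"
    // runs with the app's uid.
    static Process listVulnerable(String name) throws IOException {
        return Runtime.getRuntime().exec(new String[] { "sh", "-c", "ls -l " + name });
    }

    // HARDENED: no shell, fixed program, arguments passed as a vector, and the
    // variable checked against an allowlist first. (Where a Java API exists,
    // e.g. File.listFiles(), prefer it over exec() altogether.)
    static final List<String> ALLOWED_DIRS = Arrays.asList("cache", "files");

    static Process listHardened(Context ctx, String dir) throws IOException {
        if (!ALLOWED_DIRS.contains(dir)) {
            throw new IllegalArgumentException("directory not allowed: " + dir);
        }
        File target = new File(ctx.getFilesDir().getParentFile(), dir);
        return new ProcessBuilder("ls", "-l", target.getAbsolutePath()).start();
    }

    // "Dynamic Code Loading": a dex loaded from a location another party can write
    // to (SD card, a download directory, a world-writable cache) can be swapped for
    // attacker code. Copy it into app-private storage, verify its hash against a
    // value compiled into the app, then load only that verified copy.
    static final String EXPECTED_DEX_SHA256 = "0000000000000000placeholder"; // assumption

    static String sha256Hex(File f) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (FileInputStream in = new FileInputStream(f)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) md.update(buf, 0, n);
        }
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest()) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    static void copy(File src, File dst) throws IOException {
        try (FileInputStream in = new FileInputStream(src);
             FileOutputStream out = new FileOutputStream(dst)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) out.write(buf, 0, n);
        }
    }

    static Class<?> loadVerified(Context ctx, File untrustedDex, String className) throws Exception {
        File codeCache = ctx.getCodeCacheDir();           // app-private, API 21+
        File verified = new File(codeCache, "plugin.dex");
        copy(untrustedDex, verified);                      // hash and load the same file (no TOCTOU)
        if (!EXPECTED_DEX_SHA256.equalsIgnoreCase(sha256Hex(verified))) {
            verified.delete();
            throw new SecurityException("dex hash mismatch; refusing to load");
        }
        DexClassLoader loader = new DexClassLoader(verified.getAbsolutePath(),
                codeCache.getAbsolutePath(), null, ctx.getClassLoader());
        return loader.loadClass(className);
    }
}
```

The copy-then-hash step is deliberate: hashing the file where it sits and then loading it from the same writable location leaves a window in which it can be replaced between the check and the load.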

Software

CPE name: dib mobile
Operator: le (version less than or equal to)
Version: 3.0.10


REFERENCES

play.google.com/store/apps/details?id=com.dib.app&hl=en
