When the filterTouchesWhenObscured attribute is set to false, the app will be subject to tapjacking attacks. Tapjacking is an attack where an adversary puts an invisible overlay over the app and requests permissions without the user knowing it.
<Button
android:id="@+id/buttonLogin"
android:layout_width="wrap_content"
android:layout_height="wrap_content"
android:layout_marginTop="20dp"
android:text="LOGIN"
app:layout_constraintBottom_toTopOf="@id/textViewRegister"
app:layout_constraintLeft_toLeftOf="parent"
app:layout_constraintRight_toRightOf="parent"
app:layout_constraintTop_toBottomOf="@id/textInputPasswordL"
android:filterTouchesWhenObscured="false"/> // vulnerable
MODE_PRIVATE: File creation mode: the default mode, where the created file can only be accessed by the calling application (or all applications sharing the same user ID).
MODE_WORLD_READABLE: File creation mode: allow all other applications to have read access to the created file.
MODE_WORLD_WRITEABLE: File creation mode: allow all other applications to have write access to the created file.
As of API 17, the MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE are deprecated:
This constant was deprecated in API level 17. Creating world-readable files is very dangerous, and likely to cause security holes in applications. It is strongly discouraged; instead, applications should use more formal mechanism for interactions such as ContentProvider, BroadcastReceiver, and Service. There are no guarantees that this access mode will remain on a file, such as when it goes through a backup and restore.
var prefs = context.getSharedPreferences(PREFS_KEY, Context.MODE_PRIVATE) // use this instead of MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE
prefs.edit().putString(IMAGE_KEY, base64pic).commit()
Caching response for offline usage can be a security threat even when the data is saved to cipher database.
Tracking a login event should exclude user name and definitely password, an attacker could obtain this information during the transfer to the analytics server or in the analytics server database.
private fun login() {
val email = textInputEmailL.editText!!.text.toString()
val password = textInputPasswordL.editText!!.text.toString()
loginViewModel!!.login(email, password, this).observe(this,
Observer { loginResponse ->
when (loginResponse.status) {
Status.LOADING -> showLoading()
Status.SUCCESS -> {
onSuccesLogin(loginResponse.data!!.user)
trackEvent("login succesful", email + password) // dont track or track but remove sensitive info
}
Status.ERROR -> showError(loginResponse.message.orEmpty())
}
})
}
By printing network calls requests and responses the app is extremely vulnerable, exposing sensitive information not only from the app but also from the backend
fun makeUserService(deviceID: String, context: Context): UserService {
var okHttpClient = createSSLPinningOkHttp(context)
okHttpClient.authenticator(TokenAuthenticator(deviceID, context))
val interceptor = HttpLoggingInterceptor() // this is the vulnerability
interceptor.level = HttpLoggingInterceptor.Level.BODY // this is the vulnerability
okHttpClient.addInterceptor(interceptor) // this is the vulnerability
return Retrofit.Builder()
.baseUrl(BASE_URL)
.client(okHttpClient.build())
.addConverterFactory(MoshiConverterFactory.create())
.build()
.create(UserService::class.java)
}