
CLEARTEXT SQLITE DATABASE [M2] [CWE-312] [DAST] - High Vulnerability Report

Open dilip90 opened this issue 2 years ago • 0 comments

Description: The mobile application uses an unencrypted SQLite database. This database can be accessed by an attacker with physical access to the mobile device or a malicious application with root access to the device. The application should not store sensitive information in clear text.

Details:

In file com.google.android.datatransport.events:

TABLES: android_metadata events event_metadata transport_contexts events_backend_id contexts_backend_priority_extras event_payloads sqlite_autoindex_event_payloads_1

RAW DUMP:

```sql
CREATE TABLE android_metadata (locale TEXT);
CREATE TABLE events (_id INTEGER PRIMARY KEY, context_id INTEGER NOT NULL, transport_name TEXT NOT NULL, timestamp_ms INTEGER NOT NULL, uptime_ms INTEGER NOT NULL, payload BLOB NOT NULL, code INTEGER, num_attempts INTEGER NOT NULL, payload_encoding TEXT, inline BOOLEAN NOT NULL DEFAULT 1,FOREIGN KEY (context_id) REFERENCES transport_contexts(_id) ON DELETE CASCADE);
CREATE TABLE event_metadata (_id INTEGER PRIMARY KEY, event_id INTEGER NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL,FOREIGN KEY (event_id) REFERENCES events(_id) ON DELETE CASCADE);
CREATE TABLE transport_contexts (_id INTEGER PRIMARY KEY, backend_name TEXT NOT NULL, priority INTEGER NOT NULL, next_request_ms INTEGER NOT NULL, extras BLOB);
CREATE INDEX events_backend_id on events(context_id);
CREATE UNIQUE INDEX contexts_backend_priority_extras on transport_contexts(backend_name, priority, extras);
CREATE TABLE event_payloads (sequence_num INTEGER NOT NULL, event_id INTEGER NOT NULL, bytes BLOB NOT NULL,FOREIGN KEY (event_id) REFERENCES events(_id) ON DELETE CASCADE,PRIMARY KEY (sequence_num, event_id));
```

In file com.amplitude.api:

TABLES: android_metadata store sqlite_autoindex_store_1 long_store sqlite_autoindex_long_store_1 events sqlite_sequence identifys

RAW DUMP:

```sql
CREATE TABLE android_metadata (locale TEXT);
CREATE TABLE store (key TEXT PRIMARY KEY NOT NULL, value TEXT);
CREATE TABLE long_store (key TEXT PRIMARY KEY NOT NULL, value INTEGER);
CREATE TABLE events (id INTEGER PRIMARY KEY AUTOINCREMENT, event TEXT);
CREATE TABLE sqlite_sequence(name,seq);
CREATE TABLE identifys (id INTEGER PRIMARY KEY AUTOINCREMENT, event TEXT);
```

In file RKStorage:

TABLES: android_metadata catalystLocalStorage sqlite_autoindex_catalystLocalStorage_1

RAW DUMP:

```sql
CREATE TABLE android_metadata (locale TEXT);
CREATE TABLE catalystLocalStorage (key TEXT PRIMARY KEY, value TEXT NOT NULL);
```

In file Cookies:

TABLES: meta sqlite_autoindex_meta_1 cookies sqlite_autoindex_cookies_1

RAW DUMP:

```sql
CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR);
CREATE TABLE cookies (creation_utc INTEGER NOT NULL,host_key TEXT NOT NULL,name TEXT NOT NULL,value TEXT NOT NULL,path TEXT NOT NULL,expires_utc INTEGER NOT NULL,is_secure INTEGER NOT NULL,is_httponly INTEGER NOT NULL,last_access_utc INTEGER NOT NULL, has_expires INTEGER NOT NULL DEFAULT 1, is_persistent INTEGER NOT NULL DEFAULT 1,priority INTEGER NOT NULL DEFAULT 1,encrypted_value BLOB DEFAULT '',firstpartyonly INTEGER NOT NULL DEFAULT 0,UNIQUE (host_key, name, path));
```

CVSSv3 Base Score: 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

EXTERNAL DATA STORAGE [M2] [CWE-921] [SAST] -- Medium

Description: The mobile application can access external storage (e.g. SD card) in read or write mode. The application's data stored on the external data storage may be accessed by other applications (including malicious ones) under certain conditions and bring risks of data corruption or tampering.

Example of insecure code:

```java
/* Checks if external storage is available for read and write */
public boolean isExternalStorageWritable() {
    String state = Environment.getExternalStorageState();
    if (Environment.MEDIA_MOUNTED.equals(state)) {
        return true;
    }
    return false;
}

/* Checks if external storage is available to at least read */
public boolean isExternalStorageReadable() {
    String state = Environment.getExternalStorageState();
    if (Environment.MEDIA_MOUNTED.equals(state) ||
            Environment.MEDIA_MOUNTED_READ_ONLY.equals(state)) {
        return true;
    }
    return false;
}
```

Example of secure code:

```java
// If you use external storage you should perform input validation.
// In the case that you use external storage for executables files,
// these files should be signed and cryptographically verified.
```

Details:

There is 'getExternalFilesDir()' found in file 'io/invertase/firebase/utils/ReactNativeFirebaseUtilsModule.java':

```
[line 116: hashMap.put(KEY_CACHE_DIRECTORY, reactApplicationContext.getCacheDir().getAbsolutePath());]
[line 117: File externalFilesDir = reactApplicationContext.getExternalFilesDir(null);]
[line 118: int i = VERSION.SDK_INT;]
```

There is 'getExternalFilesDir()' found in file 'a/f/e/b.java':

```
[line 105: }]
[line 106: return new File[]{context.getExternalFilesDir(str)};]
[line 107: }]
```

There is 'getExternalFilesDir()' found in file 'com/rnfs/RNFSManager.java':

```
[line 703: }]
[line 704: externalStorageDirectory = getReactApplicationContext().getExternalFilesDir(null);]
[line 705: str = RNFSExternalDirectoryPath;]
```

dilip90, Aug 05 '22 07:08