
Mobile Application Report

This report includes important security information about your mobile application.

Created by:

IBM AppScan Mobile Analyzer, Version 1.0.1119, Rules: 1.0.1119

Scan name:

TeamViewer for Remote Control APK v10.0.2938

Scan file name:

TeamViewer for Remote Control APK v10.0.2938 .apk

Application Version: 2938


Scan started:

3/27/2015 4:38:15 AM

Operating system:

Android

Summary of security issues


Medium severity issues: 1
Low severity issues: 1
Total security issues: 2

Table of Contents
Executive Summary
Issue Types
Fix Recommendations
Security Risks
OWASP Top 10

Issues
Insecure File Permission ( 1 )
Backup Flag Enabled ( 1 )

Fix Recommendations
Do not create files with insecure permissions.
Set the 'android:allowBackup' attribute to false.

Coverage
Issue Types
Activities

3/27/2015

Executive Summary
Issue Types: 2
Number of issues by severity:
Insecure File Permission: 1 (Medium)
Backup Flag Enabled: 1 (Low)

Fix Recommendations: 2
Number of issues by severity:
Do not create files with insecure permissions. (1 issue, Medium)
Set the 'android:allowBackup' attribute to false. (1 issue, Low)

Security Risks: 2
Number of issues by severity:
An attacker (by the use of a malicious app) may: 1. subvert the confidentiality of the vulnerable app by reading the created file, which may contain sensitive information; 2. subvert the integrity of the vulnerable app by writing arbitrary data to the file. (1 issue, Medium)
A malicious attacker can subvert the integrity and confidentiality of the vulnerable application by conducting ADB backup or ADB restore operations. (1 issue, Low)


OWASP Top 10
Number of issues per category:
M1: Weak Server Side Controls: 0
M2: Insecure Data Storage: 1 (Insecure File Permission)
M3: Insufficient Transport Layer Protection: 0
M4: Unintended Data Leakage: 0
M5: Poor Authorization and Authentication: 0
M6: Broken Cryptography: 0
M7: Client Side Injection: 0
M8: Security Decisions Via Untrusted Inputs: 1 (Backup Flag Enabled)
M9: Improper Session Handling: 0
M10: Lack of Binary Protections: 0


Issues

Insecure File Permission

Issue 1 of 1



Severity:

Medium

Synopsis: Android apps are separated from each other by sandboxing. The sandbox is implemented by multiple
facilities, one of which is running each package under a different Linux user ID (UID), which means that files
created by one app cannot be accessed by another unless this is explicitly allowed. This test detects whether files
are created with world-readable or world-writable rights, which allows a malicious app to subvert the confidentiality
and/or integrity of the vulnerable app.
Risk:

An attacker (by the use of a malicious app) may: 1. subvert the confidentiality of the vulnerable app by
reading the created file, which may contain sensitive information; 2. subvert the integrity of the vulnerable app
by writing arbitrary data to the file.

Causes:

The vulnerable app creates a file with permissive rights.

X-Force:

93409

OWASP:

M2

Fix:

Do not create files with insecure permissions.

Payload
Intent Package: com.teamviewer.teamviewer.market.mobile
Intent Class: com.teamviewer.remotecontrollib.gui.optionsactivities.ShowConnectionLogActivity

Method Signature:
android.os.FileUtils.setPermissions(java.lang.String, int, int, int):int


Issue Validation Parameters:

Name | Value
path | /data/data/com.teamviewer.teamviewer.market.mobile/files/connection.txt
mode | 436 (decimal; octal 0664, i.e. owner read/write, group read/write, world-readable)

Call Stack:
Function | Class | Line
android.os.FileUtils.setPermissions(java.lang.String, int, int, int):int | FileUtils | (android\os\FileUtils.java:90)
[Framework Code, 2 lines removed]
...
android.content.ContextWrapper.openFileOutput(java.lang.String, int):java.io.FileOutputStream | ContextWrapper | (android\content\ContextWrapper.java:185)
(...)

Backup Flag Enabled

Issue 1 of 1



Severity:

Low

Synopsis: The 'android:allowBackup' flag in the APK manifest file controls whether the app can be involved in ADB
backup and restore operations. Enabling this flag is dangerous, as a malicious attacker will be able to access
application data using the ADB backup mechanism or by extracting it from a previously created backup file.
Risk:

A malicious attacker can subvert the integrity and confidentiality of the vulnerable application by conducting
ADB backup or ADB restore operations.

Causes:

The app's APK sets the allowBackup flag to 'true' or does not set it at all (the default value of this setting is true).

X-Force:

None

OWASP:

M8

Fix:

Set the 'android:allowBackup' attribute to false.

Manifest:
XML:
<?xml version="1.0" encoding="utf-8"?>
<manifest
xmlns:android="http://schemas.android.com/apk/res/android"
android:versionCode="2938"
android:versionName="10.0.2938"
android:installLocation="0"
package="com.teamviewer.teamviewer.market.mobile"
>
<uses-sdk
android:minSdkVersion="14"
android:targetSdkVersion="18"
>
</uses-sdk>
<uses-feature
android:name="android.hardware.touchscreen.multitouch"
android:required="true"
>
</uses-feature>
<uses-feature
android:glEsVersion="0x00020000"
android:required="true"
>
</uses-feature>
<uses-permission
android:name="android.permission.INTERNET"
>
</uses-permission>
<uses-permission
android:name="android.permission.WAKE_LOCK"
>
</uses-permission>
<uses-permission
android:name="android.permission.ACCESS_NETWORK_STATE"
>
</uses-permission>
<uses-permission
android:name="android.permission.ACCESS_WIFI_STATE"
>
</uses-permission>
<uses-permission
android:name="android.permission.READ_PHONE_STATE"
>
</uses-permission>
<uses-permission
android:name="android.permission.WRITE_EXTERNAL_STORAGE"
>
</uses-permission>
<uses-permission
android:name="android.permission.READ_EXTERNAL_STORAGE"
>
</uses-permission>
<application
android:label="@7F0D00A2"
android:icon="@7F020058"
android:name="com.teamviewer.commonresourcelib.application.TVApplication"
android:hardwareAccelerated="true"
android:largeHeap="true"
>
<activity
android:theme="@7F0E000B"
android:name="com.teamviewer.remotecontrollib.activity.MainActivity"
android:launchMode="1"
android:configChanges="0x00000020"
android:windowSoftInputMode="0x00000022"
>
<intent-filter
>
<action
android:name="android.intent.action.MAIN"
>
</action>
<category
android:name="android.intent.category.LAUNCHER"
>
</category>
</intent-filter>
</activity>
<activity
android:theme="@android:01030010"
android:name="com.teamviewer.remotecontrollib.activity.ConnectInterfaceActivity"
android:launchMode="0"
>
<intent-filter
>
<action
android:name="android.intent.action.VIEW"
>
</action>
<data
android:scheme="teamviewer8"
android:host="remotecontrol"
>
</data>
<category
android:name="android.intent.category.BROWSABLE"
>
</category>
<category
android:name="android.intent.category.DEFAULT"
>
</category>
</intent-filter>
<intent-filter
>
<action
android:name="android.intent.action.VIEW"
>
</action>
<data
android:scheme="tvcontrol1"
android:host="control"

3/27/2015

>
</data>
<category
android:name="android.intent.category.BROWSABLE"
>
</category>
<category
android:name="android.intent.category.DEFAULT"
>
</category>
</intent-filter>
<intent-filter
>
<action
android:name="android.intent.action.VIEW"
>
</action>
<category
android:name="android.intent.category.DEFAULT"
>
</category>
<category
android:name="android.intent.category.BROWSABLE"
>
</category>
<data
android:scheme="file"
>
</data>
<data
android:mimeType="*/*"
>
</data>
<data
android:pathPattern=".*\.tvc"
>
</data>
<data
android:host="*"
>
</data>
</intent-filter>
</activity>
<activity
android:theme="@7F0E000B"
android:name="o.
"
android:launchMode="1"
android:configChanges="0x000004F0"
android:windowSoftInputMode="0x00000012"
>
</activity>
<activity
android:theme="@7F0E0013"
android:name="com.teamviewer.remotecontrollib.activity.ShowHelpActivity"
android:launchMode="1"
android:configChanges="0x00000020"
>
</activity>
<activity
android:theme="@7F0E000B"
android:name="o.
"
android:launchMode="1"
android:configChanges="0x00000020"
>
</activity>
<activity
android:theme="@7F0E000B"
android:name="o.
"
android:launchMode="1"
android:configChanges="0x00000020"
>
</activity>
<activity
android:theme="@android:01030010"
android:name="com.teamviewer.remotecontrollib.activity.TutorialActivity"
android:launchMode="1"
android:configChanges="0x00000020"
>
</activity>
<activity
android:theme="@7F0E000B"
android:name="com.teamviewer.commonresourcelib.activity.VersionInfoActivity"
android:launchMode="1"
>
</activity>
<activity
android:theme="@7F0E000B"
android:name="com.teamviewer.remotecontrollib.gui.optionsactivities.ShowConnectionLogActivity"
android:launchMode="1"
android:configChanges="0x000004A0"
>
</activity>
<activity
android:theme="@7F0E000B"
android:name="com.teamviewer.commonresourcelib.activity.ShowEventLogActivity"
android:launchMode="1"
android:configChanges="0x000004A0"
>
</activity>
</application>
</manifest>


Fix Recommendations

Do not create files with insecure permissions.



Issue Types that this task fixes


Insecure File Permission

General
Never create files with world-readable or world-writable permissions.
Use MODE_PRIVATE instead of MODE_WORLD_READABLE/MODE_WORLD_WRITABLE when calling APIs such as
Context.openFileOutput(name, mode).
For example, instead of the following vulnerable code, which creates a world-readable file:
openFileOutput("some_file.txt", MODE_WORLD_READABLE)
use MODE_PRIVATE, which makes the file accessible only to the calling application package:
openFileOutput("some_file.txt", MODE_PRIVATE)
For more information, read http://developer.android.com/reference/android/content/Context.html#MODE_PRIVATE

Set the 'android:allowBackup' attribute to false.



Issue Types that this task fixes


Backup Flag Enabled

General
Set the 'android:allowBackup' attribute on the <application> tag in the Android manifest file (AndroidManifest.xml) to "false".
For example:
<application android:allowBackup="false">
...
</application>
See http://developer.android.com/guide/topics/manifest/application-element.html#allowbackup for more details.


Coverage
Issue Types: 24


Android Fragment Injection
Crash in Java Code
An Unstripped Binary File Exists In The APK
Broadcast Theft
Insecure File Permission
Debug Flag Enabled on Release Version
Buffer Overflow
Debug Version Detected
Cross-Application Scripting
Insecure Pending Intent
Weak Random Number Generator
Unsafe Reflection
File Manipulation
Service Hijacking
Activity Hijacking
Android Class Loading Hijacking
Backup Flag Enabled
Broken Cryptography
UI Spoofing
Client-side SQL Injection
Phishing via Man-in-the-Middle (MiTM)
Cross-Site Scripting (XSS) via Man-in-the-Middle (MiTM)
Broken Cryptographic Hash Function
Crash in Native Code

Activities: 10


com.teamviewer.remotecontrollib.gui.optionsactivities.ShowConnectionLogActivity
o.
com.teamviewer.remotecontrollib.activity.ConnectInterfaceActivity
com.teamviewer.commonresourcelib.activity.VersionInfoActivity
com.teamviewer.remotecontrollib.activity.MainActivity
o.
o.
com.teamviewer.commonresourcelib.activity.ShowEventLogActivity
com.teamviewer.remotecontrollib.activity.TutorialActivity
com.teamviewer.remotecontrollib.activity.ShowHelpActivity
