Static Analysis

Android Static Analysis

Android static analysis, also called static code analysis, is a method of debugging that examines the code without executing the Android application. The process provides an understanding of the code structure and can help ensure that the code adheres to industry standards.

Static analysis results are displayed in JSON objects with the following names:

  • “kind”: Type of analysis test (static or dynamic)
  • “key”: Contains the value of the static analysis test title used for testing purposes
  • “title”: Title of the specific static analysis test
  • “category”: Category of the specific static analysis test
  • “summary”: Summary of the specific static analysis test
  • “cvss”: Common Vulnerability Scoring System (CVSS), the universal, open and standardized method for rating IT vulnerabilities and determining the urgency of response
  • “regulatory”: Security and compliance regulations

The regulatory category displays JSON arrays with the following names:

  • “cwe”: The “CWE” or “Common Weakness Enumeration” category is displayed in a JSON array with the id and url of each specific software weakness found during static analysis.

  • “owasp”: The “OWASP” or “Open Web Application Security Project” category is displayed in a JSON array with the id and url of each specific mobile security risk found during static analysis.

Example:

{
    "kind": "static",
    "key": "dynamic_code_loading_check",
    "title": "Dynamic Code Loading",
    "category": "code",
    "summary": "\n    Checks for the use of dynamic code loading within the APK. This mechanism allows a developer to specify which components of the application should not be loaded by default when the application is started. Typically, core components and additional dependencies are loaded natively at runtime, however, dynamically loaded components are only loaded as they are specifically requested. While this can have a positive impact on performance, or grant additional functionality (i.e. a non-invasive update feature), it can also open the application to serious security vulnerabilities if not implemented properly.\n  ",
    "cvss": 4.3,
    "regulatory": {
      "cwe": [
        {
          "id": 545,
          "url": "https://cwe.mitre.org/data/definitions/545.html"
        }
      ],
      "owasp": [
        {
          "id": "Mobile Top 10: M7-Client Side Injection",
          "url": "https://www.owasp.org/index.php/Mobile_Top_10_2014-M7"
        }
      ]
    }

If an application was not found to be vulnerable or affected by this specific static analysis test, the results will display in JSON objects with the following names and values:

  • “affected”: Boolean value (true or false) that states whether the application is affected by the specific static analysis test
  • “severity”: If the application is not vulnerable to a specific static analysis test, the severity value will display “pass”
  • “description”: Description of the static analysis test result

Example:

"affected": false,
    "severity": "pass",
    "description": "\n    Your application was signed using a key length of more than 1024 bits.\n  "
  }

If an application was found to be vulnerable and affected by this specific static analysis test, the results will display in JSON objects with the following names and values:

  • “affected”: Boolean value (true or false) that states whether the application is affected by the specific static analysis test
  • “category”: Category of the specific static analysis test
  • “severity”: If the application is vulnerable to a specific static analysis test, the severity value is “high”, “medium”, or “low”
  • “cvss”: Common Vulnerability Scoring System (CVSS), the universal, open and standardized method for rating IT vulnerabilities and determining the urgency of response
  • “title”: Title of the specific static analysis test
  • “cwe”: The “CWE” or “Common Weakness Enumeration” category is displayed in a JSON array with the id and url of each specific software weakness found during static analysis.
  • “description”: Description of the static analysis test result
  • “recommendation”: Recommendation on how to fix the issue or vulnerability

Example:

"affected": true,
    "issue": {
      "category": "code",
      "severity": "medium",
      "cvss": 4.3,
      "cwe": [
        {
          "id": 545,
          "url": "https://cwe.mitre.org/data/definitions/545.html"
        }
      ],
      "owasp": [
        {
          "id": "Mobile Top 10: M7-Client Side Injection",
          "url": "https://www.owasp.org/index.php/Mobile_Top_10_2014-M7"
        }
      ],
      "title": "Dynamic code loading detected",
      "description": "\n    Your application was found to be using dynamic code loading. While this\n    is not a vulnerability per se, it is not a secure code practice and can\n    lead to code injection or malicious side-loading of code.\n  ",
      "recommendation": "\n    It is strongly discouraged to load code from outside of the application APK. Doing so significantly increases the likelihood of application compromise due to code injection or code tampering. It also adds complexity around version management, application testing and can make it impossible to verify the behavior of an application. Dynamically loaded code runs with the same security permissions as the application APK. If the modules are included directly within the APK, then they cannot be modified by other applications. This is true whether the code is a native library or a class being loaded using DexClassLoader. There can be instances of applications attempting to load code from insecure locations, such as downloaded from the network over unencrypted protocols or from world writable locations such as external storage. These locations could allow modification of the content in transit, or another application to modify the content on the device, respectively.\n  ",
      "pass": "\n    Your application is either not using dynamic code loading or has\n    implemented it securely.\n  "
    },
    "severity": "medium",
    "description": "\n    Your application was found to be using dynamic code loading. While this\n    is not a vulnerability per se, it is not a secure code practice and can\n    lead to code injection or malicious side-loading of code.\n  ",
    "recommendation": "\n    It is strongly discouraged to load code from outside of the application APK. Doing so significantly increases the likelihood of application compromise due to code injection or code tampering. It also adds complexity around version management, application testing and can make it impossible to verify the behavior of an application. Dynamically loaded code runs with the same security permissions as the application APK. If the modules are included directly within the APK, then they cannot be modified by other applications. This is true whether the code is a native library or a class being loaded using DexClassLoader. There can be instances of applications attempting to load code from insecure locations, such as downloaded from the network over unencrypted protocols or from world writable locations such as external storage. These locations could allow modification of the content in transit, or another application to modify the content on the device, respectively.\n  ",
    "context": {
      "title": "Code Locations",
      "rows": [
        {
          "class": "Lcom/google/android/gms/internal/bc;",
          "method": "b",
          "signature": "()V"
        },
        {
          "class": "Lcom/google/android/gms/internal/al;",
          "method": "a",
          "signature": "(Ljava/lang/String;)Z"
        }
      ],
      "fields": {
        "class": {
          "title": "Class"
        },
        "method": {
          "title": "Method"
        },
        "signature": {
          "title": "Signature"
        }
      }
    }
  }
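
The result objects described above can be consumed directly by a triage script. The following is an added example, not part of the original documentation or the product's own code: it flattens each result and orders the affected findings by severity and CVSS. The sample results are constructed and shortened, `Lcom/example/app/Loader;` is a placeholder class, and ranking `info` below `low` and unknown severity labels above `high` is an assumption.

```python
import json

# Severity names from the page ("high", "medium", "low") plus "info", which the
# Overprivileged Application Check example uses. The ordering is an assumption.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}
UNKNOWN_RANK = len(SEVERITY_RANK)  # unknown labels sort first so they get reviewed

# Constructed, shortened sample in the documented format (not real scan output).
SAMPLE_RESULTS = json.loads(r"""
[
  {"kind": "static", "key": "certificate_validity_check",
   "title": "Certificate Validity Check", "category": "code", "cvss": 7.5,
   "regulatory": {}, "affected": false, "severity": "pass",
   "description": "\n    The certificate is valid.\n  "},
  {"kind": "static", "key": "application_overprivileged_check",
   "title": "Overprivileged Application Check", "category": "permissions",
   "regulatory": {"cwe": [{"id": 250,
                           "url": "https://cwe.mitre.org/data/definitions/250.html"}]},
   "affected": true, "severity": "info",
   "issue": {"title": "Unused permissions detected", "severity": "info"}},
  {"kind": "static", "key": "dynamic_code_loading_check",
   "title": "Dynamic Code Loading", "category": "code", "cvss": 4.3,
   "regulatory": {"cwe": [{"id": 545,
                           "url": "https://cwe.mitre.org/data/definitions/545.html"}]},
   "affected": true, "severity": "medium",
   "issue": {"title": "Dynamic code loading detected", "severity": "medium",
             "cvss": 4.3},
   "context": {"title": "Code Locations",
     "rows": [{"class": "Lcom/example/app/Loader;", "method": "b",
               "signature": "()V"}],
     "fields": {"class": {"title": "Class"}, "method": {"title": "Method"},
                "signature": {"title": "Signature"}}}}
]
""")


def normalize(result):
    """Flatten one result object into the fields a triage queue needs."""
    issue = result.get("issue") or {}
    regulatory = result.get("regulatory") or {}  # may be an empty object
    context = result.get("context") or {}        # absent on passing tests
    columns = list(context.get("fields") or {})
    return {
        "key": result.get("key", ""),
        # Prefer the issue title ("Dynamic code loading detected") when present.
        "title": issue.get("title") or result.get("title", ""),
        # Only an explicit true counts; a missing flag is not treated as affected.
        "affected": result.get("affected") is True,
        "severity": result.get("severity", ""),
        "cvss": result.get("cvss"),  # None when the test carries no score
        "cwe": [f"CWE-{entry['id']}" for entry in regulatory.get("cwe", [])],
        # Descriptions arrive padded with newlines and indentation.
        "description": " ".join(result.get("description", "").split()),
        "rows": [{c: row.get(c, "") for c in columns}
                 for row in context.get("rows", [])],
    }


def code_locations(finding):
    """Render "Code Locations" rows as Lclass;->method(signature) references."""
    return [
        f"{row['class']}->{row['method']}{row['signature']}"
        for row in finding["rows"]
        if {"class", "method", "signature"} <= row.keys()
    ]


def triage(results, min_severity="info"):
    """Return affected static findings, most severe first, then by CVSS."""
    floor = SEVERITY_RANK[min_severity]
    ranked = []
    for result in results:
        if result.get("kind") != "static":
            continue
        finding = normalize(result)
        rank = SEVERITY_RANK.get(finding["severity"], UNKNOWN_RANK)
        if finding["affected"] and rank >= floor:
            ranked.append((rank, finding["cvss"] or 0.0, finding))
    ranked.sort(key=lambda item: item[:2], reverse=True)
    return [finding for _, _, finding in ranked]


if __name__ == "__main__":
    for f in triage(SAMPLE_RESULTS):
        print(f["severity"], f["cvss"], f["title"], f["cwe"], code_locations(f))
```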

Certificate Validity Check

  • Checks to see if the certificate used for this application compilation is valid. Specifically, this static check seeks to determine whether the certificate is expired or is set to expire within 30 days.

Example:

{
    "kind": "static",
    "key": "certificate_validity_check",
    "title": "Certificate Validity Check",
    "category": "code",
    "summary": "\n    Checks to see if the certificate used for this application compilation is valid. Specifically, this static checks seeks to determine whether the certificate is expired or is set to expire within 30 days.\n  ",
    "cvss": 7.5,
    "regulatory": {},
    "affected": false,
    "severity": "pass",
    "description": "\n    The application's certificate was found to be valid, in that is is not set to expire in < 30 days.\n  "
  },
  {
    "kind": "static",
    "key": "debug_flag_check",
    "title": "Debug Flag Check",
    "category": "code",
    "summary": "\n    Checks to determine whether the application was compiled with the `debuggable` flag enabled in the Android manifest. If the application has the `debuggable` flag enabled, it’s possible to attach a debugger to the application’s process and execute arbitrary code. The default value is \"true\" if the `debuggable` flag is not set. Debugging should be disabled before compiling an app for production.\n  ",
    "cvss": 4.4,
    "regulatory": {
      "cwe": [
        {
          "id": 215,
          "url": "https://cwe.mitre.org/data/definitions/215.html"
        }
      ],
      "owasp": [
        {
          "id": "OWASP Mobile Top 10: M8-Security Decisions via Untrusted Inputs",
          "url": "https://www.owasp.org/index.php/Mobile_Top_10_2014-M8"
        },
        {
          "id": "M10-Lack of Binary Protections",
          "url": "https://www.owasp.org/index.php/Mobile_Top_10_2014-M10"
        }
      ]
    },
    "affected": false,
    "severity": "pass",
    "description": "\n    The application was compiled with the `debuggable` flag disabled.\n  "
  }

Master Key Check

  • This checks if the application is attempting to exploit the Master Key vulnerability. Android OS versions 1.6 through 4.2 do not properly check cryptographic signatures and this could lead to non-approved code being run.

Example:

{
    "kind": "static",
    "key": "master_key_check",
    "title": "Master Key Check",
    "category": "code",
    "summary": "\n    This checks if the application is attempting to exploit the Master Key\n    vulnerability. Android OS versions 1.6 through 4.2 do not properly check\n    cryptographic signatures and this could lead to non-approved code being run.\n    For more information see [CVE 2013-4787](http://web.nvd.nist.gov/view/vuln/detail?vulnid=CVE-2013-4787).\n    The purpose of this check to flag potentially malicious behavior within the application.\n  ",
    "cvss": 9.3,
    "regulatory": {
      "cve": "CVE-2013-4787",
      "cwe": [
        {
          "id": 310,
          "url": "https://cwe.mitre.org/data/definitions/310.html"
        },
        {
          "id": 20,
          "url": "https://cwe.mitre.org/data/definitions/20.html"
        }
      ],
      "niap": [
        {
          "id": "FCS_COP.1.1(3)",
          "url": "https://www.niap-ccevs.org/pp/pp_app_v1.1_table-reqs.htm#FCS_COP.1.1(3)"
        }
      ],
      "owasp": [
        {
          "id": "Mobile Top 10: M6-Broken Cryptography",
          "url": "https://www.owasp.org/index.php/Mobile_Top_10_2014-M6"
        }
      ]
    },
    "affected": false,
    "severity": "pass",
    "description": "\n    The application was not found to contain two files with the same path and\n    filename, which indicates the app is not attempting to exploit the Master\n    Key vulnerability.\n  "
  }
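
The passing description above names the indicator this check looks for: two files with the same path and filename inside the package. The following added example (not the product's implementation) shows one way to detect that condition with Python's `zipfile` module. The archives are constructed in memory with placeholder contents, and the function names are hypothetical.

```python
import io
import warnings
import zipfile
from collections import defaultdict


def duplicate_entries(apk_bytes):
    """Map each entry name that occurs more than once to its (CRC, size) pairs.

    infolist() returns every central-directory record, including repeated
    names, whereas lookups by name only ever see the last one. Comparing the
    CRC and size of the copies shows whether the duplicates actually differ.
    """
    seen = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as archive:
        for info in archive.infolist():
            seen[info.filename].append((info.CRC, info.file_size))
    return {name: copies for name, copies in seen.items() if len(copies) > 1}


def master_key_indicator(apk_bytes):
    """True when any path appears more than once in the archive."""
    return bool(duplicate_entries(apk_bytes))


def build_sample_archive(entries):
    """Build a constructed in-memory archive from (name, data) pairs."""
    buffer = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile emits a UserWarning when a name is written twice.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buffer, "w") as archive:
            for name, data in entries:
                archive.writestr(name, data)
    return buffer.getvalue()


# Constructed samples with placeholder contents (not real application files).
CLEAN = build_sample_archive([
    ("AndroidManifest.xml", b"placeholder"),
    ("classes.dex", b"placeholder"),
])
DUPLICATED = build_sample_archive([
    ("AndroidManifest.xml", b"placeholder"),
    ("classes.dex", b"first copy"),
    ("classes.dex", b"second copy"),
])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("duplicated", DUPLICATED)):
        print(label, master_key_indicator(sample), duplicate_entries(sample))
```

This inspects the central directory only, so it covers the duplicate-name condition the description mentions and nothing else.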

Secure Random Check

  • Applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the PRNG (pseudo-random number generator). Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected. Please note that for “electronic wallet” applications, or applications that process sensitive and/or monetary transactions (including bitcoin transactions), the risk associated with this finding should carefully be considered and should potentially be classified using a finding with severity “High”.

Example:

{
    "kind": "static",
    "key": "secure_random_check",
    "title": "Secure Random Check",
    "category": "code",
    "summary": "\n    Applications which use the Java Cryptography Architecture (JCA) for key\n    generation, signing, or random number generation may not receive\n    cryptographically strong values on Android devices due to improper\n    initialization of the PRNG (pseudo-random number generator). Applications\n    that directly invoke the system-provided OpenSSL PRNG without explicit\n    initialization on Android are also affected. Please note that for\n    \"electronic wallet\" applications, or applications that process sensitive\n    and/or monetary transactions (including bitcoin transactions), the risk\n    associated with this finding should carefully be considered and should\n    potentially be classified using a finding with severity \"High\".\n  ",
    "cvss": 5.5,
    "regulatory": {
      "cwe": [
        {
          "id": 310,
          "url": "https://cwe.mitre.org/data/definitions/310.html"
        }
      ],
      "owasp": [
        {
          "id": "Mobile Top 10: M6-Broken Cryptography",
          "url": "https://www.owasp.org/index.php/Mobile_Top_10_2014-M6"
        }
      ]
    },
    "affected": true,
    "issue": {
      "category": "code",
      "cvss": 5.5,
      "cwe": [
        {
          "id": 310,
          "url": "https://cwe.mitre.org/data/definitions/310.html"
        }
      ],
      "owasp": [
        {
          "id": "Mobile Top 10: M6-Broken Cryptography",
          "url": "https://www.owasp.org/index.php/Mobile_Top_10_2014-M6"
        }
      ],
      "severity": "medium",
      "title": "Secure Random exploit",
      "vector": "physical",
      "complexity": "high",
      "privileges": "low",
      "interaction": "none",
      "scope": "unchanged",
      "confidentiality": "high",
      "integrity": "high",
      "availability": "none",
      "description": "\n    The application was found to be vulnerable because of issues related to the\n    SecureRandom implementation. A static value is used each time the\n    SecureRandom variable is created, which means that the results are not\n    randomized on each individual instance. The code locations provided in the\n    table below were identified as being the cause for the current risk status. \n    It is encouraged to review these locations to determine if the violation occurred\n    in an internal or external library. If the issue was found in an external library, \n    it is not possible to determine if the affected portion of code is being triggered \n    from the application's Java source code. In this case, it may not be possible to locate\n    and resolve this issue.\n  ",
      "recommendation": "\n    To avoid being vulnerable to Secure Random, ensure that you properly\n    initialize the underlying pseudo-random number generator.\n\n    Developers who use JCA for key generation, signing or random number\n    generation should explicitly initialize the PRNG with entropy from\n    `/dev/urandom` or `/dev/random`. Also, developers should evaluate whether to\n    regenerate cryptographic keys or other random values previously generated\n    using JCA APIs such as `SecureRandom`, `KeyGenerator`, `KeyPairGenerator`,\n    `KeyAgreement`, and `Signature`. A suggested implementation is provided at the\n    end of [this blog post](http://android-developers.blogspot.com.es/2013/08/some-securerandom-thoughts.html).\n  ",
      "pass": "\n    The application appears to properly initialize the underlying PRNG, and is not vulnerable to the Secure Random exploit.\n  "
    },
    "severity": "medium",
    "description": "\n    The application was found to be vulnerable because of issues related to the\n    SecureRandom implementation. A static value is used each time the\n    SecureRandom variable is created, which means that the results are not\n    randomized on each individual instance. The code locations provided in the\n    table below were identified as being the cause for the current risk status. \n    It is encouraged to review these locations to determine if the violation occurred\n    in an internal or external library. If the issue was found in an external library, \n    it is not possible to determine if the affected portion of code is being triggered \n    from the application's Java source code. In this case, it may not be possible to locate\n    and resolve this issue.\n  ",
    "recommendation": "\n    To avoid being vulnerable to Secure Random, ensure that you properly\n    initialize the underlying pseudo-random number generator.\n\n    Developers who use JCA for key generation, signing or random number\n    generation should explicitly initialize the PRNG with entropy from\n    `/dev/urandom` or `/dev/random`. Also, developers should evaluate whether to\n    regenerate cryptographic keys or other random values previously generated\n    using JCA APIs such as `SecureRandom`, `KeyGenerator`, `KeyPairGenerator`,\n    `KeyAgreement`, and `Signature`. A suggested implementation is provided at the\n    end of [this blog post](http://android-developers.blogspot.com.es/2013/08/some-securerandom-thoughts.html).\n  ",
    "context": {
      "title": "Code Locations",
      "rows": [
        {
          "class": "Lmobi/android/adlibrary/internal/utils/HttpRequest;",
          "method": "getTrustedFactory",
          "signature": "()Ljavax/net/ssl/SSLSocketFactory;"
        },
        {
          "class": "Lcom/tencent/bugly/proguard/a;",
          "method": "a",
          "signature": "(I)[B"
        },
        {
          "class": "Lcom/google/android/gms/internal/f;",
          "method": "b",
          "signature": "([B Ljava/lang/String; Z)[B"
        },
        {
          "class": "Lmobi/android/adlibrary/internal/net/HttpRequest;",
          "method": "getTrustedFactory",
          "signature": "()Ljavax/net/ssl/SSLSocketFactory;"
        },
        {
          "class": "Lcom/google/android/gms/measurement/internal/af;",
          "method": "E",
          "signature": "()Ljava/security/SecureRandom;"
        }
      ],
      "fields": {
        "class": {
          "title": "Class"
        },
        "method": {
          "title": "Method"
        },
        "signature": {
          "title": "Signature"
        }
      }
    }
  }

Dynamic Code Loading

  • Checks for the use of dynamic code loading within the APK. This mechanism allows a developer to specify which components of the application should not be loaded by default when the application is started. Typically, core components and additional dependencies are loaded natively at runtime, however, dynamically loaded components are only loaded as they are specifically requested. While this can have a positive impact on performance, or grant additional functionality (i.e. a non-invasive update feature), it can also open the application to serious security vulnerabilities if not implemented properly.

Example:

{
    "kind": "static",
    "key": "dynamic_code_loading_check",
    "title": "Dynamic Code Loading",
    "category": "code",
    "summary": "\n    Checks for the use of dynamic code loading within the APK. This mechanism allows a developer to specify which components of the application should not be loaded by default when the application is started. Typically, core components and additional dependencies are loaded natively at runtime, however, dynamically loaded components are only loaded as they are specifically requested. While this can have a positive impact on performance, or grant additional functionality (i.e. a non-invasive update feature), it can also open the application to serious security vulnerabilities if not implemented properly.\n  ",
    "cvss": 4.3,
    "regulatory": {
      "cwe": [
        {
          "id": 545,
          "url": "https://cwe.mitre.org/data/definitions/545.html"
        }
      ],
      "owasp": [
        {
          "id": "Mobile Top 10: M7-Client Side Injection",
          "url": "https://www.owasp.org/index.php/Mobile_Top_10_2014-M7"
        }
      ]
    },
    "affected": true,
    "issue": {
      "category": "code",
      "severity": "medium",
      "cvss": 4.3,
      "cwe": [
        {
          "id": 545,
          "url": "https://cwe.mitre.org/data/definitions/545.html"
        }
      ],
      "owasp": [
        {
          "id": "Mobile Top 10: M7-Client Side Injection",
          "url": "https://www.owasp.org/index.php/Mobile_Top_10_2014-M7"
        }
      ],
      "title": "Dynamic code loading detected",
      "description": "\n    Your application was found to be using dynamic code loading. While this\n    is not a vulnerability per se, it is not a secure code practice and can\n    lead to code injection or malicious side-loading of code.\n  ",
      "recommendation": "\n    It is strongly discouraged to load code from outside of the application APK. Doing so significantly increases the likelihood of application compromise due to code injection or code tampering. It also adds complexity around version management, application testing and can make it impossible to verify the behavior of an application. Dynamically loaded code runs with the same security permissions as the application APK. If the modules are included directly within the APK, then they cannot be modified by other applications. This is true whether the code is a native library or a class being loaded using DexClassLoader. There can be instances of applications attempting to load code from insecure locations, such as downloaded from the network over unencrypted protocols or from world writable locations such as external storage. These locations could allow modification of the content in transit, or another application to modify the content on the device, respectively.\n  ",
      "pass": "\n    Your application is either not using dynamic code loading or has\n    implemented it securely.\n  "
    },
    "severity": "medium",
    "description": "\n    Your application was found to be using dynamic code loading. While this\n    is not a vulnerability per se, it is not a secure code practice and can\n    lead to code injection or malicious side-loading of code.\n  ",
    "recommendation": "\n    It is strongly discouraged to load code from outside of the application APK. Doing so significantly increases the likelihood of application compromise due to code injection or code tampering. It also adds complexity around version management, application testing and can make it impossible to verify the behavior of an application. Dynamically loaded code runs with the same security permissions as the application APK. If the modules are included directly within the APK, then they cannot be modified by other applications. This is true whether the code is a native library or a class being loaded using DexClassLoader. There can be instances of applications attempting to load code from insecure locations, such as downloaded from the network over unencrypted protocols or from world writable locations such as external storage. These locations could allow modification of the content in transit, or another application to modify the content on the device, respectively.\n  ",
    "context": {
      "title": "Code Locations",
      "rows": [
        {
          "class": "Lcom/google/android/gms/internal/bc;",
          "method": "b",
          "signature": "()V"
        },
        {
          "class": "Lcom/google/android/gms/internal/al;",
          "method": "a",
          "signature": "(Ljava/lang/String;)Z"
        }
      ],
      "fields": {
        "class": {
          "title": "Class"
        },
        "method": {
          "title": "Method"
        },
        "signature": {
          "title": "Signature"
        }
      }
    }
  }

Overprivileged Application Check

  • This test checks the source code to determine if the permissions requested by the application are in fact used by the application. To do this, the list of requested permissions from the source code is compared to the list of granted permissions.

Example:

{
    "kind": "static",
    "key": "application_overprivileged_check",
    "title": "Overprivileged Application Check",
    "category": "permissions",
    "summary": "\n    This test checks the source code to determine if the permissions requested \n    by the application are in fact used by the application. To do this, the list of \n    requested permissions from the source code is compared to the list of granted permissions.\n  ",
    "regulatory": {
      "cwe": [
        {
          "id": 250,
          "url": "https://cwe.mitre.org/data/definitions/250.html"
        }
      ],
      "niap": [
        {
          "id": "FDP_DEC_EXT.1.3",
          "url": "https://www.niap-ccevs.org/pp/pp_app_v1.1_table-reqs.htm#FDP_DEC_EXT.1.3"
        }
      ],
      "owasp": [
        {
          "id": "Mobile Top 10: M8-Security Decisions Via Untrusted Inputs",
          "url": "https://www.owasp.org/index.php/Mobile_Top_10_2014-M8"
        }
      ]
    },
    "affected": true,
    "issue": {
      "category": "permissions",
      "severity": "info",
      "title": "Unused permissions detected",
      "cwe": [
        {
          "id": 250,
          "url": "https://cwe.mitre.org/data/definitions/250.html"
        }
      ],
      "owasp": [
        {
          "id": "Mobile Top 10: M8-Security Decisions Via Untrusted Inputs",
          "url": "https://www.owasp.org/index.php/Mobile_Top_10_2014-M8"
        }
      ],
      "niap": [
        {
          "id": "FDP_DEC_EXT.1.3",
          "url": "https://www.niap-ccevs.org/pp/pp_app_v1.1_table-reqs.htm#FDP_DEC_EXT.1.3"
        }
      ],
      "description": "\n    Your application was found to ask for permissions that were not used within\n    the application. Please note that due to the automated aspect of this app\n    interaction, all features/functionality within the app may not have been\n    exercised, which could skew the results of this test. It is encouraged to\n    review the output in the table below and determine whether these permissions\n    are in fact used and required by your application.\n  ",
      "recommendation": "\n    It is recommended to only ask for permissions that are being used within\n    the application. Over-privileged apps can be exploited with potential\n    adverse effects on the user’s security and privacy.\n  ",
      "pass": "\n    Your application was found to be using all of the permissions requested\n    within the source code.\n  "
    },
    "severity": "info",
    "description": "\n    Your application was found to ask for permissions that were not used within\n    the application. Please note that due to the automated aspect of this app\n    interaction, all features/functionality within the app may not have been\n    exercised, which could skew the results of this test. It is encouraged to\n    review the output in the table below and determine whether these permissions\n    are in fact used and required by your application.\n  ",
    "recommendation": "\n    It is recommended to only ask for permissions that are being used within\n    the application. Over-privileged apps can be exploited with potential\n    adverse effects on the user’s security and privacy.\n  ",
    "context": {
      "title": "Overprivileged Application Check",
      "fields": {
        "type": {
          "title": "type"
        },
        "value": {
          "title": "value"
        }
      },
      "rows": [
        {
          "type": "Extra Permissions",
          "value": "android.permission.CHANGE_NETWORK_STATE\nandroid.permission.CHANGE_CONFIGURATION\nandroid.permission.EXPAND_STATUS_BAR\nandroid.permission.READ_SETTINGS\nandroid.permission.SYSTEM_ALERT_WINDOW\nandroid.permission.GET_PACKAGE_SIZE\nandroid.permission.READ_EXTERNAL_STORAGE\nandroid.permission.RECEIVE_BOOT_COMPLETED\nandroid.permission.READ_LOGS\nandroid.permission.DISABLE_KEYGUARD\nandroid.permission.BROADCAST_STICKY\nandroid.permission.WRITE_SECURE_SETTINGS\nandroid.permission.REAL_GET_TASKS\nandroid.permission.SYSTEM_OVERLAY_WINDOW\nandroid.permission.FORCE_STOP_PACKAGE\nandroid.permission.PACKAGE_USAGE_STATS\nandroid.permission.CLEAR_APP_CACHE\nandroid.permission.MOUNT_UNMOUNT_FILESYSTEMS\nandroid.permission.DOWNLOAD_WITHOUT_NOTIFICATION"
        },
        {
          "type": "Granted Permissions",
          "value": "android.permission.KILL_BACKGROUND_PROCESSES\nandroid.permission.INTERNET\nandroid.permission.SYSTEM_ALERT_WINDOW\nandroid.permission.WRITE_EXTERNAL_STORAGE\nandroid.permission.READ_EXTERNAL_STORAGE\nandroid.permission.RESTART_PACKAGES\nandroid.permission.GET_PACKAGE_SIZE\nandroid.permission.GET_TASKS\nandroid.permission.ACCESS_WIFI_STATE\nandroid.permission.ACCESS_NETWORK_STATE\nandroid.permission.FORCE_STOP_PACKAGE\nandroid.permission.CLEAR_APP_CACHE\nandroid.permission.EXPAND_STATUS_BAR\nandroid.permission.WAKE_LOCK\ncom.android.launcher.permission.INSTALL_SHORTCUT\ncom.android.launcher.permission.UNINSTALL_SHORTCUT\nandroid.permission.CAMERA\nandroid.permission.DOWNLOAD_WITHOUT_NOTIFICATION\nandroid.permission.ACCESS_FINE_LOCATION\nandroid.permission.RECEIVE_BOOT_COMPLETED\nandroid.permission.CHANGE_CONFIGURATION\ncom.android.launcher.permission.READ_SETTINGS\ncom.android.launcher.permission.WRITE_SETTINGS\ncom.android.launcher2.permission.READ_SETTINGS\ncom.android.launcher2.permission.WRITE_SETTINGS\ncom.android.launcher3.permission.READ_SETTINGS\ncom.android.launcher3.permission.WRITE_SETTINGS\norg.adw.launcher.permission.READ_SETTINGS\norg.adw.launcher.permission.WRITE_SETTINGS\ncom.htc.launcher.permission.READ_SETTINGS\ncom.htc.launcher.permission.WRITE_SETTINGS\ncom.qihoo360.launcher.permission.READ_SETTINGS\ncom.qihoo360.launcher.permission.WRITE_SETTINGS\ncom.lge.launcher.permission.READ_SETTINGS\ncom.lge.launcher.permission.WRITE_SETTINGS\nnet.qihoo.launcher.permission.READ_SETTINGS\nnet.qihoo.launcher.permission.WRITE_SETTINGS\norg.adwfreak.launcher.permission.READ_SETTINGS\norg.adwfreak.launcher.permission.WRITE_SETTINGS\norg.adw.launcher_donut.permission.READ_SETTINGS\norg.adw.launcher_donut.permission.WRITE_SETTINGS\ncom.huawei.launcher3.permission.READ_SETTINGS\ncom.huawei.launcher3.permission.WRITE_SETTINGS\ncom.fede.launcher.permission.READ_SETTINGS\ncom.fede.launcher.permission.WRITE_SETTINGS\ncom.sec.android.app.twlauncher.s
ettings.READ_SETTINGS\ncom.sec.android.app.twlauncher.settings.WRITE_SETTINGS\ncom.anddoes.launcher.permission.READ_SETTINGS\ncom.anddoes.launcher.permission.WRITE_SETTINGS\ncom.tencent.qqlauncher.permission.READ_SETTINGS\ncom.tencent.qqlauncher.permission.WRITE_SETTINGS\ncom.huawei.launcher2.permission.READ_SETTINGS\ncom.huawei.launcher2.permission.WRITE_SETTINGS\ncom.android.mylauncher.permission.READ_SETTINGS\ncom.android.mylauncher.permission.WRITE_SETTINGS\ncom.ebproductions.android.launcher.permission.READ_SETTINGS\ncom.ebproductions.android.launcher.permission.WRITE_SETTINGS\ncom.oppo.launcher.permission.READ_SETTINGS\ncom.oppo.launcher.permission.WRITE_SETTINGS\ncom.lenovo.launcher.permission.READ_SETTINGS\ncom.lenovo.launcher.permission.WRITE_SETTINGS\ncom.huawei.android.launcher.permission.READ_SETTINGS\ncom.huawei.android.launcher.permission.WRITE_SETTINGS\ntelecom.mdesk.permission.READ_SETTINGS\ntelecom.mdesk.permission.WRITE_SETTINGS\ndianxin.permission.ACCESS_LAUNCHER_DATA\ncom.google.android.launcher.permission.READ_SETTINGS\ncom.google.android.launcher.permission.WRITE_SETTINGS\ncom.google.android.launcher.permission.CONTENT_REDIRECT\ncom.yulong.android.launcher3.permission.WRITE_SETTINGS\ncom.yulong.android.launcher3.permission.READ_SETTINGS\ncom.bbk.launcher2.permission.READ_SETTINGS\ncom.bbk.launcher2.permission.WRITE_SETTINGS\ncom.android.browser.permission.READ_HISTORY_BOOKMARKS\ncom.android.browser.permission.WRITE_HISTORY_BOOKMARKS\nandroid.permission.READ_PHONE_STATE\nandroid.permission.WRITE_SETTINGS\nandroid.permission.CHANGE_WIFI_STATE\ncom.google.android.providers.gsf.permission.READ_GSERVICES\ncom.google.android.gms.permission.ACTIVITY_RECOGNITION\nandroid.permission.ACCESS_COARSE_LOCATION\nandroid.permission.READ_SETTINGS\ncom.qihoo360.home.permission.READ_SETTINGS\ncom.qihoo360.home.permission.WRITE_SETTINGS\ncom.sonymobile.home.permission.PROVIDER_ACCESS_MODIFY_CONFIGURATION\nandroid.permission.WRITE_SECURE_SETTINGS\nandroid.permissio
n.DISABLE_KEYGUARD\nandroid.permission.SYSTEM_OVERLAY_WINDOW\nandroid.permission.CHANGE_NETWORK_STATE\nandroid.permissoon.READ_PHONE_STATE\nandroid.permission.VIBRATE\nandroid.permission.BROADCAST_STICKY\nandroid.permission.REAL_GET_TASKS\nandroid.permission.READ_LOGS\nandroid.permission.PACKAGE_USAGE_STATS\nandroid.permission.MOUNT_UNMOUNT_FILESYSTEMS\ncom.google.android.c2dm.permission.RECEIVE\nmobi.supo.cleaner.permission.C2D_MESSAGE"
        }
      ]
    }
  }

Allow Backup Check

  • Checks to determine whether the allowBackup flag within the Android Manifest is set to False. If this flag is enabled, it could allow easier access to the application files stored on the device.

Example:

{
    "kind": "static",
    "key": "allow_backup_check",
    "title": "Allow Backup Check",
    "category": "code",
    "summary": "\n    Checks to determine whether the `allowBackup` flag within the Android\n    Manifest is set to False. If this flag is enabled, it could allow easier\n    access to the application files stored on the device.\n  ",
    "cvss": 4.6,
    "regulatory": {
      "cwe": [
        {
          "id": 538,
          "url": "https://cwe.mitre.org/data/definitions/538.html"
        },
        {
          "id": 359,
          "url": "https://cwe.mitre.org/data/definitions/359.html"
        }
      ],
      "owasp": [
        {
          "id": "Mobile Top 10: M4-Unintended Data Leakage",
          "url": "https://www.owasp.org/index.php/Mobile_Top_10_2014-M4"
        }
      ]
    },
    "affected": true,
    "issue": {
      "category": "code",
      "severity": "medium",
      "cvss": 4.6,
      "cwe": [
        {
          "id": 538,
          "url": "https://cwe.mitre.org/data/definitions/538.html"
        },
        {
          "id": 359,
          "url": "https://cwe.mitre.org/data/definitions/359.html"
        }
      ],
      "owasp": [
        {
          "id": "Mobile Top 10: M4-Unintended Data Leakage",
          "url": "https://www.owasp.org/index.php/Mobile_Top_10_2014-M4"
        }
      ],
      "title": "Allow-backup flag enabled",
      "description": "\n    Your application is declaring the `allowBackup` flag as true in the\n    Android Manifest (or using the Android default value, which is true as well).\n\n    This can allow an attacker to backup your application folder and recover\n    private data from it.\n  ",
      "recommendation": "\n    Unless required by your app to run, it is recommended to explicitly set the\n    `allowBackup` flag to false in the Android Manifest.\n  ",
      "pass": "\n    Your application has the `allowBackup` flag set to false in the Android Manifest.\n  "
    },
    "severity": "medium",
    "description": "\n    Your application is declaring the `allowBackup` flag as true in the\n    Android Manifest (or using the Android default value, which is true as well).\n\n    This can allow an attacker to backup your application folder and recover\n    private data from it.\n  ",
    "recommendation": "\n    Unless required by your app to run, it is recommended to explicitly set the\n    `allowBackup` flag to false in the Android Manifest.\n  "
  }
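One way to implement a check of this kind, as an added example rather than the scanner's own code: it reads a decoded (plain-text) AndroidManifest.xml, treats a missing `android:allowBackup` attribute as the default `true` that the result above describes, and reports `affected` and `severity` in the same shape. The function names, the extra `state` field and the sample manifests are assumptions constructed for the illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ALLOW_BACKUP_ATTR = "{%s}allowBackup" % ANDROID_NS


def classify_allow_backup(manifest_xml):
    """Classify the allowBackup setting of a decoded AndroidManifest.xml.

    Returns 'explicit_false', 'explicit_true', 'default_true',
    'unresolved_reference' or 'no_application'.
    Input must be plain XML (for example from a decoding tool), not the
    binary XML stored inside the APK. For manifests from untrusted APKs,
    parse with a hardened XML parser such as defusedxml instead.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return "no_application"
    value = app.get(ALLOW_BACKUP_ATTR)
    if value is None:
        # Attribute absent: the platform default applies, which is true.
        return "default_true"
    value = value.strip().lower()
    if value == "false":
        return "explicit_false"
    if value == "true":
        return "explicit_true"
    # e.g. "@bool/allow_backup": the value lives in resources, so the
    # manifest alone cannot prove the flag is false.
    return "unresolved_reference"


def allow_backup_check(manifest_xml):
    """Return a result shaped like the page's JSON example."""
    state = classify_allow_backup(manifest_xml)
    # Only an explicit false passes; anything unproven is reported.
    affected = state not in ("explicit_false", "no_application")
    return {
        "kind": "static",
        "key": "allow_backup_check",
        "affected": affected,
        "severity": "medium" if affected else "pass",
        "state": state,  # added for the example, not in the page's schema
    }


def _manifest(app_attrs):
    """Build a constructed sample manifest with the given <application> attributes."""
    return (
        '<manifest xmlns:android="%s" package="com.example.app">'
        "<application %s/></manifest>" % (ANDROID_NS, app_attrs)
    )


# Constructed sample inputs.
MANIFEST_DEFAULT = _manifest('android:label="Demo"')
MANIFEST_TRUE = _manifest('android:allowBackup="true"')
MANIFEST_FALSE = _manifest('android:allowBackup="false"')
MANIFEST_REF = _manifest('android:allowBackup="@bool/allow_backup"')

if __name__ == "__main__":
    for name, xml in [("default", MANIFEST_DEFAULT), ("true", MANIFEST_TRUE),
                      ("false", MANIFEST_FALSE), ("ref", MANIFEST_REF)]:
        print(name, allow_backup_check(xml))
```
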

Code Obfuscation Check

  • Checks if the source code has been obfuscated either by ProGuard or DexGuard in order to make class identification less obvious.

Example:

{
    "kind": "static",
    "key": "obfuscation_check",
    "title": "Obfuscation Check",
    "category": "code",
    "summary": "\n    Checks if the source code has been obfuscated either by Proguard or Dexguard in order to make class identification less obvious.\n  ",
    "cvss": 4,
    "regulatory": {},
    "affected": true,
    "issue": {
      "severity": "medium",
      "cvss": 4,
      "title": "Unobfuscated code detected",
      "description": "\n    The source code does not appear to have been obfuscated. Your intellectual property is at risk because your app can easily be reverse-engineered.\n  ",
      "recommendation": "\n    Protect code that handles sensitive data in your app with advanced protection tools for obfuscation and encryption of source code.\n\n    One option is to at least enable the Android's built-in obfuscation tool 'ProGuard'.\n  ",
      "pass": "\n    The application was found to have implemented code obfuscation, making it more difficult for an attacker to reverse-engineering and see the clear operation of your app.\n  "
    },
    "severity": "medium",
    "description": "\n    The source code does not appear to have been obfuscated. Your intellectual property is at risk because your app can easily be reverse-engineered.\n  ",
    "recommendation": "\n    Protect code that handles sensitive data in your app with advanced protection tools for obfuscation and encryption of source code.\n\n    One option is to at least enable the Android's built-in obfuscation tool 'ProGuard'.\n  "
  }

Keysize Check

  • This test checks to see if the key used to sign the application is larger than 1024 bits. Anything smaller leaves your app vulnerable to forged digital signatures.

Example:

{
    "kind": "static",
    "key": "keysize_check",
    "title": "Keysize Check",
    "category": "code",
    "summary": "\n    This test checks to see if the key used to sign the application is larger\n    than 1024 bits. Anything smaller leaves your app vulnerable to forged\n    digital signatures.\n  ",
    "cvss": 5.9,
    "regulatory": {
      "cwe": [
        {
          "id": 310,
          "url": "https://cwe.mitre.org/data/definitions/310.html"
        },
        {
          "id": 326,
          "url": "https://cwe.mitre.org/data/definitions/326.html"
        }
      ],
      "niap": [
        {
          "id": "FPT_TUD_EXT.1.6",
          "url": "https://www.niap-ccevs.org/pp/pp_app_v1.1_table-reqs.htm#FPT_TUD_EXT.1.6"
        },
        {
          "id": "FCS_COP.1.1(3)",
          "url": "https://www.niap-ccevs.org/pp/pp_app_v1.1_table-reqs.htm#FCS_COP.1.1(3)"
        }
      ],
      "owasp": [
        {
          "id": "Mobile Top 10: M6-Broken Cryptography",
          "url": "https://www.owasp.org/index.php/Mobile_Top_10_2014-M6"
        }
      ]
    },
    "affected": false,
    "severity": "pass",
    "description": "\n    Your application was signed using a key length of more than 1024 bits.\n  "
  }

Javascript Interface Check

  • Checks for the usage of addJavascriptInterface(). This can be used to intercept network traffic that is being sent and to interact with the JavaScript interface.

Example:

{
    "kind": "static",
    "key": "javascript_interface_check",
    "title": "Javascript Interface Check",
    "category": "code",
    "summary": "\n    Checks for the usage of `addJavascriptInterface()`. This can be used to intercept network traffic thats being sent and interact with the javascript interface.\n  ",
    "cvss": 2.9,
    "regulatory": {
      "cwe": [
        {
          "id": 545,
          "url": "https://cwe.mitre.org/data/definitions/545.html"
        }
      ],
      "owasp": [
        {
          "id": "Mobile Top 10: M7-Client Side Injection",
          "url": "https://www.owasp.org/index.php/Mobile_Top_10_2014-M7"
        }
      ]
    },
    "affected": false,
    "severity": "pass",
    "description": "\n    Your application is not vulnerable to untrusted code execution using a Javascript interface.\n  "
  }

URL Listing

  • Checks for embedded URLs in the source code, which can point to sensitive company servers or assets and provide valuable information to potential attackers.

Example:

{
    "kind": "static",
    "key": "url_listing",
    "title": "URL Listing",
    "category": "artifact",
    "summary": "\n    Checks for embedded URLs in the source code, which can point to sensitive\n    company servers or assets and provide valuable information to potential\n    attackers.\n  ",
    "regulatory": {},
    "affected": true,
    "issue": {
      "category": "code",
      "title": "Embedded URL data detetected",
      "description": "\n    We found URL data embedded in your application code.\n  ",
      "recommendation": "\n    Do not embed sensitive URLs in your application code or resources.\n  ",
      "pass": "\n    We did not find any URLs embedded in the application code or resources.\n  "
    },
    "description": "\n    We found URL data embedded in your application code.\n  ",
    "recommendation": "\n    Do not embed sensitive URLs in your application code or resources.\n  ",
    "context": {
      "title": "URLs",
      "pre": "http:​/​/%s:%d​/%s\r\nhttp:​/​/127.0.0.1:\r\nhttp:​/​/169.55.74.167:12201​/v3​/config?pubid=514\r\nhttp:​/​/169.55.74.167:15580\r\nhttp:​/​/192.168.40.234:1233\r\nhttp:​/​/192.168.5.222:11011\r\nhttp:​/​/192.168.5.222:11011​/\r\nhttp:​/​/192.168.5.222:13567​/v3​/config\r\nhttp:​/​/ad.spcleaner.info​/v3​/config\r\nhttp:​/​/ad.spcleaner.info​/v3​/config?pubid=514\r\nhttp:​/​/adlog.flurry.com\r\nhttp:​/​/ads.flurry.com​/v16​/getAds.do\r\nhttp:​/​/android.bugly.qq.com​/rqd​/async\r\nhttp:​/​/api.mobula.sdk.duapps.com​/adunion​/rtb​/fetchAd?\r\nhttp:​/​/api.mobula.sdk.duapps.com​/adunion​/rtb​/getInmobiAd?\r\nhttp:​/​/api.mobula.sdk.duapps.com​/adunion​/slot​/getDlAd?\r\nhttp:​/​/api.mobula.sdk.duapps.com​/adunion​/slot​/getSrcPrio?\r\nhttp:​/​/cdn.flurry.com​/adSpaceStyles.dev​/images​/bttn-close-bw.png\r\nhttp:​/​/cf.spcleaner.info\r\nhttp:​/​/data.flurry.com​/aap.do\r\nhttp:​/​/feedback.spcleaner.info​/feedback​/report\r\nhttp:​/​/ip-api.com​/json\r\nhttp:​/​/m.onelink.me​/36a27a60\r\nhttp:​/​/m.onelink.me​/bdc8131\r\nhttp:​/​/market.android.com\r\nhttp:​/​/misc.spcleaner.info​/p​/t\r\nhttp:​/​/misc.spcleaner.info​/version​/privacy\r\nhttp:​/​/misc.spcleaner.info​/version​/update\r\nhttp:​/​/mta.oa.com​/\r\nhttp:​/​/mta.qq.com​/\r\nhttp:​/​/mta.qq.com​/mta​/api​/ctr_feedback\r\nhttp:​/​/mta.qq.com​/mta​/api​/ctr_feedback​/add_feedback\r\nhttp:​/​/mta.qq.com​/mta​/api​/ctr_feedback​/get_feedback\r\nhttp:​/​/mta.qq.com​/mta​/api​/ctr_feedback​/reply_feedback\r\nhttp:​/​/pingma.qq.com:80​/mstat​/report\r\nhttp:​/​/pingmid.qq.com:80​/\r\nhttp:​/​/play.google.com\r\nhttp:​/​/plus.google.com​/\r\nhttp:​/​/rqd.uu.qq.com​/rqd​/sync\r\nhttp:​/​/rts.mobula.sdk.duapps.com​/orts​/rp?\r\nhttp:​/​/rts.mobula.sdk.duapps.com​/orts​/rpb?\r\nhttp:​/​/schemas.android.com​/apk​/res​/android\r\nhttp:​/​/stt.spcleaner.info\r\nhttp:​/​/stt.spcleaner.info​/\r\nhttp:​/​/ufeedback.spcleaner.info\r\nhttp:​/​/www.example.com\r\nhttp:​/​/www.google.com\r\nhttp:​/​/www.slf4j.org​/cod
es.html\r\nhttp:​/​/www.tumblr.com​/connect​/login_success.html\r\nhttp:​/​/xmlpull.org​/v1​/doc​/features.html\r\nhttps:​/​/adlog.flurry.com\r\nhttps:​/​/ads.flurry.com​/v16​/getAds.do\r\nhttps:​/​/analytics.mopub.com​/i​/jot​/exchange_client_event\r\nhttps:​/​/api.appsflyer.com​/install_data​/v3​/\r\nhttps:​/​/api.tumblr.com​/v2​/blog​/\r\nhttps:​/​/api.tumblr.com​/v2​/user​/info\r\nhttps:​/​/app-measurement.com​/a\r\nhttps:​/​/cdn.flurry.com​/sdkAssets​/bttn-close-bw.png\r\nhttps:​/​/cdn.flurry.com​/vast​/videocontrols​/v2​/android.zip\r\nhttps:​/​/code.google.com​/p​/android​/issues​/detail?id=10789\r\nhttps:​/​/csi.gstatic.com​/csi\r\nhttps:​/​/data.flurry.com​/aap.do\r\nhttps:​/​/data.flurry.com​/pcr.do\r\nhttps:​/​/events.appsflyer.com​/api​/v\r\nhttps:​/​/github.com​/vinc3m1\r\nhttps:​/​/github.com​/vinc3m1​/RoundedImageView\r\nhttps:​/​/github.com​/vinc3m1​/RoundedImageView.git\r\nhttps:​/​/googleads.g.doubleclick.net​/mads​/static​/mad​/sdk​/native​/mraid​/v2​/mraid_app_banner.js\r\nhttps:​/​/googleads.g.doubleclick.net​/mads​/static​/mad​/sdk​/native​/mraid​/v2​/mraid_app_expanded_banner.js\r\nhttps:​/​/googleads.g.doubleclick.net​/mads​/static​/mad​/sdk​/native​/mraid​/v2​/mraid_app_interstitial.js\r\nhttps:​/​/googleads.g.doubleclick.net​/mads​/static​/mad​/sdk​/native​/sdk-core-v40.html\r\nhttps:​/​/graph.%s.facebook.com​/network_ads_common​/\r\nhttps:​/​/graph.facebook.com​/network_ads_common​/\r\nhttps:​/​/market.android.com\r\nhttps:​/​/pagead2.googlesyndication.com​/pagead​/gen_204\r\nhttps:​/​/play.google.com\r\nhttps:​/​/play.google.com​/store​/apps​/details?id=\r\nhttps:​/​/proton.flurry.com​/sdk​/v1​/config\r\nhttps:​/​/register.appsflyer.com​/api​/v\r\nhttps:​/​/sb-ssl.google.com​/safebrowsing​/clientreport​/malware\r\nhttps:​/​/sdk-services.appsflyer.com​/validate-android-signature\r\nhttps:​/​/stats.appsflyer.com​/stats\r\nhttps:​/​/supo-cleaner.firebaseio.com\r\nhttps:​/​/t.appsflyer.com​/api​/v\r\nhttps:​/​/twitter.com​/%s​/status​/%s\r\nh
ttps:​/​/www.%s.facebook.com\r\nhttps:​/​/www.facebook.com​/\r\nhttps:​/​/www.facebook.com​/SUPO-Cleaner-Page-282609748784957\r\nhttps:​/​/www.google.com\r\nhttps:​/​/www.googleapis.com​/auth​/games\r\nhttps:​/​/www.googleapis.com​/auth​/plus.me\r\nhttps:​/​/www.mopub.com​/optout\r\nhttps:​/​/www.mopub.com​/optout​/\r\nhttps:​/​/www.tumblr.com​/oauth​/access_token\r\nhttps:​/​/www.tumblr.com​/oauth​/authorize?oauth_token=%s\r\nhttps:​/​/www.tumblr.com​/oauth​/request_token"
    }
  }
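A developer reviewing a URL Listing result for their own app usually wants the entries sorted by why they matter. The following added example (not part of the scanner or its API) reads `context.pre` from a result shaped like the one above and flags cleartext `http` URLs, internal or loopback hosts, other IP literals and format-string templates. The function names, flag labels and sample result are assumptions constructed for the illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 1918 ranges plus loopback: hosts that only make sense on an internal network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
TEMPLATE_RE = re.compile(r"%[sd]")
# XML namespace identifiers look like URLs but are never fetched.
NAMESPACE_URIS = {"http://schemas.android.com/apk/res/android"}


def flags_for(url):
    """Return a sorted list of review flags for one embedded URL."""
    flags = set()
    if TEMPLATE_RE.search(url):
        flags.add("template")        # host or path is filled in at runtime
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
    except ValueError:
        return ["unparseable"]
    if parts.scheme == "http":
        flags.add("cleartext")       # no transport encryption
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                    # a DNS name or a template, not an IP literal
    if ip is not None:
        if any(ip.version == net.version and ip in net for net in INTERNAL_NETS):
            flags.add("internal_host")
        else:
            flags.add("ip_literal")
    return sorted(flags)


def triage_url_listing(result):
    """Map each flagged URL in a url_listing result to its flags."""
    if result.get("key") != "url_listing" or not result.get("affected"):
        return {}
    report = {}
    for line in result["context"]["pre"].split("\r\n"):
        url = line.strip()
        if not url or url in NAMESPACE_URIS:
            continue
        flags = flags_for(url)
        if flags:
            report[url] = flags
    return report


# Constructed sample result; hosts use example.com and reserved address ranges.
SAMPLE_RESULT = {
    "kind": "static",
    "key": "url_listing",
    "affected": True,
    "context": {
        "title": "URLs",
        "pre": "\r\n".join([
            "http://%s:%d/%s",
            "http://127.0.0.1:",
            "http://192.168.5.20:8080/v3/config",
            "http://203.0.113.7:12201/v3/config?pubid=1",
            "http://config.example.com/v3/config",
            "http://schemas.android.com/apk/res/android",
            "https://api.example.com/v2/user/info",
            "https://www.%s.example.com",
        ]),
    },
}

if __name__ == "__main__":
    for url, flags in triage_url_listing(SAMPLE_RESULT).items():
        print(", ".join(flags).ljust(28), url)
```
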

File Listing

  • Shows the files contained in the APK package.

Example:

{
    "kind": "static",
    "key": "get_app_files",
    "title": "File Listing",
    "category": "artifact",
    "summary": "\n    Shows the files contained in the APK package.\n  ",
    "regulatory": {},
    "affected": true,
    "context": {
      "title": "Files"
    }
  }

Decompile APK Check

  • Determines if an application can be decoded and if its resources can be extracted for further analysis.

Example:

{
    "kind": "static",
    "key": "javascript_interface_check",
    "title": "Javascript Interface Check",
    "category": "code",
    "summary": "\n    Checks for the usage of `addJavascriptInterface()`. This can be used to intercept network traffic thats being sent and interact with the javascript interface.\n  ",
    "cvss": 2.9,
    "regulatory": {
      "cwe": [
        {
          "id": 545,
          "url": "https://cwe.mitre.org/data/definitions/545.html"
        }
      ],
      "owasp": [
        {
          "id": "Mobile Top 10: M7-Client Side Injection",
          "url": "https://www.owasp.org/index.php/Mobile_Top_10_2014-M7"
        }
      ]
    },
    "affected": false,
    "severity": "pass",
    "description": "\n    Your application is not vulnerable to untrusted code execution using a Javascript interface.\n  "
  }

Decode APK Check

  • Determines whether an application can be decoded and if its resources can be extracted for further analysis.

Example:

{
    "kind": "static",
    "key": "decode_apk_check",
    "title": "Decode APK Check",
    "category": "code",
    "summary": "\n    Determines whether an application can be decoded and if its resources can\n    be extracted for further analysis.\n  ",
    "regulatory": {},
    "affected": true,
    "issue": {
      "category": "code",
      "severity": "info",
      "title": "APK Decoded",
      "description": "\n    We were able to decode your application to java executable files, which an attacker would be able to do as well. This could allow access to any sensitive information contained in the java executable files.\n  ",
      "recommendation": "\n    Ensure that the decoded application does not contain sensitive user or application data that you would not want a malicious user to have access to.\n  ",
      "pass": "\n    We were unable to decode your application java executable files, which indicates that it may be difficult for an attacker to get access to any sensitive data stored here.\n  "
    },
    "severity": "info",
    "description": "\n    We were able to decode your application to java executable files, which an attacker would be able to do as well. This could allow access to any sensitive information contained in the java executable files.\n  ",
    "recommendation": "\n    Ensure that the decoded application does not contain sensitive user or application data that you would not want a malicious user to have access to.\n  "
  }
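Result objects like the ones above can be triaged automatically, for example as a build gate. The following Python is an added example, not part of the scanner or its documentation; it assumes the report is a JSON array of such objects, and the function names and sample data are constructed for illustration.

```python
import json

# Constructed sample: a JSON array of result objects in the shape shown on
# this page, with fields and descriptions abridged.
SAMPLE_REPORT = json.dumps([
    {"kind": "static", "key": "javascript_interface_check", "cvss": 2.9,
     "regulatory": {"cwe": [{"id": 545}]},
     "affected": False, "severity": "pass",
     "description": "\n    Not vulnerable (constructed text).\n  "},
    {"kind": "static", "key": "get_reflection_code", "regulatory": {},
     "affected": True, "severity": "info",
     "description": "\n    Your application uses reflection.\n  "},
    {"kind": "static", "key": "decode_apk_check", "regulatory": {},
     "affected": True, "severity": "info",
     "description": "\n    APK decoded (constructed text).\n  "},
])

# Only "pass" and "info" appear on this page. Any other severity string is
# ranked above both, so an unrecognised value is surfaced, never hidden.
KNOWN_RANK = {"pass": 0, "info": 1}
UNKNOWN_RANK = 99

def normalise(finding):
    """Flatten one result object into the fields a triage list needs."""
    reg = finding.get("regulatory") or {}          # may be {} as in the examples
    return {
        "key": finding["key"],
        "severity": finding.get("severity", "unknown"),
        "affected": bool(finding.get("affected")),
        "cvss": finding.get("cvss"),               # absent on some checks
        "cwe": [f"CWE-{c['id']}" for c in reg.get("cwe", [])],
        "description": " ".join(finding.get("description", "").split()),
    }

def triage(report_json):
    """Return affected findings, most urgent first (severity, cvss, key)."""
    rows = [normalise(f) for f in json.loads(report_json)]
    hits = [r for r in rows if r["affected"]]
    hits.sort(key=lambda r: (-KNOWN_RANK.get(r["severity"], UNKNOWN_RANK),
                             -(r["cvss"] or 0.0), r["key"]))
    return hits

def gate(report_json, allowed=("pass", "info")):
    """CI gate: keys of affected findings whose severity is not allowed."""
    return [r["key"] for r in triage(report_json) if r["severity"] not in allowed]

if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print(row["severity"], row["key"], row["cwe"], row["description"])
```

A non-empty list from `gate()` is the signal to fail the build; the `allowed` tuple is the place to tighten or relax that policy.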

Native Method Listing

  • Checks for native libraries used in the application. Native libraries are non-Java libraries typically loaded through Java Native Interface (JNI).

Example:

{
    "kind": "static",
    "key": "get_native_methods",
    "title": "Native Method Listing",
    "category": "code",
    "summary": "\n    Checks for native libraries used in the application. Native libraries are\n    non-Java libraries typically loaded through Java Native Interface (JNI).\n  ",
    "regulatory": {},
    "affected": false,
    "severity": "pass",
    "description": "\n    Your application does not use any native methods.\n  "
  }

Reflection Code Locations

  • Reflection grants the ability and flexibility to view and determine API characteristics at runtime, as opposed to compile time. From there, developers can construct objects, access fields, and invoke methods dynamically. These reflection APIs come as part of the Android SDK and can be beneficial when targeting a variety of Android versions/devices. At runtime, reflection techniques can be used to determine if a specific class or method is available before trying to use it. This enables the developer to leverage newer APIs, while still supporting older versions, all from within the same application. This check looks for code reflection within the application and returns where reflection is used.

Example:

{
    "kind": "static",
    "key": "get_reflection_code",
    "title": "Reflection Code Locations",
    "category": "code",
    "summary": "\n    Reflection grants the ability and flexibility to view and determine API \n    characteristics at runtime, as opposed to compile time. From there, \n    developers can construct objects, access fields, and invoke methods \n    dynamically. These reflection APIs come as part of the Android SDK and \n    can be beneficial when targeting a variety of Android versions/devices. \n    At runtime, reflection techniques can be used to determine if a specific \n    class or method is available before trying to use it. This enables the \n    developer to leverage newer APIs, while still supporting older versions, \n    all from within the same application. This check looks for code reflection \n    within the application and returns where reflection is used.\n  ",
    "regulatory": {},
    "affected": true,
    "issue": {
      "category": "code",
      "severity": "info",
      "title": "Reflection detected",
      "pass": "\n    Your application does not use reflection.\n  ",
      "description": "\n    Your application uses reflection.\n  ",
      "recommendation": "\n    Reflection on its own doesn't impose any added security risks, however, \n    it is important to understand the use case for needing reflection, as it \n    can be difficult to debug if issues arise. In some cases, reflection could \n    be used as an obfuscation technique or to access non-public classes/methods.\n  "
    },
    "severity": "info",
    "description": "\n    Your application uses reflection.\n  ",
    "recommendation": "\n    Reflection on its own doesn't impose any added security risks, however, \n    it is important to understand the use case for needing reflection, as it \n    can be difficult to debug if issues arise. In some cases, reflection could \n    be used as an obfuscation technique or to access non-public classes/methods.\n  ",
    "context": {
      "title": "Code Locations",
      "rows": [
        {
          "dst": "Ljava/lang/reflect/Method; invoke (Ljava/lang/Object; [Ljava/lang/Object;)Ljava/lang/Object;"