Skip to main content

Missing secure obfuscation - binary

Description

An anonymous user from the Internet can extract the .apk of the Android application to decompile the binaries in order to have access to the source code and thus better understand the logic of the application.

Impact

  • Extract the apk from the application.
  • Decompile the binaries found in the apk.
  • Understand the logic of the application and increases the attack surface.

Recommendation

Obfuscate all source code files in production.

Threat

Anonymous user from the Internet with access to the application logic being able to view the binaries and see the source code.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the src.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code madurity: P
  • Remediation level: O
  • Report confidence: R

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:R
  • Score:
    • Base: 5.3
    • Temporal: 4.6
  • Severity:
    • Base: Medium
    • Temporal: Medium

Score 4.0

Default score using CVSS 4.0 . It may change depending on the context of the src.

Base 4.0

  • Attack vector: N
  • Attack complexity: L
  • Attack Requirements: N
  • Privileges required: N
  • User interaction: N
  • Confidentiality (VC): L
  • Integrity (VI): N
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit madurity: P

Result 4.0

  • Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
  • Score:
    • CVSS-BT: 5.5
  • Severity:
    • CVSS-BT: Medium

Compliant code

Applying some obfuscation technique, the function above could be mabe uninteligible to an attacker

function _0x5760(){const _0x5b43e6=['318ZFoYzZ','13572pkItrl','2840LJWeoj','express-rate-limit','1464175ucMfwb','651524FvQCOL','2517774aEwpWg','2888lRwrdU','6748SYAhfv','1686jgfuoM','169575nYzNCZ'];_0x5760=function(){return _0x5b43e6;};return _0x5760();}const _0x1b2ce3=_0x49ea;function _0x49ea(_0x1abde5,_0x4c6e26){const _0x576075=_0x5760();return _0x49ea=function(_0x49eadd,_0x427b84){_0x49eadd=_0x49eadd-0xaf;let _0x5cf1f9=_0x576075[_0x49eadd];return _0x5cf1f9;},_0x49ea(_0x1abde5,_0x4c6e26);}(function(_0x1a041f,_0x32de2e){const _0x3f5060=_0x49ea,_0x335ce6=_0x1a041f();while(!![]){try{const _0x42fc9f=parseInt(_0x3f5060(0xb0))/0x1*(parseInt(_0x3f5060(0xb9))/0x2)+parseInt(_0x3f5060(0xaf))/0x3+-parseInt(_0x3f5060(0xb5))/0x4+-parseInt(_0x3f5060(0xb4))/0x5+-parseInt(_0x3f5060(0xb6))/0x6+-parseInt(_0x3f5060(0xb8))/0x7*(-parseInt(_0x3f5060(0xb7))/0x8)+parseInt(_0x3f5060(0xb1))/0x9*(parseInt(_0x3f5060(0xb2))/0xa);if(_0x42fc9f===_0x32de2e)break;else _0x335ce6['push'](_0x335ce6['shift']());}catch(_0xcc228){_0x335ce6['push'](_0x335ce6['shift']());}}}(_0x5760,0x370fa));const rateLimit=require(_0x1b2ce3(0xb3)),apiLimiter=rateLimit({'windowMs':0xf*0x3c*0x3e8,'max':None});

Non compliant code

A function that recreates a sensitive part of the business model can be accessed by an attacker

const rateLimit = require("express-rate-limit");
const apiLimiter = rateLimit({
windowMs: 15 * 60 * 1000,
max: None
});

Requirements

Fixes

free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.