
Android App Security Analysis 2025

The Android static analysis report for the TBSE app (version 3.0.2) indicates a medium risk security score of 47/100, with several high and medium severity findings, including vulnerabilities related to the app's installation on outdated Android versions. The report highlights issues such as shared broadcast receivers and services that may expose the app to unauthorized access, as well as the need for better permission management. Additionally, the app is signed with a v1 signature scheme, which poses a potential vulnerability to the Janus exploit on certain Android versions.

Uploaded by ef.zoned

ANDROID STATIC ANALYSIS REPORT

TBSE (3.0.2)
File Name: base.apk

Package Name: com.thebarstockexchange.tbse

Scan Date: Feb. 14, 2025, 6:20 a.m.

App Security Score: 47/100 (MEDIUM RISK)

Grade: B
Trackers Detection: 3/432

FINDINGS SEVERITY

HIGH | MEDIUM | INFO | SECURE | HOTSPOT
3 | 30 | 3 | 1 | 1

FILE INFORMATION
File Name: base.apk
Size: 5.7MB
MD5: 632206f400551d57a1b137f4ba77f74a
SHA1: 8ea082f8ed2983ea17b21e312ef734f792c2d6e7
SHA256: 8703bd32920d5a8c602604a4f5eb025fe58d7475d34c6dfad872e80d3a2c38c0

APP INFORMATION
App Name: TBSE
Package Name: com.thebarstockexchange.tbse
Main Activity: com.thebarstockexchange.tbse.MainActivity
Target SDK: 34
Min SDK: 21
Max SDK:
Android Version Name: 3.0.2
Android Version Code: 31

APP COMPONENTS
Activities: 12
Services: 19
Receivers: 20
Providers: 6
Exported Activities: 4
Exported Services: 3
Exported Receivers: 9
Exported Providers: 0

CERTIFICATE INFORMATION
Binary is signed
v1 signature: True
v2 signature: True
v3 signature: True
v4 signature: False
X.509 Subject: C=US, ST=California, L=Mountain View, O=Google Inc., OU=Android, CN=Android
Signature Algorithm: rsassa_pkcs1v15
Valid From: 2017-06-21 18:36:28+00:00
Valid To: 2047-06-21 18:36:28+00:00
Issuer: C=US, ST=California, L=Mountain View, O=Google Inc., OU=Android, CN=Android
Serial Number: 0x254ae0a024b198675896cfc599fb3c591dc54c19
Hash Algorithm: sha256
md5: 604e7f54fbd4671b5fe94afb2dd2cbb7
sha1: 74b32440ab0dda4e96721651db0ee777b7b4474b
sha256: 29ffbbacfb84a3074fc10729883b7563e628feebbff88670096e504b4dd0a080
sha512: 6bd244c555381c63877a5600c8e4a8786f945f92945bc85cafcfce6bae145a0e6f539a863f635ac768682de100121fe4fbc5ba97374d61cf5f24c0d55aae560d
PublicKey Algorithm: rsa
Bit Size: 4096
Fingerprint: 407f4cedaf61eebf4432decef0efde3d2ec1e115a2184857e1be628385297ec9
Found 1 unique certificates

APPLICATION PERMISSIONS

PERMISSION | STATUS | INFO | DESCRIPTION
android.permission.INTERNET | normal | full Internet access | Allows an application to create network sockets.
android.permission.CAMERA | dangerous | take pictures and videos | Allows application to take pictures and videos with the camera. This allows the application to collect images that the camera is seeing at any time.
android.permission.READ_EXTERNAL_STORAGE | dangerous | read external storage contents | Allows an application to read from external storage.
android.permission.WRITE_EXTERNAL_STORAGE | dangerous | read/modify/delete external storage contents | Allows an application to write to external storage.
android.permission.STORAGE_INTERNAL | unknown | Unknown permission | Unknown permission from android reference
android.permission.ACCESS_FINE_LOCATION | dangerous | fine (GPS) location | Access fine location sources, such as the Global Positioning System on the phone, where available. Malicious applications can use this to determine where you are and may consume additional battery power.
android.permission.ACCESS_COARSE_LOCATION | dangerous | coarse (network-based) location | Access coarse location sources, such as the mobile network database, to determine an approximate phone location, where available. Malicious applications can use this to determine approximately where you are.
android.permission.VIBRATE | normal | control vibrator | Allows the application to control the vibrator.
android.permission.POST_NOTIFICATIONS | dangerous | allows an app to post notifications. | Allows an app to post notifications
android.permission.FOREGROUND_SERVICE | normal | enables regular apps to use Service.startForeground. | Allows a regular application to use Service.startForeground.
android.permission.WAKE_LOCK | normal | prevent phone from sleeping | Allows an application to prevent the phone from going to sleep.
android.permission.READ_PHONE_STATE | dangerous | read phone state and identity | Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and so on.
com.thebarstockexchange.tbse.permission.C2D_MESSAGE | unknown | Unknown permission | Unknown permission from android reference
com.google.android.c2dm.permission.RECEIVE | normal | receive push notifications | Allows an application to receive push notifications from cloud.
android.permission.ACCESS_NETWORK_STATE | normal | view network status | Allows an application to view the status of all networks.
android.permission.RECEIVE_BOOT_COMPLETED | normal | automatically start at boot | Allows an application to start itself as soon as the system has finished booting. This can make it take longer to start the phone and allow the application to slow down the overall phone by always running.
com.sec.android.provider.badge.permission.READ | normal | show notification count on app | Show notification count or badge on application launch icon for samsung phones.
com.sec.android.provider.badge.permission.WRITE | normal | show notification count on app | Show notification count or badge on application launch icon for samsung phones.
com.htc.launcher.permission.READ_SETTINGS | normal | show notification count on app | Show notification count or badge on application launch icon for htc phones.
com.htc.launcher.permission.UPDATE_SHORTCUT | normal | show notification count on app | Show notification count or badge on application launch icon for htc phones.
com.sonyericsson.home.permission.BROADCAST_BADGE | normal | show notification count on app | Show notification count or badge on application launch icon for sony phones.
com.sonymobile.home.permission.PROVIDER_INSERT_BADGE | normal | show notification count on app | Show notification count or badge on application launch icon for sony phones.
com.anddoes.launcher.permission.UPDATE_COUNT | normal | show notification count on app | Show notification count or badge on application launch icon for apex.
com.majeur.launcher.permission.UPDATE_BADGE | normal | show notification count on app | Show notification count or badge on application launch icon for solid.
com.huawei.android.launcher.permission.CHANGE_BADGE | normal | show notification count on app | Show notification count or badge on application launch icon for huawei phones.
com.huawei.android.launcher.permission.READ_SETTINGS | normal | show notification count on app | Show notification count or badge on application launch icon for huawei phones.
com.huawei.android.launcher.permission.WRITE_SETTINGS | normal | show notification count on app | Show notification count or badge on application launch icon for huawei phones.
android.permission.READ_APP_BADGE | normal | show app notification | Allows an application to show app icon badges.
com.oppo.launcher.permission.READ_SETTINGS | normal | show notification count on app | Show notification count or badge on application launch icon for oppo phones.
com.oppo.launcher.permission.WRITE_SETTINGS | normal | show notification count on app | Show notification count or badge on application launch icon for oppo phones.
me.everything.badger.permission.BADGE_COUNT_READ | unknown | Unknown permission | Unknown permission from android reference
me.everything.badger.permission.BADGE_COUNT_WRITE | unknown | Unknown permission | Unknown permission from android reference
com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE | normal | permission defined by google | A custom permission defined by Google.
com.google.android.gms.permission.AD_ID | normal | application shows advertisements | This app uses a Google advertising ID and can possibly serve advertisements.
com.thebarstockexchange.tbse.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION | unknown | Unknown permission | Unknown permission from android reference

APKID ANALYSIS

FILE: classes.dex

FINDINGS | DETAILS
Anti-VM Code | Build.FINGERPRINT check; Build.MODEL check; Build.MANUFACTURER check; Build.PRODUCT check; Build.HARDWARE check; Build.BOARD check; possible Build.SERIAL check; Build.TAGS check
Compiler | r8 without marker (suspicious)

BROWSABLE ACTIVITIES

ACTIVITY | INTENT
com.facebook.CustomTabActivity | Schemes: fbconnect://; Hosts: cct.com.thebarstockexchange.tbse

NETWORK SECURITY

NO | SCOPE | SEVERITY | DESCRIPTION

CERTIFICATE ANALYSIS
HIGH: 0 | WARNING: 1 | INFO: 1

TITLE | SEVERITY | DESCRIPTION
Signed Application | info | Application is signed with a code signing certificate
Application vulnerable to Janus Vulnerability | warning | Application is signed with v1 signature scheme, making it vulnerable to Janus vulnerability on Android 5.0-8.0, if signed only with v1 signature scheme. Applications running on Android 5.0-7.0 signed with v1, and v2/v3 scheme is also vulnerable.

MANIFEST ANALYSIS
HIGH: 1 | WARNING: 18 | INFO: 0 | SUPPRESSED: 0

NO | ISSUE | SEVERITY | DESCRIPTION
1 | App can be installed on a vulnerable unpatched Android version Android 5.0-5.0.2, [minSdk=21] | high | This application can be installed on an older version of android that has multiple unfixed vulnerabilities. These devices won't receive reasonable security updates from Google. Support an Android version >= 10, API 29 to receive reasonable security updates.
2 | Application Data can be Backed up [android:allowBackup] flag is missing. | warning | The flag [android:allowBackup] should be set to false. By default it is set to true and allows anyone to backup your application data via adb. It allows users who have enabled USB debugging to copy application data off of the device.
3 | Broadcast Receiver (com.dexterous.flutterlocalnotifications.ScheduledNotificationBootReceiver) is not Protected. [android:exported=true] | warning | A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
4 | Broadcast Receiver (com.github.florent37.assets_audio_player.notification.NotificationActionReceiver) is not Protected. [android:exported=true] | warning | A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
5 | Broadcast Receiver (com.github.florent37.assets_audio_player.notification.CustomMediaButtonReceiver) is not Protected. [android:exported=true] | warning | A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
6 | Service (com.github.florent37.assets_audio_player.notification.NotificationService) is not Protected. [android:exported=true] | warning | A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
7 | Broadcast Receiver (com.onesignal.FCMBroadcastReceiver) is Protected by a permission, but the protection level of the permission should be checked. Permission: com.google.android.c2dm.permission.SEND [android:exported=true] | warning | A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
8 | Activity (com.onesignal.NotificationOpenedActivityHMS) is not Protected. [android:exported=true] | warning | An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
9 | Broadcast Receiver (com.onesignal.NotificationDismissReceiver) is not Protected. [android:exported=true] | warning | A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
10 | Broadcast Receiver (com.onesignal.BootUpReceiver) is not Protected. [android:exported=true] | warning | A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
11 | Broadcast Receiver (com.onesignal.UpgradeReceiver) is not Protected. [android:exported=true] | warning | A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
12 | Activity (com.onesignal.NotificationOpenedReceiver) is not Protected. [android:exported=true] | warning | An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
13 | Activity (com.onesignal.NotificationOpenedReceiverAndroid22AndOlder) is not Protected. [android:exported=true] | warning | An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
14 | Service (com.google.android.gms.auth.api.signin.RevocationBoundService) is Protected by a permission, but the protection level of the permission should be checked. Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true] | warning | A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
15 | Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is Protected by a permission, but the protection level of the permission should be checked. Permission: com.google.android.c2dm.permission.SEND [android:exported=true] | warning | A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
16 | Activity (com.facebook.CustomTabActivity) is not Protected. [android:exported=true] | warning | An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
17 | Service (androidx.work.impl.background.systemjob.SystemJobService) is Protected by a permission, but the protection level of the permission should be checked. Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] | warning | A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
18 | Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) is Protected by a permission, but the protection level of the permission should be checked. Permission: android.permission.DUMP [android:exported=true] | warning | A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
19 | High Intent Priority (999) - {1} Hit(s) [android:priority] | warning | By setting an intent priority higher than another intent, the app effectively overrides other requests.

CODE ANALYSIS
HIGH: 2 | WARNING: 9 | INFO: 3 | SECURE: 1 | SUPPRESSED: 0
NO | ISSUE | SEVERITY | STANDARDS | FILES

1 | The App logs information. Sensitive information should never be logged. | info | CWE: CWE-532: Insertion of Sensitive Information into Log File; OWASP MASVS: MSTG-STORAGE-3 |
2 | App can write to App Directory. Sensitive Information should be encrypted. | info | CWE: CWE-276: Incorrect Default Permissions; OWASP MASVS: MSTG-STORAGE-14 | b3/b.java, o2/b.java, o2/c1.java, o2/j.java, o2/p0.java, o2/t0.java, o3/e0.java, v2/j.java
3 | Files may contain hardcoded sensitive information like usernames, passwords, keys etc. | warning | CWE: CWE-312: Cleartext Storage of Sensitive Information; OWASP Top 10: M9: Reverse Engineering; OWASP MASVS: MSTG-STORAGE-14 | com/dexterous/flutterlocalnotifications/FlutterLocalNotificationsPlugin.java, com/dexterous/flutterlocalnotifications/models/NotificationDetails.java, com/onesignal/o1.java, com/onesignal/o4.java, com/onesignal/w1.java, o1/g.java, q1/d.java, q1/p.java, q1/x.java, r2/g.java, z0/d.java
4 | App uses SQLite Database and execute raw SQL query. Untrusted user input in raw SQL queries can cause SQL Injection. Also sensitive information should be encrypted and written to the database. | warning | CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'); OWASP Top 10: M7: Client Code Quality | com/onesignal/r3.java, da/i.java, g4/b0.java, g4/h0.java, ha/c.java, o0/c.java
5 | IP Address disclosure | warning | CWE: CWE-200: Information Exposure; OWASP MASVS: MSTG-CODE-2 | t5/c.java
6 | This App copies data to clipboard. Sensitive data should not be copied to clipboard as other applications can access it. | info | OWASP MASVS: MSTG-STORAGE-10 | io/flutter/plugin/editing/b.java, jb/b.java
7 | MD5 is a weak hash known to have hash collisions. | warning | CWE: CWE-327: Use of a Broken or Risky Cryptographic Algorithm; OWASP Top 10: M5: Insufficient Cryptography; OWASP MASVS: MSTG-CRYPTO-4 | p2/d.java, x2/l.java
8 | The App uses an insecure Random Number Generator. | warning | CWE: CWE-330: Use of Insufficiently Random Values; OWASP Top 10: M5: Insufficient Cryptography; OWASP MASVS: MSTG-CRYPTO-6 | com/onesignal/OSUtils.java, e3/k0.java, gc/a.java, gc/b.java, hc/a.java, l4/p1.java, l7/c.java, m5/y0.java, o2/r.java, p5/b.java
9 | This App uses SSL certificate pinning to detect or prevent MITM attacks in secure communication channel. | secure | OWASP MASVS: MSTG-NETWORK-4 | tc/c.java
10 | App can read/write to External Storage. Any App can read data written to External Storage. | warning | CWE: CWE-276: Incorrect Default Permissions; OWASP Top 10: M2: Insecure Data Storage; OWASP MASVS: MSTG-STORAGE-2 | cd/a.java, e3/k0.java, mb/h.java, mb/i.java
11 | The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks. | high | CWE: CWE-649: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking; OWASP Top 10: M5: Insufficient Cryptography; OWASP MASVS: MSTG-CRYPTO-3 | r5/a.java
12 | App creates temp file. Sensitive information should never be written into a temp file. | warning | CWE: CWE-276: Incorrect Default Permissions; OWASP Top 10: M2: Insecure Data Storage; OWASP MASVS: MSTG-STORAGE-2 | io/flutter/plugins/imagepicker/d.java, j0/o0.java, w8/c.java
13 | SHA-1 is a weak hash known to have hash collisions. | warning | CWE: CWE-327: Use of a Broken or Risky Cryptographic Algorithm; OWASP Top 10: M5: Insufficient Cryptography; OWASP MASVS: MSTG-CRYPTO-4 | n3/a.java, w8/b.java
14 | Insecure WebView Implementation. Execution of user controlled code in WebView is a critical Security Hole. | warning | CWE: CWE-749: Exposed Dangerous Method or Function; OWASP Top 10: M1: Improper Platform Usage; OWASP MASVS: MSTG-PLATFORM-7 | com/onesignal/x4.java
15 | Remote WebView debugging is enabled. | high | CWE: CWE-919: Weaknesses in Mobile Applications; OWASP Top 10: M1: Improper Platform Usage; OWASP MASVS: MSTG-RESILIENCE-2 | com/onesignal/x4.java

NIAP ANALYSIS v1.3

NO | IDENTIFIER | REQUIREMENT | FEATURE | DESCRIPTION

BEHAVIOUR ANALYSIS
RULE ID | BEHAVIOUR | LABEL | FILES
00013 | Read file and put it into a stream | file | b3/a.java, cc/j.java, com/bumptech/glide/load/a.java, com/dexterous/flutterlocalnotifications/FlutterLocalNotificationsPlugin.java, g3/k.java, j0/o0.java, j6/h.java, j6/k0.java, l0/b.java, m1/a.java, oa/e.java, p2/f.java, u1/f.java, w8/c.java, x2/l.java, y2/j.java
00063 | Implicit intent(view a web page, make a phone call, etc.) | control | com/dexterous/flutterlocalnotifications/FlutterLocalNotificationsPlugin.java, com/onesignal/OSUtils.java, com/onesignal/i0.java, com/onesignal/shortcutbadger/impl/OPPOHomeBader.java, com/onesignal/shortcutbadger/impl/SonyHomeBadger.java, e1/a.java, e3/a.java, e3/d0.java, e3/k0.java, e3/l0.java, e3/p0.java, io/flutter/plugins/imagepicker/d.java, k1/a.java, l1/a.java, l1/n.java, l1/p.java, o3/c.java, ob/b.java, x6/f.java
00191 | Get messages in the SMS inbox | sms | com/onesignal/shortcutbadger/impl/SamsungHomeBadger.java, e3/a.java, e3/d0.java, e3/k0.java, r3/h.java
00036 | Get resource file from res/raw directory | reflection | com/dexterous/flutterlocalnotifications/FlutterLocalNotificationsPlugin.java, com/onesignal/OSUtils.java, com/onesignal/i0.java, com/onesignal/shortcutbadger/impl/EverythingMeHomeBadger.java, com/onesignal/shortcutbadger/impl/HuaweiHomeBadger.java, com/onesignal/shortcutbadger/impl/NovaHomeBadger.java, com/onesignal/shortcutbadger/impl/OPPOHomeBader.java, com/onesignal/shortcutbadger/impl/SamsungHomeBadger.java, com/onesignal/shortcutbadger/impl/SonyHomeBadger.java, e3/a.java, e3/k0.java, e3/l0.java, e3/p0.java, j6/k0.java, k1/a.java, l1/a.java, l1/n.java, t3/c.java, x6/f.java
00014 | Read file into a stream and put it into a JSON object | file | b3/a.java, g3/k.java, w8/c.java, y2/j.java
00009 | Put data in cursor to JSON object | file | com/onesignal/k0.java, com/onesignal/n0.java, com/onesignal/r0.java, com/onesignal/v.java, e3/k0.java
00051 | Implicit intent(view a web page, make a phone call, etc.) via setData | control | com/onesignal/OSUtils.java, com/onesignal/i0.java, e1/a.java, e3/k0.java, e3/l0.java, k1/a.java, l1/a.java, l1/n.java, l1/p.java, ob/b.java, x6/f.java
00089 | Connect to a URL and receive input stream from the server | command network | com/bumptech/glide/load/data/j.java, com/onesignal/v3.java, j6/u.java, n3/c.java, r2/g.java, x8/c.java
00012 | Read data and put it into a buffer stream | file | p2/f.java, x2/l.java
00109 | Connect to a URL and get the response code | network command | com/bumptech/glide/load/data/j.java, com/onesignal/v3.java, j6/u.java, o6/d.java, r2/g.java, u6/f.java, x8/c.java
00091 | Retrieve data from broadcast | collection | com/onesignal/FCMBroadcastReceiver.java, com/onesignal/PermissionsActivity.java, com/onesignal/a2.java, e3/d0.java, o3/k0.java
00030 | Connect to the remote server through the given URL | network | com/bumptech/glide/load/data/j.java, j6/u.java
00192 | Get messages in the SMS inbox | sms | cd/a.java
00028 | Read file from assets directory | file | j6/c.java
00162 | Create InetSocketAddress object and connecting to it | socket | zc/b.java, zc/g.java
00163 | Create new Socket and connecting to it | socket | zc/b.java, zc/g.java
00096 | Connect to a URL and set request method | command network | com/onesignal/v3.java, j6/u.java, o2/i0.java, r2/g.java, x8/c.java
00004 | Get filename and put it to JSON object | file collection | g3/c.java, k3/a.java, y2/f.java
00125 | Check if the given file path exist | file | y2/f.java
00077 | Read sensitive data(SMS, CALLLOG, etc) | collection sms calllog calendar | com/onesignal/shortcutbadger/impl/SamsungHomeBadger.java, e3/d0.java, p1/c.java, r3/h.java
00147 | Get the time of current location | collection location | com/lyokone/location/a.java
00132 | Query The ISO country code | telephony collection | k6/n0.java
00161 | Perform accessibility service action on accessibility node info | accessibility service | io/flutter/view/AccessibilityViewEmbedder.java, io/flutter/view/c.java
00092 | Send broadcast | command | com/onesignal/n0.java
00022 | Open a file from given absolute path of the file | file | io/flutter/plugins/imagepicker/d.java, j0/o0.java, mb/i.java, o0/d.java, p0/a.java
00189 | Get the content of a SMS message | sms | com/onesignal/shortcutbadger/impl/SamsungHomeBadger.java, e3/d0.java, r3/h.java
00188 | Get the address of a SMS message | sms | com/onesignal/shortcutbadger/impl/SamsungHomeBadger.java, e3/d0.java, r3/h.java
00011 | Query data from URI (SMS, CALLLOGS) | sms calllog collection | com/onesignal/shortcutbadger/impl/SamsungHomeBadger.java, e3/d0.java, r3/h.java
00200 | Query data from the contact list | collection contact | com/onesignal/shortcutbadger/impl/SamsungHomeBadger.java, e3/d0.java, r3/h.java
00187 | Query a URI and check the result | collection sms calllog calendar | com/onesignal/shortcutbadger/impl/SamsungHomeBadger.java, e3/d0.java
00201 | Query data from the call log | collection calllog | com/onesignal/shortcutbadger/impl/SamsungHomeBadger.java, e3/d0.java, r3/h.java
00015 | Put buffer stream (data) to JSON object | file | e3/k0.java
00078 | Get the network operator name | collection telephony | com/onesignal/OSUtils.java, e3/k0.java
00094 | Connect to a URL and read data from it | command network | j6/u.java
00108 | Read the input stream from given URL | network command | j6/u.java
00202 | Make a phone call | control | l1/p.java
00203 | Put a phone number into an intent | control | l1/p.java
00003 | Put the compressed bitmap data into JSON object | camera | o2/i0.java, s2/l.java
00209 | Get pixels from the latest rendered image | collection | io/flutter/embedding/android/g.java
00210 | Copy pixels from the latest rendered image into a Bitmap | collection | io/flutter/embedding/android/g.java
00173 | Get bounds in screen of an AccessibilityNodeInfo and perform action | accessibility service | io/flutter/view/AccessibilityViewEmbedder.java

ABUSED PERMISSIONS

TYPE | MATCHES | PERMISSIONS
Malware Permissions | 11/25 | android.permission.INTERNET, android.permission.CAMERA, android.permission.READ_EXTERNAL_STORAGE, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_COARSE_LOCATION, android.permission.VIBRATE, android.permission.WAKE_LOCK, android.permission.READ_PHONE_STATE, android.permission.ACCESS_NETWORK_STATE, android.permission.RECEIVE_BOOT_COMPLETED
Other Common Permissions | 4/44 | android.permission.FOREGROUND_SERVICE, com.google.android.c2dm.permission.RECEIVE, com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE, com.google.android.gms.permission.AD_ID

Malware Permissions: Top permissions that are widely abused by known malware.
Other Common Permissions: Permissions that are commonly abused by known malware.

OFAC SANCTIONED COUNTRIES
This app may communicate with the following OFAC sanctioned list of countries.

DOMAIN COUNTRY/REGION

DOMAIN MALWARE CHECK

DOMAIN | STATUS | GEOLOCATION
www.w3.org | ok | IP: 104.18.23.19; Country: United States of America; Region: California; City: San Francisco; Latitude: 37.775700; Longitude: -122.395203
aomedia.org | ok | IP: 185.199.109.153; Country: United States of America; Region: Pennsylvania; City: California; Latitude: 40.065632; Longitude: -79.891708
developers.facebook.com | ok | IP: 163.70.145.20; Country: France; Region: Ile-de-France; City: Nanterre; Latitude: 48.891979; Longitude: 2.206750
pagead2.googlesyndication.com | ok | IP: 142.250.182.194; Country: United States of America; Region: California; City: Mountain View; Latitude: 37.405991; Longitude: -122.078514
facebook.com | ok | IP: 163.70.145.35; Country: France; Region: Ile-de-France; City: Nanterre; Latitude: 48.891979; Longitude: 2.206750
github.com | ok | IP: 20.207.73.82; Country: United States of America; Region: Washington; City: Redmond; Latitude: 47.682899; Longitude: -122.120903
schemas.microsoft.com | ok | IP: 13.107.246.48; Country: Netherlands; Region: Noord-Holland; City: Amsterdam; Latitude: 52.374031; Longitude: 4.889690
developer.android.com | ok | IP: 142.250.183.46; Country: United States of America; Region: California; City: Mountain View; Latitude: 37.405991; Longitude: -122.078514
issuetracker.google.com | ok | IP: 142.251.42.78; Country: United States of America; Region: California; City: Mountain View; Latitude: 37.405991; Longitude: -122.078514
developer.apple.com | ok | IP: 17.253.61.197; Country: United States of America; Region: Arizona; City: Mesa; Latitude: 33.422272; Longitude: -111.822639
exoplayer.dev | ok | IP: 185.199.111.153; Country: United States of America; Region: Pennsylvania; City: California; Latitude: 40.065632; Longitude: -79.891708
dashif.org | ok | IP: 185.199.109.153; Country: United States of America; Region: Pennsylvania; City: California; Latitude: 40.065632; Longitude: -79.891708
ns.adobe.com | ok | No Geolocation information available.
graph.s | ok | No Geolocation information available.
www.facebook.com | ok | IP: 163.70.145.35; Country: France; Region: Ile-de-France; City: Nanterre; Latitude: 48.891979; Longitude: 2.206750
graph-video.s | ok | No Geolocation information available.
.facebook.com | ok | No Geolocation information available.
accounts.google.com | ok | IP: 74.125.68.84; Country: United States of America; Region: California; City: Mountain View; Latitude: 37.405991; Longitude: -122.078514
api.onesignal.com | ok | IP: 104.17.111.223; Country: United States of America; Region: California; City: San Francisco; Latitude: 37.775700; Longitude: -122.395203

EMAILS

EMAIL | FILE
u0013android@android.com0, u0013android@android.com | x6/w.java

TRACKERS

TRACKER | CATEGORIES | URL
Facebook Login | Identification | https://reports.exodus-privacy.eu.org/trackers/67
Google Firebase Analytics | Analytics | https://reports.exodus-privacy.eu.org/trackers/49
OneSignal | | https://reports.exodus-privacy.eu.org/trackers/193

HARDCODED SECRETS

POSSIBLE SECRETS

"facebook_client_token" : "ed14b00c631b8852e422cd3215e1325e"


PLAYSTORE INFORMATION
Title: TBSE 2.0 UPGRADED

Score: None
Installs: 100,000+
Price: 0
Android Version Support:
Category: Food & Drink
Play Store URL: com.thebarstockexchange.tbse

Developer Details: The Bar Stock Exchange, The+Bar+Stock+Exchange, None, https://www.thebarstockexchange.com, info@thebarstockexchange.com,

Release Date: None
Privacy Policy: Privacy link

Description:
Conceptualized on the lines of our infamous stock market, TBSE is a fun, unique and cutting-edge bar concept that allows customers to trade in alcohol and spirits, with
prices starting from as low as MRP prices! India’s first stock market based pub chain where the drink prices change based on real time demand, TBSE presents an
experience similar to trading in the stock market - Think of it as happy hours where you control the prices of all the drinks, any time, every time! Being touted as the most
technologically advanced bar in India, customers can also place an order via a specially developed app (Android and iOS) that lets you monitor prices and order in real
time. Customers can compete with each other and the system to score the best prices on their choice of drinks. The brand has taken the nation by storm and has
become the ‘place to be’ for revelers & also being added on the ‘must-go-to’ list of foreign expats & tourists alike. TBSE will “trade”* in alcohol whilst making sure you have
a great exchange (of conversation, of course!). Starting with all prices starting at retail prices, the prices of your favourite drink rise in direct proportion to its consumption
over a period of time at the bar. Every increasing peg/pint/shot/glass ordered by a patron increases its value margin, to be brought down once again if time is on your
side (if orders for the same drink decrease over a period of time). Before you gasp in worry, our circuit breaker system will ensure that you get the best bang out of your
buck always (whether your favourite stock be high or low).

SCAN LOGS

Timestamp | Event | Error
2025-02-14 06:20:40 | Generating Hashes | OK
2025-02-14 06:20:40 | Extracting APK | OK
2025-02-14 06:20:40 | Unzipping | OK
2025-02-14 06:20:40 | Parsing APK with androguard | OK
2025-02-14 06:20:41 | Extracting APK features using aapt/aapt2 | OK
2025-02-14 06:20:41 | Getting Hardcoded Certificates/Keystores | OK
2025-02-14 06:20:44 | Parsing AndroidManifest.xml | OK
2025-02-14 06:20:44 | Extracting Manifest Data | OK
2025-02-14 06:20:44 | Manifest Analysis Started | OK
2025-02-14 06:20:44 | Performing Static Analysis on: TBSE (com.thebarstockexchange.tbse) | OK
2025-02-14 06:20:44 | Fetching Details from Play Store: com.thebarstockexchange.tbse | OK
2025-02-14 06:20:44 | Checking for Malware Permissions | OK
2025-02-14 06:20:44 | Fetching icon path | OK
2025-02-14 06:20:44 | Library Binary Analysis Started | OK
2025-02-14 06:20:44 | Reading Code Signing Certificate | OK
2025-02-14 06:20:45 | Running APKiD 2.1.5 | OK
2025-02-14 06:20:49 | Updating Trackers Database.... | OK
2025-02-14 06:20:49 | Detecting Trackers | OK
2025-02-14 06:20:50 | Decompiling APK to Java with JADX | OK
2025-02-14 06:21:19 | Converting DEX to Smali | OK
2025-02-14 06:21:19 | Code Analysis Started on - java_source | OK
2025-02-14 06:21:21 | Android SBOM Analysis Completed | OK
2025-02-14 06:21:28 | Android SAST Completed | OK
2025-02-14 06:21:28 | Android API Analysis Started | OK
2025-02-14 06:21:31 | Android API Analysis Completed | OK
2025-02-14 06:21:31 | Android Permission Mapping Started | OK
2025-02-14 06:21:35 | Android Permission Mapping Completed | OK
2025-02-14 06:21:36 | Android Behaviour Analysis Started | OK
2025-02-14 06:21:41 | Android Behaviour Analysis Completed | OK
2025-02-14 06:21:41 | Extracting Emails and URLs from Source Code | OK
2025-02-14 06:21:44 | Email and URL Extraction Completed | OK
2025-02-14 06:21:44 | Extracting String data from APK | OK
2025-02-14 06:21:44 | Extracting String data from Code | OK
2025-02-14 06:21:44 | Extracting String values and entropies from Code | OK
2025-02-14 06:21:45 | Performing Malware check on extracted domains | OK
2025-02-14 06:21:49 | Saving to Database | OK

Report Generated by - MobSF v4.3.1


Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment
framework capable of performing static and dynamic analysis.

© 2025 Mobile Security Framework - MobSF | Ajin Abraham | OpenSecurity.
