Facebook Lite Report

Download as pdf or txt
Download as pdf or txt
You are on page 1of 45

ANDROID STATIC ANALYSIS REPORT

 Lite (373.0.0.0.3)
File Name: Facebook Lite.apk

Package Name: com.facebook.lite

Scan Date: Sept. 10, 2023, 6:19 a.m.

App Security Score: 17/100 (CRITICAL RISK)

Grade:
F
 FINDINGS SEVERITY

 HIGH  MEDIUM  INFO  SECURE  HOTSPOT

55 16 2 4 1

 FILE INFORMATION
File Name: Facebook Lite.apk
Size: 2.15MB
MD5: d8340f4a444f33f20cc752450de7eff1
SHA1: 8b1a1d3400cf7e39643b2466e1009dc6a2fdcdd7
SHA256: b0af382547043e98507e2702cce931273eed7cc26f378c9c011e20ce82f6279e

 APP INFORMATION
App Name: Lite
Package Name: com.facebook.lite
Main Activity: com.facebook.lite.MainActivity
Target SDK: 33
Min SDK: 15
Max SDK:
Android Version Name: 373.0.0.0.3
Android Version Code: 500700028
 APP COMPONENTS
Activities: 18
Services: 35
Receivers: 31
Providers: 9
Exported Activities: 30
Exported Services: 2
Exported Receivers: 11
Exported Providers: 4

 CERTIFICATE INFORMATION
Binary is signed
v1 signature: True
v2 signature: True
v3 signature: False
v4 signature: False
X.509 Subject: C=US, ST=CA, L=Palo Alto, O=Facebook Mobile, OU=Facebook, CN=Facebook Corporation
Signature Algorithm: rsassa_pkcs1v15
Valid From: 2009-08-31 21:52:16+00:00
Valid To: 2050-09-25 21:52:16+00:00
Issuer: C=US, ST=CA, L=Palo Alto, O=Facebook Mobile, OU=Facebook, CN=Facebook Corporation
Serial Number: 0x4a9c4610
Hash Algorithm: md5
md5: 3fad024f2dcbe3ee693c96f350f8e376
sha1: 8a3c4b262d721acd49a4bf97d5213199c86fa2b9
sha256: e3f9e1e0cf99d0e56a055ba65e241b3399f7cea524326b0cdd6ec1327ed0fdc1
sha512: cd0c5bea15efd4c2620b5632a2d7618bc1cffb2edfc0f70e2f03ce593c162a93f655771bb2e222238889d4a5740f3dcbcd5b14b8a266602048500c67b0f07d14
PublicKey Algorithm: rsa
Bit Size: 1024
Fingerprint: f399a11f1d0ba109236e9b0cd20c7384a55d02042ba6c2500cec5a0001e165a1
Found 1 unique certificates
 APPLICATION PERMISSIONS

PERMISSION STATUS INFO DESCRIPTION

Access coarse location sources, such as the


mobile network database, to determine an
coarse (network- approximate phone location, where
android.permission.ACCESS_COARSE_LOCATION dangerous
based) location available. Malicious applications can use
this to determine approximately where you
are.

Access fine location sources, such as the


Global Positioning System on the phone,
android.permission.ACCESS_FINE_LOCATION dangerous fine (GPS) location where available. Malicious applications can
use this to determine where you are and
may consume additional battery power.

view network Allows an application to view the status of


android.permission.ACCESS_NETWORK_STATE normal
status all networks.

Allows an application to view the


android.permission.ACCESS_WIFI_STATE normal view Wi-Fi status
information about the status of Wi-Fi.

Allows the modification of collected battery


modify battery
android.permission.BATTERY_STATS signature statistics. Not for use by common
statistics
applications.

Allows an application to send sticky


broadcasts, which remain after the
send sticky
android.permission.BROADCAST_STICKY normal broadcast ends. Malicious applications can
broadcast
make the phone slow or unstable by
causing it to use too much memory.
PERMISSION STATUS INFO DESCRIPTION

Allows the application to call phone


numbers without your intervention.
directly call phone Malicious applications may cause
android.permission.CALL_PHONE dangerous
numbers unexpected calls on your phone bill. Note
that this does not allow the application to
call emergency numbers.

Allows application to take pictures and


take pictures and videos with the camera. This allows the
android.permission.CAMERA dangerous
videos application to collect images that the
camera is seeing at any time.

change network Allows applications to change network


android.permission.CHANGE_NETWORK_STATE normal
connectivity connectivity state.

Allows an application to connect to and


disconnect from Wi-Fi access points and to
android.permission.CHANGE_WIFI_STATE normal change Wi-Fi status
make changes to configured Wi-Fi
networks.

Allows application to retrieve information


about currently and recently running tasks.
retrieve running
android.permission.GET_TASKS dangerous May allow malicious applications to
applications
discover private information about other
applications.

Allows an application to create network


android.permission.INTERNET normal full Internet access
sockets.

Allows an application to read all of the


read calendar calendar events stored on your phone.
android.permission.READ_CALENDAR dangerous
events Malicious applications can use this to send
your calendar events to other people.
PERMISSION STATUS INFO DESCRIPTION

Allows an application to read all of the


contact (address) data stored on your
android.permission.READ_CONTACTS dangerous read contact data
phone. Malicious applications can use this
to send your data to other people.

Allows access to the list of accounts in the


android.permission.GET_ACCOUNTS dangerous list accounts
Accounts Service.

Allows an application to use the account


authenticator capabilities of the Account
act as an account
android.permission.AUTHENTICATE_ACCOUNTS dangerous Manager, including creating accounts as
authenticator
well as obtaining and setting their
passwords.

Allows an application to perform


manage the
android.permission.MANAGE_ACCOUNTS dangerous operations like adding and removing
accounts list
accounts and deleting their password.

Allows the application to access the phone


features of the device. An application with
read phone state this permission can determine the phone
android.permission.READ_PHONE_STATE dangerous
and identity number and serial number of this phone,
whether a call is active, the number that
call is connected to and so on.

Allows read access to the device's phone


number(s). This is a subset of the
android.permission.READ_PHONE_NUMBERS dangerous capabilities granted by
READ_PHONE_STATE but is exposed to
instant applications.

read the user's


Allows an application to read the user's
android.permission.READ_PROFILE dangerous personal profile
personal profile data.
data
PERMISSION STATUS INFO DESCRIPTION

Allows an application to start itself as soon


as the system has finished booting. This
automatically start
android.permission.RECEIVE_BOOT_COMPLETED normal can make it take longer to start the phone
at boot
and allow the application to slow down the
overall phone by always running.

Allows application to access the audio


android.permission.RECORD_AUDIO dangerous record audio
record path.

Allows an application to show system-alert


display system-
android.permission.SYSTEM_ALERT_WINDOW dangerous windows. Malicious applications can take
level alerts
over the entire screen of the phone.

Allows the application to control the


android.permission.VIBRATE normal control vibrator
vibrator.

prevent phone Allows an application to prevent the phone


android.permission.WAKE_LOCK normal
from sleeping from going to sleep.

Allows an application to add or change the


add or modify
events on your calendar, which may send
calendar events
android.permission.WRITE_CALENDAR dangerous emails to guests. Malicious applications can
and send emails to
use this to erase or modify your calendar
guests
events or to send emails to guests.

Allows an application to modify the contact


(address) data stored on your phone.
android.permission.WRITE_CONTACTS dangerous write contact data
Malicious applications can use this to erase
or modify your contact data.

read/modify/delete
Allows an application to write to external
android.permission.WRITE_EXTERNAL_STORAGE dangerous external storage
storage.
contents
PERMISSION STATUS INFO DESCRIPTION

Allows an application to read image or


video files from external storage that a user
has selected via the permission prompt
photo picker. Apps can check this
permission to verify that a user has decided
to use the photo picker, instead of granting
android.permission.READ_MEDIA_VISUAL_USER_SELECTED dangerous access to READ_MEDIA_IMAGES or
READ_MEDIA_VIDEO . It does not prevent
apps from accessing the standard photo
picker manually. This permission should be
requested alongside READ_MEDIA_IMAGES
and/or READ_MEDIA_VIDEO , depending on
which type of media is desired.

Unknown Unknown permission from android


com.android.launcher.permission.INSTALL_SHORTCUT unknown
permission reference

Unknown Unknown permission from android


com.android.launcher.permission.UNINSTALL_SHORTCUT unknown
permission reference

Unknown Unknown permission from android


com.facebook.receiver.permission.ACCESS unknown
permission reference

Unknown Unknown permission from android


com.facebook.katana.provider.ACCESS unknown
permission reference

Unknown Unknown permission from android


com.facebook.orca.provider.ACCESS unknown
permission reference

Unknown Unknown permission from android


com.facebook.mlite.provider.ACCESS unknown
permission reference
PERMISSION STATUS INFO DESCRIPTION

Unknown Unknown permission from android


com.facebook.wakizashi.provider.ACCESS unknown
permission reference

Unknown Unknown permission from android


com.facebook.permission.prod.FB_APP_COMMUNICATION unknown
permission reference

Show notification count or badge on


Show notification
com.sec.android.provider.badge.permission.WRITE normal application launch icon for samsung
count on app
phones.

Show notification count or badge on


Show notification
com.sec.android.provider.badge.permission.READ normal application launch icon for samsung
count on app
phones.

Show notification Show notification count or badge on


com.htc.launcher.permission.READ_SETTINGS normal
count on app application launch icon for htc phones.

Show notification Show notification count or badge on


com.htc.launcher.permission.UPDATE_SHORTCUT normal
count on app application launch icon for htc phones.

Show notification Show notification count or badge on


com.sonyericsson.home.permission.BROADCAST_BADGE normal
count on app application launch icon for sony phones.

Show notification Show notification count or badge on


com.sonymobile.home.permission.PROVIDER_INSERT_BADGE normal
count on app application launch icon for sony phones.

Show notification Show notification count or badge on


com.huawei.android.launcher.permission.CHANGE_BADGE normal
count on app application launch icon for huawei phones.

Show notification Show notification count or badge on


com.huawei.android.launcher.permission.READ_SETTINGS normal
count on app application launch icon for huawei phones.
PERMISSION STATUS INFO DESCRIPTION

Show notification Show notification count or badge on


com.huawei.android.launcher.permission.WRITE_SETTINGS normal
count on app application launch icon for huawei phones.

Show notification Show notification count or badge on


com.oppo.launcher.permission.READ_SETTINGS normal
count on app application launch icon for oppo phones.

Show notification Show notification count or badge on


com.oppo.launcher.permission.WRITE_SETTINGS normal
count on app application launch icon for oppo phones.

Allows an application to move tasks to the


reorder
foreground and background. Malicious
android.permission.REORDER_TASKS normal applications
applications can force themselves to the
running
front without your control.

Required for apps targeting


android.permission.USE_FULL_SCREEN_INTENT normal Build.VERSION_CODES.Q that want to use
notification full screen intents.

Unknown Unknown permission from android


com.facebook.services.identity.FEO2 unknown
permission reference

create Bluetooth Allows applications to connect to paired


android.permission.BLUETOOTH normal
connections bluetooth devices.

Allows a regular application to use


android.permission.FOREGROUND_SERVICE normal
Service.startForeground.

Allows a regular application to use


android.permission.FOREGROUND_SERVICE_DATA_SYNC normal Service.startForeground with the type
"dataSync".

Unknown Unknown permission from android


com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE unknown
permission reference
PERMISSION STATUS INFO DESCRIPTION

Unknown Unknown permission from android


com.facebook.lite.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION unknown
permission reference

Unknown Unknown permission from android


com.android.vending.BILLING unknown
permission reference

com.google.android.c2dm.permission.RECEIVE signature C2DM permissions Permission for cloud to device messaging.

change your audio Allows application to modify global audio


android.permission.MODIFY_AUDIO_SETTINGS normal
settings settings, such as volume and routing.

Allows an app to use exact alarm


android.permission.SCHEDULE_EXACT_ALARM normal scheduling APIs to perform timing sensitive
background work.

Allows an application to read image files


android.permission.READ_MEDIA_IMAGES dangerous
from external storage.

Allows an application to read video files


android.permission.READ_MEDIA_VIDEO dangerous
from external storage.

android.permission.POST_NOTIFICATIONS dangerous Allows an app to post notifications

Unknown Unknown permission from android


com.google.android.gms.permission.AD_ID unknown
permission reference

Allows the app to answer an incoming


android.permission.ANSWER_PHONE_CALLS dangerous
phone call.

Allows an application to read the user's call


android.permission.READ_CALL_LOG dangerous
log.
 APKID ANALYSIS

FILE DETAILS

FINDINGS DETAILS

classes.dex Anti-VM Code Build.FINGERPRINT check

Compiler unknown (please file detection issue!)

 BROWSABLE ACTIVITIES

ACTIVITY INTENT

Schemes: fblite://,
com.facebook.lite.MainActivity
Mime Types: text/plain,
ACTIVITY INTENT

Schemes: http://, https://,


Hosts: www.facebook.com, m.facebook.com,
Paths: /permalink.php, /story.php, /home.php, /photo.php, /video.php, /n/,
/nd/,
Path Prefixes: /share, /events, /groups, /watch, /marketplace,
/coronavirus_info, /mobile_center, /pages, /uiqr/.*, /fbrdr/2048/, /fbrdr/274/,
com.facebook.lite.deeplinking.activities.PermalinkPossiblePatternsActivityAlias /profile.php,
Path Patterns: /.*/videos/.*, /reel/.*, /places/..*/..*, /.*/posts/.*, /.*/photos/.*,
/.*/photos, /.*/media_set, /.*/about, /.*/photos_of, /.*/photos_albums,
/.*/friends, /inter_app/redirect/.*, /privacy_access_hub/.*,
/contact_upload_settings/.*, /pg/.*/home, /pg/.*/home/, /pg/.*/about,
/pg/.*/about/, /pg/.*/photos, /pg/.*/photos/, /pages/whatsapp, /pages,
/fblite_transfer_your_information/.*, /dogfooding_assistant,

com.facebook.lite.deeplinking.activities.PermalinkFBLinksAlias Schemes: fb://,

com.facebook.lite.deeplinking.UIQRE2EActivity Schemes: uiqr://,

Schemes: http://, https://,


com.facebook.lite.deeplinking.activities.PermalinkLiteActivityAlias Hosts: www.facebook.com, m.facebook.com, fb.com,
Path Prefixes: /lite, /fblite/launch, /ema/install,

Schemes: http://, https://,


com.facebook.lite.deeplinking.activities.PermalinkWatchShortAlias Hosts: fb.watch, fbwat.ch,
Path Patterns: /.*,

Schemes: http://, https://,


com.facebook.lite.deeplinking.activities.PermalinkFbliteMessagingFbMePrefixAlias Hosts: fb.me,
Path Patterns: /.*,

Schemes: http://, https://,


com.facebook.lite.deeplinking.activities.CommunityChatsMDotMePrefixAlias Hosts: m.me,
Path Patterns: /.*,
ACTIVITY INTENT

Schemes: http://, https://,


com.facebook.lite.deeplinking.activities.PermalinkVanityPrefixAt Hosts: www.facebook.com, m.facebook.com,
Path Patterns: /@.*,

Schemes: http://, https://,


com.facebook.lite.deeplinking.activities.PermalinkVanityPrefixP Hosts: www.facebook.com, m.facebook.com,
Path Patterns: /p/.*,

Schemes: http://, https://,


com.facebook.lite.deeplinking.activities.PermalinkVanityPrefixTilde Hosts: www.facebook.com, m.facebook.com,
Path Patterns: /~.*,

Schemes: http://, https://,


com.facebook.lite.deeplinking.activities.PermalinkHomeAlias Hosts: www.facebook.com, m.facebook.com,
Paths: /,

Schemes: http://, https://,


com.facebook.lite.deeplinking.activities.PermalinkMessagingAlias Hosts: www.facebook.com, m.facebook.com,
Path Patterns: /messages, /messages/read, /messages/t/.*,

Schemes: http://, https://,


com.facebook.lite.deeplinking.activities.PermalinkSettingsAlias Hosts: www.facebook.com, m.facebook.com,
Path Prefixes: /settings,

Schemes: http://, https://,


com.facebook.lite.deeplinking.activities.PermalinkTimelineAlias Hosts: www.facebook.com, m.facebook.com,
Path Prefixes: /timeline,

Schemes: http://, https://,


com.facebook.lite.deeplinking.activities.PermalinkNotificationsAlias Hosts: www.facebook.com, m.facebook.com,
Path Prefixes: /notifications,
ACTIVITY INTENT

Schemes: http://, https://,


com.facebook.lite.deeplinking.activities.PermalinkProfileEditAlias Hosts: www.facebook.com, m.facebook.com,
Path Prefixes: /profile/edit,

Schemes: http://, https://,


com.facebook.lite.deeplinking.activities.PermalinkBuddylistAlias Hosts: www.facebook.com, m.facebook.com,
Paths: /buddylist.php,

Schemes: http://, https://,


Hosts: facebook.com, fb.com, free.facebook.com, m.alpha.facebook.com,
m.beta.facebook.com, mbasic.alpha.facebook.com,
mbasic.beta.facebook.com, mbasic.facebook.com, mobile.facebook.com,
mtouch.facebook.com, p.facebook.com, touch.facebook.com,
web.facebook.com, www.alpha.facebook.com, www.beta.facebook.com,
x.facebook.com,
Paths: /permalink.php, /story.php, /home.php, /photo.php, /video.php, /n/,
com.facebook.lite.deeplinking.activities.PermalinkExtraFacebookHostsAlias /nd/,
Path Prefixes: /events, /groups, /watch, /marketplace, /coronavirus_info,
/mobile_center, /pages, /uiqr/.*, /fbrdr/2048/, /fbrdr/274/, /profile.php,
Path Patterns: /.*/videos/.*, /reel/.*, /places/..*/..*, /.*/posts/.*, /.*/photos/.*,
/.*/photos, /.*/media_set, /.*/about, /.*/photos_of, /.*/photos_albums,
/.*/friends, /inter_app/redirect/.*, /privacy_access_hub/.*,
/contact_upload_settings/.*, /pg/.*/home, /pg/.*/home/, /pg/.*/about,
/pg/.*/about/, /pg/.*/photos, /pg/.*/photos/, /pages/whatsapp, /pages,
/fblite_transfer_your_information/.*, /dogfooding_assistant,

 NETWORK SECURITY
HIGH: 4 | WARNING: 1 | INFO: 1 | SECURE: 2
NO SCOPE SEVERITY DESCRIPTION

1 * high Base config is insecurely configured to permit clear text traffic to all domains.

2 * warning Base config is configured to trust system certificates.

3 * high Base config is configured to trust user installed certificates.

4 * high Base config is configured to bypass certificate pinning.

facebook.com
fbcdn.net
fbsbx.com
facebookcorewwwi.onion
fbcdn23dssr3jqnq.onion
fbsbx2q4mvcl63pw.onion
instagram.com
cdninstagram.com
workplace.com
oculus.com
5 secure Domain config is securely configured to disallow clear text traffic to these domains in scope.
facebookvirtualassistant.com
discoverapp.com
freebasics.com
internet.org
viewpointsfromfacebook.com
h.facebook.com
l.facebook.com
l.alpha.facebook.com
lm.facebook.com
l.instagram.com
NO SCOPE SEVERITY DESCRIPTION

facebook.com
Certificate pinning expires on 2024-09-04. After this date pinning will be disabled. [Pin:
fbcdn.net
x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4= Digest: SHA-256,Pin:
fbsbx.com
ICGRfpgmOUXIWcQ/HXPLQTkFPEFPoDyjvH7ohhQpjzs= Digest: SHA-256,Pin:
facebookcorewwwi.onion
grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME= Digest: SHA-256,Pin:
fbcdn23dssr3jqnq.onion
58qRu/uxh4gFezqAcERupSkRYBlBAvfcw7mEjGPLnNU= Digest: SHA-256,Pin:
fbsbx2q4mvcl63pw.onion
r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E= Digest: SHA-256,Pin:
instagram.com
i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY= Digest: SHA-256,Pin:
cdninstagram.com
uUwZgwDOxcBXrQcntwu+kYFpkiVkOaezL0WYEZ3anJc= Digest: SHA-256,Pin:
workplace.com
WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18= Digest: SHA-256,Pin:
oculus.com
6 info Wd8xe/qfTwq3ylFNd3IpaqLHZbh2ZNCLluVzmeNkcpw= Digest: SHA-256,Pin:
facebookvirtualassistant.com
ape1HIIZ6T5d7GS61YBs3rD4NVvkfnVwELcCRW4Bqv0= Digest: SHA-256,Pin:
discoverapp.com
oC+voZLIy4HLE0FVT5wFtxzKKokLDRKY1oNkfJYe+98= Digest: SHA-256,Pin:
freebasics.com
K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q= Digest: SHA-256,Pin:
internet.org
cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A= Digest: SHA-256,Pin:
viewpointsfromfacebook.com
aCdH+LpiG4fN07wpXtXKvOciocDANj0daLOJKNJ4fx4= Digest: SHA-256,Pin:
h.facebook.com
rn+WLLnmp9v3uDP7GPqbcaiRdd+UnCMrap73yz3yu/w= Digest: SHA-256,Pin:
l.facebook.com
C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M= Digest: SHA-256,Pin:
l.alpha.facebook.com
diGVwiVYbubAI3RW4hB9xU8e/CH2GnkuvVFZE8zmgzI= Digest: SHA-256,Pin:
lm.facebook.com
q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ= Digest: SHA-256]
l.instagram.com

h.facebook.com
l.facebook.com
7 l.alpha.facebook.com high Domain config is insecurely configured to permit clear text traffic to these domains in scope.
lm.facebook.com
l.instagram.com

h.facebook.com
l.facebook.com
8 l.alpha.facebook.com secure Certificate pinning does not have an expiry. Ensure that pins are updated before certificate expire. []
lm.facebook.com
l.instagram.com
 CERTIFICATE ANALYSIS
HIGH: 1 | WARNING: 1 | INFO: 1

TITLE SEVERITY DESCRIPTION

Signed Application info Application is signed with a code signing certificate

Application is signed with v1 signature scheme, making it vulnerable to Janus vulnerability on Android 5.0-8.0, if signed
Application vulnerable
warning only with v1 signature scheme. Applications running on Android 5.0-7.0 signed with v1, and v2/v3 scheme is also
to Janus Vulnerability
vulnerable.

Certificate algorithm
vulnerable to hash high Application is signed with MD5. MD5 hash algorithm is known to have collision issues.
collision

 MANIFEST ANALYSIS
HIGH: 49 | WARNING: 8 | INFO: 0 | SUPPRESSED: 0

NO ISSUE SEVERITY DESCRIPTION

This application can be installed on an older


version of android that has multiple unfixed
App can be installed on a vulnerable Android version
1 warning vulnerabilities. Support an Android version >
[minSdk=15]
8, API 26 to receive reasonable security
updates.
NO ISSUE SEVERITY DESCRIPTION

The Network Security Configuration feature


lets apps customize their network security
App has a Network Security Configuration settings in a safe, declarative configuration
2 info
[android:networkSecurityConfig=@xml/fb_network_security_config] file without modifying app code. These
settings can be configured for specific
domains and for a specific app.

An Activity should not be having the launch


mode attribute set to
"singleTask/singleInstance" as it becomes
root Activity and it is possible for other
3 Launch Mode of activity (com.facebook.lite.MainActivity) is not standard. high
applications to read the contents of the
calling Intent. So it is required to use the
"standard" launch mode attribute when
sensitive information is included in an Intent.

A Broadcast Receiver is found to be shared


Broadcast Receiver (com.facebook.lite.pretos.LiteAppComponentReceiver) is not
with other apps on the device therefore
4 Protected. high
leaving it accessible to any other application
[android:exported=true]
on the device.

A Broadcast Receiver is found to be shared


Broadcast Receiver (com.facebook.lite.rtc.IncomingCallReceiver) is not Protected. with other apps on the device therefore
5 high
[android:exported=true] leaving it accessible to any other application
on the device.

A Broadcast Receiver is found to be shared


Broadcast Receiver (com.facebook.lite.campaign.CampaignReceiver) is not Protected. with other apps on the device therefore
6 high
[android:exported=true] leaving it accessible to any other application
on the device.
NO ISSUE SEVERITY DESCRIPTION

A Broadcast Receiver is found to be shared


Broadcast Receiver (com.facebook.lite.appManager.AppManagerReceiver) is not
with other apps on the device therefore
7 Protected. high
leaving it accessible to any other application
[android:exported=true]
on the device.

A Broadcast Receiver is found to be shared


Broadcast Receiver (com.facebook.lite.deviceid.FbLitePhoneIdRequestReceiver) is not
with other apps on the device therefore
8 Protected. high
leaving it accessible to any other application
[android:exported=true]
on the device.

A Broadcast Receiver is found to be shared


Broadcast Receiver (com.facebook.appupdate.DownloadCompleteReceiver) is not
with other apps on the device therefore
9 Protected. high
leaving it accessible to any other application
[android:exported=true]
on the device.

A Content Provider is found to be shared


Content Provider (com.facebook.lite.deviceid.FbLitePhoneIdProvider) is not Protected. with other apps on the device therefore
10 high
[android:exported=true] leaving it accessible to any other application
on the device.

A Broadcast Receiver is found to be shared


Broadcast Receiver (com.facebook.lite.FbnsIntentService$CallbackReceiver) is not
with other apps on the device therefore
11 Protected. high
leaving it accessible to any other application
[android:exported=true]
on the device.

A Broadcast Receiver is found to be shared


Broadcast Receiver (com.facebook.rti.push.service.MqttSystemBroadcastReceiver) is not
with other apps on the device therefore
12 Protected. high
leaving it accessible to any other application
[android:exported=true]
on the device.

A Content Provider is found to be shared


Content Provider (com.facebook.lite.photo.MediaContentProvider) is not Protected. with other apps on the device therefore
13 high
[android:exported=true] leaving it accessible to any other application
on the device.
NO ISSUE SEVERITY DESCRIPTION

A Content Provider is found to be shared


Content Provider (com.facebook.lite.diode.UserValuesProvider) is not Protected. with other apps on the device therefore
14 high
[android:exported=true] leaving it accessible to any other application
on the device.

A Broadcast Receiver is found to be shared


Broadcast Receiver (com.facebook.lite.waotp.WAOtpCodeReceiver) is not Protected. with other apps on the device therefore
15 high
[android:exported=true] leaving it accessible to any other application
on the device.

If taskAffinity is set, then other application


could read the Intents sent to Activities
belonging to another task. Always use the
TaskAffinity is set for activity
16 warning default setting keeping the affinity as the
(com.facebook.lite.ShortcutLauncherActivity)
package name in order to prevent sensitive
information inside sent or received Intents
from being read by another application.

An Activity should not be having the launch


mode attribute set to
"singleTask/singleInstance" as it becomes
root Activity and it is possible for other
17 Launch Mode of activity (com.facebook.lite.ShortcutLauncherActivity) is not standard. high
applications to read the contents of the
calling Intent. So it is required to use the
"standard" launch mode attribute when
sensitive information is included in an Intent.

An Activity is found to be shared with other


Activity (com.facebook.lite.ShortcutLauncherActivity) is not Protected. apps on the device therefore leaving it
18 high
[android:exported=true] accessible to any other application on the
device.
NO ISSUE SEVERITY DESCRIPTION

If taskAffinity is set, then other application


could read the Intents sent to Activities
belonging to another task. Always use the
TaskAffinity is set for activity
19 warning default setting keeping the affinity as the
(com.facebook.lite.ShortcutActivity)
package name in order to prevent sensitive
information inside sent or received Intents
from being read by another application.

An Activity is found to be shared with other


Activity (com.facebook.lite.ShortcutActivity) is not Protected. apps on the device therefore leaving it
20 high
[android:exported=true] accessible to any other application on the
device.

If taskAffinity is set, then other application


could read the Intents sent to Activities
belonging to another task. Always use the
TaskAffinity is set for activity
21 warning default setting keeping the affinity as the
(com.facebook.lite.rtc.RTCActivity)
package name in order to prevent sensitive
information inside sent or received Intents
from being read by another application.

An Activity should not be having the launch


mode attribute set to
"singleTask/singleInstance" as it becomes
root Activity and it is possible for other
22 Launch Mode of activity (com.facebook.lite.rtc.RTCActivity) is not standard. high
applications to read the contents of the
calling Intent. So it is required to use the
"standard" launch mode attribute when
sensitive information is included in an Intent.
NO ISSUE SEVERITY DESCRIPTION

An Activity should not be having the launch


mode attribute set to
"singleTask/singleInstance" as it becomes
Launch Mode of activity (com.facebook.lite.webviewrtc.RTCIncomingCallActivity) is not root Activity and it is possible for other
23 high
standard. applications to read the contents of the
calling Intent. So it is required to use the
"standard" launch mode attribute when
sensitive information is included in an Intent.

An Activity should not be having the launch


mode attribute set to
"singleTask/singleInstance" as it becomes
Launch Mode of activity (com.facebook.lite.nativeRtc.NativeRtcCallActivity) is not root Activity and it is possible for other
24 high
standard. applications to read the contents of the
calling Intent. So it is required to use the
"standard" launch mode attribute when
sensitive information is included in an Intent.

An Activity is found to be shared with other


Activity (com.facebook.lite.platform.LoginGDPDialogActivityV2) is not Protected. apps on the device therefore leaving it
25 high
[android:exported=true] accessible to any other application on the
device.

An Activity is found to be shared with other


Activity (com.facebook.lite.waotp.WAOtpReceiveCodeActivity) is not Protected. apps on the device therefore leaving it
26 high
[android:exported=true] accessible to any other application on the
device.

Activity-Alias An Activity-Alias is found to be shared with


(com.facebook.lite.deeplinking.activities.PermalinkPossiblePatternsActivityAlias) is not other apps on the device therefore leaving it
27 high
Protected. accessible to any other application on the
[android:exported=true] device.
NO ISSUE SEVERITY DESCRIPTION

An Activity-Alias is found to be shared with


Activity-Alias (com.facebook.lite.deeplinking.activities.PermalinkFBLinksAlias) is not
other apps on the device therefore leaving it
28 Protected. high
accessible to any other application on the
[android:exported=true]
device.

An Activity-Alias is found to be shared with


Activity-Alias (com.facebook.lite.deeplinking.UIQRE2EActivity) is not Protected. other apps on the device therefore leaving it
29 high
[android:exported=true] accessible to any other application on the
device.

An Activity-Alias is found to be shared with


Activity-Alias (com.facebook.lite.deeplinking.activities.PermalinkLiteActivityAlias) is not
other apps on the device therefore leaving it
30 Protected. high
accessible to any other application on the
[android:exported=true]
device.

An Activity-Alias is found to be shared with


Activity-Alias (com.facebook.lite.stories.activities.ShareToFbStoriesAlias) is not Protected. other apps on the device therefore leaving it
31 high
[android:exported=true] accessible to any other application on the
device.

An Activity-Alias is found to be shared with


Activity-Alias (com.facebook.lite.stories.activities.ShareToFbMultiStoriesAlias) is not
other apps on the device therefore leaving it
32 Protected. high
accessible to any other application on the
[android:exported=true]
device.

Activity-Alias An Activity-Alias is found to be shared with


(com.facebook.lite.composer.activities.ShareIntentMultiPhotoAlphabeticalAlias) is not other apps on the device therefore leaving it
33 high
Protected. accessible to any other application on the
[android:exported=true] device.

An Activity-Alias is found to be shared with


Activity-Alias (com.facebook.lite.composer.activities.ShareIntentMultiPhotoGroupsAlias) is
other apps on the device therefore leaving it
34 not Protected. high
accessible to any other application on the
[android:exported=true]
device.
NO ISSUE SEVERITY DESCRIPTION

An Activity-Alias is found to be shared with


Activity-Alias (com.facebook.lite.composer.activities.ShareIntentVideoGroupsAlias) is not
other apps on the device therefore leaving it
35 Protected. high
accessible to any other application on the
[android:exported=true]
device.

An Activity-Alias is found to be shared with


Activity-Alias (com.facebook.lite.composer.activities.ShareIntentVideoAlphabeticalAlias) is
other apps on the device therefore leaving it
36 not Protected. high
accessible to any other application on the
[android:exported=true]
device.

Activity-Alias An Activity-Alias is found to be shared with


(com.facebook.lite.composer.activities.ShareIntentMultiVideoAlphabeticalAlias) is not other apps on the device therefore leaving it
37 high
Protected. accessible to any other application on the
[android:exported=true] device.

An Activity-Alias is found to be shared with


Activity-Alias (com.facebook.lite.deeplinking.activities.PermalinkWatchShortAlias) is not
other apps on the device therefore leaving it
38 Protected. high
accessible to any other application on the
[android:exported=true]
device.

Activity-Alias An Activity-Alias is found to be shared with


(com.facebook.lite.deeplinking.activities.PermalinkFbliteMessagingFbMePrefixAlias) is not other apps on the device therefore leaving it
39 high
Protected. accessible to any other application on the
[android:exported=true] device.

Activity-Alias An Activity-Alias is found to be shared with


(com.facebook.lite.deeplinking.activities.CommunityChatsMDotMePrefixAlias) is not other apps on the device therefore leaving it
40 high
Protected. accessible to any other application on the
[android:exported=true] device.

An Activity-Alias is found to be shared with


Activity-Alias (com.facebook.lite.deeplinking.activities.PermalinkVanityPrefixAt) is not
other apps on the device therefore leaving it
41 Protected. high
accessible to any other application on the
[android:exported=true]
device.
NO ISSUE SEVERITY DESCRIPTION

An Activity-Alias is found to be shared with


Activity-Alias (com.facebook.lite.deeplinking.activities.PermalinkVanityPrefixP) is not
other apps on the device therefore leaving it
42 Protected. high
accessible to any other application on the
[android:exported=true]
device.

An Activity-Alias is found to be shared with


Activity-Alias (com.facebook.lite.deeplinking.activities.PermalinkVanityPrefixTilde) is not
other apps on the device therefore leaving it
43 Protected. high
accessible to any other application on the
[android:exported=true]
device.

An Activity-Alias is found to be shared with


Activity-Alias (com.facebook.lite.deeplinking.activities.PermalinkHomeAlias) is not
other apps on the device therefore leaving it
44 Protected. high
accessible to any other application on the
[android:exported=true]
device.

An Activity-Alias is found to be shared with


Activity-Alias (com.facebook.lite.deeplinking.activities.PermalinkMessagingAlias) is not
other apps on the device therefore leaving it
45 Protected. high
accessible to any other application on the
[android:exported=true]
device.

An Activity-Alias is found to be shared with


Activity-Alias (com.facebook.lite.deeplinking.activities.PermalinkSettingsAlias) is not
other apps on the device therefore leaving it
46 Protected. high
accessible to any other application on the
[android:exported=true]
device.

An Activity-Alias is found to be shared with


Activity-Alias (com.facebook.lite.deeplinking.activities.PermalinkTimelineAlias) is not
other apps on the device therefore leaving it
47 Protected. high
accessible to any other application on the
[android:exported=true]
device.

An Activity-Alias is found to be shared with


Activity-Alias (com.facebook.lite.deeplinking.activities.PermalinkNotificationsAlias) is not
other apps on the device therefore leaving it
48 Protected. high
accessible to any other application on the
[android:exported=true]
device.
NO ISSUE SEVERITY DESCRIPTION

An Activity-Alias is found to be shared with


Activity-Alias (com.facebook.lite.deeplinking.activities.PermalinkProfileEditAlias) is not
other apps on the device therefore leaving it
49 Protected. high
accessible to any other application on the
[android:exported=true]
device.

An Activity-Alias is found to be shared with


Activity-Alias (com.facebook.lite.deeplinking.activities.PermalinkBuddylistAlias) is not
other apps on the device therefore leaving it
50 Protected. high
accessible to any other application on the
[android:exported=true]
device.

An Activity-Alias is found to be shared with


Activity-Alias (com.facebook.lite.deeplinking.activities.PermalinkExtraFacebookHostsAlias)
other apps on the device therefore leaving it
51 is not Protected. high
accessible to any other application on the
[android:exported=true]
device.

An Activity-Alias is found to be shared with


Activity-Alias (com.facebook.lite.composer.activities.ShareTextToMessagingAlias) is not
other apps on the device therefore leaving it
52 Protected. high
accessible to any other application on the
[android:exported=true]
device.

A Content Provider is found to be shared


Content Provider (com.facebook.lite.msys.LiteSecureMessagingKeyContentProvider) is
with other apps on the device therefore
53 not Protected. high
leaving it accessible to any other application
[android:exported=true]
on the device.
NO ISSUE SEVERITY DESCRIPTION

A Broadcast Receiver is found to be shared


with other apps on the device therefore
leaving it accessible to any other application
on the device. It is protected by a permission
Broadcast Receiver
which is not defined in the analysed
(com.facebook.oxygen.preloads.sdk.firstparty.managedappcache.IsManagedAppReceiver)
application. As a result, the protection level
is Protected by a permission, but the protection level of the permission should be
54 warning of the permission should be checked where it
checked.
is defined. If it is set to normal or dangerous,
Permission: com.facebook.appmanager.ACCESS
a malicious application can request and
[android:exported=true]
obtain the permission and interact with the
component. If it is set to signature, only
applications signed with the same certificate
can obtain the permission.

A Service is found to be shared with other


Service (com.facebook.secure.packagefinder.PackageFinderService) is not Protected. apps on the device therefore leaving it
55 high
[android:exported=true] accessible to any other application on the
device.

A Service is found to be shared with other


apps on the device therefore leaving it
accessible to any other application on the
device. It is protected by a permission which
Service (com.google.android.gms.auth.api.signin.RevocationBoundService) is Protected is not defined in the analysed application. As
by a permission, but the protection level of the permission should be checked. a result, the protection level of the
56 Permission: warning permission should be checked where it is
com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION defined. If it is set to normal or dangerous, a
[android:exported=true] malicious application can request and obtain
the permission and interact with the
component. If it is set to signature, only
applications signed with the same certificate
can obtain the permission.
NO ISSUE SEVERITY DESCRIPTION

A Broadcast Receiver is found to be shared


with other apps on the device therefore
leaving it accessible to any other application
on the device. It is protected by a permission
which is not defined in the analysed
Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is Protected by a
application. As a result, the protection level
permission, but the protection level of the permission should be checked.
57 warning of the permission should be checked where it
Permission: com.google.android.c2dm.permission.SEND
is defined. If it is set to normal or dangerous,
[android:exported=true]
a malicious application can request and
obtain the permission and interact with the
component. If it is set to signature, only
applications signed with the same certificate
can obtain the permission.

By setting an intent priority higher than


High Intent Priority (999)
58 warning another intent, the app effectively overrides
[android:priority]
other requests.

 CODE ANALYSIS
HIGH: 1 | WARNING: 5 | INFO: 1 | SECURE: 1 | SUPPRESSED: 0

NO ISSUE SEVERITY STANDARDS FILES


NO ISSUE SEVERITY STANDARDS FILES

X/AnonymousClass017.java
X/AnonymousClass027.java
X/AnonymousClass032.java
X/AnonymousClass066.java
X/C003501n.java
X/C013005t.java
X/C022009o.java
The App logs information. Sensitive CWE: CWE-532: Insertion of Sensitive Information into Log File X/C02330Af.java
1 info
information should never be logged. OWASP MASVS: MSTG-STORAGE-3 X/C02M.java
X/C05H.java
X/C05T.java
X/C05V.java
X/C07E.java
X/C09X.java
X/C0AS.java
X/C0AZ.java

This App uses SSL certificate pinning


X/AnonymousClass098.java
2 to detect or prevent MITM attacks in secure
OWASP MASVS: MSTG-NETWORK-4 X/C03F.java
secure communication channel.

CWE: CWE-327: Use of a Broken or Risky Cryptographic Algorithm


MD5 is a weak hash known to have
3 warning OWASP Top 10: M5: Insufficient Cryptography X/C0AZ.java
hash collisions.
OWASP MASVS: MSTG-CRYPTO-4

App can read/write to External CWE: CWE-276: Incorrect Default Permissions


4 Storage. Any App can read data warning OWASP Top 10: M2: Insecure Data Storage X/C01C.java
written to External Storage. OWASP MASVS: MSTG-STORAGE-2

X/AnonymousClass093.java
CWE: CWE-330: Use of Insufficiently Random Values X/AnonymousClass095.java
The App uses an insecure Random
5 warning OWASP Top 10: M5: Insufficient Cryptography X/C03B.java
Number Generator.
OWASP MASVS: MSTG-CRYPTO-6 X/C03C.java
X/C0B8.java
NO ISSUE SEVERITY STANDARDS FILES

CWE: CWE-200: Information Exposure X/C00Y.java


6 IP Address disclosure warning
OWASP MASVS: MSTG-CODE-2 X/C014906p.java

CWE: CWE-327: Use of a Broken or Risky Cryptographic Algorithm


SHA-1 is a weak hash known to have
7 warning OWASP Top 10: M5: Insufficient Cryptography X/C02B.java
hash collisions.
OWASP MASVS: MSTG-CRYPTO-4

The file or SharedPreference is World CWE: CWE-276: Incorrect Default Permissions


8 Readable. Any App can read from the high OWASP Top 10: M2: Insecure Data Storage X/C018408a.java
file OWASP MASVS: MSTG-STORAGE-2

 SHARED LIBRARY BINARY ANALYSIS

SYMBOLS
NO SHARED OBJECT NX STACK CANARY RPATH RUNPATH FORTIFY
STRIPPED
SYMBOLS
NO SHARED OBJECT NX STACK CANARY RPATH RUNPATH FORTIFY
STRIPPED

True True None None False True


info info info info warning info
The binary This binary has a stack The The binary The binary does not Symbols are
has NX bit canary value added to the binary does not have any fortified stripped.
set. This stack so that it will be does not have functions. Fortified
marks a overwritten by a stack have RUNPATH functions provides
memory buffer that overflows the run-time set. buffer overflow checks
lib/armeabi- page non- return address. This search against glibc's commons
1
v7a/libfb_xzdecoder.so executable allows detection of path or insecure functions like
making overflows by verifying the RPATH strcpy, gets etc. Use the
attacker integrity of the canary set. compiler option -
injected before function return. D_FORTIFY_SOURCE=2
shellcode to fortify functions. This
non- check is not applicable
executable. for Dart/Flutter
libraries.

True False None None False True


info high info info warning info
The binary This binary does not have The The binary The binary does not Symbols are
has NX bit a stack canary value binary does not have any fortified stripped.
set. This added to the stack. Stack does not have functions. Fortified
marks a canaries are used to have RUNPATH functions provides
memory detect and prevent run-time set. buffer overflow checks
lib/armeabi- page non- exploits from overwriting search against glibc's commons
2
v7a/libmemalign16.so executable return address. Use the path or insecure functions like
making option -fstack-protector- RPATH strcpy, gets etc. Use the
attacker all to enable stack set. compiler option -
injected canaries. Not applicable D_FORTIFY_SOURCE=2
shellcode for Dart/Flutter libraries to fortify functions. This
non- unless Dart FFI is used. check is not applicable
executable. for Dart/Flutter
libraries.
SYMBOLS
NO SHARED OBJECT NX STACK CANARY RPATH RUNPATH FORTIFY
STRIPPED

True True None None False True


info info info info warning info
The binary This binary has a stack The The binary The binary does not Symbols are
has NX bit canary value added to the binary does not have any fortified stripped.
set. This stack so that it will be does not have functions. Fortified
marks a overwritten by a stack have RUNPATH functions provides
memory buffer that overflows the run-time set. buffer overflow checks
lib/armeabi-v7a/libsuperpack- page non- return address. This search against glibc's commons
3
jni.so executable allows detection of path or insecure functions like
making overflows by verifying the RPATH strcpy, gets etc. Use the
attacker integrity of the canary set. compiler option -
injected before function return. D_FORTIFY_SOURCE=2
shellcode to fortify functions. This
non- check is not applicable
executable. for Dart/Flutter
libraries.

True False None None False True


info high info info warning info
The binary This binary does not have The The binary The binary does not Symbols are
has NX bit a stack canary value binary does not have any fortified stripped.
set. This added to the stack. Stack does not have functions. Fortified
marks a canaries are used to have RUNPATH functions provides
memory detect and prevent run-time set. buffer overflow checks
page non- exploits from overwriting search against glibc's commons
4 lib/armeabi-v7a/libsigmux.so
executable return address. Use the path or insecure functions like
making option -fstack-protector- RPATH strcpy, gets etc. Use the
attacker all to enable stack set. compiler option -
injected canaries. Not applicable D_FORTIFY_SOURCE=2
shellcode for Dart/Flutter libraries to fortify functions. This
non- unless Dart FFI is used. check is not applicable
executable. for Dart/Flutter
libraries.
SYMBOLS
NO SHARED OBJECT NX STACK CANARY RPATH RUNPATH FORTIFY
STRIPPED

True False None None False True


info high info info warning info
The binary This binary does not have The The binary The binary does not Symbols are
has NX bit a stack canary value binary does not have any fortified stripped.
set. This added to the stack. Stack does not have functions. Fortified
marks a canaries are used to have RUNPATH functions provides
memory detect and prevent run-time set. buffer overflow checks
lib/armeabi- page non- exploits from overwriting search against glibc's commons
5
v7a/libbreakpad_cpp_helper.so executable return address. Use the path or insecure functions like
making option -fstack-protector- RPATH strcpy, gets etc. Use the
attacker all to enable stack set. compiler option -
injected canaries. Not applicable D_FORTIFY_SOURCE=2
shellcode for Dart/Flutter libraries to fortify functions. This
non- unless Dart FFI is used. check is not applicable
executable. for Dart/Flutter
libraries.

True True None None False True


info info info info warning info
The binary This binary has a stack The The binary The binary does not Symbols are
has NX bit canary value added to the binary does not have any fortified stripped.
set. This stack so that it will be does not have functions. Fortified
marks a overwritten by a stack have RUNPATH functions provides
memory buffer that overflows the run-time set. buffer overflow checks
lib/armeabi- page non- return address. This search against glibc's commons
6
v7a/libc++_shared.so executable allows detection of path or insecure functions like
making overflows by verifying the RPATH strcpy, gets etc. Use the
attacker integrity of the canary set. compiler option -
injected before function return. D_FORTIFY_SOURCE=2
shellcode to fortify functions. This
non- check is not applicable
executable. for Dart/Flutter
libraries.
SYMBOLS
NO SHARED OBJECT NX STACK CANARY RPATH RUNPATH FORTIFY
STRIPPED

True True None None False True


info info info info warning info
The binary This binary has a stack The The binary The binary does not Symbols are
has NX bit canary value added to the binary does not have any fortified stripped.
set. This stack so that it will be does not have functions. Fortified
marks a overwritten by a stack have RUNPATH functions provides
memory buffer that overflows the run-time set. buffer overflow checks
lib/armeabi- page non- return address. This search against glibc's commons
7
v7a/libfb_xzdecoder.so executable allows detection of path or insecure functions like
making overflows by verifying the RPATH strcpy, gets etc. Use the
attacker integrity of the canary set. compiler option -
injected before function return. D_FORTIFY_SOURCE=2
shellcode to fortify functions. This
non- check is not applicable
executable. for Dart/Flutter
libraries.

True False None None False True


info high info info warning info
The binary This binary does not have The The binary The binary does not Symbols are
has NX bit a stack canary value binary does not have any fortified stripped.
set. This added to the stack. Stack does not have functions. Fortified
marks a canaries are used to have RUNPATH functions provides
memory detect and prevent run-time set. buffer overflow checks
lib/armeabi- page non- exploits from overwriting search against glibc's commons
8
v7a/libmemalign16.so executable return address. Use the path or insecure functions like
making option -fstack-protector- RPATH strcpy, gets etc. Use the
attacker all to enable stack set. compiler option -
injected canaries. Not applicable D_FORTIFY_SOURCE=2
shellcode for Dart/Flutter libraries to fortify functions. This
non- unless Dart FFI is used. check is not applicable
executable. for Dart/Flutter
libraries.
SYMBOLS
NO SHARED OBJECT NX STACK CANARY RPATH RUNPATH FORTIFY
STRIPPED

True True None None False True


info info info info warning info
The binary This binary has a stack The The binary The binary does not Symbols are
has NX bit canary value added to the binary does not have any fortified stripped.
set. This stack so that it will be does not have functions. Fortified
marks a overwritten by a stack have RUNPATH functions provides
memory buffer that overflows the run-time set. buffer overflow checks
lib/armeabi-v7a/libsuperpack- page non- return address. This search against glibc's commons
9
jni.so executable allows detection of path or insecure functions like
making overflows by verifying the RPATH strcpy, gets etc. Use the
attacker integrity of the canary set. compiler option -
injected before function return. D_FORTIFY_SOURCE=2
shellcode to fortify functions. This
non- check is not applicable
executable. for Dart/Flutter
libraries.

True False None None False True


info high info info warning info
The binary This binary does not have The The binary The binary does not Symbols are
has NX bit a stack canary value binary does not have any fortified stripped.
set. This added to the stack. Stack does not have functions. Fortified
marks a canaries are used to have RUNPATH functions provides
memory detect and prevent run-time set. buffer overflow checks
page non- exploits from overwriting search against glibc's commons
10 lib/armeabi-v7a/libsigmux.so
executable return address. Use the path or insecure functions like
making option -fstack-protector- RPATH strcpy, gets etc. Use the
attacker all to enable stack set. compiler option -
injected canaries. Not applicable D_FORTIFY_SOURCE=2
shellcode for Dart/Flutter libraries to fortify functions. This
non- unless Dart FFI is used. check is not applicable
executable. for Dart/Flutter
libraries.
SYMBOLS
NO SHARED OBJECT NX STACK CANARY RPATH RUNPATH FORTIFY
STRIPPED

True False None None False True


info high info info warning info
The binary This binary does not have The The binary The binary does not Symbols are
has NX bit a stack canary value binary does not have any fortified stripped.
set. This added to the stack. Stack does not have functions. Fortified
marks a canaries are used to have RUNPATH functions provides
memory detect and prevent run-time set. buffer overflow checks
lib/armeabi- page non- exploits from overwriting search against glibc's commons
11
v7a/libbreakpad_cpp_helper.so executable return address. Use the path or insecure functions like
making option -fstack-protector- RPATH strcpy, gets etc. Use the
attacker all to enable stack set. compiler option -
injected canaries. Not applicable D_FORTIFY_SOURCE=2
shellcode for Dart/Flutter libraries to fortify functions. This
non- unless Dart FFI is used. check is not applicable
executable. for Dart/Flutter
libraries.

True True None None False True


info info info info warning info
The binary This binary has a stack The The binary The binary does not Symbols are
has NX bit canary value added to the binary does not have any fortified stripped.
set. This stack so that it will be does not have functions. Fortified
marks a overwritten by a stack have RUNPATH functions provides
memory buffer that overflows the run-time set. buffer overflow checks
lib/armeabi- page non- return address. This search against glibc's commons
12
v7a/libc++_shared.so executable allows detection of path or insecure functions like
making overflows by verifying the RPATH strcpy, gets etc. Use the
attacker integrity of the canary set. compiler option -
injected before function return. D_FORTIFY_SOURCE=2
shellcode to fortify functions. This
non- check is not applicable
executable. for Dart/Flutter
libraries.
 NIAP ANALYSIS v1.3

NO IDENTIFIER REQUIREMENT FEATURE DESCRIPTION

 OFAC SANCTIONED COUNTRIES


This app may communicate with the following OFAC sanctioned list of countries.

DOMAIN COUNTRY/REGION

 DOMAIN MALWARE CHECK

DOMAIN STATUS GEOLOCATION

schemas.android.com ok No Geolocation information available.

IP: 157.240.205.35
Country: Netherlands
Region: Noord-Holland
m.facebook.com ok City: Amsterdam
Latitude: 52.374031
Longitude: 4.889690
View: Google Map
DOMAIN STATUS GEOLOCATION

IP: 157.240.205.35
Country: Netherlands
Region: Noord-Holland
www.facebook.com ok City: Amsterdam
Latitude: 52.374031
Longitude: 4.889690
View: Google Map

IP: 142.250.74.78
Country: United States of America
Region: California
www.android.com ok City: Mountain View
Latitude: 37.405991
Longitude: -122.078514
View: Google Map

 HARDCODED SECRETS

POSSIBLE SECRETS

"google_api_key" : "AIzaSyBWJZPw7wVi-NQEViQV9ZnadO-xbX4S8o0"

aCdH+LpiG4fN07wpXtXKvOciocDANj0daLOJKNJ4fx4=

1RBv0Am3VA2bLMifS4uOCNDeaKSVc7CU

7oVvh3Fck1xX0J5u42DHceCqMyIqewU2TWaJlChTsZA

uUwZgwDOxcBXrQcntwu+kYFpkiVkOaezL0WYEZ3anJc=
POSSIBLE SECRETS

oSjSY8pqhXpum64U6nRyis9rV9XfVU3BgyBK6ru6RS8

i1R0ZwdXk2ev6WLsW1iXdNyytsuVi570wNd9O6D5wkA

AbX42B4J9OEFPkJ2iesKntcZmdU

Wd8xe/qfTwq3ylFNd3IpaqLHZbh2ZNCLluVzmeNkcpw=

eBLxbTAHR6nuEIur96W48dDc7Io

jriiCfLl5AQq3PaWv3Uemavb2hMrZhZ

ape1HIIZ6T5d7GS61YBs3rD4NVvkfnVwELcCRW4Bqv0=

HC4rwCH0AxqzQcvYDrHg5ikHBl2GnUuRnJLwuJJyt8o

diGVwiVYbubAI3RW4hB9xU8e/CH2GnkuvVFZE8zmgzI=

oC+voZLIy4HLE0FVT5wFtxzKKokLDRKY1oNkfJYe+98=

Dp3faO2KC6cZg6irlvtu9yL9H3E

Jm4bl26QMphvIVgzVUeQb6f37Ys3IKRmCw0LBgLJBzs

F5OoLdx6B8GGOezxJY0QifKgn3FjXCyp54J8bPv3yfI

sXPIxiZ1lvokCdbRCr64p0GHvtNvywjWNQmqJtqWw8Q

58qRu/uxh4gFezqAcERupSkRYBlBAvfcw7mEjGPLnNU=
POSSIBLE SECRETS

62Yjx8iYhpF3VA6BQQvyUObpLzjXx0Gs5PEm1cLJaf4

oXiTMLDip81kTvgXrtXtypfecxU3vmuNPlCfkOM

Y5Hqye7Bbux7I1qFFmbE6EqILj2ssTFQB9Ss6LwpmGE

4dJKibgNvwschNsyH9YBK3Hwl5zTIkQlBgZu10E

56Okh3GNc5c7nKYtifJU6wAaMW8

jYWbZ4GQZ28iGykpgUFoIDlGPXHb2sIWpDljhlYw

qadsRSPy8q2oOtZucRAyNlbBCyrbDQYWnD6ZESwR0vs

IIi8UGlEtWJZu9Pd7CjQO8rHxTA

pGLr1wNX3vElqWNF4QYKaubskS4

FRNYKa3Xwpy4PBUuvctQLZyChQw

Sr9mhPKOEwo6NysnYn803dZ3UiY

Xz5Q9DVYPJrmJjAqcfc0AEQIen4sYK2s

ICGRfpgmOUXIWcQ/HXPLQTkFPEFPoDyjvH7ohhQpjzs=

ovbQAw7LTrM4PSNadgRBwp4vfR5ma3mkb1x

WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=
POSSIBLE SECRETS

j7DW1GBqpKusFNd9HZfVNAhgyfgQRaoVc

q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ=

K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q=

ztXcjgEmmxMKYWXyXR1OtAW6codwAh6kiOzYzpxMCM4

BcapvdaWLq6ZfAglJbxXazMNBFU

5MCO54QyiJ31mua72pgMV7lET8XxQmxVGsxMmN3dAkA

rn+WLLnmp9v3uDP7GPqbcaiRdd+UnCMrap73yz3yu/w=

AuYCk4ZRoWy5MJTr4GmbZSKv7vsGVtVR2oLiOKKp3qs

uSEJtZCVlVzKr17Lzw8VPslkCkZYwQFmetlrfkmaQJI

IbLe4s4vmD9fTAOkRpKbhqq5uo8

MCluzmTgXDuTHyG9AnpK6nb1ffPe

cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A=

BhbXF71VGdruXI2K92clfscrAA8xTQxV0mTVQSyTzJM

ZiIZ7fdUdXcbGMNL6M656x4mTCC9kdSoSNBOifLrBAA

grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=
POSSIBLE SECRETS

6PDrONEnh3P7htSccijrhAA8B9sXJeGvGHy

XdkQEeiVeIyDkvBEAHtGJKKHfdsrOFf9te68UpyJVhA

C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=

RdBiQjfrXe1WnMMVVkuOoFfs8ri2eE

b2sRSFyeAdgq4NbTDsF6EuDfHreyS9x2Pp7oKe8QclI

2eC54WVokOBCMfraLI5w5AkPzV4OhG2rUnfhWHKBM0M

W1BzWTPVNZBtrA45RvTcbkVphwqyUdZwQEL7X

OaxNl9DzmpbAu1HcjBRq8oUlJBWeTEWmnftIpuLE0dY

 PLAYSTORE INFORMATION
Title: Facebook Lite

Score: 4.044712 Installs: 1,000,000,000+ Price: 0 Android Version Support: Category: Social Play Store URL: com.facebook.lite

Developer Details: Meta Platforms, Inc., Meta+Platforms,+Inc., 1 Hacker Way Menlo Park, CA 94025, https://www.facebook.com/facebook, [email protected],

Release Date: Mar 15, 2018 Privacy Policy: Privacy link

Description:

Keeping up with friends is faster and easier than ever with the Facebook Lite app! Use Facebook Lite as a friends app to connect and keep up with your social network.
The Facebook Lite app is small, allowing you to save space on your phone and use Facebook in 2G conditions. Many of the classic features of Facebook are available on
the app, such as sharing to a Timeline, liking photos, searching for people, and editing your profile and groups. Specific features include: • Find friends and family • Post
status updates & use Facebook emoji to help relay what’s going on in your world • Share photos and your favorite memes • Get notified when friends like and comment
on your posts • Find local social events, RSVP, and make plans to meet up with friends • Interact with your friends by adding your own comments or reactions to their
Facebook posts • Save photos by adding them to photo albums • Follow people to get their latest news • Look up local businesses to see reviews, operation hours, and
pictures • Buy and sell locally on Facebook Marketplace The Facebook app does more than help you stay connected with your friends and interests. It's also your personal
organizer for storing, saving and sharing photos. It's easy to share photos straight from your Android camera, and you have full control over your photos and privacy
settings. You can choose when to keep individual photos private or even set up a secret photo album to control who sees it. Facebook Lite also helps you keep up with
the latest news and current events around the world. Subscribe to your favorite celebrities, brands, websites, artists, or sports teams to follow their News Feeds from the
convenience of your Facebook Lite app! Problems with downloading or installing the app? See https://www.facebook.com/help/fblite Still need help? Please tell us more
about the issue: https://www.facebook.com/help/contact/640732869364975 Facebook is only available to people aged 13 and over. Terms of Service:
http://m.facebook.com/terms.php

Report Generated by - MobSF v3.7.8 Beta


Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment
framework capable of performing static and dynamic analysis.

© 2023 Mobile Security Framework - MobSF | Ajin Abraham | OpenSecurity.

You might also like