Professional Documents
Culture Documents
MobSF Static Analysis Report
MobSF Static Analysis Report
MobSF Static Analysis Report
ColorNote (4.4.6)
File Name: colornote-notepad-4-4-6.apk
Grade:
C
Trackers Detection: 2/428
FINDINGS SEVERITY
20 21 2 2 2
FILE INFORMATION
File Name: colornote-notepad-4-4-6.apk
Size: 3.98MB
MD5: f34b68f1980e9296c9a60bed2425af7a
SHA1: 8f386511aa4d7e3fabf0e1b16f8457ec1493d483
SHA256: 5046f430afa77feaf6cc6d09cc9889dc20606e83fa87018f9d037de866c4968d
APP INFORMATION
App Name: ColorNote
Package Name: com.socialnmobile.dictapps.notepad.color.note
Main Activity: com.socialnmobile.colornote.activity.Main
Target SDK: 31
Min SDK: 15
Max SDK:
Android Version Name: 4.4.6
Android Version Code: 14600
APP COMPONENTS
Activities: 24
Services: 14
Receivers: 20
Providers: 5
Exported Activities: 8
Exported Services: 5
Exported Receivers: 8
Exported Providers: 1
CERTIFICATE INFORMATION
Binary is signed
v1 signature: True
v2 signature: True
v3 signature: False
v4 signature: False
X.509 Subject: C=Unknown, ST=Unknown, L=Unknown, O=socialnmobile, OU=android, CN=socialnmobile
Signature Algorithm: rsassa_pkcs1v15
Valid From: 2009-02-13 09:51:33+00:00
Valid To: 2063-11-17 09:51:33+00:00
Issuer: C=Unknown, ST=Unknown, L=Unknown, O=socialnmobile, OU=android, CN=socialnmobile
Serial Number: 0x499542a5
Hash Algorithm: sha1
md5: 8190fa0dfb1457782dbbe689beef98b7
sha1: f4d8a67bf40879df79cbf1dc8b2999df74ebbf76
sha256: 4e92275e4f7853f3df65171071f0b6841b063520ee93d9bb2db647baec695b98
sha512: 0ea3cd42a12a4b37bb685e2c381e4c15a58ae7ffb64445aed15df2872349f4e1b61f28bcfc7a5b403af48b4688e0d146e5d1cabd5b717ab1b6b47333defa49a2
PublicKey Algorithm: rsa
Bit Size: 1024
Fingerprint: b3e73ed9bda041e5fb23d5ad03a0522de5684d88d280fc7ce53973921df6d739
Found 1 unique certificates
APPLICATION PERMISSIONS
read/modify/delete
Allows an application to write to external
android.permission.WRITE_EXTERNAL_STORAGE dangerous external storage
storage.
contents
APKID ANALYSIS
FILE DETAILS
FINDINGS DETAILS
Build.FINGERPRINT check
classes.dex Build.MODEL check
Anti-VM Code
Build.MANUFACTURER check
Build.PRODUCT check
BROWSABLE ACTIVITIES
ACTIVITY INTENT
Schemes: colornote://,
com.socialnmobile.colornote.activity.AppAction
Hosts: appaction,
Schemes: fbconnect://,
com.facebook.CustomTabActivity
Hosts: cct.com.socialnmobile.dictapps.notepad.color.note,
NETWORK SECURITY
HIGH: 0 | WARNING: 1 | INFO: 0 | SECURE: 1
1 * secure Base config is configured to disallow clear text traffic to all domains.
CERTIFICATE ANALYSIS
HIGH: 1 | WARNING: 1 | INFO: 1
Application is signed with v1 signature scheme, making it vulnerable to Janus vulnerability on Android 5.0-8.0, if signed
Application vulnerable
warning only with v1 signature scheme. Applications running on Android 5.0-7.0 signed with v1, and v2/v3 scheme is also
to Janus Vulnerability
vulnerable.
Certificate algorithm
vulnerable to hash high Application is signed with SHA1withRSA. SHA1 hash algorithm is known to have collision issues.
collision
MANIFEST ANALYSIS
HIGH: 18 | WARNING: 10 | INFO: 0 | SUPPRESSED: 0
This flag allows anyone to backup your application data via adb. It
Application Data can be Backed up
3 warning allows users who have enabled USB debugging to copy application
[android:allowBackup=true]
data off of the device.
Content Provider (com.socialnmobile.colornote.data.NoteProvider) A Content Provider is found to be shared with other apps on the
4 is not Protected. high device therefore leaving it accessible to any other application on the
[android:exported=true] device.
NO ISSUE SEVERITY DESCRIPTION
Broadcast Receiver
A Broadcast Receiver is found to be shared with other apps on the
(com.socialnmobile.colornote.receiver.TimeChangedReceiver) is
5 high device therefore leaving it accessible to any other application on the
not Protected.
device.
[android:exported=true]
Broadcast Receiver
A Broadcast Receiver is found to be shared with other apps on the
(com.socialnmobile.colornote.receiver.PowerConnectedReceiver) is
6 high device therefore leaving it accessible to any other application on the
not Protected.
device.
[android:exported=true]
Broadcast Receiver
A Broadcast Receiver is found to be shared with other apps on the
(com.socialnmobile.colornote.receiver.BuildWidgetReceiver) is not
7 high device therefore leaving it accessible to any other application on the
Protected.
device.
[android:exported=true]
Broadcast Receiver
A Broadcast Receiver is found to be shared with other apps on the
(com.socialnmobile.colornote.receiver.NoteWidget) is not
8 high device therefore leaving it accessible to any other application on the
Protected.
device.
[android:exported=true]
Broadcast Receiver
A Broadcast Receiver is found to be shared with other apps on the
(com.socialnmobile.colornote.receiver.NoteWidget2x2) is not
9 high device therefore leaving it accessible to any other application on the
Protected.
device.
[android:exported=true]
Broadcast Receiver
A Broadcast Receiver is found to be shared with other apps on the
(com.socialnmobile.colornote.receiver.TodayWidget2x2) is not
10 high device therefore leaving it accessible to any other application on the
Protected.
device.
[android:exported=true]
NO ISSUE SEVERITY DESCRIPTION
Service (com.socialnmobile.colornote.oauth.KeepAliveService) is A Service is found to be shared with other apps on the device
13 not Protected. high therefore leaving it accessible to any other application on the
[android:exported=true] device.
Activity (com.socialnmobile.colornote.activity.Search) is not An Activity is found to be shared with other apps on the device
14 Protected. high therefore leaving it accessible to any other application on the
[android:exported=true] device.
Activity-Alias (com.socialnmobile.colornote.activity.NoteList) is not An Activity-Alias is found to be shared with other apps on the
15 Protected. high device therefore leaving it accessible to any other application on the
[android:exported=true] device.
NO ISSUE SEVERITY DESCRIPTION
Activity (com.socialnmobile.colornote.activity.ActionReceiver) is not An Activity is found to be shared with other apps on the device
16 Protected. high therefore leaving it accessible to any other application on the
[android:exported=true] device.
Activity (com.socialnmobile.colornote.activity.NoteEditor) is not An Activity is found to be shared with other apps on the device
18 Protected. high therefore leaving it accessible to any other application on the
[android:exported=true] device.
Activity
An Activity is found to be shared with other apps on the device
(com.socialnmobile.colornote.activity.NoteWidgetConfigure) is not
22 high therefore leaving it accessible to any other application on the
Protected.
device.
[android:exported=true]
Activity
An Activity is found to be shared with other apps on the device
(com.socialnmobile.colornote.oauth.RedirectOauthReceiverActivity)
23 high therefore leaving it accessible to any other application on the
is not Protected.
device.
[android:exported=true]
Activity (com.socialnmobile.colornote.activity.AppAction) is not An Activity is found to be shared with other apps on the device
24 Protected. high therefore leaving it accessible to any other application on the
[android:exported=true] device.
Service (com.google.firebase.iid.FirebaseInstanceIdService) is not A Service is found to be shared with other apps on the device
29 Protected. high therefore leaving it accessible to any other application on the
[android:exported=true] device.
CODE ANALYSIS
HIGH: 1 | WARNING: 7 | INFO: 2 | SECURE: 1 | SUPPRESSED: 0
com/socialnmobile/colornote/Col
orNote.java
sm/b5/d.java
sm/b7/a.java
NO ISSUE SEVERITY STANDARDS FILES
sm/c5/b.java
sm/d1/d.java
sm/d3/c.java
sm/d4/b.java
sm/e0/e.java
sm/e1/a.java
sm/e4/f3.java
sm/e4/f4.java
sm/e4/j3.java
sm/e4/m3.java
sm/e4/v3.java
sm/e4/x3.java
sm/e5/g.java
sm/g1/a.java
sm/g1/b.java
sm/g4/k.java
sm/h0/c.java
sm/h0/d.java
sm/i0/b.java
sm/i0/d.java
sm/i0/e.java
sm/i0/f.java
sm/i0/i.java
sm/i2/a.java
sm/i3/c.java
sm/i4/a.java
sm/i8/a.java
sm/j/a.java
sm/j2/c1.java
sm/j2/g.java
sm/j2/j0.java
sm/j2/o0.java
sm/j2/s0.java
sm/j3/d0.java
sm/j3/e0.java
sm/j3/y.java
sm/k2/c.java
sm/k2/f.java
sm/k2/g0.java
sm/k2/m.java
NO ISSUE SEVERITY STANDARDS FILES
sm/l4/h.java
sm/l5/c.java
CWE: CWE-532: Insertion of Sensitive Information into Log
The App logs information. Sensitive sm/m0/b.java
2 info File
information should never be logged. sm/n/g.java
OWASP MASVS: MSTG-STORAGE-3
sm/n1/c.java
sm/n2/l.java
sm/n3/a.java
sm/o/c.java
sm/o2/e.java
sm/o2/f.java
sm/p/j.java
sm/p/k.java
sm/p/l.java
sm/p0/a.java
sm/p0/b.java
sm/q0/b.java
sm/q1/a.java
sm/q2/a.java
sm/q5/i.java
sm/r1/i0.java
sm/r1/y.java
sm/r3/e.java
sm/r3/j.java
sm/r3/k.java
sm/r5/a.java
sm/r5/k.java
sm/s2/f.java
sm/s2/i.java
sm/s2/l.java
sm/t3/d.java
sm/t3/z.java
sm/t5/d.java
sm/t5/f.java
sm/t5/k.java
sm/t5/l.java
sm/t5/o.java
sm/u0/c.java
sm/u1/j.java
sm/u3/a.java
sm/u3/c.java
NO ISSUE SEVERITY STANDARDS FILES
sm/u3/e.java
sm/u3/e0.java
sm/u3/f.java
sm/u3/k0.java
sm/v2/a.java
sm/w3/a.java
sm/x3/l.java
sm/y4/a.java
sm/z2/d0.java
sm/z2/k0.java
sm/z2/l0.java
sm/z2/u.java
CWE: CWE-327: Use of a Broken or Risky Cryptographic sm/i3/a.java
sm/z7/k.java
SHA-1 is a weak hash known to have Algorithm sm/n7/l2.java
3 warning
hash collisions. OWASP Top 10: M5: Insufficient Cryptography sm/n7/m1.java
OWASP MASVS: MSTG-CRYPTO-4 sm/t5/o.java
com/socialnmobile/colornote/rec
eiver/AutoSyncReceiver.java
sm/a9/a.java
CWE: CWE-330: Use of Insufficiently Random Values
The App uses an insecure Random sm/a9/b.java
4 warning OWASP Top 10: M5: Insufficient Cryptography
Number Generator. sm/e4/v3.java
OWASP MASVS: MSTG-CRYPTO-6
sm/j2/s.java
sm/l6/x.java
sm/z2/k0.java
com/socialnmobile/colornote/dat
a/d.java
sm/l6/z.java
App can read/write to External CWE: CWE-276: Incorrect Default Permissions
sm/n3/i4.java
5 Storage. Any App can read data warning OWASP Top 10: M2: Insecure Data Storage
sm/o6/a.java
written to External Storage. OWASP MASVS: MSTG-STORAGE-2
sm/t6/h.java
sm/z2/k0.java
sm/z7/j.java
NO ISSUE SEVERITY STANDARDS FILES
App creates temp file. Sensitive CWE: CWE-276: Incorrect Default Permissions
7 information should never be written warning OWASP Top 10: M2: Insecure Data Storage sm/g1/b.java
into a temp file. OWASP MASVS: MSTG-STORAGE-2
sm/j2/b.java
sm/j2/c1.java
sm/j2/j.java
App can write to App Directory.
CWE: CWE-276: Incorrect Default Permissions sm/j2/q0.java
8 Sensitive Information should be info
OWASP MASVS: MSTG-STORAGE-14 sm/j2/t0.java
encrypted.
sm/j3/d0.java
sm/q2/j.java
sm/w2/b.java
Files may contain hardcoded CWE: CWE-312: Cleartext Storage of Sensitive Information
sm/m2/g.java
9 sensitive information like usernames, warning OWASP Top 10: M9: Reverse Engineering
sm/n7/d2.java
passwords, keys etc. OWASP MASVS: MSTG-STORAGE-14
The App uses the encryption mode CWE: CWE-649: Reliance on Obfuscation or Encryption of
CBC with PKCS5/PKCS7 padding. This Security-Relevant Inputs without Integrity Checking
11 high sm/n7/o2.java
configuration is vulnerable to OWASP Top 10: M5: Insufficient Cryptography
padding oracle attacks. OWASP MASVS: MSTG-CRYPTO-3
NIAP ANALYSIS v1.3
DOMAIN COUNTRY/REGION
IP: 157.240.226.1
Country: Netherlands
Region: Noord-Holland
graph.facebook.com ok City: Amsterdam
Latitude: 52.374031
Longitude: 4.889690
View: Google Map
DOMAIN STATUS GEOLOCATION
IP: 142.250.219.212
Country: United States of America
Region: California
api-dot-colornote-server.appspot.com ok City: Mountain View
Latitude: 37.405991
Longitude: -122.078514
View: Google Map
IP: 142.251.132.52
Country: United States of America
Region: California
event-collector-etc.appspot.com ok City: Mountain View
Latitude: 37.405991
Longitude: -122.078514
View: Google Map
IP: 3.162.249.136
Country: United States of America
Region: Washington
www.amazon.com ok City: Seattle
Latitude: 47.627499
Longitude: -122.346199
View: Google Map
IP: 93.184.216.34
Country: United States of America
Region: Virginia
www.example.com ok City: Ashburn
Latitude: 39.043720
Longitude: -77.487488
View: Google Map
IP: 157.240.12.35
Country: Brazil
Region: Sao Paulo
facebook.com ok City: Sao Paulo
Latitude: -23.547501
Longitude: -46.636108
View: Google Map
IP: 142.250.219.238
Country: United States of America
Region: California
developers.google.com ok City: Mountain View
Latitude: 37.405991
Longitude: -122.078514
View: Google Map
IP: 130.211.189.49
Country: United States of America
Region: Iowa
www.colornote.com ok City: Council Bluffs
Latitude: 41.261940
Longitude: -95.860832
View: Google Map
IP: 34.120.160.131
Country: United States of America
Region: Missouri
colornote-server.firebaseio.com ok City: Kansas City
Latitude: 39.099731
Longitude: -94.578568
View: Google Map
DOMAIN STATUS GEOLOCATION
IP: 200.152.162.143
Country: Brazil
Region: Sao Paulo
data.flurry.com ok City: Sao Paulo
Latitude: -23.547501
Longitude: -46.636108
View: Google Map
IP: 104.197.70.19
Country: United States of America
Region: Iowa
api.colornote.com ok City: Council Bluffs
Latitude: 41.261940
Longitude: -95.860832
View: Google Map
IP: 142.251.128.148
Country: United States of America
Region: California
api-dot-colornote-dev-py27.appspot.com ok City: Mountain View
Latitude: 37.405991
Longitude: -122.078514
View: Google Map
IP: 157.240.222.16
Country: Brazil
Region: Sao Paulo
developers.facebook.com ok City: Sao Paulo
Latitude: -23.547501
Longitude: -46.636108
View: Google Map
DOMAIN STATUS GEOLOCATION
IP: 142.250.219.238
Country: United States of America
Region: California
plus.google.com ok City: Mountain View
Latitude: 37.405991
Longitude: -122.078514
View: Google Map
IP: 142.250.79.206
Country: United States of America
Region: California
play.google.com ok City: Mountain View
Latitude: 37.405991
Longitude: -122.078514
View: Google Map
IP: 142.250.219.164
Country: United States of America
Region: California
www.google.com ok City: Mountain View
Latitude: 37.405991
Longitude: -122.078514
View: Google Map
IP: 172.217.162.116
Country: United States of America
Region: California
event-collector-colornote.appspot.com ok City: Mountain View
Latitude: 37.405991
Longitude: -122.078514
View: Google Map
DOMAIN STATUS GEOLOCATION
IP: 142.251.128.74
Country: United States of America
Region: California
firebaseremoteconfig.googleapis.com ok City: Mountain View
Latitude: 37.405991
Longitude: -122.078514
View: Google Map
IP: 157.240.226.35
Country: Netherlands
Region: Noord-Holland
www.facebook.com ok City: Amsterdam
Latitude: 52.374031
Longitude: 4.889690
View: Google Map
IP: 172.217.162.109
Country: United States of America
Region: California
accounts.google.com ok City: Mountain View
Latitude: 37.405991
Longitude: -122.078514
View: Google Map
IP: 142.250.219.206
Country: United States of America
Region: California
schema.org ok City: Mountain View
Latitude: 37.405991
Longitude: -122.078514
View: Google Map
FIREBASE DATABASES
info
https://colornote-server.firebaseio.com
App talks to a Firebase Database.
EMAILS
EMAIL FILE
u0013android@android.com0
sm/r3/p.java
u0013android@android.com
TRACKERS
HARDCODED SECRETS
POSSIBLE SECRETS
"facebook_client_token" : "550b8029088421a81472f9340e57f52d"
"firebase_database_url" : "https://colornote-server.firebaseio.com"
"google_api_key" : "AIzaSyDnUAli16gcM1BshfFIotiKlkhs1B8R7tM"
"google_crash_reporting_api_key" : "AIzaSyDnUAli16gcM1BshfFIotiKlkhs1B8R7tM"
"password" : "Password"
"username" : "Username"
"about_password" : ""
"com_facebook_device_auth_instructions" : "<b>facebook.com/device</b>"
"enter_password" : ""
"master_password" : ""
"password" : ""
"reenter_master_password" : ""
"remove_password" : ""
"username" : "ID"
"master_password" : "Master-Passwort"
POSSIBLE SECRETS
"password" : "Passwort"
"username" : "Nutzername"
"password" : ""
"username" : ""
"username" : "Utilisateur"
"password" : "Şifre"
"password" : "Contraseña"
"password" : "Senha"
"master_password" : "Мастер-пароль"
"password" : "Пароль"
"password" : ""סיסמא
"about_password" : ""
"com_facebook_device_auth_instructions" : "<b>facebook.com/device</b>"
"enter_password" : ""
"master_password" : ""
POSSIBLE SECRETS
"password" : ""
"reenter_master_password" : ""
"remove_password" : ""
"username" : ""
"password" : "Password"
"about_password" : ""
"enter_password" : ""
"master_password" : ""
"password" : ""
"reenter_master_password" : ""
"remove_password" : ""
"username" : ""
c103703e120ae8cc73c9248622f3cd1e
8a3c4b262d721acd49a4bf97d5213199c86fa2b9
2438bce1ddb7bd026d5ff89f598b3b5e5bb824b3
POSSIBLE SECRETS
cc2751449a350f668590264ed76692694a80308a
df6b721c8b4d3b6eb44c861d4415007e5a35fc95
SVqWumuteCQHvVIaALrOZXuzVVVeS7f4FGxxu6V+es4=
9b8f518b086098de3d77736f9458a3d2f6f95a37
cAajgxHlj7GTSEIzIYIQxmEloOSoJq7VOaxWHfv72QM=
Wd8xe/qfTwq3ylFNd3IpaqLHZbh2ZNCLluVzmeNkcpw=
c56fb7d591ba6704df047fd98f535372fea00211
WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=
UZJDjsNp1+4M5x9cbbdflB779y5YRBcV6Z6rBMLIrO4=
JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg=
uUwZgwDOxcBXrQcntwu+kYFpkiVkOaezL0WYEZ3anJc=
a4b7452e2ed8f5f191058ca7bbfd26b0d3214bfc
49f946663a8deb7054212b8adda248c6
PLAYSTORE INFORMATION
Title: ColorNote Notepad Notes
Score: 4.861069 Installs: 100,000,000+ Price: 0 Android Version Support: Category: Productivity Play Store URL: com.socialnmobile.dictapps.notepad.color.note
Developer Details: Notes, Notes, 142, Gasan digital 1-ro, Geumcheon-gu, Seoul, Korea, http://www.colornote.com, notesupport@socialnmobile.com,
Description:
ColorNote® is a simple and awesome notepad app. It gives you a quick and simple notepad editing experience when you write notes, memos, e-mails, messages,
shopping lists and to-do lists. Taking notes with ColorNote® Notepad is easier than any other notepad or memo pad app. * Notice * - If you cannot find the widget, then
please read the FAQ below. - When you're finished using the notepad, an automatic save command preserves your individual note. * Product Description * ColorNote®
features two basic note taking formats, a lined-paper styled text option, and a checklist option. Add as many as you want to your master list, which appears on the app's
home screen each time the program opens. This list may be viewed in traditional ascending order, in grid format, or by note color. - Taking a Note - Serving as a simple
word processing program, the text option allows for as many characters as you're willing to type. Once saved, you can edit, share, set a reminder, or check off or delete
the note through your device's menu button. When checking off a text note, the app places a slash through the list's title, and this will be displayed on the main menu. -
Making To-do List or Shopping List - In the checklist mode, you can add as many items as you'd like and arrange their order with drag buttons activated in the edit mode.
After the list is finished and saved, you may check or uncheck each line on your list with a quick tap, which will toggle a line slash. If all items have been checked, then the
list's title is slashed as well. * Features * - Organize notes by color (color notebook) - Sticky note memo widget (Put your notes on your home screen) - Checklist notes for
To do list & Shopping list. (Quick and simple list maker) - Checklist notes to get things done (GTD) - Organize your schedule by note in calendar - Write a diary and journal
in calendar - Password Lock note : Protect your notes with passcode - Secured backup notes to SD storage - Supports online back up and sync. You can sync notes
between phone and tablet. - Reminder notes on status bar - List/Grid View - Search notes - Notepad supports ColorDict Add-on - Powerful task reminder : Time Alarm, All
day, Repetition.(lunar calendar) - Quick memo / notes - Wiki note link : [[Title]] - Share notes via SMS, e-mail or Twitter * Online backup and sync cloud service * - Notes
will be encrypted before uploading notes by using the AES standard, which is the same encryption standard used by banks to secure customer data. - It does not send
any of your notes to the server without you signing in. - Sign-in with Google or Facebook. * Permissions * - Internet Access: For online backup & sync notes - Storage : For
backup notes to the storage of the device - Prevent phone from sleeping, control vibrator, automatically start at boot: For reminder notes * FAQ * Q: How do you put a
sticky note widget on the home screen? A: Go to the home screen and hold down your finger on an empty space and choose widget, Color Note will then be desplayed so
you can stick on the page. Q: Why don't the widget, the alarm and notes remider functions work? A: If the app is installed on the SD card, your widget, reminder, etc. will
not work properly because Android doesn't support these features when installed on an SD card! If you have already moved the app to an SD card, but want those
features, then you have to move the app back on the device and reboot your phone. Settings - Applications - Manage Applications - Color Note - Move to Device Q: Where
are backed up notes data on the SD card? A: '/data/colornote' or '/Android/data/com.socialnmobile.dictapps.notepad.color.note/files' on SD card Q: I forgot my master
password. How can I change it? A: Menu → Settings → Master Password → Menu Button → Clear Password. You will lose your current locked notes when you clear the
password! Q: How can I create todo list note? A: New - Select checklist note - Put items - Save. Tap an item to strikethrough.