0/62

Threat

com.lidl.eci.lidlplus

Lidl Plus

Analyzed on 2022-04-28T08:31:28.562085

25

permissions

112

activities

19

services

18

receivers

71

domains

File sums

MD5 aa84eced98d0da4176125847bc360dc6
SHA1 a29b187d1e9f2048828628df9d18e9410ec99975
SHA256 1b35c4c38dffc20c209c0b164a5708a61781cdcacba685606e18ee6101d03c39
Size 39.69MB

APKiD

Information computed with APKiD.

/tmp/tmpuug7i3py!classes.dex
anti_vm
  • Build.FINGERPRINT check
  • Build.MODEL check
  • Build.MANUFACTURER check
  • Build.PRODUCT check
  • Build.TAGS check
compiler
  • r8
/tmp/tmpuug7i3py!classes2.dex
compiler
  • r8 without marker (suspicious)
/tmp/tmpuug7i3py!classes3.dex
anti_vm
  • Build.FINGERPRINT check
  • Build.MODEL check
  • Build.MANUFACTURER check
  • Build.PRODUCT check
  • Build.HARDWARE check
  • Build.BOARD check
  • possible Build.SERIAL check
  • Build.TAGS check
  • SIM operator check
  • network operator name check
  • possible VM check
anti_debug
  • Debug.isDebuggerConnected() check
compiler
  • r8 without marker (suspicious)
/tmp/tmpuug7i3py!classes4.dex
anti_vm
  • Build.MODEL check
  • Build.MANUFACTURER check
compiler
  • r8 without marker (suspicious)
/tmp/tmpuug7i3py!lib/arm64-v8a/libTMXProfiling-RL-6.2-97-jni.so
obfuscator
  • Arxan
/tmp/tmpuug7i3py!lib/armeabi-v7a/libTMXProfiling-RL-6.2-97-jni.so
obfuscator
  • Arxan

SSdeep

Information computed with ssdeep.

APK file 786432:VNrVH1recjy0vjRYFIFpz0k3877BMPVy0r7tbVz+WqD3T:VNrVH1renkjR3Fpok38XBK1/VB+ND3T
Manifest 768:4zLrKTAdG/RVj8cKE6XiASbqUQtoTYo9Oe9i3oetynavEQgJ/Kf1GPZjd9Xmqa4c:…
classes.dex 49152:FNiic7OBRO92LCBx81TFIAgLK+uXSGMT1muk+GhvK4D+QsJgvB1YQYIDbMyb8pt…
classes2.dex 6144:kmDPARqUQ4WaPN+SQAiM6+2FoHKeXzKsctlpr0q0IhJGo6wiIegjP389TS0P0Qgw…
classes3.dex 98304:7ZvLa6Zj6EwEXEsGai2NgWEUe3Clb1r1rjB:NT1j6EwEXEsxgWZlBv
classes4.dex 49152:pVUkdCTG0B/yFUwBhHF0Gm4NX00ot8L3izXFI8jv1JxkXH/yFgJRgSzMY8FuqC2…

Dexofuzzy

Information computed with Dexofuzzy.

APK file 12288:aPSdX5ILNhQOAkAGHKJOxrLCqiKyP/qYDKrBmTt5nMPtpoXYZOc0:aadp2cvGH7…
classes.dex 6144:aPnSdqcuKn5S7LNhqkyyUOGXysTQ7kRQvstU9Eo5fCn:aPSdX5ILNhQOAkAGHKn
classes2.dex 768:IvLWEMnRRRHJPtZ5UN/48d333t4deqpeb0vUNvA1:IvLWEMnRRRHJPtZWNg8d333H…
classes3.dex 6144:usiHEjaxqlmahYYXQcurynu2lYIomi+eu22YRDsKy0OV/qYNoL4K4S3BBmTUt:bO…
classes4.dex 6144:g5bbaXAgqoJQo3pov8a8DDAHbcbXevOmcOqv1el:g5nMPtpoXYZOc0

APK details

Information computed with AndroGuard and Pithus.

Package com.lidl.eci.lidlplus
App name Lidl Plus
Version name 14.49.3
Version code 1470400233
SDK 23 - 31
UAID 98de87df597ad087c5a17ff1cdd0fc8ff791853a
Signature Signature V1 Signature V2
Frosting Frosted
Blocks found within V2 signature:
  • 0x7109871a: Unknown
  • 0x504b4453: Dependency metadata
  • 0x42726577: Verity padding
  • 0x2146444e: Google metadata

Certificate details

Information computed with AndroGuard.

MD5 6604b3f484b9d2c8f3a26e1de203891e
SHA1 edf2cc49788026c4c843b6e16fa9f57836d1b2a8
SHA256 bc9492be094d62d922ca1e963687758cb89b22e961de681b936c2d9b17a79195
Issuer Common Name: External Developer, Organizational Unit: Mobile Systeme, Organization: Lidl E-Commerce International GmbH & Co. KG, Locality: Neckarsulm, State/Province: Baden-Wuerttemberg, Country: DE
Not before 2017-07-12T11:53:25+00:00
Not after 2042-07-06T11:53:25+00:00

File Analysis

Information computed with MobSF.

Findings Files
Certificate/Key files hardcoded inside the app. assets/ag_sdk_cbg_root.cer
assets/cbg_root.cer
res/Mc9.pem
Findings Files
Hardcoded Keystore found. assets/grs_sp.bks
assets/hmsincas.bks
assets/hmsrootcas.bks
assets/updatesdkcas.bks

Manifest analysis

Information computed with MobSF.

Low App has a Network Security Configuration[android:networkSecurityConfig=@xml/network_security_config]
The Network Security Configuration feature lets apps customize their network security settings in a safe, declarative configuration file without modifying app code. These settings can be configured for specific domains and for a specific app.
High Activity (es.lidlplus.features.inviteyourfriends.presentation.deeplink.InviteYourFriendsDeepLinkActivity) is not Protected. [android:exported=true]
An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Activity (net.openid.appauth.RedirectUriReceiverActivity) is not Protected. [android:exported=true]
An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Activity (es.lidlplus.features.thirdpartybenefit.presentation.detail.howtoredeemcode.HowToRedeemCodeActivity) is not Protected. [android:exported=true]
An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Broadcast Receiver (es.lidlplus.commons.share.ShareReceiver) is not Protected. [android:exported=true]
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Activity (androidx.compose.ui.tooling.PreviewActivity) is not Protected. [android:exported=true]
An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High TaskAffinity is set for Activity
(com.salesforce.marketingcloud.notifications.NotificationOpenActivity)
If taskAffinity is set, then other application could read the Intents sent to Activities belonging to another task. Always use the default setting keeping the affinity as the package name in order to prevent sensitive information inside sent or received Intents from being read by another application.
High Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is Protected by a permission, but the protection level of the permission should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true]
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
High Broadcast Receiver (com.salesforce.marketingcloud.sfmcsdk.SFMCSdkReceiver) is not Protected. [android:exported=true]
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) is Protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.DUMP [android:exported=true]
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
High Service (androidx.work.impl.background.systemjob.SystemJobService) is Protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true]
A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
High Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) is Protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.DUMP [android:exported=true]
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Low Broadcast Receiver (com.huawei.hms.support.api.push.PushMsgReceiver) is Protected by a permission.
Permission: com.lidl.eci.lidlplus.permission.PROCESS_PUSH_MSG
protectionLevel: signature[android:exported=true]
A Broadcast Receiver is found to be exported, but is protected by permission.
Low Broadcast Receiver (com.huawei.hms.support.api.push.PushReceiver) is Protected by a permission.
Permission: com.lidl.eci.lidlplus.permission.PROCESS_PUSH_MSG
protectionLevel: signature[android:exported=true]
A Broadcast Receiver is found to be exported, but is protected by permission.
High Service (com.huawei.hms.support.api.push.service.HmsMsgService) is not Protected. [android:exported=true]
A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
Low Content Provider (com.huawei.hms.support.api.push.PushProvider) is Protected by a permission.
Permission: com.lidl.eci.lidlplus.permission.PUSH_PROVIDER
protectionLevel: signature[android:exported=true]
A Content Provider is found to be exported, but is protected by permission.

Browsable activities

Information computed with MobSF.

es.lidlplus.features.inviteyourfriends.presentation.deeplink.InviteYourFriendsDeepLinkActivity

Hosts: inviteyourfriends.lidlplus.com inviteyourfriends

Schemes: https:// com.lidlplus.app://

es.lidlplus.i18n.splash.presentation.view.SplashActivity

Hosts: @string/deep_linking_host_com

Schemes: @string/deep_linking_schema://

net.openid.appauth.RedirectUriReceiverActivity

Hosts: callback

Schemes: com.lidlplus.app://

Main Activity

Information computed with AndroGuard.

es.lidlplus.i18n.splash.presentation.view.SplashActivity

Activities

Information computed with AndroGuard.

es.lidlplus.i18n.coupons.presentation.detail.CouponDetailActivity
es.lidlplus.features.opengift.presentation.ui.OpenGiftActivity
es.lidlplus.features.inviteyourfriends.presentation.navigation.InviteYourFriendsLoadingNavigationActivity
es.lidlplus.features.inviteyourfriends.presentation.navigationerror.IYFNavigationErrorActivity
es.lidlplus.features.inviteyourfriends.presentation.campaign.InviteYourFriendsCampaignActivity
es.lidlplus.features.inviteyourfriends.presentation.congratulations.InviteYourFriendsCongratulationsActivity
es.lidlplus.features.inviteyourfriends.presentation.expired.InviteYourFriendsExpiredActivity
es.lidlplus.features.inviteyourfriends.presentation.standard.InviteYourFriendsStandardActivity
es.lidlplus.features.inviteyourfriends.presentation.help.IYFHelpActivity
es.lidlplus.features.iyu.presentation.redeemCode.validateCode.ValidateCodeActivity
es.lidlplus.features.inviteyourfriends.presentation.deeplink.InviteYourFriendsDeepLinkActivity
es.lidlplus.features.share.presentation.notavailable.NotAvailableActivity
es.lidlplus.features.iyu.presentation.redeemCode.congratulations.RedeemCongratulationsActivity
es.lidlplus.features.purchaselottery.presentation.view.RouletteActivity
es.lidlplus.features.purchaselottery.presentation.view.ScratchActivity
es.lidlplus.i18n.couponplus.standard.presentation.ui.activity.CouponPlusDetailActivity
es.lidlplus.i18n.couponplus.gift.presentation.ui.activity.CouponPlusGiftActivity
es.lidlplus.i18n.couponplus.giveaway.presentation.ui.activity.CouponPlusGiveawayDetailActivity
es.lidlplus.i18n.splash.presentation.view.SplashActivity
es.lidlplus.i18n.payments.rememberPin.RememberPinFlowActivity
es.lidlplus.i18n.payments.enrollment.presentation.EnrollmentActivity
es.lidlplus.i18n.payments.addressmanager.presentation.AddressManagerActivity
es.lidlplus.i18n.payments.security.presentation.SecurityActivity
es.lidlplus.i18n.payments.mfa.MfaActivity
es.lidlplus.i18n.onboard.register.presentation.view.RegisterStoreProvBecomesPlusFormActivity
es.lidlplus.i18n.onboard.register.presentation.view.RegisterStoreProvBecomesPlusOkActivity
es.lidlplus.i18n.common.views.NavigatorActivity
es.lidlplus.i18n.onboard.country.view.OnboardCountryActivity
es.lidlplus.i18n.countryselector.presentation.ui.activity.SelectCountryActivity
es.lidlplus.i18n.countryselector.presentation.ui.activity.SelectLanguageActivity
es.lidlplus.i18n.stores.presentation.ui.activity.SelectStoreActivity
es.lidlplus.i18n.stores.availables.presentation.view.StoresAvailableActivity
es.lidlplus.i18n.modals.pilotzone.view.PilotZoneActivity
es.lidlplus.i18n.main.view.MainActivity
es.lidlplus.i18n.purchasesummary.presentation.ui.activity.PurchaseSummaryActivity
es.lidlplus.features.carrousel.presentation.ui.CarrouselActivity
es.lidlplus.i18n.settings.changecountry.view.ChangeCountryActivity
es.lidlplus.i18n.settings.updating.view.UpdatingCountryLanguageActivity
es.lidlplus.i18n.payments.lidlpay.presentation.LidlPlusCardActivity
es.lidlplus.i18n.onboard.provinces.view.ProvinceSearchActivity
es.lidlplus.i18n.webview.WebViewActivity
es.lidlplus.i18n.webview.LegalTermsWebViewActivity
es.lidlplus.i18n.register.singlesignon.RegisterSingleSignOnActivity
es.lidlplus.i18n.modals.wrongPhoneDateTime.view.WrongPhoneDateModalActivity
es.lidlplus.i18n.settings.alerts.presentation.ui.activity.SettingsAlertsActivity
es.lidlplus.i18n.analyticsconsent.presentation.ui.AskAnalyticsConsentActivity
es.lidlplus.i18n.analyticsconsent.presentation.ui.AskAnalyticsPrivacyNoticeActivity
es.lidlplus.i18n.register.singlesignon.LoginRegisterActivity
es.lidlplus.i18n.payments.sca.ScaChallengeActivity
net.openid.appauth.RedirectUriReceiverActivity
es.lidlplus.features.clickandpick.presentation.list.ClickandpickListActivity
es.lidlplus.features.clickandpick.presentation.detail.ClickandpickDetailActivity
es.lidlplus.features.clickandpick.presentation.howto.ClickandpickHowToActivity
es.lidlplus.features.clickandpick.presentation.cart.ClickandpickCartActivity
es.lidlplus.features.clickandpick.presentation.reservation.ConfirmedReservationActivity
es.lidlplus.features.clickandpick.presentation.order.OrderDetailActivity
es.lidlplus.features.clickandpick.presentation.video.VideoActivity
es.lidlplus.features.gallery.EmbeddedGalleryActivity
es.lidlplus.features.thirdpartybenefit.presentation.detail.howtoredeemcode.HowToRedeemCodeActivity
es.lidlplus.features.thirdpartybenefit.presentation.detail.TPBDetailActivity
es.lidlplus.brochures.flyers.detail.presentation.activity.FlyerDetailActivity
es.lidlplus.i18n.brochures.presentation.ui.BrochuresActivity
es.lidlplus.features.productsfeatured.presentation.detail.ProductDetailActivity
es.lidlplus.features.productsrecommended.presentation.detail.ProductDetailActivity
es.lidlplus.features.productsrelated.presentation.detail.ProductDetailActivity
es.lidlplus.features.recipes.presentation.RecipesActivity
es.lidlplus.commons.share.presentation.ShareLoadingNavigationActivity
es.lidlplus.i18n.common.views.LegalTermsActivity
es.lidlplus.i18n.modals.updateApp.view.ModalsUpdateActivity
es.lidlplus.features.alerts.presentation.ui.activity.AlertsActivity
es.lidlplus.features.surveys.presentation.campaign.view.SurveyActivity
es.lidlplus.features.nps.presentation.question.NpsQuestionActivity
es.lidlplus.features.nps.presentation.thanks.NpsThanksActivity
es.lidlplus.features.aam.presentation.AskAboutMeActivity
es.lidlplus.features.aam.presentation.webview.AskAboutMeWebViewActivity
es.lidlplus.features.productcodes.ProductCodesActivity
es.lidlplus.i18n.emobility.presentation.EmobilityActivity
es.lidlplus.i18n.fireworks.view.ui.video.VideoActivity
es.lidlplus.i18n.fireworks.view.ui.detail.activity.FireworkDetailActivity
es.lidlplus.i18n.fireworks.view.ui.cart.activity.CartActivity
es.lidlplus.i18n.fireworks.view.ui.reservation.activity.ConfirmedReservationActivity
es.lidlplus.i18n.fireworks.view.ui.order.activity.OrderDetailActivity
es.lidlplus.i18n.fireworks.view.ui.howto.activity.HowToFireworksActivity
es.lidlplus.i18n.fireworks.view.ui.list.activity.FireworksListActivity
es.lidlplus.features.stampcard.presentation.pendingparticipations.PendingParticipationsActivity
es.lidlplus.features.stampcard.presentation.detail.activity.StampCardDetailActivity
es.lidlplus.i18n.tickets.ticketDetails.presentation.ui.activity.TicketDetailActivity
es.lidlplus.i18n.tickets.ticketSearchProduct.presentation.ui.activity.TicketSearchProductListActivity
es.lidlplus.features.offers.detail.presentation.view.activity.OfferDetailActivity
es.lidlplus.features.flashsales.howitworks.HowItWorksActivity
es.lidlplus.features.flashsales.onboarding.presentation.OnBoardingFlashSaleActivity
es.lidlplus.features.flashsales.detail.presentation.FlashSaleDetailActivity
es.lidlplus.features.flashsales.checkout.FlashSaleCheckOutWebViewActivity
es.lidlplus.features.travel.list.presentation.TravelListActivity
es.lidlplus.features.shoppinglist.presentation.search.ShoppingListSearchActivity
es.lidlplus.features.shoppinglist.presentation.edit.ShoppingListEditActivity
es.lidlplus.commons.announcements.presentation.AnnouncementsActivity
es.lidlplus.features.storedetails.presentation.StoreDetailsActivity
es.lidlplus.features.selfscanning.cart.CartActivity
com.journeyapps.barcodescanner.CaptureActivity
androidx.compose.ui.tooling.PreviewActivity
com.salesforce.marketingcloud.notifications.NotificationOpenActivity
com.salesforce.marketingcloud.messages.iam.IamModalActivity
com.salesforce.marketingcloud.messages.iam.IamBannerActivity
com.salesforce.marketingcloud.messages.iam.IamFullscreenActivity
com.salesforce.marketingcloud.messages.iam.IamFullImageFillActivity
com.google.android.gms.common.api.GoogleApiActivity
net.openid.appauth.AuthorizationManagementActivity
com.huawei.updatesdk.service.otaupdate.AppUpdateActivity
com.huawei.updatesdk.support.pm.PackageInstallerActivity
com.huawei.hms.activity.BridgeActivity
com.huawei.hms.activity.EnableServiceActivity

Receivers

Information computed with AndroGuard.

es.lidlplus.commons.share.ShareReceiver
com.salesforce.marketingcloud.location.LocationReceiver
com.salesforce.marketingcloud.MCReceiver
com.google.firebase.iid.FirebaseInstanceIdReceiver
com.salesforce.marketingcloud.sfmcsdk.SFMCSdkReceiver
com.google.android.gms.measurement.AppMeasurementReceiver
androidx.profileinstaller.ProfileInstallReceiver
androidx.work.impl.utils.ForceStopRunnable$BroadcastReceiver
androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryChargingProxy
androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryNotLowProxy
androidx.work.impl.background.systemalarm.ConstraintProxy$StorageNotLowProxy
androidx.work.impl.background.systemalarm.ConstraintProxy$NetworkStateProxy
androidx.work.impl.background.systemalarm.RescheduleReceiver
androidx.work.impl.background.systemalarm.ConstraintProxyUpdateReceiver
androidx.work.impl.diagnostics.DiagnosticsReceiver
com.google.android.datatransport.runtime.scheduling.jobscheduling.AlarmManagerSchedulerBroadcastReceiver
com.huawei.hms.support.api.push.PushMsgReceiver
com.huawei.hms.support.api.push.PushReceiver

Services

Information computed with AndroGuard.

es.lidlplus.push.google.GoogleMessagingService
es.lidlplus.push.huawei.HuaweiMessagingService
com.salesforce.marketingcloud.MCService
com.salesforce.marketingcloud.NotificationOpenedService
com.salesforce.marketingcloud.messages.push.MCFirebaseMessagingService
com.google.firebase.components.ComponentDiscoveryService
com.google.firebase.messaging.FirebaseMessagingService
com.salesforce.marketingcloud.sfmcsdk.SFMCSdkJobIntentService
com.google.android.gms.measurement.AppMeasurementService
com.google.android.gms.measurement.AppMeasurementJobService
com.huawei.location.lite.common.http.HttpService
androidx.work.impl.background.systemalarm.SystemAlarmService
androidx.work.impl.background.systemjob.SystemJobService
androidx.work.impl.foreground.SystemForegroundService
androidx.room.MultiInstanceInvalidationService
com.google.android.datatransport.runtime.backends.TransportBackendDiscovery
com.google.android.datatransport.runtime.scheduling.jobscheduling.JobInfoSchedulerService
com.huawei.hms.support.api.push.service.HmsMsgService
com.huawei.agconnect.core.ServiceDiscovery

Hunting matches

Information computed by Pithus.

Yara ruleset: mail
with_urls
matching files:
/classes4.dex

Sample timeline

Oldest file found in APK Jan. 1, 1981, 1:01 a.m.
Latest file found in APK Jan. 1, 1981, 1:01 a.m.
Certificate valid not before July 12, 2017, 11:53 a.m.
First submission on VT March 21, 2022, 11:17 a.m.
Last submission on VT March 29, 2022, 6:58 p.m.
Upload on Pithus April 28, 2022, 8:31 a.m.
Certificate valid not after July 6, 2042, 11:53 a.m.

NIAP analysis

Information computed with MobSF.

FCS_RBG_EXT.1.1 The application implement DRBG functionality for its cryptographic operations.
Random Bit Generation Services
FCS_STO_EXT.1.1 The application invoke the functionality provided by the platform to securely store credentials to non-volatile memory.
Storage of Credentials
FCS_CKM_EXT.1.1 The application implement asymmetric key generation.
Cryptographic Key Generation Services
FDP_DEC_EXT.1.1 The application has access to ['location', 'camera', 'network connectivity'].
Access to Platform Resources
FDP_DEC_EXT.1.2 The application has access to no sensitive information repositories.
Access to Platform Resources
FDP_NET_EXT.1.1 The application has user/application initiated network communications.
Network Communications
FDP_DAR_EXT.1.1 The application implement functionality to encrypt sensitive data in non-volatile memory.
Encryption Of Sensitive Application Data
FMT_MEC_EXT.1.1 The application invoke the mechanisms recommended by the platform vendor for storing and setting configuration options.
Supported Configuration Mechanism
FTP_DIT_EXT.1.1 The application does encrypt some transmitted data with HTTPS/TLS/SSH between itself and another trusted IT product.
Protection of Data in Transit
FCS_RBG_EXT.2.1
FCS_RBG_EXT.2.2
The application perform all deterministic random bit generation (DRBG) services in accordance with NIST Special Publication 800-90A using Hash_DRBG. The deterministic RBG is seeded by an entropy source that accumulates entropy from a platform-based DRBG and a software-based noise source, with a minimum of 256 bits of entropy at least equal to the greatest security strength (according to NIST SP 800-57) of the keys and hashes that it will generate.
Random Bit Generation from Application
FCS_CKM.1.1(1) The application generate asymmetric cryptographic keys not in accordance with FCS_CKM.1.1(1) using key generation algorithm RSA schemes and cryptographic key sizes of 1024-bit or lower.
Cryptographic Asymmetric Key Generation
FCS_CKM.1.1(3)
FCS_CKM.1.2(3)
A password/passphrase shall perform [Password-based Key Derivation Functions] in accordance with a specified cryptographic algorithm..
Password Conditioning
FCS_COP.1.1(1) The application perform encryption/decryption in accordance with a specified cryptographic algorithm AES-CBC (as defined in NIST SP 800-38A) mode or AES-GCM (as defined in NIST SP 800-38D) and cryptographic key sizes 256-bit/128-bit.
Cryptographic Operation - Encryption/Decryption
FCS_COP.1.1(2) The application perform cryptographic hashing services not in accordance with FCS_COP.1.1(2) and uses the cryptographic algorithm RC2/RC4/MD4/MD5.
Cryptographic Operation - Hashing
FCS_COP.1.1(3) The application perform cryptographic signature services (generation and verification) in accordance with a specified cryptographic algorithm RSA schemes using cryptographic key sizes of 2048-bit or greater.
Cryptographic Operation - Signing
FCS_COP.1.1(4) The application perform keyed-hash message authentication with cryptographic algorithm ['HMAC-SHA-256'] .
Cryptographic Operation - Keyed-Hash Message Authentication
FCS_HTTPS_EXT.1.1 The application implement the HTTPS protocol that complies with RFC 2818.
HTTPS Protocol
FCS_HTTPS_EXT.1.2 The application implement HTTPS using TLS.
HTTPS Protocol
FCS_HTTPS_EXT.1.3 The application notify the user and not establish the connection or request application authorization to establish the connection if the peer certificate is deemed invalid.
HTTPS Protocol
FIA_X509_EXT.1.1 The application invoked platform-provided functionality to validate certificates in accordance with the following rules: ['RFC 5280 certificate validation and certificate path validation', 'The certificate path must terminate with a trusted CA certificate'].
X.509 Certificate Validation
FIA_X509_EXT.2.1 The application use X.509v3 certificates as defined by RFC 5280 to support authentication for HTTPS , TLS.
X.509 Certificate Authentication
FIA_X509_EXT.2.2 When the application cannot establish a connection to determine the validity of a certificate, the application allow the administrator to choose whether to accept the certificate in these cases or accept the certificate ,or not accept the certificate.
X.509 Certificate Authentication
FPT_TUD_EXT.2.1 The application shall be distributed using the format of the platform-supported package manager.
Integrity for Installation and Update
FCS_CKM.1.1(2) The application shall generate symmetric cryptographic keys using a Random Bit Generator as specified in FCS_RBG_EXT.1 and specified cryptographic key sizes 128 bit or 256 bit.
Cryptographic Symmetric Key Generation

Code analysis

Information computed with MobSF.

Low
CVSS:7.5
The App logs information. Sensitive information should never be logged.
MASVS: MSTG-STORAGE-3
CWE-532 Insertion of Sensitive Information into Log File
Files:
 com/huawei/hms/locationSdk/q0.java
com/journeyapps/barcodescanner/f.java
we/j.java
com/huawei/hms/push/k.java
com/huawei/hms/hatool/z.java
com/huawei/hms/support/common/ActivityMgr.java
com/huawei/hms/support/api/PendingResultImpl.java
com/huawei/hms/opendevice/k.java
p6/a.java
com/threatmetrix/TrustDefender/RL/q.java
cj/a.java
com/huawei/hms/aaid/HmsInstanceId.java
com/huawei/hms/utils/SHA256.java
com/salesforce/marketingcloud/tozny/AesCbcWithIntegrity.java
com/huawei/hms/locationSdk/j.java
com/huawei/hms/availableupdate/a.java
com/huawei/hms/feature/dynamic/ModuleCopy.java
b3/k.java
com/huawei/hms/update/note/AppSpoofResolution.java
com/huawei/hms/common/util/Logger.java
com/huawei/hms/locationSdk/w0.java
com/huawei/hms/push/RemoteMessage.java
o2/f.java
lh/g.java
com/bumptech/glide/load/data/b.java
ue/c.java
com/huawei/hms/push/task/BaseVoidTask.java
yd/e.java
com/bumptech/glide/load/resource/bitmap/d.java
qb/g.java
com/adjust/sdk/h0.java
w6/d.java
es/lidlplus/i18n/brochures/presentation/ui/adapter/StickyHeaderGridLayoutManager.java
com/huawei/hms/opendevice/i.java
es/lidlplus/i18n/emobility/domain/model/ChargeLog.java
com/huawei/hms/activity/internal/ForegroundInnerHeader.java
y41/a.java
t9/a.java
com/huawei/hms/push/task/SendUpStreamTask.java
com/huawei/hms/maps/mae.java
s6/a.java
l3/c.java
com/huawei/hms/base/ui/a.java
com/huawei/hms/common/util/Base64Utils.java
com/bumptech/glide/load/resource/bitmap/a0.java
com/huawei/hms/feature/dynamic/e/b.java
com/huawei/hms/locationSdk/e0.java
com/huawei/hms/push/task/ProfileTask.java
com/huawei/hms/maps/internal/mbt.java
e2/c.java
mi/n.java
com/huawei/hms/common/internal/HuaweiApiManager.java
com/huawei/hms/locationSdk/l0.java
bb/h.java
com/huawei/appgallery/serviceverifykit/d/d/b.java
y6/e.java
com/bumptech/glide/load/engine/GlideException.java
n6/k.java
com/huawei/hms/push/HmsMessageService.java
com/huawei/hms/push/i.java
w3/a.java
d70/o.java
ua0/r.java
com/huawei/hms/feature/dynamic/DeferredLifecycleHelper.java
ha/b.java
mi/g.java
com/huawei/hms/opendevice/g.java
com/huawei/hms/push/ups/UPSService.java
z6/d.java
da/l.java
com/huawei/hms/locationSdk/k0.java
mi/a.java
m/c.java
u2/h.java
q6/t.java
da/f.java
com/huawei/hms/utils/Util.java
com/huawei/hms/activity/BridgeActivity.java
sa/r.java
ph/a.java
com/huawei/hms/opendevice/m.java
ph/d.java
com/salesforce/marketingcloud/sfmcsdk/components/encryption/Encryptor.java
com/huawei/hms/aaid/HmsInstanceIdEx.java
v2/p.java
com/huawei/hms/locationSdk/f.java
hg/g.java
com/huawei/hms/locationSdk/c1.java
yc/b.java
q2/b.java
wa0/l.java
o1/l.java
com/huawei/hms/locationSdk/r0.java
b7/i.java
com/salesforce/marketingcloud/sfmcsdk/components/encryption/SalesforceKeyGenerator.java
com/huawei/hms/opendevice/e.java
q2/d.java
com/huawei/hms/common/HuaweiApi.java
com/huawei/hms/availableupdate/r.java
com/huawei/hms/availableupdate/q.java
com/huawei/hms/stats/a.java
com/huawei/hms/framework/common/Logger.java
xb/n.java
com/huawei/hms/opendevice/d.java
com/bumptech/glide/load/engine/i.java
com/huawei/hms/support/api/push/PushReceiver.java
com/huawei/hms/api/IPCTransport.java
com/huawei/hms/utils/UIUtil.java
q2/c.java
g4/y.java
com/huawei/hms/availableupdate/e.java
com/huawei/hms/push/g.java
com/huawei/hms/push/o.java
com/huawei/hms/maps/TextureMapView.java
zb/f.java
com/huawei/hms/locationSdk/p0.java
k4/i.java
com/salesforce/marketingcloud/sfmcsdk/components/logging/Logger.java
com/huawei/hms/support/api/client/ResolvingResultCallbacks.java
com/huawei/hms/utils/IOUtils.java
org/zakariya/stickyheaders/StickyHeaderLayoutManager.java
com/huawei/hms/opendevice/r.java
j6/d.java
o6/i.java
ca0/d.java
we/c.java
com/huawei/hms/locationSdk/m0.java
com/huawei/hms/availableupdate/b0.java
l2/k.java
com/huawei/hms/adapter/AvailableAdapter.java
com/huawei/hms/availableupdate/a0.java
com/huawei/hms/locationSdk/a1.java
com/bumptech/glide/load/engine/v.java
com/huawei/hms/utils/FileUtil.java
com/huawei/hms/device/a.java
mi/c.java
com/huawei/hms/support/api/push/PushMsgReceiver.java
y6/r.java
com/huawei/hms/support/hianalytics/HiAnalyticsUtil.java
q6/f.java
q6/s.java
com/huawei/hms/locationSdk/m.java
com/huawei/location/c.java
v2/o.java
com/huawei/hms/ui/AbstractDialog.java
com/huawei/hms/locationSdk/g.java
b4/b.java
com/huawei/hms/common/internal/TaskApiCall.java
com/huawei/hms/push/HmsMessaging.java
com/journeyapps/barcodescanner/b.java
com/huawei/hms/support/api/ErrorResultImpl.java
w9/a.java
t7/e.java
ga/h.java
zc/c.java
com/huawei/hms/aaid/utils/PushPreferences.java
com/huawei/hms/support/api/location/common/PermissionUtil.java
com/airbnb/lottie/LottieAnimationView.java
com/huawei/hms/locationSdk/b0.java
com/bumptech/glide/load/engine/j.java
w0/c.java
com/huawei/hms/locationSdk/o0.java
com/huawei/hms/maps/max.java
y6/f.java
ye/b.java
com/huawei/hms/support/hianalytics/HiAnalyticsUtils.java
com/huawei/hms/utils/HMSBIInitializer.java
com/huawei/hms/push/h.java
com/huawei/hms/common/internal/RequestHeader.java
com/bumptech/glide/load/resource/bitmap/c.java
d70/q.java
es/lidlplus/features/offers/list/view/adapter/OffersStickyHeaderGridLayoutManager.java
com/bumptech/glide/load/data/l.java
mi/q.java
zd/a.java
com/huawei/hms/android/SystemUtils.java
com/huawei/hms/opendevice/OpenDeviceTaskApiCall.java
com/huawei/hms/common/internal/DialogRedirect.java
h3/c.java
xb/g.java
com/huawei/hms/locationSdk/c0.java
com/huawei/hms/common/internal/ConnectionErrorMessages.java
com/huawei/hms/locationSdk/n0.java
va/a.java
com/huawei/hms/support/api/core/ConnectService.java
com/huawei/hms/push/utils/JsonUtil.java
com/huawei/hms/activity/ForegroundBusDelegate.java
com/huawei/hms/availableupdate/k.java
nb/d.java
com/huawei/hms/support/api/location/common/HMSLocationLog.java
com/huawei/hms/support/api/push/PushProvider.java
x7/a.java
com/huawei/hms/utils/ReadApkFileUtil.java
v2/h.java
com/huawei/hms/push/j.java
es/lidlplus/i18n/common/utils/a.java
com/huawei/hms/opendevice/u.java
c4/h.java
com/huawei/hms/availableupdate/i0.java
w6/a.java
ca/a.java
oh/a.java
com/huawei/hms/push/l.java
com/huawei/hms/opendevice/l.java
com/huawei/hms/locationSdk/t0.java
com/huawei/hms/update/manager/UpdateManager.java
com/huawei/hms/locationSdk/z0.java
com/huawei/hms/aaid/init/AutoInitHelper.java
da/k.java
we/i.java
y6/s.java
li/i.java
p6/b.java
com/huawei/hms/utils/HMSPackageManager.java
com/huawei/hms/utils/JsonUtil.java
s3/a.java
com/salesforce/marketingcloud/g.java
com/huawei/hms/support/api/location/common/exception/ServiceErrorCodeAdaptor.java
j6/e.java
e3/c.java
com/bumptech/glide/load/resource/bitmap/n.java
ye/a.java
com/huawei/hms/common/internal/BaseHmsClient.java
w9/f.java
n6/j.java
com/huawei/hms/opendevice/c.java
mi/h.java
com/huawei/hms/availableupdate/z.java
com/huawei/riemann/common/api/location/SdmLocationClient.java
we/b.java
com/huawei/hms/push/c.java
gd/c.java
com/huawei/hms/push/s.java
com/bumptech/glide/load/data/j.java
com/huawei/hms/locationSdk/s0.java
com/huawei/hms/maps/maw.java
ya/a.java
com/huawei/hms/api/FailedBinderCallBack.java
com/huawei/updatesdk/a/a/a.java
com/huawei/hms/push/utils/DateUtil.java
com/huawei/hms/opendevice/p.java
com/huawei/hms/locationSdk/y0.java
com/huawei/hms/opendevice/s.java
com/huawei/hms/common/internal/ResponseWrap.java
com/huawei/hms/support/api/opendevice/HuaweiOpendeviceApiImpl.java
z9/u.java
com/huawei/hms/utils/PackageManagerHelper.java
com/bumptech/glide/load/resource/bitmap/c0.java
l2/l.java
com/huawei/hms/common/data/DataHolder.java
com/huawei/hms/availableupdate/j0.java
b3/f.java
com/huawei/hms/common/internal/ConnectionManagerKey.java
com/huawei/hms/adapter/BinderAdapter.java
z9/o.java
com/bumptech/glide/b.java
com/huawei/hms/push/HmsProfile.java
aj/l.java
l6/c.java
v2/j.java
com/huawei/hms/push/q.java
ph/b.java
q6/d.java
com/huawei/agconnect/core/provider/AGConnectInitializeProvider.java
com/huawei/hms/locationSdk/d.java
com/huawei/hms/locationSdk/j0.java
v2/l.java
com/huawei/hms/locationSdk/x0.java
com/salesforce/marketingcloud/sfmcsdk/components/encryption/KeyStoreWrapper.java
com/huawei/hms/locationSdk/p.java
com/huawei/hms/locationSdk/g0.java
l/g.java
u2/c.java
com/huawei/updatesdk/service/otaupdate/g.java
oh/f.java
q6/c.java
z1/w.java
com/huawei/hms/support/api/location/common/LocationClientStateManager.java
com/bumptech/glide/load/engine/h.java
ph/c.java
f6/c.java
j3/b.java
com/huawei/hms/adapter/ui/BaseResolutionAdapter.java
com/huawei/hms/push/p.java
com/huawei/location/a.java
dd/c.java
com/huawei/hms/api/HuaweiMobileServicesUtil.java
com/huawei/hms/aaid/utils/BaseUtils.java
v2/k.java
hg/e.java
com/huawei/hms/common/api/AvailabilityException.java
y6/p.java
j2/d.java
com/huawei/hms/availableupdate/p.java
com/huawei/hms/api/ResolutionDelegate.java
com/huawei/hms/locationSdk/e1.java
com/huawei/hms/push/d.java
it/sephiroth/android/library/imagezoom/b.java
k7/a.java
com/huawei/hms/common/util/AGCUtils.java
com/huawei/hms/opendevice/o.java
v1/m.java
f4/a.java
com/bumptech/glide/load/resource/bitmap/m.java
w0/g.java
com/huawei/hms/push/r.java
com/huawei/hms/common/internal/HmsClient.java
we/f.java
w6/j.java
u2/d.java
g4/i0.java
com/huawei/hms/support/api/push/service/HmsMsgService.java
com/huawei/hms/support/api/client/ResultCallbacks.java
com/huawei/hms/support/log/HMSDebugger.java
com/huawei/hms/adapter/ui/UpdateAdapter.java
yd/g.java
com/huawei/hms/opendevice/n.java
com/huawei/hms/availableupdate/c.java
com/huawei/hms/adapter/BaseAdapter.java
ii/c.java
hg/f.java
com/huawei/hms/opendevice/h.java
com/huawei/hms/push/utils/PluginUtil.java
com/huawei/hms/common/internal/ResponseHeader.java
it/sephiroth/android/library/imagezoom/a.java
com/bumptech/glide/load/resource/bitmap/DefaultImageHeaderParser.java
com/huawei/hms/api/b.java
i2/y.java
com/huawei/hms/core/aidl/e.java
com/huawei/hms/locationSdk/v0.java
com/huawei/hms/feature/dynamic/e/a.java
com/huawei/hms/locationSdk/i0.java
com/huawei/hms/stats/c.java
f7/a.java
d70/n.java
com/bumptech/glide/load/resource/bitmap/r.java
com/huawei/hms/api/BindingFailedResolution.java
com/salesforce/marketingcloud/MCLogListener.java
com/bumptech/glide/request/h.java
o6/e.java
ob/b.java
y6/o.java
xi/f.java
com/huawei/hms/android/HwBuildEx.java
com/huawei/hms/locationSdk/u0.java
com/salesforce/marketingcloud/sfmcsdk/components/logging/LogListener.java
com/huawei/hms/locationSdk/h0.java
com/huawei/hms/api/HuaweiApiClientImpl.java
com/huawei/hms/api/IPCCallback.java
gh/a.java
com/huawei/hms/push/e.java
com/huawei/hms/locationSdk/f1.java
ua0/p.java
mi/l.java
Medium
CVSS:7.4
Files may contain hardcoded sensitive information like usernames, passwords, keys etc.
MASVS: MSTG-STORAGE-14
CWE-312 Cleartext Storage of Sensitive Information
M9: Reverse Engineering
Files:
 es/lidlplus/i18n/stores/autocomplete/domain/model/StoreSearch.java
q5/j.java
h00/c.java
com/salesforce/marketingcloud/events/g.java
k0/n0.java
dc/d.java
com/bumptech/glide/load/engine/d.java
es/lidlplus/i18n/common/models/Store.java
tm0/c.java
l5/k.java
com/salesforce/marketingcloud/events/h.java
od0/c.java
l5/h.java
yq/j.java
com/huawei/hms/push/constant/RemoteMessageConst.java
com/bumptech/glide/load/engine/o.java
d30/c.java
tm0/d.java
l5/i.java
g0/i0.java
com/salesforce/marketingcloud/registration/Registration.java
qz0/a.java
com/bumptech/glide/load/engine/t.java
com/huawei/hms/common/internal/ConnectionManagerKey.java
es/lidlplus/i18n/emobility/data/v1/model/SetAcceptanceRequest.java
com/huawei/hms/support/hianalytics/HiAnalyticsConstant.java
k6/c.java
we/i.java
es/lidlplus/features/stampcard/data/api/v1/SetUserLotteryAsViewedCommand.java
r41/u0.java
com/huawei/hms/location/LocationAvailability.java
com/huawei/location/lite/common/config/a.java
com/huawei/hms/framework/common/hianalytics/HianalyticsBaseData.java
High
CVSS:7.4
The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
MASVS: MSTG-CRYPTO-3
CWE-649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
M5: Insufficient Cryptography
Files:
 hh/a.java
we/i.java
at/favre/lib/armadillo/a.java
Medium
CVSS:4.3
IP Address disclosure
MASVS: MSTG-CODE-2
CWE-200 Information Exposure
Files:
 com/huawei/hms/hatool/z.java
com/huawei/hms/hatool/e1.java
com/huawei/hms/framework/network/grs/h/a.java
com/huawei/hms/support/api/PendingResultImpl.java
com/huawei/hms/framework/network/frameworkcompat/BuildConfig.java
com/huawei/location/router/BuildConfig.java
oh/a.java
com/huawei/hms/framework/network/grs/g/k/a.java
com/huawei/hms/base/device/BuildConfig.java
com/huawei/hms/framework/network/grs/BuildConfig.java
com/huawei/hms/support/hianalytics/HiAnalyticsUtil.java
com/huawei/hms/hatool/v.java
com/huawei/hms/support/hianalytics/a.java
com/huawei/hms/api/HuaweiApiClientImpl.java
com/huawei/hms/location/base/BuildConfig.java
com/huawei/hms/framework/common/BuildConfig.java
ki/f.java
com/huawei/hms/framework/common/hianalytics/HianalyticsHelper.java
com/huawei/hms/framework/common/PackageManagerCompat.java
com/huawei/hms/location/BuildConfig.java
com/huawei/hms/feature/dynamic/a.java
com/huawei/hms/common/PackageConstants.java
Medium
CVSS:5.9
App uses SQLite Database and execute raw SQL query. Untrusted user input in raw SQL queries can cause SQL Injection. Also sensitive information should be encrypted and written to the database.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
M7: Client Code Quality
Files:
 b8/m0.java
com/salesforce/marketingcloud/storage/db/upgrades/a.java
com/salesforce/marketingcloud/storage/db/f.java
com/salesforce/marketingcloud/storage/db/upgrades/g.java
com/salesforce/marketingcloud/storage/db/c.java
com/salesforce/marketingcloud/storage/db/upgrades/d.java
com/salesforce/marketingcloud/storage/db/m.java
com/salesforce/marketingcloud/storage/db/j.java
d4/a.java
com/salesforce/marketingcloud/storage/db/a.java
com/salesforce/marketingcloud/storage/db/g.java
b8/p0.java
com/salesforce/marketingcloud/storage/db/upgrades/h.java
com/salesforce/marketingcloud/storage/db/b.java
com/salesforce/marketingcloud/storage/db/upgrades/e.java
com/salesforce/marketingcloud/storage/db/e.java
com/salesforce/marketingcloud/storage/db/upgrades/b.java
com/salesforce/marketingcloud/storage/db/h.java
com/salesforce/marketingcloud/storage/db/k.java
com/salesforce/marketingcloud/storage/db/upgrades/c.java
com/salesforce/marketingcloud/storage/db/upgrades/i.java
com/salesforce/marketingcloud/storage/db/upgrades/f.java
com/salesforce/marketingcloud/storage/db/i.java
b8/t0.java
com/salesforce/marketingcloud/storage/db/l.java
Medium
CVSS:5.9
SHA-1 is a weak hash known to have hash collisions.
MASVS: MSTG-CRYPTO-4
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
M5: Insufficient Cryptography
Files:
 com/salesforce/marketingcloud/sfmcsdk/components/encryption/SalesforceKeyGenerator.java
we/g.java
lh/b.java
yc/b.java
com/salesforce/marketingcloud/tozny/AesCbcWithIntegrity.java
com/threatmetrix/TrustDefender/RL/c0.java
ih/c.java
com/huawei/hms/hatool/e.java
com/salesforce/marketingcloud/sfmcsdk/components/encryption/Encryptor.java
High
CVSS:5.4
Remote WebView debugging is enabled.
MASVS: MSTG-RESILIENCE-2
CWE-919 - Weaknesses in Mobile Applications
M1: Improper Platform Usage
Files:
 ci0/q.java
es/lidlplus/i18n/common/base/MonolithApp.java
Info
CVSS:0
This App uses SSL certificate pinning to detect or prevent MITM attacks in secure communication channel.
MASVS: MSTG-NETWORK-4
Files:
 aa0/va.java
yl/f.java
rm/j.java
g30/e.java
ak0/m.java
um0/i.java
in/f.java
ap/c.java
d40/a.java
ms/e0.java
x00/e.java
zv/m.java
sk/e.java
rp/f.java
p90/f.java
pw/j.java
ex/m.java
i7/f.java
xn0/n.java
hm/b.java
pl/c.java
pu/k.java
jx0/g.java
tl0/a.java
dz/r.java
i20/k.java
i7/a.java
com/huawei/secure/android/common/ssl/e.java
ym/m.java
t10/p.java
w40/a.java
w30/e.java
ia0/c0.java
aa0/i9.java
jq/f.java
t70/t.java
nr/o.java
tt/m.java
aa0/r8.java
pb0/z.java
qv/n.java
Info
CVSS:0
This App uses SafetyNet API.
MASVS: MSTG-RESILIENCE-7
Files:
 com/threatmetrix/TrustDefender/RL/t.java
Medium
CVSS:7.5
The App uses an insecure Random Number Generator.
MASVS: MSTG-CRYPTO-6
CWE-330 Use of Insufficiently Random Values
M5: Insufficient Cryptography
Files:
 yi/b.java
b9/o.java
d41/a.java
yi/h.java
ld/d.java
c41/a.java
j$/util/concurrent/ThreadLocalRandom.java
xi/a.java
com/huawei/hms/common/internal/TransactionIdCreater.java
at/favre/lib/bytes/c.java
c41/b.java
xi/i.java
com/adjust/sdk/c1.java
Medium
CVSS:5.5
App creates temp file. Sensitive information should never be written into a temp file.
MASVS: MSTG-STORAGE-2
CWE-276 Incorrect Default Permissions
M2: Insecure Data Storage
Files:
 com/journeyapps/barcodescanner/f.java
yc/c.java
Low
CVSS:0
This App copies data to clipboard. Sensitive data should not be copied to clipboard as other applications can access it.
MASVS: MSTG-STORAGE-10
Files:
 es/lidlplus/features/thirdpartybenefit/presentation/detail/scancode/CodeToCopyView.java
Medium
CVSS:7.4
MD5 is a weak hash known to have hash collisions.
MASVS: MSTG-CRYPTO-4
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
M5: Insufficient Cryptography
Files:
 com/salesforce/marketingcloud/util/l.java
com/threatmetrix/TrustDefender/RL/c0.java
High
CVSS:5.5
App can read/write to External Storage. Any App can read data written to External Storage.
MASVS: MSTG-STORAGE-2
CWE-276 Incorrect Default Permissions
M2: Insecure Data Storage
Files:
 com/huawei/hms/availableupdate/e.java
xv0/a.java
Pygal Germany: 1200 France: 100 Hong Kong: 100 Ireland: 200 Netherlands: 1300 Turkey: 300 United States: 3400

Map computed by Pithus.

Network analysis

Information computed with MobSF.

Medium Base config is configured to trust system certificates.
Scope: ['*']
High Base config is configured to trust user installed certificates.
Scope: ['*']
Info Certificate pinning does not have an expiry. Ensure that pins are updated before certificate expire.[Pin: V6tuyEKclNw5w8Kf2AiwNOpszvLw9VcJnHCapipmUEM= Digest: SHA-256,Pin: mDKR5ptpp7PqVUefxx2Ftq5ymsEuzCEg+EVrLOrQFB8= Digest: SHA-256,Pin: QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= Digest: SHA-256]
Scope: ['appgateway.lidlplus.com']
Info Certificate pinning does not have an expiry. Ensure that pins are updated before certificate expire.[Pin: iCRH69PKNf82UES78BaOZyZgJ0ZdHgoivdPakG/1wp8= Digest: SHA-256,Pin: mDKR5ptpp7PqVUefxx2Ftq5ymsEuzCEg+EVrLOrQFB8= Digest: SHA-256,Pin: QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= Digest: SHA-256]
Scope: ['payments.lidlplus.com']
Info Certificate pinning does not have an expiry. Ensure that pins are updated before certificate expire.[Pin: JjfHMo/TYRJT71EGrUo6CrAnQN9+UQifQB3aQpYdcXU= Digest: SHA-256,Pin: mDKR5ptpp7PqVUefxx2Ftq5ymsEuzCEg+EVrLOrQFB8= Digest: SHA-256,Pin: QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= Digest: SHA-256]
Scope: ['accounts.lidl.com']
Info Certificate pinning does not have an expiry. Ensure that pins are updated before certificate expire.[Pin: qq80Mk7v5KR7JIylLmeOKDSplIfriBQynlgnqjoPL+U= Digest: SHA-256,Pin: mDKR5ptpp7PqVUefxx2Ftq5ymsEuzCEg+EVrLOrQFB8= Digest: SHA-256,Pin: QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= Digest: SHA-256]
Scope: ['segments.lidlplus.com']
Info Certificate pinning does not have an expiry. Ensure that pins are updated before certificate expire.[Pin: c0/BZ7dbFxwnDslIbUkxIWwSzOR9VsvbhG982Ao71p4= Digest: SHA-256,Pin: mDKR5ptpp7PqVUefxx2Ftq5ymsEuzCEg+EVrLOrQFB8= Digest: SHA-256,Pin: QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= Digest: SHA-256]
Scope: ['eticket.lidlplus.com']
Info Certificate pinning does not have an expiry. Ensure that pins are updated before certificate expire.[Pin: MyvXmQF4N/Nn5Xf689A7ThIapXQuQmIKhON+vIk+SKc= Digest: SHA-256,Pin: mDKR5ptpp7PqVUefxx2Ftq5ymsEuzCEg+EVrLOrQFB8= Digest: SHA-256,Pin: QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= Digest: SHA-256]
Scope: ['surveys.lidlplus.com']
Info Certificate pinning does not have an expiry. Ensure that pins are updated before certificate expire.[Pin: +ZbZsHxn6JZmGaOuhC/iVWs8aB+oGubmHju1yuaiKac= Digest: SHA-256,Pin: mDKR5ptpp7PqVUefxx2Ftq5ymsEuzCEg+EVrLOrQFB8= Digest: SHA-256,Pin: QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= Digest: SHA-256]
Scope: ['tickets.lidlplus.com']
Info Certificate pinning does not have an expiry. Ensure that pins are updated before certificate expire.[Pin: tPtlDtJJGVxLu4dyv4YMtJXPhsAsHJxfsha3vj+oi+s= Digest: SHA-256,Pin: mDKR5ptpp7PqVUefxx2Ftq5ymsEuzCEg+EVrLOrQFB8= Digest: SHA-256,Pin: QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= Digest: SHA-256]
Scope: ['emobility.lidl.com']
Info Certificate pinning does not have an expiry. Ensure that pins are updated before certificate expire.[Pin: OfVMckx0IOnfxE+42i1YrUANpR2euxRRUgHwkf4LXR8= Digest: SHA-256,Pin: mDKR5ptpp7PqVUefxx2Ftq5ymsEuzCEg+EVrLOrQFB8= Digest: SHA-256,Pin: QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= Digest: SHA-256]
Scope: ['shopping-list.lidl.com']
High Domain config is insecurely configured to permit clear text traffic to these domains in scope.
Scope: ['welcome.schwarz']

Domains analysis

Information computed with MobSF.

US app.igodigital.com 52.45.18.106
US profile.lidl.com 20.67.209.186
US lidl-plus-230408.firebaseio.com 35.201.97.85
US www.w3.org 128.30.52.100
clickandpick.lidlplus.com
US app.adjust.com 185.151.204.15
US subscription.adjust.com 185.151.204.52
US eticket.lidlplus.com 20.82.249.204
reports.crashlytics.com
DE gdpr.adjust.world 178.162.219.36
NL tickets.lidlplus.com 23.36.162.89
US firebase-settings.crashlytics.com 142.250.185.227
US app.eu.adjust.com 185.151.204.60
US picsum.photos 104.26.5.30
US goo.gle 67.199.248.13
NL flashsales.lidlplus.com 23.36.162.89
US app.us.adjust.com 185.151.204.70
NL banners.lidlplus.com 23.36.162.89
US app.adjust.world 185.151.204.41
US subscription.eu.adjust.com 185.151.204.60
NL home.lidlplus.com 23.36.162.89
NL offers.lidlplus.com 23.36.162.72
NL accounts.lidl.com 51.105.123.133
US update.crashlytics.com 142.250.186.163
TR subscription.tr.adjust.com 195.244.54.5
US play.google.com 172.217.23.110
IE payments.lidlplus.com 20.54.8.99
US github.com 140.82.121.3
US gdpr.eu.adjust.com 185.151.204.60
NL lidlplus.com 52.178.43.209
DE ktor.io 143.204.202.46
US familyclub.lidl.com 20.105.35.53
DE gdpr.adjust.com 178.162.219.36
US subscription.adjust.world 185.151.204.44
TR gdpr.tr.adjust.com 195.244.54.5
NL appgateway.lidlplus.com 40.114.188.208
DE tipcards.lidlplus.com 23.75.226.52
NL shopping-list.lidlplus.com 23.36.162.83
DE branddeals.lidlplus.com 23.75.226.52
NL alerts.lidlplus.com 23.36.162.83
DE coupons.lidlplus.com 23.75.226.52
IE inviteyourfriends.lidlplus.com 52.142.87.173
US subscription.adjust.net.in 185.151.204.34
US emobility.lidl.com 20.105.48.207
US stage.app.igodigital.com 52.200.228.230
DE gdpr.adjust.net.in 178.162.219.36
FR journeyapps.com 143.204.226.63
US overmind.datatheorem.com 142.250.184.211
NL thirdparties.lidlplus.com 23.36.162.75
appconfig.lidlplus.com
schemas.android.com
TR app.tr.adjust.com 195.244.54.5
DE welcome.schwarz 185.86.188.54
US profile.lidlplus.com 20.86.226.207
HK kkkk.com 45.197.79.98
NL consent.lidlplus.com 23.36.162.89
DE appgallery.cloud.huawei.com 80.158.19.46
DE announcements.lidlplus.com 23.75.226.52
DE media.istockphoto.com 143.204.98.76
US subscription.us.adjust.com 185.151.204.70
DE store.hispace.hicloud.com 160.44.202.202
US localization.lidlplus.com 20.67.156.98
US segments.lidlplus.com 20.82.218.32
US surveys.lidlplus.com 20.76.161.56
US app.adjust.net.in 185.151.204.33
US gdpr.us.adjust.com 185.151.204.70
NL travel.lidlplus.com 23.36.162.89
ns.adobe.com
US www.example.com 93.184.216.34
US console.firebase.google.com 142.250.186.46
US plus.google.com 142.250.185.142

URL analysis

Information computed with MobSF.

https://play.google.com/store/apps/details?id=
Defined in gz0/a.java
https://github.com/ReactiveX/RxJava/wiki/What's-different-in-2.0#error-handling
Defined in io/reactivex/rxjava3/exceptions/UndeliverableException.java
https://github.com/ReactiveX/RxJava/wiki/Error-Handling
Defined in io/reactivex/rxjava3/exceptions/OnErrorNotImplementedException.java
http://schemas.android.com/apk/res/android
Defined in u2/i.java
http://www.w3.org/ns/ttml#parameter
Defined in k9/c.java
http://welcome.schwarz
Defined in tl0/a.java
https://ktor.io/clients/http-client/engines.html
Defined in p11/d.java
https://github.com/ReactiveX/RxJava/wiki/Plugins
Defined in u21/d.java
https://app.adjust.net.in
https://app.adjust.com
https://app.adjust.world
https://app.eu.adjust.com
https://app.tr.adjust.com
https://app.us.adjust.com
https://gdpr.adjust.net.in
https://gdpr.adjust.com
https://gdpr.adjust.world
https://gdpr.eu.adjust.com
https://gdpr.tr.adjust.com
https://gdpr.us.adjust.com
https://subscription.adjust.net.in
https://subscription.adjust.com
https://subscription.adjust.world
https://subscription.eu.adjust.com
https://subscription.tr.adjust.com
https://subscription.us.adjust.com
Defined in r5/c.java
https://app.adjust.net.in
https://app.adjust.com
https://app.adjust.world
https://app.eu.adjust.com
https://app.tr.adjust.com
https://app.us.adjust.com
https://gdpr.adjust.net.in
https://gdpr.adjust.com
https://gdpr.adjust.world
https://gdpr.eu.adjust.com
https://gdpr.tr.adjust.com
https://gdpr.us.adjust.com
https://subscription.adjust.net.in
https://subscription.adjust.com
https://subscription.adjust.world
https://subscription.eu.adjust.com
https://subscription.tr.adjust.com
https://subscription.us.adjust.com
Defined in r5/c.java
https://app.adjust.net.in
https://app.adjust.com
https://app.adjust.world
https://app.eu.adjust.com
https://app.tr.adjust.com
https://app.us.adjust.com
https://gdpr.adjust.net.in
https://gdpr.adjust.com
https://gdpr.adjust.world
https://gdpr.eu.adjust.com
https://gdpr.tr.adjust.com
https://gdpr.us.adjust.com
https://subscription.adjust.net.in
https://subscription.adjust.com
https://subscription.adjust.world
https://subscription.eu.adjust.com
https://subscription.tr.adjust.com
https://subscription.us.adjust.com
Defined in r5/c.java
https://app.adjust.net.in
https://app.adjust.com
https://app.adjust.world
https://app.eu.adjust.com
https://app.tr.adjust.com
https://app.us.adjust.com
https://gdpr.adjust.net.in
https://gdpr.adjust.com
https://gdpr.adjust.world
https://gdpr.eu.adjust.com
https://gdpr.tr.adjust.com
https://gdpr.us.adjust.com
https://subscription.adjust.net.in
https://subscription.adjust.com
https://subscription.adjust.world
https://subscription.eu.adjust.com
https://subscription.tr.adjust.com
https://subscription.us.adjust.com
Defined in r5/c.java
https://app.adjust.net.in
https://app.adjust.com
https://app.adjust.world
https://app.eu.adjust.com
https://app.tr.adjust.com
https://app.us.adjust.com
https://gdpr.adjust.net.in
https://gdpr.adjust.com
https://gdpr.adjust.world
https://gdpr.eu.adjust.com
https://gdpr.tr.adjust.com
https://gdpr.us.adjust.com
https://subscription.adjust.net.in
https://subscription.adjust.com
https://subscription.adjust.world
https://subscription.eu.adjust.com
https://subscription.tr.adjust.com
https://subscription.us.adjust.com
Defined in r5/c.java
https://app.adjust.net.in
https://app.adjust.com
https://app.adjust.world
https://app.eu.adjust.com
https://app.tr.adjust.com
https://app.us.adjust.com
https://gdpr.adjust.net.in
http