0/60

Threat

network.loki.messenger

Session

Analyzed on 2021-12-03T10:58:06.500901

38

permissions

35

activities

12

services

22

receivers

17

domains

File sums

MD5 4d938c23c6b1a04c81679ac686bc74cf
SHA1 e2b3f310ea9f14da9ed2de4afd3d2f58dcdebcde
SHA256 463cd4cb52b5166a1daff86390f47169321d0486fdb65d56f5e43a14f5b9f890
Size 25.02MB

APKiD

Information computed with APKiD.

/tmp/tmpasxm2ok9!classes.dex
anti_vm
  • Build.FINGERPRINT check
  • Build.MANUFACTURER check
compiler
  • r8
/tmp/tmpasxm2ok9!classes2.dex
anti_vm
  • Build.MANUFACTURER check
compiler
  • r8 without marker (suspicious)
/tmp/tmpasxm2ok9!classes3.dex
anti_vm
  • possible Build.SERIAL check
compiler
  • r8 without marker (suspicious)
/tmp/tmpasxm2ok9!classes4.dex
anti_vm
  • Build.HARDWARE check
compiler
  • r8 without marker (suspicious)

SSdeep

Information computed with ssdeep.

APK file 786432:QdhYakGuhp35kOzoYIsVy99UC5n2GCZIE:Q47Guhp3+OsYI4NC+x
Manifest 768:9izPergt5e/RxcKE6JH/5iSbntgkITmUhHpNxelaynVCBMuQ80pcKYE1w17CMKfC:…
classes.dex 49152:/eTx4XzQh28XnI54bIL0GrzTgIU0BiRrh2inNkij5zZMJ5GK62kwj8ykU2TUEJ+…
classes2.dex 98304:zgHetdH/rdoDHJSdWXYHoIWEwNEOV3/sBi5+s9gxHv:Tz/rdoDHJdnA5zxHv
classes3.dex 98304:LN0K5Wrgu/rAz71EPInJnQe6PVGes/eWerjoYpm1t/23XV3nT+8Hne:LN0KLuTK…
classes4.dex 6144:rQrQ2TlwrYv5OuxIYBMWqlw8oOqnd9ChjggSQJtjoOvgzEGEwE9qNlnnFsmsnFud…

Dexofuzzy

Information computed with Dexofuzzy.

APK file 12288:dBNuD4Quh2URV4MxWDr5E4euRrdRKTecm3oXv8t82DUG9r1LXOKSAzLP+1QhPt9…
classes.dex 6144:dBNdEnD7sxum+unwbIL6SXarERV4MxWDA45ZENodDeb/BEYGjwbJus/LChSydRK+…
classes2.dex 6144:pLpfwOcmjToNdvhmtOZ837k2YsU3UDoCp7RPZMM5YzFzc1TO0Ht6n:jcm3oXv8t8…
classes3.dex 6144:GLXjKtTRaRv+CQA2iLP+zZKkyvoTdbJqE3ufGmhP3trx7vN:GLXOKSAzLP+1QhPt…
classes4.dex 384:HWN2jfsuEQOI9T7CqpajccMLEj+kEyYzHFEfkEySApYM2VPQgB6z8PmRSX2/EvrM:…

APK details

Information computed with AndroGuard and Pithus.

Package network.loki.messenger
App name Session
Version name 1.11.13
Version code 2355
SDK 23 - 30
UAID e58fbc8b1a863918f6f59bdcb61f430d60bb6105
Signature Signature V1 Signature V2 Signature V3
Frosting Frosted
Blocks found within V2 signature:
  • 0x7109871a: Unknown
  • 0xf05368c0: Unknown
  • 0x6dff800d: Source stamp V2 X509 cert
  • 0x2146444e: Google metadata
  • 0x42726577: Verity padding

Certificate details

Information computed with AndroGuard.

MD5 8b84810b76901db709bee3f27c0c4096
SHA1 dd391d46143646507cab0a1eef5d63031bf11677
SHA256 a0225a4ac33a76e67db273ed17d7d6cfbbae2b4f950742864f83f413de0c5be5
Issuer Common Name: Android, Organizational Unit: Android, Organization: Google Inc., Locality: Mountain View, State/Province: California, Country: US
Not before 2019-08-02T00:38:35+00:00
Not after 2049-08-02T00:38:35+00:00

File Analysis

Information computed with MobSF.

Findings Files
Certificate/Key files hardcoded inside the app. res/raw/lf_session_cert.pem
res/raw/seed1cert.pem
res/raw/seed3cert.pem
stamp-cert-sha256

Manifest analysis

Information computed with MobSF.

Low App has a Network Security Configuration[android:networkSecurityConfig=@xml/network_security_configuration]
The Network Security Configuration feature lets apps customize their network security settings in a safe, declarative configuration file without modifying app code. These settings can be configured for specific domains and for a specific app.
High Activity-Alias (network.loki.messenger.RoutingActivity) is not Protected. [android:exported=true]
An Activity-Alias is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Activity (org.thoughtcrime.securesms.ShareActivity) is not Protected.An intent-filter exists.
An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Activity is explicitly exported.
High Activity (org.thoughtcrime.securesms.ShortcutLauncherActivity) is not Protected. [android:exported=true]
An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Service (org.thoughtcrime.securesms.service.DirectShareService) is Protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_CHOOSER_TARGET_SERVICE [android:exported=true]
A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
High Broadcast Receiver (org.thoughtcrime.securesms.service.BootReceiver) is not Protected.An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported.
High Broadcast Receiver (org.thoughtcrime.securesms.service.LocalBackupListener) is not Protected.An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported.
High Broadcast Receiver (org.thoughtcrime.securesms.service.PersistentConnectionBootListener) is not Protected.An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported.
High Broadcast Receiver (org.thoughtcrime.securesms.notifications.LocaleChangedReceiver) is not Protected.An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported.
High Broadcast Receiver (org.thoughtcrime.securesms.notifications.DeleteNotificationReceiver) is not Protected.An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported.
High Broadcast Receiver (org.thoughtcrime.securesms.service.PanicResponderListener) is not Protected. [android:exported=true]
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Broadcast Receiver (org.thoughtcrime.securesms.notifications.BackgroundPollWorker$BootBroadcastReceiver) is not Protected.An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported.
High Service (androidx.work.impl.background.systemjob.SystemJobService) is Protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true]
A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
High Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) is Protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.DUMP [android:exported=true]
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
High Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is Protected by a permission, but the protection level of the permission should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true]
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

Main Activity

Information computed with AndroGuard.

network.loki.messenger.RoutingActivity

Activities

Information computed with AndroGuard.

org.thoughtcrime.securesms.onboarding.LandingActivity
org.thoughtcrime.securesms.onboarding.RegisterActivity
org.thoughtcrime.securesms.onboarding.RecoveryPhraseRestoreActivity
org.thoughtcrime.securesms.onboarding.LinkDeviceActivity
org.thoughtcrime.securesms.onboarding.DisplayNameActivity
org.thoughtcrime.securesms.onboarding.PNModeActivity
org.thoughtcrime.securesms.home.HomeActivity
org.thoughtcrime.securesms.preferences.SettingsActivity
org.thoughtcrime.securesms.home.PathActivity
org.thoughtcrime.securesms.preferences.QRCodeActivity
org.thoughtcrime.securesms.dms.CreatePrivateChatActivity
org.thoughtcrime.securesms.groups.CreateClosedGroupActivity
org.thoughtcrime.securesms.groups.EditClosedGroupActivity
org.thoughtcrime.securesms.groups.JoinPublicChatActivity
org.thoughtcrime.securesms.onboarding.SeedActivity
org.thoughtcrime.securesms.contacts.SelectContactsActivity
org.thoughtcrime.securesms.preferences.PrivacySettingsActivity
org.thoughtcrime.securesms.preferences.NotificationSettingsActivity
org.thoughtcrime.securesms.preferences.ChatSettingsActivity
org.thoughtcrime.securesms.ShareActivity
org.thoughtcrime.securesms.conversation.v2.ConversationActivityV2
org.thoughtcrime.securesms.conversation.v2.MessageDetailActivity
org.thoughtcrime.securesms.groups.OpenGroupGuidelinesActivity
org.thoughtcrime.securesms.longmessage.LongMessageActivity
org.thoughtcrime.securesms.DatabaseUpgradeActivity
org.thoughtcrime.securesms.PassphrasePromptActivity
org.thoughtcrime.securesms.giph.ui.GiphyActivity
org.thoughtcrime.securesms.mediasend.MediaSendActivity
org.thoughtcrime.securesms.MediaPreviewActivity
org.thoughtcrime.securesms.MediaOverviewActivity
org.thoughtcrime.securesms.DummyActivity
org.thoughtcrime.securesms.scribbles.StickerSelectActivity
com.theartofdev.edmodo.cropper.CropImageActivity
org.thoughtcrime.securesms.ShortcutLauncherActivity
com.google.android.gms.common.api.GoogleApiActivity

Receivers

Information computed with AndroGuard.

org.thoughtcrime.securesms.notifications.MarkReadReceiver
org.thoughtcrime.securesms.notifications.RemoteReplyReceiver
org.thoughtcrime.securesms.notifications.AndroidAutoHeardReceiver
org.thoughtcrime.securesms.notifications.AndroidAutoReplyReceiver
org.thoughtcrime.securesms.service.ExpirationListener
org.thoughtcrime.securesms.service.BootReceiver
org.thoughtcrime.securesms.service.LocalBackupListener
org.thoughtcrime.securesms.service.PersistentConnectionBootListener
org.thoughtcrime.securesms.notifications.LocaleChangedReceiver
org.thoughtcrime.securesms.notifications.DeleteNotificationReceiver
org.thoughtcrime.securesms.service.PanicResponderListener
org.thoughtcrime.securesms.notifications.BackgroundPollWorker$BootBroadcastReceiver
org.thoughtcrime.securesms.jobmanager.AlarmManagerScheduler$RetryReceiver
androidx.work.impl.utils.ForceStopRunnable$BroadcastReceiver
androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryChargingProxy
androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryNotLowProxy
androidx.work.impl.background.systemalarm.ConstraintProxy$StorageNotLowProxy
androidx.work.impl.background.systemalarm.ConstraintProxy$NetworkStateProxy
androidx.work.impl.background.systemalarm.RescheduleReceiver
androidx.work.impl.background.systemalarm.ConstraintProxyUpdateReceiver
androidx.work.impl.diagnostics.DiagnosticsReceiver
com.google.firebase.iid.FirebaseInstanceIdReceiver

Services

Information computed with AndroGuard.

org.thoughtcrime.securesms.notifications.PushNotificationService
org.thoughtcrime.securesms.service.KeyCachingService
org.thoughtcrime.securesms.service.DirectShareService
org.thoughtcrime.securesms.service.GenericForegroundService
org.thoughtcrime.securesms.jobmanager.JobSchedulerScheduler$SystemService
org.thoughtcrime.securesms.jobmanager.KeepAliveService
com.google.firebase.messaging.FirebaseMessagingService
androidx.work.impl.background.systemalarm.SystemAlarmService
androidx.work.impl.background.systemjob.SystemJobService
androidx.work.impl.foreground.SystemForegroundService
com.google.firebase.components.ComponentDiscoveryService
androidx.room.MultiInstanceInvalidationService

Sample timeline

Oldest file found in APK Jan. 1, 1981, 1:01 a.m.
Latest file found in APK Jan. 1, 1981, 1:01 a.m.
Certificate valid not before Aug. 2, 2019, 12:38 a.m.
First submission on VT Nov. 24, 2021, 4:36 p.m.
Last submission on VT Nov. 24, 2021, 4:36 p.m.
Upload on Pithus Dec. 3, 2021, 10:58 a.m.
Certificate valid not after Aug. 2, 2049, 12:38 a.m.

NIAP analysis

Information computed with MobSF.

FCS_RBG_EXT.1.1 The application implement DRBG functionality for its cryptographic operations.
Random Bit Generation Services
FCS_STO_EXT.1.1 The application does not store any credentials to non-volatile memory.
Storage of Credentials
FCS_CKM_EXT.1.1 The application implement asymmetric key generation.
Cryptographic Key Generation Services
FDP_DEC_EXT.1.1 The application has access to ['network connectivity', 'microphone', 'camera'].
Access to Platform Resources
FDP_DEC_EXT.1.2 The application has access to no sensitive information repositories.
Access to Platform Resources
FDP_NET_EXT.1.1 The application has user/application initiated network communications.
Network Communications
FDP_DAR_EXT.1.1 The application implement functionality to encrypt sensitive data in non-volatile memory.
Encryption Of Sensitive Application Data
FMT_MEC_EXT.1.1 The application invoke the mechanisms recommended by the platform vendor for storing and setting configuration options.
Supported Configuration Mechanism
FTP_DIT_EXT.1.1 The application does encrypt some transmitted data with HTTPS/TLS/SSH between itself and another trusted IT product.
Protection of Data in Transit
FCS_RBG_EXT.2.1
FCS_RBG_EXT.2.2
The application perform all deterministic random bit generation (DRBG) services in accordance with NIST Special Publication 800-90A using Hash_DRBG. The deterministic RBG is seeded by an entropy source that accumulates entropy from a platform-based DRBG and a software-based noise source, with a minimum of 256 bits of entropy at least equal to the greatest security strength (according to NIST SP 800-57) of the keys and hashes that it will generate.
Random Bit Generation from Application
FCS_CKM.1.1(1) The application generate asymmetric cryptographic keys not in accordance with FCS_CKM.1.1(1) using key generation algorithm RSA schemes and cryptographic key sizes of 1024-bit or lower.
Cryptographic Asymmetric Key Generation
FCS_COP.1.1(1) The application perform encryption/decryption not in accordance with FCS_COP.1.1(1), AES-ECB mode is being used.
Cryptographic Operation - Encryption/Decryption
FCS_COP.1.1(2) The application perform cryptographic hashing services not in accordance with FCS_COP.1.1(2) and uses the cryptographic algorithm RC2/RC4/MD4/MD5.
Cryptographic Operation - Hashing
FCS_COP.1.1(4) The application perform keyed-hash message authentication with cryptographic algorithm ['HMAC-SHA-256', 'HMAC-SHA1', 'HMAC-MD5'] .
Cryptographic Operation - Keyed-Hash Message Authentication
FCS_HTTPS_EXT.1.1 The application implement the HTTPS protocol that complies with RFC 2818.
HTTPS Protocol
FCS_HTTPS_EXT.1.2 The application implement HTTPS using TLS.
HTTPS Protocol
FCS_HTTPS_EXT.1.3 The application notify the user and not establish the connection or request application authorization to establish the connection if the peer certificate is deemed invalid.
HTTPS Protocol
FIA_X509_EXT.1.1 The application invoked platform-provided functionality to validate certificates in accordance with the following rules: ['The certificate path must terminate with a trusted CA certificate', 'RFC 5280 certificate validation and certificate path validation', 'The application validate the revocation status of the certificate using the Online Certificate Status Protocol (OCSP) as specified in RFC 2560 or a Certificate Revocation List (CRL) as specified in RFC 5759 or an OCSP TLS Status Request Extension (i.e., OCSP stapling) as specified in RFC 6066'].
X.509 Certificate Validation
FIA_X509_EXT.2.1 The application use X.509v3 certificates as defined by RFC 5280 to support authentication for HTTPS , TLS.
X.509 Certificate Authentication
FCS_CKM.1.1(2) The application shall generate symmetric cryptographic keys using a Random Bit Generator as specified in FCS_RBG_EXT.1 and specified cryptographic key sizes 128 bit or 256 bit.
Cryptographic Symmetric Key Generation

Code analysis

Information computed with MobSF.

Low
CVSS:0
This App copies data to clipboard. Sensitive data should not be copied to clipboard as other applications can access it.
MASVS: MSTG-STORAGE-10
Files:
 org/thoughtcrime/securesms/onboarding/RegisterActivity.java
org/thoughtcrime/securesms/preferences/SeedDialog.java
org/thoughtcrime/securesms/onboarding/SeedActivity.java
org/thoughtcrime/securesms/home/UserDetailsBottomSheet$onViewCreated$5.java
org/thoughtcrime/securesms/conversation/v2/ModalUrlBottomSheet.java
org/thoughtcrime/securesms/conversation/v2/menus/ConversationMenuHelper.java
org/thoughtcrime/securesms/preferences/SettingsActivity.java
org/thoughtcrime/securesms/util/LongClickCopySpan.java
org/thoughtcrime/securesms/backup/BackupDialog.java
org/thoughtcrime/securesms/conversation/v2/ConversationActivityV2.java
org/thoughtcrime/securesms/dms/EnterPublicKeyFragment.java
High
CVSS:5.9
SHA-1 is a weak hash known to have hash collisions.
MASVS: MSTG-CRYPTO-4
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
M5: Insufficient Cryptography
Files:
 org/session/libsignal/utilities/Util.java
org/session/libsession/messaging/utilities/MessageWrapper.java
org/session/libsignal/utilities/KeyHelper.java
org/thoughtcrime/securesms/crypto/ClassicDecryptingPartInputStream.java
org/thoughtcrime/securesms/MessageDetailsRecipientAdapter.java
Medium
CVSS:4.3
IP Address disclosure
MASVS: MSTG-CODE-2
CWE-200 Information Exposure
Files:
 org/conscrypt/OpenSSLCipherRSA.java
org/conscrypt/OAEPParameters.java
org/conscrypt/OpenSSLSignature.java
org/conscrypt/CertificatePriorityComparator.java
org/conscrypt/ChainStrengthAnalyzer.java
org/conscrypt/ct/CTConstants.java
org/session/libsession/snode/SnodeAPI.java
org/conscrypt/TrustManagerImpl.java
org/conscrypt/EvpMdRef.java
org/conscrypt/OpenSSLProvider.java
org/thoughtcrime/securesms/attachments/AttachmentServer.java
org/session/libsession/messaging/open_groups/OpenGroupAPIV2.java
org/session/libsession/snode/SnodeAPI$getRandomSnode$1.java
High
CVSS:5.5
App can read/write to External Storage. Any App can read data written to External Storage.
MASVS: MSTG-STORAGE-2
CWE-276 Incorrect Default Permissions
M2: Insecure Data Storage
Files:
 org/thoughtcrime/securesms/util/SaveAttachmentTask.java
org/session/libsignal/utilities/ExternalStorageUtil.java
com/klinker/android/logger/Log.java
org/thoughtcrime/securesms/preferences/ShareLogsDialog.java
org/thoughtcrime/securesms/util/BackupDirSelector.java
org/thoughtcrime/securesms/preferences/ViewMyQRCodeFragment.java
Low
CVSS:7.5
The App logs information. Sensitive information should never be logged.
MASVS: MSTG-STORAGE-3
CWE-532 Insertion of Sensitive Information into Log File
Files:
 org/thoughtcrime/securesms/notifications/SingleRecipientNotificationBuilder.java
org/thoughtcrime/securesms/backup/FullBackupImporter.java
org/session/libsession/messaging/sending_receiving/MessageEncrypter.java
net/sqlcipher/database/SQLiteOpenHelper.java
org/thoughtcrime/securesms/jobs/LocalBackupJob.java
org/thoughtcrime/securesms/notifications/BackgroundPollWorker.java
org/thoughtcrime/securesms/notifications/PushNotificationService.java
org/thoughtcrime/securesms/components/emoji/MediaKeyboard.java
org/thoughtcrime/securesms/util/SingleLiveEvent.java
org/thoughtcrime/securesms/database/RecipientDatabase.java
com/esotericsoftware/kryo/unsafe/UnsafeUtil.java
org/thoughtcrime/securesms/video/VideoPlayer.java
org/thoughtcrime/securesms/jobs/BaseJob.java
org/thoughtcrime/securesms/notifications/LokiPushNotificationManager$register$1.java
org/thoughtcrime/securesms/components/camera/CameraUtils.java
org/thoughtcrime/securesms/notifications/NotificationChannels.java
net/sqlcipher/database/SQLiteCursor.java
org/thoughtcrime/securesms/glide/cache/EncryptedGifCacheDecoder.java
org/session/libsession/messaging/messages/visible/OpenGroupInvitation.java
org/session/libsession/messaging/utilities/UpdateMessageData.java
org/thoughtcrime/securesms/attachments/DatabaseAttachmentProvider.java
org/thoughtcrime/securesms/glide/ChunkedImageUrlFetcher.java
org/session/libsession/messaging/jobs/BatchMessageReceiveJob$executeAsync$1.java
org/session/libsession/messaging/open_groups/OpenGroupAPIV2$deleteMessage$1.java
org/session/libsignal/utilities/Log.java
com/bumptech/glide/Glide.java
org/thoughtcrime/securesms/util/SaveAttachmentTask.java
android/net/DhcpInfoInternal.java
org/session/libsignal/crypto/PushTransportDetails.java
org/thoughtcrime/securesms/util/ResUtil.java
org/session/libsession/messaging/jobs/AttachmentUploadJob.java
com/bumptech/glide/load/data/mediastore/ThumbnailStreamOpener.java
com/bumptech/glide/load/model/StreamEncoder.java
org/thoughtcrime/securesms/components/ComposeText.java
org/greenrobot/eventbus/EventBus.java
org/session/libsession/utilities/DownloadUtilities.java
org/greenrobot/eventbus/util/ExceptionToResourceMapping.java
org/session/libsession/messaging/open_groups/OpenGroupMessageV2.java
org/thoughtcrime/securesms/logging/UncaughtExceptionLogger.java
org/thoughtcrime/securesms/longmessage/LongMessageRepository.java
net/sqlcipher/DatabaseUtils.java
net/sqlcipher/database/SQLiteDebug.java
org/thoughtcrime/securesms/audio/AudioSlidePlayer.java
org/session/libsession/snode/OnionRequestAPI$testSnode$1.java
org/thoughtcrime/securesms/mms/MediaConstraints.java
com/bumptech/glide/load/engine/GlideException.java
org/thoughtcrime/securesms/components/CustomDefaultPreference.java
org/thoughtcrime/securesms/giph/net/GiphyLoader.java
org/session/libsession/messaging/messages/control/ReadReceipt.java
org/thoughtcrime/securesms/providers/PartProvider.java
org/session/libsession/utilities/ThemeUtil.java
org/session/libsession/messaging/sending_receiving/pollers/Poller$pollNextSnode$1.java
org/thoughtcrime/securesms/notifications/AndroidAutoHeardReceiver.java
com/tbruyelle/rxpermissions2/RxPermissionsFragment.java
org/thoughtcrime/securesms/mediasend/$$Lambda$MediaSendFragment$3$GJFvkhEXXSQ5PFtYNXloIOrbLY.java
org/thoughtcrime/securesms/database/PushDatabase.java
org/session/libsession/snode/OnionRequestAPI$getGuardSnodes$1.java
net/sqlcipher/database/SQLiteQueryBuilder.java
org/session/libsession/messaging/jobs/JobQueue$handleJobFailed$$inlined$schedule$1.java
org/thoughtcrime/securesms/jobs/UpdateApkJob.java
org/thoughtcrime/securesms/database/EarlyReceiptCache.java
org/thoughtcrime/securesms/backup/BackupPreferences.java
org/thoughtcrime/securesms/database/SessionJobDatabase$getAllPendingJobs$1.java
com/nineoldandroids/animation/PropertyValuesHolder.java
org/thoughtcrime/securesms/mediasend/MediaSendFragment.java
net/sqlcipher/AbstractCursor.java
com/bumptech/glide/load/resource/bitmap/Downsampler.java
org/session/libsession/messaging/messages/control/UnsendRequest.java
org/thoughtcrime/securesms/util/Stopwatch.java
com/bumptech/glide/load/resource/ImageDecoderResourceDecoder.java
org/session/libsession/messaging/file_server/FileServerAPIV2$send$1.java
org/session/libsession/messaging/messages/control/ExpirationTimerUpdate.java
org/thoughtcrime/securesms/audio/AudioCodec.java
org/thoughtcrime/securesms/util/IP2Country$populateCacheIfNeeded$1.java
org/thoughtcrime/securesms/audio/AudioRecorder.java
org/thoughtcrime/securesms/conversation/v2/ConversationActivityV2.java
com/bumptech/glide/load/model/ByteBufferEncoder.java
org/thoughtcrime/securesms/linkpreview/LinkPreviewRepository.java
com/bumptech/glide/manager/RequestManagerRetriever.java
com/bumptech/glide/load/resource/bitmap/TransformationUtils.java
org/thoughtcrime/securesms/jobmanager/JobSchedulerScheduler.java
org/thoughtcrime/securesms/sskenvironment/ReadReceiptManager.java
kotlinx/coroutines/debug/AgentPremain$installSignalHandler$1.java
com/bumptech/glide/manager/RequestManagerFragment.java
org/thoughtcrime/securesms/onboarding/LinkDeviceActivity.java
org/thoughtcrime/securesms/notifications/MarkReadReceiver.java
com/codewaves/stickyheadergrid/StickyHeaderGridLayoutManager.java
com/bumptech/glide/load/resource/bitmap/BitmapEncoder.java
org/session/libsession/messaging/sending_receiving/pollers/Poller.java
com/makeramen/roundedimageview/RoundedImageView.java
org/thoughtcrime/securesms/components/emoji/parsing/EmojiPageBitmap.java
org/thoughtcrime/securesms/database/SmsDatabase.java
com/klinker/android/logger/Log.java
org/session/libsession/messaging/sending_receiving/MessageSender$sendToSnodeDestination$3.java
org/thoughtcrime/securesms/jobmanager/JobController.java
org/greenrobot/eventbus/BackgroundPoster.java
se/emilsjolander/stickylistheaders/StickyListHeadersListView.java
com/klinker/android/send_message/Message.java
org/thoughtcrime/securesms/backup/FullBackupExporter.java
com/bumptech/glide/load/data/LocalUriFetcher.java
org/thoughtcrime/securesms/jobmanager/JobRunner.java
org/thoughtcrime/securesms/mms/AttachmentStreamLocalUriFetcher.java
com/bumptech/glide/load/engine/cache/MemorySizeCalculator.java
com/bumptech/glide/request/SingleRequest.java
org/thoughtcrime/securesms/logging/PersistentLogger.java
org/session/libsession/snode/SnodeAPI$getRandomSnode$1.java
org/greenrobot/eventbus/util/ErrorDialogManager.java
org/session/libsession/messaging/messages/control/TypingIndicator.java
com/bumptech/glide/manager/SupportRequestManagerFragment.java
com/tomergoldst/tooltips/ToolTipsManager.java
org/thoughtcrime/securesms/util/DateUtils.java
com/bumptech/glide/load/engine/SourceGenerator.java
com/bumptech/glide/load/engine/Engine.java
com/theartofdev/edmodo/cropper/CropOverlayView.java
org/thoughtcrime/securesms/components/emoji/RecentEmojiPageModel.java
org/thoughtcrime/securesms/mediasend/Camera1Controller.java
com/klinker/android/send_message/Transaction.java
org/session/libsession/messaging/sending_receiving/MessageDecrypter.java
org/thoughtcrime/securesms/service/ExpiringMessageManager.java
org/thoughtcrime/securesms/attachments/AttachmentServer.java
org/thoughtcrime/securesms/jobs/AvatarDownloadJob.java
org/session/libsession/snode/OnionRequestAPI$sendOnionRequest$3.java
org/thoughtcrime/securesms/service/UpdateApkReadyListener.java
org/thoughtcrime/securesms/database/MmsDatabase.java
org/session/libsession/utilities/TextSecurePreferences.java
org/thoughtcrime/securesms/util/BackupUtil.java
org/thoughtcrime/securesms/net/ContentProxySelector.java
org/thoughtcrime/securesms/service/PersistentConnectionBootListener.java
org/thoughtcrime/securesms/jobs/TrimThreadJob.java
org/session/libsession/snode/SnodeAPI$deleteMessage$1.java
org/thoughtcrime/securesms/mediasend/MediaSendVideoFragment.java
org/session/libsession/messaging/jobs/JobQueue.java
org/thoughtcrime/securesms/avatar/AvatarSelection.java
com/klinker/android/send_message/SentReceiver.java
com/sun/jna/Native.java
me/leolin/shortcutbadger/ShortcutBadger.java
com/bumptech/glide/load/model/ResourceLoader.java
org/thoughtcrime/securesms/net/ChunkedDataFetcher.java
org/thoughtcrime/securesms/util/MediaUtil.java
android/database/sqlite/SqliteWrapper.java
org/session/libsession/utilities/recipients/Recipient.java
org/thoughtcrime/securesms/giph/ui/GiphyAdapter.java
org/thoughtcrime/securesms/giph/ui/GiphyActivity.java
org/session/libsession/messaging/sending_receiving/ReceivedMessageHandlerKt.java
com/bumptech/glide/load/engine/prefill/BitmapPreFillRunner.java
com/bumptech/glide/util/pool/FactoryPools.java
org/thoughtcrime/securesms/conversation/v2/utilities/ThumbnailView.java
org/thoughtcrime/securesms/backup/BackupRestoreViewModel$tryRestoreBackup$1.java
com/esotericsoftware/minlog/Log.java
org/thoughtcrime/securesms/util/StreamUtil.java
android/net/LinkCapabilities.java
com/bumptech/glide/request/target/ViewTarget.java
org/session/libsession/messaging/sending_receiving/MessageSenderClosedGroupHandlerKt.java
org/thoughtcrime/securesms/notifications/RemoteReplyReceiver.java
org/thoughtcrime/securesms/database/ThreadDatabase.java
org/thoughtcrime/securesms/scribbles/ImageEditorFragment.java
org/thoughtcrime/securesms/util/IP2Country.java
com/klinker/android/send_message/ApnUtils.java
com/bumptech/glide/load/data/AssetPathFetcher.java
org/session/libsession/messaging/open_groups/OpenGroupAPIV2.java
org/session/libsession/messaging/sending_receiving/pollers/ClosedGroupPollerV2$poll$2.java
org/thoughtcrime/securesms/service/KeyCachingService.java
com/klinker/android/send_message/MmsReceivedService.java
org/thoughtcrime/securesms/components/KeyboardAwareLinearLayout.java
org/thoughtcrime/securesms/backup/BackupPassphrase.java
org/thoughtcrime/securesms/audio/$$Lambda$AudioRecorder$r_l0UJfQeQ3yNuOJqzUKk61tv0.java
org/session/libsession/messaging/sending_receiving/notifications/PushNotificationAPI$register$1.java
org/thoughtcrime/securesms/scribbles/StickerLoader.java
org/thoughtcrime/securesms/service/QuickResponseService.java
org/thoughtcrime/securesms/mms/QuoteId.java
org/thoughtcrime/securesms/PassphrasePromptActivity.java
org/thoughtcrime/securesms/jobs/RetrieveProfileAvatarJob.java
org/thoughtcrime/securesms/PassphraseRequiredActionBarActivity.java
org/thoughtcrime/securesms/MediaDocumentsAdapter.java
org/thoughtcrime/securesms/service/UpdateApkRefreshListener.java
com/bumptech/glide/load/model/FileLoader.java
com/esotericsoftware/kryo/util/Util.java
org/session/libsession/messaging/open_groups/OpenGroupV2.java
com/klinker/android/send_message/DeliveredReceiver.java
com/bumptech/glide/signature/ApplicationVersionSignature.java
org/session/libsignal/utilities/JsonUtil.java
com/klinker/android/send_message/MmsReceivedReceiver.java
com/klinker/android/send_message/MmsSentReceiver.java
com/bumptech/glide/load/engine/DecodeJob.java
org/thoughtcrime/securesms/crypto/ClassicDecryptingPartInputStream.java
com/bumptech/glide/load/resource/gif/StreamGifDecoder.java
org/thoughtcrime/securesms/jobs/PrepareAttachmentAudioExtrasJob.java
com/bumptech/glide/load/resource/gif/GifDrawableEncoder.java
org/session/libsession/messaging/open_groups/OpenGroupAPIV2$ban$1.java
org/thoughtcrime/securesms/service/PersistentAlarmManagerListener.java
org/thoughtcrime/securesms/glide/cache/EncryptedCacheEncoder.java
com/makeramen/roundedimageview/RoundedDrawable.java
com/davemorrissey/labs/subscaleview/SubsamplingScaleImageView.java
org/conscrypt/ct/CTVerifier.java
org/thoughtcrime/securesms/notifications/LokiPushNotificationManager$performOperation$1.java
com/bumptech/glide/load/data/mediastore/ThumbFetcher.java
org/session/libsession/messaging/messages/control/ClosedGroupControlMessage.java
org/thoughtcrime/securesms/glide/cache/EncryptedGifDrawableResourceEncoder.java
com/bumptech/glide/load/resource/bitmap/BitmapImageDecoderResourceDecoder.java
org/thoughtcrime/securesms/glide/cache/EncryptedBitmapCacheDecoder.java
net/sqlcipher/database/SqliteWrapper.java
org/session/libsession/messaging/messages/visible/Quote.java
org/thoughtcrime/securesms/mediasend/$$Lambda$MediaSendActivity$8BkR2lM6qavQ5hTsnpEjEMz56g.java
org/thoughtcrime/securesms/components/ZoomingImageView.java
org/session/libsession/messaging/messages/visible/VisibleMessage.java
org/session/libsession/messaging/messages/control/DataExtractionNotification.java
org/thoughtcrime/securesms/components/emoji/EmojiProvider.java
org/thoughtcrime/securesms/backup/BackupDialog.java
com/bumptech/glide/load/resource/bitmap/HardwareConfigState.java
com/bumptech/glide/manager/RequestTracker.java
com/bumptech/glide/load/model/ByteBufferFileLoader.java
org/session/libsession/utilities/dynamiclanguage/DynamicLanguageActivityHelper.java
org/thoughtcrime/securesms/util/SmsCharacterCalculator.java
org/session/libsession/snode/OnionRequestAPI$sendOnionRequest$5.java
org/thoughtcrime/securesms/notifications/LokiPushNotificationManager$unregister$1.java
org/thoughtcrime/securesms/components/subsampling/AttachmentRegionDecoder.java
org/thoughtcrime/securesms/database/MessagingDatabase.java
org/thoughtcrime/securesms/logging/AndroidLogger.java
org/thoughtcrime/securesms/$$Lambda$ShareActivity$ResolveMediaTask$U0OdykBLzGu2yUma_c4zfPhfe6A.java
com/theartofdev/edmodo/cropper/BitmapUtils.java
org/thoughtcrime/securesms/jobmanager/AlarmManagerScheduler.java
org/session/libsession/utilities/Util.java
com/bumptech/glide/load/resource/gif/ByteBufferGifDecoder.java
org/thoughtcrime/securesms/components/camera/CameraView.java
org/thoughtcrime/securesms/mms/DecryptableStreamLocalUriFetcher.java
org/greenrobot/eventbus/util/ErrorDialogConfig.java
com/bumptech/glide/manager/DefaultConnectivityMonitor.java
org/thoughtcrime/securesms/mediasend/MediaSendActivity.java
org/jsoup/examples/HtmlToPlainText.java
android/net/RouteInfo.java
org/thoughtcrime/securesms/ApplicationContext.java
org/session/libsignal/utilities/HTTP.java
org/thoughtcrime/securesms/notifications/DefaultMessageNotifier.java
org/session/libsession/messaging/jobs/MessageSendJob.java
org/session/libsignal/utilities/PromiseUtilities$successBackground$1.java
org/greenrobot/eventbus/util/AsyncExecutor.java
net/sqlcipher/DefaultDatabaseErrorHandler.java
net/sqlcipher/database/SQLiteContentHelper.java
com/bumptech/glide/load/engine/bitmap_recycle/LruArrayPool.java
org/session/libsession/snode/OnionRequestAPI$buildPaths$promise$1.java
org/thoughtcrime/securesms/util/AttachmentUtil.java
org/thoughtcrime/securesms/contacts/ContactSelectionListFragment.java
org/thoughtcrime/securesms/MediaPreviewActivity.java
org/session/libsession/messaging/jobs/MessageReceiveJob.java
org/thoughtcrime/securesms/service/DirectShareService.java
android/net/NetworkUtilsHelper.java
com/esotericsoftware/kryo/serializers/VersionFieldSerializer.java
com/bumptech/glide/load/resource/bitmap/DrawableToBitmapConverter.java
com/github/ybq/android/spinkit/animation/SpriteAnimatorBuilder.java
com/bumptech/glide/load/engine/cache/DiskLruCacheWrapper.java
org/conscrypt/Platform.java
org/session/libsession/messaging/open_groups/OpenGroupAPIV2$banAndDeleteAll$1.java
net/sqlcipher/database/SQLiteCompiledSql.java
org/session/libsession/messaging/messages/visible/Profile.java
org/thoughtcrime/securesms/notifications/NotificationState.java
org/session/libsession/messaging/jobs/MessageSendJob$execute$promise$2.java
org/thoughtcrime/securesms/util/BitmapUtil.java
org/session/libsession/snode/OnionRequestAPI$sendOnionRequest$1.java
com/bumptech/glide/load/resource/bitmap/VideoDecoder.java
com/bumptech/glide/load/data/HttpUrlFetcher.java
org/thoughtcrime/securesms/ShareActivity.java
org/thoughtcrime/securesms/giph/ui/$$Lambda$GiphyActivity$1$WVDaydrskvdUvSTrxhbYWs7RLo.java
org/jsoup/examples/ListLinks.java
org/session/libsession/snode/SnodeAPI$handleSnodeError$1.java
org/session/libsession/messaging/messages/visible/LinkPreview.java
org/thoughtcrime/securesms/mediasend/Camera1Fragment.java
org/session/libsession/snode/SnodeAPI$invoke$1.java
com/bumptech/glide/request/target/CustomViewTarget.java
net/sqlcipher/database/SQLiteDatabase.java
com/bumptech/glide/load/engine/DecodePath.java
org/thoughtcrime/securesms/database/LokiAPIDatabase.java
com/bumptech/glide/gifdecoder/GifHeaderParser.java
org/thoughtcrime/securesms/mediasend/MediaSendViewModel.java
org/thoughtcrime/securesms/jobmanager/impl/JsonDataSerializer.java
org/thoughtcrime/securesms/jobmanager/InAppScheduler.java
org/thoughtcrime/securesms/net/ContentProxySafetyInterceptor.java
org/thoughtcrime/securesms/glide/cache/EncryptedBitmapResourceEncoder.java
org/thoughtcrime/securesms/jobmanager/Job.java
org/thoughtcrime/securesms/preferences/ChatsPreferenceFragment.java
kotlin/io/ConsoleKt.java
net/sqlcipher/BulkCursorToCursorAdaptor.java
org/thoughtcrime/securesms/notifications/AndroidAutoReplyReceiver.java
org/thoughtcrime/securesms/database/helpers/SQLCipherOpenHelper.java
org/thoughtcrime/securesms/sskenvironment/TypingStatusRepository.java
com/bumptech/glide/module/ManifestParser.java
com/bumptech/glide/GeneratedAppGlideModuleImpl.java
org/thoughtcrime/securesms/jobmanager/JobManager.java
net/sqlcipher/database/SQLiteQuery.java
org/session/libsession/messaging/jobs/AttachmentDownloadJob.java
org/session/libsession/snode/SnodeAPI$handleSnodeError$2.java
org/thoughtcrime/securesms/qr/ScanningThread.java
com/bumptech/glide/load/engine/executor/GlideExecutor.java
com/klinker/android/send_message/Settings.java
com/bumptech/glide/load/resource/bitmap/DefaultImageHeaderParser.java
com/esotericsoftware/kryo/serializers/CachedFields.java
org/session/libsession/utilities/IdentityKeyMismatch.java
org/session/libsession/messaging/sending_receiving/notifications/PushNotificationAPI$performOperation$1.java
com/bumptech/glide/gifdecoder/StandardGifDecoder.java
org/thoughtcrime/securesms/service/GenericForegroundService.java
com/theartofdev/edmodo/cropper/CropImageActivity.java
org/session/libsession/messaging/open_groups/OpenGroupAPIV2$unban$1.java
org/thoughtcrime/securesms/search/SearchRepository.java
org/session/libsession/messaging/utilities/MessageWrapper.java
com/esotericsoftware/kryo/serializers/TaggedFieldSerializer.java
com/bumptech/glide/manager/DefaultConnectivityMonitorFactory.java
com/bumptech/glide/load/engine/bitmap_recycle/LruBitmapPool.java
com/esotericsoftware/kryo/serializers/CompatibleFieldSerializer.java
org/session/libsession/snode/SnodeAPI.java
org/thoughtcrime/securesms/util/WakeLockUtil.java
com/esotericsoftware/kryo/Kryo.java
org/session/libsession/snode/OnionRequestAPI.java
org/thoughtcrime/securesms/database/AttachmentDatabase.java
org/thoughtcrime/securesms/conversation/v2/utilities/AttachmentManager.java
org/thoughtcrime/securesms/providers/BlobProvider.java
net/sqlcipher/database/SQLiteProgram.java
com/bumptech/glide/util/ContentLengthInputStream.java
com/klinker/android/send_message/Utils.java
High
CVSS:7.4
Files may contain hardcoded sensitive informations like usernames, passwords, keys etc.
MASVS: MSTG-STORAGE-14
CWE-312 Cleartext Storage of Sensitive Information
M9: Reverse Engineering
Files:
 com/bumptech/glide/manager/RequestManagerRetriever.java
org/thoughtcrime/securesms/crypto/IdentityKeyUtil.java
org/jsoup/nodes/DataNode.java
org/thoughtcrime/securesms/contacts/SelectContactsActivity.java
org/thoughtcrime/securesms/jobs/LocalBackupJob.java
com/bumptech/glide/load/engine/ResourceCacheKey.java
org/thoughtcrime/securesms/jobs/RetrieveProfileAvatarJob.java
org/thoughtcrime/securesms/database/RecipientDatabase.java
org/session/libsession/utilities/AESGCM.java
org/session/libsession/messaging/mentions/Mention.java
org/session/libsession/messaging/jobs/NotifyPNServerJob.java
org/session/libsignal/utilities/Snode.java
org/session/libsession/messaging/open_groups/OpenGroupV2.java
org/thoughtcrime/securesms/database/LokiUserDatabase.java
kotlinx/serialization/internal/MapEntrySerializer.java
org/thoughtcrime/securesms/groups/EditClosedGroupActivity.java
org/thoughtcrime/securesms/database/LokiAPIDatabase.java
org/thoughtcrime/securesms/jobs/PrepareAttachmentAudioExtrasJob.java
org/session/libsession/messaging/jobs/BatchMessageReceiveJob.java
org/jsoup/nodes/TextNode.java
org/session/libsession/messaging/file_server/FileServerAPIV2.java
org/thoughtcrime/securesms/jobs/AvatarDownloadJob.java
org/session/libsession/messaging/jobs/AttachmentUploadJob.java
org/thoughtcrime/securesms/jobmanager/impl/NetworkConstraint.java
org/session/libsession/utilities/TextSecurePreferences.java
org/conscrypt/OpenSSLECKeyFactory.java
org/thoughtcrime/securesms/notifications/AndroidAutoReplyReceiver.java
org/thoughtcrime/securesms/database/helpers/SQLCipherOpenHelper.java
org/thoughtcrime/securesms/jobs/TrimThreadJob.java
org/thoughtcrime/securesms/jobmanager/impl/NetworkOrCellServiceConstraint.java
org/session/libsession/messaging/jobs/AttachmentDownloadJob.java
org/conscrypt/OpenSSLRSAKeyFactory.java
org/jsoup/nodes/Comment.java
io/reactivex/internal/schedulers/SchedulerPoolFactory.java
org/thoughtcrime/securesms/jobmanager/impl/SqlCipherMigrationConstraint.java
org/thoughtcrime/securesms/database/JobDatabase.java
org/session/libsession/messaging/jobs/TrimThreadJob.java
org/thoughtcrime/securesms/jobs/UpdateApkJob.java
org/jsoup/nodes/XmlDeclaration.java
org/thoughtcrime/securesms/database/GroupDatabase.java
org/thoughtcrime/securesms/database/SessionContactDatabase.java
com/bumptech/glide/load/engine/DataCacheKey.java
org/session/libsession/messaging/jobs/MessageSendJob.java
org/session/libsession/snode/OnionRequestAPI.java
org/thoughtcrime/securesms/database/AttachmentDatabase.java
org/session/libsession/messaging/sending_receiving/notifications/PushNotificationAPI.java
org/session/libsession/messaging/open_groups/OpenGroupAPIV2.java
com/bumptech/glide/load/Option.java
com/bumptech/glide/load/engine/EngineResource.java
org/thoughtcrime/securesms/jobmanager/impl/CellServiceConstraint.java
org/session/libsession/messaging/jobs/MessageReceiveJob.java
High
CVSS:7.5
The App uses an insecure Random Number Generator.
MASVS: MSTG-CRYPTO-6
CWE-330 Use of Insufficiently Random Values
M5: Insufficient Cryptography
Files:
 kotlin/collections/EmptyList.java
kotlin/random/AbstractPlatformRandom.java
kotlin/collections/unsigned/UArraysKt___UArraysJvmKt$asList$4.java
kotlin/collections/unsigned/UArraysKt___UArraysJvmKt$asList$1.java
com/amulyakhare/textdrawable/util/ColorGenerator.java
kotlin/collections/ArraysKt___ArraysJvmKt$asList$6.java
kotlin/collections/ArraysKt___ArraysJvmKt$asList$3.java
org/jsoup/helper/DataUtil.java
kotlin/random/KotlinRandom.java
kotlin/collections/AbstractList.java
kotlin/collections/RingBuffer.java
kotlin/random/PlatformRandomKt.java
kotlin/collections/ArraysKt___ArraysJvmKt$asList$7.java
com/esotericsoftware/kryo/util/CuckooObjectMap.java
kotlin/collections/CollectionsKt__CollectionsJVMKt.java
kotlin/collections/unsigned/UArraysKt___UArraysJvmKt$asList$2.java
kotlin/collections/ArraysKt___ArraysJvmKt$asList$1.java
org/thoughtcrime/securesms/jobs/PrepareAttachmentAudioExtrasJob$onRun$2.java
kotlin/reflect/jvm/internal/impl/utils/SmartList.java
okio/Options.java
kotlin/reflect/jvm/internal/impl/protobuf/UnmodifiableLazyStringList.java
com/fasterxml/jackson/databind/ser/BasicSerializerFactory.java
kotlin/collections/ArraysKt___ArraysJvmKt$asList$4.java
kotlin/collections/builders/ListBuilder.java
kotlin/collections/CollectionsKt___CollectionsKt.java
kotlin/reflect/jvm/internal/impl/protobuf/LazyStringArrayList.java
com/klinker/android/send_message/Transaction.java
com/annimon/stream/RandomCompat.java
kotlin/random/FallbackThreadLocalRandom.java
kotlin/collections/MovingSubList.java
kotlin/collections/ArraysKt___ArraysJvmKt$asList$2.java
kotlin/collections/unsigned/UArraysKt___UArraysJvmKt$asList$3.java
kotlin/collections/CollectionsKt__MutableCollectionsJVMKt.java
io/reactivex/internal/util/VolatileSizeArrayList.java
kotlin/random/FallbackThreadLocalRandom$implStorage$1.java
kotlin/random/PlatformRandom.java
kotlin/collections/ArraysKt___ArraysJvmKt$asList$5.java
kotlin/collections/ArraysKt___ArraysJvmKt$asList$8.java
com/klinker/android/send_message/Utils.java
kotlin/collections/CollectionsKt__MutableCollectionsKt.java
High
CVSS:5.5
App creates temp file. Sensitive information should never be written into a temp file.
MASVS: MSTG-STORAGE-2
CWE-276 Incorrect Default Permissions
M2: Insecure Data Storage
Files:
 com/theartofdev/edmodo/cropper/CropImageActivity.java
kotlin/io/FilesKt__UtilsKt.java
org/thoughtcrime/securesms/database/AttachmentDatabase.java
org/thoughtcrime/securesms/backup/FullBackupImporter.java
org/thoughtcrime/securesms/jobs/AvatarDownloadJob.java
org/session/libsession/messaging/jobs/AttachmentDownloadJob.java
org/thoughtcrime/securesms/jobs/RetrieveProfileAvatarJob.java
org/thoughtcrime/securesms/avatar/AvatarSelection.java
com/theartofdev/edmodo/cropper/BitmapUtils.java
com/sun/jna/Native.java
Info
CVSS:0
This App uses SSL certificate pinning to detect or prevent MITM attacks in secure communication channel.
MASVS: MSTG-NETWORK-4
Files:
 org/conscrypt/SSLParametersImpl.java
org/conscrypt/DefaultSSLContextImpl.java
Low
CVSS:0
This App uses SQL Cipher. SQLCipher provides 256-bit AES encryption to sqlite database files.
MASVS: MSTG-CRYPTO-1
Files:
 org/thoughtcrime/securesms/dependencies/DatabaseModule.java
Pygal Canada: 100 Germany: 300 Israel: 100 United States: 1100

Map computed by Pithus.

Network analysis

Information computed with MobSF.

High Domain config is insecurely configured to permit clear text traffic to these domains in scope.
Scope: ['127.0.0.1']
Info Domain config is securely configured to disallow clear text traffic to these domains in scope.
Scope: ['public.loki.foundation']
Low Domain config is configured to trust bundled certs @raw/lf_session_cert.
Scope: ['public.loki.foundation']
Info Domain config is securely configured to disallow clear text traffic to these domains in scope.
Scope: ['storage.seed1.loki.network']
Low Domain config is configured to trust bundled certs @raw/seed1cert.
Scope: ['storage.seed1.loki.network']
Info Domain config is securely configured to disallow clear text traffic to these domains in scope.
Scope: ['storage.seed3.loki.network']
Low Domain config is configured to trust bundled certs @raw/seed3cert.
Scope: ['storage.seed3.loki.network']

Domains analysis

Information computed with MobSF.

US api.giphy.com 151.101.14.2
US apache.org 151.101.2.132
IL storage.seed3.loki.network 212.199.114.66
DE live.apns.getsession.org 88.99.14.72
US xml.org 104.239.240.11
US crowdin.com 76.223.3.83
DE public.loki.foundation 144.76.164.202
US getsession.org 104.21.81.27
dmytrodanylyk.com
US loki-5a81e.firebaseio.com 35.201.97.85
US www.apache.org 151.101.2.132
CA filev2.getsession.org 51.79.57.232
US xml.apache.org 151.101.2.132
US oxen.io 172.67.146.128
US www.gstatic.com 172.217.16.131
DE storage.seed1.loki.network 116.203.53.213
US github.com 140.82.121.4

URL analysis

Information computed with MobSF.

https://github.com/ReactiveX/RxJava/wiki/Plugins
Defined in io/reactivex/Flowable.java
https://github.com/ReactiveX/RxJava/wiki/Plugins
Defined in io/reactivex/Completable.java
https://github.com/ReactiveX/RxJava/wiki/Plugins
Defined in io/reactivex/Maybe.java
https://github.com/ReactiveX/RxJava/wiki/Plugins
Defined in io/reactivex/Observable.java
https://github.com/ReactiveX/RxJava/wiki/Plugins
Defined in io/reactivex/Single.java
https://github.com/ReactiveX/RxJava/wiki/What's-different-in-2.0#error-handling
Defined in io/reactivex/exceptions/UndeliverableException.java
https://github.com/ReactiveX/RxJava/wiki/Error-Handling
Defined in io/reactivex/exceptions/OnErrorNotImplementedException.java
http://www.apache.org/licenses/LICENSE-2.0
Defined in kotlin/reflect/jvm/internal/impl/descriptors/annotations/BuiltInAnnotationDescriptor.java
http://www.gstatic.com/android/hangouts/hangouts_mms_ua_profile.xml
Defined in com/klinker/android/send_message/ApnUtils.java
https://getsession.org/faq/#privacy
Defined in org/thoughtcrime/securesms/onboarding/PNModeActivity.java
https://getsession.org/terms-of-service/
Defined in org/thoughtcrime/securesms/onboarding/RecoveryPhraseRestoreActivity$onCreate$3.java
https://getsession.org/terms-of-service/
Defined in org/thoughtcrime/securesms/onboarding/RegisterActivity$onCreate$4.java
https://getsession.org/privacy-policy/
Defined in org/thoughtcrime/securesms/onboarding/RegisterActivity$onCreate$5.java
https://getsession.org/privacy-policy/
Defined in org/thoughtcrime/securesms/onboarding/RecoveryPhraseRestoreActivity$onCreate$4.java
https://getsession.org/privacy-policy/
Defined in org/thoughtcrime/securesms/backup/BackupRestoreActivity$onCreate$3.java
https://getsession.org/terms-of-service/
Defined in org/thoughtcrime/securesms/backup/BackupRestoreActivity$onCreate$2.java
https://getsession.org/faq/#onion-routing
Defined in org/thoughtcrime/securesms/home/PathActivity.java
https://getsession.org/.
https://getsession.org/faq
https://getsession.org/survey
https://crowdin.com/project/session-android
Defined in org/thoughtcrime/securesms/preferences/SettingsActivity.java
https://getsession.org/.
https://getsession.org/faq
https://getsession.org/survey
https://crowdin.com/project/session-android
Defined in org/thoughtcrime/securesms/preferences/SettingsActivity.java
https://getsession.org/.
https://getsession.org/faq
https://getsession.org/survey
https://crowdin.com/project/session-android
Defined in org/thoughtcrime/securesms/preferences/SettingsActivity.java
https://getsession.org/.
https://getsession.org/faq
https://getsession.org/survey
https://crowdin.com/project/session-android
Defined in org/thoughtcrime/securesms/preferences/SettingsActivity.java
https://api.giphy.com/v1/stickers/trending?api_key=3o6ZsYH6U6Eri53TXy&offset=%d&limit=
https://api.giphy.com/v1/stickers/search?q=cat&api_key=3o6ZsYH6U6Eri53TXy&offset=%d&limit=
Defined in org/thoughtcrime/securesms/giph/net/GiphyStickerLoader.java
https://api.giphy.com/v1/stickers/trending?api_key=3o6ZsYH6U6Eri53TXy&offset=%d&limit=
https://api.giphy.com/v1/stickers/search?q=cat&api_key=3o6ZsYH6U6Eri53TXy&offset=%d&limit=
Defined in org/thoughtcrime/securesms/giph/net/GiphyStickerLoader.java
https://api.giphy.com/v1/gifs/trending?api_key=3o6ZsYH6U6Eri53TXy&offset=%d&limit=
https://api.giphy.com/v1/gifs/search?api_key=3o6ZsYH6U6Eri53TXy&offset=%d&limit=
Defined in org/thoughtcrime/securesms/giph/net/GiphyGifLoader.java
https://api.giphy.com/v1/gifs/trending?api_key=3o6ZsYH6U6Eri53TXy&offset=%d&limit=
https://api.giphy.com/v1/gifs/search?api_key=3o6ZsYH6U6Eri53TXy&offset=%d&limit=
Defined in org/thoughtcrime/securesms/giph/net/GiphyGifLoader.java
http://public.loki.foundation:38157
https://storage.seed1.loki.network:
https://storage.seed3.loki.network:
https://public.loki.foundation:
Defined in org/session/libsession/snode/SnodeAPI$seedNodePool$2.java
http://public.loki.foundation:38157
https://storage.seed1.loki.network:
https://storage.seed3.loki.network:
https://public.loki.foundation:
Defined in org/session/libsession/snode/SnodeAPI$seedNodePool$2.java
http://public.loki.foundation:38157
https://storage.seed1.loki.network:
https://storage.seed3.loki.network:
https://public.loki.foundation:
Defined in org/session/libsession/snode/SnodeAPI$seedNodePool$2.java
http://public.loki.foundation:38157
https://storage.seed1.loki.network:
https://storage.seed3.loki.network:
https://public.loki.foundation:
Defined in org/session/libsession/snode/SnodeAPI$seedNodePool$2.java
http://filev2.getsession.org/files/
Defined in org/session/libsession/utilities/ProfilePictureUtilities$upload$1.java
http://filev2.getsession.org
Defined in org/session/libsession/messaging/file_server/FileServerAPIV2.java
https://live.apns.getsession.org
Defined in org/session/libsession/messaging/sending_receiving/notifications/PushNotificationAPI.java
http://xml.apache.org/xslt}indent-amount
Defined in ezvcard/io/xml/XCardOutputProperties.java
http://apache.org/xml/features/disallow-doctype-decl
http://xml.org/sax/features/external-general-entities
http://xml.org/sax/features/external-parameter-entities
http://apache.org/xml/features/nonvalidating/load-external-dtd
http://javax.xml.XMLConstants/property/accessExternalDTD
http://javax.xml.XMLConstants/property/accessExternalStylesheet
Defined in ezvcard/util/XmlUtils.java
http://apache.org/xml/features/disallow-doctype-decl
http://xml.org/sax/features/external-general-entities
http://xml.org/sax/features/external-parameter-entities
http://apache.org/xml/features/nonvalidating/load-external-dtd
http://javax.xml.XMLConstants/property/accessExternalDTD
http://javax.xml.XMLConstants/property/accessExternalStylesheet
Defined in ezvcard/util/XmlUtils.java
http://apache.org/xml/features/disallow-doctype-decl
http://xml.org/sax/features/external-general-entities
http://xml.org/sax/features/external-parameter-entities
http://apache.org/xml/features/nonvalidating/load-external-dtd
http://javax.xml.XMLConstants/property/accessExternalDTD
http://javax.xml.XMLConstants/property/accessExternalStylesheet
Defined in ezvcard/util/XmlUtils.java
http://apache.org/xml/features/disallow-doctype-decl
http://xml.org/sax/features/external-general-entities
http://xml.org/sax/features/external-parameter-entities
http://apache.org/xml/features/nonvalidating/load-external-dtd
http://javax.xml.XMLConstants/property/accessExternalDTD
http://javax.xml.XMLConstants/property/accessExternalStylesheet
Defined in ezvcard/util/XmlUtils.java
https://loki-5a81e.firebaseio.com
https://github.com/makovkastar/FloatingActionButton
http://dmytrodanylyk.com/
http://dmytrodanylyk.com/pages/portfolio/circular-progress-button.html
https://github.com/dmytrodanylyk/circular-progress-button
https://github.com/vinc3m1
https://github.com/vinc3m1/RoundedImageView
https://github.com/vinc3m1/RoundedImageView.git
Defined in Android String Resource
https://loki-5a81e.firebaseio.com
https://github.com/makovkastar/FloatingActionButton
http://dmytrodanylyk.com/
http://dmytrodanylyk.com/pages/portfolio/circular-progress-button.html
https://github.com/dmytrodanylyk/circular-progress-button
https://github.com/vinc3m1
https://github.com/vinc3m1/RoundedImageView
https://github.com/vinc3m1/RoundedImageView.git
Defined in Android String Resource
https://loki-5a81e.firebaseio.com
https://github.com/makovkastar/FloatingActionButton
http://dmytrodanylyk.com/
http://dmytrodanylyk.com/pages/portfolio/circular-progress-button.html
https://github.com/dmytrodanylyk/circular-progress-button
https://github.com/vinc3m1
https://github.com/vinc3m1/RoundedImageView
https://github.com/vinc3m1/RoundedImageView.git
Defined in Android String Resource
https://loki-5a81e.firebaseio.com
https://github.com/makovkastar/FloatingActionButton
http://dmytrodanylyk.com/
http://dmytrodanylyk.com/pages/portfolio/circular-progress-button.html
https://github.com/dmytrodanylyk/circular-progress-button
https://github.com/vinc3m1
https://github.com/vinc3m1/RoundedImageView
https://github.com/vinc3m1/RoundedImageView.git
Defined in Android String Resource
https://loki-5a81e.firebaseio.com
https://github.com/makovkastar/FloatingActionButton
http://dmytrodanylyk.com/
http://dmytrodanylyk.com/pages/portfolio/circular-progress-button.html
https://github.com/dmytrodanylyk/circular-progress-button
https://github.com/vinc3m1
https://github.com/vinc3m1/RoundedImageView
https://github.com/vinc3m1/RoundedImageView.git
Defined in Android String Resource
https://loki-5a81e.firebaseio.com
https://github.com/makovkastar/FloatingActionButton
http://dmytrodanylyk.com/
http://dmytrodanylyk.com/pages/portfolio/circular-progress-button.html
https://github.com/dmytrodanylyk/circular-progress-button
https://github.com/vinc3m1
https://github.com/vinc3m1/RoundedImageView
https://github.com/vinc3m1/RoundedImageView.git
Defined in Android String Resource
https://loki-5a81e.firebaseio.com
https://github.com/makovkastar/FloatingActionButton
http://dmytrodanylyk.com/
http://dmytrodanylyk.com/pages/portfolio/circular-progress-button.html
https://github.com/dmytrodanylyk/circular-progress-button
https://github.com/vinc3m1
https://github.com/vinc3m1/RoundedImageView
https://github.com/vinc3m1/RoundedImageView.git
Defined in Android String Resource
https://loki-5a81e.firebaseio.com
https://github.com/makovkastar/FloatingActionButton
http://dmytrodanylyk.com/
http://dmytrodanylyk.com/pages/portfolio/circular-progress-button.html
https://github.com/dmytrodanylyk/circular-progress-button
https://github.com/vinc3m1
https://github.com/vinc3m1/RoundedImageView
https://github.com/vinc3m1/RoundedImageView.git
Defined in Android String Resource

Permissions analysis

Information computed with MobSF.

High android.permission.WRITE_EXTERNAL_STORAGE read/modify/delete external storage contents
Allows an application to write to external storage.
High android.permission.CAMERA take pictures and videos
Allows application to take pictures and videos with the camera. This allows the application to collect images that the camera is seeing at any time.
High android.permission.RECORD_AUDIO record audio
Allows application to access the audio record path.
High android.permission.READ_EXTERNAL_STORAGE read external storage contents
Allows an application to read from external storage.
Low android.permission.FOREGROUND_SERVICE Allows a regular application to use Service.startForeground
Low android.permission.USE_FINGERPRINT allow use of fingerprint
This constant was deprecated in API level 28. Applications should request USE_BIOMETRIC instead
Low android.permission.MODIFY_AUDIO_SETTINGS change your audio settings
Allows application to modify global audio settings, such as volume and routing.
Low android.permission.RECEIVE_BOOT_COMPLETED automatically start at boot
Allows an application to start itself as soon as the system has finished booting. This can make it take longer to start the phone and allow the application to slow down the overall phone by always running.
Low android.permission.VIBRATE control vibrator
Allows the application to control the vibrator.
Low android.permission.ACCESS_NETWORK_STATE view network status
Allows an application to view the status of all networks.
Low android.permission.WAKE_LOCK prevent phone from sleeping
Allows an application to prevent the phone from going to sleep.
Low android.permission.INTERNET full Internet access
Allows an application to create network sockets.
Low android.permission.READ_SYNC_SETTINGS read sync settings
Allows an application to read the sync settings, such as whether sync is enabled for Contacts.
Low android.permission.WRITE_SYNC_SETTINGS write sync settings
Allows an application to modify the sync settings, such as whether sync is enabled for Contacts.
Low android.permission.INSTALL_SHORTCUT Allows an application to install a shortcut in Launcher.
Low android.permission.BROADCAST_STICKY send sticky broadcast
Allows an application to send sticky broadcasts, which remain after the broadcast ends. Malicious applications can make the phone slow or unstable by causing it to use too much memory.
Low android.permission.DISABLE_KEYGUARD Allows applications to disable the keyguard if it is not secure.
Low android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS Permission an application must hold in order to use Settings.ACTION_REQUEST_IGNORE_BATTERY_OPTIMIZATIONS.
Medium com.google.android.c2dm.permission.RECEIVE C2DM permissions
Permission for cloud to device messaging.
network.loki.messenger.ACCESS_SESSION_SECRETS Unknown permission
Unknown permission from android reference
com.android.launcher.permission.INSTALL_SHORTCUT Unknown permission
Unknown permission from android reference
android.permission.RAISED_THREAD_PRIORITY Unknown permission
Unknown permission from android reference
com.sec.android.provider.badge.permission.READ Unknown permission
Unknown permission from android reference
com.sec.android.provider.badge.permission.WRITE Unknown permission
Unknown permission from android reference
com.htc.launcher.permission.READ_SETTINGS Unknown permission
Unknown permission from android reference
com.htc.launcher.permission.UPDATE_SHORTCUT Unknown permission
Unknown permission from android reference
com.sonyericsson.home.permission.BROADCAST_BADGE Unknown permission
Unknown permission from android reference
com.sonymobile.home.permission.PROVIDER_INSERT_BADGE Unknown permission
Unknown permission from android reference
com.anddoes.launcher.permission.UPDATE_COUNT Unknown permission
Unknown permission from android reference
com.majeur.launcher.permission.UPDATE_BADGE Unknown permission
Unknown permission from android reference
com.huawei.android.launcher.permission.CHANGE_BADGE Unknown permission
Unknown permission from android reference
com.huawei.android.launcher.permission.READ_SETTINGS Unknown permission
Unknown permission from android reference
com.huawei.android.launcher.permission.WRITE_SETTINGS Unknown permission
Unknown permission from android reference
android.permission.READ_APP_BADGE Unknown permission
Unknown permission from android reference
com.oppo.launcher.permission.READ_SETTINGS Unknown permission
Unknown permission from android reference
com.oppo.launcher.permission.WRITE_SETTINGS Unknown permission
Unknown permission from android reference
me.everything.badger.permission.BADGE_COUNT_READ Unknown permission
Unknown permission from android reference
me.everything.badger.permission.BADGE_COUNT_WRITE Unknown permission
Unknown permission from android reference

Tracking analysis

Information computed with Exodus-core.

Google Firebase Analytics https://reports.exodus-privacy.eu.org/fr/trackers/49

Threat analysis

Information computed with Quark-Engine.

Confidence:
100%
Load external class
Confidence:
100%
Implicit intent(view a web page, make a phone call, etc.)
Confidence:
100%
Find a method from given class name, usually for reflection
Confidence:
100%
Start a web server
Confidence:
100%
Connect to a URL and receive input stream from the server
Confidence:
100%
Method reflection
Confidence:
100%
Connect to a URL and read data from it
Confidence:
100%
Monitor data identified by a given content URI changes(SMS, MMS, etc.)
Confidence:
100%
Create a secure socket connection to the given host address
Confidence:
100%
Load class from given class name
Confidence:
100%
Retrieve data from broadcast
Confidence:
100%
Write the phone number into a file
Confidence:
100%
Read sensitive data(SMS, CALLLOG, etc)
Confidence:
100%
Implicit intent(view a web page, make a phone call, etc.) via setData
Confidence:
100%
Connect to a URL and get the response code
Confidence:
100%
Send notification
Confidence:
100%
Monitor the broadcast action events (BOOT_COMPLETED)
Confidence:
100%
Get Location of the device and append this info to a string
Confidence:
100%
Get absolute path of the file and store in string
Confidence:
100%
Query the IMSI number
Confidence:
100%
Query The ISO country code
Confidence:
100%
Read file from assets directory
Confidence:
100%
Get last known location of the device
Confidence:
100%
Get calendar information
Confidence:
100%
Get the current WIFI information
Confidence:
100%
Deletes media specified by a content URI(SMS, CALL_LOG, File, etc.)
Confidence:
100%
Get location of the device
Confidence:
100%
Check if the given file path exist
Confidence:
100%
Method reflection
Confidence:
100%
Hide the current app's icon
Confidence:
100%
Connect to the remote server through the given URL
Confidence:
100%
Send SMS
Confidence:
100%
Query data from URI (SMS, CALLLOGS)
Confidence:
100%
Query the phone number
Confidence:
100%
Get the time of current location
Confidence:
100%
Initialize class object dynamically
Confidence:
100%
Create a directory
Confidence:
100%
Connect to a URL and set request method
Confidence:
100%
Initialize bitmap object and compress data (e.g. JPEG) into bitmap object
Confidence:
100%
Get specific method from other Dex files
Confidence:
80%
Check if the network is connected
Confidence:
80%
Read data and put it into a buffer stream
Confidence:
80%
Read file and put it into a stream
Confidence:
80%
Open a file from given absolute path of the file
Confidence:
80%
Executes the specified string Linux command
Confidence:
80%
Read the input stream from given URL
Confidence:
80%
Get resource file from res/raw directory

Behavior analysis

Information computed with MobSF.

Android notifications
       me/leolin/shortcutbadger/impl/XiaomiHomeBadger.java
org/thoughtcrime/securesms/notifications/DefaultMessageNotifier.java
org/thoughtcrime/securesms/notifications/PushNotificationService.java
com/bumptech/glide/request/target/NotificationTarget.java
Base64 decode
       org/thoughtcrime/securesms/crypto/AttachmentSecret.java
com/bumptech/glide/load/model/DataUrlLoader.java
org/thoughtcrime/securesms/crypto/KeyStoreHelper.java
Base64 encode
       org/thoughtcrime/securesms/crypto/AttachmentSecret.java
org/thoughtcrime/securesms/crypto/KeyStoreHelper.java
Certificate handling
       org/conscrypt/OpenSSLSocketFactoryImpl.java
org/conscrypt/Platform.java
org/conscrypt/BaseOpenSSLSocketAdapterFactory.java
org/conscrypt/OpenSSLContextImpl.java
org/jsoup/helper/HttpConnection.java
org/conscrypt/Conscrypt.java
Content provider
       org/thoughtcrime/securesms/providers/PartProvider.java
com/klinker/android/send_message/MmsFileProvider.java
org/thoughtcrime/securesms/database/DatabaseContentProviders.java