0/62

Threat

us.spotco.fennec_dos

Mull

Analyzed on 2021-11-04T08:56:31.008159

18

permissions

17

activities

59

services

10

receivers

81

domains

File sums

MD5 ccfe139b2d4bd0846d769f6e7f076e03
SHA1 de9d6b5002f6ad0c1e0cafd8e5c26cb3821190e0
SHA256 d34d31fc2d9047220ad7ebfbe4f8bda034bad3c03cb51b78b359257815a2c395
Size 63.48MB

APKiD

Information computed with APKiD.

/tmp/tmpk8xsj46e!classes.dex
anti_vm
  • Build.FINGERPRINT check
  • Build.MODEL check
  • Build.MANUFACTURER check
  • Build.BOARD check
compiler
  • r8 without marker (suspicious)
/tmp/tmpk8xsj46e!classes2.dex
anti_vm
  • Build.FINGERPRINT check
  • Build.MANUFACTURER check
  • Build.BOARD check
compiler
  • r8 without marker (suspicious)

SSdeep

Information computed with ssdeep.

APK file 1572864:8/Gg6bAhQE6TAo7hUVL1qv5FToj7K67x0w0ByiD5KJe5tRR:8/Gg6bsQE6LliL1GkjL10w0BhDYE3R
Manifest 768:dwky8PA6mgS3SuQ/REmcKE6XPMiSbqNS9QtoT7ao9iw929etynJyAgQAmJpcKmZ1:…
classes.dex 98304:gBaL9X+t0NmRBUwSeLkrozsP6yoS2JGV3B6VvyVLAb+5G2118uNFBapK:g4uxBx…
classes2.dex 49152:ZaG786ZfrStf/Q84UnVJFF4FqbUzq5ABqdFuHeVAcPi:Zae1fcrVJxbOq5fMuAc…

Dexofuzzy

Information computed with Dexofuzzy.

APK file 12288:Hm7VY9Pg11RUSz+57s2ZirEsDcQfHIjYnewHP53rEIk:Hm7VzmwJDcEokPHPpra
classes.dex 12288:Hm7VY9Pg11RUSz+57s2ZirEsDcQfHIjYnew:Hm7VzmwJDcEokL
classes2.dex 3072:TwCJRBW8BPSY0I9m3i7eNl+KCcsDgQVEHni6poELo7V8:TwCrBHP50kReTs0QVEH…

APK details

Information computed with AndroGuard and Pithus.

Package us.spotco.fennec_dos
App name Mull
Version name 93.1.0
Version code 2931000
SDK 21 - 30
UAID dd49074f194ba96e1cd65e0b2d5ead943a3d5481
Signature Signature V1 Signature V2 Signature V3
Frosting Not frosted
Blocks found within V2 signature:
  • 0x7109871a: Unknown
  • 0xf05368c0: Unknown
  • 0x42726577: Verity padding

Certificate details

Information computed with AndroGuard.

MD5 febdc09444354749a2a8eb073cff401f
SHA1 bb54a806eae680f3316612e3b5f78b558aaf11fe
SHA256 ff81f5be56396594eee70fef2832256e15214122e2ba9cedd26005ffd4bcaaa8
Issuer Common Name: FDroid, Organizational Unit: FDroid, Organization: fdroid.org, Locality: ORG, State/Province: ORG, Country: UK
Not before 2021-06-07T06:57:06+00:00
Not after 2048-10-23T06:57:06+00:00

File Analysis

Information computed with MobSF.

Findings Files
Certificate/Key files hardcoded inside the app. assets/publicsuffixes

Manifest analysis

Information computed with MobSF.

High Clear text traffic is Enabled For App[android:usesCleartextTraffic=true]
The app intends to use cleartext network traffic, such as cleartext HTTP, FTP stacks, DownloadManager, and MediaPlayer. The default value for apps that target API level 27 or lower is "true". Apps that target API level 28 or higher default to "false". The key reason for avoiding cleartext traffic is the lack of confidentiality, authenticity, and protections against tampering; a network attacker can eavesdrop on transmitted data and also modify it without being detected.
High Activity-Alias (us.spotco.fennec_dos.App) is not Protected.An intent-filter exists.
An Activity-Alias is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Activity-Alias is explicitly exported.
High Activity (org.mozilla.fenix.HomeActivity) is not Protected.An intent-filter exists.
An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Activity is explicitly exported.
High Activity-Alias (org.mozilla.gecko.LauncherActivity) is not Protected.An intent-filter exists.
An Activity-Alias is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Activity-Alias is explicitly exported.
High Activity-Alias (org.mozilla.gecko.BrowserApp) is not Protected. [android:exported=true]
An Activity-Alias is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Service (org.mozilla.fenix.autofill.AutofillService) is Protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_AUTOFILL_SERVICE [android:exported=true]
A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
High Service (org.mozilla.fenix.customtabs.CustomTabsService) is not Protected. [android:exported=true]
A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Broadcast Receiver (org.mozilla.gecko.search.SearchWidgetProvider) is not Protected.An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported.
High Activity (mozilla.components.feature.pwa.WebAppLauncherActivity) is not Protected. [android:exported=true]
An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Activity (mozilla.telemetry.glean.debug.GleanDebugActivity) is not Protected. [android:exported=true]
An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Activity (androidx.compose.ui.tooling.PreviewActivity) is not Protected. [android:exported=true]
An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Service (androidx.work.impl.background.systemjob.SystemJobService) is Protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true]
A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
High Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) is Protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.DUMP [android:exported=true]
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
High Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) is Protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.DUMP [android:exported=true]
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

Browsable activities

Information computed with MobSF.

org.mozilla.fenix.HomeActivity

Hosts: enable_private_browsing home home_collections install_search_widget make_default_browser open settings settings_accessibility settings_addon_manager settings_delete_browsing_data settings_logins settings_notifications settings_privacy settings_search_engine settings_tracking_protection turn_on_sync urls_bookmarks urls_history

Schemes: fenix://

org.mozilla.fenix.IntentReceiverActivity

Schemes: http:// https://

Mime types: text/html text/plain application/xhtml+xml

Main Activity

Information computed with AndroGuard.

us.spotco.fennec_dos.App

Activities

Information computed with AndroGuard.

org.mozilla.fenix.MigrationDecisionActivity
org.mozilla.fenix.HomeActivity
org.mozilla.fenix.home.mozonline.PrivacyContentDisplayActivity
org.mozilla.fenix.customtabs.ExternalAppBrowserActivity
org.mozilla.fenix.IntentReceiverActivity
org.mozilla.fenix.migration.MigrationProgressActivity
org.mozilla.fenix.crashes.CrashListActivity
org.mozilla.fenix.widget.VoiceSearchActivity
org.mozilla.fenix.settings.account.AuthCustomTabActivity
org.mozilla.fenix.settings.account.AuthIntentReceiverActivity
org.mozilla.fenix.autofill.AutofillUnlockActivity
org.mozilla.fenix.autofill.AutofillConfirmActivity
org.mozilla.fenix.autofill.AutofillSearchActivity
mozilla.components.feature.pwa.WebAppLauncherActivity
mozilla.components.lib.crash.prompt.CrashReporterActivity
mozilla.telemetry.glean.debug.GleanDebugActivity
androidx.compose.ui.tooling.PreviewActivity

Receivers

Information computed with AndroGuard.

org.mozilla.gecko.search.SearchWidgetProvider
androidx.work.impl.utils.ForceStopRunnable$BroadcastReceiver
androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryChargingProxy
androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryNotLowProxy
androidx.work.impl.background.systemalarm.ConstraintProxy$StorageNotLowProxy
androidx.work.impl.background.systemalarm.ConstraintProxy$NetworkStateProxy
androidx.work.impl.background.systemalarm.RescheduleReceiver
androidx.work.impl.background.systemalarm.ConstraintProxyUpdateReceiver
androidx.work.impl.diagnostics.DiagnosticsReceiver
androidx.profileinstaller.ProfileInstallReceiver

Services

Information computed with AndroGuard.

org.mozilla.fenix.MigrationService
org.mozilla.fenix.autofill.AutofillService
org.mozilla.fenix.media.MediaSessionService
org.mozilla.fenix.customtabs.CustomTabsService
org.mozilla.fenix.downloads.DownloadService
org.mozilla.fenix.session.PrivateNotificationService
org.mozilla.fenix.push.FirebasePushService
mozilla.components.feature.addons.update.DefaultAddonUpdater$NotificationHandlerService
mozilla.components.lib.crash.handler.CrashHandlerService
mozilla.components.lib.crash.service.SendCrashReportService
mozilla.components.lib.crash.service.SendCrashTelemetryService
org.mozilla.gecko.process.GeckoChildProcessServices$tab0
org.mozilla.gecko.process.GeckoChildProcessServices$tab1
org.mozilla.gecko.process.GeckoChildProcessServices$tab2
org.mozilla.gecko.process.GeckoChildProcessServices$tab3
org.mozilla.gecko.process.GeckoChildProcessServices$tab4
org.mozilla.gecko.process.GeckoChildProcessServices$tab5
org.mozilla.gecko.process.GeckoChildProcessServices$tab6
org.mozilla.gecko.process.GeckoChildProcessServices$tab7
org.mozilla.gecko.process.GeckoChildProcessServices$tab8
org.mozilla.gecko.process.GeckoChildProcessServices$tab9
org.mozilla.gecko.process.GeckoChildProcessServices$tab10
org.mozilla.gecko.process.GeckoChildProcessServices$tab11
org.mozilla.gecko.process.GeckoChildProcessServices$tab12
org.mozilla.gecko.process.GeckoChildProcessServices$tab13
org.mozilla.gecko.process.GeckoChildProcessServices$tab14
org.mozilla.gecko.process.GeckoChildProcessServices$tab15
org.mozilla.gecko.process.GeckoChildProcessServices$tab16
org.mozilla.gecko.process.GeckoChildProcessServices$tab17
org.mozilla.gecko.process.GeckoChildProcessServices$tab18
org.mozilla.gecko.process.GeckoChildProcessServices$tab19
org.mozilla.gecko.process.GeckoChildProcessServices$tab20
org.mozilla.gecko.process.GeckoChildProcessServices$tab21
org.mozilla.gecko.process.GeckoChildProcessServices$tab22
org.mozilla.gecko.process.GeckoChildProcessServices$tab23
org.mozilla.gecko.process.GeckoChildProcessServices$tab24
org.mozilla.gecko.process.GeckoChildProcessServices$tab25
org.mozilla.gecko.process.GeckoChildProcessServices$tab26
org.mozilla.gecko.process.GeckoChildProcessServices$tab27
org.mozilla.gecko.process.GeckoChildProcessServices$tab28
org.mozilla.gecko.process.GeckoChildProcessServices$tab29
org.mozilla.gecko.process.GeckoChildProcessServices$tab30
org.mozilla.gecko.process.GeckoChildProcessServices$tab31
org.mozilla.gecko.process.GeckoChildProcessServices$tab32
org.mozilla.gecko.process.GeckoChildProcessServices$tab33
org.mozilla.gecko.process.GeckoChildProcessServices$tab34
org.mozilla.gecko.process.GeckoChildProcessServices$tab35
org.mozilla.gecko.process.GeckoChildProcessServices$tab36
org.mozilla.gecko.process.GeckoChildProcessServices$tab37
org.mozilla.gecko.process.GeckoChildProcessServices$tab38
org.mozilla.gecko.process.GeckoChildProcessServices$tab39
org.mozilla.gecko.media.MediaManager
org.mozilla.gecko.process.GeckoChildProcessServices$gmplugin
org.mozilla.gecko.process.GeckoChildProcessServices$socket
org.mozilla.gecko.gfx.SurfaceAllocatorService
androidx.work.impl.background.systemalarm.SystemAlarmService
androidx.work.impl.background.systemjob.SystemJobService
androidx.work.impl.foreground.SystemForegroundService
androidx.room.MultiInstanceInvalidationService

Sample timeline

Oldest file found in APK Jan. 1, 1981, 1:01 a.m.
Latest file found in APK Jan. 1, 1981, 1:01 a.m.
Certificate valid not before June 7, 2021, 6:57 a.m.
First submission on VT Oct. 10, 2021, 8:58 p.m.
Last submission on VT Oct. 10, 2021, 8:58 p.m.
Upload on Pithus Nov. 4, 2021, 8:56 a.m.
Certificate valid not after Oct. 23, 2048, 6:57 a.m.

NIAP analysis

Information computed with MobSF.

FCS_RBG_EXT.1.1 The application invoke platform-provided DRBG functionality for its cryptographic operations.
Random Bit Generation Services
FCS_STO_EXT.1.1 The application does not store any credentials to non-volatile memory.
Storage of Credentials
FCS_CKM_EXT.1.1 The application generate no asymmetric cryptographic keys.
Cryptographic Key Generation Services
FDP_DEC_EXT.1.1 The application has access to ['location', 'network connectivity', 'microphone', 'camera'].
Access to Platform Resources
FDP_DEC_EXT.1.2 The application has access to no sensitive information repositories.
Access to Platform Resources
FDP_NET_EXT.1.1 The application has user/application initiated network communications.
Network Communications
FDP_DAR_EXT.1.1 The application implement functionality to encrypt sensitive data in non-volatile memory.
Encryption Of Sensitive Application Data
FMT_MEC_EXT.1.1 The application invoke the mechanisms recommended by the platform vendor for storing and setting configuration options.
Supported Configuration Mechanism
FTP_DIT_EXT.1.1 The application does encrypt some transmitted data with HTTPS/TLS/SSH between itself and another trusted IT product.
Protection of Data in Transit
FCS_RBG_EXT.2.1
FCS_RBG_EXT.2.2
The application perform all deterministic random bit generation (DRBG) services in accordance with NIST Special Publication 800-90A using Hash_DRBG. The deterministic RBG is seeded by an entropy source that accumulates entropy from a platform-based DRBG and a software-based noise source, with a minimum of 256 bits of entropy at least equal to the greatest security strength (according to NIST SP 800-57) of the keys and hashes that it will generate.
Random Bit Generation from Application
FCS_COP.1.1(1) The application perform encryption/decryption in accordance with a specified cryptographic algorithm AES-CBC (as defined in NIST SP 800-38A) mode or AES-GCM (as defined in NIST SP 800-38D) and cryptographic key sizes 256-bit/128-bit.
Cryptographic Operation - Encryption/Decryption
FCS_COP.1.1(2) The application perform cryptographic hashing services in accordance with a specified cryptographic algorithm SHA-1/SHA-256/SHA-384/SHA-512 and message digest sizes 160/256/384/512 bits.
Cryptographic Operation - Hashing
FCS_HTTPS_EXT.1.3 The application notify the user and not establish the connection or request application authorization to establish the connection if the peer certificate is deemed invalid.
HTTPS Protocol
FIA_X509_EXT.2.1 The application use X.509v3 certificates as defined by RFC 5280 to support authentication for HTTPS , TLS.
X.509 Certificate Authentication
FCS_CKM.1.1(2) The application shall generate symmetric cryptographic keys using a Random Bit Generator as specified in FCS_RBG_EXT.1 and specified cryptographic key sizes 128 bit or 256 bit.
Cryptographic Symmetric Key Generation

Code analysis

Information computed with MobSF.

Low
CVSS:0
This App copies data to clipboard. Sensitive data should not be copied to clipboard as other applications can access it.
MASVS: MSTG-STORAGE-10
Files:
 mozilla/components/feature/pwa/feature/SiteControlsBuilder.java
mozilla/components/feature/contextmenu/ContextMenuCandidate$Companion$createCopyLinkCandidate$2.java
org/mozilla/gecko/Clipboard.java
org/mozilla/fenix/library/bookmarks/DefaultBookmarkController.java
org/mozilla/fenix/library/history/DefaultHistoryController.java
mozilla/components/feature/contextmenu/ContextMenuCandidate$Companion$createCopyEmailAddressCandidate$2.java
mozilla/components/feature/contextmenu/ContextMenuCandidate$Companion$createCopyImageLocationCandidate$2.java
org/mozilla/fenix/library/recentlyclosed/DefaultRecentlyClosedController.java
Low
CVSS:3.9
App can write to App Directory. Sensitive Information should be encrypted.
MASVS: MSTG-STORAGE-14
CWE-276 Incorrect Default Permissions
Files:
 mozilla/components/service/fxa/manager/FxaAccountManager.java
org/mozilla/fenix/settings/advanced/DefaultLocaleSettingsController.java
mozilla/components/support/migration/FennecSettingsMigration.java
mozilla/components/feature/addons/update/DefaultAddonUpdater.java
mozilla/components/support/base/ids/SharedIdsHelper.java
mozilla/components/service/fxa/SharedPrefAccountStorage.java
mozilla/components/lib/dataprotect/SecurePrefsReliabilityExperiment.java
org/mozilla/fenix/widget/VoiceSearchActivity$displaySpeechRecognizer$intentSpeech$1$1.java
org/mozilla/fenix/onboarding/FenixOnboarding.java
mozilla/components/service/location/MozillaLocationService$fetchRegion$2.java
mozilla/components/support/base/utils/SharedPreferencesCache.java
mozilla/components/support/locale/LocaleManager.java
mozilla/components/feature/push/AutoPushFeature.java
org/mozilla/fenix/utils/Settings.java
Low
CVSS:7.5
The App logs information. Sensitive information should never be logged.
MASVS: MSTG-STORAGE-3
CWE-532 Insertion of Sensitive Information into Log File
Files:
 org/mozilla/fenix/FenixApplication.java
org/mozilla/geckoview/GeckoFontScaleListener.java
org/mozilla/fenix/settings/TextPercentageSeekBarPreference$$ExternalSyntheticLambda0.java
mozilla/telemetry/glean/net/PingRequest.java
mozilla/appservices/support/p000native/HelpersKt.java
org/mozilla/geckoview/WebExtension.java
org/mozilla/gecko/media/GeckoMediaDrmBridgeV21.java
org/mozilla/gecko/Clipboard.java
org/mozilla/gecko/GeckoBatteryManager.java
org/mozilla/geckoview/GeckoSession.java
org/mozilla/gecko/process/GeckoServiceChildProcess.java
org/mozilla/gecko/EnterpriseRoots.java
org/mozilla/gecko/media/GeckoHLSDemuxerWrapper.java
org/mozilla/gecko/media/GeckoPlayerFactory.java
org/mozilla/gecko/media/RemoteManager.java
org/mozilla/geckoview/WebPushController$$ExternalSyntheticLambda1.java
org/mozilla/gecko/process/GeckoProcessManager$$ExternalSyntheticLambda2.java
org/mozilla/gecko/mozglue/SharedMemory.java
org/mozilla/gecko/media/MediaManager.java
org/slf4j/helpers/Util.java
org/mozilla/geckoview/PromptController.java
org/mozilla/geckoview/Image.java
org/mozilla/fenix/home/sessioncontrol/viewholders/pocket/PocketStoriesComposablesKt$PocketRecommendations$1$1$1$1.java
org/mozilla/gecko/media/GeckoHlsPlayer.java
org/mozilla/gecko/util/ThreadUtils.java
mozilla/components/lib/crash/CrashReporter$submitReport$2.java
org/mozilla/gecko/process/GeckoProcessManager.java
org/mozilla/fenix/settings/logins/controller/SavedLoginsStorageController.java
org/mozilla/gecko/media/GeckoHLSResourceWrapper.java
mozilla/components/lib/crash/handler/ExceptionHandler.java
org/mozilla/gecko/mozglue/GeckoLoader.java
org/mozilla/geckoview/GeckoRuntimeSettings.java
org/mozilla/geckoview/GeckoRuntime.java
org/mozilla/gecko/media/RemoteMediaDrmBridge.java
org/mozilla/gecko/process/GeckoProcessManager$$ExternalSyntheticLambda1.java
org/mozilla/geckoview/StorageController.java
mozilla/telemetry/glean/debug/GleanDebugActivity.java
mozilla/components/feature/autofill/structure/ParsedStructureKt.java
org/mozilla/gecko/media/Codec.java
mozilla/components/feature/customtabs/AbstractCustomTabsService$validateRelationship$1.java
org/mozilla/gecko/media/GeckoHlsVideoRenderer.java
org/mozilla/gecko/SpeechSynthesisService.java
org/mozilla/geckoview/BasicSelectionActionDelegate.java
com/sun/jna/Native.java
org/mozilla/geckoview/SessionAccessibility.java
org/mozilla/gecko/GeckoScreenOrientation.java
mozilla/telemetry/glean/Dispatchers.java
org/mozilla/gecko/media/GeckoHlsAudioRenderer.java
org/webrtc/videoengine/VideoCaptureAndroid.java
org/mozilla/geckoview/GeckoEditable.java
org/mozilla/gecko/GeckoNetworkManager.java
org/mozilla/geckoview/PanZoomController.java
org/mozilla/gecko/GeckoEditableChild.java
org/mozilla/gecko/gfx/GeckoSurfaceTexture.java
org/mozilla/gecko/CrashHandler.java
mozilla/telemetry/glean/net/HttpURLConnectionUploader.java
org/mozilla/gecko/media/RemoteMediaDrmBridgeStub.java
org/mozilla/gecko/TelemetryUtils.java
mozilla/telemetry/glean/GleanInternalAPI.java
org/mozilla/gecko/GeckoThread.java
mozilla/components/lib/crash/CrashReporter.java
mozilla/telemetry/glean/scheduler/MetricsPingScheduler.java
org/mozilla/geckoview/SessionTextInput.java
org/mozilla/geckoview/GeckoView.java
org/mozilla/geckoview/MediaSession.java
org/mozilla/gecko/media/CodecProxy.java
org/mozilla/gecko/media/MediaDrmProxy.java
org/mozilla/gecko/GeckoAppShell.java
org/mozilla/gecko/media/JellyBeanAsyncCodec.java
org/mozilla/geckoview/CrashReporter.java
org/mozilla/fenix/settings/TextPercentageSeekBarPreference.java
org/mozilla/geckoview/GeckoInputConnection.java
org/mozilla/gecko/GeckoJavaSampler.java
mozilla/components/support/base/log/Log.java
org/mozilla/gecko/media/GeckoHlsRendererBase.java
org/mozilla/gecko/gfx/SurfaceAllocator.java
org/mozilla/gecko/util/HardwareCodecCapabilityUtils.java
org/mozilla/geckoview/WebExtensionController.java
mozilla/appservices/fxaclient/PersistedFirefoxAccount.java
High
CVSS:7.5
The App uses an insecure Random Number Generator.
MASVS: MSTG-CRYPTO-6
CWE-330 Use of Insufficiently Random Values
M5: Insufficient Cryptography
Files:
 kotlin/collections/CollectionsKt___CollectionsKt.java
kotlin/random/FallbackThreadLocalRandom.java
kotlin/collections/EmptyList.java
kotlin/collections/CollectionsKt__ReversedViewsKt.java
org/mozilla/fenix/home/sessioncontrol/SessionControlAdapter.java
kotlin/random/AbstractPlatformRandom.java
kotlin/random/jdk8/PlatformThreadLocalRandom.java
kotlin/random/FallbackThreadLocalRandom$implStorage$1.java
kotlin/collections/ArraysKt___ArraysJvmKt$asList$5.java
kotlin/collections/AbstractList.java
kotlin/collections/RingBuffer.java
org/webrtc/TextureBufferImpl$$ExternalSyntheticLambda0.java
High
CVSS:5.5
App can read/write to External Storage. Any App can read data written to External Storage.
MASVS: MSTG-STORAGE-2
CWE-276 Incorrect Default Permissions
M2: Insecure Data Storage
Files:
 org/mozilla/gecko/mozglue/GeckoLoader.java
mozilla/components/support/utils/DownloadUtils.java
org/mozilla/gecko/GeckoThread.java
mozilla/components/feature/downloads/AbstractFetchDownloadService$performDownload$1.java
mozilla/components/browser/state/state/content/DownloadState.java
High
CVSS:7.4
Files may contain hardcoded sensitive informations like usernames, passwords, keys etc.
MASVS: MSTG-STORAGE-14
CWE-312 Cleartext Storage of Sensitive Information
M9: Reverse Engineering
Files:
 org/mozilla/geckoview/CrashReporter.java
org/mozilla/geckoview/Autocomplete.java
mozilla/telemetry/glean/debug/GleanDebugActivity.java
mozilla/components/support/migration/MigrationResultsStore.java
mozilla/components/feature/downloads/AbstractFetchDownloadService.java
mozilla/components/service/fxa/SyncAuthInfoCache.java
mozilla/components/feature/accounts/push/VerificationDelegate.java
High
CVSS:5.5
App creates temp file. Sensitive information should never be written into a temp file.
MASVS: MSTG-STORAGE-2
CWE-276 Incorrect Default Permissions
M2: Insecure Data Storage
Files:
 mozilla/components/feature/prompts/file/MimeType.java
com/sun/jna/Native.java
High
CVSS:5.9
SHA-1 is a weak hash known to have hash collisions.
MASVS: MSTG-CRYPTO-4
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
M5: Insufficient Cryptography
Files:
 mozilla/components/support/migration/FennecLoginsMigration.java
mozilla/components/browser/icons/utils/IconDiskCacheKt.java
Medium
CVSS:4.3
IP Address disclosure
MASVS: MSTG-CODE-2
CWE-200 Information Exposure
Files:
 mozilla/appservices/fxaclient/Config.java
mozilla/components/feature/accounts/FxaWebChannelFeature.java
High
CVSS:5.9
App uses SQLite Database and execute raw SQL query. Untrusted user input in raw SQL queries can cause SQL Injection. Also sensitive information should be encrypted and written to the database.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
M7: Client Code Quality
Files:
 mozilla/components/support/migration/FennecLoginsMigration.java
Pygal Switzerland: 100 China: 500 Germany: 900 United Kingdom: 100 Hong Kong: 200 Ireland: 100 Netherlands: 200 Sweden: 100 United States: 5100

Map computed by Pithus.

Domains analysis

Information computed with MobSF.

US token.services.mozilla.com 34.214.169.22
DE www.ibm.com 23.45.100.209
CN firefox.com.cn 39.102.151.181
CN jumpluna.58.com 115.159.231.124
push.example.com
US mzl.la 67.199.248.13
US www.eff.org 151.101.12.201
IE www.yahoo.com 87.248.100.215
DE www.conto.com 64.190.62.111
US accounts.stage.mozaws.net 3.220.141.40
DE f-droid.org 148.251.140.42
US www.bing.com 131.253.33.200
US www.example.com 93.184.216.34
US api.accounts.firefox.com 52.41.49.213
DE firefox-android-home-recommendations.getpocket.dev 143.204.98.117
US www.google.pl 142.250.186.99
US location.services.mozilla.com 44.235.94.69
CN accounts.firefox.com.cn 39.107.149.229
CN sync.firefox.com.cn 8.140.173.77
GB www.adibidea.eus 85.159.210.70
DE www.softastur.org 217.160.0.206
speaktome-2.services.mozilla.com
US m.baidu.com 104.193.88.77
US www.dropbox.com 162.125.66.18
US www.ejemplo.com 199.59.242.153
NL www.wikipedia.org 91.198.174.192
US www.ietf.org 104.16.45.99
US www.twitter.com 104.244.42.129
US www.unicode.org 66.34.208.12
US LOCALE.phish-error.mozilla.com 44.236.48.31
US www.w3.org 128.30.52.100
US www.googlemail.com 216.58.212.165
www.esempiu.com
US LOCALE.malware-error.mozilla.com 44.236.72.93
US www.mozilla.org 104.18.164.34
US github.com 140.82.121.4
US firefox.com 44.235.246.155
US www.youtube.com 142.250.185.142
US support.mozilla.org 44.241.0.144
HK mobile.yangkeduo.com 124.156.124.38
allowlisted.example.com
US www.exemple.com 107.180.40.145
identity.mozilla.com
NL www.duckduckgo.com 40.114.177.156
DE www.torproject.org 95.216.163.36
US mozilla.github.io 185.199.111.153
US crash-reports.mozilla.com 52.36.18.64
US sb-ssl.google.com 142.250.74.206
US dxr.mozilla.org 44.236.72.93
US www.gmail.com 142.250.181.229
US accounts.firefox.com 44.230.121.115
US mozilla.cloudflare-dns.com 104.16.248.249
US www.messenger.com 185.60.216.15
US www.google.ba 142.250.185.163
US play.google.com 172.217.16.142
US safebrowsing.googleapis.com 142.250.74.202
US www.yeru.com 52.128.23.153
US services.addons.mozilla.org 35.82.87.100
US crash-stats.mozilla.org 35.160.248.18
US www.googlegroups.com 74.125.206.101
US bugzilla.mozilla.org 35.82.152.176
SE www.eksempel.dk 193.163.102.58
CH www.slf4j.org 83.166.144.67
DE addons.mozilla.org 143.204.98.116
US safebrowsing.google.com 142.250.185.206
www.test.ru
CN api-accounts.firefox.com.cn 39.107.149.229
US www.facebook.com 185.60.216.35
US www.google.com 142.250.185.228
www.ezenpio.com
DE getpocket.com 143.204.98.120
US example.com 93.184.216.34
US stable.dev.lcip.org 52.35.104.172
HK union-click.jd.com 202.77.129.232
US www.g.co 142.250.184.206
US a9.com 99.86.134.32
www.exemplo.gal
US www.webrtc.org 172.217.16.142
DE developer.mozilla.org 143.204.98.77
US developers.google.com 142.250.185.174
US developer.android.com 172.217.16.142

URL analysis

Information computed with MobSF.

https://mozilla.github.io/glean/book/user/general-api.html#initializing-the-glean-sdk
http://localhost:
Defined in mozilla/telemetry/glean/GleanInternalAPI.java
https://accounts.firefox.com
https://stable.dev.lcip.org
https://accounts.stage.mozaws.net
https://accounts.firefox.com.cn
http://127.0.0.1:3030
Defined in mozilla/appservices/fxaclient/Config.java
https://accounts.firefox.com
https://stable.dev.lcip.org
https://accounts.stage.mozaws.net
https://accounts.firefox.com.cn
http://127.0.0.1:3030
Defined in mozilla/appservices/fxaclient/Config.java
https://accounts.firefox.com
https://stable.dev.lcip.org
https://accounts.stage.mozaws.net
https://accounts.firefox.com.cn
http://127.0.0.1:3030
Defined in mozilla/appservices/fxaclient/Config.java
https://accounts.firefox.com
https://stable.dev.lcip.org
https://accounts.stage.mozaws.net
https://accounts.firefox.com.cn
http://127.0.0.1:3030
Defined in mozilla/appservices/fxaclient/Config.java
https://crash-reports.mozilla.com/submit
https://crash-stats.mozilla.org/report/index/
Defined in mozilla/components/lib/crash/service/MozillaSocorroService.java
https://crash-reports.mozilla.com/submit
https://crash-stats.mozilla.org/report/index/
Defined in mozilla/components/lib/crash/service/MozillaSocorroService.java
https://firefox-android-home-recommendations.getpocket.dev/
Defined in mozilla/components/service/pocket/stories/PocketStoriesUseCases.java
https://location.services.mozilla.com/v1/
Defined in mozilla/components/service/location/MozillaLocationService.java
https://identity.mozilla.com/apps/oldsync
Defined in mozilla/components/service/fxa/manager/FxaAccountManager.java
https://identity.mozilla.com/apps/oldsync
Defined in mozilla/components/service/fxa/manager/FxaAccountManager$internalStateSideEffects$result$1.java
https://sync.firefox.com.cn/token/1.0/sync/1.5
https://token.services.mozilla.com/1.0/sync/1.5
https://api-accounts.firefox.com.cn/v1
https://api.accounts.firefox.com/v1
Defined in mozilla/components/support/migration/FennecFxaMigration.java
https://sync.firefox.com.cn/token/1.0/sync/1.5
https://token.services.mozilla.com/1.0/sync/1.5
https://api-accounts.firefox.com.cn/v1
https://api.accounts.firefox.com/v1
Defined in mozilla/components/support/migration/FennecFxaMigration.java
https://sync.firefox.com.cn/token/1.0/sync/1.5
https://token.services.mozilla.com/1.0/sync/1.5
https://api-accounts.firefox.com.cn/v1
https://api.accounts.firefox.com/v1
Defined in mozilla/components/support/migration/FennecFxaMigration.java
https://sync.firefox.com.cn/token/1.0/sync/1.5
https://token.services.mozilla.com/1.0/sync/1.5
https://api-accounts.firefox.com.cn/v1
https://api.accounts.firefox.com/v1
Defined in mozilla/components/support/migration/FennecFxaMigration.java
http://www.mozilla.org/index.html
Defined in mozilla/components/support/utils/Browsers.java
https://github.com/mozilla-mobile/android-components/issues/6832
https://github.com/mozilla-mobile/android-components/issues/403
Defined in mozilla/components/browser/engine/gecko/GeckoEngineSession$createNavigationDelegate$1.java
https://github.com/mozilla-mobile/android-components/issues/6832
https://github.com/mozilla-mobile/android-components/issues/403
Defined in mozilla/components/browser/engine/gecko/GeckoEngineSession$createNavigationDelegate$1.java
https://bugzilla.mozilla.org/show_bug.cgi?id=1672195
https://bugzilla.mozilla.org/show_bug.cgi?id=1671988
https://dxr.mozilla.org/mozilla-central/source/browser/base/content/browser-siteProtections.js
Defined in mozilla/components/browser/engine/gecko/GeckoEngine.java
https://bugzilla.mozilla.org/show_bug.cgi?id=1672195
https://bugzilla.mozilla.org/show_bug.cgi?id=1671988
https://dxr.mozilla.org/mozilla-central/source/browser/base/content/browser-siteProtections.js
Defined in mozilla/components/browser/engine/gecko/GeckoEngine.java
https://bugzilla.mozilla.org/show_bug.cgi?id=1672195
https://bugzilla.mozilla.org/show_bug.cgi?id=1671988
https://dxr.mozilla.org/mozilla-central/source/browser/base/content/browser-siteProtections.js
Defined in mozilla/components/browser/engine/gecko/GeckoEngine.java
http://www.mozilla.org/index.html
https://www.mozilla.org/index.html
Defined in mozilla/components/feature/downloads/DownloadsFeature.java
http://www.mozilla.org/index.html
https://www.mozilla.org/index.html
Defined in mozilla/components/feature/downloads/DownloadsFeature.java
https://accounts.firefox.com/signin
Defined in mozilla/components/feature/accounts/FirefoxAccountsAuthFeature$beginAuthenticationAsync$1.java
https://services.addons.mozilla.org
Defined in mozilla/components/feature/addons/amo/AddonCollectionProvider.java
http://a9.com/-/spec/opensearch/1.1/
http://www.mozilla.org/2006/browser/search/
data:image/png;base64,
Defined in mozilla/components/feature/search/storage/SearchEngineWriter.java
http://a9.com/-/spec/opensearch/1.1/
http://www.mozilla.org/2006/browser/search/
data:image/png;base64,
Defined in mozilla/components/feature/search/storage/SearchEngineWriter.java
https://developer.android.com/topic/libraries/architecture/paging/data
https://developer.android.com/topic/libraries/architecture/paging/ui
Defined in mozilla/components/feature/tab/collections/TabCollectionStorage.java
https://developer.android.com/topic/libraries/architecture/paging/data
https://developer.android.com/topic/libraries/architecture/paging/ui
Defined in mozilla/components/feature/tab/collections/TabCollectionStorage.java
https://getpocket.com/fenix-top-articles',
https://www.wikipedia.org/',
https://www.youtube.com/')
Defined in mozilla/components/feature/top/sites/db/Migrations$migration_2_3$1.java
https://getpocket.com/fenix-top-articles',
https://www.wikipedia.org/',
https://www.youtube.com/')
Defined in mozilla/components/feature/top/sites/db/Migrations$migration_2_3$1.java
https://getpocket.com/fenix-top-articles',
https://www.wikipedia.org/',
https://www.youtube.com/')
Defined in mozilla/components/feature/top/sites/db/Migrations$migration_2_3$1.java
https://getpocket.com/fenix-top-articles',
https://www.wikipedia.org/',
https://www.youtube.com/')
Defined in mozilla/components/feature/top/sites/db/Migrations$migration_1_2$1.java
https://getpocket.com/fenix-top-articles',
https://www.wikipedia.org/',
https://www.youtube.com/')
Defined in mozilla/components/feature/top/sites/db/Migrations$migration_1_2$1.java
https://getpocket.com/fenix-top-articles',
https://www.wikipedia.org/',
https://www.youtube.com/')
Defined in mozilla/components/feature/top/sites/db/Migrations$migration_1_2$1.java
http://www.slf4j.org/codes.html#StaticLoggerBinder
http://www.slf4j.org/codes.html#unsuccessfulInit
http://www.slf4j.org/codes.html#replay
http://www.slf4j.org/codes.html#substituteLogger
http://www.slf4j.org/codes.html#multiple_bindings
http://www.slf4j.org/codes.html#version_mismatch
http://www.slf4j.org/codes.html#loggerNameMismatch
Defined in org/slf4j/LoggerFactory.java
http://www.slf4j.org/codes.html#StaticLoggerBinder
http://www.slf4j.org/codes.html#unsuccessfulInit
http://www.slf4j.org/codes.html#replay
http://www.slf4j.org/codes.html#substituteLogger
http://www.slf4j.org/codes.html#multiple_bindings
http://www.slf4j.org/codes.html#version_mismatch
http://www.slf4j.org/codes.html#loggerNameMismatch
Defined in org/slf4j/LoggerFactory.java
http://www.slf4j.org/codes.html#StaticLoggerBinder
http://www.slf4j.org/codes.html#unsuccessfulInit
http://www.slf4j.org/codes.html#replay
http://www.slf4j.org/codes.html#substituteLogger
http://www.slf4j.org/codes.html#multiple_bindings
http://www.slf4j.org/codes.html#version_mismatch
http://www.slf4j.org/codes.html#loggerNameMismatch
Defined in org/slf4j/LoggerFactory.java
http://www.slf4j.org/codes.html#StaticLoggerBinder
http://www.slf4j.org/codes.html#unsuccessfulInit
http://www.slf4j.org/codes.html#replay
http://www.slf4j.org/codes.html#substituteLogger
http://www.slf4j.org/codes.html#multiple_bindings
http://www.slf4j.org/codes.html#version_mismatch
http://www.slf4j.org/codes.html#loggerNameMismatch
Defined in org/slf4j/LoggerFactory.java
http://www.slf4j.org/codes.html#StaticLoggerBinder
http://www.slf4j.org/codes.html#unsuccessfulInit
http://www.slf4j.org/codes.html#replay
http://www.slf4j.org/codes.html#substituteLogger
http://www.slf4j.org/codes.html#multiple_bindings
http://www.slf4j.org/codes.html#version_mismatch
http://www.slf4j.org/codes.html#loggerNameMismatch
Defined in org/slf4j/LoggerFactory.java
http://www.slf4j.org/codes.html#StaticLoggerBinder
http://www.slf4j.org/codes.html#unsuccessfulInit
http://www.slf4j.org/codes.html#replay
http://www.slf4j.org/codes.html#substituteLogger
http://www.slf4j.org/codes.html#multiple_bindings
http://www.slf4j.org/codes.html#version_mismatch
http://www.slf4j.org/codes.html#loggerNameMismatch
Defined in org/slf4j/LoggerFactory.java
http://www.slf4j.org/codes.html#StaticLoggerBinder
http://www.slf4j.org/codes.html#unsuccessfulInit
http://www.slf4j.org/codes.html#replay
http://www.slf4j.org/codes.html#substituteLogger
http://www.slf4j.org/codes.html#multiple_bindings
http://www.slf4j.org/codes.html#version_mismatch
http://www.slf4j.org/codes.html#loggerNameMismatch
Defined in org/slf4j/LoggerFactory.java
https://addons.mozilla.org
https://addons.mozilla.org/android/downloads/file/(
Defined in org/mozilla/fenix/AppRequestInterceptor.java
https://addons.mozilla.org
https://addons.mozilla.org/android/downloads/file/(
Defined in