Mobile Security

Description

Static analysis of the Android APK revealed hardcoded AWS Access Key ID and Secret Access Key embedded in the application binary (strings.xml and BuildConfig.java). These keys have permissions to access S3 buckets containing customer transaction data.

Recommendation

Remove all hardcoded credentials from the application binary. Implement a secrets management solution (AWS Secrets Manager). Use short-lived, scoped credentials issued at runtime via your backend API.

Description

The OAuth 2.0 bearer token is stored in Android SharedPreferences in cleartext at /data/data/com.client.app/shared_prefs/auth.xml. On a rooted device or via an ADB backup, an attacker can extract this token and authenticate to the backend API as the victim user.

Recommendation

Use Android Keystore system to encrypt sensitive credentials at rest. Use the EncryptedSharedPreferences API (Jetpack Security). Implement token binding to device identifiers.

Description

Certificate pinning is implemented but can be bypassed using Frida instrumentation hooking the SSL_CTX_set_verify function. This allows a man-in-the-middle proxy to intercept all API communications including authentication tokens and account balances.

Recommendation

Implement multi-layer certificate pinning (leaf + intermediate + root). Use TrustKit or Network Security Config. Add Frida and root detection to the application startup checks.

Description

When the application is backgrounded, iOS and Android capture a screenshot of the last visible screen for the app switcher. Account balances, card numbers, and transaction histories are visible in this cached screenshot, accessible to any app with screen capture permissions.

Recommendation

Implement an application overlay (splash screen or blur) on the applicationWillResignActive (iOS) and onPause (Android) lifecycle events to prevent sensitive data capture.