DETOkX
PENETRATION TEST REPORT
Client Name
Web Application
Conclusion Report – 26th March, 2018
This document is intended only for the use of the individual or entity to which it is
addressed and may contain information that is privileged, confidential and exempt from
disclosure under applicable law. If the reader of this disclaimer is not the intended recipient,
you are hereby notified that any dissemination, distribution or copying of this document is
strictly prohibited. If you received this document in error, please notify us immediately by
telephone and return the original document to us at the address below. If you have
received an electronic copy of the document, please remove it immediately after reading
this disclaimer.
Penetration Test Report // “CLIENT NAME” ANDROID APP
CONFIDENTIAL
PRIVATE
Penetration Test Report // “CLIENT NAME” ANDROID APP
PTR – 26th March 2018 3 © DETOkX. All rights reserved 2018
LEGAL NOTICE
This document contains confidential and proprietary information. It is intended for the exclusive
use of “CLIENT NAME”. Unauthorized use or reproduction of this document is prohibited.
This test was conducted by DETOkX security experts. DETOkX assures that the findings in this report are true to the extent that they can be verified via the Internet.
This Vulnerability Assessment & Penetration Test reveals all relevant vulnerabilities known up to
the date of this report. As new vulnerabilities continue to be found and with the introduction of
new security threats, it is suggested that security assessments be conducted after every major
change in the Information System.
DOCUMENT PROPERTIES
Title - Penetration Test Report
Pen-testers - Rinkish Khera
Reviewed By -
Approved By -
Classification - Confidential
VERSION CONTROL
VERSION | DATE | AUTHOR | DESCRIPTION
v1.0 | 24th March, 2018 | DETOkX | Conclusion Report
DISTRIBUTION LIST
NAME | ROLE | CONTACT
PROJECT DEFINITION
The DETOkX team was engaged to test the “Client Name” Android application for security issues in the given scope. The purpose of the test is to determine the level of security of the mobile application's interface.
LIMITATIONS ON DISCLOSURE & USE OF THIS REPORT
This report contains information concerning potential vulnerabilities of “CLIENT NAME”
ANDROID application and methods of exploiting them. DETOkX recommends that special
precautions be taken to protect the confidentiality of both this document and the
information contained herein. DETOkX has retained and secured a copy of the report for
customer reference. All other copies of the report have been delivered to “CLIENT
NAME”. Security assessment is an uncertain process, based upon past experiences,
currently available information, and known threats. It should be understood that all
information systems, which by their nature are dependent on human beings, are vulnerable to
some degree.
Therefore, while DETOkX considers the major security vulnerabilities of the analysed
application to have been identified, there can be no assurance that any exercise of this nature
will identify all possible vulnerabilities or propose exhaustive and operationally viable
recommendations to mitigate those exposures. In addition, the analysis set forth herein is
based on the technologies and known threats as of the date of this report. As technologies and
risks change over time, the vulnerabilities associated with the operation of “CLIENT NAME”'s
systems described in this report, as well as the actions necessary to reduce the exposure to
such vulnerabilities, will also change.
DETOkX makes no undertaking to supplement or update this report on the basis of changed
circumstances or facts of which DETOkX becomes aware after the date hereof, absent a
specific written agreement to perform supplemental or updated analysis.
This report may recommend that “CLIENT NAME” use certain software or hardware products manufactured or maintained by other vendors. DETOkX bases these recommendations upon its prior experience with the capabilities of those products. Nonetheless, DETOkX does not and cannot warrant that a particular product will work as advertised by the vendor, nor that it will operate in the manner intended. This report was prepared by DETOkX for the
LIMITED LIABILITY
The penetration test provides a snapshot of the current security problems of the application/system,
and it is limited in terms of time and personnel. Therefore, we cannot provide a 100% guarantee
that the system will stay secure over time.
TABLE OF CONTENTS
1. EXECUTIVE SUMMARY ... 6
1.1. Summary of Result ... 6
2. ENGAGEMENT DETAILS ... 8
2.1. Test Goal and Objectives [Methodology] ... 8
2.2. Timeline ... 9
2.3. Scope of Testing ... 9
2.4. Statement of Limitations ... 9
TITLE - App Information ... 10
TITLE - Identifying Code Nature ... 10
TITLE - Signer Certificate ... 11
TITLE - Permissions ... 12
TITLE - Manifest Analysis ... 13
TITLE - Activities ... 13
TITLE - Services ... 13
TITLE - Broadcast Receivers ... 14
3.1.1 Test Cases Performed ... 14
3.2. Vulnerabilities Found ... 18
TITLE - Authorization Bearer Doesn’t Expire ... 18
TITLE - Login Brute Force ... 26
TITLE - Code Obfuscation ... 28
TITLE - No SSL Pinning ... 31
3. DETAILED FINDINGS ... 32
3.3. Risk Evaluation ... 32
4. CONCLUSION & RECOMMENDATIONS ... 33
5. APPENDICES AND GLOSSARY ... 34
1. EXECUTIVE SUMMARY
This report holds the results of a mobile application security scan performed on the “CLIENT NAME” ANDROID application. DETOkX provides customized security solutions to support the integrity of your environment. These assessments aim to uncover any security issues in the scanned mobile applications, explain the impact and risks associated with the discovered issues, and provide guidance on prioritization and remediation steps.
DETOkX was provided with the APK file of the application and an overview of the application. This report relates to the testing of the “CLIENT NAME” ANDROID application from the perspective of an authorized attacker.
The test was carried out over the period 06th March 2018 to 15th March 2018. From the results, we have determined the threat level for your organization, which is given below.
THREAT LEVEL: HIGH
The application is exposed to critical vulnerabilities. Malicious users can exploit the existing vulnerabilities and perform hostile operations.
1.1. SUMMARY OF RESULT
Upon performing deep testing on the “CLIENT NAME” ANDROID application, we have found some vulnerabilities that pose a threat to the client's organization. We have summarized the findings based on the severity and the risk posed to the organization. Every vulnerability that we found in the process of the penetration test is explained in detail in this report, together with the location of the vulnerability, impact, summary/root cause of the vulnerability, severity, risk, likelihood, full description, steps to reproduce and proof of concept, followed by a remediation. It is highly recommended to take the findings in this report seriously and fix all of them as soon as you can to stay safe on the open Internet.
The reported findings in this report are prioritized based on the impact and risk associated with the organization. The following table explains the vulnerability criticality classification.
CRITICALITY | DESCRIPTION
Critical | Critical Business Impact - Vulnerabilities like SQL Injections, Remote Code Executions, Command Injections, Local File Inclusions, Server Side Injections fall under this category. CVSS 8.0 and above.
High | High Business Impact - Vulnerabilities like Persistent Cross Site Scripting, Template Injections, Misconfigured CORS, IDORs fall under this category. CVSS 6.0 to 8.0.
Medium | Medium Business Impact - Vulnerabilities like Reflected Cross Site Scripting, few IDORs, application misconfigurations fall under this category. CVSS 4.0 to 6.0.
Low | Low Business Impact - Vulnerabilities like missing HttpOnly flags, misconfigurations, best practices fall under this category. CVSS 4.0 and below.
Informational | Informational - Bugs that don't create a threat directly or indirectly fall under this category.
1.1. VULNERABILITIES OVERVIEW
S No. | VULNERABILITY NAME | RISK | STATUS
01 | AUTHORIZATION BEARER DOESN’T EXPIRE | HIGH | FIXED
02 | LOGIN BRUTE FORCE | MEDIUM | FIXED
03 | CODE OBFUSCATION | LOW | FIXED
04 | NO SSL/CERTIFICATE PINNING | INFO | NOT FIXED
The following graph categorizes the number of findings based on risk.
1.2 CRITICALITY ASSESSMENT
[Bar chart: Number of Findings per criticality level (CRITICAL, HIGH, MEDIUM, LOW, INFO)]
In conclusion, we have identified areas where security policy is not being adhered to; this introduces a risk to the organization, and therefore we must declare the system as insecure.
2. ENGAGEMENT DETAILS
2.1. TEST GOAL AND OBJECTIVES [METHODOLOGY]
The goal of the test is to find possible vulnerabilities related to the mobile application, verify whether they are exploitable, and evaluate their risk, provided that permission to exploit the vulnerability is granted by the client. To complete this goal, the following objectives are defined:
1. DETOkX will create a threat model for the application. The model will include the assets and the threat agents.
2. DETOkX will inspect the application and map its functionality.
3. Based on the application map, DETOkX will create a detailed test plan with scenarios and test cases, which are executed against the target application.
4. The security team will test the mobile application defined in the test scope against the OWASP Mobile Security Project and other industry-accepted testing methodologies.
5. The security team will report the progress of the testing to “CLIENT NAME” periodically.
6. If a vulnerability is found, the security team will verify it after receiving approval from “CLIENT NAME”.
7. The security team will produce a conclusion report, which will contain an assessment of the security of the targeted mobile application, a description of the vulnerabilities and recommendations on how to remediate the issues detected during the test.
8. The security team presents the conclusion report on 24th March 2018.
NOTE
All information obtained during the test will be processed, analyzed and
stored in accordance with the DETOkX security practices and data
handling policy.
2.2. TIMELINE
The following table gives a quick overview of the penetration test timeline.
Test Start Date - 06th March 2018
Test End Date - 15th March 2018
Type of Testing - Mobile Application Penetration Testing
Test Progress - Completed
2.3. SCOPE OF TESTING
IN SCOPE
1. Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
TARGETS
• com.”Client Name”.hcmobile538102
OUT OF SCOPE
1. Anything in conjunction with social engineering aspects.
2. Any attacks/exploits that may cause denial of service.
3. Any services hosted by third-party providers are excluded from scope.
2.4. STATEMENT OF LIMITATIONS
We did not perform certain tests due to the limitations of the SCOPE OF TESTING, which states that no tests should be performed that might crash the central production server or the production environment.
3. DETAILED FINDINGS
3.1. TEST NARRATIVE
INFO - 01
TITLE - App Information
OBJECTIVE - The objective of this phase is to understand the primary background information of
the application in scope.
RESULTS -
For ANDROID
PACKAGE NAME - com.”Client Name”.hcmobile538102
MAIN ACTIVITY - com.”Client Name”.hcmobile538102.”Client Name”App
APP VERSION - 1.1.36
INFO - 02
TITLE - Identifying Code Nature
OBJECTIVE - The objective of this phase is to understand how the code was written and compiled.
RESULTS -
NATIVE - FALSE
DYNAMIC - FALSE
REFLECTION - TRUE
CRYPTO - FALSE
OBFUSCATION - FALSE
INFO - 03
TITLE - Signer Certificate
OBJECTIVE - The objective of this phase is to view the application signer certificate.
RESULTS -
Version: V3
Subject: CN=Harshit Purwar, OU=“Client Name” Technologies, O=“Client Name” Inc, L=Noida, ST=UP, C=91
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key:
Validity: From: Wed Mar 08 17:43:59 IST 2018, To: Sun Jul 24 17:43:59 IST 2044
Issuer: CN=Harshit Purwar, OU=“Client Name” Technologies, O=“Client Name” Inc, L=Noida, ST=UP, C=91
SerialNumber: 1afe24eb
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier: 05 AF 5E DD 21 12 73 AA C4 CC 02 36 F4 EE 75 3B 4C 55 1B D9
Algorithm: [SHA256withRSA]
Signature:
CERTIFICATE STATUS - GOOD
INFO - 04
TITLE - Permissions
OBJECTIVE - The objective of this phase is to understand the application's access to Android permissions.
RESULTS -
PERMISSION | INFO | DESCRIPTION
android.permission.INTERNET | full Internet access | Allows an application to create network sockets.
android.permission.ACCESS_NETWORK_STATE | view network status | Allows an application to view the status of all networks.
android.permission.ACCESS_WIFI_STATE | view Wi-Fi status | Allows an application to view information about the status of Wi-Fi.
INFO - 05
TITLE - Manifest Analysis
OBJECTIVE - The objective of this phase is to understand the root behaviour of the application.
RESULTS -
ISSUE | DESCRIPTION
Application data can be backed up: the [android:allowBackup] flag is missing. | The flag [android:allowBackup] should be set to false. By default it is set to true, which allows anyone to back up your application data via adb; any user who has enabled USB debugging can copy application data off the device.
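A check for the condition described above, added here as an example and not part of this report or the client's build: it parses a manifest and reports android:allowBackup both when it is absent (the platform default is true, so absence is equivalent to opting in) and when it is explicitly true, and checks android:debuggable the same way since the test matrix below covers it. The two manifests are constructed for the example; neither is the client's real manifest, and com.example.hcmobile is a placeholder package name.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for this example (not the client's real manifest).
# It omits android:allowBackup, which is the condition the report flags.
WEAK_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hcmobile">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Example">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""

# The same manifest with the flag set explicitly, as the finding recommends.
HARDENED_MANIFEST = WEAK_MANIFEST.replace(
    '<application android:label="Example">',
    '<application android:label="Example" android:allowBackup="false">')


def _attr(element, name, default=None):
    """Read an android:-namespaced attribute from a manifest element."""
    return element.get("{%s}%s" % (ANDROID_NS, name), default)


def manifest_backup_issues(manifest_xml: str) -> list:
    """Return the backup/debug issues a reviewer would raise for this manifest.

    A missing android:allowBackup is reported as an issue because the
    attribute defaults to true, so leaving it out has the same effect as
    allowing adb backup of the application's data.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return ["manifest has no <application> element"]
    issues = []
    allow_backup = _attr(app, "allowBackup")
    if allow_backup is None:
        issues.append("android:allowBackup missing (defaults to true)")
    elif allow_backup.strip().lower() == "true":
        issues.append('android:allowBackup="true"')
    # The report's test matrix also checks that debug is not left enabled.
    if _attr(app, "debuggable", "false").strip().lower() == "true":
        issues.append('android:debuggable="true"')
    return issues


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, manifest_backup_issues(xml) or ["no issues"])
```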
INFO - 06
TITLE - Activities
OBJECTIVE - The objective of this phase is to analyse the activities of the application.
RESULTS -
com.”Client Name”.hcmobile538102.”Client Name”App
INFO - 07
TITLE - Services
OBJECTIVE - The objective of this phase is to analyse the services created by the application.
RESULTS - None
INFO - 08
TITLE - Broadcast Receivers
OBJECTIVE - The objective of this phase is to analyse the broadcast receivers of the application.
RESULTS – None
3.1.1 TEST CASES PERFORMED
TEST CASES | RESULTS | COMMENT
Hard-coded credentials on source code | PASS
Insecure version of Android OS Installation Allowed | PASS
Cryptographic Based Storage Strength | PASS
Poor key management process | PASS
Use of custom encryption protocols | PASS
Unrestricted Backup file | PASS
Unencrypted Database files | PASS
Insecure Shared Storage | PASS
Insecure Application Data Storage | PASS
Information Disclosure through Logcat | PASS
Application Backgrounding (Screenshot) | PASS
URL Caching (HTTP Request and Response) on cache.db | PASS
Keyboard Press Caching | PASS
Copy/Paste Buffer Caching | PASS
Remember Credentials Functionality (Persistent authentication) | PASS
Client Side Based Authentication Flaws | PASS
Client Side Authorization Breaches | PASS
Insufficient WebView hardening (XSS) | PASS
Reverse Engineering Attacks | FAIL | Vulnerability ID: 03
Account Lockout | PASS
XSS | PASS
Authentication Bypass | PASS
Hard Coded Sensitive Information in Application Code | PASS
Malicious File Upload | PASS
Session Fixation | PASS
Privilege Escalation | PASS
SQL Injection | PASS
Bypassing Second Level Authentication | PASS
LDAP Injection | PASS
OS Command Injection | PASS
Debug is set to TRUE | PASS
Weak Cryptography Implementations | PASS
Cleartext information under SSL Tunnel | PASS
Client Side Validation Bypass | PASS
Invalid SSL Certificate | PASS
CAPTCHA bypasses | PASS
Sensitive information in Application Log Files | PASS
Sensitive information sent as a QueryString Parameter | PASS
URL Modification | PASS
Sensitive information in Memory Dump | PASS
Weak Password Policy | PASS
Back and Refresh attack | PASS
Directory Browsing | PASS
Usage of Persistent Cookies | PASS
Insecure Application Permissions | PASS
Application build contains Obsolete Files | PASS
Private IP Disclosure | PASS
UI Impersonation through JAR file modification | PASS
Cached Cookies or information not cleaned after application removal | PASS
No Certificate Pinning | FAIL | Vulnerability ID: 04
Cleartext password in Response | PASS
Direct Reference to Internal Resource without Authentication | PASS
Improper Session Management | FAIL | Vulnerability ID: 01
Cross Domain Scripting Vulnerability | PASS
Login Brute Force Attack | FAIL | Vulnerability ID: 02
Sensitive Information Disclosure in Error Page | PASS
Application allows HTTP Methods besides GET and POST | PASS
Server Side Request Forgery | PASS
Cacheable HTTPS Responses | PASS
Path Attribute not set on a Cookie | PASS
HttpOnly Attribute not set for a Cookie | PASS
Secure Attribute not set for a Cookie | PASS
Application is Vulnerable to Clickjacking/Tapjacking Attack | PASS
Server/OS Fingerprinting | PASS
3. DETAILED FINDINGS
3.2. VULNERABILITIES FOUND
ID - 01
TITLE - Authorization Bearer Doesn’t Expire
AFFECTED ASSET[S] -
[+] https://phixdev101.demo.hcinternal.net/
IMPACT - HIGH
STATUS - Confirmed/Fixed
RISK - High
LIKELIHOOD - Medium
EASE OF EXPLOIT - Easy
FULL DESCRIPTION – On login, the application generates an authorization token (authorization bearer) which is then used to make authorized requests. However, it was observed that after logout the token remains active for 7 hours, during which an attacker who holds it can still make authorized requests.
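The server-side behaviour this finding calls for, added here as an example that is not part of this report or the client's code: an HS256 JWT of the kind shown in the vulnerable request (with iat and exp claims) is checked for signature and expiry, and the logout handler records the token's digest so the same token is rejected immediately instead of staying usable until exp. The signing key, claim values and timestamps are constructed for the example and use only the Python standard library.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key and in-memory revocation store for this example;
# the application's real key material and session store are not in the report.
SIGNING_KEY = b"example-hs256-key-constructed-for-this-example"
REVOKED_TOKEN_DIGESTS = set()   # SHA-256 digests of bearer tokens revoked at logout


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def issue_token(claims: dict, ttl_seconds: int, now: int) -> str:
    """Mint an HS256 JWT whose 'exp' is ttl_seconds after its 'iat'."""
    header = {"typ": "JWT", "alg": "HS256"}
    body = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, body))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def revoke_token(token: str) -> None:
    """Logout handler: remember the token's digest (an entry can be dropped once its 'exp' passes)."""
    REVOKED_TOKEN_DIGESTS.add(hashlib.sha256(token.encode()).hexdigest())


def verify_token(token: str, now: int) -> dict:
    """Return the claims only if signature, expiry and revocation status all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")      # the token must not choose the algorithm
    expected = hmac.new(SIGNING_KEY, (header_b64 + "." + body_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if hashlib.sha256(token.encode()).hexdigest() in REVOKED_TOKEN_DIGESTS:
        raise ValueError("token revoked at logout")
    return claims


def demo_logout_flow() -> dict:
    """Walk the finding's scenario: one token checked before logout, after logout, after expiry."""
    t0 = 1_520_000_000                       # constructed issue time
    token = issue_token({"sub": "user-example", "tenant": "phixdev101"},
                        ttl_seconds=7 * 3600, now=t0)
    outcome = {"before_logout": verify_token(token, now=t0 + 60)["sub"]}
    revoke_token(token)
    for label, when in (("after_logout", t0 + 60), ("after_expiry", t0 + 8 * 3600)):
        try:
            verify_token(token, now=when)
            outcome[label] = "accepted"      # the behaviour the report describes
        except ValueError as exc:
            outcome[label] = str(exc)
    return outcome


if __name__ == "__main__":
    print(demo_logout_flow())
```

Without the revocation lookup, the "after_logout" check would return "accepted" for the full 7-hour lifetime, which is exactly what was observed against the application.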
VULNERABLE REQUEST -
GET /employee/rest/mobile/secured/coverageDetails HTTP/1.1
Host: phixdev101.demo.hcinternal.net
Connection: close
Accept: application/json, text/plain, */*
Authorization: Bearer
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX21ldGFkYXRhIjp7Im9yZ2FuaXphdGlvbmFsX2lkZ
W50aWZpZXJfdHlwZSI6ImVtcGxveWVyRWluIiwibGFzdCI6ImVwcCIsImJ1c2luZXNzX2lkZW50aWZpZXJfdHl
wZSI6ImVtcGxveWVlQ29kZSIsIm5hbWUiOiJlbXAgZXBwIiwiYnVzaW5lc3NfaWRlbnRpZmllciI6IjhiMGE2M
zA4LWQ5MDQtNDMwMS1iN2I5LTA0MWMyYzU4YTZjMCIsIm9yZ2FuaXphdGlvbmFsX2lkZW50aWZpZXIiOiJhMDR
jYThiNy1mZWFiLTQ4MmYtOGYzNi0yNmE0NDA0ZTkzMmMiLCJmaXJzdCI6ImVtcCIsInRlbmFudCI6InBoaXhkZ XYxMDEifSwiZW1haWwiOiJoYzgzMTFAbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiaXNzIjoiaHR
0cHM6Ly9oY2VudGl2ZS1jcC1kZXYuYXV0aDAuY29tLyIsInN1YiI6ImF1dGgwfDU4YzAxYzA0MmNlZTBmNDEzY
zgxOTYyMCIsImF1ZCI6IlB3ZTFqM2hIMXRQaXdvbWh0TzQ2TFdlYjF0Wm1aN2JVIiwiZXhwIjoxNDkwNjA4NDA
0LCJpYXQiOjE0OTA2MDc4MDR9.Z1uAgUmlXvYDjmbiVcxAz12dHRv4ZnAbq6ZO_zqYf3Y
User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; XT1635-02 Build/MPN24.104-56; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36
Accept-Language: en-US
Cookie: JSESSIONID=F9017593C57FE6C3794056C416676B38
X-Requested-With: com.”Client Name”.hcmobile538102
VULNERABLE RESPONSE -
HTTP/1.1 200 OK
Date: Mon, 27 Mar 2018 09:45:09 GMT
Server: Apache
Cache-Control: no-cache, no-store
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, PUT, GET, OPTIONS, DELETE, PATCH
Access-Control-Max-Age: 3600
Access-Control-Allow-Headers: Authorization, Access-Control-Allow-Headers, Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers
Content-Type: application/json;charset=UTF-8
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self' blob: *.google-analytics.com *.googleapis.com *.auth0.com *.youtube.com *.gstatic.com maps.google.com/mapfiles/ms/icons/blue-dot.png *.liveperson.net *.lpsnmedia.net va.v.liveperson.net hello.myfonts.net *.livechatinc.com 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: blob: *.google-analytics.com *.googleapis.com *.youtube.com *.gstatic.com maps.google.com/mapfiles/ms/icons/blue-dot.png
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Connection: close
Content-Length: 24488
not subject to Federal
taxes."},"gracePeriodToolTip":{"object":null,"toolTipText":null},"taxSaving":{"object"
:null,"toolTipText":null},"usedForDentalOrVision":{"object":null,"toolTipText":null},"
flexibleReimbursement":{"object":null,"toolTipText":null}}}}]},{"productCategory":"FSA ","coverageDetails":[{"coverageSummary":{"planName":"KAISER FSA
ONE","planIdentifier":"e8598a23-4c13-4052-ac45-
f11ca8e8a21f","effectiveDate":"03/16/2018","benefitSummaryType":"CURRENT"},"coverageAd
ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"]},"carrierName":"Kaise
r","carrierContactNumber":null,"planBrochureUrl":null,"planLogoUrl":"https://phixdev10
1.demo.hcinternal.net/staticContent/employee/user-content/N4706/1e370037-3d3e-4d24- 853d-
008b93537e5f_download.jpg","reimbursement":"N/A","runOutPeriod":null,"rollOverAmount": "N/A","gracePeriod":"N/A","disclaimer":null,"annualEmployerContribution":"$1,122","ann
ualEmployeeContribution":"$1,334","guideLink":null,"brochureLink":null,"rollOverOrGrac ePeriod":null,"healthCareReimbursementText":{"object":null,"toolTipText":null},"taxAdv antages":{"object":null,"toolTipText":null},"gracePeriodToolTip":{"object":"Grace
Period","toolTipText":"The money in this account does not roll over at the end of the plan year, but you do have a specified length of time to spend it before it's
lost."},"taxSaving":{"object":"Tax Savings","toolTipText":"The money you set aside in
Penetration Test Report // “CLIENT NAME” ANDROID APP
PTR – 26th March 2018 22 © DETOkX. All rights reserved 2018
this account is not subject to Federal taxes (which means you get to keep more of it), but must be used by a specific date or is
lost."},"usedForDentalOrVision":{"object":null,"toolTipText":null},"flexibleReimbursem ent":{"object":null,"toolTipText":null}}}},{"coverageSummary":{"planName":"KAISER FSA
ONE","planIdentifier":"e8598a23-4c13-4052-ac45- f11ca8e8a21f","effectiveDate":"04/01/2018","benefitSummaryType":"PENDING"},"coverageAd ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"]},"carrierName":"Kaise
r","carrierContactNumber":null,"planBrochureUrl":null,"planLogoUrl":"https://phixdev10 1.demo.hcinternal.net/staticContent/employee/user-content/N4706/1e370037-3d3e-4d24-
853d-
008b93537e5f_download.jpg","reimbursement":"N/A","runOutPeriod":null,"rollOverAmount": "N/A","gracePeriod":"N/A","disclaimer":null,"annualEmployerContribution":"$1,122","ann
ualEmployeeContribution":"$987","guideLink":null,"brochureLink":null,"rollOverOrGraceP
eriod":null,"healthCareReimbursementText":{"object":null,"toolTipText":null},"taxAdvan
tages":{"object":null,"toolTipText":null},"gracePeriodToolTip":{"object":"Grace
Period","toolTipText":"The money in this account does not roll over at the end of the
plan year, but you do have a specified length of time to spend it before it's
lost."},"taxSaving":{"object":"Tax Savings","toolTipText":"The money you set aside in
this account is not subject to Federal taxes (which means you get to keep more of it),
but must be used by a specific date or is
lost."},"usedForDentalOrVision":{"object":null,"toolTipText":null},"flexibleReimbursem
ent":{"object":null,"toolTipText":null}}}}]},{"productCategory":"DCFSA","coverageDetai
ls":[{"coverageSummary":{"planName":"KAISER DCAP ONE","planIdentifier":"8d72d937-52b4- 4c3e-b0ad-
750222c3ef61","effectiveDate":"03/16/2018","benefitSummaryType":"CURRENT"},"coverageAd
ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"]},"carrierName":"Kaise
r","carrierContactNumber":null,"planBrochureUrl":null,"planLogoUrl":"https://phixdev10
1.demo.hcinternal.net/staticContent/employee/user-content/N4706/1e370037-3d3e-4d24-
853d-
008b93537e5f_download.jpg","reimbursement":"N/A","runOutPeriod":null,"rollOverAmount": "N/A","gracePeriod":"N/A","disclaimer":null,"annualEmployerContribution":"$1,121","ann
ualEmployeeContribution":"$3,100","guideLink":null,"brochureLink":null,"rollOverOrGrac
ePeriod":null,"healthCareReimbursementText":{"object":null,"toolTipText":null},"taxAdv
antages":{"object":null,"toolTipText":null},"gracePeriodToolTip":{"object":null,"toolT
ipText":null},"taxSaving":{"object":"Tax Savings","toolTipText":"The money you set
aside in this account is not subject to Federal taxes (which means you get to keep more
of it), but must be used by a specific date or is
lost."},"usedForDentalOrVision":{"object":null,"toolTipText":null},"flexibleReimbursem
ent":{"object":"Flexible reimbursement","toolTipText":"Depending on the amount of your
contributions, your plan provider will reimburse you for submitted dependent care
costs."}}}},{"coverageSummary":{"planName":"KAISER DCAP
ONE","planIdentifier":"8d72d937-52b4-4c3e-b0ad- 750222c3ef61","effectiveDate":"04/01/2018","benefitSummaryType":"PENDING"},"coverageAd
ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"]},"carrierName":"Kaise
r","carrierContactNumber":null,"planBrochureUrl":null,"planLogoUrl":"https://phixdev10
1.demo.hcinternal.net/staticContent/employee/user-content/N4706/1e370037-3d3e-4d24-
853d- 008b93537e5f_download.jpg","reimbursement":"N/A","runOutPeriod":null,"rollOverAmount": "N/A","gracePeriod":"N/A","disclaimer":null,"annualEmployerContribution":"$1,121","ann ualEmployeeContribution":"$2,900","guideLink":null,"brochureLink":null,"rollOverOrGrac
Penetration Test Report // “CLIENT NAME” ANDROID APP
PTR – 26th March 2018 23 © DETOkX. All rights reserved 2018
ePeriod":null,"healthCareReimbursementText":{"object":null,"toolTipText":null},"taxAdv antages":{"object":null,"toolTipText":null},"gracePeriodToolTip":{"object":null,"toolT
ipText":null},"taxSaving":{"object":"Tax Savings","toolTipText":"The money you set aside in this account is not subject to Federal taxes (which means you get to keep more
of it), but must be used by a specific date or is lost."},"usedForDentalOrVision":{"object":null,"toolTipText":null},"flexibleReimbursem ent":{"object":"Flexible reimbursement","toolTipText":"Depending on the amount of your
contributions, your plan provider will reimburse you for submitted dependent care costs."}}}}]},{"productCategory":"dental","coverageDetails":[{"coverageSummary":{"plan
Name":"Dental Composite 1","planIdentifier":"2d192c68-3417-47b5-be1d-
402517408936","effectiveDate":"03/16/2018","benefitSummaryType":"CURRENT"},"coverageAd
ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"],"SPOUSE":["spouse"],"
DEPENDENT":["child"]},"carrierName":"HAP","carrierContactNumber":null,"planBrochureUrl ":"https://ex1.phixqa.hcinternal.net/staticContent/individual/exchange/ex1/logo.png"," planLogoUrl":"https://phixdev101.demo.hcinternal.net/staticContent/employee/user-
content/1876/1b1d18fa-f6a6-4378-b6ba-4d81e419e209_ubuntu- logo14.png","healthPlanBrochureLink":"https://ex1.phixqa.hcinternal.net/staticContent/
individual/exchange/ex1/logo.png","benefitCoverageLink":"https://ex1.phixqa.hcinternal
.net/staticContent/individual/exchange/ex1/logo.png","doctorInNetworkProviderUrl":null ,"planType":"POS","individualDeductible":"N/A","familyDeductible":"N/A","annualBenefit
Maximum":"N/A","deductible":"N/A","orthodontiaMax":"N/A","routineDentalCare":"N/A","ba
sicDentalCare":"N/A","majorDentalCare":"N/A","orthodontia":"N/A"}}},{"coverageSummary" :{"planName":"Dental Plan 12","planIdentifier":"9352d196-0c46-45a6-8006-
8aad2946937b","effectiveDate":"04/01/2018","benefitSummaryType":"PENDING"},"coverageAd
ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"],"SPOUSE":["spouse"],"
DEPENDENT":["childtwo","child"]},"carrierName":"HAP","carrierContactNumber":null,"plan
BrochureUrl":null,"planLogoUrl":"https://phixdev101.demo.hcinternal.net/staticContent/
employee/user-content/1876/1b1d18fa-f6a6-4378-b6ba-4d81e419e209_ubuntu-
logo14.png","healthPlanBrochureLink":null,"benefitCoverageLink":null,"doctorInNetworkP roviderUrl":null,"planType":"PPO","individualDeductible":"N/A","familyDeductible":"N/A
","annualBenefitMaximum":"N/A","deductible":"N/A","orthodontiaMax":"N/A","routineDenta
lCare":"N/A","basicDentalCare":"N/A","majorDentalCare":"N/A","orthodontia":"No
Charge"}}}]},{"productCategory":"vision","coverageDetails":[{"coverageSummary":{"planN
ame":"Composite Plan 1","planIdentifier":"7b81d4b0-3c3b-4ff4-b9cb-
a212afe613f8","effectiveDate":"03/16/2018","benefitSummaryType":"CURRENT"},"coverageAd ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"],"SPOUSE":["spouse"],"
DEPENDENT":["child"]},"carrierName":"HAP","carrierContactNumber":null,"planBrochureUrl
":"https://ex1.phixqa.hcinternal.net/staticContent/individual/exchange/ex1/logo.png","
planLogoUrl":"https://phixdev101.demo.hcinternal.net/staticContent/employee/user-
content/1876/1b1d18fa-f6a6-4378-b6ba-4d81e419e209_ubuntu-
logo14.png","healthPlanBrochureLink":"https://ex1.phixqa.hcinternal.net/staticContent/
individual/exchange/ex1/logo.png","benefitCoverageLink":"https://ex1.phixqa.hcinternal
.net/staticContent/individual/exchange/ex1/logo.png","doctorInNetworkProviderUrl":null ,"planType":null,"individualDeductible":"N/A","familyDeductible":"N/A","visionExaminat
ion":"$20 co-pay","opticalLenses":"$20 co-pay","contactLenses":"Covered up to $130 Annual Allowance; exclusive member mail-in rebates on eligible Bausch & Lomb and ACUVUE
contact lenses.","frames":"Covered up to $150 Annual Allowance; 20% on any amount above
retail allowance","frequency":"N/A","polycarbonateLenses":"Single vision: $31 co-pay
\nMultifocal: $35 co-pay","antiReflectiveLenses":"$41 co- pay","scratchCoatingLenses":"$17 co-pay","standardProgressiveLenses":"$55 co-
Penetration Test Report // “CLIENT NAME” ANDROID APP
PTR – 26th March 2018 24 © DETOkX. All rights reserved 2018
pay","lasikCareProgram":"Discounts average 15%-20% off for laser surgery, including PRK, LASIK and Custom Lasik, where available","photochromic":"Single vision: $70 co-pay
\nMultifocal: $82 co-pay","routineRetinal":"Guaranteed pricing not to exceed $39"}}},{"coverageSummary":{"planName":"Age Plan 1","planIdentifier":"bb5734ad-0819- 4565-a2f0-
4c1f14a8b110","effectiveDate":"04/01/2018","benefitSummaryType":"PENDING"},"coverageAd
ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"],"SPOUSE":["spouse"]," DEPENDENT":["childtwo","child"]},"carrierName":"HAP","carrierContactNumber":null,"plan
BrochureUrl":"https://ex1.phixqa.hcinternal.net/staticContent/individual/exchange/ex1/
logo.png","planLogoUrl":"https://phixdev101.demo.hcinternal.net/staticContent/employee
/user-content/1876/1b1d18fa-f6a6-4378-b6ba-4d81e419e209_ubuntu- logo14.png","healthPlanBrochureLink":"https://ex1.phixqa.hcinternal.net/staticContent/
individual/exchange/ex1/logo.png","benefitCoverageLink":"https://ex1.phixqa.hcinternal
.net/staticContent/individual/exchange/ex1/logo.png","doctorInNetworkProviderUrl":null
,"planType":null,"individualDeductible":"N/A","familyDeductible":"N/A","visionExaminat
ion":"$20 co-pay","opticalLenses":"$20 co-pay","contactLenses":"Covered up to $130
Annual Allowance; exclusive member mail-in rebates on eligible Bausch & Lomb and ACUVUE
contact lenses.","frames":"Covered up to $150 Annual Allowance; 20% on any amount above
retail allowance","frequency":"N/A","polycarbonateLenses":"Single vision: $31 co-pay
\nMultifocal: $35 co-pay","antiReflectiveLenses":"$41 co- pay","scratchCoatingLenses":"$17 co-pay","standardProgressiveLenses":"$55 co-
pay","lasikCareProgram":"Discounts average 15%-20% off for laser surgery, including PRK, LASIK and Custom Lasik, where available","photochromic":"Single vision: $70 co-pay
\nMultifocal: $82 co-pay","routineRetinal":"Guaranteed pricing not to exceed $39"}}}]},{"productCategory":"BASICLIFE","coverageDetails":[{"coverageSummary":{"planN
ame":"Prudential Employee Basic Life $50,000 Plan","planIdentifier":"80ddb219-b638-
4667-99bb-
0d2df35d9813","effectiveDate":"03/15/2018","benefitSummaryType":"CURRENT"},"coverageAd
ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"]},"carrierName":"HAP",
"carrierContactNumber":null,"planBrochureUrl":"http://www.prudential.com/fidelityPEX",
"planLogoUrl":"https://phixdev101.demo.hcinternal.net/staticContent/employee/user-
content/1876/1b1d18fa-f6a6-4378-b6ba-4d81e419e209_ubuntu-
logo14.png","coverageAmounts":{"EMPLOYEE":"$10,000"}}}}]},{"productCategory":"SUPPLEME
NTALLIFE","coverageDetails":[{"coverageSummary":{"planName":"Platinum 50
Supp","planIdentifier":"193fb423-b9de-4548-88f7- 4d7ba2b16d27","effectiveDate":"03/16/2018","benefitSummaryType":"CURRENT"},"coverageAd
ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"],"SPOUSE":["spouse"],"
DEPENDENT":["child"]},"carrierName":"HAP","carrierContactNumber":null,"planBrochureUrl
":"https://ex1.phixqa.hcinternal.net/staticContent/individual/exchange/ex1/logo.png","
planLogoUrl":null,"coverageAmounts":{"EMPLOYEE":"$100,000","SPOUSE":"$10,000","CHILD": "$10,000"}}}},{"coverageSummary":{"planName":"Platinum 50
Supp","planIdentifier":"193fb423-b9de-4548-88f7- 4d7ba2b16d27","effectiveDate":"04/01/2018","benefitSummaryType":"PENDING"},"coverageAd ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"],"SPOUSE":["spouse"],"
DEPENDENT":["childtwo","child"]},"carrierName":"HAP","carrierContactNumber":null,"plan BrochureUrl":"https://ex1.phixqa.hcinternal.net/staticContent/individual/exchange/ex1/
logo.png","planLogoUrl":null,"coverageAmounts":{"EMPLOYEE":"$100,000","SPOUSE":"$5,000 ","CHILD":"$10,000"}}}}]},{"productCategory":"SUPPLEMENTALADD","coverageDetails":[{"co verageSummary":{"planName":"Supp 40 AD&D","planIdentifier":"26d38ee3-bbaa-43f7-a751-
655efe43f69f","effectiveDate":"03/16/2018","benefitSummaryType":"CURRENT"},"coverageAd
Penetration Test Report // “CLIENT NAME” ANDROID APP
PTR – 26th March 2018 25 © DETOkX. All rights reserved 2018
ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"],"SPOUSE":["spouse"]," DEPENDENT":["child"]},"carrierName":"HAP","carrierContactNumber":null,"planBrochureUrl
":"https://ex1.phixqa.hcinternal.net/staticContent/individual/exchange/ex1/logo.png"," planLogoUrl":null,"coverageAmounts":{"EMPLOYEE":"$100,000","SPOUSE":"$50,000","CHILD":
"$5,000"}}}},{"coverageSummary":{"planName":"Supp 40 AD&D","planIdentifier":"26d38ee3- bbaa-43f7-a751- 655efe43f69f","effectiveDate":"04/01/2018","benefitSummaryType":"PENDING"},"coverageAd
ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"],"SPOUSE":["spouse"]," DEPENDENT":["childtwo","child"]},"carrierName":"HAP","carrierContactNumber":null,"plan
BrochureUrl":"https://ex1.phixqa.hcinternal.net/staticContent/individual/exchange/ex1/
logo.png","planLogoUrl":null,"coverageAmounts":{"EMPLOYEE":"$100,000","SPOUSE":"$50,00
0","CHILD":"$5,000"}}}}]},{"productCategory":"STD","coverageDetails":[{"coverageSummar
y":{"planName":"Gaurdian-ER-90001","planIdentifier":"685fd504-31b1-4fc9-85c5- ec25ecc7e65b","effectiveDate":"03/15/2018","benefitSummaryType":"CURRENT"},"coverageAd ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"]},"carrierName":"HAP",
"carrierContactNumber":null,"planBrochureUrl":null,"planLogoUrl":null,"coverageAmounts ":{"EMPLOYEE":"$500 per week"},"benefit":"60.0% up to $500 max","benefitPeriod":"9
Weeks","eliminationPeriod":"07/07/2015"}}}]},{"productCategory":"LTD","coverageDetails
":[{"coverageSummary":{"planName":"EE-LTD 1","planIdentifier":"8441414f-b517-4c75- 9647-
cac275a072c3","effectiveDate":"03/15/2018","benefitSummaryType":"CURRENT"},"coverageAd
ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"]},"carrierName":"HAP",
"carrierContactNumber":null,"planBrochureUrl":"https://ex1.phixqa.hcinternal.net/stati
cContent/individual/exchange/ex1/logo.png","planLogoUrl":null,"coverageAmounts":{"EMPL
OYEE":"$5,000 per month"},"benefit":"$5000","benefitPeriod":"60
Months","eliminationPeriod":"180 Days"}}}]},{"productCategory":"commuter","coverageDetails":[{"coverageSummary":{"planN
ame":"TWCPark","planIdentifier":"7395f936-90f2-45a5-ac6d-
3b8932cdc3d2","effectiveDate":"03/16/2018","benefitSummaryType":"CURRENT"},"coverageAd
ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"]},"carrierName":"HAP",
"carrierContactNumber":null,"planBrochureUrl":null,"planLogoUrl":null,"employeeParking
":"$231","employeeTransit":"$191","employerParking":"$123","employerTransit":"$101"}}}
,{"coverageSummary":{"planName":"TWCPark","planIdentifier":"7395f936-90f2-45a5-ac6d-
3b8932cdc3d2","effectiveDate":"04/01/2018","benefitSummaryType":"PENDING"},"coverageAd
ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"]},"carrierName":"HAP",
"carrierContactNumber":null,"planBrochureUrl":null,"planLogoUrl":null,"employeeParking ":"$300","employeeTransit":"$302","employerParking":"$123","employerTransit":"$101"}}}
]}]
STEPS TO REPRODUCE -
1. Log in to the application.
2. Make any authorized request and intercept the traffic using a proxy tool.
3. Sign out of the application.
4. Replay the same captured request.
MITIGATION – It is highly recommended to invalidate the authorization token immediately after logout.
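One way to implement this mitigation on the API side, added here as an example and not taken from the client's application or from Auth0: the logout endpoint verifies the presented token and records its jti in a server-side denylist until the token's own expiry, and every later request is checked against that list. It assumes the API accepts an HS256-signed JWT of the shape seen in the id_token in this report's responses; the signing key, subjects, jti values and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key; a real deployment loads the tenant's signing secret from a vault.
HS256_KEY = b"constructed-demo-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, ttl_seconds: int, now=None) -> str:
    """Issue an HS256 JWT carrying a unique jti, so one session can be revoked on its own."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    claims = {"sub": subject, "iat": now, "exp": now + ttl_seconds, "jti": secrets.token_urlsafe(16)}
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(HS256_KEY, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(signature)}"


def verify_token(token: str, now: int):
    """Return the claims when signature and expiry check out, otherwise None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never trust "alg" from the token
            return None
        expected = hmac.new(HS256_KEY, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(body_b64))
    except (ValueError, AttributeError, TypeError):
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    if not isinstance(claims.get("jti"), str):
        return None
    return claims


class RevocationStore:
    """Denylist of jti values; each entry lives only until its token would expire anyway."""

    def __init__(self):
        self._revoked = {}  # jti -> exp

    def revoke(self, claims: dict) -> None:
        self._revoked[claims["jti"]] = claims["exp"]

    def is_revoked(self, claims: dict, now: int) -> bool:
        # Purge entries whose token has expired; they can no longer pass verify_token anyway.
        self._revoked = {jti: exp for jti, exp in self._revoked.items() if exp > now}
        return claims["jti"] in self._revoked


def logout(store: RevocationStore, token: str, now=None) -> bool:
    """Logout endpoint: a valid token is denylisted on the server. Returns True when revoked."""
    now = int(time.time()) if now is None else now
    claims = verify_token(token, now)
    if claims is None:
        return False
    store.revoke(claims)
    return True


def authorize(store: RevocationStore, token: str, now=None) -> str:
    """Per-request check the benefit API should run before serving any data."""
    now = int(time.time()) if now is None else now
    claims = verify_token(token, now)
    if claims is None:
        return "rejected: bad signature or expired"
    if store.is_revoked(claims, now):
        return "rejected: revoked at logout"
    return "ok: " + claims["sub"]
```

With this in place, replaying a captured request after sign-out fails at the denylist check, which is exactly the step the finding shows to be missing.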
3. DETAILED FINDINGS // 3.2. VULNERABILITIES FOUND // ID 02
ID - 02
TITLE - Login Brute Force
AFFECTED ASSET[S] -
[+]https://”Client Name”-cp-dev.auth0.com/oauth/ro
IMPACT - Medium
STATUS - Confirmed/Fixed
RISK - Medium
LIKELIHOOD - Medium
EASE OF EXPLOIT - Easy
FULL DESCRIPTION - In cryptography, a brute-force attack consists of an attacker trying many passwords or passphrases in the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. Alternatively, the attacker can attempt to guess the key, which is typically derived from the password using a key derivation function; this is known as an exhaustive key search.
When password guessing, this method is very fast for checking all short passwords, but for longer passwords other methods such as the dictionary attack are used because a brute-force search takes too long. Longer passwords, passphrases and keys have more possible values, making them exponentially more difficult to crack than shorter ones.
It is observed that there is no proper implementation of rate limiting on the login endpoint to protect against login brute-force attacks. An attacker can use this weakness to brute-force a user's login password.
VULNERABLE REQUEST -
POST /oauth/ro HTTP/1.1
Host: “Client Name”-cp-dev.auth0.com
Connection: close
Content-Length: 275
Accept: application/json, text/javascript
Auth0-Client: eyJuYW1lIjoiYXV0aDAuanMiLCJ2ZXJzaW9uIjoiNy42LjEifQ
Origin: file://
User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; XT1635-02 Build/MPN24.104-56; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
X-Requested-With: com.”Client Name”.hcmobile538102

scope=openid+user_metadata+email+offline_access&response_type=token&connection=phixdev101&responseType=token&popup=true&email=hc8311%40mail.com&password=Qwerty@12&device=mobile&sso=true&client_id=Pwe1j3hH1tPiwomhtO46LWeb1tZmZ7bU&username=hc8311%40mail.com&grant_type=password
VULNERABLE RESPONSE -
HTTP/1.1 200 OK
Date: Mon, 27 Mar 2018 10:14:05 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 892
Connection: close
X-Auth0-RequestId: 28fab941afb7a051fc77
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1490695558
Cache-Control: no-cache
Pragma: no-cache
set-cookie: auth0=s%3AN4NFVZ2krwrMMpbSLwmAzNWd4WSQMXcI.ohLllWYyw4mtx2fbrTTZCVbV8FWa7gugiUzdRxsFeOA; Path=/; Expires=Thu, 30 Mar 2018 10:14:05 GMT; HttpOnly; Secure
Strict-Transport-Security: max-age=15724800
X-Robots-Tag: noindex, nofollow, nosnippet, noarchive

{"refresh_token":"kLJ1fVh5B6GLJXtV77RYK74TLtIxlIHMER4VsqlTeFsye","id_token":"eyJ0eXAiO
iJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX21ldGFkYXRhIjp7Im9yZ2FuaXphdGlvbmFsX2lkZW50aWZpZX
JfdHlwZSI6ImVtcGxveWVyRWluIiwibGFzdCI6ImVwcCIsImJ1c2luZXNzX2lkZW50aWZpZXJfdHlwZSI6ImVt
cGxveWVlQ29kZSIsIm5hbWUiOiJlbXAgZXBwIiwiYnVzaW5lc3NfaWRlbnRpZmllciI6IjhiMGE2MzA4LWQ5MD QtNDMwMS1iN2I5LTA0MWMyYzU4YTZjMCIsIm9yZ2FuaXphdGlvbmFsX2lkZW50aWZpZXIiOiJhMDRjYThiNy1m
ZWFiLTQ4MmYtOGYzNi0yNmE0NDA0ZTkzMmMiLCJmaXJzdCI6ImVtcCIsInRlbmFudCI6InBoaXhkZXYxMDEifS
wiZW1haWwiOiJoYzgzMTFAbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiaXNzIjoiaHR0cHM6Ly9o
Y2VudGl2ZS1jcC1kZXYuYXV0aDAuY29tLyIsInN1YiI6ImF1dGgwfDU4YzAxYzA0MmNlZTBmNDEzYzgxOTYyMC
IsImF1ZCI6IlB3ZTFqM2hIMXRQaXdvbWh0TzQ2TFdlYjF0Wm1aN2JVIiwiZXhwIjoxNDkwNjEwMjQ1LCJpYXQi
OjE0OTA2MDk2NDV9.E4ytUwf6_-
Jrr4pkMojxwvhKsnDsHJwRxHwnmXN_Ie4","access_token":"gLZkyBDDeniRjjIT","token_type":"bea
rer"}
STEPS TO REPRODUCE -
1. Navigate to the login screen and fill in the necessary details.
2. Intercept the request and brute force the password parameter.
3. A 200 response code indicates a successful login for the cracked password, and 401 indicates an incorrect password.
POC -
MITIGATION - There are multiple ways to protect against brute-force attacks. We recommend implementing any of the following:
• Rate limiting.
• Lock user accounts after multiple incorrect password attempts.
• Implement a CAPTCHA mechanism.
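An added example of the first two controls (not the client's or Auth0's code): a login wrapper that applies a per-source-address sliding window and a per-account lockout, and emits the same X-RateLimit-* headers seen in the response above but actually stops answering once the budget is spent. The limits, credentials and addresses are constructed.

```python
import collections
import time

# Constructed limits; tune to the tenant's real traffic.
LIMIT_PER_IP = 10          # login attempts one source address gets per window
WINDOW_SECONDS = 60
LOCK_AFTER_FAILURES = 5    # consecutive wrong passwords before an account locks
LOCK_SECONDS = 900


def demo_verify_password(username: str, password: str) -> bool:
    """Stand-in for the real credential check, using constructed demo credentials."""
    return (username, password) == ("user@example.com", "correct horse battery")


class LoginThrottle:
    """Wraps a password check with a per-IP sliding window and a per-account lockout."""

    def __init__(self, verify_password=demo_verify_password):
        self._verify = verify_password
        self._attempts = collections.defaultdict(collections.deque)  # ip -> timestamps
        self._failures = collections.defaultdict(int)                # username -> count
        self._locked_until = {}                                      # username -> time

    def _window(self, ip, now):
        """Forget attempts older than the window and return the live deque for this ip."""
        q = self._attempts[ip]
        while q and q[0] <= now - WINDOW_SECONDS:
            q.popleft()
        return q

    @staticmethod
    def _headers(q):
        # q is never empty here: either it is full (429 path) or an attempt was just appended.
        return {
            "X-RateLimit-Limit": str(LIMIT_PER_IP),
            "X-RateLimit-Remaining": str(max(LIMIT_PER_IP - len(q), 0)),
            "X-RateLimit-Reset": str(int(q[0] + WINDOW_SECONDS)),
        }

    def login(self, username, password, ip, now=None):
        """Handle one attempt; returns (http_status, headers, audit_reason)."""
        now = time.time() if now is None else now
        q = self._window(ip, now)
        if len(q) >= LIMIT_PER_IP:
            headers = self._headers(q)
            headers["Retry-After"] = str(max(int(q[0] + WINDOW_SECONDS) - int(now), 1))
            return 429, headers, "ip window exhausted"
        q.append(now)
        headers = self._headers(q)

        if self._locked_until.get(username, 0) > now:
            # A locked account answers exactly like a wrong password, so the reply
            # does not tell an attacker which usernames exist or are locked.
            return 401, headers, "account locked"

        if self._verify(username, password):
            self._failures.pop(username, None)
            return 200, headers, "success"

        self._failures[username] += 1
        if self._failures[username] >= LOCK_AFTER_FAILURES:
            self._locked_until[username] = now + LOCK_SECONDS
            self._failures.pop(username, None)
            return 401, headers, "account locked"
        return 401, headers, "wrong password"
```

Per-IP limits alone do not stop guessing spread across many addresses; the per-account counter covers that case, and a CAPTCHA challenge would slot in where the lockout fires. The audit reason is what should feed the detection pipeline, since the HTTP reply deliberately stays uniform.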
3. DETAILED FINDINGS // 3.2. VULNERABILITIES FOUND // ID 03
ID - 03
TITLE - Code Obfuscation
AFFECTED ASSET[S] – Application Code
IMPACT - Low
STATUS - Confirmed/Fixed
RISK - Low
LIKELIHOOD - Low
EASE OF EXPLOIT - Easy
FULL DESCRIPTION - The nature of Java (the predominant programming language for Android apps, with the exception of native code) is that the code is not compiled down to machine code; it is compiled to an intermediate format that is ready to be run on a variety of hardware platforms. While this allows great portability, it also leaves the code for Android apps, as present in the APK (Application PacKage file), available for extraction.
It was observed while reverse engineering the application that the application code is not obfuscated, due to which an attacker can reverse engineer the application, read all the Java source and modify it as needed.
POC -
MITIGATION – It is highly recommended to obfuscate the application code to protect against reverse engineering attacks.
3. DETAILED FINDINGS // 3.2. VULNERABILITIES FOUND // ID 04
ID - 04
TITLE - No SSL/Certificate Pinning
AFFECTED ASSET[S] – Application Code
IMPACT - Info
STATUS - Confirmed
RISK - Low
LIKELIHOOD - Low
EASE OF EXPLOIT - Easy
FULL DESCRIPTION - Certificate pinning is an extra layer of security used by applications to ensure that the certificate presented by the remote server is the one that is expected. By including the remote server’s X.509 certificate or public key within the application, it is possible to compare the locally stored certificate or key with the one provided by the remote server. It was observed in the application code that there is no implementation of SSL pinning in the application. Because of this, an attacker who can add a certificate to the device's trust store can compromise the SSL connection, intercept the HTTPS requests and view the sensitive information that is sent over them.
MITIGATION – It is recommended to implement SSL pinning in the application.
3. DETAILED FINDINGS // 3.3. RISK EVALUATION
The overall risk identified to the “CLIENT NAME” ANDROID application as a result of the penetration test is HIGH. There are multiple vulnerabilities in the application, related to session handling and other areas, which can be exploited easily by a malicious user or an attacker. It is reasonable to believe that a malicious entity would be able to successfully execute an attack against “Client Name” Android Application user(s) through targeted attacks and cause damage to “CLIENT NAME” assets.
4. CONCLUSION & RECOMMENDATIONS
CONCLUSION
“Client Name” Android Application suffered a series of defence failures at some of its endpoints, which led to a complete compromise of user assets. These failures would have had a dramatic effect on “CLIENT NAME” operations if a malicious party had exploited them. The specific goals of the penetration test were stated as:
I. Identifying if an attacker could breach “CLIENT NAME” ANDROID Application.
II. Determining the impact of a security breach of confidentiality of the company’s information and
data loss.
These goals of the penetration test were met. A targeted attack against “CLIENT NAME”
ANDROID Application can result in a compromise of organizational assets.
RECOMMENDATIONS
Due to the impact to the overall organization as uncovered by this penetration test, appropriate
resources should be allocated to ensure that remediation efforts are accomplished in a timely
manner. While a comprehensive list of items that should be implemented is beyond the scope of
this engagement, some high-level items are important to mention.
DETOkX recommends the following:
• Expire the authorization token immediately after user logout.
• Implement rate limiting.
• Implement SSL pinning.
• Obfuscate the application code.
5. APPENDICES AND GLOSSARY
GLOSSARY
BLACK BOX PENETRATION TESTING: Type of penetration testing in which an assessor
evaluates security controls by simulating a real attack targeting an application. Black Box techniques
assess the security of individual high-risk compiled components; interactions between components
and interactions between the entire application or application system with its users, other systems
and the external environment.
PENETRATION TESTING: Form of assessment to identify ways of exploiting vulnerabilities to
circumvent or defeat the security features of system components. Penetration testing includes
network and application testing as well as controls and processes around the networks and
applications and occurs from both inside and outside the environment (external testing).