
Page 1: PENETRATION TEST REPORT Client Name

DETOkX

PENETRATION TEST REPORT

Client Name

Web Application

Conclusion Report – 26th March, 2018

This document is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this disclaimer is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this document is strictly prohibited. If you received this document in error, please notify us immediately by telephone and return the original document to us at the address below. If you have received an electronic copy of the document, please remove it immediately after reading this disclaimer.


Penetration Test Report // “CLIENT NAME” ANDROID APP

CONFIDENTIAL

PRIVATE


PTR – 26th March 2018 3 © DETOkX. All rights reserved 2018

LEGAL NOTICE

This document contains confidential and proprietary information. It is intended for the exclusive use of “CLIENT NAME”. Unauthorized use or reproduction of this document is prohibited.

The current test was conducted by DETOkX security experts. DETOkX asserts that the findings in this report are true to the extent that they can be verified via the Internet.

This Vulnerability Assessment & Penetration Test reveals all relevant vulnerabilities known up to the date of this report. As new vulnerabilities continue to be found and new security threats are introduced, it is suggested that security assessments be conducted after every major change to the Information System.

DOCUMENT PROPERTIES

Title - Penetration Test Report
Pen-testers - Rinkish Khera
Reviewed By -
Approved By -
Classification - Confidential

VERSION CONTROL

VERSION | DATE | AUTHOR | DESCRIPTION
v1.0 | 24th March, 2018 | DETOkX | Conclusion Report

DISTRIBUTION LIST

NAME | ROLE | CONTACT


PROJECT DEFINITION

The DETOkX team was engaged to test the “Client Name” Android application for security issues within the given scope. The purpose of the test is to determine the level of security of the mobile application's interface.

LIMITATIONS ON DISCLOSURE & USE OF THIS REPORT

This report contains information concerning potential vulnerabilities of the “CLIENT NAME” ANDROID application and methods of exploiting them. DETOkX recommends that special precautions be taken to protect the confidentiality of both this document and the information contained herein. DETOkX has retained and secured a copy of the report for customer reference. All other copies of the report have been delivered to “CLIENT NAME”. Security assessment is an uncertain process, based upon past experience, currently available information, and known threats. It should be understood that all information systems, which by their nature are dependent on human beings, are vulnerable to some degree.

Therefore, while DETOkX considers the major security vulnerabilities of the analysed application to have been identified, there can be no assurance that any exercise of this nature will identify all possible vulnerabilities or propose exhaustive and operationally viable recommendations to mitigate those exposures. In addition, the analysis set forth herein is based on the technologies and known threats as of the date of this report. As technologies and risks change over time, the vulnerabilities associated with the operation of “CLIENT NAME”'s systems described in this report, as well as the actions necessary to reduce the exposure to such vulnerabilities, will also change.

DETOkX makes no undertaking to supplement or update this report on the basis of changed circumstances or facts of which DETOkX becomes aware after the date hereof, absent a specific written agreement to perform supplemental or updated analysis.

This report may recommend that “CLIENT NAME” use certain software or hardware products manufactured or maintained by other vendors. DETOkX bases these recommendations upon its prior experience with the capabilities of those products. Nonetheless, DETOkX does not and cannot warrant that a particular product will work as advertised by the vendor, nor that it will operate in the manner intended. This report was prepared by DETOkX for the

LIMITED LIABILITY

The penetration test provides a snapshot of the current security problems of the application/system, and it is limited in terms of time and personnel. Therefore, we cannot provide a 100% guarantee that the system will stay secure over time.


TABLE OF CONTENTS

1. EXECUTIVE SUMMARY ... 6
    1.1. Summary of Result ... 6
2. ENGAGEMENT DETAILS ... 8
    2.1. Test Goal and Objectives [Methodology] ... 8
    2.2. Timeline ... 9
    2.3. Scope of Testing ... 9
    2.4. Statement of Limitations ... 9
3. DETAILED FINDINGS ... 10
    3.1. Test Narrative ... 10
        App Information ... 10
        Identifying Code Nature ... 10
        Signer Certificate ... 11
        Permissions ... 12
        Manifest Analysis ... 13
        Activities ... 13
        Services ... 13
        Broadcast Receivers ... 14
        3.1.1 Test cases performed ... 14
    3.2. Vulnerabilities found ... 18
        Authorization Bearer Doesn't Expire ... 18
        Login Brute Force ... 26
        Code Obfuscation ... 28
        No SSL Pinning ... 31
    3.3. Risk Evaluation ... 32
4. CONCLUSION & RECOMMENDATIONS ... 33
5. APPENDICES AND GLOSSARY ... 34


1. EXECUTIVE SUMMARY

This report holds the results of a mobile application security scan performed on the “CLIENT NAME” ANDROID application. DETOkX provides customized security solutions to support the integrity of your environment. These assessments aim to uncover security issues in the scanned mobile applications, explain the impact and risks associated with the discovered issues, and provide guidance on prioritization and remediation.

DETOkX was provided with the APK file of the application and an overview of the application. This report relates to the testing of the “CLIENT NAME” ANDROID application from the perspective of an authorized attacker.

The test was carried out between 06th March 2018 and 15th March 2018. From the results we have determined the threat level for your organization, given below.

THREAT LEVEL: HIGH

The application is exposed to critical vulnerabilities. Malicious users can exploit the existing vulnerabilities and perform hostile operations.

1.1. SUMMARY OF RESULT

Upon performing deep testing on the “CLIENT NAME” ANDROID application, we found several vulnerabilities that pose a threat to the client's organization. We have summarized the findings by severity and by the risk posed to the organization. Every vulnerability found during the penetration test is explained in detail in this report, with the location of the vulnerability, impact, summary/root cause, severity, risk, likelihood, full description, steps to reproduce and proof of concept, followed by a remediation. It is highly recommended to take the findings in this report seriously and fix all of them as soon as possible.

The findings in this report are prioritized based on the impact and risk to the organization. The following table explains the vulnerability criticality classification.

CRITICALITY | DESCRIPTION

Critical | Critical Business Impact - Vulnerabilities like SQL Injection, Remote Code Execution, Command Injection, Local File Inclusion and Server-Side Injection fall under this category. CVSS 8.0 and above.

High | High Business Impact - Vulnerabilities like Persistent Cross-Site Scripting, Template Injection, Misconfigured CORS and IDORs fall under this category. CVSS 6.0 to 8.0.

Medium | Medium Business Impact - Vulnerabilities like Reflected Cross-Site Scripting, some IDORs and application misconfigurations fall under this category. CVSS 4.0 to 6.0.

Low | Low Business Impact - Issues like missing HttpOnly flags, minor misconfigurations and best-practice deviations fall under this category. CVSS 4.0 and below.

Informational | Bugs that don't create a threat directly or indirectly fall under this category.


1.2. VULNERABILITIES OVERVIEW

S No. | VULNERABILITY NAME | RISK | STATUS
01 | AUTHORIZATION BEARER DOESN'T EXPIRE | HIGH | FIXED
02 | LOGIN BRUTE FORCE | MEDIUM | FIXED
03 | CODE OBFUSCATION | LOW | FIXED
04 | NO SSL/CERTIFICATE PINNING | INFO | NOT FIXED

The following graph categorizes the number of findings based on risk.

[Chart: CRITICALITY ASSESSMENT, number of findings per level: CRITICAL 0, HIGH 1, MEDIUM 1, LOW 1, INFO 1]

In conclusion, we have identified areas where security policy is not being adhered to; this introduces a risk to the organization and therefore we must declare the system as insecure.


2. ENGAGEMENT DETAILS

2.1. TEST GOAL AND OBJECTIVES [METHODOLOGY]

The goal of the test is to find possible vulnerabilities in the mobile application, verify whether they are exploitable, and evaluate their risk, provided that permission to exploit a vulnerability is granted by the client. To meet this goal, the following objectives were defined:

1. DETOkX will create a threat model for the application. The model will include the assets and the threat agents.

2. DETOkX will inspect the application and map its functionality.

3. From the application map, DETOkX will create a detailed test plan with scenarios and test cases, which are executed against the target application.

4. The security team will test the mobile application defined in the test scope against the OWASP Mobile Security Project and other industry-accepted testing methodologies.

5. The security team will report the progress of the testing to “CLIENT NAME” periodically.

6. If a vulnerability is found, the security team will verify it after receiving approval from “CLIENT NAME”.

7. The security team will produce a conclusion report containing an assessment of the security of the targeted mobile application, a description of the vulnerabilities, and recommendations on how to remediate the issues detected during the test.

8. The security team presents the conclusion report on 24th March 2018.

NOTE

All information obtained during the test will be processed, analysed and stored in accordance with the DETOkX security practices and data handling policy.


2.2. TIMELINE

The following table gives a quick overview of the penetration test timeline.

Test Start Date: 06th March 2018
Test End Date: 15th March 2018
Type of Testing: Mobile Application Penetration Testing
Test Progress: Completed

2.3. SCOPE OF TESTING

IN SCOPE

1. Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.

TARGETS

• com.”Client Name”.hcmobile538102

OUT OF SCOPE

1. Anything in conjunction with social engineering aspects.

2. Any attacks/exploits that may cause denial of service.

3. Any services hosted by 3rd-party providers.

2.4. STATEMENT OF LIMITATIONS

Certain tests were not performed because the Scope of Testing prohibits any test that might crash the central production server or the production environment.


3. DETAILED FINDINGS

3.1. TEST NARRATIVE

INFO - 01

TITLE - App Information

OBJECTIVE - The objective of this phase is to understand the primary background information of the application in scope.

RESULTS -

For ANDROID

PACKAGE NAME: com.”Client Name”.hcmobile538102
MAIN ACTIVITY: com.”Client Name”.hcmobile538102.”Client Name”App
APP VERSION: 1.1.36

INFO - 02

TITLE - Identifying Code Nature

OBJECTIVE - The objective of this phase is to understand how the code was written and compiled.

RESULTS -

NATIVE: FALSE
DYNAMIC: FALSE
REFLECTION: TRUE
CRYPTO: FALSE
OBFUSCATION: FALSE


INFO - 03

TITLE - Signer Certificate

OBJECTIVE - The objective of this phase is to view the application signer certificate.

RESULTS -

Version: V3
Subject: CN=Harshit Purwar, OU=“Client Name” Technologies, O=“Client Name” Inc, L=Noida, ST=UP, C=91
Issuer: CN=Harshit Purwar, OU=“Client Name” Technologies, O=“Client Name” Inc, L=Noida, ST=UP, C=91
Serial Number: 1afe24eb
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Validity: From Wed Mar 08 17:43:59 IST 2018 to Sun Jul 24 17:43:59 IST 2044

Certificate Extensions: 1
  [1] ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier: 05 AF 5E DD 21 12 73 AA C4 CC 02 36 F4 EE 75 3B 4C 55 1B D9

Signature (SHA256withRSA):
0000: 2B FF D2 A5 E5 29 CB F0 35 2D BE 42 05 52 FB F1
0010: D8 30 BB 1C 46 A7 0C 39 05 B5 18 D6 71 C6 B8 88
0020: 04 37 6C C1 F4 ED 06 64 72 4B 58 66 B8 A0 6A 99
0030: 4C 14 B0 9F 30 C5 16 0F 62 73 EB 8F 22 9C 99 AE
0040: EA 7A B6 DE 6A 89 0F 3C 9D 1E D2 AD F8 ED 2A 63
0050: 1B D0 CF 42 1F 5B 1F 06 B4 98 DD 3A C2 CC BE F8
0060: 13 5D FA B0 C0 C2 CE 0A 82 DA 53 B2 5E F2 65 13
0070: F0 51 5B 8C 9C C5 99 30 80 C1 52 B6 E8 A8 22 01
0080: B5 9C 48 A3 4A AF 48 46 52 7F 08 95 C1 FA 6E 9F
0090: 4C A6 6A 8B E9 45 C5 48 7C 9C 7C F4 F2 25 80 33
00A0: 26 2B 10 EC EC 71 9B B3 64 18 D5 65 61 65 FA 9A
00B0: 5F 18 08 86 55 DE 11 1F E7 6D 0B 82 DD BD E5 F4
00C0: EF 85 98 C8 13 B5 DB 3E 18 95 10 E9 52 B2 94 21
00D0: 79 4F 9C 5F 14 9D B1 52 A2 C2 59 56 4C 66 07 A3
00E0: 5B 3A E1 A5 BA E7 72 D1 5A 6A 15 75 EC C2 D7 D4
00F0: EB F9 4E 8B C2 37 58 CB 2D F3 2F 05 F0 66 5B E9

The certificate is self-signed (Subject and Issuer are identical), which is the normal arrangement for an Android application signing key; the 256-byte signature corresponds to a 2048-bit RSA key, and the validity period extends beyond 22 October 2033, the date Google Play requires a signing certificate to remain valid past.

CERTIFICATE STATUS - GOOD

INFO - 04

TITLE - Permissions

OBJECTIVE - The objective of this phase is to understand the application access to android

permissions.

RESULTS -

PERMISSION | INFO | DESCRIPTION
android.permission.INTERNET | full Internet access | Allows an application to create network sockets.
android.permission.ACCESS_NETWORK_STATE | view network status | Allows an application to view the status of all networks.
android.permission.ACCESS_WIFI_STATE | view Wi-Fi status | Allows an application to view information about the status of Wi-Fi.

INFO - 05

TITLE - Manifest Analysis

OBJECTIVE - The objective of this phase is to understand the root behaviour of the application.

RESULTS –

ISSUE: Application data can be backed up; the [android:allowBackup] flag is missing.

DESCRIPTION: The flag [android:allowBackup] should be set to false. By default it is set to true, which allows anyone to back up your application data via adb: a user who has enabled USB debugging can copy application data off the device.


INFO - 06

TITLE - Activities

OBJECTIVE - The objective of this phase is to analyse the activities of the application.

RESULTS -

com.”Client Name”.hcmobile538102.”Client Name”App


INFO - 07

TITLE - Services

OBJECTIVE - The objective of this phase is to analyse the services created by the application.

RESULTS - None


INFO - 08

TITLE - Broadcast Receivers

OBJECTIVE - The objective of this phase is to analyse the broadcast receivers of the application.

RESULTS – None
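The allowBackup check in INFO-05 and the component review in INFO-06 to INFO-08 are easy to script against the decoded manifest. The following is an added example, not code from the DETOkX report or from the client application: it parses constructed sample manifests (the package com.example.hcmobile and the component names are placeholders, and the third sample is invented solely to exercise the debuggable and exported-component checks) and returns the findings a reviewer would raise. The adb command in the comment is the one the finding's description refers to.

```python
"""Audit an AndroidManifest.xml for the flags reviewed in INFO-05 to INFO-08:
allowBackup, debuggable, and components exported without a permission.
Added example; not code from the DETOkX report or the client application."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _manifest(app_attrs: str, extra_components: str = "") -> str:
    """Build a constructed sample manifest. Package and component names are
    placeholders, not the client's."""
    return f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.hcmobile">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Example"{app_attrs}>
    <activity android:name=".ExampleApp">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>{extra_components}
  </application>
</manifest>"""


# Mirrors the finding: no android:allowBackup attribute at all.
MANIFEST_AS_FOUND = _manifest("")
# The remediation the finding asks for.
MANIFEST_HARDENED = _manifest(' android:allowBackup="false"')
# Constructed debug-style build with extra exposure, to show the other checks.
MANIFEST_DEBUG_BUILD = _manifest(
    ' android:allowBackup="true" android:debuggable="true"',
    '\n    <service android:name=".SyncService" android:exported="true"/>'
    '\n    <receiver android:name=".BootReceiver"><intent-filter>'
    '<action android:name="android.intent.action.BOOT_COMPLETED"/>'
    '</intent-filter></receiver>',
)


def _attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _flag(elem, name, default):
    value = _attr(elem, name)
    return default if value is None else value.strip().lower() == "true"


def _is_launcher(component):
    """The MAIN/LAUNCHER activity has to be exported; do not report it."""
    for f in component.findall("intent-filter"):
        actions = {_attr(a, "name") for a in f.findall("action")}
        categories = {_attr(c, "name") for c in f.findall("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in categories):
            return True
    return False


def audit_manifest(xml_text: str):
    """Return a list of (code, message) findings, in document order."""
    app = ET.fromstring(xml_text).find("application")
    findings = []

    # allowBackup defaults to true. Left unset, anyone with adb access to a
    # device that has USB debugging enabled can run
    #   adb backup -f app.ab -noapk com.example.hcmobile
    # and read the app's private data. (Android 12 stopped adb backup from
    # exporting app data for apps targeting API 31+, but older devices and
    # lower targetSdkVersions remain exposed.)
    backup = _attr(app, "allowBackup")
    if backup is None:
        findings.append(("ALLOW_BACKUP_DEFAULT",
                         "android:allowBackup is absent and defaults to true"))
    elif _flag(app, "allowBackup", True):
        findings.append(("ALLOW_BACKUP_TRUE", "android:allowBackup is explicitly true"))

    if _flag(app, "debuggable", False):
        findings.append(("DEBUGGABLE", "android:debuggable is true in a shipped build"))

    for comp in app:
        if comp.tag not in ("activity", "activity-alias", "service", "receiver", "provider"):
            continue
        # Without an explicit android:exported, a component that declares an
        # intent-filter is exported (the pre-API-31 default; API 31+ refuses
        # to install when the attribute is omitted on such components).
        exported = _flag(comp, "exported", default=comp.find("intent-filter") is not None)
        if exported and not _is_launcher(comp) and _attr(comp, "permission") is None:
            findings.append(("EXPORTED_NO_PERMISSION",
                             f"{comp.tag} {_attr(comp, 'name')} is exported without android:permission"))
    return findings


if __name__ == "__main__":
    for label, text in (("as found", MANIFEST_AS_FOUND), ("hardened", MANIFEST_HARDENED)):
        print(label, audit_manifest(text) or "no findings")
```

Run against the manifest as found, the only finding is the missing allowBackup attribute; the hardened manifest produces none. The exported-component rule deliberately spares the launcher activity, since that one must be reachable from the home screen, and reports everything else that is exported without an android:permission guard.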

3.1.1 TEST CASES PERFORMED

TEST CASE | RESULT | COMMENT

Hard-coded credentials on source code | PASS
Insecure version of Android OS Installation Allowed | PASS
Cryptographic Based Storage Strength | PASS
Poor key management process | PASS
Use of custom encryption protocols | PASS
Unrestricted Backup file | PASS
Unencrypted Database files | PASS
Insecure Shared Storage | PASS
Insecure Application Data Storage | PASS
Information Disclosure through Logcat | PASS
Application Backgrounding (Screenshot) | PASS
URL Caching (HTTP Request and Response) on cache.db | PASS
Keyboard Press Caching | PASS
Copy/Paste Buffer Caching | PASS
Remember Credentials Functionality (Persistent authentication) | PASS
Client Side Based Authentication Flaws | PASS
Client Side Authorization Breaches | PASS
Insufficient WebView hardening (XSS) | PASS
Reverse Engineering Attacks | FAIL | Vulnerability ID: 03
Account Lockout | PASS
XSS | PASS
Authentication Bypass | PASS
Hard Coded Sensitive Information in Application Code | PASS
Malicious File Upload | PASS
Session Fixation | PASS
Privilege Escalation | PASS
SQL Injection | PASS
Bypassing Second Level Authentication | PASS
LDAP Injection | PASS
OS Command Injection | PASS
Debug is set to TRUE | PASS
Weak Cryptography Implementations | PASS
Cleartext information under SSL Tunnel | PASS
Client Side Validation Bypass | PASS
Invalid SSL Certificate | PASS
CAPTCHA bypasses | PASS
Sensitive information in Application Log Files | PASS
Sensitive information sent as a QueryString Parameter | PASS
URL Modification | PASS
Sensitive information in Memory Dump | PASS
Weak Password Policy | PASS
Back and Refresh attack | PASS
Directory Browsing | PASS
Usage of Persistent Cookies | PASS
Insecure Application Permissions | PASS
Application build contains Obsolete Files | PASS
Private IP Disclosure | PASS
UI Impersonation through JAR file modification | PASS
Cached Cookies or information not cleaned after application removal | PASS
No Certificate Pinning | FAIL | Vulnerability ID: 04
Cleartext password in Response | PASS
Direct Reference to Internal Resource without Authentication | PASS
Improper Session Management | FAIL | Vulnerability ID: 01
Cross Domain Scripting Vulnerability | PASS
Login Brute Force Attack | FAIL | Vulnerability ID: 02
Sensitive Information Disclosure in Error Page | PASS
Application allows HTTP Methods besides GET and POST | PASS
Server Side Request Forgery | PASS
Cacheable HTTPS Responses | PASS
Path Attribute not set on a Cookie | PASS
HttpOnly Attribute not set for a Cookie | PASS
Secure Attribute not set for a Cookie | PASS
Application is Vulnerable to Clickjacking/Tapjacking Attack | PASS
Server/OS Fingerprinting | PASS


3.2. VULNERABILITIES FOUND

ID - 01

TITLE - Authorization Bearer Doesn’t Expire

AFFECTED ASSET[S] -

[+] https://phixdev101.demo.hcinternal.net/

IMPACT - HIGH

STATUS - Confirmed/Fixed

RISK - High

LIKELIHOOD - Medium

EASE OF EXPLOIT - Easy

FULL DESCRIPTION – On login, the application generates an authorization token (authorization bearer) which is then used to make authorized requests. It was observed that after logout this token remains active for 7 hours, during which an attacker in possession of it can continue to make authorized requests.
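The bearer value in the request below is a JWT, so its header and claims can be read without the signing key. The following is an added example, not code from the DETOkX report or from the client's backend: it decodes the captured token (the report's line wraps removed), computes the lifetime the token itself claims, and models the server-side handling a fix needs, namely enforcing exp and remembering logged-out tokens until they expire. The ResourceServer class and the secret used to mint test tokens are assumptions for illustration; the real signing key is not known, so the captured token's signature cannot be verified here.

```python
"""Read the claims of the bearer token captured below and model the server-side
checks (expiry plus logout revocation) that the finding calls for.
Added example; not code from the DETOkX report or the client application."""
import base64
import hashlib
import hmac
import json

# The Authorization: Bearer value from the vulnerable request, with the
# report's line wraps removed. Header and claims are readable without the
# signing key; the signature is not verifiable here because that key is unknown.
CAPTURED_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJ1c2VyX21ldGFkYXRhIjp7Im9yZ2FuaXphdGlvbmFsX2lkZ"
    "W50aWZpZXJfdHlwZSI6ImVtcGxveWVyRWluIiwibGFzdCI6ImVwcCIsImJ1c2luZXNzX2lkZW50aWZpZXJfdHl"
    "wZSI6ImVtcGxveWVlQ29kZSIsIm5hbWUiOiJlbXAgZXBwIiwiYnVzaW5lc3NfaWRlbnRpZmllciI6IjhiMGE2M"
    "zA4LWQ5MDQtNDMwMS1iN2I5LTA0MWMyYzU4YTZjMCIsIm9yZ2FuaXphdGlvbmFsX2lkZW50aWZpZXIiOiJhMDR"
    "jYThiNy1mZWFiLTQ4MmYtOGYzNi0yNmE0NDA0ZTkzMmMiLCJmaXJzdCI6ImVtcCIsInRlbmFudCI6InBoaXhkZ"
    "XYxMDEifSwiZW1haWwiOiJoYzgzMTFAbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiaXNzIjoiaHR"
    "0cHM6Ly9oY2VudGl2ZS1jcC1kZXYuYXV0aDAuY29tLyIsInN1YiI6ImF1dGgwfDU4YzAxYzA0MmNlZTBmNDEzY"
    "zgxOTYyMCIsImF1ZCI6IlB3ZTFqM2hIMXRQaXdvbWh0TzQ2TFdlYjF0Wm1aN2JVIiwiZXhwIjoxNDkwNjA4NDA"
    "0LCJpYXQiOjE0OTA2MDc4MDR9."
    "Z1uAgUmlXvYDjmbiVcxAz12dHRv4ZnAbq6ZO_zqYf3Y"
)


def b64url_decode(segment: str) -> bytes:
    """JWT segments are unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token: str):
    """Return (header, claims) without checking the signature. Enough for a
    tester to read alg/exp/iat; never enough for a server to trust the token."""
    header_b64, claims_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(claims_b64))


def lifetime_seconds(claims: dict) -> int:
    """Seconds between issue and expiry as stated by the token itself."""
    return claims["exp"] - claims["iat"]


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Build an HS256 token; used only to construct test tokens under a
    secret we control (illustrative assumption, not the real key)."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


class ResourceServer:
    """Illustrative server-side acceptance logic (assumption, not the client's
    code). A JWT is stateless, so 'logout' means nothing unless the server
    remembers it: a revocation set keyed on the signature does that, and exp
    bounds how long each entry must be kept."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._revoked = {}  # signature segment -> exp, pruned once expired

    def _verify(self, token: str):
        try:
            header_b64, body_b64, sig_b64 = token.split(".")
            header = json.loads(b64url_decode(header_b64))
            if header.get("alg") != "HS256":  # pin the algorithm; never honour the token's choice
                return None
            expected = hmac.new(self._secret, f"{header_b64}.{body_b64}".encode("ascii"),
                                hashlib.sha256).digest()
            if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
                return None
            return json.loads(b64url_decode(body_b64))
        except ValueError:  # malformed base64/JSON or wrong segment count
            return None

    def authorize(self, token: str, now: int) -> str:
        """Return 'ok' or the reason the token was refused."""
        claims = self._verify(token)
        if claims is None:
            return "bad signature"
        exp = claims.get("exp")
        if exp is None or now >= exp:  # a token without exp is never accepted
            return "expired"
        if token.rsplit(".", 1)[1] in self._revoked:
            return "revoked"
        return "ok"

    def logout(self, token: str, now: int) -> None:
        """Record the token so it is refused until it would have expired anyway."""
        claims = self._verify(token)
        if claims is not None and now < claims.get("exp", 0):
            self._revoked[token.rsplit(".", 1)[1]] = claims["exp"]
        self._revoked = {s: e for s, e in self._revoked.items() if e > now}


if __name__ == "__main__":
    header, claims = decode_unverified(CAPTURED_TOKEN)
    print(header["alg"], claims["iss"], claims["sub"], "lifetime:", lifetime_seconds(claims), "s")
```

Decoding the captured token shows an HS256 token issued by an Auth0 tenant whose exp claim is 600 seconds after its iat. The token itself therefore does not claim a seven-hour lifetime; only the server's validation decides whether a presented token is accepted, and that acceptance is what the seven-hour observation in the finding measures. Reading claims without verifying the signature is fine for a tester but is never a substitute for verification on the server, which is why ResourceServer rejects the captured token outright: it was not signed with the server's key.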

VULNERABLE REQUEST -

GET /employee/rest/mobile/secured/coverageDetails HTTP/1.1
Host: phixdev101.demo.hcinternal.net
Connection: close
Accept: application/json, text/plain, */*
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX21ldGFkYXRhIjp7Im9yZ2FuaXphdGlvbmFsX2lkZW50aWZpZXJfdHlwZSI6ImVtcGxveWVyRWluIiwibGFzdCI6ImVwcCIsImJ1c2luZXNzX2lkZW50aWZpZXJfdHlwZSI6ImVtcGxveWVlQ29kZSIsIm5hbWUiOiJlbXAgZXBwIiwiYnVzaW5lc3NfaWRlbnRpZmllciI6IjhiMGE2MzA4LWQ5MDQtNDMwMS1iN2I5LTA0MWMyYzU4YTZjMCIsIm9yZ2FuaXphdGlvbmFsX2lkZW50aWZpZXIiOiJhMDRjYThiNy1mZWFiLTQ4MmYtOGYzNi0yNmE0NDA0ZTkzMmMiLCJmaXJzdCI6ImVtcCIsInRlbmFudCI6InBoaXhkZXYxMDEifSwiZW1haWwiOiJoYzgzMTFAbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiaXNzIjoiaHR0cHM6Ly9oY2VudGl2ZS1jcC1kZXYuYXV0aDAuY29tLyIsInN1YiI6ImF1dGgwfDU4YzAxYzA0MmNlZTBmNDEzYzgxOTYyMCIsImF1ZCI6IlB3ZTFqM2hIMXRQaXdvbWh0TzQ2TFdlYjF0Wm1aN2JVIiwiZXhwIjoxNDkwNjA4NDA0LCJpYXQiOjE0OTA2MDc4MDR9.Z1uAgUmlXvYDjmbiVcxAz12dHRv4ZnAbq6ZO_zqYf3Y
User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; XT1635-02 Build/MPN24.104-56; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36
Accept-Language: en-US
Cookie: JSESSIONID=F9017593C57FE6C3794056C416676B38
X-Requested-With: com.”Client Name”.hcmobile538102

VULNERABLE RESPONSE -

HTTP/1.1 200 OK
Date: Mon, 27 Mar 2018 09:45:09 GMT
Server: Apache
Cache-Control: no-cache, no-store
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, PUT, GET, OPTIONS, DELETE, PATCH
Access-Control-Max-Age: 3600
Access-Control-Allow-Headers: Authorization, Access-Control-Allow-Headers, Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers
Content-Type: application/json;charset=UTF-8
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self' blob: *.google-analytics.com *.googleapis.com *.auth0.com *.youtube.com *.gstatic.com maps.google.com/mapfiles/ms/icons/blue-dot.png *.liveperson.net *.lpsnmedia.net va.v.liveperson.net hello.myfonts.net *.livechatinc.com 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: blob: *.google-analytics.com *.googleapis.com *.youtube.com *.gstatic.com maps.google.com/mapfiles/ms/icons/blue-dot.png
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Connection: close
Content-Length: 24488

[{"productCategory":"medical","coverageDetails":[
{"coverageSummary":{"planName":"4D-Medical-Shelf","planIdentifier":"35d25bac-381e-43af-a766-52d1426579a8","effectiveDate":"03/16/2018","benefitSummaryType":"CURRENT"},
"coverageAdditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"],"SPOUSE":["spouse"],"DEPENDENT":["child"]},"carrierName":"4DentaDentalCarrier","carrierContactNumber":"886-036-6330","planBrochureUrl":null,
"planLogoUrl":"https://phixdev101.demo.hcinternal.net/staticContent/employee/user-content/4146/f0243ccd-5f86-4faf-94cf-ad7a73e43b15_carrier.jpg","healthPlanBrochureLink":null,
"benefitCoverageLink":"https://wibphix.hcphix.com/sbc/Aetna_SG_Med/88846NY1000001_2016",
"doctorInNetworkProviderUrl":"http://www.aetna.com/dse/search?site_id=docfind&langpref=en&tabKey=tab1&site_id=docfind&this_page=enter_welcome.jsp&langpref=en",
"planType":"PPO","individualDeductible":"$101","familyDeductible":"$103","outOfPocketMaximumValue":"$106","deductible":"103.0",
"prescriptionDrugsCoveredLink":"https://www.aetna.com/individuals-families/find-a-medication.html",
"primaryPhysicianOfficeVisit":"$25","specialistVisit":"$40","erVisit":"$150","urgentCareFacility":"$75","hospitalInPatient":"$500 Copay per stay","hospitalOutPatient":"No Charge","tier1Drug":"$20","tier2Drug":"$40 Copay after deductible","tier3Drug":"$60 Copay after deductible",
"doctorNetwork":{"object":"Nationwide doctor network","toolTipText":"You'll be able to choose from a Nationwide list of doctors."},
"referals":{"object":"Referrals needed","toolTipText":"You'll need your primary care physician to refer you to a specialist."},
"taxSavingToolTip":{"object":"No additional tax savings","toolTipText":"You can't contribute tax-free money to this plan."}}}},
{"coverageSummary":{"planName":"4D-Medical-Shelf","planIdentifier":"35d25bac-381e-43af-a766-52d1426579a8","effectiveDate":"04/01/2018","benefitSummaryType":"PENDING"},
"coverageAdditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"],"SPOUSE":["spouse"],"DEPENDENT":["childtwo","child"]},"carrierName":"4DentaDentalCarrier","carrierContactNumber":"886-036-6330","planBrochureUrl":null,
"planLogoUrl":"https://phixdev101.demo.hcinternal.net/staticContent/employee/user-content/4146/f0243ccd-5f86-4faf-94cf-ad7a73e43b15_carrier.jpg","healthPlanBrochureLink":null,
"benefitCoverageLink":"https://wibphix.hcphix.com/sbc/Aetna_SG_Med/88846NY1000001_2016",
"doctorInNetworkProviderUrl":"http://www.aetna.com/dse/search?site_id=docfind&langpref=en&tabKey=tab1&site_id=docfind&this_page=enter_welcome.jsp&langpref=en",
"planType":"PPO","individualDeductible":"$101","familyDeductible":"$103","outOfPocketMaximumValue":"$106","deductible":"103.0",
"prescriptionDrugsCoveredLink":"https://www.aetna.com/individuals-families/find-a-medication.html",
"primaryPhysicianOfficeVisit":"$25","specialistVisit":"$40","erVisit":"$150","urgentCareFacility":"$75","hospitalInPatient":"$500 Copay per stay","hospitalOutPatient":"No Charge","tier1Drug":"$20","tier2Drug":"$40 Copay after deductible","tier3Drug":"$60 Copay after deductible",
"doctorNetwork":{"object":"Nationwide doctor network","toolTipText":"You'll be able to choose from a Nationwide list of doctors."},
"referals":{"object":"Referrals needed","toolTipText":"You'll need your primary care physician to refer you to a specialist."},
"taxSavingToolTip":{"object":"No additional tax savings","toolTipText":"You can't contribute tax-free money to this plan."}}}}]},
{"productCategory":"CRITICALILLNESS","coverageDetails":[
{"coverageSummary":{"planName":"4D-CI-Shelf","planIdentifier":"4550080b-374e-4258-b537-9da473c0d8bb","effectiveDate":"03/15/2018","benefitSummaryType":"CURRENT"},
"coverageAdditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"]},"carrierName":"4DentaDentalCarrier","carrierContactNumber":"886-036-6330","planBrochureUrl":"https://en.wikipedia.org/",
"planLogoUrl":"https://phixdev101.demo.hcinternal.net/staticContent/employee/user-content/4146/f0243ccd-5f86-4faf-94cf-ad7a73e43b15_carrier.jpg",
"majorCoveredConditionsCancer":"101","majorCoveredConditionsCancerInSitu":"102","majorCoveredConditionsStroke":"103","majorCoveredConditionsHeartAttack":"104","majorCoveredConditionsMajorOrganTransplant":"105","majorCoveredConditionsKidneyFailure":"106","majorCoveredConditionsCoronaryArteryBypassSurgery":"107",
"benefitWaitingPeriodCancer":"12Months","benefitWaitingPeriodNonCancer":"24Months","coverageAmounts":{"EMPLOYEE":"$10,000"}}}}]},
{"productCategory":"ACCIDENTINSURANCE","coverageDetails":[
{"coverageSummary":{"planName":"4D-AI-Shelf","planIdentifier":"1d9f9ec1-1241-40a1-9907-64f7c66b7164","effectiveDate":"03/16/2018","benefitSummaryType":"CURRENT"},
"coverageAdditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"],"DEPENDENT":["child"]},"carrierName":"4DentaDentalCarrier","carrierContactNumber":"886-036-6330",
"planBrochureUrl":"https://phixdev101.demo.hcinternal.net/staticContent/broker/user-content/1014/f7a72a38-31ca-4416-ac26-71e5f0625a62_Mobile_App.png",
"planLogoUrl":"https://phixdev101.demo.hcinternal.net/staticContent/employee/user-content/4146/f0243ccd-5f86-4faf-94cf-ad7a73e43b15_carrier.jpg","coverageAmounts":null,
"medicalServicesAndTreatmentEmergencyCare":"501","medicalServicesAndTreatmentNonEmergencyCare":"502","medicalServicesAndTreatmentAmbulanceGround":"503",
"hospitalBenefitsHospitalAdmission":"801","hospitalBenefitsHospitalConfinement":"802","hospitalBenefitsIcuAdmission":"803","hospitalBenefitsIcuConfinement":"804",
"injuriesBurns":"1001","injuriesConcussion":"1002","injuriesFractures":"1003",
"accidentalDeathAndDismembermentAccidentalDeathEmployee":"201","accidentalDeathAndDismembermentAccidentalDeathSpouse":null,"accidentalDeathAndDismembermentAccidentalDeathChild":"401","accidentalDeathAndDismembermentDismembermentEmployee":"501","accidentalDeathAndDismembermentDismembermentSpouse":null,"accidentalDeathAndDismembermentDismembermentChild":"701"}}},
{"coverageSummary":{"planName":"4D-AI-Shelf","planIdentifier":"1d9f9ec1-1241-40a1-9907-64f7c66b7164","effectiveDate":"04/01/2018","benefitSummaryType":"PENDING"},"coverageAd

ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"],"DEPENDENT":["childtw o","child"]},"carrierName":"4DentaDentalCarrier","carrierContactNumber":"886-036-

6330","planBrochureUrl":"https://phixdev101.demo.hcinternal.net/staticContent/broker/u

ser-content/1014/f7a72a38-31ca-4416-ac26-

71e5f0625a62_Mobile_App.png","planLogoUrl":"https://phixdev101.demo.hcinternal.net/sta

ticContent/employee/user-content/4146/f0243ccd-5f86-4faf-94cf-

ad7a73e43b15_carrier.jpg","coverageAmounts":null,"medicalServicesAndTreatmentEmergency Care":"501","medicalServicesAndTreatmentNonEmergencyCare":"502","medicalServicesAndTre

atmentAmbulanceGround":"503","hospitalBenefitsHospitalAdmission":"801","hospitalBenefi

tsHospitalConfinement":"802","hospitalBenefitsIcuAdmission":"803","hospitalBenefitsIcu

Confinement":"804","injuriesBurns":"1001","injuriesConcussion":"1002","injuriesFractur

es":"1003","accidentalDeathAndDismembermentAccidentalDeathEmployee":"201","accidentalD

eathAndDismembermentAccidentalDeathSpouse":null,"accidentalDeathAndDismembermentAccide ntalDeathChild":"401","accidentalDeathAndDismembermentDismembermentEmployee":"501","ac

cidentalDeathAndDismembermentDismembermentSpouse":null,"accidentalDeathAndDismembermen

tDismembermentChild":"701"}}}]},{"productCategory":"HRA","coverageDetails":[{"coverage

Summary":{"planName":"Kaiser HRA","planIdentifier":"32db4afe-49a6-46b6-be46-

bdbf2efa8717","effectiveDate":"03/16/2018","benefitSummaryType":"CURRENT"},"coverageAd

ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"]},"carrierName":"Kaise

r","carrierContactNumber":null,"planBrochureUrl":null,"planLogoUrl":"https://phixdev10

1.demo.hcinternal.net/staticContent/employee/user-content/N4706/1e370037-3d3e-4d24-

853d-

008b93537e5f_download.jpg","reimbursement":"N/A","runOutPeriod":null,"rollOverAmount": "N/A","gracePeriod":"N/A","disclaimer":null,"annualEmployerContribution":"$1,222","ann ualEmployeeContribution":null,"guideLink":null,"brochureLink":null,"rollOverOrGracePer

iod":null,"healthCareReimbursementText":{"object":"Healthcare reimbursement","toolTipText":"Your employer will reimburse you for predefined medical

expenses (like your premium, copays, and more)."},"taxAdvantages":{"object":"Tax

advantages","toolTipText":"The money contributed to this account by your employer is

not subject to Federal

taxes."},"gracePeriodToolTip":{"object":null,"toolTipText":null},"taxSaving":{"object"

:null,"toolTipText":null},"usedForDentalOrVision":{"object":null,"toolTipText":null},"

flexibleReimbursement":{"object":null,"toolTipText":null}}}}]},{"productCategory":"FSA ","coverageDetails":[{"coverageSummary":{"planName":"KAISER FSA

ONE","planIdentifier":"e8598a23-4c13-4052-ac45-

f11ca8e8a21f","effectiveDate":"03/16/2018","benefitSummaryType":"CURRENT"},"coverageAd

ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"]},"carrierName":"Kaise

r","carrierContactNumber":null,"planBrochureUrl":null,"planLogoUrl":"https://phixdev10

1.demo.hcinternal.net/staticContent/employee/user-content/N4706/1e370037-3d3e-4d24- 853d-

008b93537e5f_download.jpg","reimbursement":"N/A","runOutPeriod":null,"rollOverAmount": "N/A","gracePeriod":"N/A","disclaimer":null,"annualEmployerContribution":"$1,122","ann

ualEmployeeContribution":"$1,334","guideLink":null,"brochureLink":null,"rollOverOrGrac ePeriod":null,"healthCareReimbursementText":{"object":null,"toolTipText":null},"taxAdv antages":{"object":null,"toolTipText":null},"gracePeriodToolTip":{"object":"Grace

Period","toolTipText":"The money in this account does not roll over at the end of the plan year, but you do have a specified length of time to spend it before it's

lost."},"taxSaving":{"object":"Tax Savings","toolTipText":"The money you set aside in

Page 22: PENETRATION TEST REPORT Client Name

Penetration Test Report // “CLIENT NAME” ANDROID APP

PTR – 26th March 2018 22 © DETOkX. All rights reserved 2018

this account is not subject to Federal taxes (which means you get to keep more of it), but must be used by a specific date or is

lost."},"usedForDentalOrVision":{"object":null,"toolTipText":null},"flexibleReimbursem ent":{"object":null,"toolTipText":null}}}},{"coverageSummary":{"planName":"KAISER FSA

ONE","planIdentifier":"e8598a23-4c13-4052-ac45- f11ca8e8a21f","effectiveDate":"04/01/2018","benefitSummaryType":"PENDING"},"coverageAd ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"]},"carrierName":"Kaise

r","carrierContactNumber":null,"planBrochureUrl":null,"planLogoUrl":"https://phixdev10 1.demo.hcinternal.net/staticContent/employee/user-content/N4706/1e370037-3d3e-4d24-

853d-

008b93537e5f_download.jpg","reimbursement":"N/A","runOutPeriod":null,"rollOverAmount": "N/A","gracePeriod":"N/A","disclaimer":null,"annualEmployerContribution":"$1,122","ann

ualEmployeeContribution":"$987","guideLink":null,"brochureLink":null,"rollOverOrGraceP

eriod":null,"healthCareReimbursementText":{"object":null,"toolTipText":null},"taxAdvan

tages":{"object":null,"toolTipText":null},"gracePeriodToolTip":{"object":"Grace

Period","toolTipText":"The money in this account does not roll over at the end of the

plan year, but you do have a specified length of time to spend it before it's

lost."},"taxSaving":{"object":"Tax Savings","toolTipText":"The money you set aside in

this account is not subject to Federal taxes (which means you get to keep more of it),

but must be used by a specific date or is

lost."},"usedForDentalOrVision":{"object":null,"toolTipText":null},"flexibleReimbursem

ent":{"object":null,"toolTipText":null}}}}]},{"productCategory":"DCFSA","coverageDetai

ls":[{"coverageSummary":{"planName":"KAISER DCAP ONE","planIdentifier":"8d72d937-52b4- 4c3e-b0ad-

750222c3ef61","effectiveDate":"03/16/2018","benefitSummaryType":"CURRENT"},"coverageAd

ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"]},"carrierName":"Kaise

r","carrierContactNumber":null,"planBrochureUrl":null,"planLogoUrl":"https://phixdev10

1.demo.hcinternal.net/staticContent/employee/user-content/N4706/1e370037-3d3e-4d24-

853d-

008b93537e5f_download.jpg","reimbursement":"N/A","runOutPeriod":null,"rollOverAmount": "N/A","gracePeriod":"N/A","disclaimer":null,"annualEmployerContribution":"$1,121","ann

ualEmployeeContribution":"$3,100","guideLink":null,"brochureLink":null,"rollOverOrGrac

ePeriod":null,"healthCareReimbursementText":{"object":null,"toolTipText":null},"taxAdv

antages":{"object":null,"toolTipText":null},"gracePeriodToolTip":{"object":null,"toolT

ipText":null},"taxSaving":{"object":"Tax Savings","toolTipText":"The money you set

aside in this account is not subject to Federal taxes (which means you get to keep more

of it), but must be used by a specific date or is

lost."},"usedForDentalOrVision":{"object":null,"toolTipText":null},"flexibleReimbursem

ent":{"object":"Flexible reimbursement","toolTipText":"Depending on the amount of your

contributions, your plan provider will reimburse you for submitted dependent care

costs."}}}},{"coverageSummary":{"planName":"KAISER DCAP

ONE","planIdentifier":"8d72d937-52b4-4c3e-b0ad- 750222c3ef61","effectiveDate":"04/01/2018","benefitSummaryType":"PENDING"},"coverageAd

ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"]},"carrierName":"Kaise

r","carrierContactNumber":null,"planBrochureUrl":null,"planLogoUrl":"https://phixdev10

1.demo.hcinternal.net/staticContent/employee/user-content/N4706/1e370037-3d3e-4d24-

853d- 008b93537e5f_download.jpg","reimbursement":"N/A","runOutPeriod":null,"rollOverAmount": "N/A","gracePeriod":"N/A","disclaimer":null,"annualEmployerContribution":"$1,121","ann ualEmployeeContribution":"$2,900","guideLink":null,"brochureLink":null,"rollOverOrGrac

Page 23: PENETRATION TEST REPORT Client Name

Penetration Test Report // “CLIENT NAME” ANDROID APP

PTR – 26th March 2018 23 © DETOkX. All rights reserved 2018

ePeriod":null,"healthCareReimbursementText":{"object":null,"toolTipText":null},"taxAdv antages":{"object":null,"toolTipText":null},"gracePeriodToolTip":{"object":null,"toolT

ipText":null},"taxSaving":{"object":"Tax Savings","toolTipText":"The money you set aside in this account is not subject to Federal taxes (which means you get to keep more

of it), but must be used by a specific date or is lost."},"usedForDentalOrVision":{"object":null,"toolTipText":null},"flexibleReimbursem ent":{"object":"Flexible reimbursement","toolTipText":"Depending on the amount of your

contributions, your plan provider will reimburse you for submitted dependent care costs."}}}}]},{"productCategory":"dental","coverageDetails":[{"coverageSummary":{"plan

Name":"Dental Composite 1","planIdentifier":"2d192c68-3417-47b5-be1d-

402517408936","effectiveDate":"03/16/2018","benefitSummaryType":"CURRENT"},"coverageAd

ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"],"SPOUSE":["spouse"],"

DEPENDENT":["child"]},"carrierName":"HAP","carrierContactNumber":null,"planBrochureUrl ":"https://ex1.phixqa.hcinternal.net/staticContent/individual/exchange/ex1/logo.png"," planLogoUrl":"https://phixdev101.demo.hcinternal.net/staticContent/employee/user-

content/1876/1b1d18fa-f6a6-4378-b6ba-4d81e419e209_ubuntu- logo14.png","healthPlanBrochureLink":"https://ex1.phixqa.hcinternal.net/staticContent/

individual/exchange/ex1/logo.png","benefitCoverageLink":"https://ex1.phixqa.hcinternal

.net/staticContent/individual/exchange/ex1/logo.png","doctorInNetworkProviderUrl":null ,"planType":"POS","individualDeductible":"N/A","familyDeductible":"N/A","annualBenefit

Maximum":"N/A","deductible":"N/A","orthodontiaMax":"N/A","routineDentalCare":"N/A","ba

sicDentalCare":"N/A","majorDentalCare":"N/A","orthodontia":"N/A"}}},{"coverageSummary" :{"planName":"Dental Plan 12","planIdentifier":"9352d196-0c46-45a6-8006-

8aad2946937b","effectiveDate":"04/01/2018","benefitSummaryType":"PENDING"},"coverageAd

ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"],"SPOUSE":["spouse"],"

DEPENDENT":["childtwo","child"]},"carrierName":"HAP","carrierContactNumber":null,"plan

BrochureUrl":null,"planLogoUrl":"https://phixdev101.demo.hcinternal.net/staticContent/

employee/user-content/1876/1b1d18fa-f6a6-4378-b6ba-4d81e419e209_ubuntu-

logo14.png","healthPlanBrochureLink":null,"benefitCoverageLink":null,"doctorInNetworkP roviderUrl":null,"planType":"PPO","individualDeductible":"N/A","familyDeductible":"N/A

","annualBenefitMaximum":"N/A","deductible":"N/A","orthodontiaMax":"N/A","routineDenta

lCare":"N/A","basicDentalCare":"N/A","majorDentalCare":"N/A","orthodontia":"No

Charge"}}}]},{"productCategory":"vision","coverageDetails":[{"coverageSummary":{"planN

ame":"Composite Plan 1","planIdentifier":"7b81d4b0-3c3b-4ff4-b9cb-

a212afe613f8","effectiveDate":"03/16/2018","benefitSummaryType":"CURRENT"},"coverageAd ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"],"SPOUSE":["spouse"],"

DEPENDENT":["child"]},"carrierName":"HAP","carrierContactNumber":null,"planBrochureUrl

":"https://ex1.phixqa.hcinternal.net/staticContent/individual/exchange/ex1/logo.png","

planLogoUrl":"https://phixdev101.demo.hcinternal.net/staticContent/employee/user-

content/1876/1b1d18fa-f6a6-4378-b6ba-4d81e419e209_ubuntu-

logo14.png","healthPlanBrochureLink":"https://ex1.phixqa.hcinternal.net/staticContent/

individual/exchange/ex1/logo.png","benefitCoverageLink":"https://ex1.phixqa.hcinternal

.net/staticContent/individual/exchange/ex1/logo.png","doctorInNetworkProviderUrl":null ,"planType":null,"individualDeductible":"N/A","familyDeductible":"N/A","visionExaminat

ion":"$20 co-pay","opticalLenses":"$20 co-pay","contactLenses":"Covered up to $130 Annual Allowance; exclusive member mail-in rebates on eligible Bausch & Lomb and ACUVUE

contact lenses.","frames":"Covered up to $150 Annual Allowance; 20% on any amount above

retail allowance","frequency":"N/A","polycarbonateLenses":"Single vision: $31 co-pay

\nMultifocal: $35 co-pay","antiReflectiveLenses":"$41 co- pay","scratchCoatingLenses":"$17 co-pay","standardProgressiveLenses":"$55 co-

Page 24: PENETRATION TEST REPORT Client Name

Penetration Test Report // “CLIENT NAME” ANDROID APP

PTR – 26th March 2018 24 © DETOkX. All rights reserved 2018

pay","lasikCareProgram":"Discounts average 15%-20% off for laser surgery, including PRK, LASIK and Custom Lasik, where available","photochromic":"Single vision: $70 co-pay

\nMultifocal: $82 co-pay","routineRetinal":"Guaranteed pricing not to exceed $39"}}},{"coverageSummary":{"planName":"Age Plan 1","planIdentifier":"bb5734ad-0819- 4565-a2f0-

4c1f14a8b110","effectiveDate":"04/01/2018","benefitSummaryType":"PENDING"},"coverageAd

ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"],"SPOUSE":["spouse"]," DEPENDENT":["childtwo","child"]},"carrierName":"HAP","carrierContactNumber":null,"plan

BrochureUrl":"https://ex1.phixqa.hcinternal.net/staticContent/individual/exchange/ex1/

logo.png","planLogoUrl":"https://phixdev101.demo.hcinternal.net/staticContent/employee

/user-content/1876/1b1d18fa-f6a6-4378-b6ba-4d81e419e209_ubuntu- logo14.png","healthPlanBrochureLink":"https://ex1.phixqa.hcinternal.net/staticContent/

individual/exchange/ex1/logo.png","benefitCoverageLink":"https://ex1.phixqa.hcinternal

.net/staticContent/individual/exchange/ex1/logo.png","doctorInNetworkProviderUrl":null

,"planType":null,"individualDeductible":"N/A","familyDeductible":"N/A","visionExaminat

ion":"$20 co-pay","opticalLenses":"$20 co-pay","contactLenses":"Covered up to $130

Annual Allowance; exclusive member mail-in rebates on eligible Bausch & Lomb and ACUVUE

contact lenses.","frames":"Covered up to $150 Annual Allowance; 20% on any amount above

retail allowance","frequency":"N/A","polycarbonateLenses":"Single vision: $31 co-pay

\nMultifocal: $35 co-pay","antiReflectiveLenses":"$41 co- pay","scratchCoatingLenses":"$17 co-pay","standardProgressiveLenses":"$55 co-

pay","lasikCareProgram":"Discounts average 15%-20% off for laser surgery, including PRK, LASIK and Custom Lasik, where available","photochromic":"Single vision: $70 co-pay

\nMultifocal: $82 co-pay","routineRetinal":"Guaranteed pricing not to exceed $39"}}}]},{"productCategory":"BASICLIFE","coverageDetails":[{"coverageSummary":{"planN

ame":"Prudential Employee Basic Life $50,000 Plan","planIdentifier":"80ddb219-b638-

4667-99bb-

0d2df35d9813","effectiveDate":"03/15/2018","benefitSummaryType":"CURRENT"},"coverageAd

ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"]},"carrierName":"HAP",

"carrierContactNumber":null,"planBrochureUrl":"http://www.prudential.com/fidelityPEX",

"planLogoUrl":"https://phixdev101.demo.hcinternal.net/staticContent/employee/user-

content/1876/1b1d18fa-f6a6-4378-b6ba-4d81e419e209_ubuntu-

logo14.png","coverageAmounts":{"EMPLOYEE":"$10,000"}}}}]},{"productCategory":"SUPPLEME

NTALLIFE","coverageDetails":[{"coverageSummary":{"planName":"Platinum 50

Supp","planIdentifier":"193fb423-b9de-4548-88f7- 4d7ba2b16d27","effectiveDate":"03/16/2018","benefitSummaryType":"CURRENT"},"coverageAd

ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"],"SPOUSE":["spouse"],"

DEPENDENT":["child"]},"carrierName":"HAP","carrierContactNumber":null,"planBrochureUrl

":"https://ex1.phixqa.hcinternal.net/staticContent/individual/exchange/ex1/logo.png","

planLogoUrl":null,"coverageAmounts":{"EMPLOYEE":"$100,000","SPOUSE":"$10,000","CHILD": "$10,000"}}}},{"coverageSummary":{"planName":"Platinum 50

Supp","planIdentifier":"193fb423-b9de-4548-88f7- 4d7ba2b16d27","effectiveDate":"04/01/2018","benefitSummaryType":"PENDING"},"coverageAd ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"],"SPOUSE":["spouse"],"

DEPENDENT":["childtwo","child"]},"carrierName":"HAP","carrierContactNumber":null,"plan BrochureUrl":"https://ex1.phixqa.hcinternal.net/staticContent/individual/exchange/ex1/

logo.png","planLogoUrl":null,"coverageAmounts":{"EMPLOYEE":"$100,000","SPOUSE":"$5,000 ","CHILD":"$10,000"}}}}]},{"productCategory":"SUPPLEMENTALADD","coverageDetails":[{"co verageSummary":{"planName":"Supp 40 AD&D","planIdentifier":"26d38ee3-bbaa-43f7-a751-

655efe43f69f","effectiveDate":"03/16/2018","benefitSummaryType":"CURRENT"},"coverageAd

Page 25: PENETRATION TEST REPORT Client Name

Penetration Test Report // “CLIENT NAME” ANDROID APP

PTR – 26th March 2018 25 © DETOkX. All rights reserved 2018

ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"],"SPOUSE":["spouse"]," DEPENDENT":["child"]},"carrierName":"HAP","carrierContactNumber":null,"planBrochureUrl

":"https://ex1.phixqa.hcinternal.net/staticContent/individual/exchange/ex1/logo.png"," planLogoUrl":null,"coverageAmounts":{"EMPLOYEE":"$100,000","SPOUSE":"$50,000","CHILD":

"$5,000"}}}},{"coverageSummary":{"planName":"Supp 40 AD&D","planIdentifier":"26d38ee3- bbaa-43f7-a751- 655efe43f69f","effectiveDate":"04/01/2018","benefitSummaryType":"PENDING"},"coverageAd

ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"],"SPOUSE":["spouse"]," DEPENDENT":["childtwo","child"]},"carrierName":"HAP","carrierContactNumber":null,"plan

BrochureUrl":"https://ex1.phixqa.hcinternal.net/staticContent/individual/exchange/ex1/

logo.png","planLogoUrl":null,"coverageAmounts":{"EMPLOYEE":"$100,000","SPOUSE":"$50,00

0","CHILD":"$5,000"}}}}]},{"productCategory":"STD","coverageDetails":[{"coverageSummar

y":{"planName":"Gaurdian-ER-90001","planIdentifier":"685fd504-31b1-4fc9-85c5- ec25ecc7e65b","effectiveDate":"03/15/2018","benefitSummaryType":"CURRENT"},"coverageAd ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"]},"carrierName":"HAP",

"carrierContactNumber":null,"planBrochureUrl":null,"planLogoUrl":null,"coverageAmounts ":{"EMPLOYEE":"$500 per week"},"benefit":"60.0% up to $500 max","benefitPeriod":"9

Weeks","eliminationPeriod":"07/07/2015"}}}]},{"productCategory":"LTD","coverageDetails

":[{"coverageSummary":{"planName":"EE-LTD 1","planIdentifier":"8441414f-b517-4c75- 9647-

cac275a072c3","effectiveDate":"03/15/2018","benefitSummaryType":"CURRENT"},"coverageAd

ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"]},"carrierName":"HAP",

"carrierContactNumber":null,"planBrochureUrl":"https://ex1.phixqa.hcinternal.net/stati

cContent/individual/exchange/ex1/logo.png","planLogoUrl":null,"coverageAmounts":{"EMPL

OYEE":"$5,000 per month"},"benefit":"$5000","benefitPeriod":"60

Months","eliminationPeriod":"180 Days"}}}]},{"productCategory":"commuter","coverageDetails":[{"coverageSummary":{"planN

ame":"TWCPark","planIdentifier":"7395f936-90f2-45a5-ac6d-

3b8932cdc3d2","effectiveDate":"03/16/2018","benefitSummaryType":"CURRENT"},"coverageAd

ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"]},"carrierName":"HAP",

"carrierContactNumber":null,"planBrochureUrl":null,"planLogoUrl":null,"employeeParking

":"$231","employeeTransit":"$191","employerParking":"$123","employerTransit":"$101"}}}

,{"coverageSummary":{"planName":"TWCPark","planIdentifier":"7395f936-90f2-45a5-ac6d-

3b8932cdc3d2","effectiveDate":"04/01/2018","benefitSummaryType":"PENDING"},"coverageAd

ditionalDetail":{"planDetails":{"coveredMembers":{"SELF":["emp"]},"carrierName":"HAP",

"carrierContactNumber":null,"planBrochureUrl":null,"planLogoUrl":null,"employeeParking ":"$300","employeeTransit":"$302","employerParking":"$123","employerTransit":"$101"}}}

]}]

STEPS TO REPRODUCE -

1. Log in to the application.

2. Make any authorized request and intercept the traffic using a proxy tool.

3. Now sign out of the application.

4. Replay the same captured request.

MITIGATION – It is highly recommended to invalidate the authorization token immediately after logout.
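One way to implement the recommended server-side invalidation, as an added example that is not code from this report or from the client's application: an HMAC-signed bearer token (standing in for the id_token returned by the login endpoint) stays cryptographically valid until it expires, so logout must be recorded in a revocation list that every request is checked against. The secret, the subject name and the clock are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class TokenService:
    """Issues HMAC-signed bearer tokens and keeps a revocation list for logout.

    A signed token remains valid until its 'exp' claim, which is exactly why a
    captured request keeps working after logout unless the server also records
    the logout. The revocation list is keyed by the token id ('jti') and pruned
    once the token would have expired anyway, so it stays bounded.
    """

    def __init__(self, secret: bytes, ttl_seconds: int = 600, clock=time.time):
        self._secret = secret
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so tests are deterministic
        self._revoked = {}           # jti -> exp of the revoked token

    @staticmethod
    def _b64(raw: bytes) -> bytes:
        return base64.urlsafe_b64encode(raw).rstrip(b"=")

    def _sign(self, body: bytes) -> bytes:
        return self._b64(hmac.new(self._secret, body, hashlib.sha256).digest())

    def issue(self, subject: str) -> str:
        """Mint a token of the form base64url(claims).base64url(hmac)."""
        now = int(self._clock())
        claims = {"sub": subject, "iat": now, "exp": now + self._ttl,
                  "jti": secrets.token_hex(8)}
        body = self._b64(json.dumps(claims, separators=(",", ":")).encode())
        return (body + b"." + self._sign(body)).decode()

    def _claims(self, token: str):
        """Return the claims if the signature checks out, else None."""
        try:
            body, sig = token.encode().split(b".")
            if not hmac.compare_digest(sig, self._sign(body)):
                return None
            padded = body + b"=" * (-len(body) % 4)
            return json.loads(base64.urlsafe_b64decode(padded))
        except (ValueError, TypeError):
            return None

    def authenticate(self, token: str):
        """Return the subject for a valid, unexpired, non-revoked token, else None."""
        claims = self._claims(token)
        if claims is None or self._clock() >= claims["exp"]:
            return None
        if claims["jti"] in self._revoked:   # the fix: logout is honoured
            return None
        return claims["sub"]

    def logout(self, token: str) -> bool:
        """Revoke the presented token; returns False for a token we never issued."""
        claims = self._claims(token)
        if claims is None:
            return False
        now = self._clock()
        # Prune entries whose token has expired on its own, then add this one.
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        self._revoked[claims["jti"]] = claims["exp"]
        return True


def replay_after_logout(service: TokenService, subject: str = "alice@example.invalid"):
    """Mirror the reproduction steps above: log in, use the token, log out, replay it."""
    token = service.issue(subject)             # step 1: login
    before = service.authenticate(token)       # step 2: an authorized request
    service.logout(token)                      # step 3: sign out
    after = service.authenticate(token)        # step 4: replay the captured request
    return before, after


if __name__ == "__main__":
    svc = TokenService(secret=b"constructed-demo-secret")
    print(replay_after_logout(svc))            # ('alice@example.invalid', None)
```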


3. DETAILED FINDINGS // 3.2. VULNERABILITIES FOUND // ID 02

ID - 02

TITLE - Login Brute Force

AFFECTED ASSET[S] -

[+]https://”Client Name”-cp-dev.auth0.com/oauth/ro

IMPACT - Medium

STATUS - Confirmed/Fixed

RISK - Medium

LIKELIHOOD - Medium

EASE OF EXPLOIT - Easy

FULL DESCRIPTION - In cryptography, a brute-force attack consists of an attacker trying many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. Alternatively, the attacker can attempt to guess the key which is typically created from the password using a key derivation function. This is known as an exhaustive key search.

When password guessing, this method is very fast when used to check all short passwords, but for longer passwords other methods such as the dictionary attack are used because a brute-force search takes too long. Longer passwords, passphrases and keys have more possible values, making them exponentially more difficult to crack than shorter ones.

It is observed that there is no proper implementation of rate limiting to protect user accounts against login brute-force attacks. An attacker can use this weakness to brute-force a user's login password.

VULNERABLE REQUEST -

POST /oauth/ro HTTP/1.1
Host: “Client Name”-cp-dev.auth0.com
Connection: close
Content-Length: 275
Accept: application/json, text/javascript
Auth0-Client: eyJuYW1lIjoiYXV0aDAuanMiLCJ2ZXJzaW9uIjoiNy42LjEifQ
Origin: file://
User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; XT1635-02 Build/MPN24.104-56; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
X-Requested-With: com.”Client Name”.hcmobile538102

scope=openid+user_metadata+email+offline_access&response_type=token&connection=phixdev101&responseType=token&popup=true&email=hc8311%40mail.com&password=Qwerty@12&device=mobile&sso=true&client_id=Pwe1j3hH1tPiwomhtO46LWeb1tZmZ7bU&username=hc8311%40mail.com&grant_type=password

VULNERABLE RESPONSE -

HTTP/1.1 200 OK
Date: Mon, 27 Mar 2018 10:14:05 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 892
Connection: close
X-Auth0-RequestId: 28fab941afb7a051fc77
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1490695558
Cache-Control: no-cache
Pragma: no-cache
set-cookie: auth0=s%3AN4NFVZ2krwrMMpbSLwmAzNWd4WSQMXcI.ohLllWYyw4mtx2fbrTTZCVbV8FWa7gugiUzdRxsFeOA; Path=/; Expires=Thu, 30 Mar 2018 10:14:05 GMT; HttpOnly; Secure
Strict-Transport-Security: max-age=15724800
X-Robots-Tag: noindex, nofollow, nosnippet, noarchive

{"refresh_token":"kLJ1fVh5B6GLJXtV77RYK74TLtIxlIHMER4VsqlTeFsye","id_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX21ldGFkYXRhIjp7Im9yZ2FuaXphdGlvbmFsX2lkZW50aWZpZXJfdHlwZSI6ImVtcGxveWVyRWluIiwibGFzdCI6ImVwcCIsImJ1c2luZXNzX2lkZW50aWZpZXJfdHlwZSI6ImVtcGxveWVlQ29kZSIsIm5hbWUiOiJlbXAgZXBwIiwiYnVzaW5lc3NfaWRlbnRpZmllciI6IjhiMGE2MzA4LWQ5MDQtNDMwMS1iN2I5LTA0MWMyYzU4YTZjMCIsIm9yZ2FuaXphdGlvbmFsX2lkZW50aWZpZXIiOiJhMDRjYThiNy1mZWFiLTQ4MmYtOGYzNi0yNmE0NDA0ZTkzMmMiLCJmaXJzdCI6ImVtcCIsInRlbmFudCI6InBoaXhkZXYxMDEifSwiZW1haWwiOiJoYzgzMTFAbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiaXNzIjoiaHR0cHM6Ly9oY2VudGl2ZS1jcC1kZXYuYXV0aDAuY29tLyIsInN1YiI6ImF1dGgwfDU4YzAxYzA0MmNlZTBmNDEzYzgxOTYyMCIsImF1ZCI6IlB3ZTFqM2hIMXRQaXdvbWh0TzQ2TFdlYjF0Wm1aN2JVIiwiZXhwIjoxNDkwNjEwMjQ1LCJpYXQiOjE0OTA2MDk2NDV9.E4ytUwf6_-Jrr4pkMojxwvhKsnDsHJwRxHwnmXN_Ie4","access_token":"gLZkyBDDeniRjjIT","token_type":"bearer"}

STEPS TO REPRODUCE -

1. Navigate to the login screen and fill in the necessary details.

2. Intercept the request and brute force the password parameter.

3. A 200 response code indicates a successful login for the cracked password; a 401 indicates an incorrect password.

POC -


MITIGATION - There are multiple ways to protect against brute-force attacks. We recommend implementing any of the following:

• Rate limiting.

• Lock user accounts after multiple incorrect password attempts.

• Implement a CAPTCHA mechanism.
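The three controls above combined in one login guard, as an added example that is not code from this report or from the client's application: a sliding-window limit per source IP, a temporary lockout of the account after repeated failures, and a CAPTCHA requirement once an account has drawn several failures, returning the 200/401 codes the finding relies on plus 429/403 when the guard intervenes. Thresholds, addresses, account names and the password check are constructed.

```python
import time
from collections import deque


class LoginGuard:
    """Rate limit per source IP, account lockout after repeated failures,
    and a CAPTCHA requirement once an account looks under attack."""

    def __init__(self, max_per_window=10, window_seconds=60, captcha_after=3,
                 lock_after=5, lockout_seconds=900, clock=time.time):
        self._max = max_per_window
        self._window = window_seconds
        self._captcha_after = captcha_after
        self._lock_after = lock_after
        self._lockout = lockout_seconds
        self._clock = clock               # injectable so tests are deterministic
        self._attempts = {}               # ip -> deque of attempt timestamps
        self._failures = {}               # username -> consecutive failures
        self._locked = {}                 # username -> unlock timestamp

    def check(self, ip, username, captcha_ok=False):
        """Return None if the attempt may proceed, else a short reason string."""
        now = self._clock()
        unlock_at = self._locked.get(username)
        if unlock_at is not None:
            if now < unlock_at:
                return "account_locked"
            del self._locked[username]    # lockout elapsed, start counting afresh
            self._failures.pop(username, None)
        window = self._attempts.setdefault(ip, deque())
        while window and window[0] <= now - self._window:
            window.popleft()              # drop attempts that fell out of the window
        if len(window) >= self._max:
            return "rate_limited"
        if self._failures.get(username, 0) >= self._captcha_after and not captcha_ok:
            return "captcha_required"
        window.append(now)
        return None

    def record(self, username, success):
        """Update the failure counters once the password check itself has run."""
        if success:
            self._failures.pop(username, None)
            return
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= self._lock_after:
            # Keep lockouts short: an attacker can otherwise lock victims out on
            # purpose, and the per-IP window still throttles them meanwhile.
            self._locked[username] = self._clock() + self._lockout


def login(guard, ip, username, password, verify_password, captcha_ok=False):
    """HTTP-style outcome: 200 on success, 401 on a wrong password, 429 when
    throttled or locked, 403 when a CAPTCHA must be solved first."""
    reason = guard.check(ip, username, captcha_ok)
    if reason == "captcha_required":
        return 403
    if reason is not None:
        return 429
    ok = verify_password(username, password)
    guard.record(username, ok)
    return 200 if ok else 401


if __name__ == "__main__":
    # Constructed credential store; a real service compares password hashes.
    users = {"alice@example.invalid": "correct horse"}
    check = lambda u, p: users.get(u) == p
    g = LoginGuard()
    for pw in ["guess1", "guess2", "guess3"]:
        print(login(g, "203.0.113.5", "alice@example.invalid", pw, check))   # 401
    print(login(g, "203.0.113.5", "alice@example.invalid", "guess4", check))  # 403
```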

3. DETAILED FINDINGS // 3.2. VULNERABILITIES FOUND // ID 03

ID - 03

TITLE - Code Obfuscation

AFFECTED ASSET[S] – Application Code

IMPACT - Low

STATUS - Confirmed/Fixed

RISK - Low

LIKELIHOOD - Low

EASE OF EXPLOIT - Easy

FULL DESCRIPTION - The nature of Java (the predominant programming language for Android apps, with the exception of native code) is that the code is not compiled down to machine code; it is compiled to an intermediate format that is ready to be run on a variety of hardware platforms. While this allows great portability, it also leaves the code for Android apps, as present in the APK (Application PacKage file), available for extraction.

It is observed while reverse engineering the application that the application code is not obfuscated, due to which an attacker can reverse engineer the application, read all the Java source files and also modify them as needed.

POC -


MITIGATION – It is highly recommended to obfuscate the application code to protect against reverse engineering attacks.


3. DETAILED FINDINGS // 3.2. VULNERABILITIES FOUND // ID 04

ID - 04

TITLE - No SSL/Certificate Pinning

AFFECTED ASSET[S] – Application Code

IMPACT - Info

STATUS - Confirmed

RISK - Low

LIKELIHOOD - Low

EASE OF EXPLOIT - Easy

FULL DESCRIPTION - Certificate pinning is an extra layer of security used by applications to ensure that the certificate presented by the remote server is the one that is expected. By including the remote server’s X.509 certificate or public key within the application, it is possible to compare the locally stored certificate or key with the one provided by the remote server. It is observed in the application code that there is no implementation of SSL pinning in the application. As a result, an attacker who can add a certificate to the device's trust store can compromise the SSL connection, intercept the HTTPS requests and view the sensitive information that is sent over HTTPS.

MITIGATION – It is recommended to implement SSL Pinning in the application.
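What a public-key pin actually compares, as an added example that is not code from this report or from the client's application (on Android the same check is normally delegated to OkHttp's CertificatePinner or the network security configuration): a minimal DER walk to the certificate's SubjectPublicKeyInfo, the sha256/base64 pin over it, and a fail-closed check of the presented chain against the pinned set. The certificate builder at the end exists only to construct offline test data; no real certificate or key is embedded.

```python
import base64
import hashlib


def _der_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at buf[pos]; return (tag, content, raw, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    header = 2
    if first < 0x80:
        length = first                    # short form
    else:
        n = first & 0x7F                  # long form: n length bytes follow
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header += n
    end = pos + header + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos + header:end], buf[pos:end], end


def extract_spki(der_cert: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert, _, _ = _der_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, tbs, _, _ = _der_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    pos = 0
    tag, _, _, nxt = _der_tlv(tbs, pos)
    if tag == 0xA0:                       # explicit [0] version is optional (absent in v1)
        pos = nxt
    for _ in range(5):                    # serialNumber, signature, issuer, validity, subject
        _, _, _, pos = _der_tlv(tbs, pos)
    tag, _, spki, _ = _der_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki


def spki_pin(der_cert: bytes) -> str:
    """Pin in the 'sha256/<base64>' form used by HPKP and OkHttp's CertificatePinner."""
    digest = hashlib.sha256(extract_spki(der_cert)).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def verify_pins(der_chain, pins) -> bool:
    """Accept the connection only if some certificate in the presented chain carries
    a pinned key. Ship a backup pin so the server can rotate keys without breaking
    installed apps; a mismatch must fail closed, never fall back to the trust store."""
    pins = set(pins)
    for der_cert in der_chain:
        try:
            if spki_pin(der_cert) in pins:
                return True
        except ValueError:
            continue                      # a malformed certificate cannot satisfy a pin
    return False


def der_tlv(tag: int, content: bytes) -> bytes:
    """DER encoder, used only to construct test certificates offline."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def constructed_certificate(spki: bytes, serial: bytes = b"\x01", v3: bool = True) -> bytes:
    """Unsigned certificate skeleton wrapping the given SPKI (constructed test data)."""
    tbs = der_tlv(0xA0, der_tlv(0x02, b"\x02")) if v3 else b""   # version
    tbs += der_tlv(0x02, serial)          # serialNumber
    tbs += der_tlv(0x30, b"")             # signature algorithm (empty placeholder)
    tbs += der_tlv(0x30, b"")             # issuer (empty placeholder)
    tbs += der_tlv(0x30, b"")             # validity (empty placeholder)
    tbs += der_tlv(0x30, b"")             # subject (empty placeholder)
    tbs += spki                           # subjectPublicKeyInfo
    return der_tlv(0x30, der_tlv(0x30, tbs) + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
```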


3. DETAILED FINDINGS // 3.3. RISK EVALUATION

The overall risk identified to the “CLIENT NAME” ANDROID application as a result of the penetration test is HIGH. There are multiple vulnerabilities in the application, related to session handling and other areas, which can be exploited easily by a malicious user or an attacker. It is reasonable to believe that a malicious entity would be able to successfully execute an attack against “Client Name” Android Application user(s) through targeted attacks and cause damage to “CLIENT NAME” assets.


4. CONCLUSION & RECOMMENDATIONS

CONCLUSION

“Client Name” Android Application suffered a series of defence failures at some of the endpoints, which led to a complete compromise of user assets. These failures would have had a dramatic effect on “CLIENT NAME” operations if a malicious party had exploited them. The specific goals of the penetration test were stated as:

I. Identifying whether an attacker could breach the “CLIENT NAME” ANDROID Application.

II. Determining the impact of a security breach on the confidentiality of the company’s information and on data loss.

These goals of the penetration test were met. A targeted attack against the “CLIENT NAME” ANDROID Application can result in a compromise of organizational assets.

RECOMMENDATIONS

Due to the impact to the overall organization as uncovered by this penetration test, appropriate resources should be allocated to ensure that remediation efforts are accomplished in a timely manner. While a comprehensive list of items that should be implemented is beyond the scope of this engagement, some high-level items are important to mention.

DETOkX recommends the following:

• Expire the authorization token immediately after user logout.

• Implement rate limiting.

• Implement SSL pinning.

• Obfuscate the application code.


5. APPENDICES AND GLOSSARY

GLOSSARY

BLACK BOX PENETRATION TESTING: Type of penetration testing in which an assessor evaluates security controls by simulating a real attack targeting an application. Black Box techniques assess the security of individual high-risk compiled components, interactions between components, and interactions between the entire application or application system and its users, other systems and the external environment.

PENETRATION TESTING: Form of assessment to identify ways of exploiting vulnerabilities to circumvent or defeat the security features of system components. Penetration testing includes network and application testing as well as controls and processes around the networks and applications, and occurs from both inside and outside the environment (external testing).