| Team Member | Assessor |
|---|---|
| Carina Yoehadi - 2702335175 | Christoper Limawan, S.Kom, M.Kom |
| Ichiro Dexther Rewah - 2702368186 | |
| Noah Goklas Boanerges - 2702349786 | |
| Pilar Nalendra Sarwanto - 2702362604 | |
| Zenia Nadia Rifaniputri - 2702343832 | |

| Enumeration | Description |
|---|---|
| Assessment Type | Black-Box |
| Testing Environment | Android API 35 (Rooted) |
| Used Tools | Burp Suite, Postman, Apktool, Bundletool, Apksigner, Zipalign |
This test was conducted to determine the security posture of the Coffee-Portal application by identifying potential risks and vulnerabilities. During the assessment, it was discovered that the application contains hardcoded sensitive information, such as API keys, which could be exploited by an attacker. An attacker can tamper with data or view other users' credentials, since most of the traffic is not encrypted.
Root Detection Bypass
String Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Severity Score: 5.1 (Medium)
Root and emulator checks were found in the MainActivity class. They can be patched by changing the condition in the Smali code on line 50.
Insecure Data Storage Lead to API Key Leak
String Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity Score: 9.3 (Critical)
The API key was found hardcoded together with the base URL. The HTTP request commands (including the endpoints) were also present, which allows the API to be exploited directly using Burp Suite and Postman.
POST Account Registration Format Bypass
String Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Severity Score: 3.3 (Low)
The email format restriction at registration (addresses must use @climawan.com or @vii.com) can be bypassed by sending the POST request directly, because the server performs no validation. The same applies to the password policy, which requires at least 6 characters, a number, and a symbol.
POST Variant Product Tampering
String Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Severity Score: 5.8 (Medium)
The product variant can be tampered with when adding products to the cart. By intercepting the request with Burp Suite, the variant description can be changed to any value.
Balance Interception and Tampering
String Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Severity Score: 8.6 (High)
When a product is checked out using the account balance, the totalPrice is automatically deducted from the balance. However, if a minus (-) sign is prepended to the totalPrice, the system adds that amount to the account balance instead of deducting it.
IDOR Attack (See Account Balance)
String Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity Score: 7.5 (High)
This IDOR allows an attacker to view other users' account balances. It is not a critical attack on its own, but it still exposes a business-logic flaw.
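The registration bypass, variant tampering, balance tampering and IDOR findings above all come down to the server trusting client-supplied values. The following is an added example of the server-side checks that close them (illustrative code, not the Coffee-Portal backend); the catalog, prices, user records and function names are constructed for the demo.

```python
import re

# Constructed demo data standing in for the Coffee-Portal backend (not the real service).
ALLOWED_EMAIL_DOMAINS = {"climawan.com", "vii.com"}          # domains named in the report
PASSWORD_RE = re.compile(r"^(?=.*\d)(?=.*[^\w\s]).{6,}$")     # >=6 chars, a digit, a symbol
CATALOG = {"latte": {"hot": 25_000, "iced": 27_000}}          # server-side price per variant
USERS = {1: {"balance": 50_000}, 2: {"balance": 120_000}}     # constructed accounts

def validate_registration(email: str, password: str) -> list:
    """Server-side checks for the registration POST; returns a list of errors (empty = ok)."""
    errors = []
    local, _, domain = email.partition("@")
    if not local or domain.lower() not in ALLOWED_EMAIL_DOMAINS:
        errors.append("email must use an allowed domain")
    if not PASSWORD_RE.match(password):
        errors.append("password needs >=6 chars, a number and a symbol")
    return errors

def checkout(user_id: int, request: dict) -> tuple:
    """Charge a balance using a server-computed total.

    The client-supplied totalPrice is compared against the server total and the
    request is rejected on any mismatch, which catches both a negative totalPrice
    and a tampered variant. Returns (True, new_balance) or (False, reason).
    """
    total = 0
    for item in request.get("items", []):
        variants = CATALOG.get(item.get("product"), {})
        price = variants.get(item.get("variant"))   # unknown variant -> None -> rejected
        qty = item.get("qty")
        if price is None or not isinstance(qty, int) or qty <= 0:
            return (False, "unknown product/variant or bad quantity")
        total += price * qty
    if request.get("totalPrice") != total:
        # Worth logging: a mismatch here is the tampering signal from the report.
        return (False, "totalPrice mismatch: client sent %r, server computed %d"
                % (request.get("totalPrice"), total))
    user = USERS[user_id]
    if total > user["balance"]:
        return (False, "insufficient balance")
    user["balance"] -= total
    return (True, user["balance"])

def get_balance(requester_id: int, target_id: int) -> tuple:
    """Balance lookup bound to the authenticated user, so another user's id is refused."""
    if requester_id != target_id:
        return (False, "forbidden")
    return (True, USERS[target_id]["balance"])
```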
Unencrypted Login Request
String Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity Score: 7.5 (High)
The login request is sent in plain text (unencrypted). This can leak credentials or other data if an attacker intercepts the network traffic (MITM attack).