Security of Online Proctoring Platforms

I hope this is the right place to post this.

With the current compulsion of educational institutions to switch to the online mode of learning, many apps offering online proctoring solutions have popped up, but a lot of them pose a huge security concern. One such app is the PEXA Lite App that was going to be implemented for exams at MAHE (Manipal Institute of Technology) but was cancelled due to security and logistic concerns. (The student protests against some of the security issues are well documented here.)

Now my college (BITS Pilani) is also planning to force students to download the innocuously named “BITS Exam App”, developed by what is seemingly the same company that made the PEXA Lite App (LittleMore Innovation or Ppyrus India Pvt. Ltd.), for evaluation purposes. Here are some of the security concerns that have gone unanswered by the administration:

  • Elevated Permissions: The app needs to be run as an administrator and be given a lot of permissions that haven’t been justified. We have specifically been told to turn off any antivirus we have in order to use the app and to ignore any virus or malware alert.
  • Alleged Data Breaches and Viruses: There have been accounts of strange behaviour on personal accounts (getting flooded with adware and virus links) and also accounts of viruses totally bricking laptops. You can see the link I’ve posted above for such examples.
  • Alleged Misuse of Data: Institution emails typically hold sensitive information like contact details, addresses, bank details etc., which would be vulnerable. Also, as the app uses the webcam, there have been reports of misuse of the video feed.
  • Untrusted Company: As mentioned before, the company that developed this software does not seem trustworthy.

I would take some of these points with a grain of salt, and they could just be rumours, but the questions still remain. There are obviously other logistical and operational issues as well, but I just want to focus on the security issues. Does anyone know what we can do to make sure this app is safe to use? I was thinking of analysing it and maybe generating a report that I could present for the benefit of the institute and its students, but I haven’t done this sort of thing before and would love it if anyone could help me get started.

Also what other experiences have you had with such online proctoring platforms?

4 Likes

They are using examcloud.in, and the scary part is that it is vulnerable to blind SQLi; they have some signature-based WAF, but it can be bypassed. I am waiting for the installer to drop and would do some static analysis in a sandbox to see what the program is trying to do.

2 Likes

Hi Revolution,

If I understand the question correctly, you want a good starting point for testing a mobile application.

Testing any mobile application has two parts.

  1. Static Analysis
  2. Dynamic Analysis (more advanced) – out of scope for now.

For static analysis, you simply search for things that can be found in the application code. In other words, you try to find the flaws in the source code. The flaws can be of many different types, for example: admin credentials leaking, a sensitive API key leaking (which might belong to a third-party service that holds all the records), vulnerable components, what permissions are granted to the application, etc. Now the question is, how can we do that?

You need to learn how to decompile an Android app so that you can see the clear-text source code of the application and start finding the flaws. There are some popular tools like APKtool, Enjarify, JADX (for reading Java source code), etc. Before using those tools, you need to learn some basics of APKs.

For example, below are the topics that can give you a good start:

  • What is an APK
  • What is the DVM (Dalvik Virtual Machine)
  • What are .dex files
  • What are the components of an Android application (Services, Content providers, etc.)
  • What is the Android Manifest file

Reference for start:
https://developer.android.com/guide/components/fundamentals

References for tools:



2 Likes
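As an added illustration of the static-analysis step described in the answer above (not code from the thread or from any of the apps named in it), here is a small Python script that does two of the checks the answer lists: it reads the `<uses-permission>` entries out of a decoded AndroidManifest.xml and flags the ones a proctoring app would need to justify, and it scans decompiled source text for hard-coded credentials. The manifest and Java snippet are constructed sample inputs standing in for apktool / JADX output; the sensitive-permission set and secret patterns are this example's own choices.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a proctoring app should have to justify (our own subset of
# Android's runtime/special permissions; not from the post).
SENSITIVE_PERMISSIONS = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.SYSTEM_ALERT_WINDOW",
}

# Patterns for secrets that often survive in decompiled sources.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(r'(?i)(api[_-]?key|secret|password)\s*[=:]\s*"([^"]{6,})"'),
}

def manifest_permissions(manifest_xml: str) -> list:
    """Return every <uses-permission android:name=...> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]

def flag_sensitive(perms) -> list:
    """Sorted subset of perms that appear in SENSITIVE_PERMISSIONS."""
    return sorted(p for p in perms if p in SENSITIVE_PERMISSIONS)

def find_hardcoded_secrets(source: str) -> list:
    """Return (line_number, pattern_name) for each line matching a secret pattern."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        hits.extend((lineno, name) for name, pat in SECRET_PATTERNS.items() if pat.search(line))
    return hits

# Constructed sample input (hypothetical package and key values).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.examapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""

SAMPLE_SOURCE = """public class Config {
    static final String BASE_URL = "https://exam.example.invalid/api";
    static final String API_KEY = "AKIAIOSFODNN7EXAMPLE";
    static final String password = "hunter2hunter2";
}"""

if __name__ == "__main__":
    print("sensitive permissions:", flag_sensitive(manifest_permissions(SAMPLE_MANIFEST)))
    print("possible secrets:", find_hardcoded_secrets(SAMPLE_SOURCE))
```

Point the two functions at the real `AndroidManifest.xml` from `apktool d` and at the `.java` files JADX writes, and the flagged permissions become the list of items to ask the vendor to justify.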