Mobile App Security Research: Data Flow & Feedback Handling Analysis – Mr. Number Android App

In 2025, I conducted a security analysis of the Mr. Number Android application, focusing on how the application handles blocked numbers and user feedback data.

This research involved reverse engineering, network traffic analysis, and database inspection to understand how the app processes and transmits sensitive user information.

Testing Techniques Used
• Static Analysis
• Dynamic Analysis
• API Traffic Interception
• SQLite Database Analysis
• Runtime Instrumentation

Tools Used
• Burp Suite
• Frida
• Xposed Framework
• JADX
• APKTool
• SQLite Browser
• Android Debug Bridge (ADB)

Key Findings

Blocking Events

When a user blocks a phone number, the application sends a request to Hiya’s backend API:

https://ingestion.edge.hiyaapi.com/v2/phone_numbers/events

This request includes metadata such as the blocked phone number, timestamp, country code, and device information.

Feedback Submission

User feedback (such as marking numbers as “scammer” or “spam”) is transmitted via another API endpoint:

POST /v2/phone_numbers/feedback

The payload contains:
• Feedback comment
• Reputation category
• Phone number metadata
• Timestamp

Local Data Storage

The application stores blocked numbers locally in a SQLite database:

/data/data/com.mrnumber.blocker/databases/mrnumber.db

However, no feedback comments were found stored locally during the analysis.
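To make the data-flow findings above reproducible, here is an added Python example (my own, not the author's tooling or Hiya's code) that maps each user-supplied value in captured request bodies to the endpoint it reached, then searches a SQLite database schema-agnostically for the same value, so "sent to a third party" and "retained locally" can be checked side by side. The captures and the database schema are constructed stand-ins; the feedback endpoint's host and all payload field names are assumptions, since the writeup does not show the payload layout.

```python
import json
import sqlite3
from urllib.parse import urlparse
CAPTURED_REQUESTS = [  # constructed; field names and the feedback host are assumptions
    {"url": "https://ingestion.edge.hiyaapi.com/v2/phone_numbers/events",
     "body": json.dumps({"event": "block", "phone": "+15555550123", "country": "US",
                         "ts": 1735689600, "device": {"model": "Pixel 6", "os": "14"}})},
    {"url": "https://ingestion.edge.hiyaapi.com/v2/phone_numbers/feedback",
     "body": json.dumps({"phone": "+15555550123", "category": "scammer",
                         "comment": "Called about a fake tax refund", "ts": 1735689700})},
]

def flatten(obj, prefix=""):
    """Yield (dotted.path, scalar) pairs from arbitrarily nested JSON."""
    items = obj.items() if isinstance(obj, dict) else enumerate(obj) if isinstance(obj, list) else None
    if items is None:
        yield prefix.rstrip("."), obj
    else:
        for k, v in items:
            yield from flatten(v, f"{prefix}{k}.")

def egress_map(requests):
    """Map every scalar found in a request body to the host+path it was sent to."""
    out = {}
    for r in requests:
        u = urlparse(r["url"])
        for _path, val in flatten(json.loads(r["body"])):
            out.setdefault(str(val), set()).add(f"{u.netloc}{u.path}")
    return out

def stored_locally(conn, value):
    """Schema-agnostic search: does `value` appear in any column of any table?"""
    tables = [t for (t,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for t in tables:
        for (_, col, *_rest) in conn.execute(f'PRAGMA table_info("{t}")').fetchall():
            if conn.execute(f'SELECT 1 FROM "{t}" WHERE CAST("{col}" AS TEXT)=? LIMIT 1', (value,)).fetchone():
                return True
    return False

def build_sample_db():  # constructed stand-in for mrnumber.db; schema assumed, numbers only
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blocked (number TEXT, created_at INTEGER)")
    conn.execute("INSERT INTO blocked VALUES (?, ?)", ("+15555550123", 1735689600))
    return conn

def audit(requests, conn, watch):
    """Per watched user value: endpoints it was sent to, and whether the local DB keeps it."""
    egress = egress_map(requests)
    return {v: {"sent_to": sorted(egress.get(v, ())), "local": stored_locally(conn, v)} for v in watch}
```

Run `audit(CAPTURED_REQUESTS, build_sample_db(), [...])` with the values a tester typed into the app; a value that is reported with endpoints but `local: False` is the pattern described in this writeup for feedback comments.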

📡 Key Insight

The research confirmed that Mr. Number acts primarily as a client interface, while all feedback processing and storage are handled by Hiya's backend infrastructure.

This means that user-generated feedback data is transmitted to third-party servers rather than being stored locally on the device.

⚠️ Privacy Consideration

Since feedback is processed externally, users may not have direct visibility or control over how their submitted data is stored or used.

📊 Research Workflow

Environment Setup → Traffic Capturing → Automation → Manual Security Review

Project Details

Assessment Type: Mobile Application Security Research
Application: Mr. Number Android App
Researcher: Muhammad Qaisar Afridi
Organization: Pak Cyber Wing

Penetration Testing Report:

https://drive.google.com/file/d/1SC1bOUHaDrwIg0Lz81tWXRmQlwRuIonB/view?usp=drive_link
