IndicatorSmart Baby MonitorFinal Results
The product was built with effectively implemented safety features.
  • Best build practice 1: The baby monitor Android app does generate warnings when run through the Integrated Development Environment (IDE) security checks, but does not generate errors.
  • Best build practice 2: The baby monitor Android app only declares one permission specific to the app, and it does use an "android:protectionLevel" statement, however it declares the permission as a development mode, rather than as signature based. This permission allows the app to receive messages from the vendor’s cloud servers. However, because this permission is left in “developer” mode, a maliciously-modified derivative of the app could also gain that permission, because the app signing keys belonging to the app’s comercial developer are not required to convince the Android system that the derivative app is genuine.
  • Best build practice 3: The baby monitor Android app mostly requires specific permissions which limit the use of various parts of the app’s code to the app itself. However five places where permissions should be declared were missed, which leaves parts of the app’s functionality open to use by other apps on the device.
✔️

The software does not make use of unsafe functions or libraries.
  • The baby monitor Android app requests almost every permission available to apps in the Android system, including system-level permissions that it would not be granted unless a device is "rooted." The only app-specific permission that the app declares is not bound to registered versions of the app, but left in "development" mode, meaning anyone who builds a version/derivative of the app can trick the Android permissions system into giving the malignant derivative the same permission level as the registered app distributed by the vendor.
The software is not overly complex.
  • The baby monitor Android app Java class tree (a representation of the function and structure of a Java program), is large and obfuscated in ways that make the code extremely hard to follow. While the tree contains some external libraries (pieces of code that can be referenced in other code) that perform tasks reasonably related to the basic functionality of the app itself, it is unclear why many libraries are included in a U.S. version of an app that has several regional variants, including releases for Australia, the European Union, and Japan. Furthermore, it is not clear that many of these libraries are properly implemented, as they trigger registration and validation errors when run through code validators.