================================================================================
FARSNEWS APK ANALYSIS REPORT
Fars News Agency (IRGC) Android Application
================================================================================
Date:    2026-02-28
Source:  farsnews-app.apk (10,305,416 bytes / 10.3 MB)
Analyst: OSINT Extraction via APK Decompilation
Tool:    unzip + string extraction (no apktool/jadx available)
================================================================================

TABLE OF CONTENTS

1. APPLICATION IDENTITY
2. FIREBASE / GOOGLE CLOUD CONFIGURATION (SECRETS)
3. API ENDPOINTS & DOMAINS
4. APK SIGNING CERTIFICATE (DEVELOPER ATTRIBUTION)
5. EMBEDDED DEVELOPMENT CERTIFICATE (OPSEC FAILURE)
6. ANDROID PERMISSIONS (SURVEILLANCE CAPABILITIES)
7. APPLICATION ARCHITECTURE
8. BUILD ENVIRONMENT INTELLIGENCE
9. SECURITY MISCONFIGURATIONS
10. CAPACITOR/CORDOVA PLUGINS
11. ACTIONABLE INTELLIGENCE SUMMARY

================================================================================
1. APPLICATION IDENTITY
================================================================================

App Name:             Fars
Package Name:         ir.farsnews.app
Capacitor App ID:     com.microblog.app
App Version:          8.2.3 (Android) / 7.1.1 (iOS)
Android Version Code: 80203
Internal Name:        Microblog
Web Dir:              mini-app/dist
Gradle Plugin:        8.9.0
R8 Mode:              full (release, min-api 23)
R8 Map ID:            3823d97

NOTE: The Capacitor app ID is "com.microblog.app", suggesting Fars News was
built on top of a generic "Microblog" social media platform. The actual Android
package is "ir.farsnews.app".

================================================================================
2. FIREBASE / GOOGLE CLOUD CONFIGURATION (SECRETS)
================================================================================

These values were extracted from resources.arsc (compiled binary resources):

Google API Key:   AIzaSyDp9K7YksfYf-JvGOS7YCNv7JbA9P-XemE
Firebase App ID:  1:823560469881:android:a2e494ac003a2969c383a8
GCM Sender ID:    823560469881
Storage Bucket:   fars-next.appspot.com
OAuth Client ID:  823560469881-rqin08q6q2drg8aq740db4j34980t9cp.apps.googleusercontent.com

Firebase SDK Versions (from .properties files):
  firebase-annotations:            16.2.0
  firebase-encoders:               17.0.0
  firebase-encoders-json:          18.0.0
  firebase-encoders-proto:         16.0.0
  firebase-iid-interop:            17.1.0
  firebase-measurement-connector:  19.0.0

Firebase Installations API Endpoint (from DEX): firebaseinstallations.googleapis.com
FCM Channel: fcm_fallback_notification_channel

Reconstructed google-services.json equivalent:

{
  "project_info": {
    "project_number": "823560469881",
    "storage_bucket": "fars-next.appspot.com"
  },
  "client": [
    {
      "client_info": {
        "mobilesdk_app_id": "1:823560469881:android:a2e494ac003a2969c383a8",
        "android_client_info": {
          "package_name": "ir.farsnews.app"
        }
      },
      "api_key": [
        { "current_key": "AIzaSyDp9K7YksfYf-JvGOS7YCNv7JbA9P-XemE" }
      ],
      "oauth_client": [
        { "client_id": "823560469881-rqin08q6q2drg8aq740db4j34980t9cp.apps.googleusercontent.com" }
      ]
    }
  ]
}

INTELLIGENCE VALUE:
- The Google API Key can be tested against Firebase REST APIs
- Project number 823560469881 can be used to enumerate Firebase services
- Storage bucket "fars-next.appspot.com" may contain publicly accessible files
- The project name "fars-next" suggests this is a newer/rewritten version

================================================================================
3. API ENDPOINTS & DOMAINS
================================================================================

PRIMARY ENDPOINTS:
  https://farsnews.ir/_hybrid/                -- Main web app hybrid endpoint (WebView loads this)
  https://farsnews.ir/_hybrid/#/              -- Client-side routed SPA entry point
  https://dl.farsnews.ir/webview              -- Download/content delivery endpoint
  https://dl.gaplication.com/asset/masks.zip  -- CDN for image filter masks (photo editor)

DEEP LINKS / APP LINKS:

[{
  "relation": ["delegate_permission/common.handle_all_urls"],
  "target": { "namespace": "web", "site": "https://farsnews.ir" }
}]

WEBVIEW CONFIGURATION:
  Hostname:         fars
  Android Scheme:   https (internal: https://fars/)
  Error Path:       error.html
  Allow Navigation: farsnews.ir
  Cleartext:        true (HTTP traffic allowed)
  User-Agent:       Fars/8.2.3 FarsAndroid/80203

CDN / ASSET DOMAIN:
  dl.gaplication.com -- Third-party CDN (not .ir TLD - possibly outside Iran)
  Hosts photo filter assets (masks.zip)
  "gaplication" = likely "G-Application" infrastructure

GOOGLE PLAY LISTING (referenced by the app):
  https://play.google.com/store/apps/details?id=com.google.android.webview
  -- listing for the com.google.android.webview package (Android System WebView), not the Fars app itself

================================================================================
4. APK SIGNING CERTIFICATE (DEVELOPER ATTRIBUTION)
================================================================================

Certificate Details (CERT.RSA - PKCS7/DER):
  Serial Number:   7482141732076290043 (0x67d5e84363887ffb)
  Signature Algo:  sha384WithRSAEncryption
  Public Key:      RSA 2048-bit
  Issuer / Subject:
    Country (C):          IR (Iran)
    State (ST):           Khorasan Razavi
    City (L):             Mashhad
    Organization (O):     TSIT
    Organizational Unit:  Android
    Common Name (CN):     Fars Next
  Validity:
    Not Before: Aug 31 13:09:22 2023 GMT
    Not After:  Jan 16 13:09:22 2051 GMT
  Subject Key ID: C8:F5:76:54:6F:A7:D6:7A:C0:74:5C:84:94:A2:03:14:25:CB:FF:F8

INTELLIGENCE VALUE:
- Developer Organization: TSIT (Mashhad, Khorasan Razavi, Iran)
- Project codename: "Fars Next" (confirms this is the rewrite)
- Self-signed certificate valid for ~28 years (2023-2051)
- TSIT = likely "Tose'e Sanat-e IT" or similar IT development company
- Located in Mashhad (second largest city in Iran, ~900km east of Tehran)
- This is NOT developed in-house by Fars News in Tehran -- outsourced to a
  Mashhad-based tech company

================================================================================
5. EMBEDDED DEVELOPMENT CERTIFICATE (OPSEC FAILURE)
================================================================================

File: res/XH.pem (mkcert development CA certificate)

Certificate Details:
  Issuer/Subject:
    Organization: mkcert development CA
    OU:           DESKTOP-CV5TMVD\MQT@DESKTOP-CV5TMVD (MQT)
    CN:           mkcert DESKTOP-CV5TMVD\MQT@DESKTOP-CV5TMVD (MQT)
  Validity:
    Not Before: Dec 23 11:44:14 2024 GMT
    Not After:  Dec 23 11:44:14 2034 GMT
  Key: RSA 3072-bit

DEVELOPER MACHINE INTELLIGENCE:
- Computer Name: DESKTOP-CV5TMVD
- Windows Username: MQT
- Tool Used: mkcert (local HTTPS development tool)
- Created: December 23, 2024 (recent development activity)
- This certificate was accidentally bundled into the production APK
- "MQT" could be a developer's initials or abbreviation
- DESKTOP-CV5TMVD is a Windows machine (default Windows hostname format)

OPSEC FAILURE: A developer's local mkcert CA certificate was shipped in the
production APK. This reveals:
  1. The developer's Windows hostname
  2. The developer's Windows username
  3. The timeline of development (Dec 2024)
  4. That local HTTPS development was used (mkcert)

================================================================================
6. ANDROID PERMISSIONS (SURVEILLANCE CAPABILITIES)
================================================================================

Declared/Referenced Permissions:
  android.permission.ACCESS_COARSE_LOCATION
  android.permission.ACCESS_FINE_LOCATION
  android.permission.ACCESS_MEDIA_LOCATION
  android.permission.ACCESS_NETWORK_STATE
  android.permission.BLUETOOTH
  android.permission.BLUETOOTH_CONNECT
  android.permission.CAMERA
  android.permission.MODIFY_AUDIO_SETTINGS
  android.permission.POST_NOTIFICATIONS
  android.permission.READ_CONTACTS
  android.permission.READ_EXTERNAL_STORAGE
  android.permission.READ_MEDIA_AUDIO
  android.permission.READ_MEDIA_IMAGES
  android.permission.READ_MEDIA_VIDEO
  android.permission.RECORD_AUDIO
  android.permission.UPDATE_DEVICE_STATS
  android.permission.WAKE_LOCK
  android.permission.WRITE_CONTACTS
  android.permission.WRITE_EXTERNAL_STORAGE

SURVEILLANCE-RELEVANT PERMISSIONS:
- ACCESS_FINE_LOCATION    -> Precise GPS tracking
- ACCESS_COARSE_LOCATION  -> Cell tower / WiFi location
- ACCESS_MEDIA_LOCATION   -> Photo EXIF GPS data
- CAMERA                  -> Camera access
- RECORD_AUDIO            -> Microphone access
- READ_CONTACTS           -> Contact list exfiltration
- WRITE_CONTACTS          -> Contact injection
- READ_EXTERNAL_STORAGE   -> Access all files
- UPDATE_DEVICE_STATS     -> System-level device stats (unusual)

NOTE: The combination of location + contacts + camera + microphone + storage
access on a "news app" is excessive and consistent with surveillance-capable
applications. The WRITE_CONTACTS permission is particularly suspicious for a
news reader.

================================================================================
7. APPLICATION ARCHITECTURE
================================================================================

Type:        Capacitor + Cordova Hybrid App (Ionic-style)
Framework:   Capacitor 6.x with Cordova compatibility layer
Frontend:    Vue.js or similar SPA (obfuscated, minified)
Backend:     WebView loading https://farsnews.ir/_hybrid/
Build:       Kotlin/Android with Gradle 8.9.0
Obfuscation: R8 full mode (class/method names obfuscated)
Min SDK:     API 23 (Android 6.0 Marshmallow)

The app is essentially a sophisticated WebView wrapper that:
  1. Loads a splash screen
  2. Checks Chrome version (minimum v60)
  3. Redirects to https://farsnews.ir/_hybrid/ in a WebView
  4. Provides native capabilities via Capacitor/Cordova bridge:
     - Push notifications (FCM)
     - Camera, geolocation, contacts access
     - File system access
     - Local notifications and badges
     - SMS retrieval (OTP verification)
     - Audio switching (media playback)
     - Photo editing (with filter masks from CDN)

The internal app name "Microblog" and the "Microblog" class suggest the
platform may include social features (posting, commenting, etc.) beyond simple
news reading.

================================================================================
8. BUILD ENVIRONMENT INTELLIGENCE
================================================================================

Build System:
- Android Gradle Plugin: 8.9.0
- R8 Compiler: 8.9.27 (dex backend, release mode)
- Kotlin with Coroutines
- isoparser-1.0.6 (MP4 parsing library)

Developer Machine (from builddef.lst):
- Build path: /home/sannies/.m2/repository/...
- Username: sannies (Linux/macOS Maven build environment)
- NOTE: This is from the isoparser library, not the app itself

Developer Machine (from mkcert cert - res/XH.pem):
- Computer: DESKTOP-CV5TMVD
- Username: MQT
- OS: Windows

Developer Organization (from CERT.RSA):
- Organization: TSIT
- Location: Mashhad, Khorasan Razavi, Iran

Third-Party Libraries:
- OkHttp3 (HTTP client)
- Glide (image loading: com.bumptech.glide)
- ExoPlayer (media player)
- Fetch2 (file download library: com.tonyodev.fetch2)
- Fetch2 FileServer (com.tonyodev.fetch2fileserver)
- UCrop (image cropping: com.yalantis.ucrop)
- Google Play Services (auth, location, cloud messaging)
- AndroidX full suite
- Room (local database)
- DataBinding
- Core-js 3.45.0 (JavaScript polyfills)

================================================================================
9. SECURITY MISCONFIGURATIONS
================================================================================

[CRITICAL] webContentsDebuggingEnabled: true
  - Chrome DevTools can attach to the WebView on any device
  - Allows real-time inspection of all web traffic, DOM, JS console
  - This should NEVER be true in a production release
  - Exploitation: Connect via chrome://inspect on a connected device

[HIGH] server.cleartext: true
  - App allows HTTP (non-HTTPS) traffic
  - Man-in-the-middle attacks possible
  - Data can be intercepted on insecure networks

[HIGH] Embedded mkcert development CA certificate
  - Production APK ships with a developer's local CA cert
  - If this CA is trusted by the app, it could enable MITM
  - Exposes developer identity (OPSEC failure)

[MEDIUM] AllowMixedContent: false (but cleartext true)
  - Conflicting security settings

[MEDIUM] SMS Retriever Plugin
  - cordova-plugin-sms-retriever-manager present
  - Can intercept SMS messages (OTP theft potential)

[INFO] Google API Key exposed
  - AIzaSyDp9K7YksfYf-JvGOS7YCNv7JbA9P-XemE
  - Can be tested for Firebase API access
  - May have overly permissive scopes
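The three release-hygiene defects called out in sections 5 and 9 (a PEM certificate bundled in the APK, webContentsDebuggingEnabled left on, cleartext allowed while mixed content is blocked) are all detectable from the archive alone, before a build is shipped. The Python below is an added example written for this report, not code from the report's author or from the Fars app: it treats the APK as the ZIP it is, scans every entry for PEM certificate blocks, and reads the Capacitor runtime config from assets/capacitor.config.json (the path Capacitor uses for its packaged config is assumed here). The sample archive, its appId, its allowNavigation host and the placeholder PEM body are constructed for the demonstration.

```python
"""
Pre-release APK hygiene check (added example; assumptions noted inline).

Findings produced:
  1. PEM certificate blocks bundled anywhere in the archive (e.g. a
     developer's mkcert CA shipped under res/).
  2. Risky flags in assets/capacitor.config.json: android.webContentsDebuggingEnabled,
     server.cleartext, the cleartext/allowMixedContent conflict, and a wildcard
     in server.allowNavigation.
"""
import io
import json
import re
import zipfile

# PEM certificate block, matched on raw bytes so binary entries are scanned too.
PEM_CERT_RE = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# Assumption: Capacitor packages its runtime config at this path inside the APK.
CAPACITOR_CONFIG = "assets/capacitor.config.json"


def find_embedded_certificates(apk: zipfile.ZipFile) -> list[tuple[str, int]]:
    """Return (entry name, PEM block count) for every entry containing a PEM certificate."""
    hits = []
    for info in apk.infolist():
        # META-INF/ holds the APK's own signing material (DER, not PEM); skip it.
        if info.is_dir() or info.filename.startswith("META-INF/"):
            continue
        count = len(PEM_CERT_RE.findall(apk.read(info.filename)))
        if count:
            hits.append((info.filename, count))
    return hits


def audit_capacitor_config(apk: zipfile.ZipFile) -> list[tuple[str, str]]:
    """Return (severity, message) findings for the Capacitor config, empty if absent."""
    if CAPACITOR_CONFIG not in apk.namelist():
        return []
    cfg = json.loads(apk.read(CAPACITOR_CONFIG))
    server = cfg.get("server", {})
    android = cfg.get("android", {})
    findings = []
    if android.get("webContentsDebuggingEnabled") is True:
        findings.append(("CRITICAL", "android.webContentsDebuggingEnabled is true: "
                                     "WebView is inspectable with DevTools"))
    if server.get("cleartext") is True:
        findings.append(("HIGH", "server.cleartext is true: plain HTTP traffic permitted"))
        if android.get("allowMixedContent") is False:
            findings.append(("MEDIUM", "allowMixedContent false while cleartext true: "
                                       "conflicting settings"))
    if "*" in server.get("allowNavigation", []):
        findings.append(("HIGH", "server.allowNavigation contains '*': "
                                 "any origin may be loaded in the WebView"))
    return findings


def audit_apk(apk_bytes: bytes) -> dict:
    """Run both checks over an APK held in memory and return the combined report."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return {
            "embedded_certificates": find_embedded_certificates(apk),
            "config_findings": audit_capacitor_config(apk),
        }


def build_sample_apk() -> bytes:
    """Constructed sample archive reproducing the misconfiguration classes above."""
    fake_pem = (b"-----BEGIN CERTIFICATE-----\n"
                b"MIIBconstructedPlaceholderNotARealCertificate==\n"   # constructed, not a real cert
                b"-----END CERTIFICATE-----\n")
    config = {
        "appId": "com.example.app",                                  # constructed
        "server": {"cleartext": True, "allowNavigation": ["example.invalid"]},
        "android": {"webContentsDebuggingEnabled": True, "allowMixedContent": False},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        z.writestr(CAPACITOR_CONFIG, json.dumps(config))
        z.writestr("res/raw/dev_ca.pem", fake_pem)
    return buf.getvalue()


if __name__ == "__main__":
    report = audit_apk(build_sample_apk())
    for name, count in report["embedded_certificates"]:
        print(f"[HIGH] {count} PEM certificate block(s) bundled in {name}")
    for severity, message in report["config_findings"]:
        print(f"[{severity}] {message}")
```

Pointing audit_apk at a real build (read the .apk file into bytes) turns this into a CI gate: fail the release if embedded_certificates is non-empty or any CRITICAL/HIGH config finding is present. Binary entries such as resources.arsc are scanned byte-for-byte, so a PEM block hidden in a compiled resource is caught as well as one stored as a loose file under res/.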
================================================================================
10. CAPACITOR / CORDOVA PLUGINS
================================================================================

CAPACITOR PLUGINS (from capacitor.plugins.json):
  @agorapulse/capacitor-mediastore              -- Media storage access
  @capacitor-community/contacts                 -- Contact list access
  @capacitor-community/device-security-detect   -- Root/jailbreak detection
  @capacitor-community/file-opener              -- Open arbitrary files
  @capacitor-community/keep-awake               -- Prevent sleep
  @capacitor-community/media                    -- Media gallery access
  @capacitor/app                                -- App lifecycle
  @capacitor/app-launcher                       -- Launch other apps
  @capacitor/browser                            -- In-app browser
  @capacitor/camera                             -- Camera capture
  @capacitor/clipboard                          -- Clipboard access
  @capacitor/device                             -- Device info collection
  @capacitor/dialog                             -- Native dialogs
  @capacitor/filesystem                         -- Full filesystem access
  @capacitor/geolocation                        -- GPS tracking
  @capacitor/haptics                            -- Vibration
  @capacitor/keyboard                           -- Keyboard control
  @capacitor/local-notifications                -- Local push notifications
  @capacitor/network                            -- Network state monitoring
  @capacitor/preferences                        -- Local storage
  @capacitor/push-notifications                 -- FCM push notifications
  @capacitor/share                              -- Share content
  @capacitor/splash-screen                      -- Splash screen
  @capacitor/status-bar                         -- Status bar control
  @capacitor/text-zoom                          -- Text accessibility
  @capacitor/toast                              -- Toast messages
  @capawesome/capacitor-badge                   -- App badge count
  @capawesome/capacitor-file-picker             -- File picker
  @capawesome/capacitor-photo-editor            -- Photo editing
  @christoffyw/capacitor-media-session          -- Media session control
  @hugotomazi/capacitor-navigation-bar          -- Navigation bar
  capacitor-native-settings                     -- System settings access
  capacitor-plugin-safe-area                    -- Safe area insets
  send-intent                                   -- Android intent sharing

CORDOVA PLUGINS (from cordova_plugins.js):
  cordova-plugin-app-exit                       -- Force app exit
  cordova-plugin-appminimize                    -- Minimize app
  cordova-plugin-buildinfo                      -- Build information exposure
  cordova-plugin-device                         -- Device fingerprinting
  cordova-plugin-file                           -- File system access
  cordova-plugin-file-opener2                   -- Open files externally
  cordova-plugin-inappbrowser                   -- Embedded browser
  cordova-plugin-network-information            -- Network monitoring
  cordova-plugin-notification-badge             -- Badge count
  cordova-plugin-notification-local             -- Local notifications
  cordova-plugin-sms-retriever-manager          -- SMS interception
  es6-promise-plugin                            -- Promise polyfill

NOTE ON device-security-detect PLUGIN: This plugin checks if the device is
rooted or jailbroken. This is common in apps that want to:
  a) Prevent reverse engineering (which we just did)
  b) Enforce DRM or security policies
  c) Detect analysis environments

================================================================================
11. ACTIONABLE INTELLIGENCE SUMMARY
================================================================================

CONFIRMED SECRETS:
  [1] Google API Key:  AIzaSyDp9K7YksfYf-JvGOS7YCNv7JbA9P-XemE
  [2] Firebase App ID: 1:823560469881:android:a2e494ac003a2969c383a8
  [3] GCM Sender ID:   823560469881
  [4] Storage Bucket:  fars-next.appspot.com
  [5] OAuth Client ID: 823560469881-rqin08q6q2drg8aq740db4j34980t9cp.apps.googleusercontent.com

CONFIRMED ENDPOINTS:
  [6] https://farsnews.ir/_hybrid/ (main app backend)
  [7] https://dl.farsnews.ir/webview (content delivery)
  [8] https://dl.gaplication.com/asset/ (CDN for assets)
  [9] firebaseinstallations.googleapis.com (Firebase API)

DEVELOPER ATTRIBUTION:
  [10] Organization: TSIT (Mashhad, Khorasan Razavi, Iran)
  [11] Certificate CN: Fars Next
  [12] Developer Machine: DESKTOP-CV5TMVD (Windows, user: MQT)

RECOMMENDED FOLLOW-UP:
  1. Test Google API key against Firebase REST APIs:
     curl "https://firebaseinstallations.googleapis.com/..." -H "x-goog-api-key: AIzaSyDp9K7YksfYf-JvGOS7YCNv7JbA9P-XemE"
  2. Enumerate fars-next.appspot.com for public storage objects
  3. Probe https://farsnews.ir/_hybrid/ API for endpoints
  4. Probe https://dl.farsnews.ir/ for directory listing
  5. Research TSIT (Mashhad) as the development contractor
  6. Install jadx or apktool for full Java decompilation of classes.dex
     (would yield complete source code reconstruction)
  7. Research dl.gaplication.com infrastructure (non-.ir CDN)
  8. Test FCM push with sender ID 823560469881

================================================================================
END OF REPORT
================================================================================