Mirage Realms MMORPG    https://play.google.com/store/apps/details?id=com.foxcake.mirage.android
Version:                0.3.81
By Ross Marks:          http://www.rossmarks.uk
Exploit-db:             https://www.exploit-db.com/author/?a=8724
Category:               Android
Screenshot:             http://rossmarks.uk/whitepapers/apps/mirage/Mirage_0.3.81.png

1) Insecure Storage - Plaintext Password

Usernames and passwords for this application are stored in plaintext in the file "shared_prefs/Mirage Preferences.xml". This is demonstrated in the center of the screenshot.

2) Unencrypted Communications

All traffic between the client and the server is sent in plaintext. This allows an attacker suitably placed on the network to intercept communications, reading the login credentials with ease or modifying traffic in transit. This is demonstrated at the bottom of the screenshot with a wireshark capture of a user logging in.

3) Lack of Binary Protection

As shown in the background of the screenshot the source code was easily readable by decompiling the apk. Using this it was possible to find the endpoint easily (miragerealms.servegame.com:1337) amongst other sensitive information.