description.json
{
"_comment": "DO NOT CHANGE THE KEY!",
"Activity": "List of all activities present in the app.",
"ExportedActivity": "Exported Activities are accessible to 3rd party apps. Hence sensitive activities should not be exported.",
"BroadcastReceiver": "List of all the Broadcast receivers present in the app",
"ExportedReceiver": "Exported broadcast receivers can be triggered by 3rd party apps. Make sure no sensitive activity is started by the receiver.",
"Permission": "List of all permissions used by the app.",
"CriticalPerm": "List of all the critical permissions used by the app.",
"CustomPerm": "List of all custom permissions used by the app",
"Deeplinks": "List of all the deeplinks registered in the app.",
"Service": "List of all services that are present in the app.",
"ExportedService": "Exported services are accessible to 3rd party apps in the device. Always make sure the exported component is not dealing with sensitive data.",
"Taskaffinity": "Malicious apps can register with the same task affinity as the registered activity. This could lead to a phishing attack.",
"ImplicitIntent": "Implicit pending intents that do not define the components to be sent can be hijacked by 3rd party apps",
"Provider": "List of all the providers used in the app",
"Unsafe_Intent_Urls": "Parsing URIs without verifying package could be exploited by malicious apps by getting URIs parsed from the benign app's context.",
"File_Access_Via_Urls": "The webview allows access to local files. Without input filtering, 3rd party sites will be able to access files from the device.",
"Content_Access_Via_Urls": "JavaScript from 3rd parties can access the app's content providers",
"Unencrypted_Socket_Communications": "Transmits data over HTTP. This can lead to MiTM attacks",
"Insecure_Socket_Factory": "Uses SSLCertificateSocketFactory.getInsecure() to retrieve certificates which can lead to MiTM attacks.",
"No_Tls_Validity_Checks": "Not validating the certificate's validity. This may allow expired certificates to be trusted",
"Sticky_Broadcasts": "Sticky broadcasts can leak sensitive information unintentionally.",
"Empty_Pending_Intents": "Apps that use a Pending Intent with base intent empty are vulnerable to leaking privilege",
"Dynamic_or_exported_Broadcast_Receivers": "Dynamically registered broadcast receivers are exported by default",
"Ecb_Instances": "ECB cipher mode has known vulnerabilities. Sensitive data is not safe if encrypted using ECB",
"Javascript_Enabled": "Enabling JavaScript allows for a variety of attacks if not checked thoroughly",
"Overwritable_Cookie": "Webview allows storing cookies which could be overwritten by malicious sites from the same origin.",
"Weak_Dynamic_Invocation_Checks_On_Content_Providers": "Apps that use the call() in the Content Provider API are vulnerable to exposing the underlying data store to unauthorized read and write",
"execSQL_used": "Apps that use SQLiteDatabase.execSQL() method to construct non-parameterized SQL queries are vulnerable to SQL injection attacks",
"SharedPrefs_usage": "The application uses the sharedpreferences API to store data in the device. If sensitive data is stored, it will be accessible on rooted devices to all the applications",
"SQLite_DB_usage": "The application uses SQLite DB to store data in the device. If sensitive data is stored, it will be accessible on rooted devices to all the applications.",
"Urls": "List of all the URLs used in the app.",
"Strings": "List of all the hardcoded strings in the native libraries.",
"Api_keys": "List of all the exposed API key(s) in the app",
"Internal_Storage_usage": "The application uses internal storage. If sensitive data is stored, it will be accessible on rooted devices.",
"Keystore_usage": "The application uses Keystore. Make sure best security practices are followed. Recommendations: AES in GCM mode"
}