This repository has been archived by the owner on Feb 16, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 59
/
rules.json
254 lines (254 loc) · 13.4 KB
/
rules.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
[{
"regex": "(?:(?:ftp|http)s?:\/\/|www\\.)[\\w\\.-]+\\.[[:alpha:]]{2,6}(?:\/[\\w\\.\/-]*)?",
"whitelist": [
"schemas.android.com",
"www.w3.org",
"www.apache.org/licenses",
"play.google.com/store/apps",
"dev.twitter.com/docs",
"api.twitter.com",
"crashlytics.com/spi/v\\d",
"com.android.calendar/events",
"www.googleapis.com/auth",
"market://details",
"developers.facebook.com/docs",
"content://.*"
],
"label": "URL Disclosure",
"description": "The decompilation of the source code could lead to the disclosure of private URLs.",
"criticality": "warning"
}, {
"regex": "catch\\s*\\(\\s*(?:(?:\\s*\\|?\\s*\\w+)*\\s*\\|)?\\s*Exception|SystemException|ApplicationException\\s*(?:(?:\\s*\\|\\s*\\w+)*)?\\s+\\w+\\s*\\)",
"criticality": "low",
"label": "Generic Exception in catch",
"description": "Exception catching should be specific. Generic Exception type could not be safe and lead to silent error suppresion",
"include_file_regex": ".java$"
}, {
"regex": "throws\\s+(?:\\w*\\s*,\\s*)*Exception|SystemException|ApplicationException\\s*[,{]",
"criticality": "low",
"label": "Generic Exception in Throws",
"description": "The exceptions thrown by a method should be specific. Generic Exception type could could not be safe and lead to silent error suppresion.",
"include_file_regex": ".java$"
}, {
"regex": "(?:setVisible\\s*\\(\\s*View\\s*\\.\\s*(?:INVISIBLE|invisible)\\s*\\))|(?:android:visibility\\s*=\\s*\"invisible\")|(?:android:background\\s*=\\s*\"(?i)(?:@?null)\")",
"criticality": "warning",
"label": "Hidden fields",
"description": "Hidden fields are often used to cover data from the user, but they are discouraged, since they can lead to data disclosure.",
"include_file_regex": ".java$"
}, {
"regex": "[^0-9a-zA-Z\\n.](?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)",
"criticality": "warning",
"label": "IP Disclosure",
"description": "The decompilation of the source code could lead to the disclosure of private IPs."
}, {
"regex": "Math\\s*\\.\\s*random\\s*\\(\\s*\\)|Random\\s*\\(\\s*\\)",
"criticality": "low",
"label": "Math Random method",
"description": "This method is not as random as it is supossed to be. It should not be use to generate OTP codes.",
"include_file_regex": ".java$"
}, {
"regex": "Log\\s*\\.\\s*(?:w(?:tf)?|e|d|i|v)+\\s*\\((?:\\s*\"?(?:[A-Za-z0-9])*(?:.)*\"?\\s*),(?:\\s*\"(?:[[:alnum:]])*(?:.)*\"\\s*\\+)?\\s*(?:[A-Za-z0-9.\\(\\)\\[\\]-])*(?:_(?:[A-Za-z0-9.\\(\\)\\[\\]-])*)*\\s*(?:(?:\\+\\s*(?:[A-Za-z0-9.\\(\\)\\[\\]-])*(?:_(?:[A-Za-z0-9.\\(\\)\\[\\]-])*)*\\s*)*)?\\)\\s*;",
"criticality": "low",
"label": "Unchecked output in Logs",
"description": "Sensitive information should never be logged since it can lead to that information being disclosed.",
"include_file_regex": ".java$"
}, {
"regex": "(?:(?:\\b[[:upper:]]{1}:)\\\\\\s*[^0 !$&*(?:)+]\\w.+)|(?:(?:\\b[[:upper:]]{1}:)\\\\)",
"criticality": "warning",
"label": "Hardcoded file separator",
"description": "Paths like C:\\\\Program Files\\\\... can cause problems, and are considered vulnerabilities, since some OSs use backslashes `\\\\` (DOS\/Windows) and others slashes `\/` (Unix)."
}, {
"regex": "(?:DESKeySpec)|(?:getInstance\\(\\s*\"?\\s*(?:md5|MD5|md4|MD4)\\s*\"?\\s*\\))|(?:getInstance\\(\\s*\"?\\s*(?:sha-1|SHA-1)\\s*\"?\\s*\\))|(?:getInstance\\(\\s*\"?\\s*(?:rc2|RC2|rc4|RC4|AES\\s*\/\\s*ECB|(rsa|RSA)\/.+\/nopadding)\\s*\"?\\s*\\))",
"criticality": "high",
"label": "Weak Algorithms",
"description": "Using weak algorithms allows an attacker to break the cyphered communications gaining access to plain text content.",
"include_file_regex": ".java$"
}, {
"regex": "(?:Thread|thread|SystemClock)\\s*\\.\\s*sleep\\s*\\(\\s*(?:(?:\\d+(?:\\s*\\+\\s*\\d*\\s*)*\\s*\\+\\s*[[:alpha:]]+(?:(?:\\s*\\+\\s*(?:\\d|[[:alpha:]])*)*)?)|(?:[[:alpha:]]+\\s*(?:\\+\\s*(?:\\d|[[:alpha:]])*(?:\\s*\\+\\s*(?:\\d|[[:alpha:]])*)*)?))\\s*\\)\\s*;",
"criticality": "low",
"label": "Sleep Method",
"description": "Sleep Method is used with vars as arguments. If those vars are modified it could force the aplication to stop indefinitely.",
"include_file_regex": ".java$"
}, {
"regex": "(?:(?:Context\\.)?MODE_WORLD_READABLE)|(?:openFileOutput\\(\\s*\"?.+\"?\\s*,\\s*1\\s*\\))",
"criticality": "high",
"label": "World readable permissions",
"description": "Setting world readable permissions allows to anyone (with access to the target file) to read file content.",
"include_file_regex": ".java$"
}, {
"regex": "(?:(?:Context\\.)?MODE_WORLD_WRITABLE)|(?:openFileOutput\\(\\s*\"?.+\"?\\s*,\\s*2\\s*\\))",
"criticality": "high",
"label": "World writable permissions",
"description": "Setting world writable permissions allows to anyone (with access to the target file) to modify file content.",
"include_file_regex": ".java$"
}, {
"regex": "\\.getExternal(?:Storage|FilesDir)(?:\\(.*\\))?",
"permissions": [
"android.permission.WRITE_EXTERNAL_STORAGE"
],
"criticality": "high",
"label": "Write-Read in external storage",
"description": "Application can read\/write in external storage. Any app can read data written in external storage.",
"include_file_regex": ".java$"
}, {
"regex": "\\.createTempFile\\(.*\\)",
"permissions": [
"android.permission.WRITE_EXTERNAL_STORAGE"
],
"criticality": "high",
"label": "Temp File Use",
"description": "Applications is creating temp files. Sensitive information should never be written in temp files.",
"include_file_regex": ".java$"
}, {
"regex": "setJavaScriptEnabled\\(true\\)",
"forward_check": "\\.addJavascriptInterface\\(.*\\)",
"criticality": "critical",
"label": "WebView XSS",
"description": "Webview insecure implementation. This issue could allow to a remote attacker to code execution in WebView and performing Cross Site Scripting attacks.",
"include_file_regex": ".java$"
}, {
"regex": "onReceivedSslError\\s*\\(\\s*WebView\\s*.*\\)",
"forward_check": "\\.\\s*proceed\\(\\s*\\)\\s*;",
"criticality": "critical",
"label": "WebView ignores SSL errors",
"description": "WebView is ignoring SSL errors and it accepts any SSL certificate. This application could be affected by Man in the Middle attacks.",
"include_file_regex": ".java$"
}, {
"regex": "android\\.database\\.sqlite",
"forward_check": "(?:rawQuery|execSQL)\\(.*\"\\s*\\+\\s*.*\\)",
"criticality": "critical",
"label": "SQL injection",
"description": "This application is vulnerable to SQL injection. Any data stored in database can be exposed as any attacker is able to retrive, modify and delete the stored information.",
"include_file_regex": ".java$"
}, {
"regex": "net\\.ssl",
"forward_check": "(?:(?:Trust)?All(?:Trust)?SSLSocket(?:-)?Factory|NonValidatingSSLSocketFactory|ALLOW_ALL_HOSTNAME_VERIFIER|\\.setDefaultHostnameVerifier\\(.*\\)|NullHostnameVerifier\\(.*\\))",
"criticality": "critical",
"label": "Accepting all SSL certificates",
"description": "Insecure application SSL implementation. This application accepts all certificates, including self signed by default. This is a critical issue as Man in the Middle attacks may be performed.",
"include_file_regex": ".java$"
}, {
"regex": "telephony.SmsManager",
"forward_check": "send(?:Multipart)?TextMessage|vnd\\.android-dir\/mms-sms",
"criticality": "warning",
"label": "Sending sms-mms",
"description": "This application is sending sms or mms and it might be without the user's knowledge.",
"include_file_regex": ".java$"
}, {
"regex": "com\\.noshufou\\.android\\.su|com\\.thirdparty\\.superuser|eu\\.chainfire\\.supersu|com\\.koushikdutta\\.superuser|eu\\.chainfire\\.",
"criticality": "medium",
"label": "Super user privileges.",
"description": "This applications may require super user privileges.",
"include_file_regex": ".java$"
}, {
"regex": ".\\s*contains\\s*\\(\\s*\"test-keys\"\\s*\\)|\/system\/app\/Superuser.apk|isDeviceRooted\\s*\\(\\s*\\)|\/system\/bin\/failsafe\/su|\/system\/sd\/xbin\/su|RootTools.isAccessGiven\\s*\\(\\s*\\)",
"criticality": "high",
"label": "Rooted device detection",
"description": "This applications is performing checks for rooted device. This could be use to execute specific code if the device is rooted to take control of it.",
"include_file_regex": ".java$"
}, {
"regex": "telephony\\.TelephonyManager",
"forward_check": "getCellLocation",
"criticality": "warning",
"label": "Cell Location (Base Stations)",
"description": "This app is using cell location by Base Station method. This process might be performed without the user's knowledge.",
"include_file_regex": ".java$"
}, {
"regex": "telephony\\.TelephonyManager ",
"forward_check": "getDeviceId\\s*\\(",
"criticality": "warning",
"label": "Get Device ID",
"description": "The application is recording the device ID (IMEI). This process might be performed without the user's knowledge.",
"include_file_regex": ".java$"
}, {
"regex": "telephony\\.TelephonyManager",
"forward_check": "getSimSerialNumber\\s*\\(",
"criticality": "warning",
"label": "Get SIM Serial",
"description": "The application is recording the SIM serial. This process might be performed without the user's knowledge.",
"include_file_regex": ".java$"
}, {
"regex": "android\\.location ",
"forward_check": "getLastKnownLocation\\s*\\(|requestLocationUpdates\\s*\\(|getLatitude\\s*\\(|getLongitude\\s*\\(",
"criticality": "warning",
"label": "GPS location",
"description": "This app is using cell location by GPS method. This process might be performed without the user's knowledge.",
"include_file_regex": ".java$"
}, {
"regex": "android\\.util\\.Base64",
"forward_check": "\\.encode(?:ToString)?",
"criticality": "warning",
"label": "Base64 Encode",
"description": "This application is using Base64 encoding. This is not a secure method to encode data.",
"include_file_regex": ".java$"
}, {
"regex": "android\\.util\\.Base64",
"forward_check": "\\.decode\\s*\\(",
"criticality": "warning",
"label": "Base64 decode",
"description": "This application is using Base64 decoding.",
"include_file_regex": ".java$"
}, {
"regex": "while\\s*\\(\\s*true\\s*\\)",
"criticality": "warning",
"label": "Infinite Loop",
"description": "The application contains infinite loops. It is not a good practice to use infinite loops inside a program.",
"include_file_regex": ".java$"
}, {
"regex": "[.-_\\w]+@[-_\\w]+\\.[\\w.]+",
"criticality": "warning",
"label": "Email disclosure",
"description": "The decompilation of the source code could lead to the disclosure of private email information."
}, {
"regex": "\"\\s*\\w*\\.\\s*(?:p12|key|pub|crt|cert|pem|cer|jks|bks)(?:\\s*|\")",
"criticality": "warning",
"label": "Certificate or Keystore disclosure",
"description": "The decompilation of the source code could lead to the disclosure of hardcoded certificate or keystore."
}, {
"regex": "telephony\\.TelephonyManager",
"forward_check": "getSimOperator\\s*\\(",
"criticality": "warning",
"label": "Get SIM Operator",
"description": "The application is recording the device network operator. This process might be performed without the user's knowledge.",
"include_file_regex": ".java$"
}, {
"regex": "telephony\\.TelephonyManager",
"forward_check": "getSimOperatorName\\s*\\(",
"criticality": "warning",
"label": "Get SIM OperatorName",
"description": "The application is recording the device network operator name. This process might be performed without the user's knowledge.",
"include_file_regex": ".java$"
}, {
"regex": "utils\\s*\\.\\s*AESObfuscator",
"forward_check": "getObfuscator",
"criticality": "warning",
"label": "Obfuscated code",
"description": "The code of this application could be obfuscated.",
"include_file_regex": ".java$"
}, {
"regex": "getRuntime\\s*\\(\\s*\\)\\s*\\.\\s*exec\\s*\\(",
"criticality": "high",
"label": "System command execution",
"description": "The application could execute system command.",
"include_file_regex": ".java$"
}, {
"regex": "net\\.ssl\\.SSLSocketFactory|net\\.SSLCertificateSocketFactory",
"forward_check": "getInsecure\\s*\\(",
"criticality": "high",
"label": "SSL getInsecure method",
"description": "Insecure application SSL implementation. This applications in using the getInsecure Method which returns a new instance of a socketFactory with all SSL security checks disabled. These sockets are vulnerable to MITM attacks.",
"include_file_regex": ".java$"
}, {
"regex": "finally\\s*\\{\\s*[\\w.(?:);-_ ]*\\s*return",
"criticality": "low",
"label": "Finally with return statement",
"description": "Finally structure with return statement inside will bypass any error thrown.",
"include_file_regex": ".java$"
}, {
"regex": "(?P<fc1>\\w+)\\s*=.*\\.getText.*;",
"forward_check": "(?:Thread|thread|SystemClock)\\s*\\.\\s*sleep\\s*\\(\\s*[A-Za-z0-9_\".(?:)]*\\s*\\+?\\s*{fc1}\\s*\\+?\\s*[A-Za-z0-9_\".(?:)]*\\s*\\)\\s*;",
"criticality": "high",
"label": "Sleep Method",
"description": "Sleep Method is used with vars as arguments. If those vars are modified it could force the aplication to stop indefinitely.",
"include_file_regex": ".java$"
}]