Android Secure Coding Rules 與範例

DRD00. Do not store sensitive information on external storage (SD card) unless encrypted first
DRD01-X. Limit the accessibility of an app’s sensitive content provider
DRD02-J. Do not allow WebView to access sensitive local resource through file scheme
DRD03-J. Do not broadcast sensitive information using an implicit intent
DRD04-J. Do not log sensitive information
DRD05-J. Do not grant URI permissions on implicit intents
DRD06. Do not act on malicious intents
DRD07-X. Protect exported services with strong permissions
DRD08-J. Always canonicalize a URL received by a content provider
DRD09. Restrict access to sensitive activities
DRD10-X. Do not release apps that are debuggable
DRD11. Ensure that sensitive data is kept secure
DRD12. Do not trust data that is world writable
DRD13. Do not provide addJavascriptInterface method access in a WebView which could contain untrusted content. (API level JELLY_BEAN or below)
DRD14-J. Check that a calling app has appropriate permissions before responding
DRD15-J. Consider privacy concerns when using Geolocation API
DRD16-X. Explicitly define the exported attribute for private components
DRD17-J. Do not use the Android cryptographic security provider encryption default for AES
DRD18. Do not use the default behavior in a cryptographic library if it does not use recommended practices
DRD19. Properly verify server certificate on SSL/TLS
DRD20-C. Specify permissions when creating files via the NDK
DRD21-J. Always pass explicit intents to a PendingIntent
DRD22. Do not cache sensitive information
DRD23-J. Do not use loopback when handling sensitive data
DRD24. Do not bundle OAuth security-related protocol logic or sensitive data into a relying party’s app
DRD25. To request user permission for OAuth, identify relying party and its permissions scope
DRD26-J. For OAuth, use a secure Android method to deliver access tokens

Checker code	Description	Default severity	Enabled by default?
`ANDROID.LIFECYCLE.SV.FRAGMENTINJ`	Unvalidated fragment class name	1	true
`ANDROID.LIFECYCLE.SV.GETEXTRA`	Unvalidated external data	3	true
`ANDROID.NPE`	Dereference of a null value in an Android application	4	true
`ANDROID.RLK.MEDIAPLAYER`	Media player is not released on exit	1	true
`ANDROID.RLK.MEDIARECORDER`	Media recorder is not released on exit	1	true
`ANDROID.RLK.SQLCON`	Sql connection is not closed on exit	1	true
`ANDROID.RLK.SQLOBJ`	Sql object is not closed on exit	1	true
`ANDROID.UF.BITMAP`	Usage of recycled bitmap	2	true
`ANDROID.UF.CAMERA`	Usage of released camera	2	true
`ANDROID.UF.MEDIAPLAYER`	Usage of released media player	2	true
`ANDROID.UF.MEDIARECORDER`	Usage of released media recorder	2	true

軟體品管的專業思維

網路與病毒分析、資訊安全測試、安全自動化測試資料庫與網站效能調教 tony@qa-knowhow.com。FB粉絲專頁 https://www.facebook.com/QA.KnowHow

Android Secure Coding Rules 與範例

Android Secure Coding Rules 與範例

Reference

Leave a Reply Cancel reply

Android Secure Coding Rules 與範例

Reference

Related Posts

Leave a Reply Cancel reply