118 lines
7.6 KiB
INI
118 lines
7.6 KiB
INI
com.bartek.esa.core.archetype.JavaPlugin.NO_PACKAGE=There is no package defined in AndroidManifest.xml file. \n\
|
|
Package should be defined as attribute of <manifest> tag.\n\
|
|
For example: <manifest package="com.bartek.esa.test">\n\
|
|
Please fix it to use this tool.
|
|
|
|
com.bartek.esa.core.plugin.LoggingPlugin=Potential data leakage in logs. \n\
|
|
Logging method was detected. Please check if no sensitive data is logged there.
|
|
|
|
com.bartek.esa.core.plugin.DebuggablePlugin.NO_ATTR=There is no android:debuggable option. Potential data leakage. \n\
|
|
The android:debuggable option was not found in the AndroidManifest.xml file. \n\
|
|
To avoid any potential data leakage in the future, please explicitly set this flag to false. \n\
|
|
The attribute should be placed in <application> tag.\n\
|
|
For example: <application android:debuggable="false">
|
|
|
|
com.bartek.esa.core.plugin.DebuggablePlugin.NO_FALSE=The android:debuggable is set to 'true'. Potential data leakage. \n\
|
|
The android:debuggable option in AndroidManifest.xml is set to 'true'. \n\
|
|
This will cause application to be debuggable and can result in \
|
|
security issues and data leakage on the production environment. \n\
|
|
Consider setting it to 'false'.
|
|
|
|
com.bartek.esa.core.plugin.AllowBackupPlugin.NO_ATTR=There is no android:allowBackup option. Potential data leakage. \n\
|
|
The android:allowBackup option was not found in the AndroidManifest.xml file. \n\
|
|
To avoid any potential data theft in the future, please explicitly set this flag to false. \n\
|
|
The attribute should be placed in <application> tag.\n\
|
|
For example: <application android:allowBackup="false">
|
|
|
|
com.bartek.esa.core.plugin.AllowBackupPlugin.NO_FALSE=The android:allowBackup is set to 'true'. Potential data leakage. \n\
|
|
The android:allowBackup option in AndroidManifest.xml is set to 'true'. \n\
|
|
This will allow accessing the backups via adb if device has USB debugging enabled.\n\
|
|
Consider setting it to 'false'.
|
|
|
|
com.bartek.esa.core.plugin.PermissionsRaceConditionPlugin=Potential permissions race condition vulnerability. \n\
|
|
There are declared custom permissions in AndroidManifest.xml and the minimal API version is set to ${minSdkVersion} that is less than 21.\n\
|
|
It means that declared permissions can be obtained by malicious application installed before and without need of having 1proper signature.\n\
|
|
Consider setting minimal API version to 21 at least.
|
|
|
|
com.bartek.esa.core.plugin.SecureRandomPlugin=Initializing SecureRandom object with custom seed. \n\
|
|
Specifying custom seed for SecureRandom can produce predictable sequence of numbers. \n\
|
|
Please create SecureRandom object without any arguments instead.
|
|
|
|
com.bartek.esa.core.plugin.ImplicitIntentsPlugin.IMPLICIT_INTENT=Creating implicit intent. Potential data leakage. \n\
|
|
Implicit intents can be abused in man-in-the-middle attack. Malicious application can hijack intent and start its\n\
|
|
activity/send service etc. to steal sent data. \n\
|
|
Also make sure that no sensitive information is passing to this intent.
|
|
|
|
com.bartek.esa.core.plugin.ImplicitIntentsPlugin.PENDING_INTENT=Creating pending intent from implicit intent. Potential permission escalation vulnerability\n\
|
|
As far as pending intents contains UID of issuing application and its permissions, they should be fed only\n\
|
|
with explicit intents to avoid permission escalation vulnerability.
|
|
|
|
com.bartek.esa.core.plugin.SharedUidPlugin=Making use of shared UserID.\n\
|
|
Shared UserID violates a sandbox nature of Android system. All applications working with the same UID work also \n\
|
|
within the same process and share granted permissions, resources and so on.\n\
|
|
Remember, that if you really want to use this feature, after publishing your app, you won't be able to change it anymore.
|
|
|
|
com.bartek.esa.core.plugin.UsesSdkPlugin.NO_USES_SDK=There is no <uses-sdk> defined in AndroidManifest.xml file.\n\
|
|
In order to use this tool, <uses-sdk> should be defined in AndroidManifest.xml with android:minSdkVersion attribute at least.\n\
|
|
This element should be placed below the root (<manifest>) level.\n\
|
|
For example:\n\
|
|
<manifest>\n\
|
|
\t<uses-sdk android:minSdkVersion="23">\n\
|
|
\t...\n\
|
|
</manifest>
|
|
|
|
com.bartek.esa.core.plugin.UsesSdkPlugin.USES_SDK.NO_MIN_SDK_VERSION=There is no minSdkVersion defined in AndroidManifest.xml file.\n\
|
|
In order to use this tool, minimal SDK version should be provided as the attribute of <uses-sdk> element.\n\
|
|
For example: <uses-sdk android:minSdkVersion="23">
|
|
|
|
com.bartek.esa.core.plugin.UsesSdkPlugin.USES_SDK.MAX_SDK_VERSION=Application defines an upper limit for API version.\n\
|
|
The android:maxSdkVersion is set to ${maxSdkVersion} in AndroidManifest.xml.\n\
|
|
There is no need to limit available platforms for application.\n\
|
|
Furthermore it can cause unexpected application uninstall\n\
|
|
on upgrading Android version (along with API which can exceed defined maximal API version).
|
|
|
|
com.bartek.esa.core.plugin.CipherInstancePlugin=Not fully-qualified algorithm name provided in Cipher.getInstance() method.\n\
|
|
Passing a shortcut instead of fully-qualified algorithm name in Cipher.getInstance() method is not portable across providers\n\
|
|
and can impact the system low secure than intended to be.\n\
|
|
Fully-qualified name matches the pattern: algorithm/mode/pattern\n\
|
|
For example: AES/CBC/PKCS5Padding
|
|
|
|
com.bartek.esa.core.plugin.StrictModePlugin=Strict mode is turned on.\n\
|
|
Strict mode was found in the file. Remember to delete it before publishing.
|
|
|
|
com.bartek.esa.core.plugin.ExternalStoragePlugin=External storage state is not checked.\n\
|
|
There is attempt to access to external storage without checking its state.\n\
|
|
External storage state should be checked through 'Environment.getExternalStorageState()' method.
|
|
|
|
com.bartek.esa.core.plugin.SuppressWarningsPlugin=@SuppressWarnings annotation was found.\n\
|
|
The @SuppressWarnings annotation might be hiding useful warnings.\n\
|
|
Consider removing it.
|
|
|
|
com.bartek.esa.core.plugin.ExportedComponentsPlugin.NO_PERMISSION=Exported activity.\n\
|
|
The ${componentType} with name '${componentName}' is exported but not protected by any permission. \n\
|
|
It means any malicious application could make use of the component. \n\
|
|
Consider using 'android:permission' tag and adding custom permission to protect it.
|
|
|
|
com.bartek.esa.core.plugin.DangerousPermissionPlugin=Custom permission without description.\n\
|
|
Custom permission with 'dangerous' protection level was found and it doesn't have any description.\n\
|
|
As long as the permission requires user attention, he should have provided a meaningful description about\n\
|
|
permission.
|
|
|
|
com.bartek.esa.core.plugin.TextInputValidationPlugin=Input type is no selected.\n\
|
|
The EditText view doesn't have a input type selected.\n\
|
|
Consider associating a input type with this view.\n\
|
|
For example: <EditText android:inputType="number" ...
|
|
|
|
com.bartek.esa.core.plugin.IntentFilterPlugin=Implemented intent filter.\n\
|
|
The ${componentType} with name '${componentName}' does have a intent filter declared. \n\
|
|
It means, that the component is implicitly exposed to public.\n\
|
|
Consider removing intent filter.\n\
|
|
Also be aware, that intent filter is not a security tool. It can be easily omitted.
|
|
|
|
com.bartek.esa.core.plugin.SqlInjectionPlugin='rawQuery' method detected. Potential SQL injection attack.\n\
|
|
'rawQuery' method should be avoided because of possibility to inject SQL code.
|
|
|
|
com.bartek.esa.core.plugin.WorldAccessPermissionsPlugin=World access permissions detected. Potential data leakage.\n\
|
|
The deprecated '${exprName}' constant has been found and it can be risky to use.\n\
|
|
It grants world access permission to selected resource.\n\
|
|
Consider using less permissive mode.a. |