Skip to content

Latest commit

 

History

History
112 lines (63 loc) · 5.69 KB

How to check Insecure Coding Practice.md

File metadata and controls

112 lines (63 loc) · 5.69 KB
Raw

How to check insecure coding practice for java script enabled for web views

WebViews in Android allow apps to display web content within the app. When JavaScript is enabled for a WebView, it can potentially be used to exploit vulnerabilities in the web content displayed within the app.

Steps to check for insecure coding practices for JavaScript-enabled WebViews:

  1. Obtain a copy of the APK file for the Android app that you want to check for insecure coding practices.

  2. Use a tool such as Dex2jar, which can convert the APK file into a JAR file, to convert the APK file into a JAR file.

  3. Use a Java decompiler, such as JD-GUI, to open the JAR file and view the app's source code.

  4. Search for any instances of WebViews in the code and check if JavaScript is enabled by looking for the following line of code: webView.getSettings().setJavaScriptEnabled(true);.

  5. Check the code for any other insecure coding practices such as, Insecure handling of JavaScript interfaces Insecure handling of input validation and sanitization Insecure handling of cookies Insecure handling of file uploads Insecure handling of redirects and links Insecure handling of SSL certificate validation

  6. Check if the app has any anti-debugging or anti-tampering mechanisms

  7. Check if the app has any security controls in place to restrict access to sensitive data, such as user credentials, by using a Content Security Policy.

  8. Check if the app has any security controls in place to restrict the use of dangerous JavaScript APIs, such as WebRTC

how to check insecure coding practice for use of insecure random number generator step by step

Insecure random number generators (RNGs) can be used in Android apps to generate random numbers for tasks such as encryption keys, session IDs, and other security-sensitive operations. However, if an insecure RNG is used, the generated numbers may not be truly random, and an attacker may be able to predict or recreate them.

Steps to check for insecure coding practices for the use of insecure random number generators:

  1. Obtain a copy of the APK file for the Android app that you want to check for insecure coding practices.

  2. Use a tool such as Dex2jar, which can convert the APK file into a JAR file, to convert the APK file into a JAR file.

  3. Use a Java decompiler, such as JD-GUI, to open the JAR file and view the app's source code.

  4. Search the codebase for any calls to insecure random number generators such as java.util.Random, java.security.SecureRandom, etc.

  5. Check if the app uses any insecure PRNGs like, Math.random() new Random() new SecureRandom() with a default seed

  6. Check if the app uses any cryptographically secure PRNGs like, java.security.SecureRandom android.security.SecureRandom

  7. Check if the app uses any seed value for the PRNGs that is easy to guess like, current time, device id, etc.

  8. Check if the app uses any seed value for the PRNGs that is hardcoded in the code

how to check insecure coding practice for use of insecure function step by step

Insecure functions are functions or methods that have known vulnerabilities and should not be used for security-sensitive operations. If an insecure function is used in an Android app, it can potentially be exploited by an attacker to gain unauthorized access or perform other malicious actions.

Steps to check for insecure coding practices for the use of insecure functions:

  1. Obtain a copy of the APK file for the Android app that you want to check for insecure coding practices.

  2. Use a tool such as Dex2jar, which can convert the APK file into a JAR file, to convert the APK file into a JAR file.

  3. Use a Java decompiler, such as JD-GUI, to open the JAR file and view the app's source code.

  4. Search the codebase for any calls to insecure functions such as, Insecure encryption functions like MD5, SHA1, etc. Insecure hash functions like MessageDigest.getInstance("MD5"), etc. Insecure random number generators like Math.random() Insecure keystore functions like KeyStore.getInstance(“AndroidKeyStore”), etc.

  5. Check if the app uses any function that has been deprecated or removed from the Android SDK

  6. Check if the app uses any function that has known vulnerabilities

  7. Check if the app uses any function that has been replaced by a more secure function

  8. Check if the app uses any function that has been marked as "Insecure" by OWASP

how to check insecure coding practice for use of weak cryptography step by step

Weak cryptography refers to the use of algorithms, protocols, or key sizes that are known to be insecure or can be easily broken. If weak cryptography is used in an Android app, it can potentially be exploited by an attacker to gain unauthorized access or perform other malicious actions.

Steps to check for insecure coding practices for the use of weak cryptography:

  1. Obtain a copy of the APK file for the Android app that you want to check for insecure coding practices.

  2. Use a tool such as Dex2jar, which can convert the APK file into a JAR file, to convert the APK file into a JAR file.

  3. Use a Java decompiler, such as JD-GUI, to open the JAR file and view the app's source code.

  4. Search the codebase for any calls to weak encryption algorithms such as, DES, 3DES, Blowfish RC4, RC2, RC5 RSA with key length < 2048 MD5, SHA1

  5. Check if the app uses any encryption algorithm that has been deprecated or removed from the Android SDK

  6. Check if the app uses any encryption algorithm that has known vulnerabilities

  7. Check if the app uses any encryption algorithm that has been replaced by a more secure algorithm

  8. Check if the app uses any encryption algorithm that has been marked as "Weak" by OWASP