mobile-best-practices 1.0.0

package/assets/data/security.csv

@@ -0,0 +1,438 @@
+Category,Threat,Platform,Severity,Keywords,Description,Mitigation,Code Good,Code Bad,OWASP Ref,Reference URL
+Data Storage,Insecure Local Storage,Android,Critical,"sharedpreferences plaintext storage token password",Storing sensitive data in plain SharedPreferences,Use EncryptedSharedPreferences or DataStore with encryption,EncryptedSharedPreferences.create(context masterKey prefName),getSharedPreferences('prefs').putString('token' jwt),M2 - Insecure Data Storage,https://developer.android.com/reference/androidx/security/crypto/EncryptedSharedPreferences
+Data Storage,Insecure UserDefaults,iOS,Critical,"userdefaults plaintext token password keychain",Storing secrets in UserDefaults,Use Keychain for sensitive data,KeychainAccess: keychain['token'] = jwt,UserDefaults.standard.set(jwt forKey: 'token'),M2 - Insecure Data Storage,https://developer.apple.com/documentation/security/keychain_services
+Data Storage,Insecure Flutter Storage,Flutter,Critical,"shared_preferences plaintext token sensitive",Using SharedPreferences for tokens/passwords,Use flutter_secure_storage backed by Keychain/Keystore,"FlutterSecureStorage().write(key: 'token' value: jwt)",SharedPreferences.setString('token' jwt),M2 - Insecure Data Storage,https://pub.dev/packages/flutter_secure_storage
+Data Storage,Insecure RN Storage,React Native,Critical,"asyncstorage plaintext sensitive token password",Using AsyncStorage for sensitive data,Use react-native-keychain for credentials,"Keychain.setGenericPassword(username password)",AsyncStorage.setItem('token' jwt),M2 - Insecure Data Storage,https://github.com/oblador/react-native-keychain
+Data Storage,Backup Exposure,Android,High,"backup allowbackup data extraction adb",App data included in device backups,Disable auto-backup or exclude sensitive files,android:allowBackup='false' or backup_rules.xml,android:allowBackup='true' no exclusions,M2 - Insecure Data Storage,https://developer.android.com/guide/topics/data/autobackup
+Data Storage,Database Encryption,All,High,"database sqlite encryption sqlcipher room coredata",Unencrypted local database,Encrypt database with SQLCipher or equivalent,Room with SupportFactory(SQLCipher),Room.databaseBuilder unencrypted,M2 - Insecure Data Storage,https://www.zetetic.net/sqlcipher/
+Data Storage,Clipboard Data,All,Medium,"clipboard copy paste sensitive password token",Sensitive data persisted in clipboard,Clear clipboard after timeout prevent copy of sensitive,Mark password fields secureTextEntry prevent copy,Allow copy of password/token to clipboard,M2 - Insecure Data Storage,
+Network,No SSL Pinning,All,Critical,"ssl pinning certificate mitm network attack",No certificate pinning allowing MITM attacks,Implement certificate or public key pinning,CertificatePinner.add('api.example.com' 'sha256/...'),OkHttpClient() trusts any valid cert,M3 - Insecure Communication,https://developer.android.com/privacy-and-security/security-config#CertificatePinning
+Network,HTTP Traffic,All,High,"http cleartext plaintext traffic unencrypted",Sending data over unencrypted HTTP,Enforce HTTPS for all connections,cleartextTrafficPermitted=false,android:usesCleartextTraffic='true',M3 - Insecure Communication,https://developer.android.com/privacy-and-security/security-config
+Network,No Network Security Config,Android,High,"network security config cleartext domain",Missing network security configuration,Define network_security_config.xml with strict rules,<domain-config cleartextTrafficPermitted='false'>,No network_security_config.xml,M3 - Insecure Communication,https://developer.android.com/privacy-and-security/security-config
+Network,Disabled ATS,iOS,High,"ats app transport security http exception nsallows",Disabling App Transport Security globally,Only add specific domain exceptions,NSExceptionDomains with specific domains only,NSAllowsArbitraryLoads = YES,M3 - Insecure Communication,https://developer.apple.com/documentation/bundleresources/information-property-list/nsapptransportsecurity
+Network,Token in URL,All,High,"token url query parameter log expose",Passing auth tokens in URL query parameters,Send tokens in Authorization header only,headers: { Authorization: Bearer $token },GET /api/data?token=abc123,M3 - Insecure Communication,https://owasp.org/www-project-mobile-top-10/
+Network,No Response Validation,All,Medium,"response validation integrity tamper verify",Not validating API response integrity,Validate response signatures and checksums,Verify response HMAC before processing,Process any response without validation,M3 - Insecure Communication,
+Authentication,Weak Biometric Auth,All,High,"biometric fingerprint faceid weak fallback crypto",Biometric auth with weak fallback,Require strong biometric with crypto-backed auth,BiometricPrompt with CryptoObject binding,BiometricPrompt without CryptoObject,M4 - Insecure Authentication,https://developer.android.com/training/sign-in/biometric-auth
+Authentication,Token Expiry,All,High,"token expiry refresh rotation jwt access",No token expiration or refresh mechanism,Implement short-lived access + refresh token rotation,Access token 15min + refresh rotation,Long-lived token never expires,M4 - Insecure Authentication,https://owasp.org/www-project-mobile-top-10/
+Authentication,No Session Timeout,All,Medium,"session timeout inactivity auto logout lock",No automatic session timeout,Implement inactivity timeout with re-authentication,Lock after 5min inactivity require biometric,Session stays active indefinitely,M4 - Insecure Authentication,
+Authentication,Hardcoded Credentials,All,Critical,"hardcoded password api key secret source code",Credentials embedded in source code,Use environment variables or secure config,BuildConfig.API_KEY from local.properties gitignored,const API_KEY = 'sk-abc123secret',M4 - Insecure Authentication,https://owasp.org/www-project-mobile-top-10/
+Authentication,Weak PIN Storage,All,High,"pin hash bcrypt plaintext storage argon2",Storing user PIN in plain text,Hash PINs with bcrypt/Argon2 and salt,bcrypt.hash(pin saltRounds=12),database.store(userId pin) plaintext,M4 - Insecure Authentication,
+Code,No Code Obfuscation,Android,High,"proguard r8 obfuscation decompile reverse engineer",No code obfuscation in release builds,Enable R8/ProGuard with proper rules,minifyEnabled true; shrinkResources true,minifyEnabled false,M9 - Reverse Engineering,https://developer.android.com/build/shrink-code
+Code,Debug Build Production,All,Critical,"debug release build production debuggable flag",Shipping debug build to production,Always ship release builds with debug disabled,android:debuggable='false' in release,android:debuggable='true' in production,M9 - Reverse Engineering,
+Code,Runtime Integrity,All,Medium,"root jailbreak tamper detection integrity check",No root/jailbreak detection,Detect rooted/jailbroken devices for sensitive apps,Check for su binary Magisk Cydia,No runtime environment verification,M8 - Code Tampering,https://developer.android.com/google/play/integrity
+Code,WebView Security,All,High,"webview javascript injection xss evaluate interface",Insecure WebView configuration,Disable unnecessary WebView features restrict JS,Disable file access restrict to allowList URLs,javaScriptEnabled addJavascriptInterface unrestricted,M1 - Improper Platform Usage,https://developer.android.com/develop/ui/views/layout/webapps/best-practices
+Cryptography,Weak Algorithm,All,High,"encryption algorithm aes md5 sha1 weak des",Using deprecated/weak crypto algorithms,Use AES-256-GCM for encryption SHA-256+ for hashing,AES/GCM/NoPadding with 256-bit key,DES or MD5 for sensitive data,M5 - Insufficient Cryptography,https://developer.android.com/privacy-and-security/cryptography
+Cryptography,Hardcoded Crypto Key,All,Critical,"hardcoded key encryption secret constant embedded",Encryption keys embedded in code,Use Keystore/Keychain for key storage,Generate key in Keystore at runtime,val key = 'my-secret-key'.toByteArray(),M5 - Insufficient Cryptography,https://developer.android.com/privacy-and-security/keystore
+Cryptography,Insecure Random,All,High,"random prng seed predictable token",Using predictable random number generator,Use SecureRandom/SystemRandomNumberGenerator,SecureRandom() or SystemRandomNumberGenerator(),Random() or Math.random() for tokens,M5 - Insufficient Cryptography,
+Cryptography,No Key Rotation,All,Medium,"key rotation encryption periodic renew cycle",Never rotating encryption keys,Implement periodic key rotation strategy,Rotate keys every 90 days migrate data,Same encryption key used forever,M5 - Insufficient Cryptography,
+Platform,Intent Hijacking,Android,High,"intent hijacking exported component broadcast receiver",Exported components accessible to malicious apps,Set exported=false or use permissions,<activity android:exported='false'>,<activity android:exported='true'> for internal,M1 - Improper Platform Usage,https://developer.android.com/privacy-and-security/security-tips#IPC
+Platform,URL Scheme Hijacking,iOS,Medium,"url scheme deeplink hijacking universal links",Custom URL schemes can be hijacked,Use Universal Links instead of custom schemes,Associated Domains apple-app-site-association,Custom scheme myapp:// without validation,M1 - Improper Platform Usage,https://developer.apple.com/documentation/xcode/defining-a-custom-url-scheme-for-your-app
+Platform,Screenshot Leakage,All,Medium,"screenshot task switcher sensitive screen blur",Sensitive screen visible in app switcher,Add blur/overlay when app enters background,FLAG_SECURE or applicationWillResignActive blur,No protection for sensitive screens,M2 - Insecure Data Storage,
+Platform,Tapjacking,Android,Medium,"tapjacking overlay touch filtering attack",Overlay attacks tricking user into actions,Use filterTouchesWhenObscured,android:filterTouchesWhenObscured='true',No touch filtering on sensitive actions,M1 - Improper Platform Usage,https://developer.android.com/privacy-and-security/security-tips
+Input,SQL Injection,All,High,"sql injection query parameterized prepared",Raw SQL queries with user input,Use parameterized queries/prepared statements,"db.query('SELECT * FROM users WHERE id = ?' [userId])","db.rawQuery('SELECT * WHERE id = $input')",M7 - Client Code Quality,https://developer.android.com/privacy-and-security/security-tips#ContentProviders
+Input,Log Sensitive Data,All,High,"log sensitive password token pii production debug",Logging credentials/PII in production,Strip debug logs in release use log levels,Timber.plant(ReleaseTree()) no verbose in prod,"Log.d(TAG 'token=$token password=$pass')",M10 - Extraneous Functionality,
+Input,No Input Sanitization,All,High,"input sanitization xss html injection escape",User input not sanitized before display,Sanitize and escape all user-generated content,Html.escapeHtml(userInput) or proper encoding,textView.text = Html.fromHtml(userInput),M7 - Client Code Quality,
+Logging,Debug Endpoints,All,Medium,"debug endpoint test api production remove",Debug/test API endpoints in production code,Remove all debug endpoints and test configs,ifdef DEBUG only for debug endpoints,/api/debug/resetAllData in production,M10 - Extraneous Functionality,
+Logging,Verbose Error Messages,All,Medium,"verbose error message stack trace user production",Showing stack traces or internal errors to users,Show user-friendly error messages log details internally,Show 'Something went wrong' log full error,Show stack trace or SQL error to user,M7 - Client Code Quality,
+Supply Chain,No Dependency Scanning,All,High,"dependency scanning sca vulnerabilities cve outdated libraries",Not scanning dependencies for known vulnerabilities,Use OWASP Dependency-Check Snyk or GitHub Dependabot,./gradlew dependencyCheckAnalyze or Snyk test in CI,No dependency vulnerability scanning,M6 - Insufficient Supply Chain Security,https://owasp.org/www-project-dependency-check/
+Supply Chain,Third-Party SDK Risks,All,Critical,"third party sdk library supply chain malware backdoor",Using unvetted third-party SDKs without security review,Vet all SDKs review privacy policies scan with tools,Review SDK permissions privacy policy scan dependencies,Add random SDKs without vetting or review,M6 - Insufficient Supply Chain Security,https://owasp.org/www-project-mobile-top-10/
+Supply Chain,Outdated Dependencies,All,High,"outdated dependencies vulnerabilities patch update version",Using libraries with known security vulnerabilities,Keep dependencies updated check for CVEs regularly,Use Renovate/Dependabot; update within 30 days of CVE,Use libraries 2+ years old with known CVEs,M6 - Insufficient Supply Chain Security,
+Authentication,OWASP M1 Credential Usage,All,Critical,"owasp m1 credential hardcoded keystore keychain token",OWASP M1 2024: Improper credential storage and handling,Use Keystore/Keychain; never hardcode; implement MFA rotation,Android Keystore + EncryptedSharedPreferences + MFA,Hardcoded API keys plaintext token storage,M1 - Improper Credential Usage,https://owasp.org/www-project-mobile-top-10/
+Input,OWASP M4 Input Validation,All,High,"owasp m4 input validation sanitize injection xss sql",OWASP M4 2024: Insufficient input/output validation,Validate sanitize all inputs with whitelisting length checks,Regex whitelist + length validation + encoding,Trust all user input no validation or sanitization,M4 - Insufficient Input/Output Validation,https://owasp.org/www-project-mobile-top-10/
+Privacy,OWASP M6 Privacy Violation,All,High,"owasp m6 privacy gdpr ccpa data collection consent",OWASP M6 2024: Privacy violations and excessive data collection,Collect minimum data; obtain consent; honor deletion requests,Collect only essential data; granular consent; delete on request,Collect excessive data no consent mechanisms,M6 - Privacy Violation,https://owasp.org/www-project-mobile-top-10/
+Code,OWASP M8 Security Misconfiguration,All,High,"owasp m8 misconfiguration debug production permissions cleartext",OWASP M8 2024: Security misconfigurations in production,Review all configs; disable debug; minimize permissions; HTTPS only,debuggable=false; minimal permissions; HTTPS enforced,android:debuggable=true; excessive permissions; HTTP allowed,M8 - Security Misconfiguration,https://owasp.org/www-project-mobile-top-10/
+Data Storage,OWASP M9 Insecure Data Storage,All,Critical,"owasp m9 data storage encryption sensitive plaintext cache",OWASP M9 2024: Insecure data storage of sensitive information,Encrypt all sensitive data at rest using platform secure storage,EncryptedSharedPreferences Room encryption Keychain,Store PII passwords tokens in plaintext SharedPreferences,M9 - Insecure Data Storage,https://owasp.org/www-project-mobile-top-10/
+Logging,OWASP M10 Extraneous Functionality,All,Medium,"owasp m10 debug code test endpoint backdoor production",OWASP M10 2024: Debug code and test endpoints in production,Remove all debug features test endpoints before release,Strip debug code; remove test APIs; ifdef DEBUG only,Ship debug endpoints backdoor test features to production,M10 - Extraneous Functionality,https://owasp.org/www-project-mobile-top-10/
+Platform,Android 16 Advanced Protection,Android,High,"android 16 advanced protection mode restricted setting install",Android 16 Advanced Protection Mode for high-risk users,Support Advanced Protection requirements restrict settings access,Avoid WRITE_SETTINGS REQUEST_INSTALL_PACKAGES; test with mode enabled,Request unlimited install permissions restricted settings,M1 - Improper Platform Usage,
+Platform,Android 16 Identity Check,Android,Medium,"android 16 identity check sensitive credential reset password",Android 16 Identity Check API for sensitive operations,Use CredentialCheckerActivity for password reset account changes,CredentialCheckerActivity.createIntent() for credential reset,No identity verification for sensitive account operations,M4 - Insecure Authentication,https://developer.android.com/identity
+Platform,Android 16 OTP Shield,Android,High,"android 16 otp shield sms autofill phishing protection",Android 16 OTP Shield to protect against SMS phishing,Implement SMS autofill; users protected from phishing,Use SMS Retriever API with OTP input autofill,Manual OTP entry vulnerable to phishing clipboard attacks,M3 - Insecure Communication,https://developer.android.com/identity/sms-retriever/overview
+Platform,Android 16 Private Space,Android,Medium,"android 16 private space sensitive app visibility hide",Android 16 Private Space hides apps from launcher,Design for Private Space users; expect hidden from launcher,Graceful handling when app in Private Space; notifications work,Assume app always visible in launcher; break in Private Space,M1 - Improper Platform Usage,https://developer.android.com/about/versions/16/features
+Compliance,Google Play Data Safety 2026,Android,Critical,"google play data safety declaration 2026 privacy policy sdk",Google Play 2026 requires accurate Data Safety declarations,Complete Data Safety form; declare all SDK data collection; update regularly,Declare all data types including SDKs; review before each release,Incomplete Data Safety; SDK data not disclosed; never updated,M6 - Privacy Violation,https://support.google.com/googleplay/android-developer/answer/10787469
+Compliance,Play SDK Compliance 2026,Android,High,"google play sdk compliance 2026 third party library vetting",Google Play 2026 increased SDK compliance requirements,Vet all SDKs; review privacy; scan dependencies; keep updated,SDK vetting checklist; dependency scanning; update regularly,Use unvetted SDKs outdated versions no privacy review,M6 - Insufficient Supply Chain Security,https://support.google.com/googleplay/android-developer/answer/9888076
+Cryptography,Quantum-Resistant Algorithms,All,Medium,"quantum resistant post quantum cryptography pqc nist algorithm",Preparing for quantum computing threats to current crypto,Plan migration to NIST PQC algorithms for long-term data,Monitor NIST PQC standards; plan hybrid classical+PQC approach,No plan for quantum-resistant cryptography migration,M5 - Insufficient Cryptography,https://csrc.nist.gov/projects/post-quantum-cryptography
+Cryptography,Key Attestation,Android,High,"key attestation hardware backed strongbox tee secure",Verifying keys are hardware-backed and secure,Use Key Attestation to verify hardware-backed keys,Use setAttestationChallenge verify certificate chain StrongBox preferred,Assume keys are hardware-backed without verification,M5 - Insufficient Cryptography,https://developer.android.com/privacy-and-security/keystore#attestation
+Authentication,WebAuthn Passkeys,All,Medium,"webauthn passkey fido2 passwordless biometric credential",Passwordless authentication using FIDO2/WebAuthn,Implement passkey support for passwordless flows,Use Credential Manager API for passkey creation and authentication,Password-only authentication no passkey support,M4 - Insecure Authentication,https://developer.android.com/identity/sign-in/credential-manager
+Privacy,Data Minimization,All,High,"data minimization privacy gdpr collect necessary purpose limitation",Collecting more data than necessary for functionality,Only collect data essential for features; delete when no longer needed,Collect minimal data; clear purpose; retention policy; delete on request,Collect all available data just in case; never delete,M6 - Privacy Violation,
+Privacy,Consent Management,All,High,"consent gdpr ccpa privacy opt-in granular control user",No proper consent mechanism for data collection,Implement granular consent; allow opt-out; honor DNT signals,Granular consent per purpose; easy opt-out; respect user choice,Forced consent; no opt-out; pre-checked boxes; dark patterns,M6 - Privacy Violation,
+Financial,PCI DSS 4.0 Compliance,All,Critical,"pci dss payment card compliance tokenization encryption sbom",PCI DSS 4.0 applies to mobile apps handling payment flows (mandatory March 2025+),Implement tokenization; encrypt data with AES-256/TLS 1.3; maintain SBOM; MFA; penetration testing,Use tokenization for card data; AES-256-GCM; TLS 1.3; Software Bill of Materials; MFA for all access,Store raw card numbers; weak encryption; no SBOM; single-factor auth; skip penetration testing,M2 - Insecure Data Storage,https://www.pcisecuritystandards.org/
+Financial,Payment Tokenization,All,Critical,"tokenization pci card payment token vault mobile wallet",Not using tokenization for payment card data storage,Use payment tokenization to replace card numbers with tokens,Stripe/Braintree tokenization; Apple Pay/Google Pay; secure token vault,Store raw credit card numbers in database or app,M2 - Insecure Data Storage,https://www.pcisecuritystandards.org/
+Financial,PSD2 SCA Strong Authentication,All,Critical,"psd2 psd3 sca strong customer authentication mfa biometric banking",PSD2/PSD3 Strong Customer Authentication requirement for banking,Implement multi-factor auth: knowledge + possession + inherence; biometric + device binding,BiometricPrompt + device fingerprinting + dynamic linking; 2+ auth factors,Single-factor password authentication for banking transactions,M4 - Insecure Authentication,https://www.europeanpaymentscouncil.eu/
+Financial,Transaction Risk Analysis,All,High,"transaction risk analysis fraud detection adaptive authentication",No transaction risk analysis for financial operations,Implement adaptive authentication based on transaction risk scoring,Analyze: amount location device behavior; step-up auth for high risk,Same authentication for $5 and $5000 transactions,M4 - Insecure Authentication,
+Financial,No Card Data Logging,All,Critical,"card number cvv log pci compliant redaction",Logging payment card numbers CVV or PINs,Never log sensitive payment data; redact card numbers in logs,Log last 4 digits only; redact CVV/PIN; use tokenized identifiers,Log.d('Card: 4532-1234-5678-9010 CVV: 123'),M10 - Extraneous Functionality,https://www.pcisecuritystandards.org/
+Financial,Banking App Integrity,All,High,"banking root jailbreak runtime integrity tamper detection",No runtime integrity checks for banking/financial apps,Implement root/jailbreak detection; app tampering detection; code integrity checks,Use Play Integrity API; detect Magisk Cydia Frida; verify code signature,No integrity checks allow rooted device access to banking,M8 - Code Tampering,https://developer.android.com/google/play/integrity
+Financial,No Screenshot in Banking,All,High,"screenshot prevent banking sensitive financial transaction",Allowing screenshots of sensitive banking screens,Prevent screenshots on sensitive screens with FLAG_SECURE,setContentView().window.setFlags(FLAG_SECURE SECURE); UITextField.isSecureTextEntry,Allow screenshots of account balances transaction details,M2 - Insecure Data Storage,
+Accessibility,Screen Reader Data Exposure,All,High,"accessibility screen reader talkback voiceover malware data leak",Exposing sensitive data to accessibility services (screen readers),Limit accessibility data exposure for sensitive fields; detect malicious readers,Mark sensitive fields android:importantForAccessibility='no'; detect accessibility abuse,Password credit card fields fully readable by screen readers,M2 - Insecure Data Storage,https://developer.android.com/guide/topics/ui/accessibility/testing
+Accessibility,Malicious Accessibility Service,Android,Critical,"accessibility service malware keylogger overlay attack abuse",Accessibility services can be exploited as keyloggers,Detect suspicious accessibility services; warn users; restrict in sensitive screens,Check enabled AccessibilityServices; warn if unknown service detected; disable in banking flows,No detection of malicious accessibility services,M1 - Improper Platform Usage,https://developer.android.com/reference/android/accessibilityservice/AccessibilityService
+Accessibility,WCAG Compliance Security,All,Medium,"wcag accessibility a11y compliance aria secure labels",Accessibility implementation exposing sensitive information,Implement WCAG compliance while protecting sensitive data in labels,Use generic accessibility labels for sensitive fields; avoid PII in contentDescription,contentDescription='Password: mySecretPass123' exposed to screen readers,M2 - Insecure Data Storage,https://www.w3.org/WAI/WCAG21/quickref/
+Deep Link,Deep Link Validation,All,Critical,"deep link app link intent hijacking validation parameter injection",Deep links accepting unvalidated parameters allowing injection attacks,Validate all deep link parameters; use allowlist; autoVerify App Links; single entry point,Validate against allowlist; autoVerify=true; narrow host/path; parse in DeepLinkActivity only,myapp://payment?amount=$USER_INPUT without validation; broad intent filters,M1 - Improper Platform Usage,https://developer.android.com/training/app-links
+Deep Link,Intent Hijacking Prevention,Android,High,"intent hijacking deep link url scheme app link interception",Multiple apps claiming same deep link scheme allowing interception,Use verified HTTPS App Links instead of custom schemes; autoVerify,Use android:autoVerify='true' + Digital Asset Links; HTTPS only,Custom myapp:// scheme without verification allows hijacking,M1 - Improper Platform Usage,https://developer.android.com/training/app-links/verify-android-applinks
+Backup,Sensitive Data in Backup,All,High,"backup autobackup cloud google drive sensitive exclude allowbackup",Sensitive data included in automatic cloud backups,Exclude sensitive data in backup_rules.xml; use allowBackup=false for critical apps,Use <exclude> in backup_rules.xml for tokens keys credentials; allowBackup=false,Include passwords tokens in AutoBackup; no exclusion rules,M2 - Insecure Data Storage,https://developer.android.com/guide/topics/data/autobackup
+Backup,Backup Data Validation,All,Medium,"backup restore data integrity validation tampering malicious",Not validating integrity of restored backup data,Validate restored data integrity; sign backups; verify data before use,HMAC signature verification; validate data types ranges on restore,Trust all restored backup data without validation,M8 - Code Tampering,
+Network,No Certificate Pinning,All,High,"certificate pinning ssl tls mitm man middle attack https",Not using certificate pinning allowing MITM attacks,Implement certificate/public key pinning with backup pins; use network security config,NetworkSecurityConfig with <pin-set>; CertificatePinner with backup pins,No pinning; trust all system CAs; vulnerable to MITM,M3 - Insecure Communication,https://developer.android.com/privacy-and-security/security-config
+Network,Certificate Pinning Bypass Risk,All,Medium,"certificate pinning bypass rotation management expiry backup",Certificate pinning without backup pins causing outages,Include backup pins; automate cert lifecycle; monitor expiry; public key pinning,Pin public keys not certs; 2+ backup pins; automated monitoring alerts,Single cert pin; no backup; no monitoring; leads to app outages,M3 - Insecure Communication,
+Clipboard,Clipboard Data Exposure,All,High,"clipboard sensitive password copy paste hijacking steal",Allowing sensitive data to be copied to clipboard,Prevent clipboard for sensitive fields; clear clipboard automatically; detect access,textInputType=TYPE_TEXT_VARIATION_PASSWORD prevents copy; auto-clear clipboard,Allow copy of passwords credit cards SSNs to clipboard,M2 - Insecure Data Storage,https://developer.android.com/develop/ui/views/touch-and-input/copy-paste
+Clipboard,Clipboard Hijacking,All,Medium,"clipboard hijacking malware replace crypto wallet address attack",Clipboard content manipulated by malicious apps,Warn users about clipboard risks; validate pasted data; use secure input methods,Validate pasted crypto addresses; warn on sensitive paste; use autofill,No validation of clipboard content allows malware replacement,M1 - Improper Platform Usage,
+API,OAuth 2.1 Token Security,All,Critical,"oauth 2.1 pkce token refresh access api authentication authorization",Not using OAuth 2.1 PKCE and secure token handling,Implement OAuth 2.1 with mandatory PKCE; short-lived tokens; secure storage; rotation,Use PKCE for all flows; store tokens in Keychain/Keystore; rotate refresh tokens,OAuth 2.0 implicit flow; long-lived tokens; SharedPreferences storage,M4 - Insecure Authentication,https://oauth.net/2.1/
+API,API Token Exposure,All,Critical,"api key token hardcoded secret exposed public repository leak",Hardcoded API keys or tokens in source code,Never hardcode API keys; use secure config; rotate keys; detect leaks in CI/CD,Store in BuildConfig from secrets.properties; rotate monthly; scan with TruffleHog,Hardcoded API_KEY = 'sk_live_abc123' in source code,M2 - Insecure Data Storage,
+Code,NDK API Key Storage,Android,Medium,"ndk native code jni cmake api key hide reverse engineering c++",Storing API keys in plain Java/Kotlin code easily decompiled,Store sensitive keys in NDK C++ code with obfuscation; use JNI bridge,Store keys in native .so with XOR encryption; strip symbols; use extern C JNI,API_KEY = 'sk_12345' in BuildConfig or strings.xml,M2 - Insecure Data Storage,
+Code,Native Code Obfuscation,Android,High,"native code obfuscation ndk llvm symbol strip so binary",Native .so libraries with readable symbols and plain strings,Obfuscate native code; strip symbols; encrypt strings at compile time,Use -fvisibility=hidden; strip --strip-all; XOR encrypt strings in C++,Readable function names API keys in .so easily extracted with strings command,M7 - Client Code Quality,
+Code,No Code Obfuscation,All,High,"obfuscation proguard r8 dexguard minify shrink decompile",App published without code obfuscation vulnerable to reverse engineering,Enable R8/ProGuard minification obfuscation; use DexGuard for critical apps,minifyEnabled=true; proguardFiles; shrinkResources=true; DexGuard for banking apps,Release APK with readable class/method names easily decompiled with jadx,M7 - Client Code Quality,https://developer.android.com/build/shrink-code
+Code,Insufficient Obfuscation,All,Medium,"r8 proguard rules keep class prevent obfuscation weak",R8/ProGuard rules that keep too many classes preventing obfuscation,-keep rules only for essential classes; allow aggressive obfuscation,Minimize -keep rules; avoid -keep class ** wildcards; obfuscate models POJOs,-keep class * prevents all obfuscation; defeating purpose,M7 - Client Code Quality,
+Code,No Anti-Tampering,All,Critical,"tampering signature verification integrity check modify repackage",App doesn't detect code modifications or repackaging,Implement signature verification; checksum validation; detect repackaging,Verify app signature at runtime; detect modified APK; validate DEX integrity,No checks allow attackers to modify inject malicious code and repackage,M8 - Code Tampering,
+Code,No Root Detection,All,High,"root detection magisk rooted device jailbreak su binary superuser",App runs on rooted/jailbroken devices without restriction,Detect root/jailbreak; use Play Integrity API; restrict on compromised devices,Check for su binary Magisk SafetyNet bypass; use Play Integrity API Standard verdict,Banking app runs normally on rooted Magisk device with Xposed,M1 - Improper Platform Usage,https://developer.android.com/google/play/integrity
+Code,Play Integrity API Missing,Android,Critical,"play integrity api safetynet device integrity app license verdict",Not using Play Integrity API for device/app integrity verification,Implement Play Integrity API with server-side token validation,Request integrity token; send to backend; validate device/app/license verdicts server-side,No device integrity checks allow modified apps on compromised devices,M1 - Improper Platform Usage,https://developer.android.com/google/play/integrity
+Code,No Frida Detection,All,High,"frida detection hook runtime manipulation debugger xposed lsposed",App vulnerable to Frida hooking and runtime manipulation,Detect Frida Xposed frameworks; anti-debug; check for suspicious libs,Detect frida-server process; check loaded libs for frida; ptrace anti-debug,No detection allows Frida to bypass all security checks certificate pinning,M8 - Code Tampering,
+Code,No Debugger Detection,All,Medium,"debugger detection debug anti-debug android:debuggable ptrace",App allows debugging in production enabling runtime attacks,Disable android:debuggable; detect debuggers at runtime; anti-ptrace,Check android.os.Debug.isDebuggerConnected(); ptrace self-protection; exit if debugged,android:debuggable=true in release OR no runtime debugger detection,M8 - Code Tampering,
+Code,No Emulator Detection,All,Medium,"emulator detection android emulator genymotion virtual device automation",App runs on emulators enabling automated attacks and analysis,Detect emulator/virtual environments; restrict on non-real devices,Check Build.FINGERPRINT Build.MODEL for emulator; detect Genymotion; restrict features,Banking app fully functional in Android Studio emulator with Burp proxy,M1 - Improper Platform Usage,
+Code,CMake NDK API Key Setup,Android,High,"cmake ndk api key native library jni c++ cmakelists externalNativeBuild",No CMake/NDK setup for native API key storage; keys in Kotlin/Java easily decompiled,Configure CMake with externalNativeBuild; create native-lib.cpp with JNI bridge; load .so at runtime,CMakeLists.txt add_library(native-lib SHARED); System.loadLibrary('native-lib'); extern C JNIEXPORT,Store API_KEY in BuildConfig strings.xml or Kotlin companion object,M2 - Insecure Data Storage,https://developer.android.com/ndk/guides/cmake
+Code,NDK Key Splitting and Encoding,Android,High,"ndk key split xor encode runtime assembly obfuscate native c++",Storing API key as single plain string in native code; extractable with strings command,Split key into multiple parts; XOR encode with runtime mask; assemble only when needed; zero memory after use,Split key into 3+ char arrays; XOR with device-derived salt; assemble in JNI call; memset zero after,Single const char* apiKey = 'sk_live_abc123' in native .cpp file,M2 - Insecure Data Storage,https://blog.mindorks.com/securing-api-keys-using-android-ndk/
+Code,Secrets Gradle Plugin,Android,Medium,"secrets gradle plugin local.properties buildconfig api key google maps",API keys committed to version control or hardcoded in build.gradle,Use Google secrets-gradle-plugin to inject keys from local.properties into BuildConfig at build time,id('com.google.android.libraries.mapsplatform.secrets-gradle-plugin'); secrets.properties gitignored,API_KEY = 'abc123' hardcoded in build.gradle.kts or committed to git,M2 - Insecure Data Storage,https://github.com/google/secrets-gradle-plugin
+API,Backend API Key Proxy,All,Critical,"backend proxy api key server side relay never store client mobile",Storing third-party API keys (payment; maps; AI) directly in mobile app,Proxy all third-party API calls through your backend; store keys server-side only; authenticate client,Mobile calls your backend; backend adds API key server-side; never expose key to client,Mobile app directly calls OpenAI/Stripe/Maps API with embedded key,M2 - Insecure Data Storage,
+API,API Key Restriction,All,High,"api key restriction scope package sha256 ip referrer quota limit",API keys used without platform restrictions allowing abuse if leaked,Restrict API keys by package name; SHA-256 fingerprint; IP allowlist; API scope; usage quota,Restrict Google API key to com.myapp + SHA-256 cert; set daily quota; scope to Maps SDK only,Unrestricted API key works from any app any IP any API,M2 - Insecure Data Storage,https://cloud.google.com/docs/authentication/api-keys#securing_an_api_key
+Code,Flutter Code Obfuscation,Flutter,High,"flutter obfuscate dart split-debug-info aot reverse engineering symbol",Flutter release build with readable Dart symbols and class names,Use --obfuscate with --split-debug-info; store symbol map securely for crash reporting,flutter build apk --release --obfuscate --split-debug-info=build/symbols; upload symbols to Crashlytics,flutter build apk --release without obfuscation; readable Dart class names in APK,M9 - Reverse Engineering,https://docs.flutter.dev/deployment/obfuscate
+Code,iOS Binary Protection,iOS,High,"ios obfuscation swiftshield swift binary protection fairplay bitcode strip",iOS app with readable Swift class/method names after FairPlay decryption,Use SwiftShield for identifier obfuscation; strip symbols; enable bitcode; encrypt sensitive strings,SwiftShield obfuscation; strip -S -x in build settings; encrypt string literals at compile time,Readable class/method names in decrypted binary; dump with class-dump or Hopper,M9 - Reverse Engineering,https://github.com/rockbruno/swiftshield
+Code,React Native Code Protection,React Native,High,"react native hermes bytecode obfuscation javascript bundle jsbundle metro",React Native JS bundle easily readable; business logic exposed,Enable Hermes for bytecode compilation; add JS obfuscation; use react-native-obfuscating-transformer,Enable Hermes in app.json; use metro obfuscation plugin; ProGuard for Android native layer,Plain JavaScript bundle in APK/IPA; readable with any text editor,M9 - Reverse Engineering,https://reactnative.dev/docs/hermes
+Code,String Encryption,All,High,"string encryption sensitive literal compile time encrypt decrypt runtime",Sensitive strings (URLs; tokens; keys) stored as plain text literals in binary,Encrypt strings at compile time; decrypt at runtime only when needed; zero memory after use,Use compile-time string encryption macro/annotation; decrypt via secure function; clear from memory,Plain string literals 'https://api.secret.com/v1' readable in decompiled binary,M9 - Reverse Engineering,
+Code,Resource Obfuscation,Android,Medium,"resource obfuscation resguard arsc shrink resource name mapping",Android resource names (layouts; drawables; strings) reveal app structure,Use resource shrinking; ResGuard for resource name obfuscation; remove unused resources,shrinkResources=true; use ResGuard or AndResGuard to rename res/ entries; remove debug resources,Readable resource names like activity_payment.xml; ic_credit_card.png reveal structure,M9 - Reverse Engineering,https://github.com/nicolo-dev/ResGuard
+Code,RASP Implementation,All,Critical,"rasp runtime application self-protection talsec freerasp guardsquare promon",No runtime protection; app vulnerable to live attacks after installation,Implement RASP SDK for real-time threat detection; respond to root; hook; tamper; debugger,Integrate freeRASP/Talsec; configure threat callbacks; block or warn on root; hook; repackage; debugger,No runtime monitoring; attacker freely hooks functions modifies memory at runtime,M8 - Code Tampering,https://github.com/talsec/Free-RASP-Android
+Code,Memory Dump Protection,All,High,"memory dump protection sensitive data ram scraping process dump anti-dump",Sensitive data (keys; tokens; passwords) persists in memory; extractable via dump,Zero-fill sensitive data after use; use secure memory allocations; detect memory dump attempts,memset(buffer 0 len) after use; overwrite String with char[]; detect /proc/self/mem access,Passwords API keys remain in heap memory indefinitely; extractable with memory dump tools,M2 - Insecure Data Storage,
+Code,Hook Detection General,All,High,"hook detection substrate xposed lsposed cydia substrate method swizzle frida",App vulnerable to method hooking via Xposed; LSPosed; Substrate; Frida,Detect known hooking frameworks; verify method integrity; check loaded libraries at runtime,Check for Xposed/LSPosed modules; detect Substrate; verify native method pointers; scan /proc/maps,No hook detection; Xposed module freely intercepts login() bypassing all checks,M8 - Code Tampering,
+Code,APK Signature Verification,Android,High,"apk signature scheme v2 v3 v4 verification signing certificate runtime check",Not verifying APK signature at runtime allowing repackaged APK distribution,Verify APK signing certificate at runtime; use signature scheme v3+; check package signature hash,PackageManager.getPackageInfo(GET_SIGNING_CERTIFICATES); compare SHA-256 with known cert hash,No runtime signature check; attacker repackages APK with different cert; distributes modified app,M8 - Code Tampering,https://developer.android.com/about/versions/13/features#apk-signature-scheme
+Code,DEX Integrity Verification,Android,High,"dex integrity verification checksum crc classes.dex tamper modification",No DEX file integrity check allowing code injection via modified classes.dex,Compute and verify DEX file checksums at runtime; compare against known-good values,Calculate CRC32/SHA-256 of classes.dex at runtime; compare with embedded expected hash; abort if mismatch,No DEX verification; attacker modifies classes.dex injects malicious code repackages APK,M8 - Code Tampering,
+Code,Anti-Dynamic Analysis,All,High,"dynamic analysis prevention timing check debugger trace strace ltrace",App does not detect dynamic analysis tools used during reverse engineering,Detect tracing tools; timing anomalies; instrumentation frameworks; suspicious process names,Detect strace/ltrace via /proc/self/status TracerPid; timing checks for breakpoints; scan process list,No dynamic analysis detection; attacker freely traces API calls and function parameters,M8 - Code Tampering,
+Code,SSL Unpinning Detection,All,High,"ssl unpinning detection bypass certificate pinning frida objection",Certificate pinning bypassed by Frida/Objection scripts without app awareness,Detect SSL pinning bypass attempts; verify pinning at multiple layers; implement custom TrustManager checks,Verify cert chain integrity in custom TrustManager; detect Frida ssl_pinning_bypass.js; multi-layer pinning,Single-layer cert pinning easily bypassed with one Frida script; no bypass detection,M3 - Insecure Communication,
+Code,DexGuard iXGuard Commercial,All,High,"dexguard ixguard guardsquare commercial obfuscation encryption protection",Basic R8/ProGuard insufficient for high-security apps (banking; fintech; healthcare),Use DexGuard (Android) or iXGuard (iOS/Flutter) for advanced obfuscation; string encryption; RASP,DexGuard: control flow obfuscation; string encryption; asset encryption; class encryption; RASP,Basic R8 minification only for banking app; no string encryption or control flow obfuscation,M9 - Reverse Engineering,https://www.guardsquare.com/dexguard
+Code,ProGuard R8 Optimization,Android,High,"proguard r8 rules optimization shrink minify obfuscate android release",R8/ProGuard not configured or using default rules with poor coverage,Configure aggressive R8 rules; enable full mode; add custom rules for reflection/serialization only,isMinifyEnabled=true; isShrinkResources=true; proguardFiles with custom rules; R8 fullMode=true,isMinifyEnabled=false OR -keep class ** wildcard keeping everything unobfuscated,M9 - Reverse Engineering,https://developer.android.com/build/shrink-code
+Code,iOS App Attest,iOS,High,"ios app attest devicecheck attestation integrity apple dcappattestservice",No server-side verification that requests come from genuine unmodified iOS app,Use App Attest API to generate hardware-backed attestation; validate assertions server-side,DCAppAttestService.shared.attestKey(); send attestation to server; validate receipt and assertion,No attestation; server trusts any HTTP client pretending to be the iOS app,M8 - Code Tampering,https://developer.apple.com/documentation/devicecheck/dcappattestservice
+Network,Man-in-the-Middle Detection,All,High,"mitm detection proxy charles burp fiddler transparent proxy interception",App unaware of MITM proxy intercepting traffic during attacks,Detect proxy settings; verify direct connection; implement mutual TLS; detect transparent proxies,Check System.getProperty('http.proxyHost'); detect proxy via ConnectivityManager; mutual TLS auth,No proxy detection; attacker uses Charles/Burp to intercept all API traffic transparently,M3 - Insecure Communication,
+Platform,PendingIntent Security,Android,High,"pendingintent mutable immutable flag_immutable flag_one_shot hijacking implicit",Mutable or implicit PendingIntent allowing hijacking and privilege escalation,Use FLAG_IMMUTABLE by default; FLAG_ONE_SHOT to prevent replay; explicit intents only,PendingIntent.getActivity(ctx 0 explicitIntent FLAG_IMMUTABLE or FLAG_ONE_SHOT),PendingIntent.getActivity(ctx 0 implicitIntent FLAG_MUTABLE) empty action,M1 - Improper Platform Usage,https://developer.android.com/privacy-and-security/risks/pending-intent
+Platform,Content Provider Security,Android,High,"content provider sql injection exported permissions query selection",Exported ContentProvider with SQL injection via unsanitized selection/projection,Set exported=false or require permissions; use parameterized queries; whitelist projections,SQLiteQueryBuilder.setProjectionMap(); selection with ? placeholders; android:permission,Exported provider; rawQuery('SELECT * WHERE id=' + input); no permission,M1 - Improper Platform Usage,https://developer.android.com/guide/topics/providers/content-provider-basics
+Platform,FileProvider Path Traversal,Android,High,"fileprovider path traversal directory file sharing uri permission",FileProvider granting access to entire filesystem or allowing path traversal,Restrict FileProvider paths to specific subdirectories; validate canonical paths; reject ..,<paths><files-path name='docs' path='documents/'/></paths>; canonicalize and validate,<paths><root-path name='root' path='/'/> grants entire filesystem access,M1 - Improper Platform Usage,https://developer.android.com/reference/androidx/core/content/FileProvider
+Platform,Broadcast Receiver Security,Android,High,"broadcast receiver exported implicit permission local broadcast ordered",Exported BroadcastReceiver intercepting or spoofing broadcasts,Use LocalBroadcastManager or custom permissions; set exported=false; validate sender,LocalBroadcastManager.sendBroadcast(); custom permission android:protectionLevel=signature,Exported receiver with implicit intent filter; no sender validation; sensitive data in broadcast,M1 - Improper Platform Usage,https://developer.android.com/privacy-and-security/security-tips#IPC
+Platform,Screen Recording Prevention,All,High,"screen recording capture mediaprojection prevent sensitive banking financial",Sensitive screens recordable via screen capture or MediaProjection API,Use FLAG_SECURE on windows with sensitive data; detect MediaProjection; overlay on app switch,window.setFlags(FLAG_SECURE FLAG_SECURE); detect active MediaProjection; blur on background,Sensitive banking screens fully recordable; account balance visible in screen recordings,M2 - Insecure Data Storage,
+Platform,Third-Party Keyboard Data Leak,All,High,"keyboard third party input leak password sensitive autocomplete custom secure",Third-party keyboards capturing sensitive input (passwords; credit cards; SSN),Disable autocomplete on sensitive fields; detect third-party keyboard; use secure in-app keyboard for banking,android:inputType=textPassword|textNoSuggestions; textContentType=.oneTimeCode; detect IME package,Sensitive fields with autocomplete enabled; keystrokes sent to untrusted keyboard SDK,M2 - Insecure Data Storage,https://www.guardsquare.com/mobile-app-security-research-center/malware/secure-in-app-keyboard
+Platform,Notification Data Exposure,All,Medium,"notification sensitive data push content visible lockscreen preview",Sensitive data displayed in notifications visible on lock screen,Use VISIBILITY_SECRET for sensitive notifications; redact content on lock screen; encrypt payload,notification.visibility = VISIBILITY_SECRET; redact body on lock screen; decrypt payload in-app,Show full account balance transaction details OTP in notification visible on lock screen,M2 - Insecure Data Storage,
+Code,Dynamic Code Loading Security,Android,Critical,"dynamic code loading dex classloader plugin apk dexclassloader",Dynamically loading unverified DEX/APK code allowing code injection,Verify integrity of loaded code; mark files read-only (Android 14+); load from trusted sources only,Verify SHA-256 of DEX before loading; setReadOnly(); load from app internal storage only,DexClassLoader loading unverified APK from external storage or network; writable DEX files,M8 - Code Tampering,https://developer.android.com/privacy-and-security/risks/dynamic-code-loading
+Data Storage,Firebase Security Rules,All,Critical,"firebase firestore realtime database security rules open read write",Firebase database with open read/write rules allowing unauthorized access,Write strict security rules; authenticate all requests; validate data shape and ownership,rules: match /users/{uid} { allow read write: if request.auth.uid == uid; },allow read write: if true; OR no security rules configured,M2 - Insecure Data Storage,https://firebase.google.com/docs/rules
+Data Storage,Push Notification Token Security,All,Medium,"push notification token fcm apns registration device firebase messaging",FCM/APNS push tokens stored insecurely or exposed to unauthorized parties,Store push tokens in EncryptedSharedPreferences/Keychain; send to backend over HTTPS; rotate on logout,Store FCM token in EncryptedSharedPreferences; invalidate on logout; refresh periodically,Store FCM token in plaintext SharedPreferences; never invalidate on logout,M2 - Insecure Data Storage,
+Network,Mutual TLS Client Certificate,All,High,"mutual tls mtls client certificate two-way authentication pinning",Server-only TLS allows any client to connect; no client identity verification,Implement mutual TLS with client certificates for high-security APIs (banking; healthcare),Configure OkHttp SSLContext with client KeyStore; server validates client cert; cert rotation,Server-only TLS; any HTTP client can call sensitive APIs without client identity proof,M3 - Insecure Communication,
+Network,Encrypted Network Cache,All,Medium,"network cache okhttp response sensitive data encrypted http cache",HTTP response cache storing sensitive API data in plaintext on disk,Encrypt cache or disable caching for sensitive endpoints; use Cache-Control no-store,Set Cache-Control: no-store for sensitive APIs; encrypt OkHttp cache directory; clear on logout,Sensitive API responses (user profile; financial data) cached in plaintext on disk,M2 - Insecure Data Storage,
+Platform,Runtime Permission Minimization,All,High,"runtime permission dangerous minimal camera location microphone storage",Requesting excessive permissions beyond app functionality,Request minimum permissions; explain rationale; use permission-less alternatives when possible,Request ACCESS_FINE_LOCATION only when needed; use Photo Picker instead of READ_MEDIA_IMAGES,Request all permissions at startup; CAMERA + LOCATION + CONTACTS + STORAGE for a calculator app,M1 - Improper Platform Usage,https://developer.android.com/training/permissions/requesting
+Logging,Secure Logging Framework,Android,High,"logging timber release tree strip log sensitive production pii",Using Android Log.d/Log.v in production exposing sensitive data in logcat,Use Timber with release tree that strips verbose/debug; never log PII/tokens/passwords,Timber.plant(ReleaseTree()); ReleaseTree only logs WARN+ level; no PII in any log level,Log.d(TAG 'User: $email Token: $jwt Password: $pass') readable in logcat by any app,M10 - Extraneous Functionality,
+Data Storage,Secure SharedPreferences Migration,Android,Medium,"sharedpreferences migration encrypted datastore security upgrade",Migrating from plain SharedPreferences to EncryptedSharedPreferences without data loss,Implement migration strategy; read from old prefs; write to encrypted; delete old; handle corruption,Read old SharedPreferences; copy to EncryptedSharedPreferences; delete old file; add corruption handler,Plain SharedPreferences with tokens alongside EncryptedSharedPreferences; old data never deleted,M2 - Insecure Data Storage,https://developer.android.com/reference/androidx/security/crypto/EncryptedSharedPreferences
+Platform,App Bundle Signing Security,Android,High,"app bundle aab signing play app signing key upgrade rotation",APK signed with weak key or signing key not enrolled in Play App Signing,Enroll in Play App Signing; use key upgrade for stronger algorithm; enable v3+ signature scheme,Enroll in Google Play App Signing; upgrade to ECDSA P-256; enable APK signature scheme v3,Self-signed with 1024-bit RSA key; not enrolled in Play App Signing; no key rotation plan,M8 - Code Tampering,https://developer.android.com/studio/publish/app-signing
+Privacy,Geolocation Data Protection,All,High,"geolocation location privacy background foreground precise approximate coarse",Collecting precise location when approximate suffices; tracking in background,Use ACCESS_COARSE_LOCATION when precise not needed; explain background usage; minimize retention,Request ACCESS_COARSE_LOCATION for weather; ACCESS_FINE_LOCATION only for navigation; no background,Request ACCESS_FINE_LOCATION + ACCESS_BACKGROUND_LOCATION for app that only shows local weather,M6 - Privacy Violation,https://developer.android.com/training/location
+Privacy,Camera Microphone Indicators,All,Medium,"camera microphone indicator permission privacy recording sensor access",App accessing camera/microphone without clear user awareness,Release camera/microphone immediately after use; respect indicators; handle denial gracefully,Release camera in onPause; show in-app recording indicator; graceful fallback if denied,Hold camera/microphone indefinitely in background; no user indicator of active recording,M6 - Privacy Violation,
+Privacy,AI LLM Data Leakage,All,High,"ai llm chatgpt gemini data leakage prompt injection sensitive pii third party",Sending sensitive user data (PII; credentials; health data) to third-party AI/LLM services,Sanitize data before AI calls; use on-device models for sensitive data; obtain consent; audit prompts,Strip PII before API call; use on-device ML for sensitive features; user consent for AI features,Send raw user messages health records financial data directly to third-party AI API,M6 - Privacy Violation,
+Code,Secure WebView File Access,Android,High,"webview file access javascript local storage file:// scheme disable",WebView with file:// access enabled allowing local file exfiltration,Disable file access in WebView; restrict JavaScript; use allowlist for URLs,setAllowFileAccess(false); setAllowContentAccess(false); URL allowlist; disable JS if not needed,setAllowFileAccess(true); setAllowFileAccessFromFileURLs(true); load untrusted content,M1 - Improper Platform Usage,https://developer.android.com/develop/ui/views/layout/webapps/best-practices
+Code,Secure Native Library Loading,Android,High,"native library loading so injection preload dlopen system.loadlibrary path",Loading native .so from untrusted or writable paths allowing library injection,Load .so only from app's private lib directory; verify library integrity before loading,System.loadLibrary('native-lib') from default app lib path; verify .so hash at startup,Load .so from sdcard or world-writable directory; no integrity check on loaded library,M8 - Code Tampering,
+Authentication,Credential Stuffing Protection,All,High,"credential stuffing brute force rate limit captcha account lockout login",No protection against automated credential stuffing and brute force attacks,Implement rate limiting; CAPTCHA after failures; account lockout; device fingerprinting,Rate limit 5 attempts/min; CAPTCHA after 3 failures; progressive lockout; notify user of attempts,No rate limiting; unlimited login attempts; no CAPTCHA; no account lockout policy,M4 - Insecure Authentication,
+Authentication,Secure Password Reset,All,High,"password reset token expiry email deep link otp verification",Insecure password reset flow allowing account takeover,Use time-limited tokens (15 min); single-use; validate via deep link + OTP; require identity proof,Time-limited single-use token; email + OTP verification; invalidate all sessions on reset,Password reset link never expires; reusable; no additional verification; no session invalidation,M4 - Insecure Authentication,
+Cryptography,Keystore StrongBox vs TEE,Android,High,"keystore strongbox tee hardware backed secure element titan chip",Not using hardware-backed key storage; keys stored in software-only keystore,Prefer StrongBox when available; fall back to TEE; verify security level with getSecurityLevel(),Check FEATURE_STRONGBOX_KEYSTORE; setIsStrongBoxBacked(true); fallback to TEE; verify hardware backing,Software-only keystore; keys extractable on rooted device; no hardware security verification,M5 - Insufficient Cryptography,https://developer.android.com/privacy-and-security/keystore
+Cryptography,Biometric-Bound Keystore Keys,Android,High,"biometric bound key keystore authentication required cryptoobject unlock",Keystore keys usable without biometric authentication for sensitive operations,Bind keys to biometric auth; require CryptoObject in BiometricPrompt; set validity duration,setUserAuthenticationRequired(true); setUserAuthenticationParameters(0 AUTH_BIOMETRIC_STRONG); CryptoObject,Keys accessible without authentication; no biometric binding for encryption/decryption operations,M5 - Insufficient Cryptography,https://developer.android.com/privacy-and-security/keystore
+Cryptography,Keystore Key Invalidation Handling,Android,Medium,"keystore key invalidation biometric enrollment change lockscreen fingerprint",Keys invalidated after biometric enrollment change causing app crashes or data loss,Handle KeyPermanentlyInvalidatedException; re-enroll keys gracefully; backup strategy for key loss,Catch KeyPermanentlyInvalidatedException; prompt user to re-authenticate; re-generate key; migrate data,App crashes on InvalidKeyException after user adds new fingerprint; no recovery mechanism,M5 - Insufficient Cryptography,https://developer.android.com/privacy-and-security/keystore
+Data Storage,Room Database Encryption,Android,High,"room database encryption sqlcipher sqlite encrypted saferoom",Room database storing sensitive data without encryption,Encrypt Room database with SQLCipher via SupportFactory; use hardware-backed key from Keystore,Room.databaseBuilder().openHelperFactory(SupportFactory(sqlCipherKey)); key from Android Keystore,Room.databaseBuilder(ctx AppDatabase::class.java 'db').build() unencrypted; data readable with sqlite3,M2 - Insecure Data Storage,https://www.zetetic.net/sqlcipher/sqlcipher-for-android/
+Data Storage,DataStore Encryption,Android,Medium,"datastore preferences proto encryption sensitive secure storage jetpack",Jetpack DataStore storing sensitive preferences without encryption,Encrypt DataStore with Tink EncryptedFile or custom Serializer with encryption; key from Keystore,Create encrypted DataStore with Tink StreamingAead; key stored in Android Keystore,DataStore<Preferences> storing auth tokens user PII without encryption; readable on rooted device,M2 - Insecure Data Storage,https://developer.android.com/topic/libraries/architecture/datastore
+Data Storage,Scoped Storage Security,Android,High,"scoped storage external internal mediastore saf android 10 11 file access",Accessing external storage without scoped storage restrictions (legacy mode),Use Scoped Storage; access own app-specific directory; use MediaStore for shared media; SAF for user files,context.filesDir for private; MediaStore for images/videos; SAF Intent for user documents,requestLegacyExternalStorage=true; READ_EXTERNAL_STORAGE for all files; access other apps' data,M2 - Insecure Data Storage,https://developer.android.com/training/data-storage
+Platform,Photo Picker Permissionless Access,Android,Medium,"photo picker android 13 14 media permission read_media_images visual",Using READ_MEDIA_IMAGES/READ_MEDIA_VIDEO when Photo Picker suffices,Use Android Photo Picker for media selection; no permissions needed; respects user privacy,PickVisualMedia() contract; ActivityResultContracts.PickVisualMedia(); no permission declaration,Request READ_MEDIA_IMAGES to browse all photos; access entire photo library when only need one image,M6 - Privacy Violation,https://developer.android.com/training/data-storage/shared/photopicker
+Authentication,Credential Manager Integration,Android,High,"credential manager passkey password sign-in google autofill jetpack",Using deprecated authentication APIs or custom login without Credential Manager,Migrate to Credential Manager API for passkeys; passwords; federated sign-in; unified auth flow,CredentialManager.create(context); GetCredentialRequest with passkey + password options; handle result,Custom login with SharedPreferences password storage; no passkey support; deprecated AccountManager,M4 - Insecure Authentication,https://developer.android.com/identity/sign-in/credential-manager
+Platform,Android 16 Safer Intents,Android,Medium,"android 16 safer intents intent action null filter strict mode",Android 16 enforces non-null Intent actions and stricter Intent filter matching,Ensure all Intents have explicit action; match Intent filters precisely; handle StrictMode violations,Intent(context TargetActivity::class.java).setAction('com.app.ACTION'); explicit component + action,Intent() with null action; relies on implicit resolution; crashes on Android 16 strict enforcement,M1 - Improper Platform Usage,https://developer.android.com/about/versions/16/behavior-changes-16
+Platform,Package Visibility Android 11,Android,Medium,"package visibility queries android 11 package manager installed apps",App enumerating all installed apps leaking user privacy,Declare specific package queries in manifest; use intent-based queries; minimize app enumeration,<queries><package android:name='com.specific.app'/></queries>; intent-based discovery,<uses-permission android:name='QUERY_ALL_PACKAGES'/>; enumerate all user installed apps,M6 - Privacy Violation,https://developer.android.com/training/package-visibility
+Supply Chain,Gradle Dependency Verification,Android,Critical,"gradle dependency verification checksum signature metadata xml supply chain",No verification that Gradle dependencies are authentic and untampered,Enable dependency verification with checksums and/or PGP signatures in verification-metadata.xml,gradle/verification-metadata.xml with SHA-256 checksums; PGP signature verification; --write-verification-metadata,No verification-metadata.xml; dependencies downloaded without integrity checks; vulnerable to supply chain,M6 - Insufficient Supply Chain Security,https://developer.android.com/build/dependency-verification
+Supply Chain,Gradle Dependency Locking,Android,High,"gradle dependency locking lockfile reproducible build version pin",Dynamic dependency versions (1.+ or latest) causing non-reproducible builds,Enable dependency locking; commit lockfiles to VCS; block builds with unlocked new versions,dependencyLocking { lockAllConfigurations() }; commit gradle.lockfile; CI fails on new unlocked deps,implementation('com.lib:lib:1.+') resolves different versions; no lockfile; non-reproducible builds,M6 - Insufficient Supply Chain Security,https://docs.gradle.org/current/userguide/dependency_locking.html
+Supply Chain,CI/CD Signing Security,Android,Critical,"ci cd signing keystore jks release build github actions secrets pipeline",Release signing keystore committed to repository or hardcoded in CI scripts,Store keystore in CI secrets (GitHub Actions secrets); inject at build time; never commit to repo,GitHub Actions: secrets.KEYSTORE_BASE64 decoded at build time; signingConfigs from environment variables,Keystore file committed to git; password in build.gradle.kts; visible in CI logs,M2 - Insecure Data Storage,
+Platform,Manifest Component Audit,Android,High,"manifest exported activity service receiver provider component audit android 12",Exported components accessible to malicious apps; no systematic audit,Audit all exported components; set exported=false by default; require permissions for necessary exports,Lint check for exported components; android:exported=false default; signature permission on exports,Multiple activities/services exported=true without permissions; accessible to any installed app,M1 - Improper Platform Usage,https://developer.android.com/privacy-and-security/risks/access-control-to-exported-components
+Platform,Service Binding Security,Android,High,"service bound started exported permission aidl binder ipc",Exported Service accessible without permission allowing unauthorized binding,Require custom signature-permission for bound services; validate caller identity; restrict AIDL exposure,android:permission='com.app.BIND_SERVICE' protectionLevel=signature; checkCallingPermission() in onBind,Exported service without permission; any app can bind; AIDL exposes internal methods,M1 - Improper Platform Usage,https://developer.android.com/privacy-and-security/security-tips#IPC
+Platform,Signature Permission Protection,Android,Medium,"signature permission protectionlevel custom permission app component",Using normal-level custom permissions that any app can request,Use signature-level permissions for inter-app communication between your own apps,<permission android:name='com.app.PERMISSION' android:protectionLevel='signature'/>,<permission android:protectionLevel='normal'/>; any third-party app can request and obtain,M1 - Improper Platform Usage,https://developer.android.com/privacy-and-security/security-tips
+Network,OkHttp Certificate Pinning Setup,Android,High,"okhttp certificate pinning certificatepinner sha256 hash backup pin",No certificate pinning on OkHttp client allowing MITM with rogue CA,Configure CertificatePinner with SHA-256 public key hashes; include backup pins; handle pin failure,CertificatePinner.Builder().add('api.app.com' 'sha256/AAAA...').add('api.app.com' 'sha256/BBBB...backup'),OkHttpClient() without CertificatePinner; trusts any valid certificate from any CA,M3 - Insecure Communication,https://square.github.io/okhttp/features/https/
+Network,Network Security Config Advanced,Android,High,"network security config xml domain pin cleartextTrafficPermitted debug override",Missing or incomplete network_security_config.xml allowing cleartext or missing pins,Configure comprehensive network_security_config.xml with domain pins; disable cleartext; debug overrides,<base-config cleartextTrafficPermitted='false'/>; <pin-set> per domain; <debug-overrides> for dev only,No network_security_config.xml; android:usesCleartextTraffic='true'; no certificate pinning,M3 - Insecure Communication,https://developer.android.com/privacy-and-security/security-config
+Data Storage,WorkManager Data Security,Android,Medium,"workmanager data worker background sensitive input output",Sensitive data passed in WorkManager Data objects persisted to database,Minimize sensitive data in Worker inputs; encrypt sensitive payloads; clear outputs after consumption,Pass encrypted reference/ID in Data; Worker fetches sensitive data from EncryptedSharedPreferences,workDataOf('token' to jwt 'password' to pass) persisted in WorkManager internal database,M2 - Insecure Data Storage,
+Code,Compose State Sensitive Data,Android,Medium,"compose state remember sensitive password token mutablestateof recomposition",Sensitive data held in Compose remember{} state visible during recomposition debugging,Minimize sensitive data in Compose state; clear on disposal; use PasswordVisualTransformation,PasswordVisualTransformation(); clear password on navigation; disposable state for tokens,remember { mutableStateOf(plainTextPassword) } visible in Layout Inspector and recomposition logs,M2 - Insecure Data Storage,
+Code,Navigation Compose Argument Validation,Android,High,"navigation compose deep link argument validation injection type safe serializable",Unvalidated deep link arguments in Navigation Compose allowing injection,Use @Serializable type-safe routes; validate all NavArgs; reject malformed deep link parameters,@Serializable data class Route(val id: Int); validate id range; reject negative or out-of-bounds,navArgument('id') { type = NavType.StringType } without validation; SQL injection via deep link,M1 - Improper Platform Usage,https://developer.android.com/guide/navigation/design/type-safety
+Platform,StrictMode Security Detection,Android,Medium,"strictmode disk network leak closable resource main thread detection",Not using StrictMode to detect security-relevant violations during development,Enable StrictMode in debug builds to detect disk/network on main thread; unclosed resources; leaks,StrictMode.setThreadPolicy(detectAll().penaltyLog()); StrictMode.setVmPolicy(detectLeakedClosableObjects()),No StrictMode; disk writes on main thread; leaked database cursors; cleartext network undetected,M7 - Client Code Quality,https://developer.android.com/reference/android/os/StrictMode
+Platform,Installer Verification,Android,Medium,"installer verification play store sideload package source install",App not verifying installation source allowing sideloaded modified copies,Verify installer package name at runtime; restrict features for non-Play Store installs,packageManager.getInstallSourceInfo(packageName).installingPackageName == 'com.android.vending',No installer check; sideloaded modified APK gets full functionality and server access,M8 - Code Tampering,
+Platform,BLE Bluetooth Security,Android,High,"bluetooth ble low energy pairing bonding encryption gatt security",Insecure BLE communication allowing eavesdropping and MITM on sensitive data,Use BLE secure pairing (LE Secure Connections); encrypt GATT characteristics; validate bonding state,BluetoothDevice.createBond(); encrypted GATT read/write; require BLUETOOTH_CONNECT permission,Unencrypted BLE GATT communication; no pairing required; sensitive health data sent in cleartext,M3 - Insecure Communication,https://developer.android.com/develop/connectivity/bluetooth
+Platform,NFC Security Best Practices,Android,Medium,"nfc hce host card emulation payment secure element ndef tag",Insecure NFC implementation for payments or sensitive data exchange,Use Secure Element for payment HCE; validate NDEF records; restrict NFC reader mode; encrypt payloads,HostApduService with Secure Element; validate NDEF record types; encrypt sensitive NFC payloads,HCE without Secure Element for payments; unvalidated NDEF records; cleartext NFC data exchange,M3 - Insecure Communication,https://developer.android.com/develop/connectivity/nfc
+Cryptography,Android Keystore Key Import,Android,Medium,"keystore key import wrapped secure attestation key wrapping aes",Importing encryption keys insecurely into Android Keystore,Use wrapped key import with purpose-bound wrapping key; verify key attestation after import,KeyStore.setEntry() with wrapped key; verify attestation certificate chain after import,Import raw key bytes directly; no wrapping; key exposed in memory during import process,M5 - Insufficient Cryptography,https://developer.android.com/privacy-and-security/keystore
+Platform,Android Clipboard Auto-Clear,Android,Medium,"clipboard auto clear android 13 sensitive copy paste timeout",Sensitive data copied to clipboard persists indefinitely on older Android versions,Set ClipDescription.EXTRA_IS_SENSITIVE flag; implement auto-clear timer; use PendingIntent for delayed clear,ClipData.newPlainText().apply { description.extras = persistableBundle { EXTRA_IS_SENSITIVE = true } },Copy password to clipboard; no sensitive flag; no auto-clear; data accessible to all apps indefinitely,M2 - Insecure Data Storage,https://developer.android.com/develop/ui/views/touch-and-input/copy-paste
+Lint,Google Security Lints Integration,Android,High,"android security lints google custom lint check gradle dependency vulnerability",Not using Google's android-security-lints for automated vulnerability detection,Add com.android.security.lint:lint as lintChecks dependency; run ./gradlew lint; fix all security warnings,lintChecks('com.android.security.lint:lint:1.0.3') in build.gradle; ./gradlew lint; zero security warnings,No security lint checks; vulnerabilities only found in manual review or production incidents,M7 - Client Code Quality,https://github.com/google/android-security-lints
+Lint,TrustAllX509TrustManager [Lint],Android,Critical,"trustallx509trustmanager ssl tls trust manager certificate validation bypass lint",Custom X509TrustManager with empty checkServerTrusted/checkClientTrusted trusting all certificates,Never implement empty TrustManager; use default system TrustManager; add certificate pinning,Use default TrustManagerFactory; CertificatePinner for pinning; network_security_config for custom CAs,TrustManager with empty checkServerTrusted() {} trusts all certificates including attacker's,M3 - Insecure Communication,https://developer.android.com/privacy-and-security/security-config
+Lint,SetWorldReadable SetWorldWritable [Lint],Android,High,"setWorldReadable setWorldWritable file permission mode_world_readable lint",Files created with MODE_WORLD_READABLE/WORLD_WRITABLE accessible to all apps on device,Use MODE_PRIVATE for all files; share via FileProvider with URI permissions,openFileOutput('data' MODE_PRIVATE); share via FileProvider with FLAG_GRANT_READ_URI_PERMISSION,openFileOutput('data' MODE_WORLD_READABLE) or setWorldReadable(true) accessible to any app,M2 - Insecure Data Storage,
+Lint,ExposedRootPath [Lint],Android,High,"exposed root path fileprovider root-path configuration lint security",FileProvider configured with <root-path> granting access to entire device filesystem,Never use <root-path> in FileProvider; use specific path types (files-path; cache-path; external-path),<files-path name='docs' path='shared_docs/'/> restricts to specific subdirectory,<root-path name='root' path=''/> allows access to ANY file on the device,M2 - Insecure Data Storage,https://github.com/google/android-security-lints
+Lint,SensitiveExternalPath [Lint],Android,High,"sensitive external path storage pii fileprovider external lint",Sensitive data (PII; tokens; credentials) stored via FileProvider external paths,Store sensitive data in app-internal storage only; never share via external-path or external-files-path,Use <files-path> or <cache-path> for sensitive data; <external-path> only for non-sensitive media,Sensitive user data shared via <external-files-path> accessible to other apps with storage permission,M2 - Insecure Data Storage,https://github.com/google/android-security-lints
+Lint,LogInfoDisclosure [Lint],Android,High,"log info disclosure logcat sensitive pii token password lint",Logging sensitive information (PII; tokens; passwords) via Log.d/Log.v/Log.i in production,Never log sensitive data at any level; use Timber with custom release tree; strip logs in release,Timber.plant(ReleaseTree()); log only non-sensitive context; redact PII in all log statements,Log.d(TAG 'Login user=$email token=$jwt') exposes credentials to any app reading logcat,M10 - Extraneous Functionality,https://github.com/google/android-security-lints
+Lint,DefaultCleartextTraffic [Lint],Android,High,"default cleartext traffic http api 27 network security config lint",On API 27 and below default network config trusts cleartext HTTP traffic,Set cleartextTrafficPermitted=false in network_security_config.xml; target API 28+ minimum,<base-config cleartextTrafficPermitted='false'/>; android:networkSecurityConfig in manifest,No network_security_config.xml on API 27; cleartext HTTP traffic allowed by default,M3 - Insecure Communication,https://github.com/google/android-security-lints
+Lint,DefaultTrustedUserCerts [Lint],Android,Medium,"default trusted user certs ca certificate api 23 network security lint",On API 23 and below default network config trusts user-added CA certificates enabling MITM,Set trust-anchors to system CAs only in network_security_config.xml; target API 24+ minimum,<trust-anchors><certificates src='system'/></trust-anchors> in base-config,No network_security_config.xml on API 23; user-installed CA certs trusted for app connections,M3 - Insecure Communication,https://github.com/google/android-security-lints
+Lint,DisabledSafeBrowsing [Lint],Android,Medium,"safe browsing disabled webview malicious url phishing lint",Safe Browsing disabled in WebView allowing users to visit malicious/phishing URLs,Keep Safe Browsing enabled; use enableSafeBrowsing=true; handle SafeBrowsingResponse,<meta-data android:name='android.webkit.WebView.EnableSafeBrowsing' android:value='true'/>,android:enableSafeBrowsing='false' or WebSettings.setSafeBrowsingEnabled(false),M1 - Improper Platform Usage,https://github.com/google/android-security-lints
+Lint,InsecureDnsSdkLevel [Lint],Android,Medium,"insecure dns sdk level custom dns configuration spoofing resolution lint",Custom DNS configurations on lower SDK levels susceptible to DNS spoofing attacks,Use Android OS built-in transport security on SDK 28+; avoid custom DNS resolvers,Target SDK 28+ for built-in DNS-over-TLS; use system DNS resolver,Custom DNS resolver without encryption on SDK < 28; vulnerable to DNS spoofing,M3 - Insecure Communication,https://github.com/google/android-security-lints
+Lint,StrandhoggVulnerable [Lint],Android,High,"strandhogg vulnerability task reparenting allowTaskReparenting taskAffinity lint",Activity with allowTaskReparenting or taskAffinity vulnerable to Strandhogg task hijacking,Set allowTaskReparenting=false; use empty taskAffinity; set launchMode=singleTask for sensitive activities,android:allowTaskReparenting='false'; android:taskAffinity=''; launchMode='singleTask',android:allowTaskReparenting='true' allows malicious app to hijack activity and steal credentials,M1 - Improper Platform Usage,https://github.com/google/android-security-lints
+Lint,StickyBroadcast Insecurity [Lint],Android,Medium,"sticky broadcast sendStickyBroadcast insecure permission access modify lint",Using sendStickyBroadcast/sendStickyOrderedBroadcast which any app can access and modify,Use sendBroadcast with custom permission instead; sticky broadcasts deprecated in API 21,sendBroadcast(intent 'com.app.PERMISSION') with signature-level protection,sendStickyBroadcast(intent) accessible to any app; data can be intercepted and modified,M1 - Improper Platform Usage,https://github.com/google/android-security-lints
+Lint,UnintendedExposedUrl [Lint],Android,High,"unintended exposed url debug development staging localhost ip address lint",Debug/development/staging URLs or private IP addresses left in production code,Remove all debug URLs before release; use BuildConfig fields for environment switching; CI checks,BuildConfig.BASE_URL from build flavors; no hardcoded URLs; lint + CI scan for debug endpoints,Hardcoded 'http://192.168.1.100:8080/api' or 'https://staging.internal.com' in production APK,M10 - Extraneous Functionality,https://github.com/google/android-security-lints
+Lint,VulnerableCryptoAlgorithm [Lint],Android,Critical,"vulnerable crypto algorithm md5 sha1 des rc4 weak hash lint",Using broken cryptographic algorithms (MD5; SHA-1; DES; RC4; ECB mode) detected by lint,Use AES-256-GCM for encryption; SHA-256+ for hashing; never use MD5/SHA-1/DES/RC4/ECB,MessageDigest.getInstance('SHA-256'); Cipher.getInstance('AES/GCM/NoPadding'),MessageDigest.getInstance('MD5') or Cipher.getInstance('DES/ECB/PKCS5Padding'),M5 - Insufficient Cryptography,https://github.com/google/android-security-lints
+Lint,WeakPrng [Lint],Android,High,"weak prng random java.util.Random predictable token session lint",Using java.util.Random for security-sensitive values (tokens; session IDs; OTPs),Use java.security.SecureRandom for all security contexts; never use Random for tokens or keys,SecureRandom() for token generation; SecureRandom.getInstanceStrong() for key material,Random().nextLong().toString() for session token or OTP code; predictable by attacker,M5 - Insufficient Cryptography,https://github.com/google/android-security-lints
+Lint,BluetoothDiscoveryDuration [Lint],Android,Medium,"bluetooth discovery duration zero extended attack window ble lint",Bluetooth discovery set to zero (infinite) or excessively long increasing attack window,Set reasonable discovery duration (max 120 seconds); disable when not needed; prompt user,startActivityForResult(discoverableIntent) with EXTRA_DISCOVERABLE_DURATION = 60,EXTRA_DISCOVERABLE_DURATION = 0 makes device discoverable indefinitely while app runs,M3 - Insecure Communication,https://github.com/google/android-security-lints
+Lint,MissingAutoVerify [Lint],Android,High,"missing auto verify app links deep link intent filter http https lint",Intent filter for HTTP/HTTPS URLs without autoVerify allowing other apps to hijack links,Add android:autoVerify='true' to intent filters; set up Digital Asset Links .well-known/assetlinks.json,<intent-filter android:autoVerify='true'> + /.well-known/assetlinks.json on domain,<intent-filter> with http/https data without autoVerify; any app can claim your domain's URLs,M1 - Improper Platform Usage,https://github.com/google/android-security-lints
+Lint,InsecurePermissionProtectionLevel [Lint],Android,Medium,"insecure permission protection level normal dangerous custom lint",Custom permissions declared with normal or dangerous protectionLevel instead of signature,Use protectionLevel='signature' for custom permissions; only same-signed apps can obtain,<permission android:protectionLevel='signature'/> ensures only your apps have permission,<permission android:protectionLevel='normal'/> any app can request and auto-obtain,M1 - Improper Platform Usage,https://github.com/google/android-security-lints
+Lint,UnprotectedSMSBroadcastReceiver [Lint],Android,High,"unprotected sms broadcast receiver intercept otp read message lint",BroadcastReceiver for SMS_RECEIVED without proper permission allowing SMS interception,Use SMS Retriever API instead of SMS permission; if needed require BROADCAST_SMS permission,SmsRetriever.getClient(context).startSmsRetriever() for OTP auto-read; no SMS permission needed,<receiver><intent-filter><action android:name='android.provider.Telephony.SMS_RECEIVED'/></intent-filter></receiver> without permission,M1 - Improper Platform Usage,
+Lint,HardcodedDebugMode [Lint],Android,Critical,"hardcoded debuggable debug mode manifest lint android:debuggable true",Hardcoded android:debuggable in manifest; should be controlled by build type,Remove android:debuggable from manifest; let build system set automatically; debug=false in release,Remove android:debuggable entirely; Gradle sets debuggable=true for debug and false for release,android:debuggable='true' hardcoded in AndroidManifest.xml; debug mode in production,M8 - Security Misconfiguration,
+Lint,DataExtractionRules [Lint],Android,Medium,"data extraction rules backup allowBackup android 12 fullBackupContent lint",Missing data extraction rules for Android 12+ backup configuration,Define dataExtractionRules for Android 12+ and fullBackupContent for older; exclude sensitive data,android:dataExtractionRules='@xml/data_extraction_rules' with <exclude> for sensitive paths,No data extraction rules; android:allowBackup='true' includes sensitive data in cloud backup,M2 - Insecure Data Storage,
+Lint,GrantAllUris [Lint],Android,High,"grantAllUris content provider grant-uri-permission path prefix root lint",grant-uri-permission with path='/' or empty pathPrefix exposing entire ContentProvider,Restrict grant-uri-permission to specific paths; use narrow pathPrefix for specific resources,<grant-uri-permission android:pathPrefix='/public/shared/'/> restricts to specific path,<grant-uri-permission android:path='/'/> or empty pathPrefix grants access to all provider data,M2 - Insecure Data Storage,
+Lint,PackageManagerGetSignatures [Lint],Android,Medium,"packagemanager get_signatures deprecated get_signing_certificates api 28 lint",Using deprecated GET_SIGNATURES flag vulnerable to Fake ID attacks on older Android,Use GET_SIGNING_CERTIFICATES (API 28+) for signature verification; validate full certificate chain,PackageManager.getPackageInfo(pkg GET_SIGNING_CERTIFICATES); verify apkContentsSigners,PackageManager.getPackageInfo(pkg GET_SIGNATURES) vulnerable to Fake ID on pre-API 28,M8 - Code Tampering,
+Lint,UnsafeFilenameFromContentProvider [Lint],Android,High,"unsafe filename content provider display_name path traversal sanitize lint",Trusting ContentProvider filenames without sanitization allowing path traversal attacks,Sanitize filenames from ContentProvider; reject path separators; use random generated names,Generate UUID filename; File(cacheDir UUID.randomUUID().toString() + extension),File(cacheDir cursor.getString(DISPLAY_NAME)) with '../../../etc/passwd' as filename,M1 - Improper Platform Usage,
+Code,EmptyCatchBlock Security [Detekt],Android,High,"empty catch block swallow exception security error handling detekt lint",Empty catch blocks silently swallowing security exceptions (auth failures; crypto errors),Always handle or rethrow exceptions; log security failures; never silently swallow,catch (e: AuthException) { logSecurityEvent(e); showError() } or rethrow,catch (e: Exception) { } silently ignores authentication failure or crypto error,M7 - Client Code Quality,https://detekt.dev/docs/rules/empty-blocks
+Code,GlobalScope Coroutine Usage [Detekt],Android,High,"globalscope coroutine launch async lifecycle leak detekt viewmodelscope",Using GlobalScope for coroutines causing lifecycle leaks and uncontrolled execution,Use viewModelScope; lifecycleScope; or application-scoped CoroutineScope with SupervisorJob,viewModelScope.launch { } automatically cancelled on ViewModel clear,GlobalScope.launch { fetchSensitiveData() } survives Activity destruction; leaks data,M7 - Client Code Quality,https://detekt.dev/docs/rules/coroutines
+Code,SuspendFunSwallowedCancellation [Detekt],Android,Medium,"suspend cancellation runCatching coroutine exception swallow detekt",Using runCatching in suspend functions swallowing CancellationException breaking structured concurrency,Use try-catch with explicit exception types; rethrow CancellationException; avoid runCatching in suspend,try { result } catch (e: IOException) { handleError(e) } preserves cancellation,runCatching { suspendCall() } catches CancellationException preventing coroutine cancellation,M7 - Client Code Quality,https://detekt.dev/docs/rules/coroutines
+Code,ForbiddenMethodCall Security [Detekt],Android,High,"forbidden method call detekt security insecure api ban configuration",Not configuring detekt ForbiddenMethodCall to ban insecure APIs in codebase,Configure ForbiddenMethodCall to ban insecure APIs: Log.d; Random(); MODE_WORLD_READABLE; exec(),ForbiddenMethodCall config banning java.util.Random; android.util.Log; Runtime.exec; MODE_WORLD,Insecure APIs like Random() Log.d() exec() freely used without any static analysis enforcement,M7 - Client Code Quality,https://detekt.dev/docs/rules/style
+Code,Detekt Security Integration,Android,High,"detekt static analysis kotlin code quality security complexity coroutines",Not using detekt for Kotlin static analysis to catch security and quality issues,Integrate detekt with security-focused rules; run in CI; fail build on critical findings,detekt { config.setFrom('config/detekt.yml') }; CI runs ./gradlew detekt; block on error,No static analysis; code quality and security issues only caught in manual review,M7 - Client Code Quality,https://detekt.dev/
+Code,Ktlint Code Consistency,Android,Medium,"ktlint kotlin linter formatting code style consistency wildcard import",Inconsistent code formatting and wildcard imports reducing code auditability,Integrate ktlint; enforce no-wildcard-imports; consistent style improves security review,ktlint { android.set(true) }; no-wildcard-imports; consistent formatting across team,Wildcard imports hiding dependencies; inconsistent style making security review harder,M7 - Client Code Quality,https://pinterest.github.io/ktlint/
+Code,Mixed Condition Operators [Ktlint],Android,Medium,"mixed condition operators precedence logic bug and or parentheses ktlint",Mixing && and || without parentheses causing logic bugs in security conditions,Always parenthesize mixed boolean operators; ktlint enforces this rule,if ((isAdmin && hasPermission) || isSuperUser) { } with explicit grouping,if (isAdmin && hasPermission || isSuperUser) { } ambiguous precedence may bypass auth check,M7 - Client Code Quality,https://pinterest.github.io/ktlint/
+Code,DoubleMutabilityForCollection [Detekt],Android,Medium,"double mutability collection var mutablelist concurrent modification detekt",Using var with MutableList/MutableMap causing race conditions and unintended mutations,Use val with MutableList or var with List; never combine var + Mutable in shared state,val items = mutableListOf<Item>() OR var items: List<Item> = emptyList(),var items = mutableListOf<User>() in ViewModel; race condition when reassigned during iteration,M7 - Client Code Quality,https://detekt.dev/docs/rules/potential-bugs
+Code,SleepInsteadOfDelay Coroutines [Detekt],Android,Medium,"thread.sleep suspend coroutine delay block detekt anr main thread",Using Thread.sleep() in suspend functions blocking the coroutine dispatcher thread,Use delay() in suspend functions; never block coroutine threads with Thread.sleep,suspend fun waitForRetry() { delay(1000) } suspends without blocking thread,suspend fun waitForRetry() { Thread.sleep(1000) } blocks dispatcher; may cause ANR,M7 - Client Code Quality,https://detekt.dev/docs/rules/coroutines
+Code,InjectDispatcher Coroutines [Detekt],Android,Medium,"inject dispatcher coroutine hardcoded Dispatchers.IO Default testing detekt",Hardcoding Dispatchers.IO/Default preventing testability and dispatcher control,Inject dispatchers via constructor; use @Qualifier; enables testing with TestDispatcher,class Repo @Inject constructor(@IoDispatcher private val dispatcher: CoroutineDispatcher),withContext(Dispatchers.IO) { } hardcoded; untestable; cannot swap dispatcher in tests,M7 - Client Code Quality,https://detekt.dev/docs/rules/coroutines
+Data Storage,Keychain Item Accessible When Device Locked,iOS,Critical,keychain kSecAttrAccessible accessibility constant whenUnlocked afterFirstUnlock thisDeviceOnly data protection,Using permissive Keychain accessibility constants like kSecAttrAccessibleAlways or kSecAttrAccessibleAfterFirstUnlock makes secrets accessible when the device is locked or after backup restore,Use kSecAttrAccessibleWhenUnlockedThisDeviceOnly for maximum protection; ensures item is only accessible while device is unlocked AND prevents migration via backup,kSecAttrAccessible: kSecAttrAccessibleWhenUnlockedThisDeviceOnly; SecItemAdd(query nil),kSecAttrAccessible: kSecAttrAccessibleAfterFirstUnlock; accessible when device locked,M2 - Insecure Data Storage,https://developer.apple.com/documentation/security/ksecattraccessiblewhenunlockedthisdeviceonly
+Data Storage,Keychain Sharing Across Unauthorized Apps,iOS,High,keychain access group kSecAttrAccessGroup sharing team prefix entitlement bundle seed,Misconfigured Keychain access groups can expose sensitive credentials to other apps from the same development team or fail to share when needed,Explicitly set kSecAttrAccessGroup with team ID prefix; configure keychain-access-groups entitlement; use separate access groups for different sensitivity levels,kSecAttrAccessGroup: 'ABCDE12345.com.mycompany.shared'; kSecAttrAccessible: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,No access group set; defaults may leak to or hide from companion apps,M2 - Insecure Data Storage,https://developer.apple.com/documentation/security/keychain_services/keychain_items/sharing_access_to_keychain_items_among_a_collection_of_apps
+Data Storage,Keychain Items Survive Device Migration,iOS,High,keychain data protection class thisDeviceOnly migration backup restore itunes icloud,Keychain items without ThisDeviceOnly suffix are included in encrypted backups and can be restored to a different device; attacker with backup can extract secrets,Use ThisDeviceOnly variants for security-critical items; kSecAttrAccessibleWhenUnlockedThisDeviceOnly; re-provision credentials on new devices via re-authentication,kSecAttrAccessible: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly; never leaves device,kSecAttrAccessible: kSecAttrAccessibleAfterFirstUnlock; migrates via backup to new device,M2 - Insecure Data Storage,https://developer.apple.com/documentation/security/keychain_services/keychain_items/restricting_keychain_item_accessibility
+Platform,iOS App Attest Attestation Flow,iOS,Critical,app attest dcappattestservice attestation key generate attestKey validateAttestation hardware integrity,Without App Attest the backend cannot verify requests come from a genuine unmodified iOS app on real Apple hardware; attackers can forge API requests,Use DCAppAttestService to generate hardware-backed key pair; request attestation with server challenge; validate attestation object server-side against Apple root CA,DCAppAttestService.shared.generateKey { keyId in service.attestKey(keyId clientDataHash: challengeHash) { attestation in sendToServer(keyId attestation) } },No attestation; server trusts any HTTP request with valid auth token; curl can call all APIs,M8 - Code Tampering,https://developer.apple.com/documentation/devicecheck/establishing-your-app-s-integrity
+Platform,iOS App Attest Assertion Validation,iOS,High,app attest assertion generateAssertion clientDataHash request signing server validation replay prevention,Even after initial attestation each API request must have an assertion to prove it originates from the attested app instance; without per-request assertions sessions can be hijacked,Generate assertion via DCAppAttestService.generateAssertion with hash of request payload; server validates assertion checks counter to prevent replay,service.generateAssertion(keyId clientDataHash: Data(SHA256.hash(data: requestBody))) { assertion in request.addHeader('X-Apple-Assertion' assertion.base64) },Attestation done once at launch; all subsequent requests sent without assertion; server cannot verify individual requests,M8 - Code Tampering,https://developer.apple.com/documentation/devicecheck/dcappattestservice
+Platform,iOS DeviceCheck Token Fraud Prevention,iOS,Medium,devicecheck DCDevice generateToken per-device bits fraud prevention promotional abuse reinstall,Without DeviceCheck users can delete and reinstall app to reset fraud counters redeem promotions multiple times or bypass per-device restrictions,Use DCDevice.current.generateToken; send to server which queries Apple DeviceCheck API to read/set two per-device bits that persist across reinstalls,DCDevice.current.generateToken { token in sendToBackend(deviceToken: token.base64) } // server queries Apple to check/set bits,UserDefaults.standard.set(true forKey: 'hasRedeemedPromo') // reset on reinstall,M1 - Improper Platform Usage,https://developer.apple.com/documentation/devicecheck
+Data Storage,iOS NSFileProtectionComplete,iOS,Critical,data protection NSFileProtectionComplete file encryption locked device passcode FileAttributeKey ios,Files without explicit data protection or with weaker classes remain accessible when device is locked; physical attackers can read sensitive files,Apply NSFileProtectionComplete to all sensitive files; ensures encryption with passcode-derived key; inaccessible when locked,try data.write(to: fileURL options: .completeFileProtection); FileManager.setAttributes([.protectionKey: .complete]),try data.write(to: fileURL) // default protection may be insufficient for sensitive data,M2 - Insecure Data Storage,https://developer.apple.com/documentation/foundation/nsfileprotectioncomplete
+Data Storage,iOS NSFileProtectionCompleteUnlessOpen,iOS,High,data protection NSFileProtectionCompleteUnlessOpen background download write file handle locked asymmetric,Apps needing to write files while device is locked cannot use NSFileProtectionComplete; using NSFileProtectionNone removes all encryption,Use NSFileProtectionCompleteUnlessOpen for background writes; uses asymmetric crypto; file protected once handle closed and device locked,FileManager.setAttributes([.protectionKey: .completeUnlessOpen] ofItemAtPath: downloadPath) // writable in background encrypted once closed,FileManager.setAttributes([.protectionKey: .none] ofItemAtPath: downloadPath) // no encryption,M2 - Insecure Data Storage,https://developer.apple.com/documentation/foundation/nsfileprotectioncompleteunlessopen
+Network,iOS VPN Traffic Leakage,iOS,High,network extension NEVPNManager NETunnelProviderManager vpn ikev2 packet tunnel includeAllNetworks excludeLocalNetworks,VPN apps using Network Extension may leak traffic outside tunnel if not configured to capture all routes; DNS or local traffic bypasses VPN,Set includeAllNetworks=true; excludeLocalNetworks=false; implement NEOnDemandRuleConnect; use enforceRoutes on iOS 16+,proto.includeAllNetworks = true; proto.excludeLocalNetworks = false; proto.enforceRoutes = true,NETunnelProviderProtocol() // includeAllNetworks defaults to false; DNS and local traffic leak outside VPN,M3 - Insecure Communication,https://developer.apple.com/documentation/networkextension/nevpnprotocol
+Data Storage,iOS App Groups Shared Container Security,iOS,High,app group shared container UserDefaults suite NSFileCoordinator widget extension data isolation,App Group shared containers are not encrypted by default and accessible to all apps in the group potentially exposing sensitive data to less-secure extensions,Never store sensitive data in shared App Group container; use Keychain with shared access group for secrets; encrypt files in container; apply NSFileProtectionComplete,UserDefaults(suiteName: 'group.com.app').set(displayName forKey: 'widgetTitle') // non-sensitive only; secrets in Keychain,UserDefaults(suiteName: 'group.com.app').set(authToken forKey: 'token') // token accessible to any extension,M2 - Insecure Data Storage,https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_application-groups
+Data Storage,iOS UIPasteboard Clipboard Security,iOS,High,UIPasteboard clipboard copy paste localOnly expirationDate sensitive password otp ios14 notification universal,Data copied to UIPasteboard.general accessible to all apps; triggers paste notification; persists across apps; may sync via Universal Clipboard,Use UIPasteboard.withUniqueName() for app-internal operations; set localOnly=true; set expirationDate; mark password fields with isSecureTextEntry,UIPasteboard.withUniqueName().setItems([[typeAutomatic: otp]] options: [.localOnly: true .expirationDate: Date().addingTimeInterval(30)]),UIPasteboard.general.string = authToken // accessible to all apps; syncs to Mac; persists indefinitely,M2 - Insecure Data Storage,https://developer.apple.com/documentation/uikit/uipasteboard
+Platform,iOS Scene Lifecycle Snapshot Security,iOS,Medium,scene lifecycle sceneDidEnterBackground UIWindowSceneDelegate snapshot app switcher blur overlay sensitive screen,iOS captures snapshot for app switcher when app enters background; sensitive data visible to anyone viewing app switcher,In sceneDidEnterBackground overlay blur on window; remove in sceneWillEnterForeground; for SwiftUI use onChange(of: scenePhase),func sceneDidEnterBackground { let blur = UIVisualEffectView(effect: UIBlurEffect(style: .regular)); window.addSubview(blur) },No background protection; banking screen with account balance visible as snapshot in app switcher,M2 - Insecure Data Storage,https://developer.apple.com/documentation/uikit/uiwindowscenedelegate
+Code,iOS Jailbreak Detection Advanced,iOS,High,jailbreak detection cydia sileo checkra1n unc0ver palera1n fork sandbox stat dyld frida substrate,Jailbroken devices bypass iOS sandbox allowing code injection method hooking and Keychain extraction; basic checks easily bypassed by modern jailbreak tools,Multiple detection layers: check jailbreak file paths; attempt writing outside sandbox; check if fork() succeeds; scan loaded dylibs for Substrate/Frida; verify code signing,Check /Applications/Cydia.app /usr/sbin/sshd; test sandbox write; fork() check (blocked on stock iOS); scan dylibs for frida,No jailbreak detection; banking app runs with full functionality on checkra1n jailbroken device,M8 - Code Tampering,https://owasp.org/www-project-mobile-top-10/
+Network,iOS ATS Detailed Configuration,iOS,Critical,ATS app transport security NSAllowsArbitraryLoads NSExceptionDomains NSExceptionMinimumTLSVersion TLS PFS forward secrecy,Setting NSAllowsArbitraryLoads globally disables ATS allowing cleartext HTTP and weak TLS; Apple may reject submissions with blanket exceptions,Never set NSAllowsArbitraryLoads globally; use NSExceptionDomains only for specific domains; set NSExceptionMinimumTLSVersion to TLSv1.2+; keep NSExceptionRequiresForwardSecrecy true,NSExceptionDomains: legacy-api.thirdparty.com with NSExceptionMinimumTLSVersion TLSv1.2; specific domain exceptions only,NSAllowsArbitraryLoads: true // disables ATS for ALL connections,M3 - Insecure Communication,https://developer.apple.com/documentation/bundleresources/information-property-list/nsapptransportsecurity
+Platform,iOS Universal Links AASA Validation,iOS,High,universal links apple-app-site-association AASA associated domains applinks deep link hijacking verification,Custom URL schemes can be claimed by any app allowing interception; Universal Links use HTTPS and server-side verification but require correct AASA configuration,Use Universal Links instead of custom schemes; host valid AASA at /.well-known/apple-app-site-association; configure Associated Domains entitlement,AASA: applinks with specific appIDs and path patterns; Associated Domains entitlement: applinks:yourdomain.com,Custom URL scheme myapp://callback?token=abc123; any app can register myapp:// and intercept the token,M1 - Improper Platform Usage,https://developer.apple.com/documentation/xcode/supporting-associated-domains
+Cryptography,iOS Secure Enclave Key Generation,iOS,Critical,secure enclave SecKey kSecAttrTokenIDSecureEnclave P-256 elliptic curve hardware key generation biometric,Cryptographic keys generated in software can be extracted on jailbroken devices; Secure Enclave generates hardware-backed non-exportable keys,Generate keys with SecKeyCreateRandomKey using kSecAttrTokenIDSecureEnclave; use P-256 curve; bind to biometric with access control flags,SecKeyCreateRandomKey with kSecAttrTokenID: kSecAttrTokenIDSecureEnclave; kSecAttrKeyTypeECSECPrimeRandom 256-bit; biometryCurrentSet access control,SecKeyCreateRandomKey with RSA 2048 software-only key; extractable on jailbroken device,M5 - Insufficient Cryptography,https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/protecting_keys_with_the_secure_enclave
+Authentication,iOS Secure Enclave Biometric Binding,iOS,High,secure enclave biometric binding biometryCurrentSet biometryAny SecAccessControl Face ID Touch ID key usage,Secure Enclave keys without biometric binding can be used by any code in the app; stolen unlocked device allows key usage without user presence,Use .biometryCurrentSet to invalidate key when biometric enrollment changes; combine with .privateKeyUsage for per-operation biometric requirement,SecAccessControlCreateWithFlags(kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly [.privateKeyUsage .biometryCurrentSet]),SecAccessControlCreateWithFlags(kSecAttrAccessibleWhenUnlocked []) // no biometric; any process can use key,M4 - Insecure Authentication,https://developer.apple.com/documentation/security/secaccesscontrolcreateflags
+Platform,iOS BackgroundTasks Security,iOS,Medium,BGTaskScheduler BGAppRefreshTask BGProcessingTask background fetch sensitive data expiration handler,Background tasks execute with reduced security context; NSFileProtectionComplete files inaccessible; tasks may be killed leaving operations incomplete,Never access .complete-protected files in background; use .completeUntilFirstUserAuthentication; implement expiration handlers; encrypt cached data,BGTaskScheduler: task.expirationHandler = { cleanupSensitiveCache() }; syncNonSensitiveData(); task.setTaskCompleted(success: true),Background task reads auth token from .complete-protected file (fails when locked); writes to unencrypted temp file,M2 - Insecure Data Storage,https://developer.apple.com/documentation/backgroundtasks
+Code,iOS WKWebView Security Configuration,iOS,High,WKWebView configuration javascript injection allowsFileAccess WKNavigationDelegate url allowlist XSS content security policy,WKWebView with permissive configuration can execute arbitrary JavaScript access local files and navigate to malicious domains,Restrict navigation to allowlist via WKNavigationDelegate; disable JavaScript if not needed; never enable allowsFileAccessFromFileURLs; validate message handler data,config.preferences.javaScriptEnabled = false; webView.navigationDelegate = self // decidePolicyFor with URL allowlist,config.preferences.setValue(true forKey: 'allowFileAccessFromFileURLs'); webView.load(URLRequest(url: URL(string: userInput)!)),M1 - Improper Platform Usage,https://developer.apple.com/documentation/webkit/wkwebviewconfiguration
+Privacy,iOS Privacy Manifest Requirement,iOS,Critical,privacy manifest PrivacyInfo.xcprivacy NSPrivacyTracking NSPrivacyTrackingDomains NSPrivacyAccessedAPITypes required reasons API 2024,Apple requires PrivacyInfo.xcprivacy manifest declaring tracking domains and required reasons APIs; missing manifests result in App Store rejection,Create PrivacyInfo.xcprivacy; declare NSPrivacyTracking NSPrivacyTrackingDomains NSPrivacyAccessedAPITypes with reason codes; audit all SDKs,NSPrivacyTracking: false; NSPrivacyAccessedAPITypes with reason codes CA92.1 E174.1 35F9.1 per API category,No PrivacyInfo.xcprivacy; uses UserDefaults file timestamps disk space without declaring; rejected by App Store,M6 - Privacy Violation,https://developer.apple.com/documentation/bundleresources/privacy_manifest_files
+Code,iOS Entitlements Security Audit,iOS,High,entitlements audit com.apple.developer keychain-access-groups aps-environment associated-domains capabilities provisioning,Excessive entitlements expand attack surface; debug entitlements shipped in production enable debugging; misconfigured groups expose shared data,Audit entitlements before each release; remove unused capabilities; verify aps-environment is production; automate entitlement diffing in CI,CI: codesign -d --entitlements - MyApp.app | diff expected-entitlements.plist; minimal entitlements only,Debug get-task-allow in release; broad keychain-access-groups; associated-domains with wildcard; no audit,M8 - Security Misconfiguration,https://developer.apple.com/documentation/bundleresources/entitlements
+Code,iOS Code Signing Distribution Integrity,iOS,Critical,code signing codesign provisioning profile distribution certificate team identity enterprise sideload,Invalid or missing code signing allows tampered apps via enterprise certificates or sideloading; enterprise certs can distribute modified versions,Use App Store distribution; verify code signing identity at runtime; detect enterprise profiles; implement server-side bundle ID and team ID validation,Validate embedded.mobileprovision teamIdentifier matches expected; detect enterprise/ad-hoc provisioning in production,No runtime code signing validation; app re-signed with different certificate runs normally; modified IPA via enterprise profile,M8 - Code Tampering,https://developer.apple.com/documentation/xcode/distributing-your-app-for-beta-testing-and-releases
+Authentication,iOS Keychain Access Control LAContext,iOS,High,keychain access control LAContext SecAccessControl biometryCurrentSet userPresence devicePasscode kSecUseAuthenticationContext,Keychain items without SecAccessControl allow any code to read secrets without user verification,Create SecAccessControl with .biometryCurrentSet; pre-evaluate LAContext and pass via kSecUseAuthenticationContext; handle LAError.biometryLockout,LAContext with localizedReason; SecAccessControl with .biometryCurrentSet; kSecUseAuthenticationContext: context,kSecReturnData: true without access control or biometric; any code reads the token,M4 - Insecure Authentication,https://developer.apple.com/documentation/localauthentication/lacontext
+Data Storage,SwiftUI @AppStorage Sensitive Data,iOS,Critical,SwiftUI AppStorage UserDefaults sensitive token password secret plaintext plist observable,SwiftUI @AppStorage persists data to UserDefaults plaintext plist; developers may store tokens API keys or PII for convenience,Never use @AppStorage for sensitive data; use only for preferences; create custom Keychain-backed property wrapper for sensitive SwiftUI bindings,@AppStorage('isDarkMode') var isDarkMode = false // non-sensitive; @KeychainStorage('authToken') var token // custom wrapper,@AppStorage('authToken') var authToken = '' // plaintext UserDefaults; @AppStorage('userSSN') var ssn = '' // PII in plaintext,M2 - Insecure Data Storage,https://developer.apple.com/documentation/swiftui/appstorage
+Data Storage,SwiftUI State Restoration Security,iOS,Medium,SwiftUI state SceneStorage environment sensitive data restoration persistence memory scraping privacySensitive,SwiftUI @SceneStorage persists data unencrypted; @State holds sensitive data in memory; state restoration resurfaces sensitive screens,Never use @SceneStorage for sensitive data; clear sensitive @State on background; use .privacySensitive() modifier; disable restoration for sensitive flows,Text(creditCardNumber).privacySensitive(); onChange(of: scenePhase) { if background { viewModel.clearSensitiveState() } },@SceneStorage('lastViewedAccount') var accountId // persisted unencrypted; @State var password = '' held in memory after navigation,M2 - Insecure Data Storage,https://developer.apple.com/documentation/swiftui/scenestorage
+Code,iOS WKWebView JavaScript Bridge Security,iOS,High,WKWebView WKScriptMessageHandler WKUserContentController javascript bridge native injection postMessage origin,WKScriptMessageHandler bridges JS to native code; if web content compromised injected JS can call handlers to access Keychain or trigger payments,Validate sender URL origin in message handler; minimize exposed native functionality; implement allowlist of accepted message names; rate-limit calls,func userContentController(didReceive message:) { guard message.frameInfo.request.url?.host == 'trusted.example.com' else { return } },if message.name == 'getToken' { evaluateJavaScript('receiveToken(keychainToken)') } // no origin check; any page gets token,M1 - Improper Platform Usage,https://developer.apple.com/documentation/webkit/wkscriptmessagehandler
+Authentication,iOS Keychain Biometric Passcode Fallback,iOS,Medium,keychain LAContext biometry passcode fallback deviceOwnerAuthentication biometryOrPasscode lockout Face ID Touch ID,Using .biometryAny without passcode fallback permanently locks users out if biometric fails; .deviceOwnerAuthentication may be too permissive for high-security ops,Use .deviceOwnerAuthentication for standard ops (passcode fallback); .biometryCurrentSet with explicit app-level fallback for high-security; handle LAError.biometryLockout,High-sec: .biometryCurrentSet; Standard: .deviceOwnerAuthentication with passcode fallback; separate Keychain items by auth level,.biometryAny without fallback; user locked out if Face ID fails; no passcode recovery path,M4 - Insecure Authentication,https://developer.apple.com/documentation/localauthentication/logging_a_user_into_your_app_with_face_id_or_touch_id
+Network,iOS SSL Pinning URLSession,iOS,Critical,SSL pinning URLSession URLAuthenticationChallenge SecTrust certificate public key pin iOS MITM trust evaluation,URLSession without certificate pinning trusts any CA-signed certificate; attacker with rogue root cert can intercept all HTTPS traffic,Implement URLSessionDelegate urlSession(didReceive:) for custom trust evaluation; extract public key and compare against pinned hash; fail closed,Extract serverKey from SecTrust; SHA256 hash; compare against pinnedKeyHashes; .cancelAuthenticationChallenge on mismatch,Default URLSession; trusts any valid certificate; Charles Proxy with custom CA intercepts all traffic,M3 - Insecure Communication,https://developer.apple.com/documentation/foundation/urlsessiondelegate
+Privacy,iOS Required Reasons API Audit,iOS,High,required reasons API UserDefaults fileModificationDate systemUptime diskSpace NSPrivacyAccessedAPIType audit fingerprinting,Apple designated APIs (UserDefaults file timestamps system boot time disk space) as required reasons APIs; undeclared usage causes App Store rejection,Audit codebase and SDKs for required reasons APIs; declare NSPrivacyAccessedAPIType and reason codes in PrivacyInfo.xcprivacy,PrivacyInfo.xcprivacy: NSPrivacyAccessedAPICategoryDiskSpace reason E174.1; NSPrivacyAccessedAPICategoryUserDefaults reason CA92.1,Uses volumeAvailableCapacityKey and systemUptime without declaring in privacy manifest; app rejected,M6 - Privacy Violation,https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api
+Data Storage,Flutter Secure Storage Misconfiguration,Flutter,Critical,flutter_secure_storage keychain encryptedsharedpreferences ios android configuration aOptions iOptions,flutter_secure_storage with default options may use weaker Keychain accessibility or unencrypted storage on older Android,Configure IOSOptions with kSecAttrAccessibleWhenUnlockedThisDeviceOnly; AndroidOptions with encryptedSharedPreferences=true; set keychain account name,FlutterSecureStorage(aOptions: AndroidOptions(encryptedSharedPreferences: true) iOptions: IOSOptions(accessibility: KeychainAccessibility.when_unlocked_this_device_only)),FlutterSecureStorage() with defaults; kSecAttrAccessibleAfterFirstUnlock on iOS; plain SharedPreferences on old Android,M2 - Insecure Data Storage,https://pub.dev/packages/flutter_secure_storage
+Code,Flutter Dart Isolate Security,Flutter,High,dart isolate compute sensitive computation encryption decryption memory isolation parallel processing,Sensitive computations (encryption key derivation) on main isolate risk exposure via debugging and memory inspection,Use Isolate.run() or compute() for sensitive operations; data is copied not shared; isolate memory garbage collected independently,final result = await Isolate.run(() { return encrypt(sensitiveData key); }); // isolated memory,final encrypted = encrypt(sensitiveData key); // main isolate; visible in DevTools; shared memory,M5 - Insufficient Cryptography,https://dart.dev/language/isolates
+Platform,Flutter Platform Channel Validation,Flutter,High,platform channel MethodChannel EventChannel validation injection flutter native bridge,Platform channels (MethodChannel EventChannel) bridging Dart to native code without argument validation allow injection attacks from compromised native side,Validate all arguments in native method handlers; type-check inputs; implement allowlist of accepted method names; handle errors gracefully,channel.setMethodCallHandler { call in guard call.method == 'encrypt' else { result(FlutterMethodNotImplemented) }; guard let data = call.arguments as? String data.count < MAX_SIZE else { result(FlutterError()) } },channel.setMethodCallHandler { call in db.rawQuery(call.arguments as! String) } // SQL injection via platform channel,M1 - Improper Platform Usage,https://docs.flutter.dev/platform-integration/platform-channels
+Code,Flutter WebView Security,Flutter,High,flutter webview InAppWebView webview_flutter javascript injection xss url allowlist navigation delegate,Flutter WebView with permissive JS settings and no URL restrictions enables XSS and arbitrary navigation to phishing sites,Restrict navigation to allowlist; disable JS if not needed; validate all message handler data; use NavigationDelegate to block untrusted URLs,InAppWebView(initialUrlRequest: trusted; onNavigationRequest: (req) => allowlist.contains(req.url.host) ? NavigationDecision.navigate : NavigationDecision.prevent),WebView(initialUrl: userInput javascriptMode: JavascriptMode.unrestricted) // loads any URL with full JS,M1 - Improper Platform Usage,https://pub.dev/packages/webview_flutter
+Deep Link,Flutter Deep Link Validation,Flutter,High,flutter deep link go_router app links universal links url scheme validation parameter injection,Flutter deep link routes directly mapping URL parameters to widget state without validation allow parameter injection and auth bypass,Validate all deep link parameters; use go_router redirect guards; implement auth middleware; use App Links over custom schemes,GoRoute(path: '/invite/:code' redirect: (context state) { if (!isValidCode(state.params['code'])) return '/home'; return null; }),GoRoute(path: '/pay/:amount/:to' builder: (context state) => PaymentScreen(amount: state.params['amount']!)) // no validation,M1 - Improper Platform Usage,https://docs.flutter.dev/ui/navigation/deep-linking
+Network,Flutter Dio Certificate Pinning,Flutter,Critical,flutter dio certificate pinning ssl tls mitm SecurityContext https badCertificateCallback network,Flutter HTTP clients (dio http) without certificate pinning trust any valid CA-signed certificate enabling MITM attacks,Configure Dio with SecurityContext and pinned certificates; implement certificate validation in badCertificateCallback; include backup pins,dio.httpClientAdapter = IOHttpClientAdapter(createHttpClient: () { final client = HttpClient(context: securityContext); client.badCertificateCallback = validatePin; return client; }),Dio() without pinning; trusts any CA; MITM with user-installed cert succeeds,M3 - Insecure Communication,https://pub.dev/packages/dio
+Authentication,Flutter Local Auth Security,Flutter,High,flutter local_auth biometric authentication fingerprint face id bypass sensitive operation localAuthentication,local_auth only provides UI-level auth gate; attacker can bypass biometric check by hooking isDeviceSupported or authenticate methods,Combine local_auth with Keystore/Keychain-bound keys; use biometricOnly option; verify auth on server-side for critical operations,local_auth.authenticate(localizedReason: 'Verify' options: AuthenticationOptions(biometricOnly: true)); then use Keystore-bound token,if (await local_auth.authenticate()) showSecretData(); // client-side only; hookable; no crypto binding,M4 - Insecure Authentication,https://pub.dev/packages/local_auth
+Code,Flutter Environment Configuration Security,Flutter,High,flutter environment config --dart-define envied .env api key secret build time variable embedded,Flutter --dart-define and envied inject values at compile time; all values embedded in binary and extractable; developers store API secrets this way,Use --dart-define only for non-sensitive config; use envied with obfuscate flag; proxy sensitive API calls through backend; gitignore .env files,--dart-define=ENV=production; envied @EnviedField(obfuscate: true) for API keys; sensitive keys on backend only,--dart-define=STRIPE_KEY=sk_live_abc123 embedded in Dart code; extractable from compiled binary,M2 - Insecure Data Storage,https://pub.dev/packages/envied
+Platform,Flutter Screenshot Prevention,Flutter,Medium,flutter screenshot prevention FLAG_SECURE flutter_windowmanager screen capture recording sensitive banking,Flutter has no built-in cross-platform screenshot prevention; sensitive screens capturable via screenshots or screen recording,Use flutter_windowmanager to set FLAG_SECURE on Android; implement native iOS blur overlay; control per-screen; detect screen recording,FlutterWindowManager.addFlags(FlutterWindowManager.FLAG_SECURE); // iOS: blur overlay in applicationWillResignActive,No screenshot protection; banking screen with account balance visible in task switcher and screen recordings,M2 - Insecure Data Storage,https://pub.dev/packages/flutter_windowmanager
+Code,Flutter Secure State Management,Flutter,Medium,flutter state management riverpod bloc sensitive data provider dispose clear memory token password,Sensitive data (tokens passwords) held in Riverpod providers or BLoC states persists in memory and may be observable via DevTools,Clear sensitive state on logout and dispose; use autoDispose providers; avoid storing raw credentials in state; encrypt in-memory values,final authProvider = StateNotifierProvider.autoDispose<AuthNotifier AuthState>((ref) => AuthNotifier()); // autoDispose clears on no listeners,final tokenProvider = StateProvider<String>((ref) => ''); // token persists in memory; visible in DevTools; never cleared,M2 - Insecure Data Storage,https://riverpod.dev/
+Code,Flutter Root Jailbreak Detection,Flutter,High,flutter jailbreak root detection freeRASP flutter_jailbreak_detection talsec rooted compromised device,Flutter apps on rooted/jailbroken devices face runtime manipulation via Frida; memory inspection; and method hooking via platform channels,Use freeRASP or flutter_jailbreak_detection; implement multiple detection signals; degrade functionality on compromised devices for financial apps,Talsec.start(TalsecConfig(isProd: true androidConfig: AndroidConfig(packageName: 'com.app'))); // freeRASP multi-signal detection,No device integrity checks; banking app fully functional on rooted device with Frida attached,M8 - Code Tampering,https://pub.dev/packages/freerasp
+Supply Chain,Flutter Code Push OTA Security,Flutter,High,flutter code push ota update shorebird signing integrity verification bundle dart hot patch,Flutter OTA update services (Shorebird) push Dart code changes without app store review; unsigned updates allow malicious code injection,Enable code signing for OTA updates; verify bundle signatures before applying; implement rollback on failure; restrict to non-security-critical changes,Shorebird with code signing enabled; verify patch integrity before applying; rollback on verification failure,OTA update without code signing; accepts any bundle from server; no integrity verification,M8 - Code Tampering,https://shorebird.dev/
+Code,Flutter FFI Memory Safety,Flutter,High,flutter ffi dart:ffi native memory safety pointer use-after-free buffer overflow arena allocator,dart:ffi provides direct memory access; incorrect pointer management causes use-after-free buffer overflows and memory leaks,Use Arena allocator for automatic cleanup; validate pointer bounds; use Finalizer for native resource cleanup; avoid manual malloc/free,using((Arena arena) { final ptr = arena.allocate<Uint8>(size); processNative(ptr size); }); // Arena auto-frees,final ptr = malloc<Uint8>(size); processNative(ptr); // forgot to free; or free(ptr); ptr.ref = 0; // use-after-free,M7 - Client Code Quality,https://dart.dev/interop/c-interop
+Testing,Flutter Widget Test Security Validation,Flutter,Medium,flutter widget test security validation input sensitive screen golden test integration testing,Security-critical widgets not tested for edge cases; no validation that sensitive fields use obscureText; no tests for input sanitization,Write widget tests verifying obscureText on password fields; test input validation; golden tests for security UI; integration tests for auth flows,testWidgets('password obscured' (tester) async { await tester.pumpWidget(LoginPage()); expect(find.byType(TextField).evaluate().first.widget.obscureText true); }),No widget tests for security properties; password field not verified as obscured; no validation tests,M7 - Client Code Quality,https://docs.flutter.dev/testing
+Network,Flutter Secure HTTP Client,Flutter,Medium,flutter dio interceptor logging production sensitive authorization header strip debug response body,Dio interceptors logging full request/response bodies including auth headers persist in production builds exposing credentials,Conditionally add logging interceptors using kDebugMode; strip Authorization headers in any production logging; redact sensitive response data,if (kDebugMode) { dio.interceptors.add(LogInterceptor(responseBody: false)); } // debug only; no response body,dio.interceptors.add(LogInterceptor(requestHeader: true responseBody: true)); // logs auth headers and sensitive responses in production,M10 - Extraneous Functionality,https://pub.dev/packages/dio
+Data Storage,Flutter Clipboard Security,Flutter,Medium,flutter clipboard copy paste sensitive password otp token Clipboard.setData auto-clear,Clipboard.setData() places sensitive data on system clipboard accessible to all apps; persists indefinitely,Implement auto-clear timer for sensitive clipboard data; use secureTextEntry equivalent for passwords; provide custom copy with timeout,await Clipboard.setData(ClipboardData(text: otp)); Future.delayed(Duration(seconds: 30) () => Clipboard.setData(ClipboardData(text: ''))),await Clipboard.setData(ClipboardData(text: authToken)); // token on clipboard forever; accessible to all apps,M2 - Insecure Data Storage,https://api.flutter.dev/flutter/services/Clipboard-class.html
+Platform,Flutter Background State Security,Flutter,Medium,flutter AppLifecycleState background inactive overlay blur sensitive screen task switcher state management,Flutter app in background shows sensitive content in task switcher; AppLifecycleState.inactive/paused captures visible state,Listen to AppLifecycleState; show overlay or blur on inactive/paused; hide on resumed; use WidgetsBindingObserver,void didChangeAppLifecycleState(state) { if (state == AppLifecycleState.inactive) setState(() => showOverlay = true); },No lifecycle handling; banking screen with balance visible in task switcher to anyone with physical access,M2 - Insecure Data Storage,https://api.flutter.dev/flutter/dart-ui/AppLifecycleState.html
+Data Storage,React Native Keychain Best Practices,React Native,Critical,react-native-keychain keychain keystore biometric hardware backed setGenericPassword getGenericPassword storage,Using AsyncStorage for credentials instead of react-native-keychain; improper Keychain configuration with weak accessibility,Use react-native-keychain with WHEN_UNLOCKED_THIS_DEVICE_ONLY accessibility; enable biometric protection; prefer hardware-backed storage,Keychain.setGenericPassword(user pass { accessible: WHEN_UNLOCKED_THIS_DEVICE_ONLY storage: FB_PROTECTED_STORAGE }),AsyncStorage.setItem('password' pass) // plaintext SQLite on Android; readable on rooted device,M2 - Insecure Data Storage,https://github.com/oblador/react-native-keychain
+Code,React Native Hermes Bytecode Protection,React Native,High,hermes bytecode hbc hbcdump obfuscation reverse engineering react native javascript bundle decompile,Hermes bytecode is harder to read than plain JS but can be disassembled with hbcdump revealing function names and string literals,Enable Hermes for baseline protection; add JS obfuscation before Hermes compilation; strip debug info; enable ProGuard for Android native layer,metro.config.js: transformer: { babelTransformerPath: 'react-native-obfuscating-transformer' }; hermesEnabled: true; minifyEnabled: true,hermesEnabled: true with no additional obfuscation; string literals and function names readable via hbcdump,M9 - Reverse Engineering,https://reactnative.dev/docs/hermes
+Platform,React Native Bridge Security,React Native,High,react native bridge native module turbomodule validation injection javascript interface method authorization,Native modules via bridge or TurboModules callable from any JS code including injected scripts; without validation sensitive operations exploitable,Validate all arguments in native module methods; implement authorization checks; restrict access using package-private visibility; use typed codegen,@ReactMethod fun encryptData(data: String promise: Promise) { if (data.isEmpty()) promise.reject('INVALID'); verifyCallerContext(); promise.resolve(encrypt(data)) },@ReactMethod fun executeQuery(sql: String promise: Promise) { promise.resolve(db.rawQuery(sql)) } // SQL injection; no validation,M1 - Improper Platform Usage,https://reactnative.dev/docs/native-modules-android
+Supply Chain,React Native CodePush Integrity,React Native,Critical,codepush ota update integrity signing verification react native appcenter bundle tamper supply chain code signing,CodePush OTA updates without integrity verification allow MITM attackers to distribute malicious code bypassing platform review,Enable CodePush code signing with asymmetric keys; verify bundle signatures before applying; implement rollback; restrict to non-security changes,CodePush.sync({ deploymentKey: PRODUCTION_KEY } codePushOptions: { publicKey: PUBLIC_KEY_FOR_VERIFICATION }); // signed releases only,CodePush.sync({ installMode: InstallMode.IMMEDIATE }); // no code signing; accepts any bundle from server,M8 - Code Tampering,https://github.com/microsoft/react-native-code-push
+Network,React Native SSL Pinning,React Native,Critical,react-native-ssl-pinning certificate pinning https mitm fetch networking trustkit react native,React Native default fetch does not support certificate pinning making all API communication vulnerable to MITM attacks,Use react-native-ssl-pinning; pin public keys not certificates; include backup pins; test with Charles proxy to verify,import { fetch } from 'react-native-ssl-pinning'; fetch(url { sslPinning: { certs: ['api-cert'] } headers: { Authorization: 'Bearer ' + token } }),fetch('https://api.example.com/data'); // default fetch; no pinning; MITM with user-installed cert succeeds,M3 - Insecure Communication,https://github.com/nicutor/react-native-ssl-pinning
+Data Storage,React Native MMKV Encrypted Storage,React Native,High,react-native-mmkv asyncstorage encrypted storage sensitive token session encryption key keychain,AsyncStorage stores data in unencrypted SQLite/plist; react-native-mmkv without encryption is plaintext binary format,Use react-native-mmkv with encryption enabled; derive key from Keychain via react-native-keychain; separate instances for sensitive data,const encryptionKey = await Keychain.getGenericPassword({service: 'mmkv-key'}); new MMKV({id: 'secure' encryptionKey: key}),AsyncStorage.setItem('auth_token' jwt); // unencrypted SQLite on Android; readable on rooted device,M2 - Insecure Data Storage,https://github.com/mrousavy/react-native-mmkv
+Deep Link,React Native Deep Linking Security,React Native,High,react native deep link react-navigation linking universal links app links url scheme validation parameter,React Navigation linking mapping URL parameters to screen props without validation allows parameter injection and auth bypass,Validate all deep link parameters in screen components; implement auth middleware; use Universal Links over custom schemes,linking: { config: { screens: { Public: 'invite/:code' } } }; // validate code in screen; auth middleware for protected routes,linking: { config: { screens: { Payment: 'pay/:amount/:to' Settings: 'settings' } } }; // payment deep linkable without auth,M1 - Improper Platform Usage,https://reactnavigation.org/docs/deep-linking
+Platform,React Native Screenshot Prevention,React Native,Medium,react native screenshot prevention screen capture recording flag_secure ios blur banking sensitive,React Native has no built-in screenshot prevention; sensitive screens capturable via screenshots and screen recording,Android: FLAG_SECURE via native module; iOS: blur overlay in applicationWillResignActive; use react-native-prevent-screenshot,Android: getWindow().setFlags(FLAG_SECURE); RN: import { disableScreenCapture } from 'react-native-prevent-screenshot',No screenshot protection; account balances visible in task switcher; screen recording captures OTP codes,M2 - Insecure Data Storage,
+Code,React Native Root Jailbreak Detection,React Native,High,react native root jailbreak detection jail-monkey rooted compromised device magisk cydia frida hook,React Native apps on rooted/jailbroken devices face runtime manipulation via Frida and SSL pinning bypass,Use jail-monkey with multiple detection signals; check isJailBroken canMockLocation hookDetected isDebuggedMode; server-side verification,if (JailMonkey.isJailBroken() || JailMonkey.hookDetected() || JailMonkey.isDebuggedMode()) { showSecurityWarning(); restrictFeatures() },No device integrity checks; banking app on rooted Magisk device; Frida freely hooks JS bridge calls,M8 - Code Tampering,https://github.com/nicuorN5/jail-monkey
+Code,React Native Environment Variables Exposure,React Native,High,react-native-config dotenv environment variable api key secret .env bundle metro javascript embedded,react-native-config injects .env values into JS bundle where they are readable in Hermes bytecode or extracted from APK,Use react-native-config only for non-sensitive config; never store API secrets in .env; proxy sensitive calls through backend; gitignore .env files,.env.production: API_BASE_URL=https://api.myapp.com; ENV=production; // secrets server-side; .env* in .gitignore,.env: STRIPE_SECRET_KEY=sk_live_abc123; FIREBASE_ADMIN_KEY=AIza...; // extractable from JS bundle; committed to git,M2 - Insecure Data Storage,https://github.com/luggit/react-native-config
+Logging,React Native Flipper Production Removal,React Native,High,react native flipper debug production remove network inspector layout database facebook soloader,Flipper in production exposes network traffic database contents SharedPreferences and layout tree; increases APK size and attack surface,Remove Flipper from production builds; use release variants that exclude Flipper; remove from build.gradle and MainApplication; use __DEV__ check,if (project.hasProperty('enableFlipper')) { debugImplementation('com.facebook.flipper:...') }; // or remove for RN 0.73+,implementation('com.facebook.flipper:flipper') in all build variants; Flipper inspects production data,M10 - Extraneous Functionality,https://reactnative.dev/docs/debugging
+Code,React Native Metro Bundler Security,React Native,High,react native metro bundler development server exposed port 8081 source map network hot reload remote debug,Metro bundler on port 8081 serves full JS bundle and source maps; accessible on shared network; production must never connect,Bind Metro to localhost only; disable dev mode in release; ensure __DEV__=false in production; remove source maps; disable remote debugging,metro.config.js: server: { port: 8081 host: '127.0.0.1' }; release: __DEV__=false; no source maps; no remote debug,Metro on 0.0.0.0:8081; source maps in APK; __DEV__ checks bypassed in production,M10 - Extraneous Functionality,https://metrobundler.dev/
+Supply Chain,React Native Expo Security,React Native,High,react native expo eas update ota managed workflow secure store expo-crypto third party sdk permissions,Expo managed workflow abstracts native code reducing security control; expo-updates pushes JS OTA without review; expo-secure-store varies from react-native-keychain,Use expo-secure-store with WHEN_UNLOCKED_THIS_DEVICE_ONLY; enable EAS Update code signing; audit SDK permissions; eject for apps requiring native security modules,SecureStore.setItemAsync('token' jwt { keychainAccessible: WHEN_UNLOCKED_THIS_DEVICE_ONLY }); EAS Update with code signing,SecureStore.setItemAsync('token' jwt); // default accessibility; no EAS code signing; managed workflow for banking app,M8 - Code Tampering,https://docs.expo.dev/guides/overview/
+Code,React Native JSI Memory Access Risks,React Native,Medium,react native reanimated jsi javascript interface direct memory native host objects turbomodules c++ unsafe pointer,JSI provides direct C++ memory access from JavaScript bypassing bridge; malicious JS could exploit JSI bindings for memory access,Audit all JSI host object bindings; validate inputs in C++ host functions; avoid exposing filesystem or crypto via JSI without authorization,jsi::Value secureRead(runtime key) { if (!isAllowedKey(key)) throw jsi::JSError('Unauthorized'); return readSecure(key); },jsi::Value readFile(runtime path) { return readFileContents(path); } // arbitrary file read from JS,M7 - Client Code Quality,https://docs.swmansion.com/react-native-reanimated/
+Data Storage,React Native Clipboard Security,React Native,Medium,react native clipboard copy paste sensitive password otp token @react-native-clipboard/clipboard secure input,Clipboard.setString() places sensitive data on system clipboard accessible to all apps; persists indefinitely,Auto-clear clipboard after timeout; use secureTextEntry for passwords; provide custom copy with 30-second expiry,const copyOTP = async (otp) => { await Clipboard.setString(otp); setTimeout(() => Clipboard.setString('') 30000); },Clipboard.setString(authToken); // token on clipboard forever; <TextInput value={password} /> // no secureTextEntry,M2 - Insecure Data Storage,https://github.com/react-native-clipboard/clipboard
+Network,React Native Secure Network Configuration,React Native,High,react native network fetch interceptor axios authorization header logging sensitive production debug configuration,Axios interceptors logging full request/response with tokens persist in production; missing network_security_config and ATS review,Conditionally add logging with __DEV__; configure Android network_security_config; audit iOS ATS exceptions; redact auth headers,if (__DEV__) { axios.interceptors.request.use(req => { console.log(req.url); return req; }); }; // cleartextTrafficPermitted=false,axios.interceptors.request.use(req => { console.log(JSON.stringify(req)); }); // logs auth headers in production,M3 - Insecure Communication,https://reactnative.dev/docs/network
+Platform,React Native Background State Security,React Native,Medium,react native background appstate blur overlay task switcher sensitive screen ios android lifecycle snapshot,React Native app in background shows sensitive content in task switcher to anyone with physical device access,Listen to AppState changes; show blur overlay on background/inactive; FLAG_SECURE on Android; react-native-privacy-snapshot,AppState.addEventListener('change' state => { if (state === 'background') setShowOverlay(true); else setShowOverlay(false); }),No AppState handling; banking screen with account balance visible in task switcher,M2 - Insecure Data Storage,https://reactnative.dev/docs/appstate
+Security Testing,MobSF Automated Security Analysis,All,High,mobsf mobile security framework automated analysis static dynamic apk ipa vulnerability scanner,No automated security analysis of mobile binaries; vulnerabilities found only in manual review or production incidents,Run MobSF static analysis on APK/IPA in CI pipeline; fix critical/high findings before release; track findings over time,MobSF CI: mobsf-cli --scan apk --threshold high; zero critical findings; weekly dynamic analysis on staging,No automated security scanning; ship APK without any binary analysis; vulnerabilities discovered by attackers,M7 - Client Code Quality,https://github.com/MobSF/Mobile-Security-Framework-MobSF
+Security Testing,Objection Runtime Exploration,All,High,objection runtime exploration frida mobile security testing hooking patching bypass ssl pinning ios android,Mobile app not tested for runtime manipulation resistance; attackers can use Objection to bypass security controls,Test app with Objection to verify: SSL pinning holds; root detection works; encryption is proper; implement counter-measures,Objection testing validates: SSL pinning resists bypass; root detection triggers; RASP detects Frida; encryption keys in Keystore,App fully exploitable via Objection; SSL pinning bypassed; root detection disabled; encryption keys extracted from memory,M8 - Code Tampering,https://github.com/sensepost/objection
+Security Testing,QARK Android Security Analysis,Android,High,qark quick android review kit static analysis vulnerability exported component permissions manifest,Android app not tested with static analysis tools for common vulnerabilities like exported components and permissions,Run QARK analysis on APK; review exported components; check permissions; identify hardcoded credentials; fix findings,QARK scan: zero critical findings; all exported components reviewed; permissions minimized; no hardcoded credentials,No static analysis; exported activities with sensitive data; excessive permissions; hardcoded API keys,M7 - Client Code Quality,https://github.com/linkedin/qark
+Security Testing,Drozer Android Security Testing,Android,High,drozer android security testing framework ipc content provider activity service broadcast exploit,Android IPC components (Activities Services ContentProviders BroadcastReceivers) not tested for security vulnerabilities,Use Drozer to enumerate attack surface; test exported components; check content provider SQL injection; verify permission enforcement,Drozer: run app.package.attacksurface; run app.provider.query; verify no SQL injection; permissions enforced on all exports,No IPC security testing; content provider allows SQL injection; exported activities handle sensitive data without permissions,M1 - Improper Platform Usage,https://github.com/WithSecureLabs/drozer
+Security Testing,Burp Suite Mobile Traffic Interception,All,High,burp suite mobile proxy traffic interception api testing certificate android ios mitm pentest,Mobile API communication not tested for MITM vulnerabilities; no verification that pinning and encryption work correctly,Configure Burp proxy for mobile testing; verify SSL pinning blocks interception; test API auth; check for sensitive data in traffic,Burp testing: SSL pinning blocks proxy; tokens in Authorization header only; no PII in URLs; HSTS enforced,No interception testing; tokens in URL params; PII in GET parameters; SSL pinning absent; API accepts replayed requests,M3 - Insecure Communication,https://portswigger.net/burp/documentation/desktop/mobile
+Security Testing,OWASP ZAP Mobile API Testing,All,High,owasp zap zaproxy mobile api testing automated scanner vulnerability injection authentication,Mobile backend APIs not tested with automated security scanners for injection authentication and configuration flaws,Configure OWASP ZAP as proxy; run automated scan against API endpoints; test auth flows; fix findings in CI/CD,ZAP automated scan in CI against staging; zero high/critical findings; authentication tested; injection scanner passes,No automated API security testing; SQL injection in API; broken authentication; CORS misconfigured,M3 - Insecure Communication,https://www.zaproxy.org/docs/docker/api-scan/
+Security Testing,APKTool Reverse Engineering Resistance,Android,High,apktool reverse engineering decompile smali resources apk decode repackage tamper detection resistance,APK not tested against reverse engineering; app logic and resources trivially extractable and repackageable with APKTool,Test APK with APKTool to verify obfuscation effectiveness; ensure resources protected; verify anti-tamper and repackaging detection,APKTool decode shows obfuscated classes; encrypted strings; resource obfuscation; app detects repackaged APK,APKTool reveals all class names; readable strings with API keys; repackaged APK runs normally,M9 - Reverse Engineering,https://apktool.org/
+Security Testing,Binary Analysis Protection Ghidra,All,High,ghidra ida binary analysis reverse engineering native code so library disassembly decompile protection,Native libraries not tested against binary analysis tools; algorithms and keys extractable via disassembly,Test native code with Ghidra/IDA; verify control flow obfuscation; symbol stripping; anti-disassembly; string encryption,Ghidra: obfuscated control flow; no readable symbols; encrypted strings; anti-debug traps; opaque predicates,Native .so fully decompilable; function names readable; API keys as plain strings; no anti-disassembly,M9 - Reverse Engineering,https://ghidra-sre.org/
+AI Security,Unencrypted ML Model Assets,All,High,ml model encryption tflite coreml onnx on-device ai model theft intellectual property protection asset,TFLite CoreML or ONNX models shipped as plaintext assets in APK/IPA allowing extraction and theft of proprietary AI models,Encrypt model files at rest; decrypt into memory at runtime; use hardware-backed keys; verify model integrity before loading,Model encrypted AES-256-GCM; key from Keystore; decrypted to memory-mapped buffer; SHA-256 integrity verified; cleared after use,model.tflite as plaintext asset in APK; extractable with unzip; no integrity verification; proprietary model freely copyable,M2 - Insecure Data Storage,https://www.tensorflow.org/lite/guide/inference
+AI Security,ML Model Inference Data Leakage,All,High,ml model inference privacy data leakage membership inference model inversion side channel prediction,On-device ML model leaking training data through inference outputs via membership inference or model inversion attacks,Apply differential privacy to outputs; limit confidence scores; use output perturbation; restrict inference API access,Model outputs rounded to 2 decimals; no raw logits exposed; differential privacy noise added; rate-limited inference,Raw model logits and confidence scores exposed; unlimited inference calls; training data recoverable via inversion,M2 - Insecure Data Storage,
+AI Security,Adversarial ML Input Attacks,All,High,adversarial input attack ml model evasion perturbation robustness validation on-device ai classification,On-device ML model vulnerable to adversarial inputs crafted to cause misclassification or bypass security controls,Validate input bounds and distribution; implement preprocessing and anomaly detection; use adversarial training; ensemble verification,Input validated against expected distribution; preprocessing normalizes; ensemble cross-validates; anomaly score rejects adversarial,Raw input fed directly to model; single model for security classification; no input validation,M4 - Insufficient Input/Output Validation,https://atlas.mitre.org/techniques/AML.T0043
+AI Security,Mobile AI Prompt Injection Prevention,All,Critical,prompt injection ai llm mobile app chatbot manipulation jailbreak system prompt extraction guardrails,Mobile apps with AI chatbot features vulnerable to prompt injection system prompt extraction and jailbreaking via user input,Sanitize user input before LLM; use guardrails and output filtering; separate system/user prompts; implement content moderation; no secrets in prompts,Input sanitization layer; output guardrails; system prompt isolated; no secrets in prompts; content moderation before display,User input concatenated into LLM prompt; system prompt with API keys; no output filtering; raw LLM output displayed,M4 - Insufficient Input/Output Validation,https://owasp.org/www-project-top-10-for-large-language-model-applications/
+AI Security,Federated Learning Data Exposure,All,High,federated learning privacy gradient leakage model update aggregation differential privacy mobile training,Federated learning leaking user data through gradient updates; model poisoning via compromised devices,Apply secure aggregation; add differential privacy to gradients; verify model updates; clip gradients; Byzantine-fault-tolerant aggregation,Secure aggregation with differential privacy epsilon<1; gradient clipping; server validates norms; Byzantine-tolerant aggregation,Raw gradient updates sent to server; no differential privacy; no clipping; any device pushes arbitrary updates,M3 - Insecure Communication,
+AI Security,ML Model Integrity Verification,All,Critical,ml model integrity verification checksum signature tamper detection hash on-device ai validation replacement,On-device ML model replaced or tampered to produce malicious predictions bypassing content filters or fraud detection,Sign models with developer key; verify signature before loading; store hash in secure storage; detect modifications at runtime,Model signed Ed25519; signature verified from Keystore public key; SHA-256 hash checked; tampered model rejected,Model loaded without integrity check; attacker replaces model.tflite in repackaged APK; fraud detection bypassed,M8 - Code Tampering,
+Architecture,Zero-Trust Architecture for Mobile,All,Critical,zero trust architecture mobile never trust always verify least privilege micro-perimeter continuous validation,Mobile app implicitly trusts network or device state granting full access after initial authentication without continuous verification,Verify every request; least-privilege access; continuous device posture assessment; micro-segmented API access; short-lived tokens; mutual TLS,Every API call verified with short-lived token + device attestation + risk score; least-privilege scopes; mTLS; continuous posture check,Single login grants full API access; long-lived token; no device verification; network-based trust,M4 - Insecure Authentication,https://www.nist.gov/publications/zero-trust-architecture
+Architecture,Mutual Authentication Patterns,All,High,mutual authentication mtls client certificate two-way tls bidirectional identity verification device,Server authenticates to client via TLS but client identity not verified; any HTTP client can call APIs pretending to be the app,Implement mutual TLS with client certificates per-device; rotate certificates; validate client cert chain server-side; combine with attestation,Client cert from Keystore; mTLS handshake; server validates client cert chain + app attestation; cert rotation every 90 days,Server-only TLS; any HTTP client (curl Postman) calls all APIs; no client identity beyond bearer token,M3 - Insecure Communication,https://developer.android.com/privacy-and-security/security-ssl
+Architecture,Device Trust Assessment,All,High,device trust assessment posture integrity rooted jailbroken emulator compromised risk scoring attestation,App does not assess device trust level allowing access from rooted jailbroken or emulated devices without restrictions,Implement device trust scoring: check root/jailbreak emulator debugger hooking frameworks OS version patch level; use Play Integrity/App Attest,Device trust score from root + emulator + debugger + patch level + integrity API; high-risk devices restricted; server validates,No device assessment; banking app functional on rooted emulator with Frida and outdated OS,M1 - Improper Platform Usage,https://developer.android.com/google/play/integrity
+Architecture,Continuous Authentication Behavioral,All,Medium,continuous authentication behavioral biometrics typing pattern gait touch gesture session verification risk adaptive,User authenticated once at login; no continuous verification; stolen device with active session grants full access,Implement continuous auth using behavioral biometrics (typing touch navigation); step-up auth on anomaly detection,Behavioral model tracks touch patterns; anomaly triggers step-up biometric auth; session risk score continuously updated,Single login for entire session; no behavioral analysis; stolen device with active session gives full access for hours,M4 - Insecure Authentication,https://pages.nist.gov/800-63-4/sp800-63b.html
+Architecture,Micro-Segmentation of Mobile Data,All,High,micro-segmentation data isolation compartmentalization least privilege access control mobile architecture module,Mobile app treats all data with same access level; compromise of one feature exposes all user data and functionality,Segment data by sensitivity; isolate storage per feature; use separate encryption keys per data class; enforce access boundaries,Separate encrypted storage per module (auth payments profile); different Keystore keys per data class; module boundaries enforced,Single SharedPreferences for all data; one encryption key; any module accesses payment data; flat access architecture,M2 - Insecure Data Storage,https://developer.android.com/topic/modularization
+Architecture,Defense in Depth Mobile Architecture,All,High,defense in depth layered security multiple barriers mobile architecture redundant controls fail-safe,Mobile app relies on single security control; bypass of one mechanism grants full access to sensitive functionality,Implement multiple independent security layers: network + pinning + attestation + obfuscation + RASP + encrypted storage + server validation,7+ independent layers: TLS + cert pinning + mTLS + RASP + obfuscation + encrypted storage + server validation,Security depends solely on SSL pinning; bypass with Frida grants full API access; no additional layers,M8 - Security Misconfiguration,https://owasp.org/www-project-mobile-app-security/
+Compliance,OWASP MASVS v2 Verification,All,High,owasp masvs v2 mobile application security verification standard baseline resilience privacy storage crypto auth,No systematic mobile security verification against OWASP MASVS v2 categories MASVS-STORAGE CRYPTO AUTH NETWORK PLATFORM CODE RESILIENCE PRIVACY,Map all security controls to MASVS v2; use MAS Testing Guide for verification; L1 baseline for all apps; L2 for high-risk; R for resilience,MASVS v2 compliance matrix; all 8 categories verified; L2 for banking; MASTG test cases executed per release,No MASVS mapping; ad-hoc security controls; no verification standard; security gaps unknown until exploited,M8 - Security Misconfiguration,https://mas.owasp.org/MASVS/
+Compliance,HIPAA Mobile Health Compliance,All,Critical,hipaa mobile health phi ehr encryption access control audit trail breach notification healthcare protected,Mobile health apps handling PHI not meeting HIPAA Security Rule requirements for encryption access control and audit logging,Encrypt all PHI at rest (AES-256) and in transit (TLS 1.3); implement RBAC; maintain audit trails; session timeout; BAA with cloud providers,PHI encrypted AES-256-GCM; TLS 1.3; RBAC; full audit log; 5-min timeout; BAA with AWS/GCP; annual risk assessment,PHI in plaintext SharedPreferences; no audit logging; no session timeout; no BAA; no breach notification procedure,M2 - Insecure Data Storage,https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
+Compliance,SOC 2 Mobile Requirements,All,High,soc 2 type ii trust service criteria mobile security availability processing integrity confidentiality privacy,Mobile app development and operations not meeting SOC 2 Trust Service Criteria,Implement controls for access change management incident response encryption monitoring vendor management; document evidence,Access controls documented; PR reviews; incident response plan; encryption at rest/transit; monitoring; vendor reviews,No access documentation; direct commits to main; no incident response; plaintext data; no monitoring; unvetted SDKs,M8 - Security Misconfiguration,
+Compliance,NIST Mobile Security Guidelines,All,High,nist sp 800-163 800-124 mobile security vetting guidelines enterprise device management threat assessment,Mobile app not following NIST SP 800-163 (mobile app vetting) or SP 800-124 (mobile device management) guidelines,Follow NIST SP 800-163 for app vetting; implement SP 800-124 device management; use SP 800-157 for mobile PIV,App vetted per NIST 800-163; device management per 800-124; PIV-based auth per 800-157; assessment documented,No structured vetting; no device management policy; no NIST mapping; security assessment ad-hoc or absent,M8 - Security Misconfiguration,https://csrc.nist.gov/publications/detail/sp/800-163/rev-1/final
+Compliance,ISO 27001 Mobile Controls,All,High,iso 27001 27002 annex a mobile security controls information security management isms development,Mobile development not aligned with ISO 27001 Annex A controls for secure development access control and cryptography,Map mobile security to ISO 27001 Annex A; secure SDLC per A.14; access control A.9; crypto A.10; maintain ISMS documentation,ISMS includes mobile; secure SDLC; access control policy; crypto documented; regular internal audits; nonconformity tracking,Mobile development outside ISMS; no secure SDLC; no access control policy; crypto not documented; no audit trail,M8 - Security Misconfiguration,https://www.iso.org/standard/27001
+Compliance,GDPR Mobile Data Handling,All,Critical,gdpr mobile data protection privacy consent right erasure data portability dpia breach notification processing,Mobile app processing EU user data without GDPR compliance; no lawful basis missing consent no data deletion or portability,Implement lawful basis; granular consent; right to erasure; data portability export; DPIA for high-risk; 72h breach notification,Granular consent per purpose; delete all data on request; export in JSON; DPIA documented; 72h breach notification; DPO designated,Pre-checked consent; no deletion mechanism; no export; no DPIA; no breach notification; data retained indefinitely,M6 - Privacy Violation,https://gdpr.eu/
+Threat Modeling,STRIDE Threat Model for Mobile,All,High,stride threat model spoofing tampering repudiation information disclosure denial elevation mobile security,Mobile app developed without structured threat modeling; security risks identified reactively after incidents,Apply STRIDE: Spoofing (auth bypass) Tampering (code mod) Repudiation (no audit) Information Disclosure (leaks) DoS (resource abuse) Elevation (privilege),STRIDE analysis per feature; threat matrix maintained; mitigations mapped; reviewed quarterly; updated with features,No threat model; security risks discovered only through incidents or pen tests; reactive approach,M8 - Security Misconfiguration,https://owasp.org/www-community/Threat_Modeling
+Threat Modeling,Attack Surface Mapping Mobile,All,High,attack surface mapping mobile entry point ipc deep link api webview bluetooth nfc exported component,Mobile app attack surface not cataloged; unknown exposed entry points create unmonitored risk,Catalog all entry points: exported components deep links APIs WebViews BLE/NFC intent filters content providers JS bridges,Attack surface inventory 30+ entry points; each reviewed for input validation authorization; updated per release,No attack surface inventory; unknown exported components; unreviewed deep links; forgotten debug endpoints,M1 - Improper Platform Usage,https://owasp.org/www-project-attack-surface-detector/
+Threat Modeling,Data Flow Security Analysis,All,High,data flow diagram dfd threat analysis sensitive data transit storage processing trust boundary mobile,Sensitive data flows not mapped; data crosses trust boundaries without encryption validation or access controls,Create DFDs for sensitive data; identify trust boundaries; ensure encryption at every crossing; validate at each stage; classify sensitivity,DFD documents all PII/financial flows; trust boundaries identified; encryption at every boundary; data classified per release,No data flow analysis; PII crosses trust boundaries unencrypted; no data classification scheme,M2 - Insecure Data Storage,https://owasp.org/www-community/Threat_Modeling_Process
+Threat Modeling,Third-Party SDK Risk Assessment,All,Critical,third party risk assessment sdk library supply chain vetting permissions data collection privacy policy cve,Third-party SDKs integrated without security risk assessment; unknown data collection excessive permissions potential supply chain compromise,Assess each SDK: review permissions data collection privacy policy update frequency CVEs; conduct binary analysis; monitor behavior,SDK risk matrix scores each library; permissions audited; data collection reviewed; CVE monitoring; quarterly re-assessment,SDKs added based on feature only; no permission review; unknown data collection; outdated versions with CVEs,M6 - Insufficient Supply Chain Security,https://owasp.org/www-project-software-component-verification-standard/
+Threat Modeling,Mobile-Specific Threat Vectors,All,High,mobile threat vector side channel physical access shoulder surfing juice jacking evil twin stolen device sim swap,Mobile-specific threats not addressed: side-channel attacks physical access shoulder surfing juice jacking evil twin WiFi SIM swap,FLAG_SECURE against shoulder surfing; USB charging detection; WiFi validation; SIM-independent auth; remote wipe; biometric liveness,FLAG_SECURE on sensitive screens; USB charging warns user; WiFi validated; auth not SIM-dependent; remote wipe; liveness detection,Sensitive data visible; no USB awareness; auto-connects any WiFi; SMS-only 2FA vulnerable to SIM swap; no remote wipe,M1 - Improper Platform Usage,https://owasp.org/www-project-mobile-top-10/
+Platform,Android 14 Foreground Service Type Restrictions,Android,High,android 14 foreground service type dataSync camera location mediaPlayback health connectedDevice restriction,Android 14 requires explicit foreground service type declaration; using wrong type or missing declaration causes SecurityException,Declare correct foregroundServiceType in manifest; request associated runtime permissions; use appropriate type per service purpose,android:foregroundServiceType='location|camera' with FOREGROUND_SERVICE_LOCATION permission; type matches actual service work,No foregroundServiceType declared; app crashes on Android 14; or uses dataSync for location tracking,M1 - Improper Platform Usage,https://developer.android.com/about/versions/14/changes/fgs-types-required
+Platform,Android 14 Runtime Receiver Export,Android,Medium,android 14 runtime receiver RECEIVER_EXPORTED RECEIVER_NOT_EXPORTED registerReceiver context broadcast,Android 14 requires explicit export flag for dynamically registered BroadcastReceivers; missing flag causes SecurityException,Pass RECEIVER_NOT_EXPORTED for internal receivers; RECEIVER_EXPORTED only when other apps must send broadcasts; always validate sender,context.registerReceiver(receiver filter Context.RECEIVER_NOT_EXPORTED) // internal only,context.registerReceiver(receiver filter) // no flag; SecurityException on Android 14; or defaults to exported,M1 - Improper Platform Usage,https://developer.android.com/about/versions/14/behavior-changes-14
+Privacy,Android 14 Partial Photo Access,Android,Medium,android 14 partial photo access READ_MEDIA_VISUAL_USER_SELECTED photo picker granular permission media,Android 14 allows users to grant access to selected photos only; apps assuming full access break when user selects partial,Handle READ_MEDIA_VISUAL_USER_SELECTED permission; re-request access when needed; prefer Photo Picker; graceful partial access UI,Check READ_MEDIA_VISUAL_USER_SELECTED; show re-request UI; ActivityResultContracts.PickVisualMedia() preferred,Assume READ_MEDIA_IMAGES grants full access; app shows empty gallery when user selected partial access,M6 - Privacy Violation,https://developer.android.com/about/versions/14/changes/partial-photo-video-access
+Code,SafetyNet to Play Integrity Migration,Android,Critical,safetynet play integrity api migration attestation device verdict app integrity deprecated google standard classic,SafetyNet Attestation API deprecated and being shut down; apps still using SafetyNet will lose integrity verification,Migrate to Play Integrity API; use Standard requests for frequent checks Classic for high-value; validate tokens server-side; tiered enforcement,IntegrityManagerFactory.create(context); IntegrityTokenRequest.builder().setNonce(serverNonce); sendTokenToServer(token) // validate server-side,SafetyNet.getClient(context).attest(nonce apiKey) // deprecated; will stop working; client-side validation,M1 - Improper Platform Usage,https://developer.android.com/google/play/integrity/overview
+Authentication,Credential Manager Conditional UI,Android,High,credential manager conditional ui hybrid passkey password federated bottom sheet getCredential createCredential flow,Poor Credential Manager implementation leads to confusing UX missed passkey adoption or fallback to insecure methods,Implement conditional GetCredentialRequest for inline suggestions; support hybrid cross-device passkey; prioritize passkey over password,GetCredentialRequest(listOf(GetPasskeyOption(challenge) GetPasswordOption() GetGoogleIdOption(clientId))); unified bottom sheet,Custom password-only login; separate Google button; no passkey support; no cross-device auth; manual credential storage,M4 - Insecure Authentication,https://developer.android.com/identity/sign-in/credential-manager
+Authentication,Android Protected Confirmation API,Android,High,android protected confirmation api transaction signing hardware TEE payment confirmation ConfirmationPrompt,Sensitive transactions confirmed through standard UI dialogs that malware can manipulate or auto-dismiss,Use ConfirmationPrompt with hardware TEE; generate signing keys with setUserConfirmationRequired; verify signed CBOR server-side,ConfirmationPrompt.Builder(context).setPromptText('Send $500?').setExtraData(nonce).build().presentPrompt(executor callback),AlertDialog.Builder(context).setMessage('Confirm?').setPositiveButton('OK') { sendPayment() } // spoofable by overlay,M4 - Insecure Authentication,https://developer.android.com/privacy-and-security/security-android-protected-confirmation
+Platform,Android Companion Device Manager Security,Android,Medium,companion device manager cdm pairing bluetooth ble wifi wearos association profile permission,CompanionDeviceManager misuse exposes device discovery grants excessive profiles or fails to revoke associations,Use specific AssociationRequest filters; request only needed CompanionDeviceProfile; revoke with disassociate() on unpair; validate device identity,AssociationRequest.Builder().addDeviceFilter(BluetoothLeDeviceFilter.Builder().setNamePattern('MyDevice.*')).setSingleDevice(true),Request BLUETOOTH_SCAN + BLUETOOTH_CONNECT + ACCESS_FINE_LOCATION; never revoke association; no identity validation,M1 - Improper Platform Usage,https://developer.android.com/develop/connectivity/companion-device-pairing
+Cryptography,Jetpack Security Crypto Library,Android,High,jetpack security crypto library masterkey encryptedsharedpreferences encryptedfile aes256 keystore androidx tink,Custom encryption wrappers with incorrect key management weak algorithms or plaintext key storage,Use MasterKey with AES256_GCM; EncryptedSharedPreferences for key-value; EncryptedFile for files; never extract keys from Keystore,MasterKey.Builder(context).setKeyScheme(AES256_GCM); EncryptedSharedPreferences.create(context 'secret_prefs' masterKey SIV GCM),val key = 'mysecretkey12345'.toByteArray(); Cipher.getInstance('AES') // key in code; no keystore; weak mode,M5 - Insufficient Cryptography,https://developer.android.com/reference/androidx/security/crypto/package-summary
+Platform,ContentResolver URI Path Traversal,Android,High,contentresolver openinputstream uri validation path traversal content provider file read security,ContentResolver.openInputStream() with untrusted URIs exploited for path traversal reading arbitrary files,Validate URI scheme (only content://); canonicalize paths reject '..'; check MIME type; never pass user-controlled URIs directly,require(uri.scheme == 'content'); val type = contentResolver.getType(uri); require(type?.startsWith('image/') == true),contentResolver.openInputStream(intent.data!!) // no scheme check; no type validation; accepts file:// URIs,M1 - Improper Platform Usage,https://developer.android.com/privacy-and-security/security-tips#ContentProviders
+Authentication,AccountManager Security Deprecation,Android,High,accountmanager deprecated credential manager migration token auth authenticator password storage,AccountManager stores credentials accessible to apps with authenticator key; on rooted devices tokens extractable; API deprecated,Migrate to Credential Manager; use checkSignatures() during migration; store tokens in EncryptedSharedPreferences or Keystore,CredentialManager.create(context) replaces AccountManager; credentialManager.getCredential(context request),AccountManager.get(context).addAccountExplicitly(account password null); am.getPassword(account) // plaintext; deprecated,M4 - Insecure Authentication,https://developer.android.com/identity/sign-in/credential-manager
+Deep Link,Android App Links Verification Edge Cases,Android,High,app links verification digital asset links assetlinks.json domain https autoVerify subdomain edge case redirect,App Links verification edge cases: subdomains need separate verification; CDN redirects break verification; cert changes invalidate links,Host assetlinks.json on every domain/subdomain; ensure 200 response (not redirect); update on signing key change; test with adb pm verify-app-links,autoVerify='true'; assetlinks.json on example.com AND sub.example.com; no redirects; valid cert fingerprint,autoVerify='true' but assetlinks.json returns 301; subdomain not verified; signing key rotated without updating assetlinks,M1 - Improper Platform Usage,https://developer.android.com/training/app-links/verify-android-applinks
+Supply Chain,Gradle Build Cache Poisoning,Android,High,gradle build scan cache poisoning remote build cache task output manipulation supply chain ci cd,Remote build cache exploited through cache poisoning injecting tainted task outputs into shared cache entries,Use authenticated HTTPS for cache; restrict write to CI only; enable cache verification; rotate keys; isolate caches per branch,buildCache { remote(HttpBuildCache) { url='https://cache.internal/'; isPush=CI; credentials from secrets } } // write from CI only,buildCache { remote { url='http://shared:5071/'; isPush=true; isAllowUntrustedServer=true } } // HTTP; everyone pushes,M6 - Insufficient Supply Chain Security,https://docs.gradle.org/current/userguide/build_cache.html
+Supply Chain,AGP Security Features Not Enabled,Android,High,agp android gradle plugin security r8 full mode lint baseline dependency verification signing config resource shrink,Android Gradle Plugin security features left unconfigured: R8 full mode lint checks dependency verification resource shrinking,Enable R8 full mode; configure lint abortOnError; enable dependency verification; separate signing from build.gradle; enable shrinkResources,android { buildTypes { release { isMinifyEnabled=true; isShrinkResources=true } }; lint { abortOnError=true; checkDependencies=true } },isMinifyEnabled=false; lint { abortOnError=false } // no obfuscation; lint warnings ignored; no resource shrinking,M7 - Client Code Quality,https://developer.android.com/build
+Supply Chain,Insecure Android CI/CD Pipeline,Android,Critical,ci cd pipeline security github actions bitrise signing keystore secrets environment variable artifact pinning,CI/CD pipelines expose signing keystores log sensitive variables use outdated actions and cache dependencies without verification,Store keystore as CI secret; pin GitHub Actions to commit SHA; enable artifact signing; use dependency locking in CI; scan for leaked secrets,uses: actions/checkout@a5ac7e51b; KEYSTORE from secrets.KEYSTORE_BASE64; permissions: { contents: read } // pinned; minimal,uses: actions/checkout@v4; keystore in repo; no secret management; excessive permissions // unpinned; insecure,M6 - Insufficient Supply Chain Security,https://docs.github.com/en/actions/security-for-github-actions
+Code,Android Native Memory Safety,Android,High,memory safety rust aosp native code buffer overflow use-after-free ndk c++ asan hwasan fuzzing,Over 70% of Android security vulnerabilities from memory safety issues in C/C++ code (buffer overflows use-after-free),Use Rust for new native components; enable HWASan in debug builds; use ASan for testing; adopt smart pointers; run fuzzing on native libs,cmake: -DCMAKE_CXX_FLAGS=-fsanitize=address; Or Rust NDK: #[no_mangle] pub extern 'C' fn Java_NativeLib_process(),char buffer[256]; strcpy(buffer userInput); // buffer overflow; free(ptr); ptr->field; // use-after-free; no sanitizer,M7 - Client Code Quality,https://security.googleblog.com/2024/09/eliminating-memory-safety-vulnerabilities-Android.html
+Platform,Android SELinux Context for Apps,Android,Medium,selinux android app context untrusted_app policy mac mandatory access control sandbox neverallow,Android SELinux in untrusted_app domain silently denies access outside policy; developers unaware see mysterious failures,Test on enforcing-mode devices; check logcat for avc: denied; use Android APIs instead of direct file/socket access,Use contentResolver.query(); MediaStore; NetworkSecurityConfig; check logcat for avc: denied in testing,File('/proc/net/tcp').readText() // SELinux denied; Runtime.exec('ls /data/data/other.app') // sandbox violation,M1 - Improper Platform Usage,https://source.android.com/docs/security/features/selinux
+Platform,Foreground Service Notification Data Leak,Android,Medium,foreground service notification sensitive data visible lockscreen persistent ongoing content exposure,Foreground service notification with sensitive information visible on lock screen and to screen recording,Use VISIBILITY_SECRET or VISIBILITY_PRIVATE; show minimal content; use setPublicVersion() for redacted lock screen version,NotificationCompat.Builder(ctx channel).setContentTitle('Syncing...').setVisibility(VISIBILITY_PRIVATE).setPublicVersion(redacted),NotificationCompat.Builder(ctx channel).setContentTitle('Transferring $5000 to 4532').setVisibility(VISIBILITY_PUBLIC),M2 - Insecure Data Storage,https://developer.android.com/develop/background-work/services/foreground-services
+Data Storage,MediaStore Unauthorized Data Access,Android,High,mediastore scoped storage external media images video audio owner package privacy query column,MediaStore queries expose other apps media metadata; legacy storage mode bypasses scoped storage protections,Use Scoped Storage; query only necessary columns; prefer Photo Picker; avoid MANAGE_EXTERNAL_STORAGE; handle OWNER_PACKAGE_NAME redaction,val projection = arrayOf(_ID DISPLAY_NAME); contentResolver.query(EXTERNAL_CONTENT_URI projection) // minimal columns,requestLegacyExternalStorage=true; Environment.getExternalStorageDirectory().listFiles() // bypasses scoped storage,M6 - Privacy Violation,https://developer.android.com/training/data-storage/shared/media
+Data Storage,Insecure Download Manager Usage,Android,High,downloadmanager download security http https destination external public directory integrity verification,DownloadManager downloads to public external storage by default over potentially cleartext HTTP without integrity verification,Use HTTPS URIs; setDestinationInExternalFilesDir; verify SHA-256 after download; process immediately and move to internal storage,Request(Uri.parse('https://...')).setDestinationInExternalFilesDir(context DIRECTORY_DOWNLOADS 'file'); verify SHA-256 after download,Request(Uri.parse('http://...')).setDestinationInExternalPublicDir(DOWNLOADS 'file') // HTTP; public dir; no integrity check,M3 - Insecure Communication,https://developer.android.com/reference/android/app/DownloadManager
+Platform,Android Auto Automotive Security,Android,High,android auto automotive security distraction driver safety car host template messaging navigation data shared vehicle,Android Auto apps in safety-critical driving context; sensitive data on shared car screens; data persistence on rental vehicles,Use approved Car App Library templates only; never display sensitive data on car screen; clear cached data on disconnect; session timeout,CarAppService with Screen templates; clear sensitive data in onCarAppDisconnected(); session timeout on automotive,Display banking details on car screen; cache credentials on head unit; bypass template restrictions; no cleanup on disconnect,M1 - Improper Platform Usage,https://developer.android.com/training/cars
+Platform,Wear OS Data Exposure on Wrist,Android,Medium,wear os wearable security data sync companion device message api tile complication sensitive visible bluetooth,Wear OS displays sensitive data on always-visible wrist screen; data synced via Wearable Data Layer may be unencrypted at application layer,Encrypt data before DataClient sync; use ambient mode to hide sensitive content; implement shorter lock timeout; mask data in Tiles; support remote wipe,Encrypt before DataClient sync; Tile shows '****1234'; ambient mode hides data; lock timeout shorter than phone,dataClient.putDataItem('/balance' accountBalance.toByteArray()) // plaintext sync; Tile shows full balance visible to anyone,M2 - Insecure Data Storage,https://developer.android.com/training/wearables/data/data-layer
+Cryptography,Tink Cryptographic Library,Android,High,tink cryptographic library google encryption decryption aead hybrid digital signature streaming primitive,Custom cryptographic implementations with common mistakes like ECB mode wrong IV handling or missing authentication tags,Use Google Tink library with vetted primitives (AEAD Hybrid Streaming); hardware-backed key with AndroidKeysetManager; avoid custom crypto,AndroidKeysetManager.Builder().withKeyTemplate(AES256_GCM).withSharedPref(context 'keyset' 'master').build().getKeysetHandle(),Cipher.getInstance('AES/ECB/PKCS5Padding'); custom IV generation with Random(); no HMAC on ciphertext,M5 - Insufficient Cryptography,https://github.com/tink-crypto/tink-java
+Data Storage,EncryptedFile API for File Encryption,Android,High,encryptedfile jetpack security file-level encryption aes256 gcm hkdf streaming masterkey keystore,Sensitive files (PDFs documents exports) stored without encryption on device filesystem readable on rooted devices,Use EncryptedFile from Jetpack Security with MasterKey; provides AES256-GCM-HKDF streaming encryption; key stays in Keystore,EncryptedFile.Builder(context file masterKey FileEncryptionScheme.AES256_GCM_HKDF_4KB).build().openFileOutput(),FileOutputStream(file).write(sensitiveData) // plaintext file; readable with file manager on rooted device,M2 - Insecure Data Storage,https://developer.android.com/reference/androidx/security/crypto/EncryptedFile
+Platform,Android 15 File Integrity Manager,Android,High,android 15 file integrity manager fs-verity verification checksum tamper detection apk asset,No verification that app assets and files have not been tampered with after installation,Use FileIntegrityManager on Android 15+ to verify fs-verity protected files; check isApkVeritySupported; validate critical assets,FileIntegrityManager.isApkVeritySupported(); verify critical asset integrity at runtime using fs-verity checksums,No file integrity verification; attacker modifies asset files in repackaged APK without detection,M8 - Code Tampering,https://developer.android.com/about/versions/15/features
+Platform,Android 15 Private Space Enhanced,Android,Medium,android 15 private space hidden apps sensitive visibility launcher profile separate authentication,Android 15 Private Space hides apps in separate profile; apps not designed for it may break or expose data across profiles,Design for Private Space compatibility; handle separate profile data; respect notification constraints; test in Private Space mode,Graceful handling when in Private Space; separate data per profile; notifications work across spaces,App assumes single user profile; data shared across spaces; crashes when launcher hidden; notifications fail in Private Space,M1 - Improper Platform Usage,https://developer.android.com/about/versions/15/features
+Platform,Android 16 Safer Intents Enforcement,Android,Medium,android 16 safer intents enforcement strictmode null action filter matching component explicit,Android 16 enforces non-null Intent actions and stricter filter matching; apps with null actions or loose filters crash,Ensure all Intents have explicit action; match filters precisely; test on Android 16; handle StrictMode violations,Intent(context TargetActivity::class.java).setAction('com.app.ACTION') // explicit component + action,Intent() with null action; relies on implicit resolution; crashes on Android 16 strict enforcement,M1 - Improper Platform Usage,https://developer.android.com/about/versions/16/behavior-changes-16
+Network,Android TLS 1.3 Enforcement,Android,High,tls 1.3 enforcement ssl https minimum version protocol android network security config deprecated tls 1.0 1.1,Apps allowing TLS 1.0 or 1.1 connections vulnerable to known protocol attacks (POODLE BEAST); deprecated by IETF,Enforce TLS 1.3 minimum in network_security_config.xml; OkHttp ConnectionSpec.MODERN_TLS; disable SSLv3 TLS 1.0 1.1,ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS).tlsVersions(TlsVersion.TLS_1_3 TlsVersion.TLS_1_2).build(),ConnectionSpec.COMPATIBLE_TLS allows TLS 1.0; or no minimum version configured; vulnerable to protocol downgrade,M3 - Insecure Communication,https://developer.android.com/privacy-and-security/security-config
+Cryptography,iOS CryptoKit AES-GCM Encryption,iOS,High,cryptokit aes-gcm symmetric encryption sealed box nonce authenticated ios swift,Using custom or weak encryption instead of Apple CryptoKit vetted implementations,Use CryptoKit AES.GCM for symmetric encryption; provides authenticated encryption with built-in nonce management,let sealedBox = try AES.GCM.seal(data using: key); let encrypted = sealedBox.combined!,CCCrypt(kCCEncrypt kCCAlgorithmAES data.count) // CommonCrypto manual IV; no authentication tag,M5 - Insufficient Cryptography,https://developer.apple.com/documentation/cryptokit/aes/gcm
+Cryptography,iOS CryptoKit HKDF Key Derivation,iOS,High,cryptokit hkdf key derivation function password salt info symmetric key material ios,Deriving keys with weak methods like simple hashing instead of proper KDF,Use CryptoKit HKDF for key derivation with proper salt and info parameters,let derivedKey = HKDF<SHA256>.deriveKey(inputKeyMaterial: masterKey salt: salt info: info outputByteCount: 32),let key = SHA256.hash(data: password).withUnsafeBytes { Data($0) } // no salt; no KDF,M5 - Insufficient Cryptography,https://developer.apple.com/documentation/cryptokit/hkdf
+Data Storage,iOS Keychain Error Recovery,iOS,High,keychain error handling errSecItemNotFound errSecDuplicateItem recovery migration corruption restore,Ignoring Keychain errors crashes or silently fails leaving users locked out,Handle all OSStatus codes; implement retry for transient errors; recovery flow for errSecItemNotFound,switch status { case errSecSuccess: break; case errSecDuplicateItem: SecItemUpdate(query update); default: reAuthenticate() },let _ = SecItemAdd(query nil) // ignore return status; crash on duplicate,M2 - Insecure Data Storage,https://developer.apple.com/documentation/security/keychain_services
+Platform,iOS 18 Locked Hidden App Handling,iOS,Medium,ios 18 locked hidden app face id touch id passcode app visibility restriction developer,iOS 18 allows users to lock/hide apps; developers must handle restricted visibility,Design for locked/hidden state; ensure notifications work when hidden; test locked app behavior,Handle restricted state; notifications deliver silently when locked; content hidden from search,Assume app always visible; notifications expose sensitive content; crash when reopened from hidden,M1 - Improper Platform Usage,https://developer.apple.com/ios/
+Platform,iOS USB Restricted Mode Awareness,iOS,Medium,ios usb restricted mode data transfer accessory lockdown forensic prevention,USB Restricted Mode disables data after 1 hour locked; apps relying on USB must handle disconnection,Handle accessory disconnection events; inform users; design for intermittent USB connectivity,EAAccessoryManager: handle .EAAccessoryDidDisconnect notification; graceful reconnection flow,Assume permanent USB connection; no disconnection handling; crash when accessory restricted,M1 - Improper Platform Usage,https://support.apple.com/en-us/102647
+Privacy,iOS Granular Contact Access,iOS,High,ios 18 contacts granular access limited full selected contacts privacy CNContactStore authorization,iOS 18 allows users to share only selected contacts; apps assuming full access show incomplete data,Handle limited contact access; request only needed properties; re-prompt when contacts insufficient,CNContactStore requestAccess; handle .limited authorization; prompt user to share more if needed,Assume full contact access after grant; show empty state when limited; request all fields,M6 - Privacy Violation,https://developer.apple.com/documentation/contacts
+Platform,iOS Managed App Configuration MDM,iOS,Medium,ios mdm managed app configuration UserDefaults managed appconfig enterprise provisioning,MDM config in UserDefaults accessible to app; sensitive enterprise config exposed if compromised,Read managed config; encrypt sensitive managed values; validate config integrity on load,UserDefaults dictionary(forKey: 'com.apple.configuration.managed'); validate; encrypt sensitive values,Store enterprise API keys in managed config without encryption; trust all managed values,M2 - Insecure Data Storage,https://developer.apple.com/documentation/devicemanagement
+Platform,iOS App Clips Security Constraints,iOS,Medium,ios app clips nfc qr code limited sandbox ephemeral data sharing keychain group,App Clips run in restricted sandbox with limited Keychain; data deleted after inactivity,Use App Group for data passing; never store credentials in App Clip; verify invocation source,Validate invocation URL; share via App Group; prompt install for sensitive features,Store auth tokens in App Clip Keychain; rely on App Clip data persistence,M2 - Insecure Data Storage,https://developer.apple.com/documentation/app_clips
+Data Storage,iOS Core Data Store Encryption,iOS,High,core data persistent store encryption sqlite file protection nsfileprotection ios database,Core Data SQLite store not encrypted by default; data readable on jailbroken devices,Apply NSPersistentStoreFileProtectionKey with .complete; use NSFileProtectionComplete,let options = [NSPersistentStoreFileProtectionKey: FileProtectionType.complete]; addPersistentStore(options:),NSPersistentContainer(name: 'Model').loadPersistentStores { _ in } // no protection,M2 - Insecure Data Storage,https://developer.apple.com/documentation/coredata
+Network,iOS Network.framework TLS Configuration,iOS,High,network framework nwprotocoltls nwconnection tls 1.3 certificate pinning minimum version swift,URLSession without Network.framework TLS controls for fine-grained security,Use NWConnection for TLS control; set minimum TLS 1.3; configure pinning via sec_protocol_options,sec_protocol_options_set_min_tls_protocol_version(options .TLSv13),URLSession default TLS; no minimum version; accepts TLS 1.0,M3 - Insecure Communication,https://developer.apple.com/documentation/network
+Platform,iOS App Extension Data Isolation,iOS,High,ios extension widget data isolation app group container keychain separate process sandbox,Extensions run in separate process; sharing requires App Group; extensions have limited capabilities,Use App Group for sharing; never store credentials in shared container; Keychain for secrets,UserDefaults(suiteName: 'group.com.app') for display data; secrets via Keychain shared group,Store auth tokens in App Group UserDefaults; share passwords via shared container,M2 - Insecure Data Storage,https://developer.apple.com/documentation/foundation/nsextensioncontext
+Data Storage,iOS CloudKit Record ACL Security,iOS,High,cloudkit record security acl ckrecord private public shared zone database encryption,CloudKit public database accessible to any user; shared zones need careful ACL management,Use private database for sensitive data; CKShare with role-based access; validate ownership,CKContainer.default().privateCloudDatabase.save(record); CKShare .readWrite specific participants,CKContainer.default().publicCloudDatabase.save(sensitiveRecord) // public access,M2 - Insecure Data Storage,https://developer.apple.com/documentation/cloudkit
+Privacy,iOS HealthKit Data Requirements,iOS,Critical,healthkit health data protection hipaa phi encryption authorization sensitive medical,HealthKit data contains sensitive medical information; improper handling violates privacy,Request only needed types; check authorization per type; never store externally without encryption,requestAuthorization(toShare: [] read: [heartRateType]); encrypt cached health data,requestAuthorization(toShare: allTypes read: allTypes); cache in UserDefaults,M6 - Privacy Violation,https://developer.apple.com/documentation/healthkit
+Platform,iOS StoreKit Receipt Server Validation,iOS,High,storekit receipt validation server-side in-app purchase fraud prevention jailbreak bypass,Client-side receipt validation bypassable on jailbroken devices; fraud undetected,Validate receipts server-side; use StoreKit 2 JWS signed transactions; verify subscription,Transaction.currentEntitlements; send JWS to server; server verifies with Apple,Bundle.main.appStoreReceiptURL locally validated; jailbreak tweak grants unlimited purchases,M8 - Code Tampering,https://developer.apple.com/documentation/storekit
+Code,iOS Swift Strict Concurrency Safety,iOS,High,swift concurrency sendable actor data race isolation strict checking compile time safety,Swift 6 strict concurrency prevents data races; apps without it risk race conditions,Enable strict concurrency; mark types Sendable; use actors for shared mutable state,actor SecureStorage { private var tokens: [String: String]; func getToken(_ key: String) -> String? },class TokenManager { var tokens: [String: String] = [:] } // mutable shared state; data race,M7 - Client Code Quality,https://developer.apple.com/documentation/swift/sendable
+Network,iOS Certificate Transparency Monitoring,iOS,Medium,certificate transparency ct log sct signed timestamp tls certificate fraud detection,Not monitoring CT logs allows fraudulently issued certificates to go undetected,Monitor CT logs for unauthorized issuance; verify SCT in TLS; subscribe to CT alerts,Monitor crt.sh for domain certificates; verify SCT presence; alert on unexpected issuance,No CT monitoring; rogue CA issues certificate undetected; MITM with valid cert,M3 - Insecure Communication,https://certificate.transparency.dev/
+Privacy,iOS App Privacy Report Compliance,iOS,Medium,ios app privacy report tracking domain access sensor frequency audit analytics transparency,Privacy Report shows which domains/sensors each app accesses; excessive access erodes trust,Minimize sensor access; audit patterns; declare all tracking in privacy manifest,Audit with Privacy Report; minimize background location; declare all domains in manifest,Access location every minute; connect to 50+ tracking domains; undeclared analytics,M6 - Privacy Violation,https://developer.apple.com/app-privacy-details/
+Network,iOS Encrypted Push Notification Payload,iOS,High,push notification apns payload encryption sensitive data notification service extension decrypt,APNS payloads visible to servers; sensitive data should be encrypted end-to-end,Encrypt payload e2e; decrypt in NotificationServiceExtension; show generic text,NotificationServiceExtension: decrypt with Keychain key; show 'New message' until opened,Send OTP account balance in cleartext APNS payload; visible on lock screen,M3 - Insecure Communication,https://developer.apple.com/documentation/usernotifications/unnotificationserviceextension
+Platform,iOS Live Activity Data Exposure,iOS,Medium,ios live activity activitykit lockscreen dynamic island sensitive data exposure widget,Live Activities display data on lock screen/Dynamic Island visible without authentication,Never display sensitive data in Live Activities; mask account numbers; minimal status,Show delivery status; mask orderNumber as '****1234'; no balance in Dynamic Island,LiveActivity showing full transaction amount account number on lock screen,M2 - Insecure Data Storage,https://developer.apple.com/documentation/activitykit
+Code,iOS Xcode Build Settings Security,iOS,High,xcode build settings strip debug symbols assertions production release configuration audit,Release builds with debug symbols or assertions enabled weaken security posture,Audit settings; ENABLE_NS_ASSERTIONS=NO; STRIP_INSTALLED_PRODUCT=YES for release,Release: DEPLOYMENT_POSTPROCESSING=YES; STRIP_STYLE=all; assertions disabled,Debug settings in release; assertions enabled; full debug symbols shipped,M8 - Security Misconfiguration,https://developer.apple.com/documentation/xcode/build-settings-reference
+Code,iOS Method Swizzling Detection,iOS,High,method swizzling objc runtime manipulation hook detection ios interpose dyld,Method swizzling allows attackers to replace implementations intercepting critical calls,Detect method replacement; verify IMP pointers; use Swift-only to reduce swizzling surface,Compare Method IMP against expected; detect objc_msgSend hooks; prefer Swift structs,No runtime checks; methods freely swizzled; login bypass via method_exchangeImplementations,M8 - Code Tampering,https://developer.apple.com/documentation/objectivec/objective-c_runtime
+Platform,iOS Core Bluetooth LE Security,iOS,High,ios core bluetooth ble peripheral central encryption pairing bonding gatt privacy,CoreBluetooth LE without proper pairing allows eavesdropping on health/payment data,Use LE Secure Connections; implement bonding; encrypt GATT payloads; validate peripheral,CBCentralManager: filter by service UUID; validate peripheral; encrypt before writeValue,Scan without filter; connect any peripheral; send cleartext health data via GATT,M3 - Insecure Communication,https://developer.apple.com/documentation/corebluetooth
+Authentication,iOS Sign in with Apple Security,iOS,High,sign in with apple authentication identity token relay attack nonce privacy validation,Sign in with Apple without nonce validation allows token replay; no server verification,Generate random nonce; verify identity token JWT server-side; handle credential revocation,Include SHA256 nonce; server verifies JWT iss=appleid.apple.com and nonce match,Accept identity token without server validation; no nonce; token replayed,M4 - Insecure Authentication,https://developer.apple.com/sign-in-with-apple/
+Platform,iOS Widget Data Security,iOS,Medium,ios widgetkit timeline provider sensitive data display lockscreen homescreen refresh,Widgets display on home/lock screen without authentication; timeline entries cached,Never display sensitive data; use redaction for lock screen; refresh with minimal data,Show masked '****1234'; redact with .privacySensitive(); non-sensitive refresh data,Widget showing full account balance visible on lock screen without authentication,M2 - Insecure Data Storage,https://developer.apple.com/documentation/widgetkit
+Network,iOS URLSession Ephemeral Configuration,iOS,Medium,urlsession ephemeral cache cookie credential persistence memory-only sensitive api,URLSession.shared caches responses/cookies to disk; sensitive data persists after logout,Use .ephemeral for sensitive APIs; no disk cache; cleared on dealloc,URLSession(configuration: .ephemeral) for banking; invalidateAndCancel() on logout,URLSession.shared for bank APIs; cached responses persist on disk after logout,M2 - Insecure Data Storage,https://developer.apple.com/documentation/foundation/urlsessionconfiguration
+Code,iOS Hardened Runtime Configuration,iOS,High,hardened runtime macos catalyst library validation code injection dylib flags,Hardened Runtime with exceptions weakens security; disable-library-validation allows injection,Enable without exceptions; never use disable-library-validation; audit runtime exceptions,Hardened Runtime enabled; no disable-library-validation; minimal exceptions,disable-library-validation=true; allow-unsigned-executable-memory=true // all disabled,M8 - Security Misconfiguration,https://developer.apple.com/documentation/security/hardened_runtime
+Platform,iOS Notification Content Extension Security,iOS,Medium,ios notification content extension rich notification sensitive lock screen category,Content Extensions display rich content on lock screen; sensitive data shown without unlock,Show minimal info; use data validation; require app open for full details,Filter sensitive content in didReceive; show generic preview; require app for details,Content Extension shows medical image with diagnosis visible on lock screen,M2 - Insecure Data Storage,https://developer.apple.com/documentation/usernotificationsui
+Authentication,iOS Safari Web Credential Autofill,iOS,Medium,ios safari web credential associated domains webcredentials autofill password shared keychain,Missing webcredentials prevents Safari autofill; misconfigured AASA exposes credentials,Configure webcredentials in Associated Domains; host AASA with correct appIDs,webcredentials:example.com; AASA webcredentials.apps: [TeamID.com.app],No webcredentials; users type passwords manually; misconfigured AASA leaks to wrong app,M4 - Insecure Authentication,https://developer.apple.com/documentation/xcode/supporting-associated-domains
+Data Storage,iOS Keychain Cross-Platform Migration,iOS,Medium,keychain migration watchos tvos macos catalyst synchronizable icloud sharing platform,Keychain not configured for cross-platform sharing between iOS/watchOS/macOS apps,Use shared access groups with TeamID prefix; configure kSecAttrSynchronizable,kSecAttrAccessGroup: 'TEAMID.com.app.shared'; kSecAttrSynchronizable: true for cross-device,Separate Keychain per platform; no sync; user re-authenticates on each device,M2 - Insecure Data Storage,https://developer.apple.com/documentation/security/keychain_services
+Data Storage,iOS Secure UserDefaults Alternatives,iOS,High,userdefaults alternatives keychain sensitive preferences plist encryption storage categorize,Developers using UserDefaults for semi-sensitive data; plist readable on jailbroken devices,Categorize sensitivity; Keychain for credentials; UserDefaults only for UI preferences,Keychain for tokens; UserDefaults only for isDarkMode theme language; file protection,UserDefaults.set(apiToken forKey: 'token'); UserDefaults.set(ssn forKey: 'ssn'),M2 - Insecure Data Storage,https://developer.apple.com/documentation/foundation/userdefaults
+Data Storage,Flutter Hive Database Encryption,Flutter,High,flutter hive nosql encryption box encryptedbox aes key storage local,Hive boxes storing sensitive data without encryption; readable on rooted devices,Use Hive encryptedBox with key from flutter_secure_storage; close box on logout,final key = secureStorage.read(key: 'hiveKey'); Hive.openBox('secure' encryptionCipher: HiveAesCipher(key)),Hive.openBox('userData'); box.put('token' jwt) // unencrypted,M2 - Insecure Data Storage,https://docs.hivedb.dev/#/advanced/encrypted_box
+Authentication,Flutter Firebase App Check,Flutter,High,flutter firebase app check attestation play integrity app attest token verification,Firebase callable without App Check allows direct API abuse without app verification,Integrate firebase_app_check with Play Integrity and App Attest; enforce on console,FirebaseAppCheck.instance.activate(androidProvider: playIntegrity appleProvider: appAttest),Firebase calls without App Check; any HTTP client calls Cloud Functions,M8 - Code Tampering,https://firebase.google.com/docs/app-check/flutter/default-providers
+Code,Flutter go_router Auth Guards,Flutter,High,flutter go_router redirect authentication guard protected route middleware login,Routes accessible without authentication; deep links bypass login flow,Implement GoRouter redirect with auth state check; protect sensitive routes,GoRouter(redirect: (ctx state) { if (!loggedIn && state.matchedLocation != '/login') return '/login'; }),GoRouter(routes: [GoRoute(path: '/settings' builder: SettingsScreen)]) // no auth,M4 - Insecure Authentication,https://pub.dev/packages/go_router
+Code,Flutter Riverpod AutoDispose Security,Flutter,High,flutter riverpod autodispose provider sensitive state memory cleanup token dispose,Providers without autoDispose hold sensitive data indefinitely; visible in DevTools,Use autoDispose for sensitive providers; clear state on logout,StateProvider.autoDispose<String?>((ref) => null); ref.onDispose(() => clearData()),StateProvider<String>((ref) => '') // never disposed; token forever in memory,M2 - Insecure Data Storage,https://riverpod.dev/docs/concepts/modifiers/auto_dispose
+Supply Chain,Flutter Package Integrity Verification,Flutter,High,flutter pub.dev package integrity supply chain dependency checksum pubspec.lock,Packages not verified for integrity; dependency confusion attacks possible,Lock deps in pubspec.lock; verify checksums; use dart pub audit for CVEs,pubspec.lock committed; dart pub audit; review before integration; monitor advisories,No pubspec.lock committed; unreviewed transitive deps; no CVE scanning,M6 - Insufficient Supply Chain Security,https://dart.dev/tools/pub/security-advisories
+Code,Flutter Web CORS CSP Security,Flutter,Medium,flutter web cors content security policy cross-origin xss iframe browser,Flutter web without CORS/CSP headers vulnerable to XSS and cross-origin attacks,Configure CORS on backend; set strict CSP in index.html; restrict embedding,CSP default-src 'self'; X-Frame-Options: DENY; SameSite cookies,No CSP; no CORS restriction; app embeddable in any iframe; XSS via postMessage,M1 - Improper Platform Usage,https://docs.flutter.dev/platform-integration/web
+Data Storage,Flutter Isar Database Encryption,Flutter,Medium,flutter isar database nosql encryption inspector local storage schema,Isar without encryption stores readable binary; Inspector in debug exposes data,Use Isar encryption; disable Inspector in release; encrypt sensitive fields,Isar.open([Schema] inspector: !kReleaseMode encryption: 'password'),Isar.open([Schema]) // inspector enabled; no encryption,M2 - Insecure Data Storage,https://isar.dev/
+Code,Flutter ProGuard Native Rules,Flutter,Medium,flutter proguard rules android native r8 obfuscation keep class minify,Default ProGuard rules may strip needed classes or keep too many,Configure custom ProGuard rules; minimize keep; ensure R8 compatibility,proguard-rules.pro: keep Flutter engine; obfuscate app; test release,-keep class ** // keeps everything; defeats obfuscation,M9 - Reverse Engineering,https://docs.flutter.dev/deployment/android#shrinking
+Network,Flutter Network Image Cache Security,Flutter,Medium,flutter cached_network_image cache disk sensitive photo medical document,Cached images stored unencrypted; sensitive images accessible on rooted devices,Encrypt cache for sensitive images; clear on logout; memory-only for sensitive,CachedNetworkImage with encrypted CacheManager; maxAge 1h; clear on logout,CachedNetworkImage(imageUrl: medicalScanUrl) // unencrypted; persists after logout,M2 - Insecure Data Storage,https://pub.dev/packages/cached_network_image
+Testing,Flutter Integration Test Security,Flutter,Medium,flutter integration test security patrol e2e authentication biometric flow,Security-critical flows not tested e2e; auth regression undetected,Write integration tests for auth; test biometric gates; run in CI,patrol('payment requires biometric' ($) { expect(BiometricPrompt findsOneWidget); }),No integration tests for auth; login bypass undetected; payment without verification,M7 - Client Code Quality,https://docs.flutter.dev/testing/integration-tests
+Code,Flutter Dart Zone Error Handling,Flutter,High,flutter dart zone runZonedGuarded uncaught exception sanitize crash reporting,Uncaught exceptions may contain sensitive data sent to crash reporting,Use runZonedGuarded; sanitize errors before reporting; strip PII,runZonedGuarded(() => runApp(app) (error stack) { report(sanitize(error)); }),runApp(app) // uncaught exceptions with tokens sent raw to Crashlytics,M10 - Extraneous Functionality,https://api.dart.dev/stable/dart-async/runZonedGuarded.html
+Platform,Flutter Platform View Security,Flutter,Medium,flutter platform view androidview uikitview native embedding webview hybrid,PlatformView embedding native views can bypass Flutter security controls,Restrict to trusted SDKs; validate data passed; audit permissions,AndroidView(viewType: 'trusted-view' creationParams: sanitizedParams),AndroidView(viewType: 'webview' creationParams: {'url': userInput}) // arbitrary URL,M1 - Improper Platform Usage,https://docs.flutter.dev/platform-integration/android/platform-views
+Code,Flutter Bloc Observer Production Safety,Flutter,Medium,flutter bloc cubit event state logging observer transition production,BlocObserver logging all transitions in production exposes sensitive state,Conditionally add observer in debug only; strip sensitive state,if (kDebugMode) Bloc.observer = AppBlocObserver() // no observer in production,Bloc.observer = LogAllObserver() // logs AuthState(token: 'eyJ...') in prod,M10 - Extraneous Functionality,https://bloclibrary.dev/
+Authentication,Flutter Device Fingerprint Security,Flutter,Medium,flutter device_info_plus fingerprint emulator detection hardware identifier,No device validation allows automated abuse from emulators or clones,Use device_info_plus; detect emulator; server-side fingerprinting,DeviceInfoPlugin().androidInfo: if (!isPhysicalDevice) showWarning; sendFingerprint,No device checks; app identical on emulator; automated attacks undetected,M1 - Improper Platform Usage,https://pub.dev/packages/device_info_plus
+Code,Flutter Method Channel Rate Limiting,Flutter,Medium,flutter method channel rate limiting throttle native bridge flood dos,Channel methods callable at unlimited rate; flood causes ANR,Implement rate limiting on native handlers; throttle sensitive operations,Native: check timestamp; reject if <100ms interval; limit 10 calls/sec,invokeMethod('decrypt' data) in tight loop; causes ANR,M1 - Improper Platform Usage,https://docs.flutter.dev/platform-integration/platform-channels
+Network,Flutter Dio Interceptor Auth Safety,Flutter,Medium,flutter retrofit dio interceptor auth header token refresh logging,Interceptors not handling token refresh races; exposing auth in errors,Thread-safe token refresh; queue during refresh; strip auth from errors,QueuedInterceptorsWrapper: lock refresh; retry queued; strip Authorization from errors,onError: log(e.requestOptions.headers) // logs auth token on error,M3 - Insecure Communication,https://pub.dev/packages/dio
+Data Storage,Flutter SharedPreferences Audit,Flutter,High,flutter shared_preferences audit sensitive migration encrypted secure plaintext,SharedPreferences storing sensitive data that should be in secure_storage,Audit all keys; migrate sensitive data to flutter_secure_storage; delete old,Migration: read SharedPrefs; write FlutterSecureStorage; delete old keys,SharedPreferences with 'auth_token' 'password' alongside 'theme' // mixed,M2 - Insecure Data Storage,https://pub.dev/packages/shared_preferences
+Code,Flutter Secure Text Field Handling,Flutter,Medium,flutter textfield obscuretext password sensitive input autocomplete keyboard,Sensitive input fields without obscureText expose passwords in keyboard cache,Use obscureText for passwords; disable autocorrect; enableSuggestions false,TextField(obscureText: true autocorrect: false enableSuggestions: false),TextField(controller: passwordCtrl) // no obscure; password visible; cached by keyboard,M2 - Insecure Data Storage,https://api.flutter.dev/flutter/material/TextField-class.html
+Platform,React Native Turbo Module Typed Security,React Native,High,react native turbo module typed codegen specification validation architecture,TurboModules with loose typing allow type confusion; untyped calls accept unexpected args,Use typed TurboModule spec with codegen; validate argument types in native,TurboModule spec: typed interface; native validates types match spec,TurboModule accepts any args; integer overflow via coercion; type confusion,M1 - Improper Platform Usage,https://reactnative.dev/docs/turbo-modules
+Code,React Native Fabric Renderer Isolation,React Native,Medium,react native fabric renderer shadow node component isolation state exposure,Fabric shadow nodes may retain sensitive state; improper cleanup leaks data,Clear sensitive state on unmount; verify shadow node cleanup,useEffect(() => () => clearSensitiveState()); // cleanup on unmount,Password state retained in shadow node; accessible via debug bridge,M2 - Insecure Data Storage,https://reactnative.dev/docs/fabric-renderer
+Authentication,React Native App Auth PKCE Flow,React Native,Critical,react-native-app-auth oauth pkce authorization code browser token redirect,Custom OAuth without PKCE vulnerable to code interception; WebView auth insecure,Use react-native-app-auth with PKCE; system browser; store tokens in Keychain,authorize({ clientId scopes redirectUrl usePKCE: true }); store in Keychain,Custom WebView login; no PKCE; token in redirect URL; embedded form,M4 - Insecure Authentication,https://github.com/FormidableLabs/react-native-app-auth
+Testing,React Native Detox Security Tests,React Native,Medium,react native detox e2e security test authentication biometric flow validation,Security flows not tested e2e; auth bypass regression undetected,Write Detox tests for auth; test biometric gates; test deep link guards,it('requires biometric' async () => { expect(element(by.id('biometricPrompt'))).toBeVisible() }),No e2e security tests; login bypass deployed; payment without verification,M7 - Client Code Quality,https://wix.github.io/Detox/
+Supply Chain,React Native Patch Package Security,React Native,High,react native patch-package modification supply chain review audit custom fork,patch-package modifications bypass normal dependency vetting,Review all patches in PR; document purpose; minimize patches; prefer upstream,patches/ reviewed in PR; documented with issue link; CI validates; periodic removal,Patches applied without review; hidden auth library modifications; no docs,M6 - Insufficient Supply Chain Security,https://github.com/ds300/patch-package
+Network,React Native WebSocket Security,React Native,High,react native websocket wss authentication token origin validation encryption,WebSocket without TLS/auth allows MITM and unauthorized connections,Use wss://; authenticate via first message; validate origin server-side,new WebSocket('wss://api.app.com'); ws.onopen = () => ws.send({ type: 'auth' token }),new WebSocket('ws://api.app.com') // no TLS; no auth; data intercepted,M3 - Insecure Communication,https://reactnative.dev/docs/network#websocket-support
+Platform,React Native Push Payload Encryption,React Native,High,react native push notification payload sensitive encryption fcm apns lockscreen,Push payloads with sensitive data visible on lock screen to notification services,Encrypt sensitive payloads; decrypt in handler; show generic preview,Decrypt payload with Keychain key; show 'New message'; details on open,PushNotification({ title: 'Transfer $5000 to Account 1234' }) // on lock screen,M2 - Insecure Data Storage,https://rnfirebase.io/messaging/usage
+Platform,React Native Image Picker Security,React Native,Medium,react native image picker camera gallery file uri temp cache sensitive photo,Image picker creates temp files in accessible cache; sensitive photos persist,Move to internal storage; encrypt sensitive images; delete temps after processing,moveToSecureStorage(result.path); deleteFile(result.path); encrypt(image),setState({ idScanUri: result.path }) // temp file persists in cache,M2 - Insecure Data Storage,https://github.com/ivpusic/react-native-image-crop-picker
+Code,React Native New Architecture Security,React Native,High,react native new architecture bridgeless turbomodule fabric codegen typed,New Architecture (Bridgeless) changes security model; TurboModules need typed validation,Audit all TurboModule specs; validate codegen output; test bridgeless security,Codegen enforced typing; TurboModule native validation; test without bridge,Bridge modules migrated without security review; type validation lost in migration,M1 - Improper Platform Usage,https://reactnative.dev/docs/new-architecture-intro
+Data Storage,React Native Sensitive Info Storage,React Native,High,react-native-sensitive-info android keystore ios keychain shared preferences encrypted,Default storage mechanisms leave sensitive data unprotected; need platform-native security,Use react-native-sensitive-info with Keystore/Keychain backend; sharedPreferencesName config,SInfo.setItem('token' jwt { sharedPreferencesName: 'secure' keychainService: 'auth' }),AsyncStorage.setItem('session' JSON.stringify({ token password refreshToken })),M2 - Insecure Data Storage,https://github.com/mCodex/react-native-sensitive-info
+Authentication,React Native Biometric Auth Binding,React Native,High,react native biometric authentication crypto binding keychain hardware touchid faceid,Biometric auth as UI-only gate; hookable without cryptographic binding,Combine biometric with Keychain-bound keys; verify on server for critical ops,Keychain.getGenericPassword({ accessControl: BIOMETRY_CURRENT_SET }); server validates,if (await authenticate()) showSecret() // hookable; no crypto binding,M4 - Insecure Authentication,https://github.com/oblador/react-native-keychain
+Code,React Native Hermes Debug Strip,React Native,High,react native hermes debug symbols source map strip production reverse engineering,Hermes bytecode with debug info and source maps in production enables analysis,Strip debug info; exclude source maps from bundle; verify production build,hermesFlags: ['-O' '-output-source-map' false]; no sourcemaps in release APK,Source maps bundled in APK; debug symbols in Hermes bytecode; hbcdump readable,M9 - Reverse Engineering,https://reactnative.dev/docs/hermes
+Network,React Native API Request Signing,React Native,High,react native api request signing hmac integrity timestamp replay protection,API requests without signing allow replay attacks and parameter tampering,Sign requests with HMAC; include timestamp; server validates signature and freshness,HMAC-SHA256(method + path + timestamp + body secretKey); include in X-Signature header,fetch(url { headers: { Authorization: token } }) // no signing; replay possible,M3 - Insecure Communication,
+Platform,React Native Inter-App Communication,React Native,Medium,react native linking deep link intent url scheme inter-app data sharing,Inter-app communication via URL schemes without validation leaks data,Validate incoming URLs; sanitize parameters; use Universal Links over schemes,Linking.addEventListener('url' ({ url }) => { if (validateUrl(url)) handleDeepLink(url) }),Linking.addEventListener('url' ({ url }) => navigateTo(url)) // no validation,M1 - Improper Platform Usage,https://reactnative.dev/docs/linking
+Code,React Native Console Log Production,React Native,Medium,react native console.log production debug sensitive token removal strip,console.log statements with tokens/PII reaching production; visible in logcat/Console,Use babel-plugin-transform-remove-console; or __DEV__ guard; strip all logs,babel.config.js plugins: ['transform-remove-console'] for production builds,console.log('Token:' token 'User:' email) // readable in logcat/Xcode console,M10 - Extraneous Functionality,https://babeljs.io/docs/babel-plugin-transform-remove-console
+Supply Chain,React Native Autolinking Security Audit,React Native,Medium,react native autolinking native module pod dependency automatic linking audit,Autolinking automatically links all installed native modules; unwanted modules get access,Audit auto-linked modules; exclude unnecessary native deps; review Podfile.lock,react-native.config.js: dependencies: { 'unwanted-module': { platforms: { ios: null } } },All npm packages with native code auto-linked without review; excessive permissions,M6 - Insufficient Supply Chain Security,https://reactnative.dev/docs/linking-libraries-ios
+Platform,React Native Keyboard Security,React Native,Medium,react native keyboard input third-party secure text entry autocomplete disable,Third-party keyboards capture sensitive input; autocomplete caches passwords,secureTextEntry; autoComplete off; disable autocorrect for sensitive fields,TextInput secureTextEntry autoComplete='off' autoCorrect={false} textContentType='oneTimeCode',TextInput value={password} // no secureTextEntry; cached by keyboard; visible,M2 - Insecure Data Storage,https://reactnative.dev/docs/textinput
+Security Testing,Frida Scripting Defense Testing,All,High,frida dynamic instrumentation defense testing hook detection bypass validation,Frida hooks bypass SSL pinning root detection and authentication without detection,Test with Frida scripts; implement Frida detection; verify anti-hook measures work,DetectFrida: check /proc/self/maps for frida; check frida-server port; verify hooks fail,No anti-instrumentation; Frida attaches freely; SSL pinning bypassed in seconds,M8 - Code Tampering,https://frida.re/docs/home/
+Security Testing,Radare2 Binary Analysis Defense,All,High,radare2 r2 binary analysis disassembly reverse engineering hardcoded secrets strings,Static binary analysis reveals hardcoded secrets; unstripped symbols reveal architecture,Run r2 on own binary; check for leaked strings/keys; verify obfuscation; strip symbols,r2 -qc 'izz~api_key' app.so // verify no hardcoded secrets; symbols stripped,Hardcoded API keys found via r2 strings; unstripped symbols map entire codebase,M9 - Reverse Engineering,https://www.radare.org/
+Security Testing,Nuclei Mobile Scan Templates,All,Medium,nuclei mobile api scan template vulnerability assessment automated endpoint,Nuclei templates for mobile API endpoint scanning detect common misconfigurations,Run Nuclei with mobile templates against staging APIs; include in CI pipeline,nuclei -t mobile-api/ -target https://api.staging.app.com -severity high critical,No automated API scanning; misconfigurations deployed to production undetected,M8 - Security Misconfiguration,https://github.com/projectdiscovery/nuclei-templates
+Security Testing,Semgrep Mobile Security Rules,All,Medium,semgrep sast static analysis mobile rules android ios flutter pattern matching,Static analysis without mobile-specific rules misses platform-specific vulnerabilities,Use semgrep with mobile rulesets; custom rules for project patterns; run in CI,semgrep --config p/android-security --config p/owasp-mobile src/,No SAST; or generic rules only; platform-specific bugs like Keystore misuse undetected,M7 - Client Code Quality,https://semgrep.dev/p/android-security
+Security Testing,SAST Pipeline Integration Mobile,All,High,sast ci/cd pipeline integration static analysis github actions gitlab mobile security gate,Security testing not integrated in CI; vulnerabilities discovered only in manual review,Integrate SAST in CI pipeline; gate merges on critical findings; track metrics,GitHub Actions: run semgrep MobSF on PR; block merge if critical; track over time,Manual security review only; vulnerabilities merged to main; discovered post-release,M7 - Client Code Quality,
+Security Testing,Mobile Penetration Testing Methodology,All,High,penetration testing methodology mobile owasp mstg checklist scope reconnaissance,Ad-hoc security testing without methodology misses systematic vulnerabilities,Follow OWASP MSTG checklist; scope clearly; test data storage network auth crypto,MSTG checklist: MSTG-STORAGE MSTG-NETWORK MSTG-AUTH MSTG-CRYPTO per section,Random testing without checklist; critical areas untested; inconsistent coverage,M7 - Client Code Quality,https://mas.owasp.org/MASTG/
+Security Testing,Security Regression Test Suite,All,Medium,security regression testing automated suite ci continuous vulnerability reintroduce,Fixed vulnerabilities reintroduced in later releases without regression tests,Create security test for each fixed vulnerability; run in CI; never remove,Test suite: testSSLPinningActive testRootDetection testTokenExpiry testInputValidation,Fix vulnerability; no test added; same vulnerability reintroduced 3 releases later,M7 - Client Code Quality,
+Security Testing,Security Code Review Checklist Mobile,All,Medium,code review checklist security mobile pull request pr audit guideline,Code reviews without security checklist miss authentication storage and crypto issues,Maintain mobile security checklist for PR reviews; train developers; automate checks,Checklist: auth token handling; data storage; input validation; crypto; permissions per PR,No security checklist; reviewers check only functionality; auth bypass merged,M7 - Client Code Quality,
+AI Security,ML Model Watermarking Detection,All,High,model watermarking detection intellectual property theft verification mobile ai ml,Model theft via extraction attacks; no way to verify model ownership is legitimate,Embed watermarks in model weights; verify watermarks server-side; detect extracted models,Embed trigger patterns during training; server validates model responses to trigger inputs,No watermarking; model extracted and repackaged in competitor app; no proof of theft,M8 - Code Tampering,
+AI Security,Differential Privacy On-Device Inference,All,High,differential privacy inference on-device ai ml noise laplace epsilon budget,Inference results may leak private training data through membership inference attacks,Add calibrated noise to inference outputs; implement epsilon-budget tracking; limit queries,DPInference: addLaplaceNoise(result epsilon: 1.0); trackPrivacyBudget(query),Raw model output returned directly; membership inference reveals training data presence,M6 - Privacy Violation,
+AI Security,On-Device Training Data Isolation,All,Critical,on-device training data isolation fine-tuning personalization privacy sandbox segregate,On-device fine-tuning mixes personal training data with app data; extractable,Isolate training data in separate encrypted container; delete after training; no export,TrainingPipeline: encryptedSandbox; deleteDataAfterTraining(); preventDataExfiltration(),Training data stored alongside app data; fine-tuning data exported in backup; accessible,M2 - Insecure Data Storage,
+AI Security,LLM Guardrail SDK Integration,All,High,llm guardrail sdk prompt injection output filtering safety mobile on-device,On-device LLM without guardrails produces harmful content or leaks system prompts,Integrate guardrail SDK; filter inputs for injection; validate outputs; rate limit,GuardrailSDK: filterPromptInjection(input); validateOutput(response); rateLimitUser(userId),rawLLM.generate(userInput) // no input filtering; prompt injection leaks system prompt,M7 - Client Code Quality,
+AI Security,ML Model Access Control Policies,All,High,ml model access control authorization inference api key rate limit mobile,Model inference endpoints without access control allow unauthorized or excessive usage,Implement per-user rate limiting; require authentication; validate input size; audit usage,MLInference: authenticateUser(token); checkRateLimit(userId); validateInputSize(data); audit(),model.predict(anyInput) // no auth; no rate limit; API exhaustion; model scraping,M4 - Insecure Authentication,
+AI Security,AI Feature Toggle Security,All,Medium,ai feature toggle flag remote config a/b test model rollout disable kill switch,AI features without kill switch cannot be disabled when producing harmful outputs,Implement remote feature flags for AI features; server-side kill switch; gradual rollout,RemoteConfig: if (!aiFeatureEnabled) return fallbackBehavior(); gradualRollout(percentage: 10),AI feature hardcoded enabled; harmful outputs cannot be stopped; requires app update,M8 - Security Misconfiguration,
+Architecture,API Gateway Mobile Security Pattern,All,High,api gateway security pattern rate limiting authentication routing mobile backend,Direct backend access from mobile without API gateway lacks centralized security,Route all mobile traffic through API gateway; centralize auth rate limiting and logging,APIGateway: authenticate(token); rateLimit(userId 100/min); routeTo(backend); auditLog(request),Mobile app connects directly to microservices; no central auth; no rate limiting,M3 - Insecure Communication,
+Architecture,Secure Session Architecture Design,All,Critical,session architecture design token refresh rotation revocation concurrent device management,Sessions without proper lifecycle management allow stale or hijacked sessions,Implement short-lived access tokens; secure refresh rotation; device-bound sessions; revocation,AccessToken(15min); RefreshToken(rotate-on-use); bindToDevice(fingerprint); revokeOnLogout(),Long-lived JWT never expires; same token on all devices; no revocation mechanism,M4 - Insecure Authentication,
+Architecture,End-to-End Encryption Design Pattern,All,Critical,e2e encryption design pattern signal protocol double ratchet key exchange forward secrecy,Transport-only encryption; server sees cleartext; no forward secrecy,Implement e2e encryption with forward secrecy; Signal protocol or equivalent; key verification,Signal Protocol: X3DH key agreement; Double Ratchet; message keys deleted after use,TLS only; server stores cleartext messages; single key for all messages; no PFS,M5 - Insufficient Cryptography,https://signal.org/docs/
+Architecture,Capability-Based Access Control Mobile,All,High,capability based access control authorization token permission fine-grained resource,Role-based only; cannot grant fine-grained per-resource permissions; over-privileged tokens,Implement capability tokens for specific resources; time-limited; non-transferable; auditable,CapabilityToken: { resource: 'document/123' actions: ['read'] expires: '2025-12-01' },JWT with role: 'admin' grants access to everything; no per-resource control,M5 - Insecure Authorization,
+Architecture,Secure Enclave Architecture Integration,All,High,secure enclave tee trusted execution environment hardware key generation attestation,Security-critical operations running in main process vulnerable to memory dump,Offload crypto to hardware secure enclave; key generation in TEE; attestation verification,SecureEnclave: generateKey(inHardware: true); sign(data: payload); obtainAttestation(),Keys generated in software memory; private key extractable via memory dump; no TEE,M5 - Insufficient Cryptography,
+Architecture,Event-Driven Security Monitoring Pattern,All,Medium,event driven security monitoring siem logging anomaly detection real-time mobile,No real-time security monitoring; attacks detected only after damage,Implement event-driven security monitoring; emit security events; detect anomalies real-time,SecurityMonitor.emit(LoginEvent(userId device location)); detectAnomalies(); alertOnBreach(),No security event logging; no anomaly detection; breach discovered weeks later in audit,M7 - Client Code Quality,
+Compliance,DORA Digital Operational Resilience,All,High,dora digital operational resilience act ict risk eu financial mobile regulation,Financial mobile apps not meeting DORA ICT risk requirements face regulatory penalties,Implement ICT risk management framework; resilience testing; third-party risk monitoring,DORCompliance: ictRiskAssessment(); resilienceTest(quarterly); thirdPartyRiskMonitor(vendors),No ICT risk framework; no resilience testing; third-party outage causes extended downtime,M8 - Security Misconfiguration,https://www.eba.europa.eu/regulation-and-policy/digital-operational-resilience-act
+Compliance,CCPA CPRA California Privacy Mobile,All,High,ccpa cpra california privacy rights consumer data mobile deletion opt-out sale,Mobile apps collecting California resident data without CCPA/CPRA compliance face fines,Implement opt-out of data sale; honor deletion requests; disclose data collection; age gate,PrivacyManager: showDoNotSellToggle(); handleDeletionRequest(userId); discloseCategories(),Collect personal data without disclosure; no opt-out; ignore deletion requests; sell data,M6 - Privacy Violation,https://oag.ca.gov/privacy/ccpa
+Compliance,COPPA Children Privacy Mobile,All,Critical,coppa children privacy protection age verification parental consent mobile game education,Mobile apps used by children without COPPA compliance face FTC enforcement and fines,Age gate before data collection; verifiable parental consent; minimize data; no behavioral ads,AgeGate: if (age < 13) requireParentalConsent(); noBehavioralAds(); minimizeDataCollection(),No age verification; children tracked; behavioral ads shown; no parental consent obtained,M6 - Privacy Violation,https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule
+Compliance,App Store Security Review Guidelines,All,High,app store review guidelines security apple google play policy rejection privacy,App rejected for security policy violations causing release delays and revenue loss,Pre-review against Apple/Google security policies; automated compliance checks; stay updated,PreSubmit: checkPrivacyManifest(); validateEntitlements(); testPermissionDialogs(); policyCompliance(),Submit without review; rejected for missing privacy manifest; 2-week delay; revenue loss,M1 - Improper Platform Usage,https://developer.apple.com/app-store/review/guidelines/
+Compliance,Security Audit Logging Standards,All,High,security audit logging standards soc2 immutable trail tamper-proof timeline forensic,No audit trail for security events; forensic investigation impossible after breaches,Implement immutable audit logging; timestamp all security events; retain per compliance,AuditLog: immutableAppend(event: AuthAttempt userId timestamp ip device); retain(7years),No logging; or mutable logs overwritten; attacker erases evidence; no forensic trail,M7 - Client Code Quality,
+Compliance,Data Retention Policy Mobile Compliance,All,Medium,data retention policy compliance mobile deletion schedule auto-purge right-to-be-forgotten,Data retained indefinitely in mobile storage; violates retention policies and GDPR right to erasure,Implement auto-purge schedules; honor deletion requests within 30 days; document retention,DataRetention: autoPurge(olderThan: 90days); onDeletionRequest(userId): deleteAll(within: 30days),All user data retained forever; no purge; ignore deletion requests; violate GDPR Art 17,M6 - Privacy Violation,https://gdpr.eu/right-to-be-forgotten/
+Threat Modeling,Mobile Kill Chain Analysis,All,High,kill chain cyber mobile attack phases reconnaissance exploitation persistence exfiltration,Not analyzing attack kill chain misses early detection and prevention opportunities,Map mobile-specific kill chain; implement detection at each phase; defense in depth,KillChain: detectRecon(portScan) -> preventExploit(hardening) -> blockPersistence(integrity),No kill chain awareness; focus only on perimeter; attacker moves laterally undetected,M7 - Client Code Quality,
+Threat Modeling,Abuse Case Scenario Modeling,All,High,abuse case scenario modeling attacker perspective misuse security requirement negative test,Only modeling positive use cases; attacker abuse scenarios not considered in design,Create abuse cases for each feature; model attacker goals; derive security requirements,AbuseCase: 'Attacker replays auth token to access other accounts'; mitigation: token binding,Only functional requirements; no abuse cases; payment replay attack discovered in production,M7 - Client Code Quality,
+Threat Modeling,Mobile Risk Scoring Matrix,All,Medium,risk scoring matrix impact likelihood severity classification vulnerability priority triage,No risk scoring; all vulnerabilities treated equally; critical issues delayed,Implement risk matrix (impact x likelihood); prioritize by business risk; track metrics,RiskScore: impact(financial=5 users=10000) * likelihood(exploit=easy) = Critical; fix in 24h,All bugs in same backlog; critical auth bypass same priority as minor UI issue,M7 - Client Code Quality,
+Threat Modeling,Automated Threat Detection Mobile,All,High,automated threat detection mobile anomaly runtime behavior analytics machine learning,Manual threat detection; attacks detected hours or days after occurrence,Implement runtime anomaly detection; ML-based behavior analysis; automated alerting,ThreatDetector: monitorApiPatterns(); detectBrute(force: 10/min); alertOnAnomaly(confidence: 0.95),No runtime monitoring; brute force runs for days undetected; no automated alerts,M7 - Client Code Quality,
+Threat Modeling,Mobile Incident Response Playbook,All,High,incident response playbook mobile breach notification containment recovery forensic,No mobile-specific incident response plan; chaos during security incidents,Create mobile IR playbook; define roles; practice tabletop exercises; automate containment,IRPlaybook: detect -> contain(revokeTokens) -> investigate(forensics) -> notify(users 72h) -> recover,No IR plan; breach discovered; 2 weeks to respond; no user notification; regulatory fine,M7 - Client Code Quality,
+Platform,Android 16 Keystore Key Sharing API,Android,High,android 16 keystore key sharing api secure cryptographic material cross-app privilege,No secure key sharing between apps; developers use insecure IPC to transfer crypto material,Use Android 16 Keystore Key Sharing API for privileged cross-app key sharing,KeyStoreKeyProperties.Builder().setKeySharing(SHARING_GRANTED packageNames); share via API,Export private key via Intent extras; share crypto material through ContentProvider unencrypted,M5 - Insufficient Cryptography,https://developer.android.com/about/versions/16
+Platform,Android 16 Wi-Fi Ranging AES-256 Security,Android,Medium,android 16 wifi ranging 802.11az aes-256 mitm protection location ranging api,Wi-Fi ranging without encryption allows location spoofing and MITM attacks,Use Android 16 802.11az ranging with AES-256 encryption; RangingManager API,RangingManager: enableSecureRanging(AES256); detectMitm(); validateDistance(),Legacy Wi-Fi RTT without encryption; location spoofed; distance manipulated,M3 - Insecure Communication,https://developer.android.com/about/versions/16
+Platform,Android 16 MediaStore Unique Versions,Android,Medium,android 16 mediastore unique version per-app media access fingerprinting prevention,Shared MediaStore version allows cross-app tracking via version fingerprinting,Target Android 16 for unique MediaStore.getVersion() per app; prevents cross-app correlation,MediaStore.getVersion(context) // unique per app on API 36+; no cross-app tracking,MediaStore.getVersion shared across apps; used as cross-app fingerprint identifier,M6 - Privacy Violation,https://developer.android.com/about/versions/16
+Platform,Android 16 Intent Redirection Protection,Android,Critical,android 16 intent redirection vulnerability protection mitigation system hardening,Intent redirection attacks allow privilege escalation through exported components,Android 16 built-in intent redirection hardening; validate all incoming intents; restrict exports,Validate intent.getAction() intent.getData() before processing; android:exported=false default,Accept and forward arbitrary intents; exported activities process untrusted data blindly,M1 - Improper Platform Usage,https://developer.android.com/about/versions/16
+Platform,Android 16 Advanced Protection Mode,Android,High,android 16 advanced protection mode enterprise security toggle malware sideload 2g,Advanced Protection Mode not leveraged; users unaware of enterprise-grade protection,Detect Advanced Protection Mode; adapt app behavior; guide users to enable for sensitive apps,DevicePolicyManager.isAdvancedProtectionEnabled(); adaptSecurityPosture(enhanced: true),Ignore device security posture; same behavior regardless of protection mode,M1 - Improper Platform Usage,https://developer.android.com/about/versions/16
+Authentication,Android Credential Provider Security,Android,High,android credential provider manager passkey fido2 webauthn passwordless api 34,Custom password storage instead of Credential Manager; weak credential handling,Use Credential Manager API for passkey/password creation and retrieval; FIDO2 support,CredentialManager.create(CreatePublicKeyCredentialRequest(json)); getCredential(request),SharedPreferences.putString('password' userPassword) // plaintext credential storage,M4 - Insecure Authentication,https://developer.android.com/identity/sign-in/credential-manager
+Privacy,Android Health Connect FHIR Security,Android,Critical,android health connect fhir hl7 health records medical data privacy consent,Health Connect FHIR records contain sensitive medical data; improper handling violates privacy,Request minimal FHIR resource types; validate consent; encrypt cached health data; audit access,HealthConnectClient: readRecords(ReadRecordsRequest(FhirResource)); checkPermissions(); encrypt(),Read all FHIR resources; cache unencrypted; no consent check; share with analytics,M6 - Privacy Violation,https://developer.android.com/health-and-fitness/guides/health-connect
+Platform,Android Predictive Back Security,Android,Medium,android predictive back gesture navigation onBackPressedCallback security state cleanup,Predictive back gesture may reveal previous screen content during animation; state not cleared,Clear sensitive UI state in onBackPressedCallback; ensure no data leakage during back preview,onBackPressedDispatcher.addCallback { clearSensitiveFields(); finish() },Back gesture previews previous screen with banking data visible during swipe animation,M2 - Insecure Data Storage,https://developer.android.com/guide/navigation/custom-back/predictive-back-gesture
+Platform,Android Per-App Language Security,Android,Medium,android per-app language locale security validation resource injection localization,Per-app language selection without validation allows locale-based resource injection,Validate locale input; sanitize formatted strings; test all locale resource bundles,LocaleManager.setApplicationLocales(validated(locale)); sanitize(getString(R.string.msg)),Accept arbitrary locale string; format string injection via malicious locale resource,M1 - Improper Platform Usage,https://developer.android.com/guide/topics/resources/app-languages
+Code,Android Baseline Profile Integrity,Android,Medium,android baseline profile integrity art compilation dex verification tamper,Baseline Profiles optimized for performance; tampered profiles could alter execution paths,Sign and verify baseline profiles; generate from release build; validate in CI,BaselineProfile: generate from benchmark; include in release; verify checksum in CI,Baseline profiles from untrusted source; modified profile alters compilation; execution hijack,M8 - Code Tampering,https://developer.android.com/topic/performance/baselineprofiles
+Supply Chain,Android Gradle Version Catalog Security,Android,High,android gradle version catalog toml dependency management supply chain centralize audit,Scattered dependency versions across build files; inconsistent versions; hard to audit,Centralize in libs.versions.toml; audit versions regularly; use dependencyUpdates plugin,libs.versions.toml: [versions] okhttp = '4.12.0'; [libraries] okhttp = { module group version.ref },Dependencies scattered across build.gradle files; duplicate versions; inconsistent; hard to audit,M6 - Insufficient Supply Chain Security,https://developer.android.com/build/migrate-to-catalogs
+Platform,Android Credential Transfer API Security,Android,High,android credential transfer block restore backup migration device security validation,Credential Transfer API for device migration must prevent credential theft during transfer,Validate destination device attestation before credential transfer; encrypt during transit,CredentialTransfer: validateDestinationAttestation(); encrypt(credentials); secureChannel(),Transfer credentials via backup without encryption; any restore device gets credentials,M4 - Insecure Authentication,https://developer.android.com/identity/sign-in/credential-manager
+Privacy,Android Photo Picker Privacy Mode,Android,Medium,android photo picker privacy media selection visual system picker limited access,Apps using custom gallery get full media access; system Photo Picker grants only selected,Use system Photo Picker; no READ_MEDIA_IMAGES for selection; limited access by default,PickVisualMediaRequest(ActivityResultContracts.PickVisualMedia()) // system picker only,requestPermissions(READ_MEDIA_IMAGES); custom gallery scans all photos; full access,M6 - Privacy Violation,https://developer.android.com/training/data-storage/shared/photopicker
+Platform,Android Notification Listener Security,Android,High,android notification listener service access abuse interception sensitive content,NotificationListenerService can read all notifications including OTPs and messages,Minimize notification content; detect listeners; warn users about active listeners,NotificationManager: detect active listeners; warn user; redact OTP from notification content,Full OTP bank balance message content in notification; any listener app reads everything,M2 - Insecure Data Storage,https://developer.android.com/reference/android/service/notification/NotificationListenerService
+Platform,Android Exact Alarm Security,Android,Medium,android alarm manager exact alarm schedule execute api 31+ restriction permission,Exact alarms (SCHEDULE_EXACT_ALARM) restricted in API 31+; misuse enables persistent execution,Use inexact alarms when possible; request SCHEDULE_EXACT_ALARM only when necessary; handle denial,WorkManager for periodic; AlarmManager.setAndAllowWhileIdle() only for user-visible timing,SCHEDULE_EXACT_ALARM for background analytics; denied on API 31+; feature breaks silently,M1 - Improper Platform Usage,https://developer.android.com/about/versions/12/behavior-changes-12#exact-alarm-permission
+Privacy,Android 15 Partial Screen Sharing,Android,Medium,android 15 partial screen sharing screen capture projection sensitive content flag,Screen sharing captures entire screen including sensitive app content behind notification,Use FLAG_SECURE for sensitive screens; leverage Android 15 partial screen sharing,window.addFlags(FLAG_SECURE); // sensitive screens excluded from capture and sharing,No FLAG_SECURE; banking screen captured during screen share; credentials visible,M2 - Insecure Data Storage,https://developer.android.com/about/versions/15
+Data Storage,Android ContentProvider SQL Injection,Android,High,android contentprovider sql injection query selection selectionargs parameterized,ContentProvider query() with concatenated selection string allows SQL injection,Use parameterized queries with selectionArgs; never concatenate user input into selection,query(uri selection: 'column = ?' selectionArgs: [userInput] sortOrder: null),query(uri selection: 'column = ' + userInput) // SQL injection via crafted input,M7 - Client Code Quality,https://developer.android.com/guide/topics/providers/content-provider-basics
+Platform,Android App Startup Security Init,Android,Medium,android app startup library initializer initialization security provider order dependency,App Startup initializers run before Application.onCreate; security init order matters,Ensure security provider updated first; order initializers by dependency; validate init success,Initializer: SecurityProviderInitializer first; then EncryptionInitializer; validate order,Analytics init before security provider update; crash on old security provider; vulnerable window,M1 - Improper Platform Usage,https://developer.android.com/topic/libraries/app-startup
+Platform,Android Security Provider GMS Update,Android,Critical,android security provider gms google play services update providerinstaller tls vulnerability,Outdated security provider leaves devices vulnerable to TLS exploits; must update at startup,Call ProviderInstaller.installIfNeeded() at app startup; handle failures gracefully,ProviderInstaller.installIfNeededAsync(context callback) // updates security provider on launch,No provider update; old OpenSSL with known CVEs; TLS 1.0 fallback on older devices,M8 - Security Misconfiguration,https://developer.android.com/privacy-and-security/security-gms-provider
+Network,Android Network Security Callback,Android,Medium,android connectivitymanager network callback security vpn wifi cellular validation,Network changes (WiFi to cellular VPN disconnect) not handled; sensitive data sent over insecure network,Register NetworkCallback; validate network security before transmitting; pause on untrusted,ConnectivityManager.registerNetworkCallback(request callback); pauseOnUntrustedNetwork(),Send banking data regardless of network state; no VPN validation; data over public WiFi,M3 - Insecure Communication,https://developer.android.com/training/monitoring-device-state/connectivity-status-type
+Authentication,Android Biometric Strength Classification,Android,High,android biometric strong weak class 3 class 2 cryptobject authentication strength,Using Class 2 (weak) biometric for security-critical operations like payments,Use Class 3 (strong) biometric with CryptoObject for crypto binding; reject weak biometric,BiometricPrompt with authenticators: BIOMETRIC_STRONG; CryptoObject(cipher) for payment,BiometricPrompt(authenticators: BIOMETRIC_WEAK) // no crypto binding; hookable; UI-only gate,M4 - Insecure Authentication,https://developer.android.com/training/sign-in/biometric-auth
+Cryptography,Android KeyGenParameterSpec Configuration,Android,High,android keygenparam keystore specification purpose algorithm padding digest timeout,KeyGenParameterSpec without proper constraints allows key misuse and weakens crypto,Set specific purposes; require user auth; set validity timeout; use StrongBox if available,KeyGenParameterSpec.Builder(alias PURPOSE_SIGN).setUserAuthenticationRequired(true).setIsStrongBoxBacked(true),KeyGenParameterSpec.Builder(alias PURPOSE_ENCRYPT|PURPOSE_DECRYPT|SIGN|VERIFY) // overly broad,M5 - Insufficient Cryptography,https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder
+Platform,Android Integrity Verdict Caching Strategy,Android,Medium,android play integrity api verdict caching freshness token replay prevention,Integrity verdicts cached too long become stale; too short causes performance issues,Cache verdict appropriately; re-request for sensitive operations; validate nonce server-side,IntegrityManager: cache device verdict 4h; re-request for payment; server validates nonce,Cache integrity verdict forever; stale device status; or request every API call causing latency,M8 - Code Tampering,https://developer.android.com/google/play/integrity
+Platform,Android WorkManager Security Constraints,Android,Medium,android workmanager background work constraints encrypted data periodic security,WorkManager processing sensitive data in background without constraints or encryption,Use constraints for network type; encrypt work data; use expedited work for time-sensitive,WorkRequest: setConstraints(networkType: CONNECTED); encrypt inputData; expedited for auth,WorkManager processes auth tokens in background; no network constraint; data unencrypted,M2 - Insecure Data Storage,https://developer.android.com/topic/libraries/architecture/workmanager
+Code,Android WebView JavaScript Interface Security,Android,Critical,android webview javascript interface addjavascriptinterface xss injection bridge,addJavascriptInterface exposes native methods to JS; XSS in WebView calls native code,Restrict to @JavascriptInterface annotated methods; validate all inputs; sanitize URLs,@JavascriptInterface with input validation; WebView loadUrl only trusted URLs; CSP,addJavascriptInterface(object 'bridge') // all public methods exposed; XSS calls native,M1 - Improper Platform Usage,https://developer.android.com/reference/android/webkit/WebView
+Authentication,iOS SFSafariViewController Auth Security,iOS,High,sfsafariviewcontroller aswebauthenticationsession wkwebview oauth login browser cookie session,Using WKWebView for OAuth leaks cookies to app and is hookable; SFSafariViewController/ASWebAuthenticationSession runs in separate process,Use ASWebAuthenticationSession for OAuth flows; never embed login in WKWebView; system browser isolates cookies from app,ASWebAuthenticationSession(url: authURL callbackURLScheme: scheme) { callback in handleToken(callback) },WKWebView loading OAuth login page; app has cookie access; attacker hooks webView to steal tokens,M4 - Insecure Authentication,https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession
+Authentication,Deepfake Biometric Liveness Detection,All,Critical,deepfake biometric liveness detection presentation attack spoofing face fingerprint ai synthetic media,Biometric authentication without liveness detection (PAD) spoofed by AI deepfakes photos or 3D-printed fingerprints,Implement presentation attack detection; use platform liveness APIs; combine with device attestation; reject passive captures,BiometricPrompt with BIOMETRIC_STRONG (Class 3); iOS LAContext with .biometryCurrentSet; server-side liveness challenge,Simple camera capture for face auth; no liveness check; 2D photo or deepfake video bypasses authentication,M4 - Insecure Authentication,https://pages.nist.gov/SOFA/
+API,GraphQL Mobile API Security,All,High,graphql api security introspection query depth batching denial of service mobile client,GraphQL introspection enabled in production exposes schema; unbounded query depth causes DoS; batching allows credential stuffing,Disable introspection in production; set query depth limit; restrict query complexity; limit batch size; implement persisted queries,GraphQL: introspection(false); depthLimit(10); complexityLimit(1000); batchLimit(5); persistedQueriesOnly(production),GraphQL introspection enabled; no depth limit; unlimited batching; full schema exposed; nested query DoS,M3 - Insecure Communication,https://owasp.org/API-Security/
+Network,gRPC Mobile Channel Security,All,High,grpc mobile channel credentials tls certificate proto definition exposure reflection service,gRPC channels without TLS or with reflection service enabled expose proto definitions and allow unauthorized calls,Use TLS for all gRPC channels; disable reflection in production; implement per-RPC auth; validate proto messages,ManagedChannelBuilder.forAddress(host port).useTransportSecurity(); disable ServerReflection; interceptor(authInterceptor),ManagedChannelBuilder.forAddress(host port).usePlaintext(); ServerReflection enabled; no auth interceptor,M3 - Insecure Communication,https://grpc.io/docs/guides/auth/
+Network,DNS-over-HTTPS Mobile Configuration,All,Medium,dns doh dot dns-over-https dns-over-tls privacy leak query plaintext resolver,Plaintext DNS queries leak visited domains to network observers; ISP and public WiFi can monitor all DNS lookups,Configure DNS-over-HTTPS or DNS-over-TLS; use platform native DoH support; Android 9+ Private DNS; iOS 14+ NEDNSSettingsManager,Android: network_security_config cleartextTrafficPermitted=false + Private DNS; iOS: NEDNSSettingsManager with .https protocol,Default DNS resolver over plaintext; all domain queries visible to network; ISP logs all visited domains,M3 - Insecure Communication,https://developer.android.com/privacy-and-security/security-config