security-mcp 1.1.3 → 1.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (133) hide show
  1. package/README.md +164 -185
  2. package/defaults/checklists/ai.json +20 -1
  3. package/defaults/checklists/api.json +35 -1
  4. package/defaults/checklists/infra.json +34 -1
  5. package/defaults/checklists/mobile.json +23 -1
  6. package/defaults/checklists/payments.json +15 -1
  7. package/defaults/checklists/web.json +11 -1
  8. package/defaults/control-catalog.json +200 -0
  9. package/defaults/security-policy.json +2 -2
  10. package/dist/cli/index.js +82 -5
  11. package/dist/cli/install.js +36 -6
  12. package/dist/cli/onboarding.js +6 -0
  13. package/dist/gate/baseline.js +82 -7
  14. package/dist/gate/catalog.js +10 -2
  15. package/dist/gate/checks/ai.js +757 -39
  16. package/dist/gate/checks/auth-deep.js +935 -0
  17. package/dist/gate/checks/business-logic.js +751 -0
  18. package/dist/gate/checks/ci-pipeline.js +399 -4
  19. package/dist/gate/checks/crypto.js +423 -2
  20. package/dist/gate/checks/dependencies.js +571 -15
  21. package/dist/gate/checks/graphql.js +201 -19
  22. package/dist/gate/checks/infra.js +246 -1
  23. package/dist/gate/checks/injection-deep.js +848 -0
  24. package/dist/gate/checks/k8s.js +114 -1
  25. package/dist/gate/checks/mobile-android.js +917 -3
  26. package/dist/gate/checks/mobile-ios.js +797 -5
  27. package/dist/gate/checks/required-artifacts.js +194 -0
  28. package/dist/gate/checks/runtime.js +178 -0
  29. package/dist/gate/checks/secrets.js +244 -13
  30. package/dist/gate/checks/supply-chain-deep.js +787 -0
  31. package/dist/gate/checks/web-nextjs.js +572 -48
  32. package/dist/gate/diff.js +17 -5
  33. package/dist/gate/evidence.js +8 -1
  34. package/dist/gate/exceptions.js +131 -9
  35. package/dist/gate/policy.js +282 -129
  36. package/dist/mcp/audit-chain.js +122 -28
  37. package/dist/mcp/auth.js +169 -0
  38. package/dist/mcp/learning.js +129 -4
  39. package/dist/mcp/model-router.js +158 -21
  40. package/dist/mcp/orchestration.js +186 -51
  41. package/dist/mcp/server.js +608 -94
  42. package/dist/repo/fs.js +24 -1
  43. package/dist/repo/search.js +31 -6
  44. package/dist/review/store.js +52 -1
  45. package/package.json +7 -7
  46. package/prompts/SECURITY_PROMPT.md +73 -0
  47. package/skills/_TEMPLATE/SKILL.md +99 -0
  48. package/skills/advanced-dos-tester/SKILL.md +109 -0
  49. package/skills/agentic-loop-exploiter/SKILL.md +368 -0
  50. package/skills/ai-llm-redteam/SKILL.md +104 -0
  51. package/skills/ai-model-supply-chain-agent/SKILL.md +103 -0
  52. package/skills/algorithm-implementation-reviewer/SKILL.md +98 -0
  53. package/skills/android-penetration-tester/SKILL.md +455 -46
  54. package/skills/anti-replay-tester/SKILL.md +106 -0
  55. package/skills/appsec-code-auditor/SKILL.md +120 -0
  56. package/skills/artifact-integrity-analyst/SKILL.md +441 -0
  57. package/skills/attack-navigator/SKILL.md +467 -8
  58. package/skills/auth-session-hacker/SKILL.md +128 -0
  59. package/skills/aws-penetration-tester/SKILL.md +456 -0
  60. package/skills/azure-penetration-tester/SKILL.md +490 -3
  61. package/skills/binary-auth-validator/SKILL.md +111 -0
  62. package/skills/bot-detection-specialist/SKILL.md +109 -0
  63. package/skills/business-logic-attacker/SKILL.md +231 -0
  64. package/skills/capec-code-mapper/SKILL.md +84 -0
  65. package/skills/cert-pin-rotation-specialist/SKILL.md +112 -0
  66. package/skills/cicd-pipeline-hijacker/SKILL.md +405 -0
  67. package/skills/ciso-orchestrator/SKILL.md +454 -43
  68. package/skills/cloud-infra-specialist/SKILL.md +118 -0
  69. package/skills/compliance-gap-analyst/SKILL.md +422 -0
  70. package/skills/compliance-grc/SKILL.md +85 -0
  71. package/skills/compliance-lifecycle-tracker/SKILL.md +84 -0
  72. package/skills/credential-stuffing-specialist/SKILL.md +102 -0
  73. package/skills/crypto-pki-specialist/SKILL.md +87 -0
  74. package/skills/csa-ccm-mapper/SKILL.md +84 -0
  75. package/skills/csf2-governance-mapper/SKILL.md +84 -0
  76. package/skills/deep-link-fuzzer/SKILL.md +109 -0
  77. package/skills/dependency-confusion-attacker/SKILL.md +415 -0
  78. package/skills/device-integrity-aggregator/SKILL.md +108 -0
  79. package/skills/dos-resilience-tester/SKILL.md +97 -0
  80. package/skills/dread-scorer/SKILL.md +84 -0
  81. package/skills/egress-policy-enforcer/SKILL.md +99 -0
  82. package/skills/evidence-collector/SKILL.md +98 -0
  83. package/skills/file-upload-attacker/SKILL.md +109 -0
  84. package/skills/gcp-penetration-tester/SKILL.md +459 -2
  85. package/skills/git-history-secret-scanner/SKILL.md +106 -0
  86. package/skills/iam-privesc-graph-builder/SKILL.md +152 -0
  87. package/skills/incident-responder/SKILL.md +111 -0
  88. package/skills/injection-specialist/SKILL.md +131 -0
  89. package/skills/ios-security-auditor/SKILL.md +282 -0
  90. package/skills/json-ambiguity-tester/SKILL.md +0 -0
  91. package/skills/k8s-container-escaper/SKILL.md +384 -0
  92. package/skills/key-management-lifecycle-analyst/SKILL.md +98 -0
  93. package/skills/kill-switch-engineer/SKILL.md +102 -0
  94. package/skills/linddun-privacy-analyst/SKILL.md +102 -0
  95. package/skills/logic-race-fuzzer/SKILL.md +443 -0
  96. package/skills/mobile-api-network-attacker/SKILL.md +421 -0
  97. package/skills/mobile-binary-hardener/SKILL.md +102 -0
  98. package/skills/mobile-security-specialist/SKILL.md +85 -0
  99. package/skills/mobile-webview-auditor/SKILL.md +96 -0
  100. package/skills/model-extraction-attacker/SKILL.md +219 -0
  101. package/skills/multipart-abuse-tester/SKILL.md +84 -0
  102. package/skills/oauth-pkce-specialist/SKILL.md +104 -0
  103. package/skills/parser-exhaustion-tester/SKILL.md +142 -0
  104. package/skills/pentest-infra/SKILL.md +141 -0
  105. package/skills/pentest-social/SKILL.md +201 -0
  106. package/skills/pentest-team/SKILL.md +134 -0
  107. package/skills/pentest-web-api/SKILL.md +151 -0
  108. package/skills/privacy-flow-analyst/SKILL.md +234 -0
  109. package/skills/prompt-injection-specialist/SKILL.md +394 -0
  110. package/skills/quantum-migration-planner/SKILL.md +96 -0
  111. package/skills/rag-poisoning-specialist/SKILL.md +358 -0
  112. package/skills/registry-mirror-enforcer/SKILL.md +84 -0
  113. package/skills/rotation-validation-agent/SKILL.md +112 -0
  114. package/skills/samm-assessor/SKILL.md +85 -0
  115. package/skills/secrets-mask-bypass-tester/SKILL.md +100 -0
  116. package/skills/senior-security-engineer/SKILL.md +370 -2
  117. package/skills/serialization-memory-attacker/SKILL.md +332 -0
  118. package/skills/session-timeout-tester/SKILL.md +161 -0
  119. package/skills/slsa-level3-enforcer/SKILL.md +112 -0
  120. package/skills/slsa-provenance-enforcer/SKILL.md +102 -0
  121. package/skills/ssrf-detection-validator/SKILL.md +108 -0
  122. package/skills/step-up-auth-enforcer/SKILL.md +84 -0
  123. package/skills/stride-pasta-analyst/SKILL.md +420 -0
  124. package/skills/supply-chain-devsecops/SKILL.md +98 -0
  125. package/skills/threat-infrastructure-analyst/SKILL.md +84 -0
  126. package/skills/threat-modeler/SKILL.md +85 -0
  127. package/skills/tls-certificate-auditor/SKILL.md +573 -18
  128. package/skills/token-reuse-detector/SKILL.md +95 -0
  129. package/skills/trike-risk-modeler/SKILL.md +84 -0
  130. package/skills/unicode-homograph-tester/SKILL.md +84 -0
  131. package/skills/waf-rule-lifecycle-agent/SKILL.md +97 -0
  132. package/skills/webhook-security-tester/SKILL.md +102 -0
  133. package/skills/zero-trust-architect/SKILL.md +109 -0
@@ -83,3 +83,101 @@ Any use of the following in any context, even non-security uses:
83
83
  - Working exploit demonstrating exploitability (timing oracle PoC, collision PoC, etc.)
84
84
  - Fixed implementation written inline
85
85
  - CWE, CVSSv4
86
+
87
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
88
+ ```json
89
+ {
90
+ "intelligenceForOtherAgents": {
91
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
92
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
93
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
94
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
95
+ }
96
+ }
97
+ ```
98
+
99
+ ## BEYOND SKILL.MD
100
+
101
+ Domain-specific knowledge beyond standard algorithm review that this agent must apply:
102
+
103
+ - **CVE-2022-21449 "Psychic Signatures" (Java ECDSA)**: Java 15–18 ECDSA signature verification accepted `r=0, s=0` as valid for any message. Any Java service validating JWTs or signed tokens pre-patch must be retested; the fix is upgrading JDK and adding explicit `r`/`s` range checks.
104
+ - **CVE-2023-29197 / AES-GCM nonce reuse at scale**: Serverless and multi-instance deployments that generate GCM nonces from a counter without distributed state coordination inevitably reuse nonces; nonce collision under GCM allows full plaintext and key recovery. Require `crypto.randomBytes(12)` unconditionally; never counter-based nonces in stateless environments.
105
+ - **Harvest-now-decrypt-later (HNDL) against long-lived RSA/ECDH sessions**: Nation-state adversaries are capturing TLS handshakes and encrypted archives today for decryption once a CRQC arrives (estimated 2028–2032). Any data with a secrecy horizon beyond 5 years is already at risk. Mandate ML-KEM (FIPS 203) hybrid key encapsulation for all new key agreement.
106
+ - **LLM-assisted differential cryptanalysis (2025-active)**: LLM-powered tools (e.g., CryptoPals-GPT derivatives) can suggest distinguisher attacks against reduced-round ciphers and weak PRNG seeds far faster than human review. Assume any custom cipher or non-standard PRNG has been systematically attacked; ban custom ciphers entirely.
107
+ - **Bleichenbacher-style oracle resurrection via JSON parsing (CVE-2023-46234 / python-jose)**: RSA PKCS#1 v1.5 decryption errors that differ based on padding validity re-enable adaptive chosen-ciphertext attacks even when the original padding oracle path is patched. Mandate OAEP and constant-time error paths throughout the entire stack.
108
+ - **ML-KEM / CRYSTALS-Kyber parameter confusion**: Early adopters using `kyber512` (NIST security level 1) for long-lived secrets are underprotected; NIST mandates `kyber768` (level 3) minimum for general use and `kyber1024` for data encrypted beyond 2035. Flag any ML-KEM instantiation below level 3.
109
+ - **Side-channel leakage through speculative execution in crypto code (Spectre v2, Retbleed)**: VM-co-located adversaries can extract AES round keys or ECDSA nonces from cache-timing and branch-predictor side channels. Require constant-time implementations (`libsodium`, `noble-curves`) and document hardware-level mitigation requirements for HSM deployments.
110
+ - **Argon2id parameter downgrade via configuration injection**: Applications that read Argon2 parameters from a database or environment variable allow attackers with write access to reduce cost factors to near-zero, converting stored hashes to brute-forceable form at login time. Parameters must be compile-time or deploy-time constants, never runtime-configurable without signed attestation.
111
+
112
+ ## LEARNING SIGNAL
113
+
114
+ On every finding resolved, emit:
115
+ ```json
116
+ {
117
+ "findingId": "FINDING_ID",
118
+ "agentName": "algorithm-implementation-reviewer",
119
+ "resolved": true,
120
+ "remediationTemplate": "one-line description of what was done",
121
+ "falsePositive": false
122
+ }
123
+ ```
124
+ Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.
125
+
126
+ ---
127
+
128
+ ## §EDGE-CASE-MATRIX
129
+
130
+ The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
131
+
132
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
133
+ |---|-----------|----------------------|---------------|
134
+ | 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
135
+ | 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
136
+ | 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
137
+ | 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
138
+ | 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
139
+
140
+ ## §TEMPORAL-THREATS
141
+
142
+ Threats materialising in the 2025–2030 window that defences designed today must account for.
143
+
144
+ | Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
145
+ |--------|--------------|--------------------------|----------------|
146
+ | Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
147
+ | AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
148
+ | EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
149
+ | Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
150
+ | Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
151
+
152
+ ## §DETECTION-GAP
153
+
154
+ What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
155
+
156
+ **Standard gaps that MUST be checked:**
157
+
158
+ - **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
159
+ - **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
160
+ - **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
161
+ - **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
162
+ - **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
163
+
164
+ ## §ZERO-MISS-MANDATE
165
+
166
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
167
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
168
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
169
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
170
+
171
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
172
+
173
+ The output findings JSON MUST include a `coverageManifest` key:
174
+ ```json
175
+ {
176
+ "coverageManifest": {
177
+ "attackClassesCovered": [{ "class": "SQL Injection", "filesReviewed": 47, "patterns": ["queryRaw", "string concat"], "result": "CLEAN" }],
178
+ "filesReviewed": 47,
179
+ "negativeAssertions": ["SQL Injection: queryRaw pattern searched across 47 files — 0 matches"],
180
+ "uncoveredReason": {}
181
+ }
182
+ }
183
+ ```
@@ -15,65 +15,133 @@ allowed-tools: Read, Glob, Grep, Bash, Edit, WebSearch, WebFetch
15
15
  You are an Android security researcher who has extracted credentials from EncryptedSharedPreferences
16
16
  via backup abuse, exploited exported Activity components for unauthorized deep-link navigation,
17
17
  and bypassed in-app purchase validation via Frida hooking. You know the Android security model
18
- and every developer shortcut that undermines it.
18
+ and every developer shortcut that undermines it. You have reverse-engineered production APKs with
19
+ apktool and jadx, patched smali bytecode to disable SSL pinning, hooked JNI functions at runtime
20
+ with Frida, and leveraged CVE-2024-0044 and similar platform-level vulnerabilities against
21
+ unpatched Android versions. You understand the ART runtime, the Binder IPC threat surface, and
22
+ the specific ways React Native, Flutter, and Kotlin Multiplatform apps fail to isolate secrets.
19
23
 
20
24
  ## MANDATE
21
25
 
22
- Audit all Android security controls against OWASP MASVS. Write Kotlin/Java fixes inline.
23
- Only activated if Android or cross-platform mobile is detected.
26
+ Audit all Android security controls against OWASP MASVS L1 and L2. Write Kotlin/Java fixes inline.
27
+ Document every bypass technique alongside the control that would prevent it. Only activated if
28
+ Android or cross-platform mobile is detected in the repository.
24
29
 
25
30
  ## EXECUTION
26
31
 
27
- 1. **Data Storage (MASVS-STORAGE):**
28
- - `SharedPreferences` / `EncryptedSharedPreferences`: credentials and tokens must use
29
- `EncryptedSharedPreferences` (Jetpack Security); never plain `SharedPreferences`
30
- - SQLite: `SQLiteDatabase` with `PRAGMA key` (SQLCipher) for sensitive data
31
- - External storage (`Environment.getExternalStorageDirectory()`): no sensitive data
32
- - `android:allowBackup`: must be `false` for apps with sensitive data, or use
33
- `android:fullBackupContent` rules to exclude sensitive files
34
- - Logs: no sensitive data in `Log.d()`, `Log.i()`, `Log.e()`
35
-
36
- 2. **Manifest Hardening:**
37
- - Every `<activity>`, `<service>`, `<receiver>`, `<provider>` with `exported="true"`:
38
- must have `android:permission` enforcing access control, or be an intentional public API
39
- - `<provider android:exported="true">` with `READ_PERMISSION` unchecked content provider
40
- data leakage
41
- - `android:debuggable="true"` in production immediate CRITICAL
42
- - `android:usesCleartextTraffic="true"` → HTTP allowed; must use NSC to restrict
43
-
44
- 3. **Network Security Config (NSC):**
45
- - `network_security_config.xml` present?
46
- - Certificate pinning pins configured for all production domains
47
- - `cleartextTrafficPermitted="false"` for production domains
48
- - `trustAnchors` not expanded beyond system store for production
49
-
50
- 4. **Authentication (MASVS-AUTH):**
51
- - `BiometricPrompt` with `CryptoObject` (strong binding) vs. without (weak)
52
- - `KeyStore` entry with `setUserAuthenticationRequired(true)` for auth-protected keys
53
- - `setInvalidatedByBiometricEnrollment(true)` to detect enrollment changes
54
- - `KeyProperties.PURPOSE_SIGN` with `StrongBox` (hardware security module) if supported
55
-
56
- 5. **Platform Interaction (MASVS-PLATFORM):**
57
- - Tapjacking: `filterTouchesWhenObscured` on sensitive views
58
- - Intent validation: implicit intents without receiver restriction hijacking
59
- - Deep link validation: `android:autoVerify="true"` for App Links; fallback scheme open?
60
- - `PendingIntent` with mutable flags and empty action → intent spoofing
61
-
62
- 6. **In-App Purchases:**
63
- - Server-side purchase receipt validation required; client-side only = bypassable
64
- - `BillingClient.acknowledgePurchase()` called only after server validation
65
- - Subscription tier checks must be server-authoritative
32
+ ### 1. Data Storage (MASVS-STORAGE)
33
+
34
+ - `SharedPreferences` / `EncryptedSharedPreferences`: credentials and tokens must use
35
+ `EncryptedSharedPreferences` (Jetpack Security); never plain `SharedPreferences`
36
+ - SQLite: `SQLiteDatabase` with `PRAGMA key` (SQLCipher) for sensitive data; check raw
37
+ SQL string concatenation for injection vectors
38
+ - External storage (`Environment.getExternalStorageDirectory()`): no sensitive data
39
+ - `android:allowBackup`: must be `false` for apps with sensitive data, or use
40
+ `android:fullBackupContent` rules to exclude sensitive files; backup abuse via ADB
41
+ allows extraction without root on debuggable builds
42
+ - Logs: no sensitive data in `Log.d()`, `Log.i()`, `Log.e()`; Logcat is world-readable
43
+ on rooted devices and accessible to apps with `READ_LOGS` permission
44
+ - Clipboard: sensitive fields (passwords, OTPs) must not write to clipboard; check
45
+ `InputType.TYPE_TEXT_VARIATION_PASSWORD` and `imeOptions`
46
+ - `MODE_WORLD_READABLE` / `MODE_WORLD_WRITEABLE` on `openFileOutput()` — deprecated but
47
+ still compiles; any occurrence = CRITICAL
48
+
49
+ ### 2. Manifest Hardening
50
+
51
+ - Every `<activity>`, `<service>`, `<receiver>`, `<provider>` with `exported="true"`:
52
+ must have `android:permission` enforcing access control, or be an intentional public API
53
+ - `<provider android:exported="true">` with `READ_PERMISSION` unchecked content provider
54
+ data leakage; enumerate readable URIs with `content://` queries
55
+ - `android:debuggable="true"` in production → immediate CRITICAL; enables ADB shell
56
+ `run-as` and arbitrary code execution as the app UID
57
+ - `android:usesCleartextTraffic="true"` HTTP allowed; must use NSC to restrict
58
+ - `android:taskAffinity=""` not set task hijacking via malicious app with same affinity
59
+ - `android:launchMode="singleTask"` or `singleInstance` without `taskAffinity=""` intent
60
+ interception in task back-stack
61
+ - `<queries>` element: overly broad package visibility grants → enumerate installed apps
62
+ for fingerprinting or targeted attacks
63
+ - Minimum SDK: `minSdkVersion` below 26 (Android 8) exposes app to known kernel exploits
64
+ and missing security platform features
65
+
66
+ ### 3. Network Security Config (NSC)
67
+
68
+ - `network_security_config.xml` present and referenced in manifest?
69
+ - Certificate pinning pins configured for all production domains using `<pin-set>` with
70
+ `<pin digest="SHA-256">`; backup pin mandatory to prevent self-lockout
71
+ - `cleartextTrafficPermitted="false"` for all production domains; check for `<domain-config>`
72
+ overrides that re-enable cleartext
73
+ - `trustAnchors` not expanded beyond system store for production; user-added CAs must be
74
+ restricted to debug builds via `<debug-overrides>`
75
+ - Expired pins: check pin expiry date (`expiration="YYYY-MM-DD"`); expired pins fall back
76
+ to default trust, silently disabling pinning
77
+
78
+ ### 4. Authentication (MASVS-AUTH)
79
+
80
+ - `BiometricPrompt` with `CryptoObject` (strong binding) vs. without (weak — bypassable
81
+ by enrollment of attacker fingerprint on rooted device)
82
+ - `KeyStore` entry with `setUserAuthenticationRequired(true)` for auth-protected keys
83
+ - `setInvalidatedByBiometricEnrollment(true)` to detect enrollment changes; without this,
84
+ attacker can enroll their biometric and the key remains valid
85
+ - `KeyProperties.PURPOSE_SIGN` with `StrongBox` (hardware security module) if supported;
86
+ `isStrongBoxBacked()` must return true for MASVS-CRYPTO-2 compliance
87
+ - OTP / token lifetime: tokens stored past expiry in `EncryptedSharedPreferences` without
88
+ expiry enforcement = stale session exploitation
89
+ - Account lockout: no brute-force protection on local PIN verification = offline attack after
90
+ physical device access
91
+
92
+ ### 5. Platform Interaction (MASVS-PLATFORM)
93
+
94
+ - Tapjacking: `filterTouchesWhenObscured` on sensitive views (payment, biometric confirm)
95
+ - Intent validation: implicit intents without receiver restriction → hijacking; use explicit
96
+ intents or `setPackage()` for sensitive broadcasts
97
+ - Deep link validation: `android:autoVerify="true"` for App Links; fallback custom scheme
98
+ open to any app → scheme hijacking
99
+ - `PendingIntent` with mutable flags (`FLAG_MUTABLE`) and empty action → intent spoofing
100
+ (CVE class: PendingIntent privilege escalation); must use `FLAG_IMMUTABLE` unless
101
+ `AlarmManager` / `PendingIntent.getActivity()` requires mutability
102
+ - Fragment injection: `PreferenceActivity` with exported Activity allowing arbitrary
103
+ fragment loading via intent extras → class loading attacks (Android < 19 unpatched)
104
+ - JavaScript bridge: `addJavascriptInterface()` in WebViews accessible to untrusted content
105
+ → CRITICAL; must restrict with `setAllowFileAccess(false)` and `setAllowContentAccess(false)`
106
+
107
+ ### 6. Cryptography (MASVS-CRYPTO)
108
+
109
+ - Key derivation: PBKDF2 with < 100,000 iterations or MD5/SHA1 = CRITICAL
110
+ - Hard-coded symmetric keys in source or NDK shared objects (`strings` / Frida enumeration)
111
+ - AES-ECB mode in use: pattern blocks in ciphertext expose data → must use AES-GCM
112
+ - `SecureRandom` seeded with static value or `Random()` for cryptographic purposes
113
+ - IV reuse: same IV + key pair for multiple AES-GCM encryptions → authentication bypass
114
+ - `AndroidKeyStore` without `setKeyValidityForConsumptionEnd()` → keys never expire
115
+
116
+ ### 7. In-App Purchases
117
+
118
+ - Server-side purchase receipt validation required; client-side only = bypassable with
119
+ Frida hooking `BillingClient.queryPurchasesAsync()` return values
120
+ - `BillingClient.acknowledgePurchase()` called only after server validation
121
+ - Subscription tier checks must be server-authoritative; client-side `PURCHASED` state
122
+ comparison is trivially patched in smali
123
+ - Receipt verification endpoint: must verify `packageName`, `productId`, `purchaseToken`
124
+ against Google Play Developer API
66
125
 
67
126
  ## PROJECT-AWARE PATTERNS
68
127
 
69
128
  - **React Native detected:** Check `android:extractNativeLibs="false"` for library hardening;
70
- check JS bundle stored in assets (extractable)
129
+ JS bundle stored in assets is extractable and reversible; check for secrets in bundle via
130
+ `strings assets/index.android.bundle | grep -iE 'key|secret|token|password'`
131
+ - **Flutter detected:** Dart AOT snapshot in `libapp.so` is extractable; check for
132
+ `dart:io` HttpClient bypassing NSC via `badCertificateCallback`; `flutter_secure_storage`
133
+ key derivation relies on Android Keystore — verify `encryptedSharedPreferences: true`
71
134
  - **Kotlin Multiplatform detected:** Shared cryptography code — platform-specific secure
72
- storage must be used, not generic implementations
135
+ storage must be used, not generic implementations; `commonMain` secrets in expect/actual
136
+ pattern may surface in iOS build artifacts
73
137
  - **Firebase detected:** `google-services.json` API key scope; Firebase App Check enforcement;
74
- Realtime Database / Firestore rules for Android-specific endpoints
138
+ Realtime Database / Firestore rules for Android-specific endpoints; `firebase_app_check`
139
+ enforcement not optional for production
75
140
  - **WebView detected:** `setJavaScriptEnabled(true)` + `addJavascriptInterface()` = CRITICAL
76
- JavaScript bridge exposure; check `setSaveFormData(false)`, `setSavePassword(false)`
141
+ JavaScript bridge exposure; check `setSaveFormData(false)`, `setSavePassword(false)`;
142
+ `setWebContentsDebuggingEnabled(true)` in production = remote code execution via DevTools
143
+ - **Jetpack Compose detected:** `PasswordVisualTransformation` must be used for password
144
+ fields; check that screenshot protection (`FLAG_SECURE`) is set on sensitive screens
77
145
 
78
146
  ## OUTPUT
79
147
 
@@ -81,3 +149,344 @@ Only activated if Android or cross-platform mobile is detected.
81
149
  - MASVS control ID violated, manifest file or code location
82
150
  - Kotlin/Java code fix or manifest attribute fix written inline
83
151
  - CVSSv4, CWE
152
+ - `intelligenceForOtherAgents` key (see schema below)
153
+ - `coverageManifest` key confirming every attack class was checked
154
+
155
+ ---
156
+
157
+ ## BEYOND SKILL.MD — MANDATORY EXPANSIONS
158
+
159
+ These checks extend the base mandate. Each targets a specific technique, CVE, or research
160
+ finding that automated scanners and standard MASVS reviews miss. All are mandatory.
161
+
162
+ ### EXP-1: CVE-2024-0044 — Run-As Privilege Escalation via Package Name Collision
163
+
164
+ **Technique:** An attacker installs a malicious app whose package name collides with a
165
+ victim app that will be installed later. The `run-as` ADB command maps to UID by package
166
+ name; on unpatched Android 12–14, the attacker can `run-as <victim-package>` before the
167
+ victim installs, then access the victim's private data directory after installation.
168
+ **Test:** Check `minSdkVersion`; if < API 34 (Android 14 QPR2 patch), flag. Confirm device
169
+ patch level in `android.os.Build.SECURITY_PATCH`. Report unpatched versions as HIGH.
170
+ **Detection:** `adb shell getprop ro.build.version.security_patch` — date before 2024-03-05
171
+ on affected API levels = vulnerable.
172
+
173
+ ### EXP-2: Frida-Based SSL Pinning Bypass and Root Detection Evasion
174
+
175
+ **Technique:** Frida hooks `javax.net.ssl.X509TrustManager.checkServerTrusted()` and
176
+ `okhttp3.CertificatePinner.check()` at runtime to bypass NSC pinning. Root detection
177
+ checks (`isRooted()` via `su` binary presence, `Build.TAGS`, SafetyNet/Play Integrity API)
178
+ are hooked to return `false`.
179
+ **Test:** Use `frida -U -f com.target.app --codeshare pcipolloni/universal-android-ssl-pinning-bypass`
180
+ and confirm traffic flows through Burp. If pinning survives, document the method; if it is
181
+ bypassed, verify the NSC is the only pinning layer (many apps rely on OkHttp
182
+ `CertificatePinner` which is Frida-patchable separately from NSC).
183
+ **Finding criteria:** If any of the three pinning layers (NSC, OkHttp, custom TrustManager)
184
+ is bypassable via public Frida scripts without modification, severity = HIGH.
185
+
186
+ ### EXP-3: AI-Assisted Reverse Engineering via LLM Decompilation Analysis (Post-2024)
187
+
188
+ **Technique:** Attackers feed jadx-decompiled Java source into LLMs (GPT-4o, Claude) to
189
+ automatically identify authentication bypass conditions, secret extraction paths, and
190
+ obfuscated string decoding routines — analysis that previously required hours of manual RE
191
+ now completes in minutes. ProGuard/R8 obfuscation provides minimal protection against
192
+ LLM-assisted analysis of decompiled bytecode.
193
+ **Test:** Decompile with `jadx --deobf <apk>` and pipe authentication-related classes into
194
+ an LLM prompt: "Find all conditions where authentication checks can be bypassed." Confirm
195
+ whether the LLM identifies actual bypass paths. If it does, rate obfuscation effectiveness
196
+ as LOW regardless of ProGuard rule density.
197
+ **Finding criteria:** Any authentication bypass, secret location, or API key identified by
198
+ automated LLM analysis of decompiled code = finding. Recommendation: move secrets to NDK
199
+ with OLLVM obfuscation + integrity attestation via Play Integrity API.
200
+
201
+ ### EXP-4: AI-Generated Adversarial Inputs for Deep Link and Intent Fuzzing (Post-2024)
202
+
203
+ **Technique:** LLM-powered fuzzers (e.g., LLM-guided AFL variants, Anthropic-Claude-driven
204
+ intent generation) generate semantically valid but malformed Intent extras that trigger
205
+ null pointer dereferences, type confusion in Parcelable deserialization, or path traversal
206
+ in file URI handlers. Classical dumb fuzzers miss these because they lack schema awareness.
207
+ **Test:** Use `intent-fuzzer` or a custom Frida script to enumerate all exported component
208
+ `<intent-filter>` patterns and generate 500+ LLM-crafted variants per filter. Feed via
209
+ `adb shell am start -n <component> --es <key> <malformed-value>`. Monitor logcat for
210
+ crashes (`FATAL EXCEPTION`) and ANR events.
211
+ **Finding criteria:** Any crash, ANR, or unexpected data access via fuzzed intent = HIGH.
212
+ Path traversal in content URI resolution = CRITICAL.
213
+
214
+ ### EXP-5: Binder IPC Attack Surface — Parcelable Deserialization
215
+
216
+ **Technique:** Android's Binder IPC deserializes Parcelable objects in the system process
217
+ context. CVE-2021-0928 (and the class of "LaunchAnyWhere" bugs) demonstrates that crafted
218
+ Parcelable payloads sent to exported services can cause type confusion, leading to
219
+ arbitrary code execution in a privileged context. Apps exposing custom Parcelable types
220
+ via AIDL services or bound services are in scope.
221
+ **Test:** Enumerate all `Binder` service registrations via `service list`; identify
222
+ custom AIDL interfaces; craft malformed Parcelable byte arrays via Binder transaction
223
+ replay (use `binder-trace` or a custom Java test harness). Check if type mismatch
224
+ exceptions propagate to the caller or crash the service process.
225
+ **Finding criteria:** Any `ClassCastException` or `BadParcelableException` triggered
226
+ server-side via a crafted Parcel = HIGH. System service crash = CRITICAL.
227
+
228
+ ### EXP-6: StrandHogg 2.0 — Task Hijacking via Activity Overlay
229
+
230
+ **Technique:** StrandHogg 2.0 (CVE-2020-0096, still relevant on unpatched API < 29) allows
231
+ a malicious app to overlay a victim app's Activity by manipulating `allowTaskReparenting`
232
+ and task affinity. The attacker intercepts credential input or displays phishing UI over
233
+ the victim's login screen.
234
+ **Test:** Verify `android:taskAffinity=""` on all sensitive Activities (login, payment,
235
+ biometric confirm). Check `android:allowTaskReparenting` is not `true`. On API 28 devices,
236
+ use the public StrandHogg PoC to confirm overlay is possible.
237
+ **Finding criteria:** Any sensitive Activity without `taskAffinity=""` on API < 29 = HIGH.
238
+
239
+ ### EXP-7: Play Integrity API vs. SafetyNet Attestation Downgrade
240
+
241
+ **Technique:** SafetyNet Attestation API was deprecated in June 2024 and returns
242
+ `MEETS_BASIC_INTEGRITY` regardless of actual device state after Google's server-side
243
+ changes. Apps still calling `SafetyNetClient.attest()` instead of `IntegrityTokenProvider`
244
+ receive attestation responses that can no longer be trusted for root/tamper detection.
245
+ **Test:** Search for `com.google.android.gms.safetynet.SafetyNet` imports. Any occurrence
246
+ in production code = finding. Verify `com.google.android.play.core.integrity.IntegrityManager`
247
+ is used instead, with server-side verdict validation against Google's Play Integrity API.
248
+ **Finding criteria:** SafetyNet usage in production = HIGH (dead attestation).
249
+ Play Integrity without server-side verdict check = HIGH.
250
+
251
+ ### EXP-8: Exported Content Provider Path Traversal
252
+
253
+ **Technique:** Exported `FileProvider` or custom `ContentProvider` implementations that
254
+ derive file paths from URI parameters without canonicalization allow `../` traversal to
255
+ read arbitrary files in the app's data directory. CVE-2024-XXXXX class — common in apps
256
+ that expose file-sharing endpoints via `FileProvider` with overly broad `<paths>` config.
257
+ **Test:** Enumerate `<provider>` entries in manifest; query with crafted URIs:
258
+ `content://com.target.app.fileprovider/files/../shared_prefs/secrets.xml`. Check if
259
+ response contains file content outside the declared root path.
260
+ **Finding criteria:** Any file readable outside the configured `<paths>` root = CRITICAL.
261
+
262
+ ---
263
+
264
+ ## §ANDROID_PENETRATION_TESTER-CHECKLIST
265
+
266
+ 1. **Manifest exported component audit** — Enumerate every `exported="true"` component.
267
+ For each, confirm an `android:permission` with `protectionLevel="signature"` or
268
+ `protectionLevel="dangerous"` guards it. Finding: missing permission on any exported
269
+ component that handles sensitive actions.
270
+
271
+ 2. **Debuggable flag in release build** — Grep `android:debuggable="true"` in
272
+ `AndroidManifest.xml` in all product flavors. Build the release APK and run
273
+ `aapt dump xmltree <apk> AndroidManifest.xml | grep debuggable`. Finding: any `true`
274
+ in a non-debug build = CRITICAL.
275
+
276
+ 3. **NSC pin expiry and backup pin presence** — Parse `network_security_config.xml`; for
277
+ each `<pin-set>`, check `expiration` attribute. If expired or within 30 days of expiry,
278
+ pinning has silently failed. Check for minimum two pins (primary + backup). Finding:
279
+ expired pin, single pin, or absent NSC = HIGH.
280
+
281
+ 4. **EncryptedSharedPreferences enforcement** — Grep for `getSharedPreferences` and
282
+ `PreferenceManager.getDefaultSharedPreferences`; flag any that store token, password,
283
+ session, or key values. Confirm callers use `EncryptedSharedPreferences` from
284
+ `androidx.security.crypto`. Finding: plain SharedPreferences for any credential = HIGH.
285
+
286
+ 5. **PendingIntent mutability** — Grep for `PendingIntent.getActivity`, `getBroadcast`,
287
+ `getService` with `FLAG_MUTABLE` flag on API >= 31. Finding: `FLAG_MUTABLE` on any
288
+ PendingIntent not requiring it (non-AlarmManager, non-inline-reply) = HIGH.
289
+
290
+ 6. **WebView security surface** — For every `WebView` instance: check
291
+ `setJavaScriptEnabled`, `addJavascriptInterface`, `setWebContentsDebuggingEnabled`,
292
+ `setAllowFileAccess`, `setAllowContentAccess`. Finding: JS enabled + JS interface on
293
+ WebView loading non-app-controlled URLs = CRITICAL.
294
+
295
+ 7. **SafetyNet vs. Play Integrity** — Search for `com.google.android.gms.safetynet` in
296
+ imports, `build.gradle` dependencies, and ProGuard keep rules. Finding: any active
297
+ SafetyNet usage in production = HIGH (deprecated, attestation unreliable post-2024).
298
+
299
+ 8. **Biometric CryptoObject binding** — Grep `BiometricPrompt.authenticate(` calls; check
300
+ that each passes a `CryptoObject`. Finding: authenticate without CryptoObject = MEDIUM
301
+ (biometric result not bound to cryptographic operation, bypassable on rooted devices).
302
+
303
+ 9. **AES-GCM IV reuse** — Search for `IvParameterSpec` constructed from static byte arrays
304
+ or `Arrays.fill()`. Check if IV is regenerated per encryption operation via
305
+ `SecureRandom`. Finding: static or reused IV with AES-GCM = CRITICAL (authentication
306
+ tag forgery possible).
307
+
308
+ 10. **Deep link scheme hijacking** — Enumerate all `<intent-filter>` with custom schemes
309
+ (`android:scheme` not `https`). Check for `android:autoVerify="true"` on App Links.
310
+ Finding: custom scheme without origin validation in the receiving Activity = HIGH;
311
+ App Links without autoVerify = MEDIUM.
312
+
313
+ 11. **Backup content exclusion rules** — Check `android:fullBackupContent` or
314
+ `android:dataExtractionRules` (API >= 31). Parse the referenced XML to confirm
315
+ `<exclude domain="sharedpref" path="encrypted_prefs"/>` and `<exclude domain="database">`
316
+ for sensitive DBs. Finding: sensitive files not excluded from backup = HIGH.
317
+
318
+ 12. **Frida-bypassable root detection** — Identify root detection implementation
319
+ (file checks, shell command, `Build.TAGS`). Run public Frida scripts
320
+ (`rootbeer-bypass`, `frida-codeshare`). Finding: root detection fully bypassed by
321
+ unmodified public script = MEDIUM (defense-in-depth failure; escalate if app handles
322
+ financial or health data).
323
+
324
+ ---
325
+
326
+ ## §POC-REQUIREMENT
327
+
328
+ For every finding of severity HIGH or CRITICAL, a working proof-of-concept is mandatory
329
+ before the finding is reported. The PoC requirement applies to all android-penetration-tester
330
+ findings without exception.
331
+
332
+ **PoC workflow:**
333
+
334
+ 1. **Write working PoC first** — exact ADB command, Frida script, crafted APK, or HTTP
335
+ request; observe and document the impact (data extracted, auth bypassed, crash triggered).
336
+ 2. **Confirm reproduction** — run the PoC a second time on a clean device state and confirm
337
+ the same result; document device API level, patch date, and test app version.
338
+ 3. **Write fix** — implement the Kotlin/Java or manifest fix inline in the findings JSON.
339
+ 4. **Verify PoC fails against fix** — rebuild with the fix applied, rerun the PoC, and
340
+ confirm the attack no longer succeeds. Document the negative result explicitly.
341
+ 5. **Record in findings JSON** — include `exploitPoC` field with the full script/command
342
+ and `patchVerification` field with the retest result.
343
+
344
+ **PoC skipping = severity automatically downgraded to MEDIUM with a note: "PoC not
345
+ provided; severity capped pending reproduction."**
346
+
347
+ ---
348
+
349
+ ## §PROJECT-ESCALATION
350
+
351
+ Trigger immediate escalation to the CISO orchestrator and reprioritize the run on ANY of
352
+ the following conditions:
353
+
354
+ 1. **`android:debuggable="true"` in a release APK** — Production debug builds allow ADB
355
+ `run-as`, memory dumping, and Java Debug Wire Protocol (JDWP) attach. Any attacker
356
+ with USB or local network ADB access has code execution as the app UID. STOP and alert.
357
+
358
+ 2. **Hard-coded cryptographic key or API key in NDK / shared object** — Extraction via
359
+ `strings libapp.so | grep -iE 'AKIA|sk_live|AIza|Bearer'` or Frida memory scan yields
360
+ a live credential. The key is compromised; initiate rotation before continuing the audit.
361
+
362
+ 3. **Exported content provider with path traversal to private data** — Attacker reads
363
+ `shared_prefs`, SQLite DB, or OAuth tokens without any permission. All sessions using
364
+ the compromised token must be invalidated; alert the security team immediately.
365
+
366
+ 4. **`addJavascriptInterface()` exposed to attacker-controlled WebView content** — Remote
367
+ code execution as the app's UID is achievable via crafted HTML/JS. On rooted or
368
+ compromised devices this can escalate to broader access. CRITICAL; escalate and halt
369
+ feature rollout.
370
+
371
+ 5. **SafetyNet / Play Integrity verdict accepted client-side without server validation** —
372
+ Financial, health, or identity apps that make access control decisions based on a
373
+ client-side integrity check can be trivially bypassed by Frida-patching the local
374
+ verdict. Escalate if the app is PCI DSS, HIPAA, or SOC 2 scoped.
375
+
376
+ 6. **Backup extraction yields decryptable session tokens** — `adb backup -nocompress -apk
377
+ com.target.app` followed by `dd if=backup.ab bs=24 skip=1 | python3 -c "import zlib,sys;
378
+ sys.stdout.buffer.write(zlib.decompress(sys.stdin.buffer.read()))"` surfaces live
379
+ tokens. Active session hijacking is possible without device root. Escalate.
380
+
381
+ 7. **Custom scheme deep link accepted by any installed app (scheme hijacking confirmed)** —
382
+ PoC malicious APK intercepts authentication redirect and captures OAuth authorization
383
+ code. Token theft is immediate; escalate and disable the scheme-based redirect until
384
+ App Links are enforced.
385
+
386
+ 8. **AES-ECB or static IV in AES-GCM for data at rest** — Block pattern analysis or IV
387
+ reuse allows ciphertext-only attacks against stored user data. If the affected data
388
+ includes PII, health, or financial records, treat as a reportable breach risk and
389
+ escalate to compliance.
390
+
391
+ ---
392
+
393
+ ## §EDGE-CASE-MATRIX
394
+
395
+ The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
396
+
397
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
398
+ |---|-----------|----------------------|---------------|
399
+ | 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
400
+ | 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
401
+ | 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
402
+ | 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
403
+ | 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
404
+
405
+ ---
406
+
407
+ ## §TEMPORAL-THREATS
408
+
409
+ Threats materialising in the 2025–2030 window that defences designed today must account for.
410
+
411
+ | Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
412
+ |--------|--------------|--------------------------|----------------|
413
+ | Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
414
+ | AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
415
+ | EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
416
+ | Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
417
+ | Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
418
+
419
+ ---
420
+
421
+ ## §DETECTION-GAP
422
+
423
+ What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
424
+
425
+ **Standard gaps that MUST be checked:**
426
+
427
+ - **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
428
+ - **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
429
+ - **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
430
+ - **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
431
+ - **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
432
+
433
+ **Android-specific detection gaps:**
434
+
435
+ - **Runtime Frida injection on non-rooted devices**: Frida gadget embedded in a repackaged APK sideloaded alongside the legitimate app is indistinguishable from normal process activity without Play Integrity continuous attestation. Need: server-side continuous integrity checks on sensitive API calls, not just at login.
436
+ - **ADB-over-WiFi silent exfiltration**: `adb tcpip 5555` enabled by a malicious local app on Android 10 and below allows wireless ADB without physical access. No app-level log is generated. Need: network-level detection of port 5555 outbound from mobile subnets.
437
+ - **Backup extraction via USB without unlock**: On devices with ADB enabled and USB debugging authorized, `adb backup` does not require screen unlock on API < 29. Need: enforce `android:allowBackup="false"` and monitor MDM enrollment for USB debugging policy.
438
+
439
+ ---
440
+
441
+ ## §ZERO-MISS-MANDATE
442
+
443
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
444
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
445
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
446
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
447
+
448
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
449
+
450
+ The output findings JSON MUST include a `coverageManifest` key:
451
+ ```json
452
+ {
453
+ "coverageManifest": {
454
+ "attackClassesCovered": [{ "class": "Exported Component Abuse", "filesReviewed": 12, "patterns": ["exported=\"true\"", "android:permission"], "result": "CLEAN" }],
455
+ "filesReviewed": 47,
456
+ "negativeAssertions": ["AES-ECB: searched 47 files for ECB mode usage — 0 matches", "Debuggable flag: release manifest checked — false"],
457
+ "uncoveredReason": {}
458
+ }
459
+ }
460
+ ```
461
+
462
+ ---
463
+
464
+ ## LEARNING SIGNAL
465
+
466
+ On every finding resolved, emit:
467
+ ```json
468
+ {
469
+ "findingId": "FINDING_ID",
470
+ "agentName": "android-penetration-tester",
471
+ "resolved": true,
472
+ "remediationTemplate": "one-line description of what was done",
473
+ "falsePositive": false
474
+ }
475
+ ```
476
+ Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.
477
+
478
+ ---
479
+
480
+ ## intelligenceForOtherAgents — OUTPUT SCHEMA EXTENSION
481
+
482
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
483
+ ```json
484
+ {
485
+ "intelligenceForOtherAgents": {
486
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "Exported ContentProvider at com.target.app.DataProvider readable without permission", "exploitHint": "Query content://com.target.app.dataprovider/users for full user table" }],
487
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "AES-ECB", "location": "com/target/app/crypto/StorageHelper.kt:88" }],
488
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "WebView file:// URI handler", "escalationPath": "file:///data/data/com.target.app/shared_prefs/firebase.xml → Firebase token → GCP metadata endpoint" }],
489
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["PCI DSS 4.0 Req 6.3", "OWASP MASVS-CRYPTO-1"], "releaseBlock": true }]
490
+ }
491
+ }
492
+ ```