Taint analysis comes to Android

Hello Android / Java developers,

We are happy to announce that the taint analyzer detecting injection vulnerabilities has been improved to support the Android SDK.

What has been done?

  • Activity, Receiver, Service intent parameters and ContentProvider method params are considered as “sources”.
  • a new rule specific to Android was added: S6384 - Components should not be vulnerable to intent redirection
  • existing vulnerability rules were adjusted to consider Android “sinks”:
    • S3649: to support SQLite
    • S5131: to support Android WebView
    • S5334: to support “addJavascriptInterface”
    • S2083: to support “ParcelFileDescriptor”

This is available now on SonarCloud and is included in SonarQube 9.3.

Alex

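An added illustration, not part of the original post and not taken from SonarSource's rule documentation: the kind of source-to-sink flow that "intent redirection" (S6384) refers to, with an unchecked forward beside a checked one. The package, class names, extra key and allow list are hypothetical, and the example does not claim that the analyzer treats this particular check as a sanitizer.

```java
package com.example.app; // hypothetical package

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical activity declared with android:exported="true" in the manifest.
public class ForwardingActivity extends Activity {
    private static final String EXTRA_NEXT = "next_intent"; // assumed extra name
    // Assumed allow list of this app's own activities that may be forwarded to.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "com.example.app.HelpActivity", "com.example.app.AboutActivity"));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Source: the incoming Intent and everything nested in it is caller-controlled.
        Intent next = getIntent().getParcelableExtra(EXTRA_NEXT);
        if (next != null) {
            forwardChecked(next);
        }
        finish();
    }

    // Noncompliant: the nested Intent is launched with this app's identity, so it
    // can reach non-exported components or carry URI permission grant flags.
    private void forwardUnchecked(Intent untrusted) {
        startActivity(untrusted);
    }

    // Hardened: resolve the target, allow-list it, and rebuild a clean Intent.
    private void forwardChecked(Intent untrusted) {
        ComponentName target = untrusted.resolveActivity(getPackageManager());
        if (target == null
                || !getPackageName().equals(target.getPackageName())
                || !ALLOWED.contains(target.getClassName())) {
            return; // unknown or unexpected destination: drop it
        }
        // A fresh Intent carries no caller-supplied flags, data URI or extras.
        Intent safe = new Intent().setComponent(target);
        startActivity(safe);
    }
}
```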