Hello Android developers,
There are a lot of security-sensitive configurations to take care of while developing an Android application, and it is not easy to know what each of them implies from a security perspective.
This is why we added rules to the Java, Kotlin and XML analyzers, so that you pay attention to these security-sensitive configurations and know the impact they can have on your Android application or its users.
Java and Kotlin Rules:
- S6362: Enabling JavaScript support for WebViews is security-sensitive
- S6363: Enabling file access for WebViews is security-sensitive
- S4507: Delivering code in production with debug features activated is security-sensitive
  - WebView support was added for the existing S4507 Security Hotspot
- S5332: Using clear-text protocols is security-sensitive
  - WebView support was added for the existing S5332 Security Hotspot
- S5322: Receiving intents is security-sensitive
- S5320: Broadcasting intents is security-sensitive
- S2053: Hashes should include an unpredictable salt
- S4347: “SecureRandom” seeds should not be predictable
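To make the Java/Kotlin hotspots above concrete, here is an added Kotlin example (not code from the announcement or from SonarSource) showing, for each rule, the configuration that gets reported next to its hardened counterpart. It assumes minSdk 26 (for the PBKDF2WithHmacSHA256 provider), a caller that passes BuildConfig.DEBUG as the `debuggable` flag, and hypothetical action and permission names under com.example.app.

```kotlin
// Added example, not from the SonarSource announcement: weak vs hardened
// WebView, intent, salt and seed configurations for S6362, S6363, S4507,
// S5332, S5320, S5322, S2053 and S4347. Assumes minSdk 26; action and
// permission names are hypothetical.
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import android.webkit.WebSettings
import android.webkit.WebView
import java.security.MessageDigest
import java.security.SecureRandom
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec

// ---- S6362, S6363, S5332 and S4507 on a WebView ----

// Every line in this function is what the hotspots report on.
fun configureWebViewInsecurely(webView: WebView) {
    with(webView.settings) {
        javaScriptEnabled = true                                   // S6362
        allowFileAccess = true                                     // S6363: web content can reach file://
        allowFileAccessFromFileURLs = true                         // S6363 (deprecated API, honoured below API 30)
        allowUniversalAccessFromFileURLs = true                    // S6363
        mixedContentMode = WebSettings.MIXED_CONTENT_ALWAYS_ALLOW  // S5332: https page may load http:// resources
    }
    WebView.setWebContentsDebuggingEnabled(true)                   // S4507: process-wide, DevTools can attach
}

fun configureWebViewSafely(webView: WebView, debuggable: Boolean) {
    with(webView.settings) {
        javaScriptEnabled = false          // enable only for pages that need it, never for untrusted content
        allowFileAccess = false
        allowContentAccess = false         // content:// URIs are not loadable either
        mixedContentMode = WebSettings.MIXED_CONTENT_NEVER_ALLOW
    }
    // Remote debugging is a debug-only feature; gating it on a build flag keeps it out of release builds.
    if (debuggable) WebView.setWebContentsDebuggingEnabled(true)
}

// ---- S5320 and S5322 on intents ----

const val ACTION_RESULT = "com.example.app.ACTION_RESULT"          // hypothetical action
const val PERMISSION_RESULT = "com.example.app.permission.RESULT"  // hypothetical signature-level permission

// Implicit broadcast: any installed app with a matching receiver reads `payload`.
fun broadcastInsecurely(context: Context, payload: String) {
    context.sendBroadcast(Intent(ACTION_RESULT).putExtra("payload", payload))  // S5320
}

// Hardened: keep the broadcast inside this package and require a permission from receivers.
fun broadcastSafely(context: Context, payload: String) {
    val intent = Intent(ACTION_RESULT).putExtra("payload", payload).setPackage(context.packageName)
    context.sendBroadcast(intent, PERMISSION_RESULT)
}

// Receiving side: an unguarded dynamic receiver accepts ACTION_RESULT from any app (S5322);
// the permission argument restricts senders to apps holding PERMISSION_RESULT.
// On API 33+ prefer the overload that also takes Context.RECEIVER_NOT_EXPORTED.
fun registerResultReceiver(context: Context, receiver: BroadcastReceiver, guarded: Boolean) {
    val filter = IntentFilter(ACTION_RESULT)
    if (guarded) context.registerReceiver(receiver, filter, PERMISSION_RESULT, null)
    else context.registerReceiver(receiver, filter)                // S5322
}

// ---- S2053 and S4347 on hashes and seeds ----

// Unsalted digest: identical passwords hash identically, so precomputed tables apply.
fun hashPasswordInsecurely(password: String): ByteArray =
    MessageDigest.getInstance("SHA-256").digest(password.toByteArray())      // S2053

// Fixed seed: on the older SHA1PRNG provider the whole output stream becomes reproducible.
fun predictableRandom(): SecureRandom = SecureRandom().apply { setSeed(42L) } // S4347

// Hardened: a fresh 16-byte salt from an unseeded SecureRandom, stretched with PBKDF2.
// Returns (salt, derivedKey); store both, the salt is not secret.
fun hashPasswordSafely(password: CharArray, rng: SecureRandom = SecureRandom()): Pair<ByteArray, ByteArray> {
    val salt = ByteArray(16).also { rng.nextBytes(it) }
    val spec = PBEKeySpec(password, salt, 310_000, 256)
    val key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).encoded
    spec.clearPassword()
    return salt to key
}
```

The WebView settings are per-instance except `setWebContentsDebuggingEnabled`, which is static and affects every WebView in the process, so a single stray call in a library is enough to expose the whole app's web content to DevTools.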
XML Rules:
- S5322: Receiving intents is security-sensitive
- S6359: Custom permissions should not be defined in the ‘android.permission’ namespace
- S6358: Allowing application backup is security-sensitive
- S6361: Defining a single permission for read and write access of Content Providers is security-sensitive
- S5332: Using clear-text protocols is security-sensitive
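For the XML hotspots, here is an added AndroidManifest.xml example (not from the announcement or from SonarSource) that keeps the flagged form of each setting in a comment beside the hardened form. Package, authority, class and permission names are hypothetical.

```xml
<!-- Added example, not from the SonarSource announcement: flagged manifest
     settings for S6359, S6358, S6361, S5322 and S5332 (in comments) next to
     their hardened form. All names under com.example.app are hypothetical. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">

    <!-- S6359: flagged, a custom permission squatting in the platform namespace:
         <permission android:name="android.permission.READ_NOTES" />
         Fixed: declare it in the app's own namespace with a signature protection level. -->
    <permission
        android:name="com.example.app.permission.READ_NOTES"
        android:protectionLevel="signature" />
    <permission
        android:name="com.example.app.permission.WRITE_NOTES"
        android:protectionLevel="signature" />
    <permission
        android:name="com.example.app.permission.RESULT"
        android:protectionLevel="signature" />

    <!-- S6358: allowBackup defaults to "true", so omitting it (or setting "true") lets
         application data be pulled with `adb backup` (before Android 12) and included
         in cloud backups.
         S5332: usesCleartextTraffic="true" permits plain http:// connections; it only
         defaults to "false" when targetSdkVersion is 28 or higher, so set it explicitly. -->
    <application
        android:allowBackup="false"
        android:usesCleartextTraffic="false">

        <!-- S6361: flagged, one permission covers both read and write, so an app that
             only needs to read the data can also modify it:
             <provider android:permission="com.example.app.permission.NOTES" />
             Fixed: distinct read and write permissions. -->
        <provider
            android:name=".NotesProvider"
            android:authorities="com.example.app.notes"
            android:exported="true"
            android:readPermission="com.example.app.permission.READ_NOTES"
            android:writePermission="com.example.app.permission.WRITE_NOTES" />

        <!-- S5322: a receiver with an intent-filter is reachable from other apps; without
             android:permission any app can send it com.example.app.ACTION_RESULT.
             Fixed: require the signature permission (or set exported="false" when only
             this app sends the broadcast). -->
        <receiver
            android:name=".ResultReceiver"
            android:exported="true"
            android:permission="com.example.app.permission.RESULT">
            <intent-filter>
                <action android:name="com.example.app.ACTION_RESULT" />
            </intent-filter>
        </receiver>
    </application>
</manifest>
```

Declaring the permissions with `android:protectionLevel="signature"` means only apps signed with the same certificate can hold them, which is what makes the provider and receiver guards above meaningful; a `normal` protection level would be granted to any app that requests it.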
This is available now on SonarCloud and will be included in SonarQube 9.2.
Alex