Security Review: Mobile Platform Vulnerabilities

• SharedPreferences in MODE_WORLD_READABLE (deprecated but still in legacy code)
• Plaintext secrets in SharedPreferences without EncryptedSharedPreferences
• SQLite databases with sensitive data unencrypted
• External storage (SD card) for sensitive files
• Hardcoded secrets in strings.xml or BuildConfig

Red flags:

// ❌ UNSAFE
val prefs = getSharedPreferences("auth", Context.MODE_PRIVATE)
prefs.edit().putString("api_key", apiKey).apply()  // Plaintext

2. Android Exported Components [MASVS-PLATFORM]

• Exported=true without permission checks
• Intent filters making components implicitly exported
• ContentProviders exported by default (API <17)
• Missing signature-level permissions for inter-app communication

Red flags:

<!-- ❌ UNSAFE -->
<activity android:name=".AdminActivity" android:exported="true" />
<service android:name=".PaymentService" android:exported="true" />

3. Android Intent Injection [MASVS-PLATFORM]

• Unvalidated Intent extras passed to startActivity
• Implicit Intents for sensitive operations
• PendingIntent with mutable flags (FLAG_MUTABLE on API 31+)
• Intent data not sanitized before use

Red flags:

// ❌ UNSAFE
val url = intent.getStringExtra("url")
webView.loadUrl(url)  // Attacker-controlled URL

4. Android WebView Security [MASVS-PLATFORM]

• JavaScript enabled with untrusted content
• File access enabled (setAllowFileAccess)
• Universal XSS via loadDataWithBaseURL with file://
• Missing WebViewClient.shouldOverrideUrlLoading validation
• @JavascriptInterface exposed to untrusted pages

Red flags:

// ❌ UNSAFE
webView.settings.javaScriptEnabled = true
webView.settings.allowFileAccessFromFileURLs = true
webView.addJavascriptInterface(jsInterface, "Android")
webView.loadUrl(userProvidedUrl)

5. Android Insecure Crypto [MASVS-CRYPTO]

• Hardcoded encryption keys in code
• Weak algorithms (DES, RC4, MD5)
• ECB mode (predictable patterns)
• Not using Android Keystore for key storage
• Predictable IVs or reused IVs

Red flags:

// ❌ UNSAFE
val key = "hardcoded1234567"
val cipher = Cipher.getInstance("AES/ECB/PKCS5Padding")

6. Android Network Security Config [MASVS-NETWORK]

• cleartextTrafficPermitted=true
• Custom trust anchors without certificate pinning
• Debug certificates trusted in release builds
• Missing network_security_config.xml (defaults to cleartext allowed on API <28)

Red flags:

<!-- ❌ UNSAFE -->
<network-security-config>
    <base-config cleartextTrafficPermitted="true" />
</network-security-config>

7. Android Logging Sensitive Data [MASVS-STORAGE]

• Log.d/Log.i with PII, tokens, keys in release builds
• No ProGuard removing logs
• Stack traces logged with sensitive data
• Crashlytics/Sentry without data sanitization

Red flags:

// ❌ UNSAFE
Log.d("Auth", "Token: $authToken")
Log.i("User", "SSN: ${user.ssn}")

8. Android Backup Exposure [MASVS-STORAGE]

• allowBackup=true without fullBackupContent rules
• Auto-backup including sensitive files (databases, SharedPreferences)
• No android:fullBackupOnly
• Cloud backup enabled for sensitive apps

Red flags:

<!-- ❌ UNSAFE -->
<application android:allowBackup="true" ... >

Detection Strategy — iOS

1. iOS Insecure Storage [MASVS-STORAGE]

• UserDefaults for sensitive data (tokens, keys)
• Plist files with secrets in app bundle or Documents
• Core Data without encryption
• Not using Keychain for credentials

Red flags:

// ❌ UNSAFE
UserDefaults.standard.set(apiToken, forKey: "token")
try? data.write(to: documentsURL.appendingPathComponent("secret.dat"))

2. iOS ATS Bypass [MASVS-NETWORK]

• NSAllowsArbitraryLoads=true in Info.plist
• NSExceptionDomains disabling ATS for production domains
• NSAllowsArbitraryLoadsInWebContent for WKWebView
• NSExceptionAllowsInsecureHTTPLoads for specific domains

Red flags:

<!-- ❌ UNSAFE -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

3. iOS URL Scheme Hijacking [MASVS-PLATFORM]

• Custom URL schemes without validation
• Universal Links misconfigured or not implemented
• URL parameters not sanitized before use
• No AASA file (Apple App Site Association) for universal links

Red flags:

// ❌ UNSAFE
func application(_ app: UIApplication, open url: URL, options: [UIApplication.OpenURLOptionsKey : Any] = [:]) -> Bool {
    webView.load(URLRequest(url: url))  // Unvalidated
    return true
}

4. iOS Keychain Misuse [MASVS-CRYPTO]

• Wrong accessibility class (e.g., kSecAttrAccessibleAlways instead of WhenUnlocked)
• No kSecAttrAccessControl for Touch ID/Face ID items
• Keychain items not marked as non-migratable (kSecAttrSynchronizable=false)
• No Keychain access group for shared items

Red flags:

// ❌ UNSAFE
let query: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrAccount as String: "token",
    kSecValueData as String: token.data(using: .utf8)!,
    kSecAttrAccessible as String: kSecAttrAccessibleAlways  // Wrong!
]

5. iOS Pasteboard Leak [MASVS-STORAGE]

• Sensitive data copied to UIPasteboard.general
• No pasteboard.setItems options (localOnly, expirationDate)
• Password fields allowing copy
• Universal clipboard syncing sensitive data to iCloud

Red flags:

// ❌ UNSAFE
UIPasteboard.general.string = user.creditCardNumber

6. iOS Screenshot Exposure [MASVS-STORAGE]

• No blur/overlay when app enters background (applicationDidEnterBackground)
• Sensitive screens not hidden during app switcher
• Screenshots allowed for secure content

Red flags:

// ❌ Missing: No applicationDidEnterBackground implementation to hide sensitive views

7. iOS Insecure Crypto [MASVS-CRYPTO]

• Deprecated CommonCrypto instead of CryptoKit
• ECB mode encryption
• Hardcoded keys/IVs
• Weak algorithms (DES, RC4, MD5)

Red flags:

// ❌ UNSAFE
let key = "hardcoded12345"
CCCrypt(CCOperation(kCCEncrypt), CCAlgorithm(kCCAlgorithmDES), ...)

8. iOS Jailbreak Detection Bypass [MASVS-RESILIENCE]

• Trivial jailbreak checks (file existence only)
• No runtime integrity checks
• String-based detection easily bypassed by hooking
• No anti-hooking protection

Red flags:

// ❌ WEAK
func isJailbroken() -> Bool {
    return FileManager.default.fileExists(atPath: "/Applications/Cydia.app")
}

Detection Strategy — Shared Mobile

1. Certificate Pinning [MASVS-NETWORK]

See also: security-supply-chain skill for detailed pinning guidance.

2. Biometric Auth Bypass [MASVS-AUTH]

• Local-only biometric check without backend token validation
• Fallback to no auth on biometric failure
• Biometric used as sole factor for sensitive operations

Red flags (iOS):

// ❌ UNSAFE: Local-only
let context = LAContext()
if context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: nil) {
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: "Auth") { success, _ in
        if success {
            self.showSecretData()  // No backend verification!
        }
    }
}

3. Deep Link Hijacking [MASVS-PLATFORM]

• Unvalidated deep link parameters used in navigation
• Open redirect via deep link
• XSS in WebView via deep link
• Multiple apps claiming same deep link scheme

4. Binary Hardening [MASVS-RESILIENCE]

• Missing ProGuard/R8 (Android release builds)
• Debug symbols in release (dSYM uploaded but not stripped)
• No root/jailbreak detection
• No anti-tamper checks

5. Privacy/Data Collection [MASVS-PRIVACY]

• Excessive permissions requested without justification
• Location tracking without user consent
• Clipboard snooping on app launch
• Third-party SDKs with tracking

Review Instructions

Step 1: Android Storage Security

# Search for insecure patterns
rg "MODE_WORLD_READABLE|getSharedPreferences.*MODE_PRIVATE|\.putString\(.*api|\.putString\(.*token"
rg "openOrCreateDatabase|SQLiteDatabase.openDatabase"

Check for EncryptedSharedPreferences usage:

// ✅ SAFE
val masterKey = MasterKey.Builder(context)
    .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
    .build()
val prefs = EncryptedSharedPreferences.create(
    context,
    "secure_prefs",
    masterKey,
    EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
    EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
)

Step 2: Android Exported Components

# Check AndroidManifest.xml
grep -r "android:exported=\"true\"" AndroidManifest.xml
grep -r "<intent-filter>" AndroidManifest.xml  # Implicitly exported

Step 3: iOS ATS Configuration

# Check Info.plist
grep -A 10 "NSAppTransportSecurity" */Info.plist

Step 4: Biometric Implementation

// ✅ SAFE: Backend verification
let context = LAContext()
context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: "Auth") { success, error in
    if success {
        // Get short-lived token from backend
        self.apiClient.getBiometricToken { token in
            // Use token for sensitive operation
        }
    }
}

Step 5: Deep Link Validation

// ✅ SAFE
val uri = intent.data
if (uri?.host != "myapp.com" || !uri.pathSegments.all { it.matches(Regex("[a-zA-Z0-9-]+")) }) {
    finish()
    return
}

Migration Coverage

OWASP References

• Mobile Application Security
• OWASP MASVS
• Certificate Pinning

Quick Checklist — Android

• EncryptedSharedPreferences for sensitive data
• No exported components without permission checks
• Intent extras validated before use
• WebView JavaScript disabled or content trusted
• Android Keystore used for encryption keys
• network_security_config.xml with cert pinning
• Log statements removed in release (ProGuard)
• allowBackup=false or with fullBackupContent rules

Quick Checklist — iOS

• Keychain used for sensitive data (not UserDefaults)
• ATS enabled (no NSAllowsArbitraryLoads)
• Universal Links for deep linking (not custom URL schemes alone)
• Keychain accessibility: WhenUnlocked or WhenUnlockedThisDeviceOnly
• Sensitive data not copied to general pasteboard
• Background blur implemented in applicationDidEnterBackground
• CryptoKit used (not CommonCrypto)
• Jailbreak detection with runtime integrity checks

Quick Checklist — Shared

• Certificate pinning implemented
• Biometric auth validated by backend token
• Deep link parameters sanitized
• Code obfuscation enabled (ProGuard/R8, dSYM stripping)
• Minimal permissions requested