Complex AndroidManifest.xml analysis #35

Open
Razican opened this issue Sep 22, 2016 · 3 comments


@Razican Razican commented Sep 22, 2016

We need to add content providers, receivers, etc. to manifest analysis, and rules to decide what to analyze. Here is the complete list:

  • <provider>:
    • if android:exported="false" everything is OK.
    • if android:exported="true" and any targetSdkVersion or no android:exported and minSdkVersion < 17, we could have a vulnerability:
      • if android:permission or android:readPermission or android:writePermission, only warning.
      • if no permissions, medium or high vulnerability: other apps can read it.
  • <receiver>, <activity>, <activity-alias> or <service>:
    • if android:exported="false" everything is OK.
    • if android:exported="true" we could have a vulnerability:
      • if android:permission, only warning.
      • if no permissions, medium or high vulnerability: other apps can access it.
    • If no android:exported, we could have a vulnerability:
      • if no <intent-filter>, everything is OK.
      • if <intent-filter>:
        • if android:permission, only warning.
        • if no permissions, medium or high vulnerability: other apps can access it.

Analysis from AndroBugs: https://github.com/AndroBugs/AndroBugs_Framework/blob/master/androbugs.py
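
The decision rules listed in the comment above, applied to a parsed manifest. This is an added example, not code from SUPER or AndroBugs; the names `classify` and `analyze`, the sample manifest (constructed) and the treatment of a missing `minSdkVersion` as 1 are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample manifest (not from any real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="23"/>
  <application>
    <provider android:name=".OpenProvider" android:authorities="com.example.demo.open"/>
    <provider android:name=".GuardedProvider" android:authorities="com.example.demo.g" android:exported="true" android:readPermission="com.example.demo.READ"/>
    <activity android:name=".Main"><intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter></activity>
    <service android:name=".Internal"/>
    <receiver android:name=".Closed" android:exported="false"><intent-filter><action android:name="x"/></intent-filter></receiver>
    <service android:name=".Sync" android:exported="true" android:permission="com.example.demo.SYNC"/>
  </application>
</manifest>"""

def classify(el, min_sdk):
    """Return 'ok', 'warning' or 'vulnerable' for one component element."""
    exported = el.get(ANDROID + "exported")
    if exported == "false":
        return "ok"
    if el.tag == "provider":
        # Rule from the issue: a missing android:exported only matters when minSdkVersion < 17.
        reachable = exported == "true" or min_sdk < 17
        perms = ("permission", "readPermission", "writePermission")
    else:
        # Without android:exported, an <intent-filter> makes the component reachable.
        reachable = exported == "true" or el.find("intent-filter") is not None
        perms = ("permission",)
    if not reachable:
        return "ok"
    guarded = any(el.get(ANDROID + p) for p in perms)
    return "warning" if guarded else "vulnerable"

def analyze(manifest_xml):
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    # Assumption: a missing minSdkVersion is treated as 1.
    min_sdk = int(sdk.get(ANDROID + "minSdkVersion", "1")) if sdk is not None else 1
    app = root.find("application")
    results = {}
    for el in (app if app is not None else []):
        if el.tag == "provider" or el.tag in COMPONENTS:
            results[el.get(ANDROID + "name")] = classify(el, min_sdk)
    return results
```
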

@Razican Razican added this to the SUPER 0.2.0 milestone Sep 22, 2016
@Chuky9 Chuky9 self-assigned this Oct 20, 2016
@Razican Razican modified the milestones: SUPER 0.2.0, SUPER 0.3.0 Nov 2, 2016

@Chuky9 Chuky9 commented Nov 3, 2016

Complex AndroidManifest.xml analysis implemented but some clarifications are required in order to improve these detections in the next version (0.3.0). That's why this issue will remain opened.

@Chuky9 Chuky9 modified the milestones: SUPER 0.3.0, SUPER 0.2.0 Nov 3, 2016

@Razican Razican commented Nov 10, 2016

This depends on #20. We suppose that it will be available before the launch of 0.3.0 with enough time to implement it, so we maintain it for 0.3.0.

@Razican Razican modified the milestones: SUPER 0.3.0, SUPER 0.4.0 Feb 11, 2017

@Razican Razican commented Apr 2, 2017

Moving this to SUPER 0.5.0.

@Razican Razican modified the milestones: SUPER 0.5.0, SUPER 0.4.0 Apr 2, 2017
@Razican Razican modified the milestones: SUPER 0.5.0, SUPER 0.6.0 May 10, 2018
@Razican Razican modified the milestones: SUPER 0.6.0, SUPER 0.7.0 Nov 10, 2019
@Razican Razican modified the milestones: SUPER 0.7.0, SUPER 0.6.0 Nov 11, 2019
@Razican Razican modified the milestones: SUPER 0.6.0, SUPER 0.7.0 Mar 7, 2020