Android: Add rules for network-security-config files #1410

Merged
merged 1 commit into from Aug 11, 2021

Conversation

malexmave
Contributor

Android apps can specify security policies for network traffic in two places: the Manifest-file (outdated) and a network-security-policy.xml file. This PR adds rules for detecting a number of common issues related to these files; see the rule messages for more details.

I figure these rules walk the line between security and best-practice as a categorization - I chose best-practice as there are sometimes good reasons to deviate from these best practices, and tried to write the rules in a way where they respect the tools:ignore attribute (although that may not always be successful due to limitations of the generic parser, and my limited knowledge of which of these attributes exist) to try to reduce the amount of annoyance to developers.

As always, feedback is very welcome. I chose not to submit these rules to MobSF as they already have their own checks for these issues, which are implemented outside of their corpus of semgrep rules.
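The two places the PR description mentions can be checked outside semgrep as well. The script below is an added illustration written for this page, not the PR's own semgrep rules: it parses a constructed AndroidManifest.xml and a constructed network_security_config.xml with the standard library and reports the kind of weak settings the PR targets (cleartext permitted, user-installed CAs trusted outside `<debug-overrides>`, `android:usesCleartextTraffic="true"`). It also honours `tools:ignore` the way the PR description says the rules try to, including on ancestor elements. The finding ids `nsc-cleartext-permitted`, `nsc-user-trust-anchors` and `manifest-cleartext` are made up for this example and are not the PR's rule ids.

```python
"""Static check for Android network-security settings.

Added illustration for this page; NOT the semgrep rules from the PR.
Finding ids below are invented for the example; a tools:ignore attribute
naming one of them (on the element or any ancestor) silences that finding.
"""
import xml.etree.ElementTree as ET
from typing import List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
TOOLS_NS = "http://schemas.android.com/tools"


def _ignores(elem: ET.Element) -> Set[str]:
    """Ids listed in tools:ignore="id1,id2" on this element."""
    raw = elem.get(f"{{{TOOLS_NS}}}ignore", "")
    return {part.strip() for part in raw.split(",") if part.strip()}


def check_network_security_config(xml_text: str) -> List[str]:
    """Return findings for a network_security_config.xml document."""
    findings: List[str] = []

    def walk(elem: ET.Element, in_debug: bool, inherited: Set[str]) -> None:
        ignored = inherited | _ignores(elem)  # tools:ignore covers descendants too
        tag = elem.tag
        # Cleartext allowed globally (base-config) or for the listed domains.
        if tag in ("base-config", "domain-config") and elem.get("cleartextTrafficPermitted") == "true":
            fid = "nsc-cleartext-permitted"
            if fid not in ignored:
                if tag == "base-config":
                    scope = "all domains"
                else:
                    scope = ", ".join((d.text or "").strip() for d in elem.findall("domain"))
                findings.append(f"{fid}: cleartext HTTP allowed for {scope}")
        # User-installed CAs are only acceptable inside <debug-overrides>,
        # which Android applies to debuggable builds only.
        if tag == "certificates" and elem.get("src") == "user" and not in_debug:
            fid = "nsc-user-trust-anchors"
            if fid not in ignored:
                findings.append(f"{fid}: user-installed CAs trusted outside <debug-overrides>")
        for child in elem:
            walk(child, in_debug or tag == "debug-overrides", ignored)

    walk(ET.fromstring(xml_text), False, set())
    return findings


def check_manifest(xml_text: str) -> List[str]:
    """Return findings for the <application> element of an AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return []
    ignored = _ignores(root) | _ignores(app)
    if app.get(f"{{{ANDROID_NS}}}usesCleartextTraffic") != "true" or "manifest-cleartext" in ignored:
        return []
    msg = 'manifest-cleartext: android:usesCleartextTraffic="true" allows plain HTTP'
    if app.get(f"{{{ANDROID_NS}}}networkSecurityConfig") is not None:
        # With a network security config present, Android 7.0+ ignores the
        # manifest flag, so the real policy lives in the config file.
        msg += " (ignored on API 24+ because a network security config is present)"
    return [msg]


# Constructed sample inputs (not from any real app).
WEAK_NSC = """
<network-security-config xmlns:tools="http://schemas.android.com/tools">
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">example.com</domain>
    </domain-config>
    <domain-config cleartextTrafficPermitted="true" tools:ignore="nsc-cleartext-permitted">
        <domain>10.0.2.2</domain>
    </domain-config>
    <debug-overrides>
        <trust-anchors><certificates src="user"/></trust-anchors>
    </debug-overrides>
</network-security-config>
"""

HARDENED_NSC = """
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors><certificates src="system"/></trust-anchors>
    </base-config>
    <debug-overrides>
        <trust-anchors><certificates src="user"/></trust-anchors>
    </debug-overrides>
</network-security-config>
"""

WEAK_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <application android:usesCleartextTraffic="true"
                 android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>
"""

if __name__ == "__main__":
    for name, result in (("weak config", check_network_security_config(WEAK_NSC)),
                         ("hardened config", check_network_security_config(HARDENED_NSC)),
                         ("manifest", check_manifest(WEAK_MANIFEST))):
        print(name, "->", result or "no findings")
```

The `10.0.2.2` domain (the emulator's host loopback) shows the intended escape hatch: a developer who needs cleartext to one internal address marks that `domain-config` with `tools:ignore` rather than loosening `base-config`, and the `<debug-overrides>` user CA is left alone because release builds never use it.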

Android apps can specify security policies for network traffic
in two places: the Manifest-file (outdated) and a network-
security-policy.xml file. This commit adds rules for detecting
a number of common issues related to these files.
patterns:
  - pattern: |
      android:usesCleartextTraffic="true"
  - pattern-not-inside: |
Member:
Nice

@minusworld minusworld left a comment


These look awesome. Thank you!

@minusworld minusworld merged commit 892961e into semgrep:develop Aug 11, 2021
@malexmave malexmave deleted the rule/android-nsc branch August 11, 2021 06:49
ievans pushed a commit that referenced this pull request Sep 17, 2021
2 participants