Android: Add rules for network-security-config files #1410
Merged
Android apps can specify security policies for network traffic in two places: the manifest file (outdated) and a network-security-policy.xml file. This PR adds rules for detecting a number of common issues related to these files; see the rule messages for more details.

I figure these rules walk the line between security and best-practice as a categorization. I chose best-practice as there are sometimes good reasons to deviate from these best practices, and tried to write the rules in a way where they respect the `tools:ignore` attribute (although that may not always be successful due to limitations of the generic parser, and my limited knowledge of which of these attributes exist) to try to reduce the amount of annoyance to developers. As always, feedback is very welcome.

I chose not to submit these rules to MobSF as they already have their own checks for these issues, which are implemented outside of their corpus of semgrep rules.
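To make the two policy locations and the kinds of findings concrete, here is an added example, not code from this PR or from the semgrep-rules project: a stand-alone Python checker that parses a constructed weak `network_security_config.xml` beside a hardened one (plus a manifest using the older `android:usesCleartextTraffic` attribute) and reports cleartext traffic, user-installed CAs trusted outside `<debug-overrides>`, `overridePins`, expired pin-sets and pin-sets without a backup pin. The element and attribute names are the real Android Network Security Config ones; the sample files, the finding identifiers and the `audit`/`audit_manifest` function names are assumptions made for this example and do not correspond to the PR's rule IDs.

```python
"""Added example: audit Android network security policy files for weak settings."""
import xml.etree.ElementTree as ET
from datetime import date

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: the weak "before" configuration.
WEAK_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2020-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
        </pin-set>
        <trust-anchors>
            <certificates src="user" overridePins="true"/>
        </trust-anchors>
    </domain-config>
</network-security-config>"""

# Constructed sample: the hardened "after" configuration. User CAs and pin
# overrides live only under <debug-overrides>, which Android honours solely
# for debuggable builds.
HARDENED_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors><certificates src="system"/></trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2030-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
    <debug-overrides>
        <trust-anchors><certificates src="user" overridePins="true"/></trust-anchors>
    </debug-overrides>
</network-security-config>"""

# Constructed sample: a manifest relying on the older manifest-level attribute.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <application android:usesCleartextTraffic="true" android:label="Example"/>
</manifest>"""


def _under(elem, parents, tag):
    """Walk up the parent chain and return the first ancestor-or-self with `tag`."""
    while elem is not None:
        if elem.tag == tag:
            return elem
        elem = parents.get(elem)
    return None


def _scope(elem, parents):
    """Name the policy scope a finding applies to (base-config or its domains)."""
    if _under(elem, parents, "base-config") is not None:
        return "base-config"
    dc = _under(elem, parents, "domain-config")
    if dc is not None:
        return "domain-config[" + ",".join(d.text.strip() for d in dc.findall("domain")) + "]"
    return "network-security-config"


def audit(xml_text, today=date(2024, 1, 1)):
    """Return (finding-id, scope) tuples in document order; [] means clean."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        scope = _scope(elem, parents)
        debug = _under(elem, parents, "debug-overrides") is not None
        if elem.get("cleartextTrafficPermitted", "").lower() == "true":
            findings.append(("cleartext-permitted", scope))
        if elem.tag == "pin-set":
            exp = elem.get("expiration")
            if exp and date.fromisoformat(exp) < today:
                findings.append(("pin-set-expired", scope))
            if len(elem.findall("pin")) < 2:  # Android docs recommend a backup pin
                findings.append(("single-pin-no-backup", scope))
        if elem.tag == "certificates" and not debug:
            if elem.get("src") == "user":
                findings.append(("user-ca-trusted", scope))
            if elem.get("overridePins", "").lower() == "true":
                findings.append(("pins-overridden", scope))
    return findings


def audit_manifest(xml_text):
    """Check the legacy manifest attribute and whether a config file is wired in."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    if app is None:
        return findings
    if app.get(ANDROID_NS + "usesCleartextTraffic", "").lower() == "true":
        findings.append(("manifest-cleartext-permitted", "application"))
    if app.get(ANDROID_NS + "networkSecurityConfig") is None:
        findings.append(("no-network-security-config", "application"))
    return findings


if __name__ == "__main__":
    for name, f in (("weak", audit(WEAK_CONFIG)), ("hardened", audit(HARDENED_CONFIG)),
                    ("manifest", audit_manifest(WEAK_MANIFEST))):
        print(name, f)
```

The `today` parameter is explicit so the expiry check is deterministic; a real rule would compare against the build date. Note that `_scope` reports the affected domains, which is what a developer needs to decide whether a `tools:ignore`-style exemption is justified for that host.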