[Provide a general description of the issue.]
[Describe how to assess this given either the source code or installer package (APK/IPA/etc.), but without running the app. Tailor this to the general situation (e.g., in some situations, having the decompiled classes is just as good as having the original source, in others it might make a bigger difference). If required, include a subsection about how to test with or without the original sources.]
[Use the <sup> tag to reference external sources, e.g. Meyer's recipe for tomato soup[1].]
[Describe how to test for this issue by running and interacting with the app. This can include everything from simply monitoring network traffic or aspects of the app’s behavior to code injection, debugging, instrumentation, etc.]
[Describe the best practices that developers should follow to prevent this issue.]
- MX - Title - Link
- V6.1: "The app only requires the minimum set of permissions necessary."
- CWE-XXX - Title
- [1] Meyer's Recipe for Tomato Soup - http://www.finecooking.com/recipes/meyers-classic-tomato-soup.aspx
- Tool - Link
[Provide a general description of the issue.]
[Describe how to assess this given either the source code or installer package (APK/IPA/etc.), but without running the app. Tailor this to the general situation (e.g., in some situations, having the decompiled classes is just as good as having the original source, in others it might make a bigger difference). If required, include a subsection about how to test with or without the original sources.]
[Use the <sup> tag to reference external sources, e.g. Meyer's recipe for tomato soup[1].]
[Describe how to test for this issue by running and interacting with the app. This can include everything from simply monitoring network traffic or aspects of the app’s behavior to code injection, debugging, instrumentation, etc.]
[Describe the best practices that developers should follow to prevent this issue.]
- MX - Title - Link
- V6.2: "All inputs from external sources are validated. This includes data received via the GUI, IPC mechanisms such as intents, custom URLs, and network sources."
- CWE-XXX - Title
- [1] Meyer's Recipe for Tomato Soup - http://www.finecooking.com/recipes/meyers-classic-tomato-soup.aspx
- Tool - Link
[Provide a general description of the issue.]
[Describe how to assess this given either the source code or installer package (APK/IPA/etc.), but without running the app. Tailor this to the general situation (e.g., in some situations, having the decompiled classes is just as good as having the original source, in others it might make a bigger difference). If required, include a subsection about how to test with or without the original sources.]
[Use the <sup> tag to reference external sources, e.g. Meyer's recipe for tomato soup[1].]
[Describe how to test for this issue by running and interacting with the app. This can include everything from simply monitoring network traffic or aspects of the app’s behavior to code injection, debugging, instrumentation, etc.]
[Describe the best practices that developers should follow to prevent this issue.]
- MX - Title - Link
- V6.3: "All user input is sanitized, including input obtained via the UI, as well as input originating from QR codes, NFC data, and other sources."
- CWE-XXX - Title
- [1] Meyer's Recipe for Tomato Soup - http://www.finecooking.com/recipes/meyers-classic-tomato-soup.aspx
- Tool - Link
[Provide a general description of the issue.]
[Describe how to assess this given either the source code or installer package (APK/IPA/etc.), but without running the app. Tailor this to the general situation (e.g., in some situations, having the decompiled classes is just as good as having the original source, in others it might make a bigger difference). If required, include a subsection about how to test with or without the original sources.]
[Use the <sup> tag to reference external sources, e.g. Meyer's recipe for tomato soup[1].]
[Describe how to test for this issue by running and interacting with the app. This can include everything from simply monitoring network traffic or aspects of the app’s behavior to code injection, debugging, instrumentation, etc.]
[Describe the best practices that developers should follow to prevent this issue.]
- MX - Title - Link
- V6.4: "The app does not export sensitive functionality via custom URL schemes."
- CWE-XXX - Title
- [1] Meyer's Recipe for Tomato Soup - http://www.finecooking.com/recipes/meyers-classic-tomato-soup.aspx
- Tool - Link
[Provide a general description of the issue.]
[Describe how to assess this given either the source code or installer package (APK/IPA/etc.), but without running the app. Tailor this to the general situation (e.g., in some situations, having the decompiled classes is just as good as having the original source, in others it might make a bigger difference). If required, include a subsection about how to test with or without the original sources.]
[Use the <sup> tag to reference external sources, e.g. Meyer's recipe for tomato soup[1].]
[Describe how to test for this issue by running and interacting with the app. This can include everything from simply monitoring network traffic or aspects of the app’s behavior to code injection, debugging, instrumentation, etc.]
[Describe the best practices that developers should follow to prevent this issue.]
- MX - Title - Link
- V6.5: "The app does not export sensitive functionality through IPC facilities."
- CWE-XXX - Title
- [1] Meyer's Recipe for Tomato Soup - http://www.finecooking.com/recipes/meyers-classic-tomato-soup.aspx
- Tool - Link
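Static-analysis helper for V6.1, V6.4 and V6.5, added here as an example (it is not part of the MSTG text or of any project's code). It parses a decoded AndroidManifest.xml, as produced by apktool, and reports the requested permissions, every exported component that carries no android:permission, and every exported component registered for a custom URL scheme. The sample manifest, package name and component names are constructed for illustration; the launcher activity is skipped because it must be exported.

```python
"""Static check for MASVS V6.1, V6.4 and V6.5 against a decoded AndroidManifest.xml.

Added example for this page, not MSTG or project code. Assumes the manifest has
already been decoded to plain XML (for instance by apktool); the sample manifest
below is constructed for illustration.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample: a launcher activity, a deep-link activity on a custom
# scheme, an exported service with no permission, a receiver protected by a
# system permission, and a non-exported content provider.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="exampleapp" android:host="pay"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".AdminReceiver" android:exported="true"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <provider android:name=".DataProvider"
              android:authorities="com.example.app.data"
              android:exported="false"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(comp):
    """Platform default: without an explicit android:exported, a component is
    exported if and only if it declares an intent-filter (Android 12+ refuses
    to install apps that rely on this default; older versions apply it)."""
    explicit = _attr(comp, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return comp.find("intent-filter") is not None


def is_launcher(comp):
    """The MAIN/LAUNCHER activity has to be exported, so it is not reported."""
    for f in comp.findall("intent-filter"):
        actions = {_attr(a, "name") for a in f.findall("action")}
        categories = {_attr(c, "name") for c in f.findall("category")}
        if "android.intent.action.MAIN" in actions and \
                "android.intent.category.LAUNCHER" in categories:
            return True
    return False


def custom_schemes(comp):
    """URL schemes other than http/https registered by this component."""
    schemes = {_attr(d, "scheme") for d in comp.iter("data")}
    return sorted(s for s in schemes if s and s not in ("http", "https"))


def analyze_manifest(xml_text):
    """Return the requested permissions and a list of (component, issue, detail)."""
    root = ET.fromstring(xml_text)
    permissions = sorted(_attr(p, "name") for p in root.iter("uses-permission"))
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            name = _attr(comp, "name")
            if not is_exported(comp) or is_launcher(comp):
                continue
            schemes = custom_schemes(comp)
            if schemes:
                findings.append((name, "custom-url-scheme", ",".join(schemes)))
            if _attr(comp, "permission") is None:
                findings.append((name, "exported-without-permission", tag))
    return {"permissions": permissions, "findings": findings}


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_MANIFEST
    report = analyze_manifest(text)
    print("Requested permissions (V6.1, justify each against app functionality):")
    for perm in report["permissions"]:
        print("  " + perm)
    print("Exported components needing review (V6.4 / V6.5):")
    for name, issue, detail in report["findings"]:
        print("  %-24s %-28s %s" % (name, issue, detail))
```

Run it as `python manifest_check.py path/to/AndroidManifest.xml`; without an argument it analyzes the constructed sample. Every reported component is a candidate for the dynamic test of V6.4/V6.5: exported activities and services can be driven from another app or from the shell (`adb shell am start` / `am startservice`) with attacker-chosen extras and data URIs, so each one needs either a permission, an explicit `android:exported="false"`, or a justification that the exposed functionality is not sensitive.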
[Provide a general description of the issue.]
[Describe how to assess this given either the source code or installer package (APK/IPA/etc.), but without running the app. Tailor this to the general situation (e.g., in some situations, having the decompiled classes is just as good as having the original source, in others it might make a bigger difference). If required, include a subsection about how to test with or without the original sources.]
[Use the <sup> tag to reference external sources, e.g. Meyer's recipe for tomato soup[1].]
[Describe how to test for this issue by running and interacting with the app. This can include everything from simply monitoring network traffic or aspects of the app’s behavior to code injection, debugging, instrumentation, etc.]
[Describe the best practices that developers should follow to prevent this issue.]
- MX - Title - Link
- V6.6: "JavaScript is disabled in WebViews unless explicitly required."
- CWE-XXX - Title
- [1] Meyer's Recipe for Tomato Soup - http://www.finecooking.com/recipes/meyers-classic-tomato-soup.aspx
- Tool - Link
[Provide a general description of the issue.]
[Describe how to assess this given either the source code or installer package (APK/IPA/etc.), but without running the app. Tailor this to the general situation (e.g., in some situations, having the decompiled classes is just as good as having the original source, in others it might make a bigger difference). If required, include a subsection about how to test with or without the original sources.]
[Use the <sup> tag to reference external sources, e.g. Meyer's recipe for tomato soup[1].]
[Describe how to test for this issue by running and interacting with the app. This can include everything from simply monitoring network traffic or aspects of the app’s behavior to code injection, debugging, instrumentation, etc.]
[Describe the best practices that developers should follow to prevent this issue.]
- MX - Title - Link
- V6.7: "File access is disabled in WebViews unless explicitly required."
- CWE-XXX - Title
- [1] Meyer's Recipe for Tomato Soup - http://www.finecooking.com/recipes/meyers-classic-tomato-soup.aspx
- Tool - Link
[Provide a general description of the issue.]
[Describe how to assess this given either the source code or installer package (APK/IPA/etc.), but without running the app. Tailor this to the general situation (e.g., in some situations, having the decompiled classes is just as good as having the original source, in others it might make a bigger difference). If required, include a subsection about how to test with or without the original sources.]
[Use the <sup> tag to reference external sources, e.g. Meyer's recipe for tomato soup[1].]
[Describe how to test for this issue by running and interacting with the app. This can include everything from simply monitoring network traffic or aspects of the app’s behavior to code injection, debugging, instrumentation, etc.]
[Describe the best practices that developers should follow to prevent this issue.]
- MX - Title - Link
- V6.8: "If JavaScript is required in a WebView, the WebView is restricted to a specific URL, and no unfiltered user input is rendered in the WebView."
- CWE-XXX - Title
- [1] Meyer's Recipe for Tomato Soup - http://www.finecooking.com/recipes/meyers-classic-tomato-soup.aspx
- Tool - Link
[Provide a general description of the issue.]
[Describe how to assess this given either the source code or installer package (APK/IPA/etc.), but without running the app. Tailor this to the general situation (e.g., in some situations, having the decompiled classes is just as good as having the original source, in others it might make a bigger difference). If required, include a subsection about how to test with or without the original sources.]
[Use the <sup> tag to reference external sources, e.g. Meyer's recipe for tomato soup[1].]
[Describe how to test for this issue by running and interacting with the app. This can include everything from simply monitoring network traffic or aspects of the app’s behavior to code injection, debugging, instrumentation, etc.]
[Describe the best practices that developers should follow to prevent this issue.]
- MX - Title - Link
- V6.9: "The app does not load user-supplied local resources into WebViews."
- CWE-XXX - Title
- [1] Meyer's Recipe for Tomato Soup - http://www.finecooking.com/recipes/meyers-classic-tomato-soup.aspx
- Tool - Link
[Provide a general description of the issue.]
[Describe how to assess this given either the source code or installer package (APK/IPA/etc.), but without running the app. Tailor this to the general situation (e.g., in some situations, having the decompiled classes is just as good as having the original source, in others it might make a bigger difference). If required, include a subsection about how to test with or without the original sources.]
[Use the <sup> tag to reference external sources, e.g. Meyer's recipe for tomato soup[1].]
[Describe how to test for this issue by running and interacting with the app. This can include everything from simply monitoring network traffic or aspects of the app’s behavior to code injection, debugging, instrumentation, etc.]
[Describe the best practices that developers should follow to prevent this issue.]
- MX - Title - Link
- V6.10: "If Java objects are exposed in a WebView, verify that the WebView only renders JavaScript contained within the app package."
- CWE-XXX - Title
- [1] Meyer's Recipe for Tomato Soup - http://www.finecooking.com/recipes/meyers-classic-tomato-soup.aspx
- Tool - Link
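Static-analysis helper for the WebView requirements V6.6 through V6.10, added here as an example (it is not part of the MSTG text or of any project's code). It scans decompiled Java or Kotlin source, such as jadx output, for the WebSettings calls that enable JavaScript and file access, for `addJavascriptInterface`, and for `loadUrl`/`loadData` calls whose argument is a variable rather than a string literal, which is where user-controlled content can reach the WebView. The activity source below is constructed for illustration and deliberately contains every configuration the rules look for.

```python
"""Source scan for WebView configuration (MASVS V6.6 to V6.10) in decompiled Java/Kotlin.

Added example for this page, not MSTG or project code. Assumes the APK has been
decompiled to Java or Kotlin source (for instance with jadx); the activity source
below is constructed for illustration and contains every configuration the rules
look for.
"""
import os
import re
import sys

# Constructed decompiled activity: JavaScript and file access switched on, a
# Java object bridged into the page, and a URL taken straight from an Intent.
SAMPLE_SOURCE = """
package com.example.app;

public class HelpActivity extends Activity {
    protected void onCreate(Bundle b) {
        WebView wv = findViewById(R.id.web);
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(true);
        s.setAllowFileAccessFromFileURLs(true);
        s.setAllowUniversalAccessFromFileURLs(true);
        wv.addJavascriptInterface(new Bridge(), "android");
        String target = getIntent().getStringExtra("url");
        wv.loadUrl(target);
        wv.loadUrl("file:///android_asset/help.html");
    }
}
"""

# (requirement, compiled pattern, what a match means for the reviewer)
RULES = [
    ("V6.6", re.compile(r"setJavaScriptEnabled\s*\(\s*true\s*\)"),
     "JavaScript enabled; confirm it is required"),
    ("V6.7", re.compile(r"setAllowFileAccess\s*\(\s*true\s*\)"),
     "file:// access enabled"),
    ("V6.7", re.compile(r"setAllowFileAccessFromFileURLs\s*\(\s*true\s*\)"),
     "file:// pages may read other local files"),
    ("V6.7", re.compile(r"setAllowUniversalAccessFromFileURLs\s*\(\s*true\s*\)"),
     "file:// pages may reach any origin"),
    ("V6.10", re.compile(r"addJavascriptInterface\s*\("),
     "Java object exposed to page JavaScript; check what content the WebView renders"),
    ("V6.8/V6.9", re.compile(r"\b(loadUrl|loadData|loadDataWithBaseURL|postUrl)\s*\(\s*[^\"')\s]"),
     "content loaded from a variable, not a literal; trace whether it is user-controlled"),
]

SOURCE_EXTENSIONS = (".java", ".kt")


def scan_source(text):
    """Return (line_number, requirement, message) for every rule hit in the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for requirement, pattern, message in RULES:
            if pattern.search(line):
                findings.append((lineno, requirement, message))
    return findings


def scan_tree(root_dir):
    """Scan every Java/Kotlin file below root_dir; yields (path, line, req, message)."""
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if not fname.endswith(SOURCE_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, requirement, message in scan_source(fh.read()):
                    yield path, lineno, requirement, message


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = list(scan_tree(sys.argv[1]))
    else:
        hits = [("HelpActivity.java", *f) for f in scan_source(SAMPLE_SOURCE)]
    for path, lineno, requirement, message in hits:
        print("%s:%d [%s] %s" % (path, lineno, requirement, message))
```

Run it as `python webview_scan.py path/to/jadx/sources`; without an argument it scans the constructed sample. A hit is a starting point, not a verdict: a `setJavaScriptEnabled(true)` is acceptable when V6.8 holds (the WebView is pinned to a known URL and renders no unfiltered input), and an `addJavascriptInterface` call is acceptable under V6.10 only when every page the WebView can load ships inside the app package, so each hit should be followed back to the loadUrl/loadData call sites that feed the same WebView.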
See the Android "Update Security Provider" documentation [1]: on Android, vulnerabilities found in the platform's default SSL/TLS security provider are not fixed on devices that do not receive OS updates, so an app that depends on Google Play services should call ProviderInstaller.installIfNeeded() (or the asynchronous installIfNeededAsync()) at startup so that the provider is patched against known exploits before any secure connection is made.
[Describe how to assess this given either the source code or installer package (APK/IPA/etc.), but without running the app. Tailor this to the general situation (e.g., in some situations, having the decompiled classes is just as good as having the original source, in others it might make a bigger difference). If required, include a subsection about how to test with or without the original sources.]
[Use the <sup> tag to reference external sources, e.g. Meyer's recipe for tomato soup[1].]
[Describe how to test for this issue by running and interacting with the app. This can include everything from simply monitoring network traffic or aspects of the app’s behavior to code injection, debugging, instrumentation, etc.]
[Describe the best practices that developers should follow to prevent this issue.]
- MX - Title - Link
- V6.11: "The app leverages operating system features that allow updating of outdated system components."
- CWE-XXX - Title
- [1] Update Security Provider - https://developer.android.com/training/articles/security-gms-provider.html
- Tool - Link
[Provide a general description of the issue.]
[Describe how to assess this given either the source code or installer package (APK/IPA/etc.), but without running the app. Tailor this to the general situation (e.g., in some situations, having the decompiled classes is just as good as having the original source, in others it might make a bigger difference). If required, include a subsection about how to test with or without the original sources.]
[Use the <sup> tag to reference external sources, e.g. Meyer's recipe for tomato soup[1].]
[Describe how to test for this issue by running and interacting with the app. This can include everything from simply monitoring network traffic or aspects of the app’s behavior to code injection, debugging, instrumentation, etc.]
[Describe the best practices that developers should follow to prevent this issue.]
- MX - Title - Link
- V6.12: "The app checks its installation source, and only runs if installed from a trusted source (e.g. Google Play Store / Apple App Store)."
- CWE-XXX - Title
- [1] Meyer's Recipe for Tomato Soup - http://www.finecooking.com/recipes/meyers-classic-tomato-soup.aspx
- Tool - Link
[Provide a general description of the issue.]
[Describe how to assess this given either the source code or installer package (APK/IPA/etc.), but without running the app. Tailor this to the general situation (e.g., in some situations, having the decompiled classes is just as good as having the original source, in others it might make a bigger difference). If required, include a subsection about how to test with or without the original sources.]
[Use the <sup> tag to reference external sources, e.g. Meyer's recipe for tomato soup[1].]
[Describe how to test for this issue by running and interacting with the app. This can include everything from simply monitoring network traffic or aspects of the app’s behavior to code injection, debugging, instrumentation, etc.]
[Describe the best practices that developers should follow to prevent this issue.]
- MX - Title - Link
- V6.13: "The app detects whether it is being executed on a rooted or jailbroken device. Depending on the business requirement, users are warned, or the app is terminated if the device is rooted or jailbroken."
- CWE-XXX - Title
- [1] Meyer's Recipe for Tomato Soup - http://www.finecooking.com/recipes/meyers-classic-tomato-soup.aspx
- Tool - Link