# .env
# // VULNERABILITIES //
# - Insecure logging
INSECURE_LOGGING_RULE_ID=android/insecure-logging
INSECURE_LOGGING_PRECISION=high
INSECURE_LOGGING_NAME=Insecure Logging
INSECURE_LOGGING_SEV=7.5
INSECURE_LOGGING_CWE=external/cwe/cwe-346
INSECURE_LOGGING_REMEDIATION=" \n\n### Recommendation\n\n The application implements insecure logging practices, potentially exposing sensitive information in system logs. This vulnerability allows attackers to access sensitive data, credentials, and user information through log files, which can be easily accessed on rooted devices or through debugging tools. Insecure logging can lead to exposure of user credentials, session tokens, and personal information that could be used for account compromise or identity theft.\n\n**Key risks include:**\n- Exposure of user credentials and authentication tokens\n- Leakage of personal identifiable information (PII)\n- Disclosure of sensitive business logic and internal operations\n- Exposure of API keys and system configurations in logs\n- Creation of persistent records of sensitive data\n\n**Recommended actions:**\n- Implement different logging levels for development and production environments\n- Never log sensitive data such as passwords, tokens, or personal information\n- Use log filtering and masking for potentially sensitive data fields\n- Ensure logs are not accessible to other applications on the device\n- Consider implementing secure centralized logging for production environments\n\n### Fixed Code\n```java\nif (Log.isLoggable(\"DEBUG\", Log.DEBUG)) {\n Log.d(\"DEBUG\", \"User attempted login\");\n}\n```\n\n### References\n- [Android Developers: Log](https://developer.android.com/reference/android/util/Log)\n- [OWASP Mobile Top 10: Insecure Logging](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures)\n\n### Evidence\n"
# - Root Detection
ROOT_DETECTION_RULE_ID=android/root-detection
ROOT_DETECTION_PRECISION=high
ROOT_DETECTION_NAME=Lack of Root Detection
ROOT_DETECTION_SEV=8.0
ROOT_DETECTION_CWE=external/cwe/cwe-937
ROOT_DETECTION_REMEDIATION=" \n\n### Recommendation\n\n The application lacks robust root detection mechanisms, allowing potential attackers to run it on rooted devices. This vulnerability exposes the app to system-level access, privilege escalation, and unauthorized manipulation of app data and functionality. Root-based attacks can lead to compromise of sensitive data, bypass of security controls, and manipulation of app behavior.\n\n**Key risks include:**\n- Unauthorized access to app's private storage and databases\n- Manipulation of runtime memory and security controls\n- Interception of encrypted communications\n- Bypass of platform security mechanisms and app integrity checks\n\n**Recommended actions:**\n- Implement multiple layers of root detection as bypass methods evolve\n- Consider the impact on custom Android ROMs and legitimate root users\n- Implement secure data storage regardless of root detection\n- Test detection mechanisms across different Android versions and devices\n- Combine root detection with runtime integrity checks and SSL pinning for defense in depth\n\n### Fixed Code\n```java\npublic class RootDetector {\n public static boolean isDeviceRooted() {\n String[] rootIndicators = {\n \"/system/bin/su\",\n \"/system/xbin/su\",\n \"/sbin/su\",\n \"/system/app/Superuser.apk\",\n \"/data/app/com.topjohnwu.magisk\",\n \"/system/app/supersu/supersu.apk\"\n };\n \n for (String path : rootIndicators) {\n if (new File(path).exists()) {\n return true;\n }\n }\n return false;\n }\n}\n```\n\n### References\n- [OWASP MASVS](https://mas.owasp.org/MASVS/controls/MASVS-RESILIENCE-1/)\n- [Android Root Detection](https://github.com/scottyab/rootbeer)\n\n### Evidence\n"
# - Emulator Detection
EMULATOR_DETECTION_RULE_ID=android/emulator-detection
EMULATOR_DETECTION_PRECISION=high
EMULATOR_DETECTION_NAME=Lack of Emulator Detection
EMULATOR_DETECTION_SEV=7.5
EMULATOR_DETECTION_CWE=external/cwe/cwe-940
EMULATOR_DETECTION_REMEDIATION=" \n\n### Recommendation\n\n The application lacks robust emulator detection mechanisms, allowing potential attackers to run it in emulated environments. This vulnerability exposes the app to reverse engineering, debugging, and systematic analysis of its security controls and sensitive logic. Emulator-based attacks can lead to intellectual property theft, security bypass, and unauthorized access to premium features.\n\n**Key risks include:**\n- Exposure of proprietary algorithms and business logic\n- Bypass of authentication and authorization mechanisms\n- Extraction of hardcoded secrets and encryption keys\n- Automated large-scale attacks using emulator farms\n\n**Recommended actions:**\n- Regularly update detection methods as emulators evolve.\n- Balance security with legitimate use cases (some users may use emulators).\n- Consider graceful degradation instead of complete app blocking.\n- Thoroughly test detection mechanisms to avoid false positives on legitimate devices.\n- Integrate emulator detection with other security measures for a comprehensive defense strategy.\n\n### Fixed Code\n```java\npublic boolean isEmulator() {\n String[] knownEmulatorDevices = {\"generic\", \"unknown\", \"google_sdk\", \"Emulator\", \"Android SDK built for x86\"};\n for (String device : knownEmulatorDevices) {\n if (Build.MODEL.contains(device) || Build.MANUFACTURER.contains(device)) {\n return true;\n }\n }\n return (Build.BRAND.startsWith(\"generic\") && Build.DEVICE.startsWith(\"generic\")) || \"google_sdk\".equals(Build.PRODUCT);\n}\n```\n\n### References\n- [MASWE-0099](https://mas.owasp.org/MASWE/MASVS-RESILIENCE/MASWE-0099)\n\n### Evidence\n"
# - Insecure Storage in Shared Preferences
INSECURE_STORAGE_SP_RULE_ID=android/insecure-storage-shared-prefs
INSECURE_STORAGE_SP_PRECISION=high
INSECURE_STORAGE_SP_NAME=Insecure Storage in Shared Preferences
INSECURE_STORAGE_SP_SEV=8.0
INSECURE_STORAGE_SP_CWE=external/cwe/cwe-312
INSECURE_STORAGE_SP_REMEDIATION=" \n\n### Recommendation\n\n The application stores sensitive data in SharedPreferences without encryption, making it accessible to attackers through root access or backup extraction. Avoid storing sensitive information in SharedPreferences or encrypt it using Android's EncryptedSharedPreferences API.\n\n### Vulnerable Code\n```java\n// Storing sensitive data in SharedPreferences without encryption\nSharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(context);\nSharedPreferences.Editor editor = prefs.edit();\neditor.putString(\"user_token\", \"sensitive_data\"); // Plaintext storage\neditor.apply();\n```\n\n**Key risks include:**\n- Exposure of user credentials and authentication tokens\n- Leakage of personal identifiable information (PII)\n- Disclosure of API keys and other application secrets\n- Unauthorized access to premium features or content\n- Potential for data manipulation leading to app misbehavior\n\n**Recommended actions:**\n- Never store sensitive data in plain text in SharedPreferences\n- Use Android's EncryptedSharedPreferences for storing sensitive information\n- Consider using the Android Keystore system for key management\n- Implement additional layers of encryption for highly sensitive data\n- Regularly audit and rotate stored secrets and keys\n\n### Fixed Code\n```java\n// Storing sensitive data with EncryptedSharedPreferences (androidx.security.crypto); the master key lives in the Android Keystore, so no key is hardcoded in the app\nMasterKey masterKey = new MasterKey.Builder(context)\n .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)\n .build();\nSharedPreferences prefs = EncryptedSharedPreferences.create(\n context,\n \"secure_prefs\",\n masterKey,\n EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,\n EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);\nprefs.edit().putString(\"user_token\", \"sensitive_data\").apply(); // Key and value are encrypted on disk\n```\n\n### References\n- [MASWE-0007](https://mas.owasp.org/MASWE/MASVS-STORAGE/MASWE-0007)\n- [CODEQL - Shared Preferences](https://codeql.github.com/codeql-query-help/java/java-android-cleartext-storage-shared-prefs)\n\n### Evidence\n"
# - Insecure Storage - SQLITE
INSECURE_STORAGE_SQLITE_RULE_ID=android/insecure-storage-sqlite
INSECURE_STORAGE_SQLITE_PRECISION=high
INSECURE_STORAGE_SQLITE_NAME=Insecure Storage in SQLite
INSECURE_STORAGE_SQLITE_SEV=8.0
INSECURE_STORAGE_SQLITE_CWE=external/cwe/cwe-312
INSECURE_STORAGE_SQLITE_REMEDIATION=" \n\n### Recommendation\n\n The application stores sensitive data in SQLite databases without encryption, exposing critical information to potential attackers. This vulnerability allows unauthorized access to structured data storage through root access, backup extraction, or file system access. Insecure SQLite storage can lead to mass data exposure, including user credentials, personal information, and business-critical data, potentially resulting in large-scale data breaches and privacy violations.\n\n**Key risks include:**\n- Bulk extraction of user credentials and session data\n- Mass exposure of personal identifiable information (PII)\n- Unauthorized access to cached API responses and business data\n- Database manipulation leading to application security bypasses\n- Extraction of encrypted data for offline cracking attempts\n\n**Recommended actions:**\n- Implement SQLCipher or other encryption solutions for sensitive databases\n- Use parameterized queries to prevent SQL injection\n- Consider file-level encryption in addition to database encryption\n- Implement proper key management using the Android Keystore system\n- Regularly validate database integrity and access controls\n\n### Fixed Code\n```java\n// Using SQLCipher to encrypt SQLite database\npublic class SecureDBHelper extends net.sqlcipher.database.SQLiteOpenHelper {\n private static final String DATABASE_NAME = \"secure_users.db\";\n private static final int DATABASE_VERSION = 1;\n\n public SecureDBHelper(Context context) {\n super(context, DATABASE_NAME, null, DATABASE_VERSION);\n net.sqlcipher.database.SQLiteDatabase.loadLibs(context); // Load the SQLCipher native library before first use\n }\n\n @Override\n public void onCreate(net.sqlcipher.database.SQLiteDatabase db) {\n db.execSQL(\"CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)\");\n }\n\n @Override\n public void onUpgrade(net.sqlcipher.database.SQLiteDatabase db, int oldVersion, int newVersion) {\n // Schema migrations go here; required by SQLiteOpenHelper\n }\n\n public void insertUser(String username, String password, String passphrase) {\n ContentValues values = new ContentValues();\n values.put(\"username\", username);\n values.put(\"password\", hashPassword(password));\n try (net.sqlcipher.database.SQLiteDatabase db = getWritableDatabase(passphrase)) {\n db.insert(\"users\", null, values);\n }\n }\n\n private String hashPassword(String password) {\n return BCrypt.hashpw(password, BCrypt.gensalt(12));\n }\n}\n```\n\n### References\n- [SQLCipher for Android](https://www.zetetic.net/sqlcipher/sqlcipher-for-android/)\n- [OWASP Mobile Security](https://owasp.org/www-project-mobile-security-testing-guide/)\n\n### Evidence\n"
# - Lack of SSL Pinning
SSL_PINNING_RULE_ID=android/lack-ssl-pinning
SSL_PINNING_PRECISION=high
SSL_PINNING_NAME=Lack Of SSL Pinning
SSL_PINNING_SEV=8.0
SSL_PINNING_CWE=external/cwe/cwe-295
SSL_PINNING_REMEDIATION=" \n\n### Recommendation\n\n The application lacks SSL certificate pinning, leaving it vulnerable to man-in-the-middle (MITM) attacks. This vulnerability allows attackers to intercept, view, and potentially modify encrypted network traffic between the app and servers, even when HTTPS is used. The absence of SSL pinning can lead to sensitive data exposure, session hijacking, and injection of malicious data or commands, compromising the integrity and confidentiality of user data and app functionality.\n\n**Key risks include:**\n- Interception of user credentials and session tokens\n- Exposure of sensitive API communications and responses\n- Potential for data manipulation in transit\n- Bypass of server authentication, enabling phishing attacks\n- Injection of malicious code or commands into the app's data stream\n\n**Recommended actions:**\n- Implement certificate pinning for all critical API endpoints\n- Regularly update pinned certificates to align with server certificate rotations\n- Consider using both public key and certificate pinning for enhanced security\n- Implement fallback mechanisms to handle certificate changes without app updates\n- Thoroughly test pinning implementation to avoid breaking legitimate connections\n\n### Fixed Code\n```java\nimport okhttp3.CertificatePinner;\nimport okhttp3.OkHttpClient;\n\npublic class SecureHttpClient {\n public OkHttpClient getPinnedClient() {\n CertificatePinner certificatePinner = new CertificatePinner.Builder()\n .add(\"yourdomain.com\", \"sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\")\n .build();\n\n return new OkHttpClient.Builder()\n .certificatePinner(certificatePinner)\n .build();\n }\n}\n```\n\n### References\n- [OWASP Pinning Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Pinning_Cheat_Sheet.html)\n- [SSL Pinning Android](https://medium.com/@KaushalVasava/ssl-pinning-in-android-app-bf211b57b3be)\n\n### Evidence\n"
# - Insecure Storage - SDCARD
INSECURE_STORAGE_SDCARD_RULE_ID=android/insecure-ssd
INSECURE_STORAGE_SDCARD_PRECISION=high
INSECURE_STORAGE_SDCARD_NAME=Insecure Storage in External Storage
INSECURE_STORAGE_SDCARD_SEV=9.0
INSECURE_STORAGE_SDCARD_CWE=external/cwe/cwe-295
INSECURE_STORAGE_SDCARD_REMEDIATION=" \n\n### Recommendation\n\n The application stores sensitive data on the device's external storage (SDCARD) without proper encryption or access controls. This vulnerability exposes critical information to any app with read external storage permissions, as well as to attackers with physical access to the device. Insecure storage on SDCARD can lead to unauthorized access to user data, potential malware infections, and privacy breaches, compromising user trust and potentially violating data protection regulations.\n\n**Key risks include:**\n- Unauthorized access to sensitive user files by other apps\n- Exposure of application data to malware or file manager apps\n- Data theft through physical access to the device or removable storage\n- Potential manipulation of app data leading to security bypasses\n- Violation of privacy laws and regulations (e.g., GDPR, CCPA)\n\n**Recommended actions:**\n- Avoid storing sensitive data on external storage whenever possible\n- Implement strong encryption for any data that must be stored externally\n- Use Android's scoped storage model for better file access control\n- Consider using ContentProvider for sharing files instead of direct SDCARD access\n- Regularly audit and clean up any data stored on external storage\n\n### Fixed Code\n```java\n// Encrypting with an Android Keystore AES/GCM key before writing to app-specific external storage\nString filename = \"user_data.bin\";\nbyte[] data = encryptData(\"sensitive_data\");\nFile dir = context.getExternalFilesDir(null); // App-specific directory under scoped storage\nFile file = new File(dir, filename);\ntry (FileOutputStream fos = new FileOutputStream(file)) {\n fos.write(data);\n}\n\nprivate byte[] encryptData(String data) throws GeneralSecurityException, IOException {\n KeyStore keyStore = KeyStore.getInstance(\"AndroidKeyStore\");\n keyStore.load(null);\n if (!keyStore.containsAlias(\"file_key\")) {\n KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, \"AndroidKeyStore\");\n kg.init(new KeyGenParameterSpec.Builder(\"file_key\", KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)\n .setBlockModes(KeyProperties.BLOCK_MODE_GCM)\n .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)\n .build());\n kg.generateKey(); // Key material never leaves the Keystore\n }\n SecretKey key = (SecretKey) keyStore.getKey(\"file_key\", null);\n Cipher cipher = Cipher.getInstance(\"AES/GCM/NoPadding\");\n cipher.init(Cipher.ENCRYPT_MODE, key); // Keystore supplies a fresh random IV per encryption\n byte[] iv = cipher.getIV();\n byte[] ciphertext = cipher.doFinal(data.getBytes(StandardCharsets.UTF_8));\n byte[] out = new byte[iv.length + ciphertext.length];\n System.arraycopy(iv, 0, out, 0, iv.length);\n System.arraycopy(ciphertext, 0, out, iv.length, ciphertext.length);\n return out; // IV prepended so the file can be decrypted later\n}\n```\n\n### References\n- [MASTG-Android Data Storage](https://mas.owasp.org/MASTG/0x05d-Testing-Data-Storage/)\n- [Android Developer Guide - Data Storage](https://developer.android.com/training/data-storage)\n\n### Evidence\n"
# - MOCK DATA / TEST DATA
MOCK_USER_NAME=user321@outlook.com
MOCK_PASSWORD=password123
# - Proxy Config
PROXY_PORT=8082
PROXY_HOST=10.0.3.2 # - The default IP to point to host machine through Genymotion
# - Webhook config
WEBHOOK_PORT=8083
WEBHOOK_SERVER=localhost
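A parser for this file's own format, added here as an example and not part of the repository: the `*_REMEDIATION` values are double-quoted strings carrying `\n` and `\"` escapes and containing `#` characters (markdown headings), while `PROXY_HOST` carries an unquoted value followed by a ` # ` comment, so a naive split on `#` would corrupt the markdown. The sample input is a constructed excerpt in the same shape, and `rules_by_id` (a hypothetical helper) groups the `<PREFIX>_RULE_ID`, `_SEV`, `_CWE`, `_REMEDIATION` keys into one record per rule.

```python
import re
# Constructed excerpt in the same shape as the .env above, not the full file.
SAMPLE_ENV = r'''# .env
# - Insecure logging
INSECURE_LOGGING_RULE_ID=android/insecure-logging
INSECURE_LOGGING_PRECISION=high
INSECURE_LOGGING_NAME=Insecure Logging
INSECURE_LOGGING_SEV=7.5
INSECURE_LOGGING_CWE=external/cwe/cwe-346
INSECURE_LOGGING_REMEDIATION=" \n\n### Recommendation\n\n Never log secrets.\n\n### Fixed Code\n```java\nLog.d(\"DEBUG\", \"User attempted login\");\n```\n"
# - Proxy Config
PROXY_PORT=8082
PROXY_HOST=10.0.3.2 # - The default IP to point to host machine through Genymotion
'''

_ESCAPES = {"n": "\n", "t": "\t", "r": "\r"}
# A quoted value runs to the first unescaped double quote; `\.` consumes `\"` and `\n` pairs.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

def _unescape(body: str) -> str:
    """Decode \\n, \\t, \\r, \\" and \\\\ inside a double-quoted .env value."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), body)

def parse_env(text: str) -> dict:
    """KEY=value lines; quoted values keep their '#' and escapes, bare values drop ' # ...' comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if value.startswith('"'):
            m = _QUOTED.match(value)
            if m is None:
                raise ValueError(f"unterminated quoted value for {key}")
            env[key] = _unescape(m.group(1))  # '### Recommendation' is content, not a comment
        else:
            env[key] = value.split(" #", 1)[0].strip()
    return env

def rules_by_id(env: dict) -> dict:
    """Group <PREFIX>_RULE_ID, _PRECISION, _NAME, _SEV, _CWE, _REMEDIATION into one record per rule."""
    fields = ("RULE_ID", "PRECISION", "NAME", "SEV", "CWE", "REMEDIATION")
    rules = {}
    for key, rule_id in env.items():
        if key.endswith("_RULE_ID"):
            prefix = key[: -len("_RULE_ID")]
            rules[rule_id] = {f.lower(): env.get(f"{prefix}_{f}") for f in fields}
    return rules
```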