S.E.Reborn @S_E_Reborn 17.10.2025 15:33

Attacking Android. A comprehensive guide describing various methods of compromising Android devices.

ContentProvider Management in Android Applications;
Protecting Exported Services with Strong Permissions in Android;
Protecting Against Directory Traversal Vulnerabilities in Android;
Preventing Unauthorized Access to Sensitive Activities in Android;
Avoid Storing Sensitive Information on External Storage (SD Card) Without Encryption;
Logging Sensitive Information in Android;
Securing Sensitive Data in Android;
Cache;
Do not use world readable or writeable to share files between apps;
Do not broadcast sensitive information using an implicit intent;
Do not allow WebView to access sensitive local resource through file scheme WebView Security Concerns;
Do not provide addJavascriptInterface method access in a WebView which could contain untrusted content. (API level JELLY_BEAN or below) Noncompliant Code Example;
Enable serialization compatibility during class evolution;
Do not deviate from the proper signatures of serialization methods;
Exclude unsanitized user input from format strings;
Sanitize untrusted data included in a regular expression;
Define wrappers around native methods;
Do not allow exceptions to expose sensitive information;
Do not encode noncharacter data as a string;
Do not release apps that are debuggable;
Consider privacy concerns when using Geolocation API;
Properly verify server certificate on SSL/TLS;
Specify permissions when creating files via the NDK.

#Android #DevSecOps