...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
SEC01-J | high | likely | low | P27 | L1
Automated Detection
Tools that support taint analysis can provide assurance for code that is substantially similar to the first compliant solution. A typical taint analysis assumes that one or more sanitizer methods exist that accept potentially tainted input and return untainted output (or raise an appropriate error). The analysis then checks that only untainted data is used inside the doPrivileged block. Note that the static analysis must assume that the sanitization methods always succeed, which may not be the case in practice; a sanitizer must therefore fail closed (reject the input or throw) rather than pass the input through, because the analysis treats whatever the sanitizer returns as untainted.
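The sanitizer-before-doPrivileged pattern that such a taint analysis checks for, as an added example (this is not code from the CERT page): a noncompliant method that passes a caller-supplied file name straight into the privileged block, beside a compliant version in which only the output of a sanitizer reaches it. The directory, the allowlist of file names and the method names are assumptions chosen for illustration.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Set;

public class PrivilegedFileReader {

    // Assumption: privileged code is only ever meant to open files in this directory.
    private static final File ALLOWED_DIR = new File("/var/app/config");

    // Assumption: explicit allowlist of the file names a caller may request.
    private static final Set<String> ALLOWED_NAMES =
            Set.of("app.properties", "logging.properties");

    // Noncompliant: 'filename' is tainted (caller-controlled) and is used directly
    // inside the privileged block. A taint analysis reports this flow because no
    // sanitizer sits between the untrusted source and the doPrivileged sink.
    static FileInputStream openNoncompliant(final String filename) throws IOException {
        try {
            return AccessController.doPrivileged(
                    (PrivilegedExceptionAction<FileInputStream>) () -> new FileInputStream(filename));
        } catch (PrivilegedActionException e) {
            throw new IOException(e.getException());
        }
    }

    // Sanitizer: returns an untainted File or throws. It fails closed: a name that is
    // not on the allowlist, or one whose canonical path resolves outside ALLOWED_DIR
    // (for example through a symlink), is rejected rather than passed through. The
    // taint analysis assumes exactly this property, so a sanitizer that returned its
    // input unchanged on failure would silently defeat the analysis.
    static File sanitizeFilename(String filename) throws IOException {
        if (filename == null || !ALLOWED_NAMES.contains(filename)) {
            throw new IOException("file name not permitted");
        }
        File canonical = new File(ALLOWED_DIR, filename).getCanonicalFile();
        File canonicalDir = ALLOWED_DIR.getCanonicalFile();
        if (!canonicalDir.equals(canonical.getParentFile())) {
            throw new IOException("resolved path escapes allowed directory");
        }
        return canonical;
    }

    // Compliant: only the sanitizer's (untainted) output reaches the privileged block.
    static FileInputStream openCompliant(String filename) throws IOException {
        final File safe = sanitizeFilename(filename);
        try {
            return AccessController.doPrivileged(
                    (PrivilegedExceptionAction<FileInputStream>) () -> new FileInputStream(safe));
        } catch (PrivilegedActionException e) {
            throw new IOException(e.getException());
        }
    }

    public static void main(String[] args) {
        // A traversal attempt is rejected before any privilege is exercised.
        try {
            openCompliant("../../etc/passwd");
        } catch (IOException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
        // An allowlisted name reaches the privileged block; it fails only if the
        // file itself is missing on this machine.
        try (FileInputStream in = openCompliant("app.properties")) {
            System.out.println("opened, bytes available: " + in.available());
        } catch (IOException e) {
            System.out.println("could not open allowlisted file: " + e.getMessage());
        }
    }
}
```

The allowlist alone already blocks traversal strings; the canonicalization step additionally catches an allowlisted name that has been replaced by a symbolic link pointing elsewhere. Note that AccessController and the Security Manager it relies on have been deprecated for removal since Java 17 (JEP 411), so on current JDKs this pattern compiles with deprecation warnings and the privileged semantics depend on the runtime still supporting a Security Manager.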
...
The code examples using the java.security package are not applicable to Android, but the principle of the rule is applicable to Android apps.
...