Security

Composite Recipes

Recipes that include further recipes, often including the individual recipes below.

• Find Android-specific security smells
• Find JWT misuse
• Find hard-coded secret literals
• Find injection vectors
• Find insecure TLS configuration
• Find insecure cookie / session configuration
• Find security smells in Kotlin code
• Find sensitive data in log calls
• Find weak cryptographic primitives

Recipes

• Find "Basic <base64>" literals in source
• Find "alg":"none" literal strings
• Find -----BEGIN ... PRIVATE KEY----- literals
• Find AWS Access Key literals (AKIA…)
• Find Cipher.getInstance("AES") calls without a mode
• Find Cipher.getInstance("AES/CBC/...") calls — verify integrity
• Find Cipher.getInstance("AES/ECB/...") calls
• Find Cipher.getInstance("Blowfish") calls
• Find Cipher.getInstance("DES...") calls
• Find Cipher.getInstance("DESede"/"TripleDES") calls
• Find Cipher.getInstance("RC2") calls
• Find Cipher.getInstance("RC4"/"ARCFOUR") calls
• Find Class.forName(...) calls with non-literal arguments
• Find Cookie.setHttpOnly(false) calls
• Find Cookie.setSecure(false) calls
• Find File("..." + input) constructions
• Find GitHub PAT literals (ghp_…)
• Find Google API key literals (AIza…)
• Find HostnameVerifier \{ _, _ -> true \} lambdas
• Find HttpServletResponse.sendRedirect(input) calls with non-literal arguments
• Find InitialContext.lookup(input) calls with non-literal arguments
• Find Intent("some.implicit.action") constructions
• Find IvParameterSpec(byteArrayOf(...)) constructions with a literal IV
• Find JWT literals (eyJ…-prefixed three-segment tokens)
• Find JwtBuilder.setSigningKey("literal".toByteArray()) patterns
• Find JwtBuilder.signWith(SignatureAlgorithm.NONE, ...) patterns
• Find KeyGenerator.getInstance("DES") calls
• Find KeyPairGenerator.getInstance("RSA") callers — verify 2048+ key size
• Find MODE_WORLD_READABLE references
• Find MessageDigest.getInstance("MD2") calls
• Find MessageDigest.getInstance("MD5") calls
• Find MessageDigest.getInstance("SHA-1") calls
• Find NullCipher() allocations
• Find ObjectInputStream(...) constructions
• Find PBEKeySpec(..., iterations, ...) with low iteration counts
• Find Paths.get("..." + input) calls
• Find ProcessBuilder(varargs) constructions whose first arg is non-literal
• Find Runtime.getRuntime().exec(...) calls with non-literal arguments
• Find SLF4J log calls with sensitive field names in the format string
• Find SSLContext.getInstance("SSL"/"TLSv1"/"TLSv1.1") calls
• Find ScriptEngine.eval(...) calls
• Find ScriptEngineManager.getEngineByName(...) calls
• Find SecretKeySpec(_, "DES") constructions
• Find SecureRandom.setSeed(...) with a literal seed
• Find Slack token literals (xoxb-/xoxp-/xoxa-/xoxr-/xoxs-)
• Find Statement.execute("... " + x) / executeUpdate calls
• Find Statement.executeQuery("... " + x) calls
• Find String.toByteArray() calls without an explicit charset
• Find Stripe API key literals (sk_live_… / sk_test_…)
• Find URL("http://...") literal constructions
• Find WebView.addJavascriptInterface(...) calls
• Find WebView.loadUrl("http://...") calls
• Find WebView.settings.javaScriptEnabled = true / setJavaScriptEnabled(true)
• Find WebView.settings.mixedContentMode = MIXED_CONTENT_ALWAYS_ALLOW settings
• Find WebView.settings.setAllowFileAccessFromFileURLs(true) calls
• Find WebView.settings.setSavePassword(true) calls
• Find X509TrustManager implementations with empty checkServerTrusted
• Find android.util.Log.\{d,i,v,w,e\} calls with sensitive content
• Find getSharedPreferences(_, MODE_PRIVATE) callers
• Find java.util.Random() allocations
• Find kotlin.random.Random.Default references
• Find prepareStatement("... " + x) calls
• Find println("... password ...") patterns
• Find setHostnameVerifier(ALLOW_ALL) calls
• Find two-argument Cipher.init(opmode, key) calls
• Find unsafe Java deserialization
• Find variables named password/secret/token/apiKey with a non-empty literal default