Android

Learn about code vulnerability, why it happens, and how to eliminate it

Select a tutorial and start sharpening your skills!

This is a free version.

Forceful Browsing

Forceful (or forced) browsing is a common attack technique used to gain access to web server resources that are restricted, or to resources that are accessed outside of the intended (correct) sequence. An attacker carries out the attack by guessing, knowing or inferring the correct URL and requesting it directly. If the restricted URLs, scripts, or files that reside in the web server directory are not protected by appropriate authorization or sequencing logic, they can be vulnerable to forceful browsing attacks.

5-8 MIN

Available in Full Version only

Excessive Logging

Excessive logging relates to the storing of information about the application state within local or remote (for example, remote crash dump) log files. When this information contains sensitive data, it can present a security risk. Sensitive information can include passwords, personally identifiable information, payment card details, and other (static or temporary) application secrets.

5-8 MIN

Available in Full Version only

Cached Login Credentials

Cached login credentials are convenient for users because, even after they have logged out, they do not need to re-enter their username and password to authenticate. However, they can present an unnecessary security risk, and there are more secure patterns for achieving user convenience.

5-8 MIN

Available in Full Version only

Unprotected Background Screenshots

When switching between applications, an automatic screenshot of the application is taken and cached to allow users to easily identify the status of each running app. In certain scenarios this feature can lead to unintended leakage of sensitive information, depending on the context of the application.

5-8 MIN

Available in Full Version only

Enable Autocomplete Fields

Auto-complete stores completed form fields and passwords locally in the app, so that these fields are filled in automatically when the user visits the site again. However, this means passwords or other sensitive text fields for which the app's auto-complete feature is enabled are stored on the device, introducing unnecessary security risk.

5-8 MIN

Available in Full Version only

Insecure Local Storage

There are a number of patterns for creating, reading, updating and deleting data locally in Android. Some approaches are more secure than others. Understand how insecure local data storage can weaken the security of mobile apps.

5-8 MIN

Available in Full Version only

Sensitive Data in File Storage

Vulnerabilities in local file data stores occur when developers assume that users or malware will not have access to the file, and subsequently store sensitive information in such data stores on the device. This typically leads to a security issue when developers use a local file data store for sensitive information such as encryption keys or hardcoded passwords.

5-8 MIN

Available in Full Version only

Client Side Injection

Client Side Injection vulnerabilities occur when developers trust external data without first validating or sanitizing this input. This can subsequently lead to security issues, including data leakage or execution of malicious code.

5-8 MIN
