...
Failure to place all privileged code together in one package and seal the package can lead to mix-and-match attacks.
| Rule | Severity | Likelihood | Detectable | Remediation Cost / Repairable | Priority | Level |
|---|---|---|---|---|---|---|
| ENV01-J | High | Probable | No | Medium / No | P12 / P6 | L1 / L2 |
Automated Detection
Detecting code that should be considered privileged or sensitive requires programmer assistance. Given identified privileged code as a starting point, automated tools could compute the closure of all code that can be invoked from that point. Such a tool could plausibly determine whether all code in that closure exists within a single package. A further check of whether the package is sealed is feasible.
| Tool | Version | Checker | Description |
|---|---|---|---|
| CodeSonar | | JAVA.INSEC.LDAP.POISONDA | Potential LDAP Poisoning authentication disabled (Java) |
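The last two checks described under Automated Detection can be sketched as follows. This is an added example, not code from the standard or from any listed tool; the class `SealCheck`, the `com.example.*` names, the call closures, and the manifest text are all constructed for illustration, and computing the closure itself is assumed to be done by a separate call-graph tool.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import java.util.jar.Attributes;
import java.util.jar.Manifest;
import java.util.stream.Collectors;

public class SealCheck {
    // Package of a fully qualified class name ("" for the default package).
    static String packageOf(String className) {
        int dot = className.lastIndexOf('.');
        return dot < 0 ? "" : className.substring(0, dot);
    }

    // A per-package "Sealed" entry overrides the JAR-wide main attribute.
    static boolean isSealed(Manifest mf, String pkg) {
        Attributes entry = mf.getAttributes(pkg.replace('.', '/') + "/");
        String v = entry == null ? null : entry.getValue(Attributes.Name.SEALED);
        if (v == null) v = mf.getMainAttributes().getValue(Attributes.Name.SEALED);
        return "true".equalsIgnoreCase(v);
    }

    // Returns a finding, or null when the closure sits in one sealed package.
    static String check(List<String> closure, Manifest mf) {
        Set<String> pkgs = closure.stream().map(SealCheck::packageOf)
                .collect(Collectors.toCollection(TreeSet::new));
        if (pkgs.size() != 1) return "privileged closure spans packages: " + pkgs;
        String pkg = pkgs.iterator().next();
        return isSealed(mf, pkg) ? null : "package not sealed: " + pkg;
    }

    public static void main(String[] args) throws IOException {
        // Constructed manifest: only com.example.priv is sealed.
        String text = "Manifest-Version: 1.0\n\nName: com/example/priv/\nSealed: true\n\n";
        Manifest mf = new Manifest(
                new ByteArrayInputStream(text.getBytes(StandardCharsets.UTF_8)));
        // Constructed closures, as a call-graph tool might report them.
        System.out.println(check(List.of("com.example.priv.Loader", "com.example.priv.Policy"), mf));
        System.out.println(check(List.of("com.example.priv.Loader", "com.example.util.Helper"), mf));
        System.out.println(check(List.of("com.example.other.Admin"), mf));
    }
}
```

The first closure passes (prints `null`), the second is flagged because it spans two packages, and the third is flagged because its package has no `Sealed: true` entry and the manifest has no JAR-wide one.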
Android Implementation Details
...