319687C3-9523-4647-95B4-3FBC435E1404 Custom Android Rules Custom Android Rules 39C542E2-0464-4E37-8E3C-E06065AD4981 Taint source for Location +LOCATION android\.location Location get(Latitude|Longitude) return B24B904F-7B53-4C7F-A845-83F8B3871ADC Taint source for IMEI +IMEI android\.telephony TelephonyManager getDeviceId return 252EE007-7F07-4E30-A20C-BF38D40E753E Taint source for IMSI +IMSI android\.telephony TelephonyManager getSubscriberId return 324F14AE-57FA-453C-8548-4CC95D751EC6 Taint source for ICC_ID +ICC_ID android\.telephony TelephonyManager getSimSerialNumber return 53832DA3-AD51-4BE8-9E23-D5DC00CB6DA1 Taint source for Phone Number +PH_NUM android\.telephony TelephonyManager getLine1Number return 3FC7F0CE-57BA-4CD9-83BB-3F66AD8CD2DD Propatates the taint on a Handler message (may have lots of false positives) android\.os Handler obtainMessage 0... return 964BCC89-93BB-4E82-832A-495CB9866515 Propatates the taint on a Handler message (may have lots of false positives) android\.os Handler sendMessage 0 this 8484CE94-F30A-4409-A531-9562549C2CDA Identify an OutputStream for {Http}URLConnection java\.net URLConnection getOutputStream return +NETOUT 12DD8495-75A9-4100-969C-BC4054332D93 Identify an InputStream for {Http}URLConnection java\.net URLConnection getInputStream return +NETIN 02DFB1E0-9B86-4B14-9C91-06CC486D4AD2 Propagate taint marking for output streams and writers java\.io (OutputStream|Writer) init\^ 0 this B873E558-0950-4067-B2C0-3D1B17D606EE Propagate taint marking for input streams and readers java\.io (InputStream|Reader) init\^ 0 this C415D7A7-CD02-4032-B79F-4B59C15FB2DC Propagate taint marking to read information java\.io (InputStream|Reader) read this 0 9A748FC4-3AEE-424A-AEC5-0493DF8E7412 Identify an input from HttpResponse org\.apache\.http HttpResponse getEntity return +NETIN AF14B8FC-B929-404A-9972-9F32411F1C92 Propagate taint marking to information from HttpResponse entity org\.apache\.http\.util EntityUtils (toString|toByteArray|getContentCharSet) 0 return E76ADE06-6AC1-4DCC-B2F9-05E5B6461BD0 Identify input from Intent Messages android\.content Intent get.* return +IPCIN 8F598EA0-B0DD-46ED-9C79-39B47FE4CFC6 The log file is a dangerous place to write sensitive info Android Secrecy Information Leak to Log (Location) 5.0 0... android\.util Log .* 39121ABB-68BA-4FA9-88D8-ECFB5EAD8BA8 The log file is a dangerous place to write sensitive info Android Secrecy Information Leak to Log (Phone Identifier) 5.0 0... android\.util Log .* AB1CC8A6-9356-434F-AAA9-2C810EF1865A Taint sink for OutputStream and friends Custom Android Android Exfiltration Sensitive Info to Network - OutputStream (Location) 5.0 0 this java\.io (OutputStream|Writer) write 6BEDF9E8-6124-43DF-9A72-5DF137A78EB6 Taint sink for OutputStream and friends Custom Android Android Exfiltration Sensitive Info to Network - OutputStream (Phone Info) 5.0 0 this java\.io (OutputStream|Writer) write 552E2188-CDC6-4569-8293-B0DD057A6698 Information leak to a URL Custom Android Android Exfiltration Sensitive Info to Network - URL (Location) 5.0 0... java\.net URL (init\^|set) 934CC1C2-BA06-496D-81C5-0870AE52310A Information leak to a URL Custom Android Android Exfiltration Sensitive Info to Network - URL (Phone Info) 5.0 0... java\.net URL (init\^|set) C339BA37-C662-4CD7-BA32-16C5336587F4 Information leak to HTTP Post parameter Custom Android Android Exfiltration Sensitive Info to Network - HttpClient Param (Location) 5.0 0 org\.apache\.http\.client\.methods HttpEntityEnclosingRequestBase setEntity B530926F-5117-42F7-A6B7-0C2C6F24943C Information leak to HTTP Post parameter Custom Android Android Exfiltration Sensitive Info to Network - HttpClient Param (Phone Info) 5.0 0 org\.apache\.http\.client\.methods HttpEntityEnclosingRequestBase setEntity 8AECEDD6-DBB1-4B42-872F-FDFBE32D1D49 Propagate taint marking for BasicNameValuePair org\.apache\.http\.message BasicNameValuePair init\^ 0... this 181A68D5-D154-4E21-AB08-0FF2E34D3A47 Propagate taint marking for AbstractHttpEntity (e.g., URLEncodedFormEntity) org\.apache\.http\.entity AbstractHttpEntity init\^ 0... this 2C2AEE41-0F87-4C63-BE5E-CC2EA8445908 Propagate taint marking for HttpEntity (e.g., URLEncodedFormEntity) org\.apache\.http\.entity HttpEntity init\^ 0... this 82E82E70-6723-4BB3-A1C4-805689655A86 Information leak to HTTP property Custom Android Android Exfiltration Sensitive Info to Network - HTTP Property (Location) 5.0 0,1 java\.net URLConnection setRequestProperty B13EFF2A-DC12-45B9-BA20-E929FB960582 Information leak to HTTP property Custom Android Android Exfiltration Sensitive Info to Network - HTTP Property (Phone Info) 5.0 0,1 java\.net setRequestProperty setEntity B5F33436-E2AC-4373-82FC-42B52099DC64 Propagates the NETIN flag from component string to ComponentName android\.content ComponentName init\^ 0... this 96D5FE90-2C13-47E0-A2AC-EA9706A97910 Network info to the Intent address Custom Android Android Integrity Network to Intent Address (constructor) 5.0 0 android\.content Intent init\^ java.lang.String 01AD50BF-3D50-4A67-B9BA-094B0580CE29 Network info to the Intent address Custom Android Android Integrity Network to Intent Address (setAction) 5.0 0 android\.content Intent setAction BB0CB6F9-2697-48BA-A865-AB73656A67D2 Network info to the Intent address Custom Android Android Integrity Network to Intent Address (setClassName|setComponent) 5.0 0... android\.content Intent (setClassName|setComponent) CCAE59C7-A564-417F-A597-FA8862ED2406 Network info to the Intent address Custom Android Android Integrity IPC to Intent Address (constructor) 5.0 0 android\.content Intent init\^ java.lang.String 7EFD9748-D329-4429-9FEC-FA2E940E6698 Network info to the Intent address Custom Android Android Integrity IPC to Intent Address (setAction) 5.0 0 android\.content Intent setAction B3E8086D-0700-40EF-AA91-7C7440BCB516 Network info to the Intent address Custom Android Android Integrity IPC to Intent Address (setClassName|setComponent) 5.0 0... android\.content Intent (setClassName|setComponent) 36B9101F-E8F3-458E-95A9-02041A0FBC76 Looks for unprotected, public intent broadcats Custom Android Android Secrecy Unprotected Intent Broadcast 5.0 android\.content Intent init\^ android\.content Intent init\^ android.content.Intent android\.content Intent init\^ java.lang.string android\.content Intent init\^ android.content.Context java.lang.Class android\.content Intent setClass.* android\.content Intent setComponent android\.content Intent putExtra android\.content Context sendBroadcast android.content.Intent android\.content Context sendBroadcast android.content.Intent java.lang.String specified { i.$new_class(...) } start -> empty { i.$new(...) | i.$new_action(...) } empty -> specified { i.$set_class(...) | i.$set_component(...)} empty -> has_data { i.$put_extra(...) } has_data -> specified { i.$set_class(...) | i.$set_component(...)} has_data -> unsafe { $unprotected_bcast(i) | $protected_bcast(i, null) } ]]> F8D2775A-106E-4827-9285-3856EF1E1768 Ensures that setPreviewDisplay is used whenever a video source is used Custom Android Android Exfiltration Background Video 5.0 Starts video recording without calling setPreviewDisplay() android\.media MediaRecorder init\^ android\.media MediaRecorder setVideoSource android\.media MediaRecorder setPreviewDisplay android\.media MediaRecorder start alloc { r.new(...) } alloc -> preview { r.$setPreview(...) } alloc -> video { r.$setVideo(...) } video -> video_preview { r.$setPreview(...) } preview -> video_preview { r.$setVideo(...) } video -> unsafe_start { r.$start(...) } ]]> 6F30A869-45C6-448D-8419-9C28C2A22197 Use of microphone without path from an Activity Custom Android Android Exfiltration Background Audio (AudioRecord) 5.0 No path from Activity to call to AudioRecord.read() 5FC87571-E78F-4A41-9CD4-E391A39BB64F Use of microphone or camera without path from an Activity Custom Android Android Exfiltration Background Audio/Video (MediaRecorder) 5.0 No path from Activity to call to MediaRecorder.start() A53F5A3D-C8C7-40E8-92F8-1A9F85C0F47C Null check for IPC in component Custom Android Android Availability IPC Null Check 5.0 android\.content Intent getAction android\.content Intent get.*Extra(s)? android\.os Bundle get.* java.lang.String .* .* .* accessed { i = $getAction(...) | i = $getExtra(...) | i = $bget(...) } accessed -> checked { #compare(i, null) } accessed -> used { i.$any(...) } ]]> 69DEA227-49C8-4C61-B028-6B4825D8F763 Null check for IPC in component Custom Android Android Availability IPC Null Check (Service) 5.0 android\.app Service .* android\.content Intent getAction android\.content Intent get.*Extra(s)? android\.os Bundle get.* java.lang.String .* .* .* accessed { i = $getAction(...) | i = $getExtra(...) | i = $bget(...) } accessed -> checked { #compare(i, null) } accessed -> used { i.$any(...) } ]]> AA7286F5-BC28-47A3-B927-BB6AE7A1724A Null check for IPC in component Custom Android Android Availability IPC Null Check (Receiver) 5.0 android\.content BroadcastReceiver .* android\.content Intent getAction android\.content Intent get.*Extra(s)? android\.os Bundle get.* java.lang.String .* .* .* accessed { i = $getAction(...) | i = $getExtra(...) | i = $bget(...) } accessed -> checked { #compare(i, null) } accessed -> used { i.$any(...) } ]]> B0060613-012C-4AC5-9205-E0E6469E503E Null check for IPC in component Custom Android Android Availability IPC Null Check (Activity) 5.0 android\.app Activity .* android\.content Intent getAction android\.content Intent get.*Extra(s)? android\.os Bundle get.* java.lang.String .* .* .* accessed { i = $getAction(...) | i = $getExtra(...) | i = $bget(...) } accessed -> checked { #compare(i, null) } accessed -> used { i.$any(...) } ]]> 0C393891-7902-4E38-AB02-204EAA1C0D04 Custom Android Android Integrity Unsafe Pending Intent 5.0 PendingIntent objects should only be created from Intents with the destination component class name specified explicitly. android\.content Intent init\^ android\.content Intent init\^ android.content.Intent android\.content Intent init\^ java.lang.string android\.content Intent init\^ android.content.Context java.lang.Class android\.content Intent setClass.* android\.content Intent setComponent android\.app PendingIntent get(Activity|Broadcast|Service) specified { i.$new_class(...) } start -> empty { i.$new(...) | i.$new_action(...) } empty -> specified { i.$set_class(...) | i.$set_component(...)} empty -> unsafe { $getp(?, ?, i, ?) } ]]> A50DCA3D-9D7B-47E4-BCE0-A189BC4A2973 Custom Android Android Integrity Unsafe Pending Intent (RemoteView, so okay?) 5.0 PendingIntent objects should only be created from Intents with the destination component class name specified explicitly. android\.content Intent init\^ android\.content Intent init\^ android.content.Intent android\.content Intent init\^ java.lang.string android\.content Intent init\^ android.content.Context java.lang.Class android\.content Intent setClass.* android\.content Intent setComponent android\.app PendingIntent get(Activity|Broadcast|Service) android\.widget RemoteViews setOnClickPendingIntent specified { i.$new_class(...) } start -> empty { i.$new(...) | i.$new_action(...) } empty -> specified { i.$set_class(...) | i.$set_component(...)} empty -> unsafe { p = $getp(?, ?, i, ?) } unsafe -> onclick { $onClick(?, p) } ]]> AC882B23-4161-4CC3-9638-92D7F71A9669 Look for unprotected public dynamic broadcast recievers Custom Android Android Integrity Unprotected Broadcast Receiver 5.0 Only protected broadcast receivers should specify an IntentFilter that contains anction string subscriptions. android\.content Context registerReceiver android.content.BroadcastReceiver android.content.IntentFilter android\.content Context registerReceiver android.content.BroadcastReceiver android.content.IntentFilter java.lang.String android.os.Handler android\.content IntentFilter init\^ android\.content IntentFilter init\^ java.lang.String android\.content IntentFilter init\^ android.content.IntentFilter android\.content IntentFilter addAction java.lang.String public { if.$newIF_public(...) } start -> empty_if { if.$newIF(...) } empty_if -> public { if.$addIF_action(...) } public -> unprotected { $unprotectedReg(?, if) | $protectedReg(?, if, null, ?) } ]]> 3C8446E0-BC96-42D3-A6FD-F867AFC97599 Finds static parameters to SMS send call Custom Android Android Service Abuse Constant Phone Number for SMS 5.0 default android\.telephony SmsManager (sendTextMessage|sendDataMessage|sendMultipartTextMessage) 952B14B7-C6AA-4945-AEE2-1572EED9E768 Finds hardcode phone numbers format: tel:123456789 Custom Android Android Service Abuse Hardcoded Phone Number 5.0 default android\.net Uri parse ^tel: F22C1722-5810-4AAD-8DE8-E17C854F101D Finds hardcode phone numbers format: tel: and 900 Custom Android Android Service Abuse Hardcoded Phone Number (900) 5.0 default android\.net Uri parse ^tel:.*900 30D704E6-79DF-4992-A9C3-C1C5106B66BF Code retrieves IMEI Custom Android Android Exfiltration Retrieves IMEI 5.0 C6B53CB1-E782-4E62-A722-376FE7060397 Code retrieves IMSI Custom Android Android Exfiltration Retrieves IMSI 5.0 34CC0D71-128C-4894-9DE2-769DBB7C304E Code retrieves ICC-ID Custom Android Android Exfiltration Retrieves ICC-ID 5.0 B6D3A998-A1D3-439B-8F4E-0D15C7D8D2B8 Code retrieves Phone Number Custom Android Android Exfiltration Retrieves Phone Number 5.0 D85BC835-75B1-4E28-96B8-CD3A89593CF1 Code retrieves Location Custom Android Android Exfiltration Retrieves Location (getLastKnownLocation) 5.0 3A5D02C4-B0B2-4576-890A-F4DD842A1A97 Code retrieves Location Custom Android Android Exfiltration Retrieves Location (requestLocationUpdates) 5.0 94A43DC7-1B50-457D-84D6-CA27ED823AF0 Code retrieves Location Custom Android Android Exfiltration Retrieves Location (LocationListener) 5.0 033370F4-ADEF-4DF4-99EA-C498B5EEEB02 Code retrieves info about installed applications Custom Android Android Exfiltration Retrieves Installed Applications (get) 5.0 0F7BC9D7-3E15-41FB-BC2A-341DCC899FF6 Code retrieves info about installed applications Custom Android Android Exfiltration Retrieves Installed Applications (query) 5.0 C94B7C76-4A74-4CBF-924F-BD040D25BC36 Uses normal sockets Custom Android Android Suspicious Uses Socket.connect() Directly 5.0 EDE3D4CC-106C-484C-802A-EDEBB73AB881 Uses normal sockets Custom Android Android Suspicious Uses new Socket(InetAddress|String) Directly 5.0