By making your app more secure, you help preserve user trust and device integrity.
This page presents a set of common security issues that Android app developers face. You can use this content in the following ways:
- Learn more about how to proactively secure your apps.
- Understand how to react in the event that one of these issues is discovered in your app.
The following list contains links to dedicated pages for each individual issue, sorted into categories based on OWASP MASVS controls. Each page includes a summary, impact statement, and tips for mitigating the risk to your app.
MASVS-STORAGE: Storage
- Improperly Exposed Directories to FileProvider
- Log Info Disclosure
- Path traversal
- Sensitive Data Stored in External Storage
- Zip Path Traversal
MASVS-CRYPTO: Cryptography
MASVS-NETWORK: Network Communication
MASVS-PLATFORM: Platform Interaction
- Content resolvers
- Implicit Intent hijacking
- Insecure API usage
- Insecure broadcast receivers
- Intent redirection
- Permission-based access control to exported components
- Pending Intents
- Sender of Pending Intents
- Sticky Broadcasts
- StrandHogg Attack / Task Affinity Vulnerability
- Tapjacking
- Unsafe use of deep links
- WebView – Native bridges
- android:debuggable
- android:exported
MASVS-CODE: Code Quality
- Cross-App Scripting
- Custom Permissions
- createPackageContext
- Dynamic code loading
- Improperly trusting ContentProvider-provided filename
- Insecure API or Library
- Insecure Machine-to-Machine communication setup
- Security best practices for backups
- Secure Clipboard Handling
- SQL injection
- Test/Debug Features
- Unsafe Deserialization
- Unsafe HostnameVerifier
- Unsafe X509TrustManager
- Use of native code
- XML External Entities Injection
- Webviews - Unsafe URI Loading