first commit

backend/toolbox/modules/android/custom_rules/clipboard-sensitive-data.yaml

@@ -0,0 +1,15 @@
+rules:
+  - id: clipboard-sensitive-data
+    severity: WARNING
+    languages: [java]
+    message: "Sensitive data may be copied to the clipboard."
+    metadata:
+      authors:
+        - Guerric ELOI (FuzzingLabs)
+      category: security
+      area: clipboard
+      verification-level: [L1]
+    paths:
+      include:
+        - "**/*.java"
+    pattern: "$CLIPBOARD.setPrimaryClip($CLIP)"

backend/toolbox/modules/android/custom_rules/hardcoded-secrets.yaml

@@ -0,0 +1,23 @@
+rules:
+  - id: hardcoded-secrets
+    severity: WARNING
+    languages: [java]
+    message: "Possible hardcoded secret found in variable '$NAME'."
+    metadata:
+      authors:
+        - Guerric ELOI (FuzzingLabs)
+      owasp-mobile: M2
+      category: secrets
+      verification-level: [L1]
+    paths:
+      include:
+        - "**/*.java"
+    patterns:
+      - pattern-either:
+          - pattern: 'String $NAME = "$VAL";'
+          - pattern: 'final String $NAME = "$VAL";'
+          - pattern: 'private String $NAME = "$VAL";'
+          - pattern: 'public static String $NAME = "$VAL";'
+          - pattern: 'static final String $NAME = "$VAL";'
+      - pattern-regex: "$NAME =~ /(?i).*(api|key|token|secret|pass|auth|session|bearer|access|private).*/"
+

backend/toolbox/modules/android/custom_rules/insecure-data-storage.yaml

@@ -0,0 +1,18 @@
+rules:
+  - id: insecure-data-storage
+    severity: WARNING
+    languages: [java]
+    message: "Potential insecure data storage (external storage)."
+    metadata:
+      authors:
+        - Guerric ELOI (FuzzingLabs)
+      owasp-mobile: M2
+      category: security
+      area: storage
+      verification-level: [L1]
+    paths:
+      include:
+        - "**/*.java"
+    pattern-either:
+      - pattern: "$CTX.openFileOutput($NAME, $MODE)"
+      - pattern: "Environment.getExternalStorageDirectory()"

backend/toolbox/modules/android/custom_rules/insecure-deeplink.yaml

@@ -0,0 +1,16 @@
+rules:
+  - id: insecure-deeplink
+    severity: WARNING
+    languages: [xml]
+    message: "Potential insecure deeplink found in intent-filter."
+    metadata:
+      authors:
+        - Guerric ELOI (FuzzingLabs)
+      category: component
+      area: manifest
+      verification-level: [L1]
+    paths:
+      include:
+        - "**/AndroidManifest.xml"
+    pattern: |
+      <intent-filter>

backend/toolbox/modules/android/custom_rules/insecure-logging.yaml

@@ -0,0 +1,21 @@
+rules:
+  - id: insecure-logging
+    severity: WARNING
+    languages: [java]
+    message: "Sensitive data logged via Android Log API."
+    metadata:
+      authors:
+        - Guerric ELOI (FuzzingLabs)
+      owasp-mobile: M2
+      category: logging
+      verification-level: [L1]
+    paths:
+      include:
+        - "**/*.java"
+    patterns:
+      - pattern-either:
+          - pattern: "Log.d($TAG, $MSG)"
+          - pattern: "Log.e($TAG, $MSG)"
+          - pattern: "System.out.println($MSG)"
+      - pattern-regex: "$MSG =~ /(?i).*(password|token|secret|api|auth|session).*/"
+

backend/toolbox/modules/android/custom_rules/intent-redirection.yaml

@@ -0,0 +1,15 @@
+rules:
+  - id: intent-redirection
+    severity: WARNING
+    languages: [java]
+    message: "Potential intent redirection: using getIntent().getExtras() without validation."
+    metadata:
+      authors:
+        - Guerric ELOI (FuzzingLabs)
+      category: intent
+      area: intercomponent
+      verification-level: [L1]
+    paths:
+      include:
+        - "**/*.java"
+    pattern: "$ACT.getIntent().getExtras()"

backend/toolbox/modules/android/custom_rules/sensitive_data_sharedPreferences.yaml

@@ -0,0 +1,18 @@
+rules:
+  - id: sensitive-data-in-shared-preferences
+    severity: WARNING
+    languages: [java]
+    message: "Sensitive data may be stored in SharedPreferences. Please review the key '$KEY'."
+    metadata:
+      authors:
+        - Guerric ELOI (FuzzingLabs)
+      owasp-mobile: M2
+      category: security
+      area: storage
+      verification-level: [L1]
+    paths:
+      include:
+        - "**/*.java"
+    patterns:
+      - pattern: "$EDITOR.putString($KEY, $VAL);"
+      - pattern-regex: "$KEY =~ /(?i).*(username|password|pass|token|auth_token|api_key|secret|sessionid|email).*/"

backend/toolbox/modules/android/custom_rules/sqlite-injection.yaml

@@ -0,0 +1,21 @@
+rules:
+  - id: sqlite-injection
+    severity: ERROR
+    languages: [java]
+    message: "Possible SQL injection: concatenated input in rawQuery or execSQL."
+    metadata:
+      authors:
+        - Guerric ELOI (FuzzingLabs)
+      owasp-mobile: M7
+      category: injection
+      area: database
+      verification-level: [L1]
+    paths:
+      include:
+        - "**/*.java"
+    patterns:
+      - pattern-either:
+          - pattern: "$DB.rawQuery($QUERY, ...)"
+          - pattern: "$DB.execSQL($QUERY)"
+      - pattern-regex: "$QUERY =~ /.*\".*\".*\\+.*/"
+

backend/toolbox/modules/android/custom_rules/vulnerable-activity.yaml

@@ -0,0 +1,16 @@
+rules:
+  - id: vulnerable-activity
+    severity: WARNING
+    languages: [xml]
+    message: "Activity exported without permission."
+    metadata:
+      authors:
+        - Guerric ELOI (FuzzingLabs)
+      category: component
+      area: manifest
+      verification-level: [L1]
+    paths:
+      include:
+        - "**/AndroidManifest.xml"
+    pattern: |
+      <activity android:exported="true"

backend/toolbox/modules/android/custom_rules/vulnerable-content-provider.yaml

@@ -0,0 +1,16 @@
+rules:
+  - id: vulnerable-content-provider
+    severity: WARNING
+    languages: [xml]
+    message: "ContentProvider exported without permission."
+    metadata:
+      authors:
+        - Guerric ELOI (FuzzingLabs)
+      category: component
+      area: manifest
+      verification-level: [L1]
+    paths:
+      include:
+        - "**/AndroidManifest.xml"
+    pattern: |
+      <provider android:exported="true"

backend/toolbox/modules/android/custom_rules/vulnerable-service.yaml

@@ -0,0 +1,16 @@
+rules:
+  - id: vulnerable-service
+    severity: WARNING
+    languages: [xml]
+    message: "Service exported without permission."
+    metadata:
+      authors:
+        - Guerric ELOI (FuzzingLabs)
+      category: component
+      area: manifest
+      verification-level: [L1]
+    paths:
+      include:
+        - "**/AndroidManifest.xml"
+    pattern: |
+      <service android:exported="true"

backend/toolbox/modules/android/custom_rules/webview-javascript-enabled.yaml

@@ -0,0 +1,16 @@
+rules:
+  - id: webview-javascript-enabled
+    severity: ERROR
+    languages: [java]
+    message: "WebView with JavaScript enabled can be dangerous if loading untrusted content."
+    metadata:
+      authors:
+        - Guerric ELOI (FuzzingLabs)
+      owasp-mobile: M7
+      category: webview
+      area: ui
+      verification-level: [L1]
+    paths:
+      include:
+        - "**/*.java"
+    pattern: "$W.getSettings().setJavaScriptEnabled(true)"

backend/toolbox/modules/android/custom_rules/webview-load-arbitrary-url.yaml

@@ -0,0 +1,16 @@
+rules:
+  - id: webview-load-arbitrary-url
+    severity: WARNING
+    languages: [java]
+    message: "Loading unvalidated URL in WebView may cause open redirect or XSS."
+    metadata:
+      authors:
+        - Guerric ELOI (FuzzingLabs)
+      owasp-mobile: M7
+      category: webview
+      area: ui
+      verification-level: [L1]
+    paths:
+      include:
+        - "**/*.java"
+    pattern: "$W.loadUrl($URL)"