Kiuwan December 2015 release

Nobody should be left out these holidays: check out some reasons to get together and be happy with our new Christmas release!

Kiuwan gets stronger on Android

Android developers should be even happier: We added 31 new rules to the security, reliability and efficiency categories. No more excuses for not analyzing your Android apps:

  1. Avoid defining styles with dynamically generated ids.
  2. AdapterViews cannot have children in XML.
  3. Avoid improper access to application data.
  4. Avoid SQL code formed with non-neutralized user input.
  5. Avoid using AbsoluteLayout.
  6. Do not call a recycled resource.
  7. Transactions have to be completed by calling the commit() method.
  8. Avoid improper access to context-created data.
  9. Avoid unsafe log access.
  10. Do not release debuggable apps.
  11. Activities extending PreferenceActivity should not be exported.
  12. A permission has to be required to receive or bind an exported receiver.
  13. A permission has to be required to receive or bind an exported service.
  14. Check that versionCode and versionName are literals.
  15. Make sure the WakeLock is released.
  16. Annotate methods with @JavascriptInterface.
  17. Limit the accessibility of an app’s sensitive ContentProvider.
  18. Resources must be recycled after using them.
  19. Check that the super method is called in the implementation.
  20. The onClick method must exist.
  21. Check that the allowBackup attribute is disabled.
  22. Alias and resource types have to be the same.
  23. Cycles can’t exist in resource definitions.
  24. Check that ScrollViews have just one child.
  25. Do not use SecureRandom with a fixed seed.
  26. Avoid using the cipher with ECB mode or without specifying the mode.
  27. Use the result of a permission check.
  28. Check that required API levels are specified.
  29. Use SparseArray instead of a Map with Integer keys.
  30. Avoid wrapper class constructor calls.
  31. Type check for views with an assigned id.
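Rules 25 and 26 are the two on this list that most often survive code review unnoticed, because the weak and the sound calls look almost identical. The class below is an added example written for this post, not Kiuwan rule code; it places the pattern each rule flags next to a compliant version and lets you observe the difference at runtime. The method names and the constant seed string are the example's own assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class CryptoRuleDemo {

    // What rule 25 flags: a constant seed applied before first use makes the
    // SHA1PRNG output stream fully reproducible, so keys and nonces drawn from
    // it are predictable.
    static byte[] seededRandom(byte[] fixedSeed) throws Exception {
        SecureRandom rng = SecureRandom.getInstance("SHA1PRNG");
        rng.setSeed(fixedSeed);
        byte[] out = new byte[16];
        rng.nextBytes(out);
        return out;
    }

    // Compliant: let the platform seed the generator from its own entropy source.
    static byte[] platformRandom() {
        byte[] out = new byte[16];
        new SecureRandom().nextBytes(out);
        return out;
    }

    // What rule 26 flags: the bare "AES" transformation resolves to
    // AES/ECB/PKCS5Padding, so equal plaintext blocks give equal ciphertext blocks.
    static byte[] ecbEncrypt(SecretKey key, byte[] plain) throws Exception {
        Cipher c = Cipher.getInstance("AES");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(plain);
    }

    // Compliant: an explicit authenticated mode with a fresh random nonce,
    // which is prepended to the ciphertext so the receiver can decrypt.
    static byte[] gcmEncrypt(SecretKey key, byte[] plain) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plain);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed seed for the demo; any constant has the same effect.
        byte[] seed = "constant".getBytes(StandardCharsets.UTF_8);
        System.out.println("fixed-seed output repeats across runs: "
            + Arrays.equals(seededRandom(seed), seededRandom(seed)));
        System.out.println("platform RNG output repeats: "
            + Arrays.equals(platformRandom(), platformRandom()));

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();

        // Two identical 16-byte plaintext blocks expose the ECB weakness directly.
        byte[] twoBlocks = new byte[32];
        Arrays.fill(twoBlocks, (byte) 'A');
        byte[] ecb = ecbEncrypt(key, twoBlocks);
        System.out.println("ECB: first and second ciphertext block equal: "
            + Arrays.equals(Arrays.copyOfRange(ecb, 0, 16), Arrays.copyOfRange(ecb, 16, 32)));

        // GCM output layout: 12-byte nonce, 32 bytes of ciphertext, 16-byte tag.
        byte[] gcm = gcmEncrypt(key, twoBlocks);
        System.out.println("GCM: first and second ciphertext block equal: "
            + Arrays.equals(Arrays.copyOfRange(gcm, 12, 28), Arrays.copyOfRange(gcm, 28, 44)));
    }
}
```

Compile and run with `javac CryptoRuleDemo.java && java CryptoRuleDemo`. The seeded generator returns the same 16 bytes on every call, and the ECB ciphertext repeats its block, which is exactly the structure a static rule cannot see at runtime but can infer from the `setSeed` call and the mode-less transformation string.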

Moving forward with security

If you didn’t know already, during 2015 we’ve been seriously committed to analyzing security the way you need. For those concerned about the security of their applications, here is our Christmas present for you: more improvements in Kiuwan’s security analysis.

In Java:

  • Enhanced data-flow analysis, with better evaluation for expressions and constant values.
  • Better support for security behavior in common frameworks and libraries.
  • Improved false positive rates for most “injection” rules.
  • New security checks added to Java:

(CWE-284) Java access restriction subverted.
(CWE-95) Dynamic code injection in scripting API.
(CWE-94) Dynamic code injection during XML deserialization.
(CWE-352) Cross-site request forgery (CSRF).
(CWE-134) Exclude unsanitized user input from format strings.
(CWE-235) HTTP path/parameter pollution (HPPP).
(CWE-89) Avoid SQL code formed with non-neutralized user input in iBatis.
(CWE-330, CWE-338) Use of insufficient random values.
(CWE-552) File disclosure in server-side J2EE forward/include.
(CWE-601) URL Redirection to Untrusted Site (Open Redirect).
(CWE-114) Library loaded from untrusted source.
(CWE-185) Regular expression injection.
(CWE-918) Server-Side Request Forgery (SSRF).
(CWE-346) Too many allowed origins in the HTML5 Access-Control-Allow-Origin header.
(CWE-501) Trust boundary violation.
(CWE-391) Unhandled SSL exception.
(CWE-611, CWE-776) XML entity injection.
(CWE-643) Avoid XPath expressions formed with non neutralized user input.
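Two of the new Java checks, the open redirect (CWE-601) and the over-permissive Access-Control-Allow-Origin header (CWE-346), share a root cause: a value taken from the request is passed through to a response header without being compared against what the application actually intends to allow. The class below is an added example written for this post, not Kiuwan’s own code; it shows the allowlist-based validation that makes both sinks safe. The host names, the allowlist contents and the method names are constructed for the demo.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

public class RedirectAndCorsDemo {

    // Constructed allowlists for the demo; a real application loads these from
    // configuration rather than hard-coding them.
    static final String OWN_HOST = "app.example.com";
    static final Set<String> ALLOWED_ORIGINS =
        Set.of("https://app.example.com", "https://admin.example.com");

    // CWE-601: the check fires when a redirect target comes straight from the
    // request. This version accepts only a path on this site or an absolute
    // https URL whose host is our own, and falls back to "/" otherwise.
    static String safeRedirectTarget(String requested) {
        if (requested == null || requested.isEmpty()) return "/";
        URI uri;
        try {
            uri = new URI(requested);
        } catch (URISyntaxException e) {
            return "/";                    // malformed input (e.g. backslashes)
        }
        if (uri.isAbsolute()) {
            boolean ownSite = "https".equals(uri.getScheme())
                && OWN_HOST.equalsIgnoreCase(uri.getHost());
            return ownSite ? uri.toString() : "/";
        }
        // Scheme-relative forms such as "//other.example" parse as non-absolute
        // but carry an authority, so they would still leave the site.
        if (uri.getAuthority() != null) return "/";
        String path = uri.getPath();
        if (path == null || !path.startsWith("/")) return "/";
        return uri.normalize().toString();  // a relative path on this site
    }

    // CWE-346: echoing the Origin header back, or answering "*", grants every
    // site access to the response. Return the origin to send in
    // Access-Control-Allow-Origin, or null to send no such header at all.
    static String corsOriginHeader(String requestOrigin) {
        if (requestOrigin == null) return null;
        // Exact match only: prefix or suffix matching would also accept
        // lookalike origins that merely start or end with an allowed value.
        return ALLOWED_ORIGINS.contains(requestOrigin) ? requestOrigin : null;
    }

    public static void main(String[] args) {
        // Constructed inputs covering the usual shapes a redirect parameter takes.
        String[] targets = {
            "/account/settings",
            "https://app.example.com/orders?id=7",
            "https://other.example/landing",
            "//other.example/landing",
            "javascript:void(0)",
            "/a/../b"
        };
        for (String t : targets) {
            System.out.printf("redirect %-40s -> %s%n", t, safeRedirectTarget(t));
        }

        String[] origins = {
            "https://app.example.com",
            "https://admin.example.com",
            "http://app.example.com",            // scheme differs, so not allowed
            "https://app.example.com.other.test",
            null
        };
        for (String o : origins) {
            System.out.printf("origin %-40s -> %s%n", o, corsOriginHeader(o));
        }
    }
}
```

Compile and run with `javac RedirectAndCorsDemo.java && java RedirectAndCorsDemo`. Only the first, second and last redirect targets survive; every origin except the two allowlisted ones yields `null`, meaning the header is omitted. When an allowlist has more than one entry, also send `Vary: Origin` so that a cache never serves one origin’s response to another.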

In JSP:

New security checks added to JSP:

(CWE-917, CWE-95) Expression Language (EL / OGNL) injection.
(CWE-94) JSP file inclusion vulnerability.

In Cobol:

  • Improved Cobol security scanner.
  • Overall improvement in the accuracy of Cobol security rules.
  • New rule for OS command injection.
  • New checkpoints in the ‘Hardcoded password’ rule.
  • The detection rules for injection vulnerabilities now report the complete path from source variable to sink.
  • Better support for embedded SQL.

We are not stopping here: 2016 is just ahead, and we will be equally committed to broadening our security analysis to even more technologies.