MASTG-TOOL-0110: semgrep
semgrep is a static code scanner that matches rules written in YAML against source code. It supports many languages; the MASTG uses it to scan Java, Kotlin and Swift, either the app's own sources or the Java output of a decompiler such as jadx.
Techniques

MASTG-TECH-0014: Static Analysis on Android
MASTG-TECH-0108: Taint Analysis

Tests

MASTG-TEST-0231: References to Logging APIs
MASTG-TEST-0206: Undeclared PII in Network Traffic Capture
MASTG-TEST-0245: References to Platform Version APIs
MASTG-TEST-0247: References to APIs for Detecting Secure Screen Lock
MASTG-TEST-0227: Debugging Enabled for WebViews
MASTG-TEST-0221: Broken Symmetric Encryption Algorithms
MASTG-TEST-0212: Use of Hardcoded Cryptographic Keys in Code
MASTG-TEST-0312: References to Explicit Security Provider in Cryptographic APIs
MASTG-TEST-0208: Insufficient Key Sizes
MASTG-TEST-0232: Broken Symmetric Encryption Modes

Demos

MASTG-DEMO-0005: App Writing to External Storage via the MediaStore API
MASTG-DEMO-0004: App Writing to External Storage with Scoped Storage Restrictions
MASTG-DEMO-0064: Uses of Caching UI Elements with semgrep
MASTG-DEMO-0003: App Writing to External Storage without Scoped Storage Restrictions
MASTG-DEMO-0033: Dangerous Permissions in the AndroidManifest with semgrep
MASTG-DEMO-0040: Debuggable Flag Enabled in the AndroidManifest with semgrep
MASTG-DEMO-0078: App Leaking Sensitive Data via Notifications
MASTG-DEMO-0079: App Exposing Access and Verification Codes in Text Input Fields
MASTG-DEMO-0029: Uses of WebViews Allowing Content Access with semgrep
MASTG-DEMO-0032: Uses of WebViews Allowing Local File Access with semgrep
MASTG-DEMO-0061: Uses of FLAG_SECURE with semgrep
MASTG-DEMO-0025: Uses of Build.VERSION.SDK_INT with semgrep
MASTG-DEMO-0056: WebView Ignoring TLS Errors in onReceivedSslError
MASTG-DEMO-0057: Network Security Configuration Allows User-Added Certificates
MASTG-DEMO-0055: Use of the HostnameVerifier that Allows Any Hostname
MASTG-DEMO-0054: Use of a TrustManager that Does Not Validate Certificate Chains
MASTG-DEMO-0039: Detecting StrictMode PenaltyLog Usage with Semgrep
MASTG-DEMO-0028: Uses of KeyguardManager.isDeviceSecure and BiometricManager.canAuthenticate with semgrep
MASTG-DEMO-0007: Common Uses of Insecure Random APIs
MASTG-DEMO-0012: Cryptographic Key Generation With Insufficient Key Length
MASTG-DEMO-0017: Use of Hardcoded AES Key in SecretKeySpec with semgrep
MASTG-DEMO-0008: Uses of Non-random Sources
MASTG-DEMO-0023: Uses of Broken Encryption Modes in Cipher with semgrep
MASTG-DEMO-0022: Uses of Broken Symmetric Encryption Algorithms in Cipher with semgrep
MASTG-DEMO-0075: Uses of Explicit Security Providers in Cryptographic APIs with semgrep
MASTG-DEMO-0071: References to Asymmetric Key Pairs Used For Multiple Purposes with Semgrep
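To show the shape of the rules that drive checks like MASTG-TEST-0221, MASTG-TEST-0232 and MASTG-TEST-0212, here is an added example rule file. It is not the MASTG's own rule set and not part of semgrep; the rule IDs, the file name `mastg-crypto.yaml`, the algorithm and mode regexes, and the `metadata` keys are this example's assumptions. It targets Java only because decompiled jadx output is Java even when the app was written in Kotlin.

```yaml
# mastg-crypto.yaml: added example rules, not from the MASTG or semgrep projects.
# Assumed usage: semgrep --config mastg-crypto.yaml <app-sources-or-jadx-output>
rules:
  # MASTG-TEST-0221: broken or weak symmetric algorithm names passed to
  # Cipher.getInstance(). The metavariable binds the transformation string
  # literal; the regex accepts a bare name or a "NAME/MODE/PADDING" string.
  - id: mastg-broken-symmetric-algorithm
    languages: [java]
    severity: WARNING
    message: >-
      Cipher.getInstance() requests "$ALG", a broken or weak symmetric
      algorithm (MASTG-TEST-0221). Use AES with an authenticated mode
      (e.g. AES/GCM/NoPadding) or ChaCha20-Poly1305 instead.
    metadata:
      mastg-test: MASTG-TEST-0221
    patterns:
      - pattern: Cipher.getInstance("$ALG", ...)
      - metavariable-regex:
          metavariable: $ALG
          regex: (?i)^(DES|DESede|3DES|TripleDES|RC2|RC4|ARCFOUR|Blowfish)(/.*)?$

  # MASTG-TEST-0232: ECB mode, whether named explicitly ("AES/ECB/...") or
  # selected implicitly: on Java/Android, a bare "AES" transformation
  # defaults to AES/ECB/PKCS5Padding.
  - id: mastg-broken-symmetric-mode
    languages: [java]
    severity: WARNING
    message: >-
      Cipher.getInstance() requests "$ALG", which selects ECB mode either
      explicitly or by default when no mode is given (MASTG-TEST-0232).
      Use an AEAD mode such as GCM with a fresh IV per message.
    metadata:
      mastg-test: MASTG-TEST-0232
    patterns:
      - pattern: Cipher.getInstance("$ALG", ...)
      - metavariable-regex:
          metavariable: $ALG
          regex: (?i)^(AES|[A-Z0-9_]+/ECB(/.*)?)$

  # MASTG-TEST-0212: a SecretKeySpec built from a string literal, i.e. a key
  # that ships inside the APK. The "..." string pattern matches any literal,
  # and the trailing "..." argument matches the algorithm-name parameter.
  - id: mastg-hardcoded-secretkeyspec
    languages: [java]
    severity: ERROR
    message: >-
      SecretKeySpec is constructed from a string literal, so the key is
      hardcoded in the app (MASTG-TEST-0212). Generate or derive keys at
      runtime and keep them in the Android Keystore.
    metadata:
      mastg-test: MASTG-TEST-0212
    pattern: new SecretKeySpec("...".getBytes(...), ...)
```

Run it with `semgrep --config mastg-crypto.yaml <directory>`; semgrep prints each finding with the rule ID, the `message` (metavariables such as `$ALG` are substituted with the matched text) and the file and line. Two caveats a reviewer should keep in mind: pattern rules like these only see literals, so a transformation string assembled at runtime or loaded from a resource is missed, which is where taint analysis (MASTG-TECH-0108) comes in; and a hardcoded key may also arrive as a `byte[]` initializer or a Base64-decoded constant rather than a string literal, so a finding of zero for the third rule is not proof that no key is embedded.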