From afbe4b50abba9cab7419fe09a050b7e75dfc10bd Mon Sep 17 00:00:00 2001
From: Mohamed Elyousfi
Date: Wed, 20 Dec 2023 14:33:27 +0100
Subject: [PATCH 1/2] add APK_MIN_SDK_VERSION to KB
---
 .../_LOW/APK_MIN_SDK_VERSION/description.md | 2 ++
 .../_LOW/APK_MIN_SDK_VERSION/meta.json | 21 +++++++++++++++++++
 .../APK_MIN_SDK_VERSION/recommendation.md | 6 ++++++
 3 files changed, 29 insertions(+)
 create mode 100644 MOBILE_CLIENT/ANDROID/_LOW/APK_MIN_SDK_VERSION/description.md
 create mode 100644 MOBILE_CLIENT/ANDROID/_LOW/APK_MIN_SDK_VERSION/meta.json
 create mode 100644 MOBILE_CLIENT/ANDROID/_LOW/APK_MIN_SDK_VERSION/recommendation.md
diff --git a/MOBILE_CLIENT/ANDROID/_LOW/APK_MIN_SDK_VERSION/description.md b/MOBILE_CLIENT/ANDROID/_LOW/APK_MIN_SDK_VERSION/description.md
new file mode 100644
index 00000000..a9efa6af
--- /dev/null
+++ b/MOBILE_CLIENT/ANDROID/_LOW/APK_MIN_SDK_VERSION/description.md
@@ -0,0 +1,2 @@
+The `android:minSdkVersion` attribute specifies the minimum Android API level required by the application. Setting a low `minSdkVersion` may allow the application to run on older Android versions but could expose users to security vulnerabilities.
+
diff --git a/MOBILE_CLIENT/ANDROID/_LOW/APK_MIN_SDK_VERSION/meta.json b/MOBILE_CLIENT/ANDROID/_LOW/APK_MIN_SDK_VERSION/meta.json
new file mode 100644
index 00000000..9ea6dad1
--- /dev/null
+++ b/MOBILE_CLIENT/ANDROID/_LOW/APK_MIN_SDK_VERSION/meta.json
@@ -0,0 +1,21 @@
+{
+ "risk_rating": "low",
+ "short_description": "Application sets the minSdkVersion attribute to allow usage on Android versions earlier than 23.",
+ "references": {
+ "Android API Levels": "https://developer.android.com/guide/topics/manifest/uses-sdk-element#min"
+ },
+ "title": "Attribute minSdkVersion set",
+ "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
+ "privacy_issue": false,
+ "security_issue": true,
+ "categories": {
+ "GDPR": [
+ "ART_24",
+ "ART_32"
+ ],
+ "PCI_STANDARDS":[
+ "REQ_6_2",
+ "REQUIREMENT_6_3"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/MOBILE_CLIENT/ANDROID/_LOW/APK_MIN_SDK_VERSION/recommendation.md b/MOBILE_CLIENT/ANDROID/_LOW/APK_MIN_SDK_VERSION/recommendation.md
new file mode 100644
index 00000000..a0f0feeb
--- /dev/null
+++ b/MOBILE_CLIENT/ANDROID/_LOW/APK_MIN_SDK_VERSION/recommendation.md
@@ -0,0 +1,6 @@
+Consider setting the `android:minSdkVersion` attribute to a value that corresponds to a more recent Android version. This can help ensure that the application benefits from security improvements and reduces the risk of vulnerabilities associated with older Android releases.
+
+=== "XML"
+ ```xml
+
+ ```
From 4b24380f425a4db5a267b268cca6fb26912ae527 Mon Sep 17 00:00:00 2001
From: Mohamed Elyousfi
Date: Wed, 20 Dec 2023 15:45:37 +0100
Subject: [PATCH 2/2] Fix comments
---
 MOBILE_CLIENT/ANDROID/_LOW/APK_MIN_SDK_VERSION/meta.json | 9 +++++----
 .../ANDROID/_LOW/APK_MIN_SDK_VERSION/recommendation.md | 7 +------
 2 files changed, 6 insertions(+), 10 deletions(-)
diff --git a/MOBILE_CLIENT/ANDROID/_LOW/APK_MIN_SDK_VERSION/meta.json b/MOBILE_CLIENT/ANDROID/_LOW/APK_MIN_SDK_VERSION/meta.json
index 9ea6dad1..375b5276 100644
--- a/MOBILE_CLIENT/ANDROID/_LOW/APK_MIN_SDK_VERSION/meta.json
+++ b/MOBILE_CLIENT/ANDROID/_LOW/APK_MIN_SDK_VERSION/meta.json
@@ -1,10 +1,11 @@
 {
 "risk_rating": "low",
- "short_description": "Application sets the minSdkVersion attribute to allow usage on Android versions earlier than 23.",
+ "short_description": "Application sets the minSdkVersion attribute to allow usage of older versions of Android which may expose users to security vulnerabilities..",
 "references": {
- "Android API Levels": "https://developer.android.com/guide/topics/manifest/uses-sdk-element#min"
+ "Android API Levels": "https://developer.android.com/guide/topics/manifest/uses-sdk-element#min",
+ "Target API level requirements for Google Play apps" : "https://support.google.com/googleplay/android-developer/answer/11926878?hl=en"
 },
- "title": "Attribute minSdkVersion set",
+ "title": "Old minSdkVersion",
 "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
 "privacy_issue": false,
 "security_issue": true,
@@ -15,7 +16,7 @@
 ],
 "PCI_STANDARDS":[
 "REQ_6_2",
- "REQUIREMENT_6_3"
+ "REQ_6_3"
 ]
 }
 }
\ No newline at end of file
diff --git a/MOBILE_CLIENT/ANDROID/_LOW/APK_MIN_SDK_VERSION/recommendation.md b/MOBILE_CLIENT/ANDROID/_LOW/APK_MIN_SDK_VERSION/recommendation.md
index a0f0feeb..cc685943 100644
--- a/MOBILE_CLIENT/ANDROID/_LOW/APK_MIN_SDK_VERSION/recommendation.md
+++ b/MOBILE_CLIENT/ANDROID/_LOW/APK_MIN_SDK_VERSION/recommendation.md
@@ -1,6 +1 @@
-Consider setting the `android:minSdkVersion` attribute to a value that corresponds to a more recent Android version. This can help ensure that the application benefits from security improvements and reduces the risk of vulnerabilities associated with older Android releases.
-
-=== "XML"
- ```xml
-
- ```
+Consider setting the `android:targetSdkVersion` attribute to a value that corresponds to a more recent Android version. This can help ensure that the application benefits from security improvements and reduces the risk of vulnerabilities associated with older Android releases.
\ No newline at end of file
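Review bot: The `cvss_v3_vector` kept as context in the first meta.json hunk of PATCH 2/2, `CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N`, scores 5.4 (Medium) and describes a network-reachable, scope-changing issue, which agrees neither with `"risk_rating": "low"` nor with a manifest-hardening finding. It looks carried over from another entry (PATCH 1/2 introduces it unchanged) and should be re-scored so that consumers sorting by CVSS and by rating see the same severity. In the same hunk the new `short_description` ends in a doubled period (`vulnerabilities..` should be `vulnerabilities.`) and the added reference key has a stray space before its colon (`"Target API level requirements for Google Play apps" :`). The added reference covers target API level rather than minimum SDK, so it is worth confirming it belongs in this entry.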
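Review bot: The replacement line in recommendation.md tells the reader to raise `android:targetSdkVersion`, while this entry's title ("Old minSdkVersion"), description.md and `short_description` all report a low `android:minSdkVersion`. The two attributes are not interchangeable: `targetSdkVersion` opts the app into newer platform behaviour, but only `minSdkVersion` prevents installation on older Android releases that no longer receive security patches, so following the text as written leaves the finding in place. I would word it as `Consider raising android:minSdkVersion to an API level that still receives security updates, and keep android:targetSdkVersion at the latest stable API level.` The hunk also removes the XML example; a short `<uses-sdk>` snippet showing both attributes would make the remediation concrete.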