(#) com.android.security.lint:lint

Project
:   https://github.com/google/android-security-lints
Vendor
:   Google - Android 3P Vulnerability Research
Contact
:   https://github.com/google/android-security-lints
Feedback
:   https://github.com/google/android-security-lints/issues
Min
:   Lint 4.1
Compiled
:   Lint 8.0 and 8.1
Artifact
:   com.android.security.lint:lint:1.0.3

(##) Included Issues

|Issue Id                                                                        |Issue Description                                                                |
|--------------------------------------------------------------------------------|---------------------------------------------------------------------------------|
|[VulnerableCryptoAlgorithm](VulnerableCryptoAlgorithm.md.html)                  |Application uses vulnerable cryptography algorithms                              |
|[UnsafeCryptoAlgorithmUsage](UnsafeCryptoAlgorithmUsage.md.html)                |Application uses unsafe cipher modes or paddings with cryptographic algorithms   |
|[MissingAutoVerifyAttribute](MissingAutoVerifyAttribute.md.html)                |Application has custom scheme intent filters with missing `autoVerify` attributes|
|[InsecureDnsSdkLevel](InsecureDnsSdkLevel.md.html)                              |Application vulnerable to DNS spoofing attacks                                   |
|[StrandhoggVulnerable](StrandhoggVulnerable.md.html)                            |Application vulnerable to Strandhogg attacks                                     |
|[TapjackingVulnerable](TapjackingVulnerable.md.html)                            |Application's UI is vulnerable to tapjacking attacks                             |
|[DefaultCleartextTraffic](DefaultCleartextTraffic.md.html)                      |Application by default permits cleartext traffic                                 |
|[DefaultTrustedUserCerts](DefaultTrustedUserCerts.md.html)                      |Application by default trusts user-added CA certificates                         |
|[UnintendedExposedUrl](UnintendedExposedUrl.md.html)                            |Application may have a debugging or development URL publicly exposed             |
|[UnintendedPrivateIpAddress](UnintendedPrivateIpAddress.md.html)                |Application may have a private IP address publicly exposed                       |
|[ExposedRootPath](ExposedRootPath.md.html)                                      |Application specifies the device root directory                                  |
|[SensitiveExternalPath](SensitiveExternalPath.md.html)                          |Application may expose sensitive info like PII by storing it in external storage |
|[WeakPrng](WeakPrng.md.html)                                                    |Application uses non-cryptographically secure pseudorandom number generators     |
|[DisabledAllSafeBrowsing](DisabledAllSafeBrowsing.md.html)                      |Application has disabled safe browsing for all WebView objects                   |
|[InsecurePermissionProtectionLevel](InsecurePermissionProtectionLevel.md.html)  |Custom permission created with a normal `protectionLevel`                        |
|[UnsanitizedContentProviderFilename](UnsanitizedContentProviderFilename.md.html)|Trusting ContentProvider filenames without any sanitization                      |
|[InsecureStickyBroadcastsMethod](InsecureStickyBroadcastsMethod.md.html)        |Usage of insecure sticky broadcasts                                              |
|[InsecureStickyBroadcastsPermission](InsecureStickyBroadcastsPermission.md.html)|Usage of insecure sticky broadcasts                                              |

(##) Including

!!!
   This is not a built-in check. To include it, add the dependency below
   to your project. This lint check is included in the lint documentation,
   but the Android team may or may not agree with its recommendations.

```
// build.gradle.kts
lintChecks("com.android.security.lint:lint:1.0.3")

// build.gradle
lintChecks 'com.android.security.lint:lint:1.0.3'

// build.gradle.kts with version catalogs:
lintChecks(libs.com.android.security.lint.lint)

# libs.versions.toml
[versions]
com-android-security-lint-lint = "1.0.3"
[libraries]
# For clarity and text wrapping purposes the following declaration is
# shown split up across lines, but in TOML it needs to be on a single
# line (see https://github.com/toml-lang/toml/issues/516) so adjust
# when pasting into libs.versions.toml:
com-android-security-lint-lint = {
    module = "com.android.security.lint:lint",
    version.ref = "com-android-security-lint-lint"
}
```

1.0.3 is the version this documentation was generated from;
there may be newer versions available.

(##) Changes

* 1.0.1: First version includes DefaultCleartextTraffic,
  DefaultTrustedUserCerts, DisabledAllSafeBrowsing, ExposedRootPath,
  InsecureDnsSdkLevel, InsecurePermissionProtectionLevel,
  MissingAutoVerifyAttribute, SensitiveExternalPath,
  StrandhoggVulnerable, TapjackingVulnerable, UnintendedExposedUrl,
  UnintendedPrivateIpAddress, UnsafeCryptoAlgorithmUsage,
  VulnerableCryptoAlgorithm, WeakPrng.
* 1.0.2: Adds InsecureStickyBroadcastsMethod,
  InsecureStickyBroadcastsPermission,
  UnsanitizedFilenameFromContentProvider.
* 1.0.3: Adds UnsanitizedContentProviderFilename. Removes
  UnsanitizedFilenameFromContentProvider.

(##) Version Compatibility

Multiple versions of this library are available, including older ones:

| Version            | Date     | Issues | Compatible | Compiled      | Requires |
|-------------------:|----------|-------:|------------|--------------:|---------:|
|               1.0.3|          |      18|         Yes|    8.0 and 8.1|8.0 and 8.1|
|               1.0.2|          |      18|         Yes|    8.0 and 8.1|8.0 and 8.1|
|               1.0.1|          |      15|         Yes|    8.0 and 8.1|8.0 and 8.1|

<!-- Markdeep: --><style class="fallback">body{visibility:hidden;white-space:pre;font-family:monospace}</style><script src="markdeep.min.js" charset="utf-8"></script><script src="https://morgan3d.github.io/markdeep/latest/markdeep.min.js" charset="utf-8"></script><script>window.alreadyProcessedMarkdeep||(document.body.style.visibility="visible")</script>