This document lists all new security rules added in v1.3.0. A total of 17 new rules were added across 7 scanner modules, expanding coverage for React Native, Expo, Android, and iOS vulnerabilities.
- Severity: HIGH
- File Types:
.json - Description: Detects Expo OTA updates configured in
app.jsonwithout code signing verification. Without code signing, OTA updates can be tampered with via MITM attacks, allowing attackers to inject malicious code. - Detection: Checks for
expo-updatesplugin orupdatesconfig withoutcodeSigningCertificateorcodeSigningMetadata. - False Positive Mitigation: Only triggers when Expo updates are explicitly configured.
- Severity: HIGH
- File Types:
.js,.jsx,.ts,.tsx - Description: Detects
Linking.openURL()called with dynamic/variable URLs without validation. Can be exploited to open malicious URL schemes (tel:,sms:, custom deep links). - Detection: AST analysis for
Linking.openURL()with non-string-literal arguments. Checks surrounding code for validation patterns (validate,sanitize,whitelist,allowedSchemes,canOpenURL,startsWith('https')). - False Positive Mitigation: Only flags dynamic URLs (variables, expressions), not hardcoded string literals. Skips if validation logic is present nearby.
- Severity: MEDIUM
- File Types:
.js,.jsx,.ts,.tsx - Description: Detects sensitive data (passwords, tokens, API keys, SSNs, etc.) passed through React Navigation
navigate()orpush()params. Navigation params are serialized and may persist in navigation state, making them accessible via debugging tools. - Detection: AST analysis of
navigation.navigate('Screen', { token: ... })andnavigation.push()calls. Inspects property keys in the params object against a list of sensitive keywords. - False Positive Mitigation: Only checks property key names in the params object, not arbitrary variables.
- Severity: MEDIUM
- File Types:
.js,.jsx,.ts,.tsx - Description: Detects push notification handlers that log or insecurely store notification payload data containing sensitive information.
- Detection: Checks for push notification library imports (
expo-notifications,@react-native-firebase/messaging,react-native-push-notification,@notifee), then inspects notification listener callbacks forconsole.logof notification data orAsyncStoragewrites with sensitive keywords. - False Positive Mitigation: Only triggers when both a push notification import AND insecure handling pattern are present in the same file.
- Severity: HIGH
- File Types:
.js,.jsx,.ts,.tsx - Description: Detects Expo AuthSession OAuth flows with PKCE explicitly disabled (
usePKCE: false). Without PKCE, mobile OAuth flows are vulnerable to authorization code interception attacks. - Detection: Checks for
expo-auth-sessionimports, then inspectsuseAuthRequest()orstartAsync()calls forusePKCE: false. - False Positive Mitigation: Only flags when PKCE is explicitly disabled (not when it's omitted, since Expo enables PKCE by default).
- Severity: HIGH
- File Types:
.js,.jsx,.ts,.tsx - Description: Detects Realm database opened without
encryptionKeyin contexts handling sensitive data. Unencrypted Realm databases can be extracted from rooted/jailbroken devices. - Detection: AST analysis for
Realm.open()andnew Realm()calls withoutencryptionKeyin config. Checks surrounding code for sensitive context keywords (user,auth,token,payment,credential,account,medical). - False Positive Mitigation: Only triggers when sensitive data context is detected nearby. Does not flag Realm databases storing non-sensitive data.
- Severity: HIGH
- File Types:
.js,.jsx,.ts,.tsx - Description: Detects SQLite databases used without encryption (SQLCipher) for sensitive data storage. Plain SQLite databases can be extracted and read on compromised devices.
- Detection: AST analysis for
openDatabase()andopenDatabaseAsync()calls. Checks surrounding code for both sensitive context AND absence of encryption patterns (sqlcipher,encrypt,cipher,pragma key). - False Positive Mitigation: Requires both sensitive context AND missing encryption to trigger. Skips if any encryption indicator is present.
- Severity: MEDIUM
- File Types:
.js,.jsx,.ts,.tsx - Description: Detects Expo SecureStore configured with weak keychain accessibility options (
AFTER_FIRST_UNLOCKorALWAYS) for sensitive keys. These options make data accessible even when the device is locked. - Detection: AST analysis of
SecureStore.setItemAsync()calls withkeychainAccessibleoption. Cross-references the key name against sensitive keywords. - False Positive Mitigation: Only triggers when both a weak accessibility option AND a sensitive key name are present.
- Severity: MEDIUM
- File Types:
.js,.jsx,.ts,.tsx - Description: Detects WebSocket connections using unencrypted
ws://protocol. Data transmitted overws://can be intercepted via MITM attacks. - Detection: AST analysis for
new WebSocket('ws://...')andws://URL assignments to variables/properties. - False Positive Mitigation: Skips localhost/private IPs when behind
__DEV__check. Only flags URL-assigned strings (not arbitrary strings containingws://).
- Severity: MEDIUM (public IPs) / LOW (private IPs)
- File Types:
.js,.jsx,.ts,.tsx - Description: Detects hardcoded IP addresses in network URLs and API configurations. Hardcoded IPs make infrastructure changes difficult and may expose internal network topology.
- Detection: Regex matching for IP addresses in string literals within URL context or API config properties (
url,host,endpoint,server,api,base). - False Positive Mitigation: Skips test/spec/config files. Only flags IPs in URL-like or API config context (not arbitrary strings). Private IPs behind
__DEV__are skipped. Severity is reduced to LOW for private IPs.
- Severity: HIGH
- File Types:
.json - Description: Detects Expo updates URL configured over insecure HTTP in
app.json. HTTP update URLs allow MITM attackers to inject malicious code via OTA updates. - Detection: Checks
expo.updates.urlinapp.jsonforhttp://prefix. - False Positive Mitigation: Only checks the specific
updates.urlfield in Expo config.
- Severity: HIGH
- File Types:
.json - Description: Detects sensitive values (API keys, secrets, passwords) hardcoded in
app.jsonconfiguration. These values are bundled into the app binary and can be extracted. - Detection: Recursively inspects
expo.extra,expo.ios.config, andexpo.android.configobjects for keys matching sensitive patterns (secret,apikey,private_key,password,client_secret,access_token). - False Positive Mitigation: Skips values containing
process.env,${,your_,placeholder,example, orxxx(environment variable references and placeholder values).
- Severity: MEDIUM
- File Types:
.xml - Description: Detects Android activities with custom
taskAffinityattribute, which enables StrandHogg task hijacking attacks. A malicious app can set the same task affinity to intercept the activity. - Detection: Regex matching for
android:taskAffinityin AndroidManifest.xml activities. - False Positive Mitigation: Skips empty task affinity (
taskAffinity=""), which is actually the secure configuration.
- Severity: HIGH
- File Types:
.js,.jsx,.ts,.tsx,.java,.kt - Description: Detects WebView remote debugging left enabled without a build-type guard. Allows attackers with physical access to inspect and modify WebView content via Chrome DevTools.
- Detection: Text search for
setWebContentsDebuggingEnabled(true)in native code and AST analysis forwebContentsDebuggingEnabled={true}JSX prop. Checks surrounding code for__DEV__,BuildConfig.DEBUG, orisDebuggableguards. - False Positive Mitigation: Skips if a development/debug build check is present nearby.
- Severity: MEDIUM
- File Types:
.xml - Description: Detects Android manifests without a
network_security_config.xmlreference for apps that use internet permission. Without this config, the app cannot enforce certificate pinning or restrict cleartext traffic per-domain. - Detection: Checks for
android:networkSecurityConfigattribute in AndroidManifest.xml. - False Positive Mitigation: Only triggers for apps with
android.permission.INTERNETdeclared (networked apps).
- Severity: MEDIUM
- File Types:
.js,.jsx,.ts,.tsx,.m,.swift - Description: Detects sensitive data written to the iOS pasteboard (clipboard), which is shared across all apps on the device. On iOS versions before 14, any app can silently read the pasteboard.
- Detection: Text search for
UIPasteboardorpasteboardusage combined with sensitive data context keywords. - False Positive Mitigation: Only triggers when both pasteboard usage AND sensitive data context are found in the same file.
- Severity: LOW
- File Types:
.js,.jsx,.ts,.tsx - Description: Detects sensitive apps without protection against iOS app snapshots. iOS captures a screenshot of the app when it enters the background for the app switcher, potentially exposing sensitive data.
- Detection: Checks App entry files for sensitive app indicators, then looks for snapshot protection patterns (
AppState+ blur/overlay,react-native-privacy-snapshot,ScreenCapture.prevent). - False Positive Mitigation: Only checks App entry point files. Requires sensitive app indicators. Checks for multiple protection library patterns.
- Severity: HIGH
- File Types:
.js,.jsx,.ts,.tsx - Description: Detects custom/DIY cryptographic implementations instead of standard libraries. Rolling your own crypto is a well-known anti-pattern that leads to exploitable vulnerabilities.
- Detection: AST analysis for function declarations with names matching DIY crypto patterns (
customEncrypt,simpleHash,xorCipher,caesarEncrypt,base64EncodePassword). Also detects XOR-based "encryption" function calls. - False Positive Mitigation: Skips test/spec files and node_modules. Checks if the function body uses an established crypto library (CryptoJS, expo-crypto, tweetnacl, forge) -- if so, it's a wrapper, not DIY crypto.
- Severity: MEDIUM
- File Types:
.js,.jsx,.ts,.tsx - Description: Detects authentication/session management files without session timeout or inactivity expiry logic. Without timeouts, stolen tokens remain valid indefinitely.
- Detection: Checks files with auth/session/login in the filename for presence of authentication logic AND absence of timeout-related keywords (
timeout,expir,ttl,maxAge,inactivity,autoLogout,idle). - False Positive Mitigation: Only checks auth-related files (filename must contain
auth,session, orlogin). Requires presence of authentication logic before flagging missing timeout.
| Scanner | New Rules | Rule IDs |
|---|---|---|
| React Native / Expo | 5 | EXPO_UPDATES_NO_CODE_SIGNING, INSECURE_LINKING_OPEN, SENSITIVE_NAVIGATION_PARAMS, PUSH_NOTIFICATION_SENSITIVE_DATA, EXPO_AUTH_SESSION_NO_PKCE |
| Storage | 3 | UNENCRYPTED_REALM_DATABASE, UNENCRYPTED_SQLITE_DATABASE, EXPO_SECURE_STORE_WEAK_OPTIONS |
| Network | 2 | INSECURE_WEBSOCKET, HARDCODED_IP_ADDRESS |
| Config | 2 | EXPO_UPDATES_INSECURE_URL, EXPO_SENSITIVE_CONFIG_EXPOSED |
| Android | 3 | ANDROID_TASK_AFFINITY_VULNERABILITY, ANDROID_WEBVIEW_DEBUG_ENABLED, ANDROID_MISSING_NETWORK_SECURITY_CONFIG |
| iOS | 2 | IOS_INSECURE_PASTEBOARD_USAGE, IOS_MISSING_APP_SNAPSHOT_PROTECTION |
| Cryptography | 1 | CUSTOM_CRYPTO_IMPLEMENTATION |
| Authentication | 1 | MISSING_SESSION_TIMEOUT |
| Total | 17 |