
Security News
Attackers Are Hunting High-Impact Node.js Maintainers in a Coordinated Social Engineering Campaign
Multiple high-impact npm maintainers confirm they have been targeted in the same social engineering campaign that compromised Axios.
android-sec-val
Advanced tools
An automated security validation system for Android applications. This tool orchestrates ADB and Appium to verify:

- **Runtime Integrity**: Debuggable flags, Logcat leaks, Manifest settings.
- **Storage Confidentiality**: Plaintext sensitive data in priva
Prerequisite: an Appium server (`npm install -g appium && appium`).

```bash
npm install -g android-sec-val
# OR run directly from source
npm install
npm run build
```
Start your Appium server and Emulator first.

```bash
# General Usage
android-sec-val validate --package com.example.app

# With APK install and custom sensitive strings
android-sec-val validate \
  --package com.example.app \
  --apk ./path/to/app.apk \
  --sensitive password token auth_key
```
| Option | Alias | Description | Default |
|---|---|---|---|
| `--package` | `-p` | Target Android package name | (Required) |
| `--apk` | `-a` | Path to APK to install | undefined |
| `--sensitive` | `-s` | List of strings to grep for in storage | `['password', 'token', ...]` |
| `--output` | `-o` | JSON report path | `security_report.json` |
Checks performed:

- **Runtime Integrity**: reads the manifest for `android:debuggable`, and checks `allowBackup` and `usesCleartextTraffic`; scans logcat for sensitive strings.
- **Storage Confidentiality** (requires `adb root`): greps `/data/data/<pkg>` for sensitive strings.
- **Cache Hygiene**: inspects `/data/data/<pkg>/cache` for excessive data persistence.
- **External Storage**: inspects `/sdcard/Android/data/<pkg>` and Downloads for leakage.

Note that `adb root` only succeeds on emulators and userdebug/eng builds; on a production device the private-storage checks need a rooted device or a debuggable build of the app (`run-as <pkg>`).

This tool validates defenses against the following specific attack vectors:
| Vulnerability Class | Exploit / Threat Scenario | Validated By Check |
|---|---|---|
| Insecure Data Storage | Attacker with physical access (or malware) dumps /data/data to steal Auth Tokens or PII. | checkStorageIntegrity (asserts encryption) |
| Data Leakage | Sensitive data (passwords, tokens) printed to system logs (logcat) visible to other apps/USB. | checkLogcatLeakage |
| Runtime Tampering | Attacker attaches JDWP debugger to inspect memory or hook methods. | checkDebuggable |
| Network Interception | Attacker on public WiFi (MITM) presents fake cert to steal inflight data. | checkNetworkSecurity (Pinning) |
| Backup Theft | Attacker uses adb backup to extract app data without root. | checkManifestSettings (allowBackup) |
| Cleartext Transmission | App accidentally sends HTTP traffic exposing data to passive monitoring. | checkManifestSettings (usesCleartextTraffic) |
| Cache Leakage | Sensitive images/responses persist in cache/ after logout/exit. | checkCacheHygiene |
The tool generates a JSON report:

```json
[
  {
    "check_name": "debuggable_flag",
    "status": "PASS",
    "severity": "LOW",
    "evidence": "Application is NOT debuggable",
    "category": "RUNTIME"
  }
]
```
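To make the manifest and logcat checks concrete, here is an added example that is not part of android-sec-val: a static re-implementation in plain Node.js of three of the checks listed above (debuggable flag, `allowBackup`/`usesCleartextTraffic`, logcat leakage), producing entries in the same report shape. Where the real tool pulls data over ADB and Appium, this example takes a decoded text `AndroidManifest.xml` and `logcat -v threadtime` lines as input; the package name, PIDs, log lines and both manifests are constructed sample data, and the FAIL severities are this example's own choice.

```javascript
// Added example, not code from android-sec-val: static versions of the
// debuggable, manifest-settings and logcat checks over constructed input.

const DEFAULT_SENSITIVE = ['password', 'token', 'auth_key'];

// Boolean android:<attr> on the <application> element of a decoded (text)
// manifest, or undefined when absent so callers can apply the platform default.
function applicationAttr(manifestXml, attr) {
  const app = manifestXml.match(/<application\b[^>]*>/);
  if (!app) return undefined;
  const m = app[0].match(new RegExp(`\\bandroid:${attr}="(true|false)"`));
  return m ? m[1] === 'true' : undefined;
}

// targetSdkVersion from <uses-sdk>, or undefined (often set in Gradle instead,
// in which case the merged manifest from the built APK must be used).
function targetSdk(manifestXml) {
  const m = manifestXml.match(/android:targetSdkVersion="(\d+)"/);
  return m ? Number(m[1]) : undefined;
}

// Report entry in the shape android-sec-val documents. Severity on PASS is
// LOW as in the sample report above; FAIL severities are assumptions here.
function entry(check_name, category, ok, failSeverity, evidence) {
  return { check_name, status: ok ? 'PASS' : 'FAIL',
           severity: ok ? 'LOW' : failSeverity, evidence, category };
}

function checkDebuggable(manifestXml) {
  // Platform default is false; only an explicit "true" opens JDWP attach.
  const flag = applicationAttr(manifestXml, 'debuggable') === true;
  return entry('debuggable_flag', 'RUNTIME', !flag, 'HIGH',
    flag ? 'android:debuggable="true" permits JDWP attach' : 'Application is NOT debuggable');
}

function checkManifestSettings(manifestXml) {
  // allowBackup defaults to true when unset.
  const backup = applicationAttr(manifestXml, 'allowBackup') ?? true;
  // usesCleartextTraffic defaults to true below targetSdk 28 and false from 28;
  // with no targetSdk in the manifest we assume the permissive default.
  const sdk = targetSdk(manifestXml);
  const explicit = applicationAttr(manifestXml, 'usesCleartextTraffic');
  const cleartext = explicit ?? (sdk === undefined || sdk < 28);
  return [
    entry('allow_backup', 'MANIFEST', !backup, 'MEDIUM',
      backup ? 'android:allowBackup true or unset; adb backup can export app data'
             : 'android:allowBackup="false"'),
    entry('uses_cleartext_traffic', 'MANIFEST', !cleartext, 'HIGH',
      cleartext ? `cleartext HTTP permitted (explicit=${explicit}, targetSdk=${sdk})`
                : 'cleartext HTTP disabled'),
  ];
}

// logcat -v threadtime: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message".
const THREADTIME = /^\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s+(\d+)\s+\d+\s+[VDIWEF]\s+([^:]+):\s*(.*)$/;

// Only lines from the target app's PIDs count; the evidence names the tag and
// the keyword that matched but never copies the leaked value into the report.
function checkLogcatLeakage(logcatLines, appPids, sensitive = DEFAULT_SENSITIVE) {
  const pids = new Set(appPids.map(String));
  const hits = [];
  for (const line of logcatLines) {
    const m = line.match(THREADTIME);
    if (!m || !pids.has(m[1])) continue;
    const [, , tag, msg] = m;
    const kw = sensitive.find(s => msg.toLowerCase().includes(s.toLowerCase()));
    if (kw) hits.push(`${tag.trim()} mentions "${kw}"`);
  }
  return entry('logcat_leakage', 'RUNTIME', hits.length === 0, 'HIGH',
    hits.length ? `${hits.length} leak(s): ${hits.join('; ')}` : 'No sensitive strings in app logcat');
}

function runChecks({ manifestXml, logcatLines, appPids, sensitive }) {
  return [checkDebuggable(manifestXml),
          ...checkManifestSettings(manifestXml),
          checkLogcatLeakage(logcatLines, appPids, sensitive)];
}

// Constructed sample inputs (hypothetical package, PIDs and log lines).
const WEAK_MANIFEST = `
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:label="Demo" android:debuggable="true" android:allowBackup="true">
  </application>
</manifest>`;

const HARDENED_MANIFEST = `
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-sdk android:targetSdkVersion="33"/>
  <application android:label="Demo" android:allowBackup="false"
      android:usesCleartextTraffic="false"
      android:networkSecurityConfig="@xml/network_security_config">
  </application>
</manifest>`;

const LOGCAT = [
  '03-01 10:00:01.100  4242  4242 D AuthRepo: login ok, token=eyJhbGciOi...',
  '03-01 10:00:01.200  4242  4250 I OkHttp : --> POST https://api.example.com/login',
  '03-01 10:00:02.000  9999  9999 W OtherApp: password=hunter2', // other PID, ignored
];

if (typeof require !== 'undefined' && require.main === module) {
  const report = runChecks({ manifestXml: WEAK_MANIFEST, logcatLines: LOGCAT, appPids: [4242] });
  console.log(JSON.stringify(report, null, 2));
}
```

Run with `node checks.js` to see the weak manifest fail all four checks; swap in `HARDENED_MANIFEST` and a PID that does not appear in the log lines to see a clean report. The app PIDs would in practice come from `adb shell pidof <pkg>`, and the decoded manifest from `aapt dump xmltree` or apktool.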
FAQs
The npm package android-sec-val receives a total of 4 weekly downloads; its popularity is therefore classified as not popular.
android-sec-val shows a healthy release cadence and project activity, as the last version was released less than a year ago. It has 1 open-source maintainer collaborating on the project.