Security Rules

Detects sensitive data stored in AsyncStorage (tokens, passwords, credentials). AsyncStorage stores data in plaintext and is accessible to all apps with root access.

Identifies hardcoded API keys, JWT tokens, AWS credentials, and secrets in source code. These can be extracted from app bundles.

AsyncStorage storing PII (email, phone, SSN, credit card) without encryption. Required for GDPR/CCPA compliance.

Redux persist configuration without encryption transform for sensitive data.

Sensitive data copied to clipboard (accessible by other apps).

WebView loading HTTP URLs instead of HTTPS.

Network requests without timeout configuration. Can lead to resource exhaustion and denial of service if requests hang indefinitely.

TLS version less than 1.2 or custom httpsAgent with insecure options. Weak TLS configurations are vulnerable to protocol downgrade attacks.

WebView with dangerous default configurations that can enable XSS and code injection.

WebView with JavaScript enabled loading dynamic or user-controlled content.

WebView with file access enabled - allows access to local files.

WebView without URL validation on navigation - potential open redirect.

WebView onMessage handler without origin validation.

WebView with DOM storage enabled - may expose sensitive data.

WebView with geolocation enabled - requires proper permission handling.

WebView allows mixed content - HTTPS pages can load HTTP resources.

WebView with caching enabled - may cache sensitive content.

Native module calls without input validation.

WebView loading content without proper security headers like Content-Security-Policy (CSP) or X-Frame-Options. Missing headers can enable XSS and clickjacking attacks.

Math.random() used for security-sensitive operations (tokens, session IDs, encryption keys, OTP codes). Only flagged when used in security contexts - general use like Math.random() * 100 is ignored.

OAuth/access token passed in URL query parameters - logged in browser history.

SSL certificate pinning not implemented. While this is a recommended hardening measure against MITM attacks, many legitimate apps operate securely without it. Consider implementing for high-security applications.

JWT token retrieved from storage without expiration validation.

Password or sensitive input field without secureTextEntry property.

Biometric authentication falling back to insecure methods like PIN stored in JavaScript or plaintext password. Fallback mechanisms should be as secure as the primary authentication method.

No root/jailbreak detection for sensitive apps (banking, fintech, healthcare). Rooted/jailbroken devices can bypass security controls and expose sensitive data.

Use of weak crypto algorithms like MD5, SHA1, DES, or RC4.

Encryption keys hardcoded in source code.

Network request/response logging enabled (Axios interceptors, fetch logging). Logs may contain auth tokens, API keys, and sensitive request data.

Backend error responses surfaced directly to UI or stack traces shown in production. Error messages can expose internal system details, credentials, or sensitive data paths.

Debugger statements or __DEV__ checks in production code. Debug code exposes internal state and can bypass security checks.

Deep link handlers without proper URL validation. Malicious apps can trigger arbitrary deep links to execute unauthorized actions.

Sensitive screens without screenshot/screen recording protection. Screenshots can expose sensitive data in photo galleries and backups.

dangerouslySetInnerHTML used with potentially unsafe content. Enables XSS attacks if user input is rendered as HTML.

eval() or Function constructor used - code injection risk. Allows arbitrary code execution.

console.log() statements logging sensitive data.

Sensitive data passed in navigation params or state.

No tamper detection, checksum/signature verification, or integrity APIs (Play Integrity API, App Attest). Apps without integrity checks are vulnerable to modification and reverse engineering.

Detects 27+ types of exposed API keys and secrets including Firebase, AWS, Stripe, GitHub tokens, RSA keys, JWT tokens, and more. Exposed API keys lead to unauthorized access, data breaches, and financial loss.

Environment file (.env) with secrets potentially committed to repository. .env files contain production secrets and should never be in version control.

Test credentials or example passwords found in source code (test@test.com, admin/admin, demo passwords). Test credentials often work in production or reveal credential format.

Debug or development endpoints exposed in production code (/debug, /dev, /test, /admin). Debug endpoints bypass authentication and expose internal functionality.

Redux DevTools enabled in production. Exposes entire application state including sensitive data.

Storybook imports detected in production code. Increases bundle size and may expose component internals.

Source map reference in production bundle. Source maps reveal original source code including comments and logic.

android:usesCleartextTraffic="true" in AndroidManifest.xml - allows unencrypted HTTP.

android:debuggable="true" in production manifest - allows debuggers to attach.

Exported Android component without permission protection - other apps can access.

Broadcast receiver without permission protection - any app can send broadcasts.

android:allowBackup="true" - app data included in cloud backups.

Overly permissive intent filter may expose unintended functionality.

Android Keystore configuration without StrongBox, user authentication, or using weak block modes like ECB. Insecure Keystore usage weakens encryption and key protection.

Files written to external storage, shared directories, or without encryption. Externally stored files are accessible to other apps and users.

Android permissions declared but not used in code. Unnecessary permissions raise privacy concerns and user distrust.

App Transport Security disabled via NSAllowsArbitraryLoads - allows insecure HTTP.

ATS exception allows insecure loads for entire domains unnecessarily.

Missing usage descriptions for privacy-sensitive permissions (Camera, Location, etc).

Potentially unnecessary background modes enabled - privacy concerns.

Universal links configured without proper validation.

Custom URL scheme without validation code - any app can open.

Keychain access group configuration may expose data to other apps.

Keychain items using kSecAttrAccessibleAlways, missing kSecAttrAccessControl, or no biometric/passcode protection. Always-accessible keychain items can be extracted without user authentication.

Potentially dangerous permissions in app.json. Overreaching permissions raise privacy concerns.

JSON.parse on untrusted input, eval-like dynamic object construction, or native deserialization without validation. Can lead to code execution or prototype pollution attacks.

App requests more permissions than necessary. Privacy concern, users may decline installation.

Known risky SDKs detected such as session replay tools or ad SDKs in sensitive apps. Some SDKs collect excessive data or introduce security vulnerabilities.