SShortSingh.
Back to feed

MobSF Static Analysis Flags Critical Android Vulnerabilities Before App Deployment

0
·1 views

A developer tested the open-source Mobile Security Framework (MobSF) by running its static analysis engine via a local Docker container against an intentionally vulnerable Android app. Within 60 seconds, the tool surfaced two critical flaws: a hardcoded AWS API key (CWE-798) and an insecure SharedPreferences data storage implementation (CWE-312). The hardcoded key can be extracted by anyone using tools like Apktool after downloading the app, while the insecure storage leaves session tokens readable on rooted devices. The exercise highlights the importance of shifting security checks to the source-code level before an APK is compiled and distributed. The author also envisions embedding such SAST capabilities directly into IDEs as plugins, enabling developers to catch vulnerabilities in real time as they write code.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Log in to join the discussion and vote.

Log in

Related stories

0
ProgrammingDEV Community ·

How Developers Are Prompting AI Agents to Push Back Instead of Just Agreeing

AI sycophancy — the tendency of large language models to validate user ideas even when they are flawed — poses a practical challenge for developers relying on AI agents for critical feedback. This behavior stems from reinforcement learning with human feedback (RLHF), which trains models to prioritize user approval over technical accuracy. A developer writing for DEV Community explored whether a custom 'skill' could be engineered to make AI agents deliver genuine pushback rather than empty agreement. Through iterative testing, they found that brief, structured, rule-based prompts outperformed verbose, human-style instructions in producing honest AI responses. The experiment highlighted both the promise and the current limitations of prompt-level interventions as a countermeasure to AI sycophancy.

0
ProgrammingDEV Community ·

Developer shares Kotlin, Retrofit, and Coroutines stack for open-source Android app

A developer has published a practical guide detailing the architecture and code patterns used to build a production-ready Android app for MyZubster, an open-source skill exchange platform. The app is built with Kotlin and follows the MVVM plus Repository pattern, using Retrofit with OkHttp for networking and Coroutines with StateFlow for asynchronous operations. JWT-based authentication is handled via a custom AuthInterceptor that automatically attaches tokens to outgoing API requests, while credentials are stored locally using SharedPreferences. Additional features include paginated booking history powered by a ViewModel, QR code generation for Monero payment addresses using the ZXing library, and a session countdown timer for user session management. The guide highlights key architectural takeaways such as separating data sources from UI logic, automating token injection, and using reactive streams for efficient UI updates.

0
ProgrammingDEV Community ·

How to Build Multi-Tenant SaaS Using Next.js, Prisma and PostgreSQL

A practical architecture guide outlines three multi-tenancy strategies for SaaS applications built with Next.js, Prisma, and PostgreSQL. The recommended default approach uses a shared database schema with a tenant ID column on every table, suitable for 100 to 10,000 tenants. For stronger data isolation, developers can implement PostgreSQL Row-Level Security policies that enforce tenant filtering at the database level, acting as a safeguard when application code misses a filter. The guide also warns that PgBouncer in transaction mode can strip session variables before queries execute, and recommends using session mode or setting tenant context within the same transaction. Developers are advised to start with the shared schema model and migrate specific tenants to stricter isolation only as business needs grow.

0
ProgrammingDEV Community ·

Developer Builds Client-Side Privacy Scrubber to Strip PII Before AI Prompts Are Sent

A developer has released an open-source, browser-based tool designed to automatically detect and redact sensitive information from text before it is submitted to AI models like ChatGPT. The tool uses regex-based scanning to replace personally identifiable information — such as names, emails, phone numbers, and addresses — with neutral placeholders, ensuring no raw data leaves the user's browser. A locally stored encrypted vault maps each placeholder back to its original value, allowing users to restore real details after receiving an AI-generated response. The project was motivated by growing concerns over inadvertent data leakage, including potential HIPAA violations and corporate IP exposure, which the developer observed in everyday workflows. Future plans include adding named entity recognition for more accurate detection, a browser extension for inline scrubbing, and a lightweight API for enterprise team integration.

MobSF Static Analysis Flags Critical Android Vulnerabilities Before App Deployment · ShortSingh