Sticky broadcasts cannot be secured with a permission and therefore are accessible to any receiver. If these broadcasts contain sensitive data or reach a malicious receiver, the application may be compromised.

Example 1: The following code sends a sticky broadcast.

...
context.sendStickyBroadcast(intent);
...

Defining new permissions on the android.permission namespace can have unexpected consequences when the OS is updated. If the newer version of the OS defines the exact same permission, the Android Package Management Service (PMS) will silently grant the permission to the app without asking the user allowing privilege escalation attacks.

As this component only expects to receive broadcast messages from the system and not other components, it should be private (inaccessible to other components.)

Hardware and device specific identifiers persist across data wipes and factory resets. One should not rely on these to generate unique identifiers that are used to authorize or authenticate users.

Moreover, leakage of universally unique identifiers, that can be associated with personal information, pose a threat to user privacy and security.

Certain frameworks such as AngularJS limit the protocols that may be set for links to other sites and images. This is primarily to prevent inline JavaScript from running, which may lead to additional cross-site scripting vulnerabilities within the application.

Example 1: The following changes the default allow list of protocols in AngularJS to also allow image HTML elements to allow inline JavaScript.

myModule.config(function($compileProvider){
    $compileProvider.imgSrcSanitizationWhitelist(/^(http(s)?|javascript):.*/);
});

Strict Contextual Escaping (SCE) is a mechanism in AngularJS applications that helps protect the application from attackers. This can prevent many attack vectors across different types of vulnerabilites. The most prominent protection is against certain types of cross-site scripting attacks. In this application, this protection mechanism is specifically disabled.

Example 1: In this example we disable SCE on a module.

myModule.config(function($sceProvider){
  $sceProvider.enabled(false);
});

The application uses code that enables the permessage-deflate WebSocket extension which allows for compression over encrypted connections. Enabling this type of compression makes the application subject to the CRIME and BREACH type of attacks.

Example 1: The following code sets DangerousEnableCompression to true in order to enable the 'per-message-deflate' extension:

    app.Run(async context => {
        using var websocket = await context.WebSockets.AcceptWebSocketAsync(new WebSocketAcceptContext() { DangerousEnableCompression = true });
        await websocket.SendAsync(...);
        await websocket.ReceiveAsync(...);
        await websocket.CloseAsync(WebSocketCloseStatus.NormalClosure, null, default);
    });
    

Example 2: The following code uses DangerousDeflateOptions to set the options for the 'per-message-deflate' extension:

    using ClientWebSocket ws = new() {
        Options = {
            CollectHttpResponseDetails = true,
            DangerousDeflateOptions = new WebSocketDeflateOptions() {
                ClientMaxWindowBits = 10,
                ServerMaxWindowBits = 10
            }
        }
    };