Add tests for manifest analysis and update roadmap

Author: davideagostini

build.gradle.kts

@@ -17,6 +17,7 @@ dependencies {
     implementation("com.android.tools.build:gradle:8.2.2")
     implementation(gradleApi())
     implementation(localGroovy())
+    testImplementation("org.junit.jupiter:junit-jupiter:5.10.0")
 }
 
 java {

docs/README.md

@@ -34,17 +34,39 @@ Analyzes your built APK to understand its composition and identify optimization
 ### 3. Security Check
 Identifies common security vulnerabilities in your Android project.
 
-**Checks:**
+**Build Configuration Checks:**
 | Issue | Severity | Description |
 |-------|----------|-------------|
 | Debug Enabled in Release | HIGH | debuggable=true in release build |
 | ProGuard/R8 Disabled | HIGH | minifyEnabled=false in release |
 | Debug App ID | MEDIUM | Application ID contains .debug or .test |
+
+**Manifest Security Checks:**
+| Issue | Severity | Description |
+|-------|----------|-------------|
 | Manifest Debuggable | HIGH | android:debuggable="true" in manifest |
 | Allow Backup | MEDIUM | android:allowBackup="true" |
 | Cleartext Traffic | MEDIUM | android:usesCleartextTraffic="true" |
 | Exported Component | LOW | Exported without permission |
 
+**Permission Analysis:**
+| Issue | Severity | Description |
+|-------|----------|-------------|
+| Dangerous Permission | HIGH/MEDIUM | Dangerous permissions (READ_SMS, CAMERA, etc.) |
+| Permission Not Defined | MEDIUM | Uses undefined custom permission |
+
+**Component Security:**
+| Issue | Severity | Description |
+|-------|----------|-------------|
+| Exported Service | MEDIUM | Service exported without permission |
+| Exported Receiver | MEDIUM | Broadcast receiver exported without permission |
+| Exported Provider | HIGH | Content provider exported without permission |
+
+**Intent Filter Security:**
+| Issue | Severity | Description |
+|-------|----------|-------------|
+| Intent Filter Data Exposure | LOW | Intent filter may expose data |
+
 ### 4. Resource Analysis
 Optimizes your app's resources to reduce APK size.
 
@@ -349,10 +371,10 @@ Check the `reportPath` configuration and ensure the directory is writable.
 - **HTTP URL detection**: Find cleartext HTTP URLs in code
 - **Certificate pinning**: Check for certificate pinning implementation
 
-#### 6. Enhanced Manifest Analysis
-- **Permission analysis**: Review permission usage
-- **Component security**: Detailed exported component analysis
-- **Intent filter security**: Check for intent filter vulnerabilities
+#### 6. Enhanced Manifest Analysis ✅ IMPLEMENTED
+- **Permission analysis**: Review permission usage ✅
+- **Component security**: Detailed exported component analysis ✅
+- **Intent filter security**: Check for intent filter vulnerabilities ✅
 
 #### 7. CI/CD Integration
 - **JSON/XML export**: Machine-readable report formats

src/main/kotlin/com/davideagostini/analyzer/tasks/SecurityCheckTask.kt

@@ -17,9 +17,41 @@ enum class SecurityIssueType(val displayName: String) {
     MANIFEST_DEBUGGABLE("Manifest Debuggable Flag"),
     ALLOW_BACKUP_ENABLED("Backup Enabled"),
     CLEARTEXT_TRAFFIC("Cleartext Traffic Allowed"),
-    EXPORTED_COMPONENT("Exported Component Without Permission")
+    EXPORTED_COMPONENT("Exported Component Without Permission"),
+    // New: Permission Analysis
+    DANGEROUS_PERMISSION("Dangerous Permission Usage"),
+    PERMISSION_NOT_DEFINED("Permission Not Defined"),
+    // New: Component Security
+    EXPORTED_SERVICE("Exported Service Without Permission"),
+    EXPORTED_RECEIVER("Exported Broadcast Receiver Without Permission"),
+    EXPORTED_PROVIDER("Exported Content Provider Without Permission"),
+    // New: Intent Filter Security
+    INTENT_FILTER_DATA_EXPOSURE("Intent Filter May Expose Data")
 }
 
+/**
+ * Dangerous permissions that should be reviewed.
+ */
+private val DANGEROUS_PERMISSIONS = listOf(
+    "READ_CALENDAR", "WRITE_CALENDAR",
+    "CAMERA", "READ_CONTACTS", "WRITE_CONTACTS",
+    "GET_ACCOUNTS", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
+    "RECORD_AUDIO", "READ_PHONE_STATE", "READ_PHONE_NUMBERS",
+    "CALL_PHONE", "READ_CALL_LOG", "WRITE_CALL_LOG",
+    "SEND_SMS", "RECEIVE_SMS", "READ_SMS",
+    "WRITE_EXTERNAL_STORAGE", "READ_EXTERNAL_STORAGE",
+    "BODY_SENSORS", "ACCESS_BACKGROUND_LOCATION"
+)
+
+/**
+ * Permissions that should always require explicit declaration.
+ */
+private val HIGH_RISK_PERMISSIONS = listOf(
+    "READ_CALL_LOG", "WRITE_CALL_LOG", "PROCESS_OUTGOING_CALLS",
+    "READ_SMS", "RECEIVE_SMS", "SEND_SMS",
+    "WRITE_SETTINGS", "SYSTEM_ALERT_WINDOW"
+)
+
 /**
  * Task that checks for security best practices.
  */
@@ -174,11 +206,141 @@ open class SecurityCheckTask : DefaultTask() {
                 }
             }
 
+            // Enhanced Manifest Analysis
+            checkPermissions(content)
+            checkComponentSecurity(content)
+            checkIntentFilterSecurity(content)
+
         } catch (e: Exception) {
             logger.warn("Could not analyze manifest: ${e.message}")
         }
     }
 
+    private fun checkPermissions(content: String) {
+        // Check for dangerous permissions
+        DANGEROUS_PERMISSIONS.forEach { permission ->
+            if (content.contains("android.permission.$permission")) {
+                val severity = if (permission in HIGH_RISK_PERMISSIONS) Severity.HIGH else Severity.MEDIUM
+                findings.add(
+                    SecurityFinding(
+                        type = SecurityIssueType.DANGEROUS_PERMISSION,
+                        severity = severity,
+                        message = "Uses dangerous permission: $permission - Review if absolutely necessary",
+                        location = "AndroidManifest.xml (uses-permission)",
+                        buildType = "all"
+                    )
+                )
+            }
+        }
+
+        // Check for permission declarations
+        val permissionDeclarations = Regex("""<permission[^>]*android:name="([^"]+)"""").findAll(content)
+        val declaredPermissions = permissionDeclarations.map { it.groupValues[1] }.toSet()
+
+        // Check for uses-permission with undefined permissions
+        val usesPermissions = Regex("""android:name="android\.permission\.([^"]+)"""").findAll(content)
+        usesPermissions.forEach { match ->
+            val permName = "android.permission.${match.groupValues[1]}"
+            if (permName !in declaredPermissions && !permName.startsWith("android.permission.COMPANION_")) {
+                // Only warn for custom permissions, not system permissions
+                if (!permName.startsWith("android.permission.")) {
+                    findings.add(
+                        SecurityFinding(
+                            type = SecurityIssueType.PERMISSION_NOT_DEFINED,
+                            severity = Severity.MEDIUM,
+                            message = "Uses permission '$permName' that is not explicitly declared",
+                            location = "AndroidManifest.xml (uses-permission)",
+                            buildType = "all"
+                        )
+                    )
+                }
+            }
+        }
+    }
+
+    private fun checkComponentSecurity(content: String) {
+        // Check exported services without permission
+        val servicePattern = """<service[^>]*android:exported="true"[^>]*>""".toRegex()
+        servicePattern.findAll(content).forEach { match ->
+            val serviceContent = match.value
+            if (!serviceContent.contains("android:permission=")) {
+                val nameMatch = Regex("""android:name="([^"]+)"""").find(serviceContent)
+                val componentName = nameMatch?.groupValues?.get(1) ?: "Unknown Service"
+                findings.add(
+                    SecurityFinding(
+                        type = SecurityIssueType.EXPORTED_SERVICE,
+                        severity = Severity.MEDIUM,
+                        message = "Exported service '$componentName' has no permission protection",
+                        location = "AndroidManifest.xml ($componentName)",
+                        buildType = "all"
+                    )
+                )
+            }
+        }
+
+        // Check exported broadcast receivers without permission
+        val receiverPattern = """<receiver[^>]*android:exported="true"[^>]*>""".toRegex()
+        receiverPattern.findAll(content).forEach { match ->
+            val receiverContent = match.value
+            if (!receiverContent.contains("android:permission=")) {
+                val nameMatch = Regex("""android:name="([^"]+)"""").find(receiverContent)
+                val componentName = nameMatch?.groupValues?.get(1) ?: "Unknown Receiver"
+                findings.add(
+                    SecurityFinding(
+                        type = SecurityIssueType.EXPORTED_RECEIVER,
+                        severity = Severity.MEDIUM,
+                        message = "Exported broadcast receiver '$componentName' has no permission protection",
+                        location = "AndroidManifest.xml ($componentName)",
+                        buildType = "all"
+                    )
+                )
+            }
+        }
+
+        // Check exported content providers without permission
+        val providerPattern = """<provider[^>]*android:exported="true"[^>]*>""".toRegex()
+        providerPattern.findAll(content).forEach { match ->
+            val providerContent = match.value
+            if (!providerContent.contains("android:permission=") && !providerContent.contains("android:grantUriPermissions=")) {
+                val nameMatch = Regex("""android:name="([^"]+)"""").find(providerContent)
+                val componentName = nameMatch?.groupValues?.get(1) ?: "Unknown Provider"
+                findings.add(
+                    SecurityFinding(
+                        type = SecurityIssueType.EXPORTED_PROVIDER,
+                        severity = Severity.HIGH,
+                        message = "Exported content provider '$componentName' has no permission protection",
+                        location = "AndroidManifest.xml ($componentName)",
+                        buildType = "all"
+                    )
+                )
+            }
+        }
+    }
+
+    private fun checkIntentFilterSecurity(content: String) {
+        // Check for intent filters with data exposure risk
+        val intentFilterPattern = """<intent-filter[^>]*>[\s\S]*?</intent-filter>""".toRegex()
+        intentFilterPattern.findAll(content).forEach { match ->
+            val intentFilter = match.value
+
+            // Check for implicit intents with data
+            if (intentFilter.contains("<data ") && intentFilter.contains("android:exported=\"true\"")) {
+                val actionMatch = Regex("""<action[^>]*android:name="([^"]+)"""").find(intentFilter)
+                val action = actionMatch?.groupValues?.get(1) ?: "Unknown"
+
+                findings.add(
+                    SecurityFinding(
+                        type = SecurityIssueType.INTENT_FILTER_DATA_EXPOSURE,
+                        severity = Severity.LOW,
+                        message = "Intent filter with action '$action' may expose data - verify intent handling",
+                        location = "AndroidManifest.xml (intent-filter)",
+                        buildType = "all"
+                    )
+                )
+            }
+        }
+    }
+
     private fun logFindings() {
         logger.quiet("=".repeat(50))
         logger.quiet("Security Check Results")