If you like tools like SonarQube to continuously check your code quality and you’re a Xamarin developer who wants to make sure their app is secure, you’ll love the Xamarin Security Scanner. The Scanner finds security vulnerabilities by analysing the source code, an approach known as Static Application Security Testing (SAST).
The Scanner is inspired by Quick Android Review Kit (QARK), a tool created by LinkedIn to look for several security-related Android application vulnerabilities. Take note that the Scanner only finds security vulnerabilities in Xamarin.Android. Xamarin.Forms and Xamarin.iOS aren’t supported yet.
The tool reports the following issues:
- Certificate validation overwritten
- Permissions may not be enforced
- Unsafe cipher mode used
- External storage is used
- Hardcoded HTTP URL found
- Logging was found
- Access to phone number
- WorldReadable file found
- Backups are enabled
- App has debugging enabled
- App supports outdated Android version
- App contains a private key
When the Scanner finds one (or more) of the above issues, it provides clear output showing where in the source the issue is located.
You can also exclude certain vulnerabilities, provided you supply a reason why you don’t think they make your app vulnerable. The Scanner was created by Wesley de Kraker under the supervision of Martijn Hazebroek as a graduate intern at Info Support.
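To make concrete what a SAST check for the issues listed above looks like, here is an added example (not the Scanner's own code): a minimal Python scanner that flags four of the listed patterns in Xamarin.Android C# source and honours the kind of reasoned exclusion just described. The regex rules, the sample source file and the exclusion format are assumptions for illustration, not the Scanner's actual rule set.

```python
import re
from collections import namedtuple

# Constructed rules approximating four of the checks listed above (not the Scanner's own rules).
RULES = [
    ("Certificate validation overwritten",
     re.compile(r"ServerCertificateValidationCallback\s*\+?=.*=>\s*true")),
    ("Unsafe cipher mode used", re.compile(r"CipherMode\.ECB")),
    ("Hardcoded HTTP URL found", re.compile(r'"http://[^"]+"')),
    ("Logging was found", re.compile(r"\bLog\.(Debug|Verbose|Info|Warn|Error)\(")),
]
Finding = namedtuple("Finding", "issue file line code")

def scan(source_files, exclusions=None):
    """Scan {path: C# source text}; exclusions maps an issue name to a non-empty reason."""
    exclusions = exclusions or {}
    for issue, reason in exclusions.items():
        if not reason.strip():
            raise ValueError(f"exclusion for '{issue}' needs a reason")
    findings = []
    for path, text in source_files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for issue, pattern in RULES:
                if issue not in exclusions and pattern.search(line):
                    findings.append(Finding(issue, path, lineno, line.strip()))
    return findings

# Constructed Xamarin.Android C# sample (not real project code) that trips every rule once.
SAMPLE = {"MainActivity.cs": '''
public class MainActivity : Activity {
    void Init() {
        ServicePointManager.ServerCertificateValidationCallback += (s, c, ch, e) => true;
        var aes = Aes.Create(); aes.Mode = CipherMode.ECB;
        var cfg = new WebClient().DownloadString("http://example.com/config");
        Log.Debug("App", "config loaded");
    }
}
'''}

if __name__ == "__main__":
    # Logging is excluded with a reason, so three findings are printed.
    for f in scan(SAMPLE, exclusions={"Logging was found": "debug builds only"}):
        print(f"{f.file}:{f.line}: {f.issue}: {f.code}")
```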
Conclusion & Download
The Scanner is a neat and simple way to run some basic security vulnerability checks on your Xamarin.Android apps. Right now it only works with source code, but it would be great if it could also work with packaged applications by decompiling them.
The tool would also be improved by Xamarin.Forms and Xamarin.iOS support, as well as a plugin for Azure DevOps so you can include it in your pipeline. It has a lot of potential and certainly makes life easier for developers!
Is the Scanner something you’d like to add to your projects? What improvements would you like to see? Let me know what you think in the comments and feel free to improve the code by creating a pull request.