| author | Albin <albin@mullvad.net> | 2023-11-22 14:17:21 +0100 |
|---|---|---|
| committer | Albin <albin@mullvad.net> | 2023-11-22 15:27:47 +0100 |
| commit | caa00c4a5584a139343f424db1796fa53672f53c (patch) | |
| tree | 3dc7c40cb733193726182d863bf667c91db04029 /android | |
| parent | 284ef737263cea2e080f6b614a4ea999655d690b (diff) | |
| download | mullvadvpn-caa00c4a5584a139343f424db1796fa53672f53c.tar.xz mullvadvpn-caa00c4a5584a139343f424db1796fa53672f53c.zip | |
Add mobsf config to suppress and document issues
Diffstat (limited to 'android')
| -rw-r--r-- | android/config/config.mobsf | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/android/config/config.mobsf b/android/config/config.mobsf new file mode 100644 index 0000000000..0b00ae401a --- /dev/null +++ b/android/config/config.mobsf @@ -0,0 +1,28 @@ +--- +- ignore-rules: + # Sensitive data isn't logged. There's also an external issue to scan log calls (DROID-527). + - android_kotlin_logging + + # The kotlin code isn't responsible for any external API communication and therefore the risk for + # including sensitive credentials is very small. This check also caused many false-positives since + # the keyword "key" is used throughout the app to for arguments, bundles and preferences. + - android_kotlin_hardcoded + + # Intentially not prevented due to a technical user base. We might however want to inform users, + # which is something we'll review in an externally tracked issue (DROID-528). + - android_root_detection + - android_safetynet + + # The backend API communication is done by the Mullvad Daemon which is built in rust. + - android_ssl_pinning + - android_certificate_pinning + - android_certificate_transparency + + # Sensitive screens currently prevent screenshots. + - android_prevent_screenshot + + # Will be investigate in the externally tracked issue DROID-529. + - android_tapjacking + + # We've currently decided to support Android 8. + - android_manifest_insecure_minsdk |
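Review bot: The `android_kotlin_hardcoded` entry switches the rule off for the whole scan on the grounds that the risk is "very small" and that the keyword "key" causes false positives, but unlike the logging, root-detection and tapjacking entries it carries no tracking issue, so a credential hardcoded in Kotlin later would pass unflagged with nothing scheduled to revisit the decision. Consider adding a follow-up reference like the DROID-527/528/529 ones on the other entries, or limiting the suppression to the places where the false positives occur if the scanner allows it. The same applies to `android_manifest_insecure_minsdk`, where "We've currently decided to support Android 8" records the decision but not what would prompt a review of it. The pinning comment explains why the Kotlin code does not pin but not whether the Rust daemon does; a pointer to where that is verified would make the suppression of the three pinning and transparency rules self-contained. Minor wording in the comments: "Intentially" should be "Intentionally", "to for arguments" has a stray "to", and "Will be investigate" should be "Will be investigated".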
