I'm curious about what vulnerabilities the Fortify rulesets look for in Android applications. Unfortunately I'm unable to find any documentation on the same. I know that they look around for Java specific vulns along with Permission checks for Components -- anything else? SQL injection checks? Intent checks?


Solution

Besides all the regular Java rules, there are Android specific rules for the following categories:

Code Quality:
Android Bad Practices - Use of Released Camera
Android Bad Practices - Use of Released SQLite Resource
Android Bad Practices - Use of Released Media Resource
Unreleased Resource - Android Media

Encapsulation:
Insecure Storage - Android External Storage
System Information Leak

Input Validation and Representation:
Command Injection
Cross-Site Scripting - Persistent
Cross-Site Scripting - Poor Validation
Cross-Site Scripting - Reflected
Header Manipulation - Cookies
Log Forging
Path Manipulation
Query String Injection - Android Provider
Resource Injection
SQL Injection

Security Features:
Access Control - Android Provider
Access Control - Database
Android Bad Practices - Missing Broadcaster Permission
Android Bad Practices - Missing Receiver Permission
Android Bad Practices - Sticky Broadcast
Password Management
Password Management - Empty Password
Password Management - Hardcoded Password
Password Management - Null Password
Password Management - Weak Cryptography
Privacy Violation
Privilege Management - Android Location
Privilege Management - Android Messaging
Privilege Management - Android Telephony
Privilege Management - Missing API Permission
Privilege Management - Missing Content Provider Permission
Privilege Management - Missing Intent Permission
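To make two of the listed categories concrete, here is an added Java example (not from the answer above and not Fortify's own documentation) showing the code pattern behind "Query String Injection - Android Provider" / "SQL Injection" and behind "Android Bad Practices - Missing Receiver Permission", each next to a fixed form. The `notes` table, the `NotesQueries` class and the permission string are assumed names.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.IntentFilter;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import java.util.Arrays;
import java.util.List;

/** Added illustration of two Android rule categories; names are hypothetical. */
public final class NotesQueries {

    /** VULNERABLE: 'selection' arrives from another app's ContentResolver.query()
     *  (or an Intent extra) and is concatenated into the SQL text, so whatever the
     *  caller sends becomes part of the statement. This is what the
     *  "Query String Injection - Android Provider" rule reports. */
    public static Cursor queryUnsafe(SQLiteDatabase db, String selection) {
        String sql = "SELECT _id, title, body FROM notes WHERE " + selection;
        return db.rawQuery(sql, null);
    }

    /** Sort columns cannot be bound as parameters, so they are allow-listed. */
    private static final List<String> SORTABLE = Arrays.asList("title", "created");

    /** FIXED: the SQL text is fixed in code; caller-supplied values travel in
     *  selectionArgs and are bound by SQLite as data, never parsed as SQL. */
    public static Cursor querySafe(SQLiteDatabase db, String owner, String sortColumn) {
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        return db.query("notes",
                new String[] {"_id", "title", "body"}, // fixed projection
                "owner = ?",                            // placeholder, not concatenation
                new String[] {owner},                   // bound as a parameter
                null, null, sortColumn);
    }

    /** VULNERABLE: any app on the device can send a matching broadcast to this
     *  receiver ("Android Bad Practices - Missing Receiver Permission"). */
    public static void registerUnsafe(Context ctx, BroadcastReceiver r, IntentFilter f) {
        ctx.registerReceiver(r, f);
    }

    /** FIXED: only senders holding the named permission (assumed name) can deliver
     *  broadcasts to this receiver; the permission must also be declared in the manifest. */
    public static void registerSafe(Context ctx, BroadcastReceiver r, IntentFilter f) {
        ctx.registerReceiver(r, f, "com.example.notes.permission.SYNC_EVENT", null);
    }
}
```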

Other tips

Here's the official list of what Fortify has to offer:

There are too many to list.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow