Overview

Details

• App:
• Review Date:
• Latest Commit:
• Branch Reviewed:
• Review Lead:

Context

• High level description of what the app does
• Why are we reviewing it (high level threats)
• Any previous reviews
• Links to related reviews

Scope

• What did we look at
• source links
• does it include shared components

Architecture

• High level code paths, data flow, functionality
• Interaction between components
• Interaction with external agents
• Generally good spot to put a diagram

Documentation

• links to further information, design documentation etc
• links to relevant bugs (perhaps even a bug table if there are a few)

Design Review

• Permissions: list permission, why are they used
• Messages
• Web Activities
• Datastore:
• Connections (IAC):
• Other manifest properties (e.g redirects,origin, entry points etc)
• Enumerate data input & outputs, key data flows etc
  • server communication
  • user input
  • other inputs (indexeddb, device storage, other APIs)
  • views/templates

Implementation Review

Checklist

• XSS & HTML Injection attacks
• Secure Communications
• Information Disclosure
• Exposure of sensitive APIs
• Web Activities
• Message Handler
• Connections (IAC)
  • connections
  • app.connect
• postMessage
• Data Store
• datastores-owned
• datastores-access
• client-side storage
• Content Security Policy
  • ensure no inline styles
• API-specific guidance
• Library & component usage
  • looks for vulns in specific version
• Config files & build steps/directives
• Shared files
• Permission Specific Auditing?

Threat Analysis

• List of threats
• Mitigating controls
• Discussion of the threats

Actions & Recommendations

No results.

0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);