
android-sec-val

v1.0.0-beta.0


Downloads

84

Readme

Android Security Validator

An automated security validation system for Android applications. This tool orchestrates ADB and Appium to verify:

  • Runtime Integrity: Debuggable flags, Logcat leaks, Manifest settings.
  • Storage Confidentiality: Plaintext sensitive data in private storage (Requires Root).
  • Network Security: Resilience against MITM attacks (Certificate Pinning).

Prerequisites

  • Node.js (v14+)
  • ADB installed and in PATH.
  • Appium Server running (npm install -g appium && appium).
  • Android Emulator (AOSP Image recommended for Root access).

Installation

npm install -g android-sec-val
# OR run directly from source
npm install
npm run build

Usage

Start your Appium server and Emulator first.

# General Usage
android-sec-val validate --package com.example.app

# With APK install and custom sensitive strings
android-sec-val validate \
  --package com.example.app \
  --apk ./path/to/app.apk \
  --sensitive password token auth_key

Options

| Option | Alias | Description | Default |
|--------|-------|-------------|---------|
| --package | -p | Target Android Package Name | (Required) |
| --apk | -a | Path to APK to install | undefined |
| --sensitive | -s | List of strings to grep for in storage | ['password', 'token', ...] |
| --output | -o | JSON Report Path | security_report.json |

Security Checks

Runtime

  1. Debuggable Flag: Checks android:debuggable.
  2. Manifest Analysis: Checks allowBackup and usesCleartextTraffic.
  3. Logcat Leakage: Monitors logs for provided sensitive strings.
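
The logcat check described above, as an added example (not the package's own code): it scans only lines from the target app's process for the sensitive strings and masks what follows the keyword, so the evidence does not repeat the leaked value. The function name, the `threadtime` log layout and the sample lines are assumptions constructed for illustration.

```javascript
// Constructed sample in `adb logcat -v threadtime` layout:
// date time PID TID level tag: message
const SAMPLE_LOGCAT = [
  '01-15 10:02:11.120  4312  4312 D AuthRepo: login ok, token=eyJhbGciOi.constructed.sample',
  '01-15 10:02:11.340  4312  4330 I OkHttp  : --> POST /v1/session (42-byte body)',
  '01-15 10:02:12.001  1550  1550 W Keyguard: password quality changed',
  '01-15 10:02:12.870  4312  4312 E Checkout: retry with Password=hunter2-constructed',
].join('\n');

const LINE = /^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+(.*?)\s*: (.*)$/;

// Hypothetical helper: returns one hit per app log line containing a sensitive string.
function findLogcatLeaks(text, appPids, sensitive) {
  const pids = new Set(appPids.map(String));
  const hits = [];
  for (const raw of text.split('\n')) {
    const m = LINE.exec(raw);
    if (!m || !pids.has(m[2])) continue; // unparsable line, or another process
    const [, time, pid, , level, tag, msg] = m;
    const lower = msg.toLowerCase();
    // Case-insensitive match, ordered by where each keyword first appears.
    const found = sensitive
      .map(s => ({ s, i: lower.indexOf(s.toLowerCase()) }))
      .filter(f => f.i >= 0)
      .sort((a, b) => a.i - b.i);
    if (!found.length) continue;
    // Keep the text up to the end of the first keyword, mask the rest.
    const cut = found[0].i + found[0].s.length;
    hits.push({
      time, pid: Number(pid), level, tag,
      matched: found.map(f => f.s),
      redacted: msg.slice(0, cut) + '[REDACTED]',
    });
  }
  return hits;
}

// 4312 stands in for the PID of com.example.app on the device.
console.log(findLogcatLeaks(SAMPLE_LOGCAT, [4312], ['password', 'token', 'auth_key']));
```
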

Storage (Requires adb root)

  1. Local Storage Inspection: Recursively greps /data/data/<pkg> for sensitive strings.
  2. Cache Hygiene: Checks /data/data/<pkg>/cache for excessive data persistence.
  3. External Storage: Checks /sdcard/Android/data/<pkg> and Downloads for leakage.

Network

  1. Network Logic: Currently supports manual network validation hooks (see source).

Static Analysis

  1. Exported Components: Detects insecurely exported Activities/Services.
  2. Permission Audit: Flags dangerous permissions (SMS, Contacts, Location).
  3. Hardcoded Secrets: Extracts APK from device and scans for keys (AWS, Bearer, etc.).

Threat Model Coverage (Exploits Detected)

This tool validates defenses against the following specific attack vectors:

| Vulnerability Class | Exploit / Threat Scenario | Validated By Check |
|---------------------|---------------------------|-------------------|
| Insecure Data Storage | Attacker with physical access (or malware) dumps /data/data to steal Auth Tokens or PII. | checkStorageIntegrity (asserts encryption) |
| Data Leakage | Sensitive data (passwords, tokens) printed to system logs (logcat) visible to other apps/USB. | checkLogcatLeakage |
| Runtime Tampering | Attacker attaches JDWP debugger to inspect memory or hook methods. | checkDebuggable |
| Network Interception | Attacker on public WiFi (MITM) presents fake cert to steal inflight data. | checkNetworkSecurity (Pinning) |
| Backup Theft | Attacker uses adb backup to extract app data without root. | checkManifestSettings (allowBackup) |
| Cleartext Transmission | App accidentally sends HTTP traffic exposing data to passive monitoring. | checkManifestSettings (usesCleartextTraffic) |
| Cache Leakage | Sensitive images/responses persist in cache/ after logout/exit. | checkCacheHygiene |

Report

The tool generates a JSON report:

[
  {
    "check_name": "debuggable_flag",
    "status": "PASS",
    "severity": "LOW",
    "evidence": "Application is NOT debuggable",
    "category": "RUNTIME"
  }
]
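
An added example (not the package's own code) of the manifest-based checks listed under Security Checks, with platform defaults applied when an attribute is missing and results emitted in the report shape above. It assumes the manifest has already been decoded to text; the function name, every check name other than `debuggable_flag`, the HIGH/MEDIUM severities and the STATIC category are assumptions.

```javascript
// Constructed sample: a decoded AndroidManifest.xml (an APK stores it as binary XML).
const SAMPLE_MANIFEST = `
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-sdk android:targetSdkVersion="27" />
  <application android:debuggable="true" android:label="Demo">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true" />
    <receiver android:name=".BootReceiver" android:exported="true"
              android:permission="com.example.app.PRIVATE" />
  </application>
</manifest>`;

// Value of android:<name> in one opening tag, or undefined when the attribute is absent.
const attr = (tag, name) => (tag.match(new RegExp(`android:${name}="([^"]*)"`)) || [])[1];
function analyzeManifest(xml) {
  const app = (xml.match(/<application\b[^>]*>/) || [''])[0];
  const sdk = (xml.match(/<uses-sdk\b[^>]*>/) || [''])[0];
  const target = Number(attr(sdk, 'targetSdkVersion') || 1);
  // Platform defaults for a missing attribute: debuggable=false, allowBackup=true,
  // usesCleartextTraffic=true up to targetSdkVersion 27 and false from 28 on.
  const debuggable = attr(app, 'debuggable') === 'true';
  const backup = (attr(app, 'allowBackup') ?? 'true') === 'true';
  const cleartext = (attr(app, 'usesCleartextTraffic') ?? String(target <= 27)) === 'true';
  // Components exported explicitly with no android:permission guard; the launcher
  // activity has to be exported, so it is not counted.
  const elements = xml.match(/<(activity|service|receiver|provider)\b[^>]*?(\/>|>[\s\S]*?<\/\1>)/g) || [];
  const open = elements
    .filter(e => !e.includes('android.intent.category.LAUNCHER'))
    .map(e => e.match(/^<[^>]*>/)[0])
    .filter(t => attr(t, 'exported') === 'true' && !attr(t, 'permission'))
    .map(t => attr(t, 'name'));
  // Assumed names: only debuggable_flag, PASS, LOW and RUNTIME appear in the README.
  const row = (check_name, bad, severity, evidence, category) =>
    ({ check_name, status: bad ? 'FAIL' : 'PASS', severity, evidence, category });
  return [
    row('debuggable_flag', debuggable, debuggable ? 'HIGH' : 'LOW',
      `Application is ${debuggable ? '' : 'NOT '}debuggable`, 'RUNTIME'),
    row('allow_backup', backup, backup ? 'MEDIUM' : 'LOW', `allowBackup resolves to ${backup}`, 'RUNTIME'),
    row('cleartext_traffic', cleartext, cleartext ? 'MEDIUM' : 'LOW',
      `usesCleartextTraffic resolves to ${cleartext} (targetSdkVersion ${target})`, 'RUNTIME'),
    row('exported_components', open.length > 0, open.length ? 'MEDIUM' : 'LOW',
      `Unguarded exported components: ${open.join(', ') || 'none'}`, 'STATIC'),
  ];
}
console.log(JSON.stringify(analyzeManifest(SAMPLE_MANIFEST), null, 2));
```

The sample fails all four checks even though it sets neither `allowBackup` nor `usesCleartextTraffic`, because both resolve to true at targetSdkVersion 27.
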