M4: Insufficient Input/Output Validation
Mobile apps constantly process data from user input, device sensors, inter-app communication, and backend APIs. When that data is not validated on the way in and not encoded on the way out, hostile content can reach injection sinks inside the app (SQL queries, HTML rendered in a WebView, dynamically loaded code), trigger unsafe deserialisation, or leak data through deep links and intents that the app exposes to other apps.
Typical Weakness Patterns
- Accepting untrusted data from deep links, custom URL schemes, or Android intents without sanitisation or strict schema validation.
- Unsafe parsing of JSON, XML, protobuf, or binary blobs returned by backend APIs.
- Rendering unescaped HTML/JS in embedded web views, producing XSS that runs in the app's WebView context and can reach any JavaScript bridge the app exposes.
- Trusting file system input (images, documents) without enforcing content type or size controls.
Detection Cues
- Fuzzing of intents, deep links, and IPC mechanisms to observe crashes, unexpected behaviour, or injection sinks.
- Dynamic testing of web view components with malicious payloads.
- Static analysis that flags unsanitised data flows into dangerous APIs (e.g., WebView.loadData, SQLite queries, dynamic code loading).
Mitigation
- Apply strict schema validation and canonicalisation to every inbound parameter, regardless of source.
- Treat intents, deep links, and other inter-process messages as untrusted; verify caller identity and enforce allow-lists.
- Disable JavaScript, and any JavaScript bridges, in web views unless strictly needed; encode or sanitise all HTML rendered via in-app browsers.
- Harden parsers with size limits, safe libraries, and defensive coding patterns to prevent memory or logic corruption.
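The following is an added example, not code from the OWASP page, showing the deep-link weakness pattern above (untrusted link parameters flowing into WebView sinks) beside a handler that applies the mitigations listed: caller identity check, strict per-parameter schema, canonicalised allow-list of the navigation target, and a locked-down WebView. The package name, scheme, host, and parameter names are assumptions.

```kotlin
import android.app.Activity
import android.net.Uri
import android.os.Bundle
import android.text.TextUtils
import android.webkit.WebView

// Vulnerable handler: every part of myapp://open?url=...&name=... is trusted.
// (Example code, not from the page; scheme and parameter names are assumptions.)
class VulnerableDeepLinkActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val web = WebView(this)
        web.settings.javaScriptEnabled = true          // JS on for whatever gets loaded
        setContentView(web)
        val uri = intent?.data
        val target = uri?.getQueryParameter("url")     // attacker-controlled
        val name = uri?.getQueryParameter("name")      // attacker-controlled
        if (target != null) {
            // Sink 1: any scheme/host (javascript:, file://, attacker site) loaded with JS enabled
            web.loadUrl(target)
        } else {
            // Sink 2: untrusted text concatenated into HTML -> XSS inside the WebView
            web.loadData("<h1>Hello $name</h1>", "text/html", "utf-8")
        }
    }
}

// Hardened handler: caller check, strict parameter schema, canonicalised allow-list,
// and a WebView with JavaScript and local file/content access switched off.
class HardenedDeepLinkActivity : Activity() {
    companion object {
        private const val TRUSTED_CALLER = "com.example.partnerapp"   // assumption
        private val ALLOWED_HOSTS = setOf("app.example.com")           // assumption
        private val NAME_RE = Regex("^[A-Za-z0-9 _.-]{1,64}$")          // strict schema for "name"
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val uri = intent?.data ?: run { finish(); return }

        // 1. Caller identity. callingPackage is set only when the caller used
        //    startActivityForResult, so this check suits entry points reserved for
        //    a partner app (browser-launched deep links have no calling package).
        if (callingPackage != TRUSTED_CALLER) { finish(); return }

        // 2. Validate each parameter, regardless of where the intent came from.
        val target = parseTarget(uri.getQueryParameter("url"))
        val name = uri.getQueryParameter("name")?.takeIf { NAME_RE.matches(it) } ?: "guest"

        // 3. WebView with JavaScript, file and content-provider access off.
        val web = WebView(this).apply {
            settings.javaScriptEnabled = false
            settings.allowFileAccess = false
            settings.allowContentAccess = false
        }
        setContentView(web)

        if (target != null) {
            web.loadUrl(target.toString())            // only an https URL on an allowed host
        } else {
            // 4. Encode before the HTML sink and pin the document origin with a base URL.
            val html = "<h1>Hello ${TextUtils.htmlEncode(name)}</h1>"
            web.loadDataWithBaseURL("https://app.example.com/", html, "text/html", "utf-8", null)
        }
    }

    // Canonicalise, then allow-list scheme and host of the navigation target.
    private fun parseTarget(raw: String?): Uri? {
        if (raw.isNullOrBlank()) return null
        val u = Uri.parse(raw).normalizeScheme()      // lower-cases the scheme
        if (u.scheme != "https") return null
        if (u.userInfo != null) return null           // no user-info component in links we follow
        val host = u.host?.lowercase() ?: return null
        if (host !in ALLOWED_HOSTS) return null
        return u
    }
}
```

The hardened activity rejects the link rather than trying to repair it: an unknown scheme, host, or caller ends the activity, and the only free-text value that reaches an HTML sink is encoded first. If the entry point must also accept browser-launched deep links, drop the `callingPackage` check and rely on the host allow-list and verified App Links for that path instead.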