
Security

Solid network policy, but exported components and deep links need audit.

59 findings in this category · Score: 70

Summary

Security posture is reasonable: cleartext traffic is disallowed by the network security config (HTTPS only), app data is excluded from Android auto-backup, and R8 minification/obfuscation is enabled for release builds. The areas needing attention are exported components and their deep links, the WebView surface, and the absence of certificate pinning.

Strengths

PASS

cleartextTrafficPermitted=false

Production network security config disallows cleartext.
Costco/src/main/res/xml/network_security_config.xml

PASS

android:allowBackup=false

Membership and account data not auto-backed up off-device.

PASS

R8 in release

minifyEnabled=true, shrinkResources=true for release builds.

Findings

HIGH

Multiple exported activities + 11+ deep links

MainActivity, FindAStoreActivity and WarehouseOffersActivity are exported with deep-link intent filters covering costco://, costco-dmc-widget:// and https://costco.com/*. Any app on the device can start these activities with a crafted URI and extras, and the custom schemes can be registered by other apps as well, so only the https App Links carry an origin guarantee, and only once verified.
Recommendation: Validate every deep-link payload (scheme, host, path and query) against an allowlist and map it to a typed route instead of acting on the raw URI; reject links into destinations that require a session when none exists; set android:autoVerify="true" only on App Links for domains you fully control (the domain must publish the matching assetlinks.json).
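One way to apply that recommendation, as an added example that is not the project's own code: the validator below turns an incoming VIEW intent into a typed route or rejects it. The scheme and host lists come from the finding above; the route names, path layout, the offerId format and the hasSession callback are assumptions made for the illustration.

```kotlin
// Added example, not Costco's code. Validates an incoming deep link before the
// activity acts on it. Hypothetical names: Route, DeepLinkValidator, hasSession.
import android.content.Intent
import android.net.Uri

/** Typed destinations; the activity navigates on these, never on the raw Uri. */
sealed class Route {
    object Home : Route()
    data class Warehouse(val warehouseId: Int) : Route()
    data class Offers(val offerId: String?) : Route()
}

class DeepLinkValidator(private val hasSession: () -> Boolean) {
    private val allowedSchemes = setOf("https", "costco", "costco-dmc-widget")
    private val allowedHosts = setOf("costco.com", "www.costco.com")
    private val sessionRequired: Set<Class<out Route>> = setOf(Route.Offers::class.java)
    private val offerIdPattern = Regex("[A-Za-z0-9_-]{1,64}") // assumed id format

    /** Returns a Route, or null if the link must be dropped (caller falls back to Home). */
    fun resolve(intent: Intent): Route? {
        if (intent.action != Intent.ACTION_VIEW) return null
        val uri = intent.data ?: return null
        val scheme = uri.scheme?.lowercase() ?: return null
        if (scheme !in allowedSchemes) return null
        // "https://costco.com@attacker.example/..." parses with host=attacker.example;
        // refusing any userinfo removes that whole class of confusion.
        if (uri.userInfo != null) return null

        // Custom schemes (costco://offers?id=1) can be registered by any app on the
        // device, so they carry no origin guarantee; only verified https App Links do.
        val segments: List<String> = if (scheme == "https") {
            val host = uri.host?.lowercase() ?: return null
            if (host !in allowedHosts) return null
            uri.pathSegments
        } else {
            // For costco://warehouse/123 the parser puts "warehouse" in host.
            listOfNotNull(uri.host) + uri.pathSegments
        }

        val route: Route = when (segments.firstOrNull()) {
            null, "" -> Route.Home
            "warehouse" -> segments.getOrNull(1)?.toIntOrNull()?.let { Route.Warehouse(it) } ?: return null
            "offers" -> Route.Offers(uri.getQueryParameter("id")?.takeIf { offerIdPattern.matches(it) })
            else -> return null // unknown path: do not guess
        }
        // Destinations that need a session are not reachable through a link alone.
        if (route::class.java in sessionRequired && !hasSession()) return null
        return route
    }
}

// Usage in an exported activity (both onCreate and onNewIntent):
//   val route = DeepLinkValidator { sessionStore.isValid() }.resolve(intent) ?: Route.Home
//   navigate(route)
// intent.extras of an exported activity are attacker-controlled too; read nothing else from them.
```

The point of the typed Route is that nothing downstream ever sees the original Uri, so an unexpected scheme, host, path or parameter has nowhere to go. Rejecting to Home rather than finishing keeps the app usable for legitimate but malformed links.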
HIGH

WebView surface

WebViewLayout plus the Pharmacy WebView client. Even without addJavascriptInterface, a WebView that loads attacker-influenced URLs can be abused: file:// URLs reach app-private storage when file access is enabled, intent:// URLs become a component-launch primitive if shouldOverrideUrlLoading forwards them through Intent.parseUri, and the *FromFileURLs settings weaken same-origin isolation.
Recommendation: setAllowFileAccess(false), setAllowContentAccess(false), setAllowFileAccessFromFileURLs(false) and setAllowUniversalAccessFromFileURLs(false); restrict shouldOverrideUrlLoading to an allowlist of https first-party hosts, and never pass an unchecked URL (for example one taken from a deep link) to loadUrl.
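The settings from the recommendation in one place, as an added example (not the project's WebViewLayout or Pharmacy client). The HardenedWebView name and the allowedHosts set are assumptions; the host list would be filled from the real first-party hosts.

```kotlin
// Added example, not Costco's code. Hardened WebView setup plus a navigation
// allowlist. allowedHosts is an assumption; fill it from the real first-party hosts.
import android.net.Uri
import android.os.Build
import android.webkit.WebResourceRequest
import android.webkit.WebSettings
import android.webkit.WebView
import android.webkit.WebViewClient

object HardenedWebView {
    private val allowedHosts = setOf("www.costco.com", "costco.com") // assumed

    /** True only for https URLs on first-party hosts: file://, content://, intent:// and javascript: all fail here. */
    fun isAllowed(uri: Uri): Boolean {
        val host = uri.host?.lowercase() ?: return false
        return uri.scheme.equals("https", ignoreCase = true) && uri.userInfo == null && host in allowedHosts
    }

    @Suppress("DEPRECATION") // the *FromFileURLs setters are deprecated but still honored on older WebViews
    fun configure(webView: WebView) {
        webView.settings.apply {
            javaScriptEnabled = true                 // only because the hosted flow needs it; drop if it does not
            allowFileAccess = false                  // no file:///data/data/<pkg>/... reads
            allowContentAccess = false               // no content:// provider reads
            allowFileAccessFromFileURLs = false
            allowUniversalAccessFromFileURLs = false // would let a file:// page read any origin
            mixedContentMode = WebSettings.MIXED_CONTENT_NEVER_ALLOW
            javaScriptCanOpenWindowsAutomatically = false
            setSupportMultipleWindows(false)
            setGeolocationEnabled(false)
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) safeBrowsingEnabled = true
        }
        webView.webViewClient = object : WebViewClient() {
            // Called for page-initiated navigations (links, redirects, JS location changes).
            // Returning true cancels the navigation. Subresource fetches go through
            // shouldInterceptRequest instead, so this is an allowlist for navigation only.
            override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean =
                !isAllowed(request.url)
            // Do not override onReceivedSslError to call handler.proceed(); the default cancels the load.
        }
    }

    /** The only entry point the app should use: an unchecked URL never reaches loadUrl. */
    fun load(webView: WebView, url: String): Boolean {
        val uri = Uri.parse(url)
        if (!isAllowed(uri)) return false
        webView.loadUrl(uri.toString())
        return true
    }
}
```

Because the check is scheme-first, an intent:// or javascript: URL is dropped before any parsing of its payload, which is the failure mode the finding describes; the same isAllowed gate in load() closes the path from deep link to WebView.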
MEDIUM

Certificate pinning not confirmed

No evidence of a CertificatePinner in the OkHttp client configuration, so a certificate for a first-party host issued by any trusted CA (or a user-installed one, where trusted) would be accepted.
Recommendation: Pin api.costco.com and the other critical first-party hosts by SPKI hash with two pins each (current key plus a backup key held offline); ship pin updates via remote config behind a kill switch, and rotate pins ahead of certificate renewal, since a mismatch is a hard connection failure.
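What the two-pin OkHttp setup looks like, as an added example rather than the project's client code. The host name is taken from the finding; the pin values are placeholders (base64 of 32 zero bytes and of 32 0xFF bytes), and the pinningEnabled flag stands in for whatever remote-config value the kill switch would read.

```kotlin
// Added example, not Costco's code. Builds an OkHttp client with two SPKI pins per
// host and a remote-config kill switch. The pin strings below are placeholders.
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient

data class PinSet(val host: String, val pins: List<String>)

// Each pin is "sha256/" + base64(SHA-256(SubjectPublicKeyInfo)). Real values come from:
//   openssl s_client -connect api.costco.com:443 -servername api.costco.com </dev/null 2>/dev/null \
//     | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der \
//     | openssl dgst -sha256 -binary | base64
// Placeholders, NOT real pins: 32 zero bytes and 32 0xFF bytes, base64-encoded.
private const val PLACEHOLDER_CURRENT_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
private const val PLACEHOLDER_BACKUP_PIN = "sha256///////////////////////////////////////////8="

val defaultPinSets = listOf(
    // current leaf/intermediate key + backup key generated and pinned before it is ever deployed
    PinSet("api.costco.com", listOf(PLACEHOLDER_CURRENT_PIN, PLACEHOLDER_BACKUP_PIN)),
)

/**
 * [pinningEnabled] is the kill switch: a remote-config flag (hypothetical) that defaults
 * to true when the config cannot be read, so an attacker who blocks the config fetch
 * cannot disable pinning; it exists only to recover from a mis-rotation without a
 * store release.
 */
fun buildHttpClient(
    pinSets: List<PinSet> = defaultPinSets,
    pinningEnabled: Boolean = true,
): OkHttpClient {
    val builder = OkHttpClient.Builder()
    if (pinningEnabled) {
        val pinner = CertificatePinner.Builder().apply {
            for (set in pinSets) {
                require(set.pins.size >= 2) { "${set.host}: ship a backup pin so key rotation cannot brick the app" }
                add(set.host, *set.pins.toTypedArray())
            }
        }.build()
        builder.certificatePinner(pinner)
    }
    return builder.build()
}

// Usage: val client = buildHttpClient(pinningEnabled = remoteConfig.getBoolean("pinning_enabled", true))
```

On a mismatch OkHttp throws SSLPeerUnverifiedException whose message lists the pins the peer actually presented, which is the quickest way to diagnose a bad rotation in the field. Pinning the intermediate or an offline backup key, rather than only the leaf, is what keeps routine certificate renewal from tripping the pin.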
MEDIUM

Debug network security config trusts user CAs

The debug config trusts user-installed CAs (so traffic can be proxied through Charles). Make sure the debug-only manifest entries and resources are not merged into the release build.
Recommendation: Confirm the debug network security config ships only in debug/internal build types; verify by running ./gradlew :Costco:assembleRelease and inspecting the merged manifest (android:networkSecurityConfig must point at the production file and android:debuggable must be absent).
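An alternative that removes the merge risk entirely, shown as an added config example rather than the project's actual network_security_config.xml: keep a single file and put the user-CA trust under debug-overrides, which the platform honors only when the manifest carries android:debuggable="true".

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the project's file. One config for every build type. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <!-- Applied only when the app is debuggable. Release builds ignore this block,
         so a user-installed Charles CA is never trusted in production even if the
         file itself ships in the release APK. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
            <certificates src="system" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Whichever layout is kept, the check is the same: after ./gradlew :Costco:assembleRelease, run apkanalyzer manifest print on the release APK and confirm there is no android:debuggable="true" and that android:networkSecurityConfig references the production resource.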
LOW

NowSecure scanning in CI

azure-pipelines-nowsecure.yml indicates NowSecure scans run — good signal.
Recommendation: Treat NowSecure findings as PR-blocking for HIGH+; publish a security baseline and review monthly.

Costco Android · Code Review Report · Generated 2026-05-07 · 626 machine-curated findings