Security Controls · WCAG 2.2 · Licenses
Detailed static-analysis report for security controls, WCAG 2.2 and licenses.
Executive summary
The security baseline is solid (HTTPS-only, AES-256-GCM Keystore, biometric auth, R8 obfuscation, backup disabled). The notable gaps are WebView lockdown, no Play Integrity API, no FLAG_SECURE on sensitive screens, no Data Extraction Rules, and uncertainty around certificate pinning activation. WCAG 2.2 conformance is poor — most criteria fail or partially pass. Seven commercial SDKs require licensing review, and no GPL/LGPL copyleft dependencies were found.
Security controls matrix
| Control | Status | Evidence / Note |
|---|---|---|
| HTTPS-only (Network Security Config) | PRESENT | Costco/src/main/res/xml/network_security_config.xml · cleartextTrafficPermitted="false" |
| Certificate pinning | CONFIRM | CertificatePinner import found in shared/common/.../RetrofitServiceImpl.kt — verify pins are populated, not commented out |
| android:allowBackup=false | PRESENT | Costco/src/main/AndroidManifest.xml line 53 |
| data_extraction_rules.xml | ABSENT | Required for Android 12+ device transfer behavior |
| backup_rules.xml | ABSENT | Mitigated by allowBackup=false |
| R8 / minification | ENABLED | Release build sets minifyEnabled=true, shrinkResources=true |
| Biometric auth | PRESENT | Costco/.../BiometricUtilImpl.java uses BiometricPrompt |
| AndroidKeystore (AES-256-GCM) | PRESENT | shared/storage/.../KeyStoreManagerImpl.kt lines 16-85 |
| Encrypted token persistence | PRESENT | Tokens encrypted via KeyStoreManager before DataStore write |
| Play Integrity API | ABSENT | No IntegrityManager imports detected |
| Root / tamper detection | ABSENT | No RootBeer / SafetyNet / Play Integrity |
| WebView lockdown | PARTIAL | WebView used in pharmacy + main; explicit setAllowFileAccess(false) not found |
| FLAG_SECURE on sensitive screens | ABSENT | FLAG_SECURE is not set, so screen capture is not blocked on payment / DMC screens |
| Debug logging stripped in release | PARTIAL | Timber present; no explicit ProGuard rule strips Timber.* in release |
| NowSecure scanning in CI | PRESENT | azure-pipelines-nowsecure.yml |
WCAG 2.2 conformance summary
| Criterion | Level | Status | Note |
|---|---|---|---|
| 1.1.1 Non-text Content | A | PARTIAL | Some contentDescription set; many Composables omit it |
| 1.3.1 Info & Relationships | A | PARTIAL | Some semantics/role; coverage incomplete |
| 1.4.3 Contrast (Minimum) | AA | FAIL | Design tokens auto-generated; no contrast validation in pipeline |
| 1.4.4 Resize Text | AA | FAIL | Hardcoded sp values; no font-scale 200% snapshot |
| 2.4.7 Focus Visible | AA | PARTIAL | Some focusable(); not consistent |
| 2.5.5 Target Size | AAA | FAIL | No 48dp minimum target enforcement visible |
| 4.1.2 Name, Role, Value | A | PARTIAL | Some role semantics; many gaps |
CRITICAL
WCAG 2.2 conformance gap
Three FAILs (contrast, text resize, target size) and four PARTIALs. For a Canada-targeted retail app this is also an AODA exposure.
Recommendation: Run a one-time codemod for contentDescription. Add Compose-rule contrast assertions in the design-token build. Add 48dp target enforcement via Modifier.minimumInteractiveComponentSize(). Snapshot every Composable at fontScale = 2.0f.

Open-source license audit
| License family | Examples | Risk |
|---|---|---|
| Apache 2.0 | Most Google / AndroidX / Kotlin / Square / Firebase libs | SAFE |
| MIT | Timber, Coil, Lottie, MockK, Turbine | SAFE |
| BSD | BouncyCastle 1.70, ZXing, Hamcrest | SAFE |
| LGPL / GPL | None detected | CLEAR |
| Proprietary / Commercial | Adobe Marketing Cloud (BOM 3.17.0), Contentstack 4.0.0, NokNok FIDO2 9.2.0, ThreatMetrix 7.7-71, Mastercard ClickToPay, OneTrust, Lucidworks | REVIEW LICENSING |
MEDIUM
7 commercial SDKs need licensing audit
Adobe, Contentstack, NokNok, ThreatMetrix, Mastercard, OneTrust, Lucidworks. Each likely has per-MAU pricing or seat-based licensing.
Recommendation: Confirm contracts are current. Document the renewal calendar in a vendor-management doc. Track usage metrics so renewals are negotiated from data.
INFO
Generate machine-readable license report
Use the com.jaredsburrows:gradle-license-plugin or oss-licenses-plugin to produce a release-time license inventory and an in-app Open Source Notices screen.

Costco Android · Code Review Report · Generated 2026-05-07 · 626 machine-curated findings