A new flat, responsive layout improves readability, spacing, and dark-mode rendering.
The Findings Index now adapts automatically between a desktop table and mobile card layout.
Reports now include summaries for:
Hardening, Component Exposure, Crypto, JavaScript Injection,
URL Redirect, Permissions, and Tapjacking.
Severity weights now reflect realistic exploitability under modern Android.
Tapjacking is treated as Informational unless paired with sensitive UI actions.
Improved formatting for component names, ADB PoC commands, severity chips,
and long package paths.
Scanning behavior has been simplified into two modes:
- -all → Full analysis
- -allsafe → Full analysis without AES/JADX decompilation
Legacy toggles (-p, -perm, -js, -call, -aes, -taptrap) no longer appear
and no longer need to be managed individually.
pSlip detects Android applications vulnerable to Permission-Slip / Confused-Deputy paths by analyzing:
- exported Activities, Services, BroadcastReceivers, Providers
- intent filters and unsafe CALL/VIEW handlers
- JavaScript-enabled WebViews and URL schemes
- manifest hardening controls
- unsafe permissions and custom-role exposure
- tapjacking/taptrap surface area
- cryptographic misuse (AES/IV/key/ECB detection)
pSlip is designed for application-security testing, CI/CD pipelines, and bulk APK triage.
- CALL actions
- VIEW + javascript: handlers
- Wildcard deep links
- Weak or normal-protection custom permissions
- Hardcoded AES/DES/IV patterns
- Unsafe mode detection (ECB, static IVs, insecure PRNG)
- Layout XML parsing
- Compose tree heuristics
- Sensitive-action token scoring
- HTML and JSON output
- ADB PoC generation
- Severity + confidence scoring (0–100)
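As an added illustration of the manifest-side checks listed above (exported components, CALL/VIEW handlers, wildcard deep links, weak custom permissions), here is a small standalone Python analyzer. It is not pSlip's own code; the manifest it parses is a constructed sample and the finding strings are my own naming.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML namespace
# Constructed sample manifest (not from a real app): an exported Activity that
# handles VIEW for a wildcard host, a non-exported Service, and a custom
# permission at protectionLevel="normal", which any installed app may request.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <permission android:name="com.example.demo.INTERNAL"
      android:protectionLevel="normal"/>
  <application>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="*.example.com"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>"""
WEAK_LEVELS = ("normal", "dangerous")  # levels any third-party app can obtain

def analyze_manifest(xml_text):
    """Return (name, issue) findings for exposure and weak-permission patterns."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.iter("permission"):
        level = perm.get(A + "protectionLevel", "normal")  # Android default is normal
        if level in WEAK_LEVELS:
            findings.append((perm.get(A + "name"), f"custom permission with {level} protection"))
    for comp in root.iter():
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        name, filters = comp.get(A + "name"), comp.findall("intent-filter")
        exported = comp.get(A + "exported")
        # Before targetSdk 31 a component with an intent-filter is exported by default
        if not (exported == "true" or (exported is None and filters)):
            continue
        findings.append((name, f"exported {comp.tag}"))
        for flt in filters:
            actions = {a.get(A + "name") for a in flt.findall("action")}
            if "android.intent.action.CALL" in actions:
                findings.append((name, "exported CALL handler"))
            if "android.intent.action.VIEW" in actions:
                for data in flt.findall("data"):
                    host = data.get(A + "host", "")
                    if host.startswith("*"):
                        findings.append((name, f"VIEW deep link with wildcard host {host}"))
    return findings
```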
git clone https://github.com/actuator/pSlip.git
cd pSlip
sudo apt install apktool jadx
# Directory sweep (full scan)
python pSlip.py . -all -html demo.html -json demo.json
# Fast sweep (skip AES/JADX)
python pSlip.py path/to/apks -allsafe -html report.htm
-all Full analysis (includes AES/JADX)
-allsafe Disable AES/JADX for speed/stability
-html <file> Write HTML report
-json <file> Write JSON report
-aes-timeout <minutes> Time limit for AES/JADX work (default: 5)
Tokens used for semantic scoring:
login | auth | verify | pay | checkout | approve
password | otp | pin | confirm | secure
submit | card | transfer | send
- Category summaries (Hardening, Exposure, Crypto, JS Injection, URL Redirect, Permissions, Tapjacking)
- Responsive index (table on desktop, cards on mobile)
- Per-app findings with severity, confidence, and ADB PoC actions
- Structured dataset for automation or SIEM ingestion
