pSlip now detects hardcoded Segment write keys during code/config triage.
Detection is case-insensitive and catches common Java/Kotlin and JSON/config patterns, including:
SEGMENT_WRITE_KEY = "..."
segment_write_key = "..."
"segmentWriteKey": "..."
Reports include summaries for:
Hardening, Component Exposure, Crypto, JavaScript Injection,
URL Redirect, Permissions, Tapjacking, and Secrets.
Severity weights reflect realistic exploitability under modern Android.
Tapjacking is treated as Informational unless paired with sensitive UI actions.
Improved formatting for component names, ADB PoC commands, severity chips,
and long package paths.
Scanning behavior is simplified into two modes:
- -all → Full analysis
- -allsafe → Full analysis without AES/JADX decompilation
pSlip detects Android applications vulnerable to Permission-Slip / Confused-Deputy paths by analyzing:
- exported Activities, Services, BroadcastReceivers, Providers
- intent filters and unsafe CALL/VIEW handlers
- JavaScript-enabled WebViews and URL schemes
- manifest hardening controls
- unsafe permissions and custom-role exposure
- tapjacking/taptrap surface area
- cryptographic misuse (AES/IV/key/ECB detection)
- hardcoded secrets such as Segment write keys
pSlip is designed for application-security testing, CI/CD pipelines, and bulk APK triage.
- CALL actions
- VIEW + javascript: handlers
- Wildcard deep links
- Weak or normal-protection custom permissions
- Hardcoded AES/DES/IV patterns
- Unsafe mode detection (ECB, static IVs, insecure PRNG)
- Hardcoded Segment write-key detection
- Case-insensitive secret-name matching for common config styles
- Layout XML parsing
- Compose tree heuristics
- Sensitive-action token scoring
- HTML and JSON output
- ADB PoC generation
- Severity + confidence scoring (0–100)
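As an added illustration of the manifest-side checks listed above (exported components, CALL/VIEW handlers, wildcard deep links, weak custom permissions), here is a small triage pass over a decoded AndroidManifest.xml. This is example code written for this README, not pSlip's own implementation; the manifest, component names and the severity labels are constructed for the example, and it assumes the pre-API-31 rule that a component with an intent-filter is exported when android:exported is absent.

```python
"""Added example (not pSlip's own code): minimal manifest triage for exported
components, CALL/VIEW handlers, wildcard deep-link hosts and components guarded
only by a normal-level custom permission. Assumes a decoded (apktool) manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


# Constructed sample manifest; the package and components are not a real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <permission android:name="com.example.demo.INTERNAL"
              android:protectionLevel="normal"/>
  <application>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="*.example.com"/>
      </intent-filter>
    </activity>
    <activity android:name=".DialerActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.CALL"/>
      </intent-filter>
    </activity>
    <activity android:name=".MainActivity" android:exported="false"/>
    <receiver android:name=".SyncReceiver"
              android:permission="com.example.demo.INTERNAL"
              android:exported="true"/>
  </application>
</manifest>"""


def weak_permissions(root):
    """Custom permissions whose protectionLevel is missing or 'normal'.
    Any third-party app can hold these, so they do not protect a component."""
    weak = set()
    for p in root.iter("permission"):
        level = _attr(p, "protectionLevel") or "normal"
        if level.split("|")[0] == "normal":
            weak.add(_attr(p, "name"))
    return weak


def triage_manifest(xml_text):
    """Return (component, issue, severity) tuples for exposed components."""
    root = ET.fromstring(xml_text)
    weak = weak_permissions(root)
    findings = []
    for comp in root.iter():
        if comp.tag not in COMPONENT_TAGS:
            continue
        filters = comp.findall("intent-filter")
        exported_attr = _attr(comp, "exported")
        # Assumption: pre-API-31 default, exported when a filter exists and
        # android:exported is not declared.
        exported = (exported_attr == "true") if exported_attr is not None else bool(filters)
        if not exported:
            continue
        name = _attr(comp, "name")
        guard = _attr(comp, "permission")
        if guard in weak:
            findings.append((name, "exported component guarded only by a normal-level permission", "High"))
        for f in filters:
            actions = {_attr(a, "name") for a in f.findall("action")}
            if "android.intent.action.CALL" in actions:
                findings.append((name, "exported CALL handler", "High"))
            if "android.intent.action.VIEW" in actions:
                for d in f.findall("data"):
                    host = _attr(d, "host") or ""
                    # No host, or a leading wildcard, matches far more than one origin.
                    if not host or host.startswith("*"):
                        findings.append((name, f"wildcard deep-link host '{host}'", "Medium"))
        if not filters and guard is None:
            findings.append((name, "exported without intent-filter or permission", "Medium"))
    return findings


if __name__ == "__main__":
    for component, issue, severity in triage_manifest(SAMPLE_MANIFEST):
        print(f"[{severity}] {component}: {issue}")
```

On the constructed manifest the pass reports the wildcard VIEW host on DeepLinkActivity, the exported CALL handler on DialerActivity, and SyncReceiver as guarded only by a normal-level permission; MainActivity is skipped because it is explicitly not exported.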
git clone https://github.com/actuator/pSlip.git
cd pSlip
sudo apt install apktool jadx

# Directory sweep (full scan)
python pSlip.py . -all -html demo.html -json demo.json
# Fast sweep (skip AES/JADX)
python pSlip.py path/to/apks -allsafe -html report.htm

-all Full analysis, including code/config triage
-allsafe Disable AES/JADX/code decompilation for speed/stability
-html <file> Write HTML report
-json <file> Write JSON report
-aes-timeout <minutes> Time limit for AES/JADX work (default: 5)
pSlip detects hardcoded Segment write keys in Java, Kotlin, JSON, XML, JavaScript, TypeScript, properties, text, and smali outputs.
Examples detected:
private static final String SEGMENT_WRITE_KEY = "pHYN1qhsRsz...

{
  "segmentWriteKey": "CaVz3hRhBJKCNlParpK4kvWJLNUf164N"
}

Matches are reported as:
Issue Type: Hardcoded Segment Write Key
Severity: High
Confidence: 95
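The code/config triage described here (Segment write keys in the Java/Kotlin, JSON and properties styles) and the crypto checks listed earlier (ECB mode, static IVs, insecure PRNG) are both line-oriented pattern scans over decompiled text. The following is an added example of such a scan, written for this README rather than taken from pSlip; the sample source, the key values (all marked CONSTRUCTED) and the crypto confidence numbers are constructed, the write-key confidence of 95 mirrors the value reported above, and the drop to 50 for short placeholder values is this example's own assumption.

```python
"""Added example (not pSlip's own code): regex triage of decompiled source/config
text for hardcoded Segment write keys and common AES misuse. Secret values are
redacted in the findings so the report itself does not leak the key."""
import re

# Key-name fragment shared by SEGMENT_WRITE_KEY, segment_write_key,
# segmentWriteKey and segment.write.key (matched case-insensitively).
SEGMENT_KEY_NAME = r"segment[._-]?write[._-]?key"
SEGMENT_PATTERNS = [
    # Java/Kotlin assignment:  SEGMENT_WRITE_KEY = "..."
    re.compile(rf'{SEGMENT_KEY_NAME}\s*=\s*"([^"]+)"', re.IGNORECASE),
    # JSON member:  "segmentWriteKey": "..."
    re.compile(rf'"{SEGMENT_KEY_NAME}"\s*:\s*"([^"]+)"', re.IGNORECASE),
    # properties / yaml style:  segment.write.key=...
    re.compile(rf'^\s*{SEGMENT_KEY_NAME}\s*[=:]\s*([^\s"]+)\s*$', re.IGNORECASE),
]

# (issue, severity, confidence, pattern); confidences are illustrative.
CRYPTO_RULES = [
    ("ECB mode (explicit, or the Java default when no mode is given)", "High", 85,
     re.compile(r'getInstance\(\s*"(?:AES|DES|DESede)(?:/ECB)?(?:/[A-Za-z0-9]+)?"')),
    ("Static IV passed to IvParameterSpec", "Medium", 80,
     re.compile(r'IvParameterSpec\(\s*(?:"[^"]*"\.getBytes|new\s+byte\[\]\s*\{)')),
    ("java.util.Random is not a CSPRNG", "Low", 60,
     re.compile(r'\bnew\s+(?:java\.util\.)?Random\s*\(')),
]


def triage_source(text, path="<constructed>"):
    """Scan one file's text line by line; return a list of finding dicts."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pat in SEGMENT_PATTERNS:
            m = pat.search(line)
            if m:
                value = m.group(1)
                # Assumption: short values such as "..." are placeholders.
                confidence = 95 if len(value) >= 20 else 50
                findings.append({"issue": "Hardcoded Segment Write Key", "severity": "High",
                                 "confidence": confidence, "file": path, "line": lineno,
                                 "evidence": value[:8] + "..."})
                break
        for issue, severity, confidence, pat in CRYPTO_RULES:
            if pat.search(line):
                findings.append({"issue": issue, "severity": severity, "confidence": confidence,
                                 "file": path, "line": lineno, "evidence": line.strip()})
    return findings


# Constructed samples; the keys are not real credentials.
SAMPLE_JAVA = '''\
public class Analytics {
    private static final String SEGMENT_WRITE_KEY = "CONSTRUCTED0123456789ABCDEFGHIJK";
    private static final String segment_write_key = "...";
    Cipher bad = Cipher.getInstance("AES/ECB/PKCS5Padding");
    Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
    IvParameterSpec iv = new IvParameterSpec("0123456789abcdef".getBytes());
    Random rnd = new Random();
}
'''
SAMPLE_JSON = '{ "segmentWriteKey": "CONSTRUCTED0123456789ABCDEFGHIJK" }'
SAMPLE_PROPS = 'segment.write.key=CONSTRUCTED0123456789ABCDEFGHIJK'

if __name__ == "__main__":
    for sample, name in ((SAMPLE_JAVA, "Analytics.java"), (SAMPLE_JSON, "config.json"),
                         (SAMPLE_PROPS, "app.properties")):
        for f in triage_source(sample, name):
            print(f"{f['file']}:{f['line']} [{f['severity']}/{f['confidence']}] {f['issue']}")
```

The GCM line in the sample is deliberately left unflagged: the ECB rule matches only an explicit ECB mode or a bare algorithm name, which Java resolves to ECB by default.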
Tokens used for semantic scoring:
login | auth | verify | pay | checkout | approve
password | otp | pin | confirm | secure
submit | card | transfer | send
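As an added example of how these tokens can drive the rule stated earlier (tapjacking is Informational unless paired with sensitive UI actions), here is a scoring function over a screen's clickable elements. It is written for this README, not pSlip's code; the token weights, the severity thresholds, the confidence arithmetic and the sample screen are this example's assumptions, and the input shape (view id, label, whether filterTouchesWhenObscured is set) is what one would extract from layout XML.

```python
"""Added example (not pSlip's own code): sensitive-action token scoring for
tapjacking findings. Elements that set filterTouchesWhenObscured are skipped
because obscured taps never reach them."""
import re

# Token groups from the README; the weights are this example's assumption.
SENSITIVE_TOKENS = {
    "login": 3, "auth": 3, "verify": 3, "pay": 3, "checkout": 3, "approve": 3,
    "password": 2, "otp": 2, "pin": 2, "confirm": 2, "secure": 2,
    "submit": 1, "card": 1, "transfer": 1, "send": 1,
}


def tokens(text):
    """Split camelCase, snake_case and free text into lowercase words."""
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", text)
    return re.findall(r"[a-z0-9]+", spaced.lower())


def score_element(view_id, label):
    """Sum of weights for distinct sensitive tokens in the id or label."""
    hits = {t for t in tokens(view_id) + tokens(label) if t in SENSITIVE_TOKENS}
    return sum(SENSITIVE_TOKENS[t] for t in hits), hits


def tapjacking_finding(elements):
    """elements: list of (view_id, label, filter_touches_when_obscured).
    Returns severity, confidence, the highest-scoring element and its tokens."""
    best_score, best_elem, best_hits = 0, None, set()
    for view_id, label, protected in elements:
        if protected:
            continue
        score, hits = score_element(view_id, label)
        if score > best_score:
            best_score, best_elem, best_hits = score, view_id, hits
    # Thresholds are illustrative; no sensitive token means Informational.
    if best_score == 0:
        severity, confidence = "Informational", 30
    elif best_score < 3:
        severity, confidence = "Low", 50
    elif best_score < 5:
        severity, confidence = "Medium", 70
    else:
        severity, confidence = "High", 85
    return {
        "severity": severity,
        "confidence": min(100, confidence + 5 * len(best_hits)),
        "element": best_elem,
        "tokens": sorted(best_hits),
    }


# Constructed sample screen: one harmless button, one sensitive unprotected
# button, and one sensitive button that already filters obscured touches.
SAMPLE_SCREEN = [
    ("btn_view_terms", "View terms", False),
    ("btnConfirmTransfer", "Confirm transfer", False),
    ("btnPayNow", "Pay now", True),
]

if __name__ == "__main__":
    print(tapjacking_finding(SAMPLE_SCREEN))
```

On the sample screen the finding lands on btnConfirmTransfer at Medium; a screen whose only sensitive control sets filterTouchesWhenObscured, or that has no sensitive control at all, comes back as Informational.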
- Category summaries: Hardening, Exposure, Crypto, Secrets, JS Injection, URL Redirect, Permissions, Tapjacking
- Responsive index: table on desktop, cards on mobile
- Per-app findings with severity, confidence, and ADB PoC actions
- Structured dataset for ingestion
