Finding Description
Your application uses reflection.
Steps to Reproduce
Reflection grants the ability and flexibility to view and determine API characteristics at runtime, as opposed to compile time. From there, developers can construct objects, access fields, and invoke methods dynamically. These reflection APIs come as part of the Android SDK and can be beneficial when targeting a variety of Android versions/devices. At runtime, reflection techniques can be used to determine if a specific class or method is available before trying to use it. This enables the developer to leverage newer APIs, while still supporting older versions, all from within the same application. This check looks for code reflection within the application and returns where reflection is used.
Remediation Resources
Reflection on its own doesn't impose any added security risks; however, it is important to understand the use case for needing reflection, as it can be difficult to debug if issues arise. In some cases, reflection could be used as an obfuscation technique or to access non-public classes/methods.
Risk and Regulatory Information
Severity: info
Policy Category: Informational
Application
See more detail in the NowSecure Report
Evidence
#### Code Locations

| Source | File | Destination | Index | Line |
|---|---|---|---|---|
| Ljava/lang/reflect/Method; invoke (Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object; | | LX/014; A00 (Landroid/os/Parcelable;)Z | 0 | -1 |
| Ljava/lang/reflect/Field; getLong (Ljava/lang/Object;)J | | LX/01Z;