||The software stores sensitive information in a file system or device that does not have built-in access control.
||The software stores sensitive information without properly limiting read or write access by unauthorized actors.
||The software establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
||The software establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission.
||The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.
||The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.
||The Android application uses an implicit intent for transmitting sensitive data to other applications.
||The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
||The software uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.
||The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.