KeySweeper is a stealthy Arduino-based device, camouflaged as a functioning USB wall charger, that wirelessly and passively sniffs, decrypts, logs and reports back (over GSM) all keystrokes from any Microsoft wireless keyboard in the vicinity.
All keystrokes are logged online and locally. SMS alerts are sent upon trigger words, usernames or URLs, exposing passwords. If unplugged, KeySweeper continues to operate using its internal battery and auto-recharges upon repowering. A web-based tool allows live keystroke monitoring.
The following rules and guidelines are specific only to the Android platform. These do not apply to the development of Java or C programs for non-Android platforms. (The full set of Android-relevant rules and guidelines is here.) The term sensitive incorporates the Java glossary definition of sensitive data, as well as the Android concept of permission-protected.
DRD00-J. Do not store sensitive information on external storage (SD card) unless encrypted first
DRD01-J. Limit the accessibility of an app’s sensitive content provider
DRD02-J. Do not allow WebView to access sensitive local resource through file scheme
DRD03-J. Do not broadcast sensitive information using an implicit intent
DRD04-J. Do not log sensitive information
DRD05-J. Do not grant URI permissions on implicit intents
DRD06-J. Do not act on malicious intents
DRD07-J. Protect exported services with strong permissions
DRD08-J. Always canonicalize a URL received by a content provider
DRD09-J. Restrict access to sensitive activities
DRD10-J. Do not release apps that are debuggable
DRD11-J. Ensure that sensitive data is kept secure
DRD12-J. Do not trust data that is world writable
DRD14-J. Check that a calling app has appropriate permissions before responding
DRD15-J. Consider privacy concerns when using Geolocation API
DRD16-J. Explicitly define the exported attribute for private components
DRD17-J. Do not use the Android cryptographic security provider encryption default for AES
DRD18-J. Do not use the default behavior in a cryptographic library if it does not use recommended practices
DRD19-J. Properly verify server certificate on SSL/TLS