Releases: actuator/pSlip
1.1.4
1.1.3
pSlip v1.1.3 introduces a cleaner CLI, a modernized HTML report, and several reliability improvements.
Unified CLI
Scanning is now controlled by only two flags:
-all– full analysis-allsafe– full analysis without AES/JADX
Legacy flags have been removed from the user interface for simplicity.
Improved AES Handling
- Duplicate findings removed
- More stable timeouts
- Cleaner grouping and component paths
Updated HTML Report
- New layout with improved spacing and typography
- Responsive Findings Index (table → mobile cards)
- Category summaries for Hardening, Exposure, Crypto, JS Injection, Redirects, Permissions, Tapjacking
- Consistent severity styling
Updated Severity Scoring
Severity model aligned with Android 15 behavior.
General Fixes
- Unified scan pipeline (one pass for all categories)
- More reliable ADB PoC formatting
- Cleaner component name rendering
- Stability improvements for large directory sweeps
1.0.8
v1.0.8
Added
Always-on manifest hardening checks (no flag required):
Detects insecure android:allowBackup
Detects android:debuggable="true"
Detects android:usesCleartextTraffic="true"
Detects exported ContentProviders missing permissions
Hardening results now included in:
Console scan output
HTML reports
JSON export
Improved
Cleaner and clearer help text (+ hardening note)
Better formatting and severity ordering in HTML/JSON tables
More resilient manifest parsing (handles malformed nodes safely)
Fixed
Edge cases with odd package names and missing manifest attributes
Performance
Hardening checks add negligible overhead (manifest-only, no smali scanning)
1.0.7
pSlip 1.0.7 - Release Notes
Improvements
AES analysis timeout
New -aes-timeout flag (default 5 minutes) ensures long decompiles are skipped automatically.
JSON reporting
Added -json for structured, machine-readable output alongside HTML.
Removals
CSV reporting
Dropped broken CSV export; use JSON or HTML instead.
Stability
General cleanup and code consistency improvements.
1.0.6
Updated UI
Bug Fix: Permission-Slip flagged exported CALL-related activities
as vulnerable evenwhen they were properly protected with inline android:permission gates.
This commit adds a hotfix to check the component’s android:permission
attribute before marking it as call-vulnerable. If the component requires
any of:
android.permission.CALL_PHONE
android.permission.CALL_PRIVILEGED
android.permission.CALL_EMERGENCY
…then the activity/alias is considered gated and will not be reported.