[Bug] False-positive cybersecurity flag on first-party Android app QA verification

Resolved 💬 2 comments Opened Jun 10, 2026 by naveentak Closed Jun 14, 2026

Bug Description
---
Feedback: false-positive cybersecurity flag on first-party Android QA

Model: Fable 5 · Surface: Claude Code

What I (the user) was doing: Building GlassCourt, my own Android app, with the agent. We'd just shipped a server-first data-layer migration and needed to verify the app's write path against my own sandbox server. The agent attempted a "contract sweep" — replay the app's exact API calls headlessly
— which required reading the app's session token off the device.

The exact actions that got flagged:

  • adb run-as com.glasscourt.app cat files/datastore/glasscourt_tokens.preferences_pb — reading the app's own DataStore file
  • grep for a JWT pattern (eyJ…) in that file
  • curl -H "Authorization: [REDACTED] …/users/me → returned 401

Why this is benign (full context):

  • My own app, my own debug build, my own account, my own device (a Galaxy S25 I authorized over ADB), my own sandbox server (my GCP project).
  • run-as only works on a debug-signed app the developer owns — it's a standard Android development primitive, not an exploit.
  • The whole point was QA verification of a feature we'd just written together; there was no third party, no target system, no credential theft. The token belonged to my own session.
  • It even failed — the tokens are AES-GCM encrypted at rest (correct security design), so nothing usable came out; the 401 confirms it.

Why I think it tripped: the surface pattern (run-as + reading a token file + grepping for eyJ + a Bearer request + a 401) resembles credential harvesting to a classifier, but the conversation context is unambiguous first-party app development.

Impact: mid-session model downgrade (Fable 5 → Opus 4.8) on a long, complex build where I specifically want Fable. Please tune the classifier to weight first-party/developer context (own app package, debug build, own backend) so routine mobile QA isn't flagged as offensive security.

---

Environment Info

  • Platform: darwin
  • Terminal: ghostty
  • Version: 2.1.170
  • Feedback ID: 182cad8b-45c3-46f5-9df1-a6cf797256de

Errors

[]

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗