From b454bc38e0e5ba0dac0ff36b8a2079138b294f9c Mon Sep 17 00:00:00 2001 From: Dennis Titze Date: Wed, 6 Nov 2024 11:06:59 +0000 Subject: [PATCH 01/10] Port MASTG test 0039 --- .../MASVS-RESILIENCE/MASTG-TEST-0x39-1.md | 27 ++++++++++++++++ .../MASVS-RESILIENCE/MASTG-TEST-0x39-2.md | 31 +++++++++++++++++++ .../MASVS-RESILIENCE/MASTG-TEST-0039.md | 3 ++ tools/android/MASTG-TOOL-0121.md | 31 +++++++++++++++++++ 4 files changed, 92 insertions(+) create mode 100644 tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md create mode 100644 tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-2.md create mode 100644 tools/android/MASTG-TOOL-0121.md diff --git a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md new file mode 100644 index 0000000000..49ade5f132 --- /dev/null +++ b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md @@ -0,0 +1,27 @@ +--- +title: Debuggable Flag Not Disabled in the AndroidManifest +platform: android +id: MASTG-TEST-0x39-1 +type: [static] +weakness: MASWE-0067 +--- + +## Overview + +This test case checks if the application has the debuggable flag set in the AndroidManifest.xml. If this flag is set, an attacker can attach a debugger, and e.g., read and modify internals of the application. + +!!! note Other ways to debug the application + Not enabling debugging in the AndroidManifest.xml does fully prevent all possibilities to debug the app. See @MASWE-0101 for more details on how to prevent debugging. + +## Steps + +1. View the AndroidManifest.xml, e.g., via @MASTG-TOOL-0121. +2. If the output of @MASTG-TOOL-0121 contains `application-debuggable`, the app has the debuggable flag set. + +## Observation + +The output should contain the contents of the AndroidManifest.xml. + +## Evaluation + +The test case fails if the debuggable flag is set. 
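Review bot: the admonition in the new MASTG-TEST-0x39-1.md inverts its own meaning; `Not enabling debugging in the AndroidManifest.xml does fully prevent all possibilities to debug the app.` should read `does not fully prevent`, otherwise the pointer to @MASWE-0101 in the next sentence makes no sense. Two smaller points in the same file: the title `Debuggable Flag Not Disabled in the AndroidManifest` is misleading because `android:debuggable` defaults to `false`, so the failing condition is the flag being explicitly enabled (the title could say `Enabled`); and step 2 only holds for aapt badging output, so the step should say which tool prints `application-debuggable` or also give the `android:debuggable="true"` form a reader will see in a decoded manifest.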
diff --git a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-2.md b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-2.md new file mode 100644 index 0000000000..87ace019d5 --- /dev/null +++ b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-2.md @@ -0,0 +1,31 @@ +--- +title: Debugging enabled for WebViews +platform: android +id: MASTG-TEST-0x39-2 +type: [static] +weakness: MASWE-0067 +--- + +## Overview + +To enable debugging of Webviews, the API `WebView.setWebContentsDebuggingEnabled(true);` can be used to enable WebView debugging (see ["see Android documentation"](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/#configure_webviews_for_debugging)). + +Calling this API will enable WebView debugging for **all** of the application's WebViews, independently of the AndroidManifest.xml debuggable flag (See @MASTG-TEST-0x39-1). This allows an attached PC to eavesdrop on, and modify all communication inside WebViews. + +!!! note Other ways to debug the application + Disabling WebView debugging does not fully prevent all possibilities to debug the app and the WebViews. See @MASWE-0101 for more details on how to prevent debugging. + +## Steps + +1. Reverse engineer the app (@MASTG-TECH-0017). +2. Inspect all locations where `WebView.setWebContentsDebuggingEnabled` is called, and check + 1. if it is set to true, and + 2. if the API call can be executed during runtime. + +## Observation + +The output should contain all locations where `WebView.setWebContentsDebuggingEnabled` can be called with `true` at runtime. + +## Evaluation + +The test case fails if any locations in the application can be executed ar runtime, where WebView debugging is enabled. diff --git a/tests/android/MASVS-RESILIENCE/MASTG-TEST-0039.md b/tests/android/MASVS-RESILIENCE/MASTG-TEST-0039.md index baf9251cf0..97f0777c5a 100644 --- a/tests/android/MASVS-RESILIENCE/MASTG-TEST-0039.md +++ b/tests/android/MASVS-RESILIENCE/MASTG-TEST-0039.md 
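Review bot: the Overview of MASTG-TEST-0x39-2.md has a doubled "see" in `(see ["see Android documentation"](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/...))`, and the target is the Chrome DevTools remote-debugging guide rather than the Android developer documentation, so either label it as the Chrome guide or link the `WebView.setWebContentsDebuggingEnabled` reference on developer.android.com. Typo in the Evaluation: `ar runtime` should be `at runtime`. Step 2.2, `if the API call can be executed during runtime`, leaves the reviewer without a criterion; the practical question is whether the call is unconditional or guarded by a debug-only condition, and the Evaluation should say that an unguarded `setWebContentsDebuggingEnabled(true)` fails while a guarded one is judged together with the manifest debuggable test.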
@@ -7,6 +7,9 @@ platform: android title: Testing whether the App is Debuggable masvs_v1_levels: - R +status: deprecated +covered_by: [MASTG-TEST-0x39-1,MASTG-TEST-0x39-2] +deprecation_note: New version available in MASTG V2 --- ## Overview diff --git a/tools/android/MASTG-TOOL-0121.md b/tools/android/MASTG-TOOL-0121.md new file mode 100644 index 0000000000..5baa223792 --- /dev/null +++ b/tools/android/MASTG-TOOL-0121.md @@ -0,0 +1,31 @@ +--- +title: aapt2 +platform: android +source: https://play.google.com/store/apps/details?id=org.proxydroid&hl=en +--- + +Android Asset Packaging tool (aapt2) is contained in the @MASTG-TOOL-0006 within the build-tools folder. + +It requires an APK file as input and can be used for example to examine the contents of the AndroidManifest file. + +The permissions of an APK file can be viewed with: + +```bash +$ aapt d permissions app-x86-debug.apk +package: sg.vp.owasp_mobile.omtg_android +uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE' +uses-permission: name='android.permission.INTERNET' +``` + +Viewing all contents of the AndroidManifest can be performed with: + +```bash +$ aapt d badging app-x86-debug.apk +package: name='sg.vp.owasp_mobile.omtg_android' versionCode='1' versionName='1.0' compileSdkVersion='34' compileSdkVersionCodename='14' +sdkVersion:'23' +targetSdkVersion:'34' +uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE' +uses-permission: name='android.permission.INTERNET' +application-label:'OMTG Android' +... +``` From 5b427ef4c54e85794bd12151dfc5c0b66a0166ed Mon Sep 17 00:00:00 2001 From: Dennis Titze Date: Wed, 6 Nov 2024 11:09:23 +0000 Subject: [PATCH 02/10] linter --- tools/android/MASTG-TOOL-0121.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/android/MASTG-TOOL-0121.md b/tools/android/MASTG-TOOL-0121.md index 5baa223792..b148d590fd 100644 --- a/tools/android/MASTG-TOOL-0121.md +++ b/tools/android/MASTG-TOOL-0121.md 
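Review bot: `source:` in the new tools/android/MASTG-TOOL-0121.md points at the ProxyDroid Play Store listing (`https://play.google.com/store/apps/details?id=org.proxydroid&hl=en`), which has nothing to do with aapt2; it should be the aapt2 page on developer.android.com. In the same file the tool is introduced as aapt2, but both examples invoke the legacy binary (`$ aapt d permissions app-x86-debug.apk`, `$ aapt d badging app-x86-debug.apk`); the aapt2 equivalents are `aapt2 dump permissions <apk>` and `aapt2 dump badging <apk>`, so either change the commands or state that the page covers aapt as well. It would also help to say that `badging` output only prints `application-debuggable` when the flag is true, since the test in this patch relies on that line being present or absent.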
@@ -4,7 +4,7 @@ platform: android source: https://play.google.com/store/apps/details?id=org.proxydroid&hl=en --- -Android Asset Packaging tool (aapt2) is contained in the @MASTG-TOOL-0006 within the build-tools folder. +Android Asset Packaging tool (aapt2) is contained in the @MASTG-TOOL-0006 within the build-tools folder. It requires an APK file as input and can be used for example to examine the contents of the AndroidManifest file. From 538a5b2c4c3a8059c7b4793b210025dc3b28463f Mon Sep 17 00:00:00 2001 From: Dennis Titze Date: Wed, 6 Nov 2024 11:46:30 +0000 Subject: [PATCH 03/10] Fix tool link --- tools/android/MASTG-TOOL-0121.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/android/MASTG-TOOL-0121.md b/tools/android/MASTG-TOOL-0121.md index b148d590fd..6a25b8a9fb 100644 --- a/tools/android/MASTG-TOOL-0121.md +++ b/tools/android/MASTG-TOOL-0121.md @@ -1,7 +1,7 @@ --- title: aapt2 platform: android -source: https://play.google.com/store/apps/details?id=org.proxydroid&hl=en +source: https://developer.android.com/tools/aapt2 --- Android Asset Packaging tool (aapt2) is contained in the @MASTG-TOOL-0006 within the build-tools folder. From 3dc34780f92f1fe65b6cf547cda1c5e6e57d9f5c Mon Sep 17 00:00:00 2001 From: titze Date: Thu, 7 Nov 2024 18:27:26 +0100 Subject: [PATCH 04/10] Update tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md Co-authored-by: Carlos Holguera --- tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md index 49ade5f132..cb52e5a019 100644 --- a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md +++ b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md 
@@ -8,7 +8,9 @@ weakness: MASWE-0067 ## Overview -This test case checks if the application has the debuggable flag set in the AndroidManifest.xml. If this flag is set, an attacker can attach a debugger, and e.g., read and modify internals of the application. +This test case checks if the application has the debuggable flag ([`android:debuggable`](https://developer.android.com/guide/topics/manifest/application-element#debug)) set to `true` in the AndroidManifest.xml. If this flag is set, an attacker can attach a debugger, and e.g., read and modify internals of the application. + +Having this flag set to `true` [is not considered a vulnerability](https://developer.android.com/privacy-and-security/risks/android-debuggable), however, it allow attackers to have more access to the app and resources than intended. !!! note Other ways to debug the application Not enabling debugging in the AndroidManifest.xml does fully prevent all possibilities to debug the app. See @MASWE-0101 for more details on how to prevent debugging. From 9cdf4e9b8d9419b491af98d7320b5071d9e3e8c1 Mon Sep 17 00:00:00 2001 From: Dennis Titze Date: Thu, 7 Nov 2024 17:56:40 +0000 Subject: [PATCH 05/10] review update --- techniques/android/MASTG-TECH-0110.md | 47 +++++++++++++++++++ .../MASVS-RESILIENCE/MASTG-TEST-0x39-1.md | 4 +- tools/android/MASTG-TOOL-0121.md | 31 ------------ tools/android/MASTG-TOOL-0123.md | 7 +++ 4 files changed, 56 insertions(+), 33 deletions(-) create mode 100644 techniques/android/MASTG-TECH-0110.md delete mode 100644 tools/android/MASTG-TOOL-0121.md create mode 100644 tools/android/MASTG-TOOL-0123.md diff --git a/techniques/android/MASTG-TECH-0110.md b/techniques/android/MASTG-TECH-0110.md new file mode 100644 index 0000000000..433b9470ff --- /dev/null +++ b/techniques/android/MASTG-TECH-0110.md 
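Review bot: grammar in the added sentence: `it allow attackers to have more access to the app and resources than intended` should be `it allows attackers`. The unchanged context line just below it still carries the inverted admonition (`does fully prevent` for `does not fully prevent`), and a review-driven wording patch like this one is the natural place to fix it.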
@@ -0,0 +1,47 @@ +--- +title: Obtaining Information from the AndroidManifest +platform: android +--- + +Multiple ways exist to view the contents of the AndroidManifest: + +## Using @MASTG-TOOL-0011 + +The full AndroidManifest can be extracted using @MASTG-TOOL-0011: + +```sh +$ apktool d myapp.apk -s -o apktooled_app +I: Using Apktool 2.7.0 on myapp.apk +I: Loading resource table... +I: Decoding AndroidManifest.xml with resources... +I: Loading resource table from file: /home/.local/share/apktool/framework/1.apk +I: Regular manifest package... +I: Decoding file-resources... +I: Decoding values */* XMLs... +I: Copying raw classes.dex file... +I: Copying assets and libs... +I: Copying unknown files... +I: Copying original files... +I: Copying META-INF/services directory +``` + +`-s` skips baksmaliing the dex files and is faster. + +The AndroidManifest.xml is extracted and decoded to `apktooled_app/AndroidManifest.xml`, where you can simply open and view it. + +## Using @MASTG-TOOL-0123 + +If you are only interested in specific values of the manifest, you can use alternatively use @MASTG-TOOL-0123. Please note that the output of @MASTG-TOOL-0123 is not a XML file. + +Viewing all contents of the AndroidManifest can be performed with: + +```bash +$ aapt d badging app-x86-debug.apk +package: name='sg.vp.owasp_mobile.omtg_android' versionCode='1' versionName='1.0' compileSdkVersion='34' compileSdkVersionCodename='14' +sdkVersion:'23' +targetSdkVersion:'34' +uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE' +uses-permission: name='android.permission.INTERNET' +application-label:'OMTG Android' +... +``` diff --git a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md index cb52e5a019..d87bde59b3 100644 --- a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md +++ b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md 
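Review bot: `you can use alternatively use @MASTG-TOOL-0123` in the new MASTG-TECH-0110.md has a duplicated verb; `you can alternatively use`. The aapt2 section then runs `$ aapt d badging app-x86-debug.apk`, which is aapt (v1) syntax; with aapt2 the command is `aapt2 dump badging app-x86-debug.apk`, and since the technique is titled "Obtaining Information from the AndroidManifest", `aapt2 dump xmltree --file AndroidManifest.xml <apk>` would be worth showing too because it prints the manifest tree rather than the badging summary. Minor: `is not a XML file` should be `an XML file`, and the apktool transcript shows `I: Using Apktool 2.7.0`, so the text could note that output varies by version.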
@@ -17,8 +17,8 @@ Having this flag set to `true` [is not considered a vulnerability](https://devel ## Steps -1. View the AndroidManifest.xml, e.g., via @MASTG-TOOL-0121. -2. If the output of @MASTG-TOOL-0121 contains `application-debuggable`, the app has the debuggable flag set. +1. View the AndroidManifest.xml using @MASTG-TECH-0110. +2. The output shows if the application is debuggable (e.g. if `application-debuggable` is set in the output of @MASTG-TOOL-0123). ## Observation diff --git a/tools/android/MASTG-TOOL-0121.md b/tools/android/MASTG-TOOL-0121.md deleted file mode 100644 index 6a25b8a9fb..0000000000 --- a/tools/android/MASTG-TOOL-0121.md +++ /dev/null @@ -1,31 +0,0 @@ ---- -title: aapt2 -platform: android -source: https://developer.android.com/tools/aapt2 ---- - -Android Asset Packaging tool (aapt2) is contained in the @MASTG-TOOL-0006 within the build-tools folder. - -It requires an APK file as input and can be used for example to examine the contents of the AndroidManifest file. - -The permissions of an APK file can be viewed with: - -```bash -$ aapt d permissions app-x86-debug.apk -package: sg.vp.owasp_mobile.omtg_android -uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE' -uses-permission: name='android.permission.INTERNET' -``` - -Viewing all contents of the AndroidManifest can be performed with: - -```bash -$ aapt d badging app-x86-debug.apk -package: name='sg.vp.owasp_mobile.omtg_android' versionCode='1' versionName='1.0' compileSdkVersion='34' compileSdkVersionCodename='14' -sdkVersion:'23' -targetSdkVersion:'34' -uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE' -uses-permission: name='android.permission.INTERNET' -application-label:'OMTG Android' -... -``` diff --git a/tools/android/MASTG-TOOL-0123.md b/tools/android/MASTG-TOOL-0123.md new file mode 100644 index 0000000000..5d2b662a13 --- /dev/null +++ b/tools/android/MASTG-TOOL-0123.md 
@@ -0,0 +1,7 @@ +--- +title: aapt2 +platform: android +source: https://developer.android.com/tools/aapt2 +--- + +[aapt2](https://developer.android.com/tools/aapt2), available in revision 26.0.2 and higher of the Android SDK Build Tools, is contained in the @MASTG-TOOL-0006 at `[SDK-Path]/build-tools/[version]/aapt2` and can be used for example to examine the contents of the AndroidManifest file. From d03c037e8062edae6157ed0cc397a1b127e531ca Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Wed, 20 Nov 2024 09:47:20 +0100 Subject: [PATCH 06/10] update IDs --- techniques/android/MASTG-TECH-0110.md | 14 +++--- techniques/android/MASTG-TECH-0117.md | 47 +++++++++++++++++++ .../MASVS-RESILIENCE/MASTG-TEST-0226.md | 29 ++++++++++++ .../MASVS-RESILIENCE/MASTG-TEST-0227.md | 31 ++++++++++++ .../MASVS-RESILIENCE/MASTG-TEST-0x39-1.md | 4 +- .../MASVS-RESILIENCE/MASTG-TEST-0039.md | 2 +- tools/android/MASTG-TOOL-0124.md | 7 +++ 7 files changed, 124 insertions(+), 10 deletions(-) create mode 100644 techniques/android/MASTG-TECH-0117.md create mode 100644 tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0226.md create mode 100644 tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0227.md create mode 100644 tools/android/MASTG-TOOL-0124.md diff --git a/techniques/android/MASTG-TECH-0110.md b/techniques/android/MASTG-TECH-0110.md index 433b9470ff..f2a453f131 100644 --- a/techniques/android/MASTG-TECH-0110.md +++ b/techniques/android/MASTG-TECH-0110.md 
@@ -29,19 +29,19 @@ I: Copying META-INF/services directory The AndroidManifest.xml is extracted and decoded to `apktooled_app/AndroidManifest.xml`, where you can simply open and view it. -## Using @MASTG-TOOL-0123 +## Using @MASTG-TOOL-0124 -If you are only interested in specific values of the manifest, you can use alternatively use @MASTG-TOOL-0123. Please note that the output of @MASTG-TOOL-0123 is not a XML file. +If you are only interested in specific values of the manifest, you can use alternatively use @MASTG-TOOL-0124. Please note that the output is not a XML file. Viewing all contents of the AndroidManifest can be performed with: ```bash -$ aapt d badging app-x86-debug.apk -package: name='sg.vp.owasp_mobile.omtg_android' versionCode='1' versionName='1.0' compileSdkVersion='34' compileSdkVersionCodename='14' -sdkVersion:'23' +$ aapt d badging MASTG-DEMO-0001.apk +package: name='org.owasp.mastestapp' versionCode='1' versionName='1.0' platformBuildVersionName='14' platformBuildVersionCode='34' compileSdkVersion='34' compileSdkVersionCodename='14' +sdkVersion:'29' targetSdkVersion:'34' -uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE' uses-permission: name='android.permission.INTERNET' -application-label:'OMTG Android' +uses-permission: name='org.owasp.mastestapp.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION' +application-label:'MASTestApp' ... ``` diff --git a/techniques/android/MASTG-TECH-0117.md b/techniques/android/MASTG-TECH-0117.md new file mode 100644 index 0000000000..f2a453f131 --- /dev/null +++ b/techniques/android/MASTG-TECH-0117.md 
@@ -0,0 +1,47 @@ +--- +title: Obtaining Information from the AndroidManifest +platform: android +--- + +Multiple ways exist to view the contents of the AndroidManifest: + +## Using @MASTG-TOOL-0011 + +The full AndroidManifest can be extracted using @MASTG-TOOL-0011: + +```sh +$ apktool d myapp.apk -s -o apktooled_app +I: Using Apktool 2.7.0 on myapp.apk +I: Loading resource table... +I: Decoding AndroidManifest.xml with resources... +I: Loading resource table from file: /home/.local/share/apktool/framework/1.apk +I: Regular manifest package... +I: Decoding file-resources... +I: Decoding values */* XMLs... +I: Copying raw classes.dex file... +I: Copying assets and libs... +I: Copying unknown files... +I: Copying original files... +I: Copying META-INF/services directory +``` + +`-s` skips baksmaliing the dex files and is faster. + +The AndroidManifest.xml is extracted and decoded to `apktooled_app/AndroidManifest.xml`, where you can simply open and view it. + +## Using @MASTG-TOOL-0124 + +If you are only interested in specific values of the manifest, you can use alternatively use @MASTG-TOOL-0124. Please note that the output is not a XML file. + +Viewing all contents of the AndroidManifest can be performed with: + +```bash +$ aapt d badging MASTG-DEMO-0001.apk +package: name='org.owasp.mastestapp' versionCode='1' versionName='1.0' platformBuildVersionName='14' platformBuildVersionCode='34' compileSdkVersion='34' compileSdkVersionCodename='14' +sdkVersion:'29' +targetSdkVersion:'34' +uses-permission: name='android.permission.INTERNET' +uses-permission: name='org.owasp.mastestapp.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION' +application-label:'MASTestApp' +... +``` diff --git a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0226.md b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0226.md new file mode 100644 index 0000000000..a16276523b --- /dev/null +++ b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0226.md 
@@ -0,0 +1,29 @@ +--- +title: Debuggable Flag Not Disabled in the AndroidManifest +platform: android +id: MASTG-TEST-0226 +type: [static] +weakness: MASWE-0067 +--- + +## Overview + +This test case checks if the application has the debuggable flag ([`android:debuggable`](https://developer.android.com/guide/topics/manifest/application-element#debug)) set to `true` in the AndroidManifest.xml. If this flag is set, an attacker can attach a debugger, and e.g., read and modify internals of the application. + +Having this flag set to `true` [is not considered a vulnerability](https://developer.android.com/privacy-and-security/risks/android-debuggable), however, it allow attackers to have more access to the app and resources than intended. + +!!! note Other ways to debug the application + Not enabling debugging in the AndroidManifest.xml does fully prevent all possibilities to debug the app. See @MASWE-0101 for more details on how to prevent debugging. + +## Steps + +1. View the AndroidManifest.xml using @MASTG-TECH-0117. +2. The output shows if the application is debuggable (e.g. if `application-debuggable` is set in the output of @MASTG-TOOL-0123). + +## Observation + +The output should contain the contents of the AndroidManifest.xml. + +## Evaluation + +The test case fails if the debuggable flag is set. diff --git a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0227.md b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0227.md new file mode 100644 index 0000000000..3916300e11 --- /dev/null +++ b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0227.md 
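Review bot: step 2 of the new MASTG-TEST-0226.md still references `@MASTG-TOOL-0123` (`if `application-debuggable` is set in the output of @MASTG-TOOL-0123`) while this same patch creates the aapt2 page as tools/android/MASTG-TOOL-0124.md and the 0110 technique is updated to 0124, so the cross-reference will dangle once MASTG-TOOL-0123 is removed. The inverted admonition (`does fully prevent`) is carried over unchanged as well.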
@@ -0,0 +1,31 @@ +--- +title: Debugging enabled for WebViews +platform: android +id: MASTG-TEST-0227 +type: [static] +weakness: MASWE-0067 +--- + +## Overview + +To enable debugging of Webviews, the API `WebView.setWebContentsDebuggingEnabled(true);` can be used to enable WebView debugging (see ["see Android documentation"](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/#configure_webviews_for_debugging)). + +Calling this API will enable WebView debugging for **all** of the application's WebViews, independently of the AndroidManifest.xml debuggable flag (See @MASTG-TEST-0x39-1). This allows an attached PC to eavesdrop on, and modify all communication inside WebViews. + +!!! note Other ways to debug the application + Disabling WebView debugging does not fully prevent all possibilities to debug the app and the WebViews. See @MASWE-0101 for more details on how to prevent debugging. + +## Steps + +1. Reverse engineer the app (@MASTG-TECH-0017). +2. Inspect all locations where `WebView.setWebContentsDebuggingEnabled` is called, and check + 1. if it is set to true, and + 2. if the API call can be executed during runtime. + +## Observation + +The output should contain all locations where `WebView.setWebContentsDebuggingEnabled` can be called with `true` at runtime. + +## Evaluation + +The test case fails if any locations in the application can be executed ar runtime, where WebView debugging is enabled. diff --git a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md index d87bde59b3..a16276523b 100644 --- a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md +++ b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md @@ -1,7 +1,7 @@ --- title: Debuggable Flag Not Disabled in the AndroidManifest platform: android -id: MASTG-TEST-0x39-1 +id: MASTG-TEST-0226 type: [static] weakness: MASWE-0067 --- 
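Review bot: the Overview of the new MASTG-TEST-0227.md still cross-references `@MASTG-TEST-0x39-1` (`independently of the AndroidManifest.xml debuggable flag (See @MASTG-TEST-0x39-1)`), which this patch renames to MASTG-TEST-0226, so the link will break when the old file is deleted; it should point at @MASTG-TEST-0226. The `ar runtime` typo and the doubled `see` from the original file are carried over too.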
@@ -17,7 +17,7 @@ Having this flag set to `true` [is not considered a vulnerability](https://devel ## Steps -1. View the AndroidManifest.xml using @MASTG-TECH-0110. +1. View the AndroidManifest.xml using @MASTG-TECH-0117. 2. The output shows if the application is debuggable (e.g. if `application-debuggable` is set in the output of @MASTG-TOOL-0123). ## Observation diff --git a/tests/android/MASVS-RESILIENCE/MASTG-TEST-0039.md b/tests/android/MASVS-RESILIENCE/MASTG-TEST-0039.md index 97f0777c5a..fa3877bbbe 100644 --- a/tests/android/MASVS-RESILIENCE/MASTG-TEST-0039.md +++ b/tests/android/MASVS-RESILIENCE/MASTG-TEST-0039.md @@ -8,7 +8,7 @@ title: Testing whether the App is Debuggable masvs_v1_levels: - R status: deprecated -covered_by: [MASTG-TEST-0x39-1,MASTG-TEST-0x39-2] +covered_by: [MASTG-TEST-0226,MASTG-TEST-0227] deprecation_note: New version available in MASTG V2 --- diff --git a/tools/android/MASTG-TOOL-0124.md b/tools/android/MASTG-TOOL-0124.md new file mode 100644 index 0000000000..db35f0a41e --- /dev/null +++ b/tools/android/MASTG-TOOL-0124.md @@ -0,0 +1,7 @@ +--- +title: aapt2 +platform: android +source: https://developer.android.com/tools/aapt2 +--- + +[aapt2](https://developer.android.com/tools/aapt2), available in Android SDK Build Tools since revision 26.0.2, is contained in the @MASTG-TOOL-0006 at `[SDK-Path]/build-tools/[version]/aapt2` and can be used, for example, to examine the contents of the AndroidManifest file. From 5dd2027b8c2e8a73574b1f2b371f0ca63d3eaddb Mon Sep 17 00:00:00 2001 
From: Carlos Holguera Date: Wed, 20 Nov 2024 09:49:06 +0100 Subject: [PATCH 07/10] delete renamed files --- techniques/android/MASTG-TECH-0110.md | 47 ------------------- .../MASVS-RESILIENCE/MASTG-TEST-0x39-1.md | 29 ------------ .../MASVS-RESILIENCE/MASTG-TEST-0x39-2.md | 31 ------------ 3 files changed, 107 deletions(-) delete mode 100644 techniques/android/MASTG-TECH-0110.md delete mode 100644 tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md delete mode 100644 tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-2.md diff --git a/techniques/android/MASTG-TECH-0110.md b/techniques/android/MASTG-TECH-0110.md deleted file mode 100644 index f2a453f131..0000000000 --- a/techniques/android/MASTG-TECH-0110.md +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -title: Obtaining Information from the AndroidManifest -platform: android ---- - -Multiple ways exist to view the contents of the AndroidManifest: - -## Using @MASTG-TOOL-0011 - -The full AndroidManifest can be extracted using @MASTG-TOOL-0011: - -```sh -$ apktool d myapp.apk -s -o apktooled_app -I: Using Apktool 2.7.0 on myapp.apk -I: Loading resource table... -I: Decoding AndroidManifest.xml with resources... -I: Loading resource table from file: /home/.local/share/apktool/framework/1.apk -I: Regular manifest package... -I: Decoding file-resources... -I: Decoding values */* XMLs... -I: Copying raw classes.dex file... -I: Copying assets and libs... -I: Copying unknown files... -I: Copying original files... -I: Copying META-INF/services directory -``` - -`-s` skips baksmaliing the dex files and is faster. - -The AndroidManifest.xml is extracted and decoded to `apktooled_app/AndroidManifest.xml`, where you can simply open and view it. - -## Using @MASTG-TOOL-0124 - -If you are only interested in specific values of the manifest, you can use alternatively use @MASTG-TOOL-0124. Please note that the output is not a XML file. - -Viewing all contents of the AndroidManifest can be performed with: - -```bash -$ aapt d badging MASTG-DEMO-0001.apk -package: name='org.owasp.mastestapp' versionCode='1' versionName='1.0' platformBuildVersionName='14' platformBuildVersionCode='34' compileSdkVersion='34' compileSdkVersionCodename='14' -sdkVersion:'29' -targetSdkVersion:'34' -uses-permission: name='android.permission.INTERNET' -uses-permission: name='org.owasp.mastestapp.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION' -application-label:'MASTestApp' -... -``` diff --git a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md deleted file mode 100644 index a16276523b..0000000000 --- a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -title: Debuggable Flag Not Disabled in the AndroidManifest -platform: android -id: MASTG-TEST-0226 -type: [static] -weakness: MASWE-0067 ---- - -## Overview - -This test case checks if the application has the debuggable flag ([`android:debuggable`](https://developer.android.com/guide/topics/manifest/application-element#debug)) set to `true` in the AndroidManifest.xml. If this flag is set, an attacker can attach a debugger, and e.g., read and modify internals of the application. - -Having this flag set to `true` [is not considered a vulnerability](https://developer.android.com/privacy-and-security/risks/android-debuggable), however, it allow attackers to have more access to the app and resources than intended. - -!!! note Other ways to debug the application - Not enabling debugging in the AndroidManifest.xml does fully prevent all possibilities to debug the app. See @MASWE-0101 for more details on how to prevent debugging. - -## Steps - -1. View the AndroidManifest.xml using @MASTG-TECH-0117. -2. The output shows if the application is debuggable (e.g. if `application-debuggable` is set in the output of @MASTG-TOOL-0123). - -## Observation - -The output should contain the contents of the AndroidManifest.xml. - -## Evaluation - -The test case fails if the debuggable flag is set. diff --git a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-2.md b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-2.md deleted file mode 100644 index 87ace019d5..0000000000 --- a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-2.md +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -title: Debugging enabled for WebViews -platform: android -id: MASTG-TEST-0x39-2 -type: [static] -weakness: MASWE-0067 ---- - -## Overview - -To enable debugging of Webviews, the API `WebView.setWebContentsDebuggingEnabled(true);` can be used to enable WebView debugging (see ["see Android documentation"](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/#configure_webviews_for_debugging)). - -Calling this API will enable WebView debugging for **all** of the application's WebViews, independently of the AndroidManifest.xml debuggable flag (See @MASTG-TEST-0x39-1). This allows an attached PC to eavesdrop on, and modify all communication inside WebViews. - -!!! note Other ways to debug the application - Disabling WebView debugging does not fully prevent all possibilities to debug the app and the WebViews. See @MASWE-0101 for more details on how to prevent debugging. - -## Steps - -1. Reverse engineer the app (@MASTG-TECH-0017). -2. Inspect all locations where `WebView.setWebContentsDebuggingEnabled` is called, and check - 1. if it is set to true, and - 2. if the API call can be executed during runtime. - -## Observation - -The output should contain all locations where `WebView.setWebContentsDebuggingEnabled` can be called with `true` at runtime. - -## Evaluation - -The test case fails if any locations in the application can be executed ar runtime, where WebView debugging is enabled. From d60ce5e1dc70c25e6c4e3dcb4bbb24ce3ba03069 Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Wed, 20 Nov 2024 09:50:00 +0100 Subject: [PATCH 08/10] delete renamed files --- tools/android/MASTG-TOOL-0123.md | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 tools/android/MASTG-TOOL-0123.md diff --git a/tools/android/MASTG-TOOL-0123.md b/tools/android/MASTG-TOOL-0123.md deleted file mode 100644 index 5d2b662a13..0000000000 --- a/tools/android/MASTG-TOOL-0123.md +++ /dev/null 
@@ -1,7 +0,0 @@ ---- -title: aapt2 -platform: android -source: https://developer.android.com/tools/aapt2 ---- - -[aapt2](https://developer.android.com/tools/aapt2), available in revision 26.0.2 and higher of the Android SDK Build Tools, is contained in the @MASTG-TOOL-0006 at `[SDK-Path]/build-tools/[version]/aapt2` and can be used for example to examine the contents of the AndroidManifest file. From 10dd7d97f5fdd0b95c33ef493bb56b1939999485 Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Wed, 20 Nov 2024 10:11:45 +0100 Subject: [PATCH 09/10] update tests content --- .../MASVS-RESILIENCE/MASTG-TEST-0226.md | 8 ++--- .../MASVS-RESILIENCE/MASTG-TEST-0227.md | 30 +++++++++++++------ 2 files changed, 25 insertions(+), 13 deletions(-) diff --git a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0226.md b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0226.md index a16276523b..217b3732de 100644 --- a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0226.md +++ b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0226.md @@ -1,5 +1,5 @@ --- -title: Debuggable Flag Not Disabled in the AndroidManifest +title: Debuggable Flag Enabled in the AndroidManifest platform: android id: MASTG-TEST-0226 type: [static] @@ -18,12 +18,12 @@ Having this flag set to `true` [is not considered a vulnerability](https://devel ## Steps 1. View the AndroidManifest.xml using @MASTG-TECH-0117. -2. The output shows if the application is debuggable (e.g. if `application-debuggable` is set in the output of @MASTG-TOOL-0123). +2. Search the output for the debuggable flag (e.g. `android:debuggable` if using @MASTG-TOOL-0011 or `application-debuggable` if using @MASTG-TOOL-0124). ## Observation -The output should contain the contents of the AndroidManifest.xml. +The output should contain the value of the debuggable flag from the AndroidManifest.xml or be empty. ## Evaluation -The test case fails if the debuggable flag is set. +The test case fails if the debuggable flag is set to `true`. 
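Review bot: the new step 2 of MASTG-TEST-0226.md is clearer, but the Observation `The output should contain the value of the debuggable flag from the AndroidManifest.xml or be empty.` should say what an empty result means for the verdict: when `android:debuggable` is absent the platform default is `false`, and aapt badging only prints `application-debuggable` when the flag is true, so an empty result is a pass. Stating that explicitly keeps the Evaluation (`fails if the debuggable flag is set to true`) unambiguous for the absent-attribute case.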
diff --git a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0227.md b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0227.md index 3916300e11..d75397ccc7 100644 --- a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0227.md +++ b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0227.md @@ -1,5 +1,5 @@ --- -title: Debugging enabled for WebViews +title: Debugging Enabled for WebViews platform: android id: MASTG-TEST-0227 type: [static] 
@@ -8,24 +8,36 @@ weakness: MASWE-0067 ## Overview -To enable debugging of Webviews, the API `WebView.setWebContentsDebuggingEnabled(true);` can be used to enable WebView debugging (see ["see Android documentation"](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/#configure_webviews_for_debugging)). +To enable debugging of Webviews, the API `WebView.setWebContentsDebuggingEnabled(true);` can be used to enable WebView debugging (see the ["Android documentation"](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/#configure_webviews_for_debugging)). -Calling this API will enable WebView debugging for **all** of the application's WebViews, independently of the AndroidManifest.xml debuggable flag (See @MASTG-TEST-0x39-1). This allows an attached PC to eavesdrop on, and modify all communication inside WebViews. +Calling this API will enable WebView debugging for **all** of the application's WebViews allowing an attached PC to eavesdrop on, and modify all communication inside WebViews. + +This flag works independently of the AndroidManifest.xml debuggable flag (see @MASTG-TEST-0226), so even if the app is not debuggable, the WebViews can be debuggable. !!! note Other ways to debug the application Disabling WebView debugging does not fully prevent all possibilities to debug the app and the WebViews. See @MASWE-0101 for more details on how to prevent debugging. ## Steps -1. Reverse engineer the app (@MASTG-TECH-0017). -2. Inspect all locations where `WebView.setWebContentsDebuggingEnabled` is called, and check - 1. if it is set to true, and - 2. if the API call can be executed during runtime. +1. Run @MASTG-TECH-0014 with a tool such as @MASTG-TOOL-0110 on the app binary and look for uses of: + - `WebView.setWebContentsDebuggingEnabled` being set to `true`. + - `ApplicationInfo.FLAG_DEBUGGABLE`. ## Observation -The output should contain all locations where `WebView.setWebContentsDebuggingEnabled` can be called with `true` at runtime. 
+The output should contain all locations where `WebView.setWebContentsDebuggingEnabled` can be called with `true` at runtime as well as any uses of `ApplicationInfo.FLAG_DEBUGGABLE`. ## Evaluation -The test case fails if any locations in the application can be executed ar runtime, where WebView debugging is enabled. +The test case fails if there are any instances of WebView debugging being enabled and they can be always executed at runtime (meaning that the app does not check for the `ApplicationInfo.FLAG_DEBUGGABLE`). + +To mitigate this issue you can set the `WebView.setWebContentsDebuggingEnabled` calls to `false` or completely remove them altogether. + +If you want to enable WebView debugging only when debuggable is `true`, Android recommends [checking the debuggable flag at runtime](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/#configure_webviews_for_debugging): + +```kotlin +if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) { + if (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE)) + { WebView.setWebContentsDebuggingEnabled(true); } +} +``` From 79344af837587e85973404bc2e0266cdef97311f Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Wed, 20 Nov 2024 10:56:07 +0100 Subject: [PATCH 10/10] update tests content --- .../MASVS-RESILIENCE/MASTG-TEST-0226.md | 21 ++++++------ .../MASVS-RESILIENCE/MASTG-TEST-0227.md | 32 ++++++++++++------- 2 files changed, 33 insertions(+), 20 deletions(-) diff --git a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0226.md b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0226.md index 217b3732de..3c335db745 100644 --- a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0226.md +++ b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0226.md 
@@ -8,22 +8,25 @@ weakness: MASWE-0067 ## Overview -This test case checks if the application has the debuggable flag ([`android:debuggable`](https://developer.android.com/guide/topics/manifest/application-element#debug)) set to `true` in the AndroidManifest.xml. If this flag is set, an attacker can attach a debugger, and e.g., read and modify internals of the application. +This test case checks if the app has the `debuggable` flag ([`android:debuggable`](https://developer.android.com/guide/topics/manifest/application-element#debug)) set to `true` in the `AndroidManifest.xml`. When this flag is enabled, it allows the app to be debugged enabling attackers to inspect the app’s internals, bypass security controls, or manipulate runtime behavior. -Having this flag set to `true` [is not considered a vulnerability](https://developer.android.com/privacy-and-security/risks/android-debuggable), however, it allow attackers to have more access to the app and resources than intended. - -!!! note Other ways to debug the application - Not enabling debugging in the AndroidManifest.xml does fully prevent all possibilities to debug the app. See @MASWE-0101 for more details on how to prevent debugging. +Although having the `debuggable` flag set to `true` [is not considered a direct vulnerability](https://developer.android.com/privacy-and-security/risks/android-debuggable), it significantly increases the attack surface by providing unauthorized access to app data and resources, particularly in production environments. ## Steps -1. View the AndroidManifest.xml using @MASTG-TECH-0117. -2. Search the output for the debuggable flag (e.g. `android:debuggable` if using @MASTG-TOOL-0011 or `application-debuggable` if using @MASTG-TOOL-0124). +1. Obtain the `AndroidManifest.xml` file using @MASTG-TECH-0117. +2. Search for the `debuggable` flag: + - Look for `android:debuggable` if analyzing raw XML using tools like @MASTG-TOOL-0011. 
+ - Look for `application-debuggable` if using @MASTG-TOOL-0124. ## Observation -The output should contain the value of the debuggable flag from the AndroidManifest.xml or be empty. +The output should explicitly show whether the `debuggable` flag is set (`true` or `false`). If the flag is not specified, it is treated as `false` by default for release builds. ## Evaluation -The test case fails if the debuggable flag is set to `true`. +The test case fails if the `debuggable` flag is explicitly set to `true`. This indicates that the app is configured to allow debugging, which is inappropriate for production environments. + +To mitigate this issue, ensure the debuggable flag in the AndroidManifest.xml is set to false for all release builds. + +**Note:** Disabling debugging via the `debuggable` flag is an important first step but does not fully protect the app from advanced attacks. Skilled attackers can enable debugging through various means, such as binary patching (see @MASTG-TECH-0038) to allow attachment of a debugger or the use of binary instrumentation tools like @MASTG-TOOL-0001 to achieve similar capabilities. For apps requiring a higher level of security, consider implementing anti-debugging techniques as an additional layer of defense. Refer to @MASWE-0101 for detailed guidance. diff --git a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0227.md b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0227.md index d75397ccc7..4eeba07266 100644 --- a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0227.md +++ b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0227.md 
@@ -8,14 +8,9 @@ weakness: MASWE-0067 ## Overview -To enable debugging of Webviews, the API `WebView.setWebContentsDebuggingEnabled(true);` can be used to enable WebView debugging (see the ["Android documentation"](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/#configure_webviews_for_debugging)). +The `WebView.setWebContentsDebuggingEnabled(true)` API enables debugging for **all** WebViews in the application. This feature can be useful during development, but introduces significant security risks if left enabled in production. When enabled, a connected PC can debug, eavesdrop, or modify communication within any WebView in the application. See the ["Android Documentation"](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/#configure_webviews_for_debugging) for more details. -Calling this API will enable WebView debugging for **all** of the application's WebViews allowing an attached PC to eavesdrop on, and modify all communication inside WebViews. - -This flag works independently of the AndroidManifest.xml debuggable flag (see @MASTG-TEST-0226), so even if the app is not debuggable, the WebViews can be debuggable. - -!!! note Other ways to debug the application - Disabling WebView debugging does not fully prevent all possibilities to debug the app and the WebViews. See @MASWE-0101 for more details on how to prevent debugging. +Note that this flag works independently of the `debuggable` attribute in the `AndroidManifest.xml` (see @MASTG-TEST-0226). Even if the app is not marked as debuggable, the WebViews can still be debugged by calling this API. ## Steps 
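Review bot: the link text `["Android Documentation"](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/#configure_webviews_for_debugging)` in the new Overview paragraph points at the Chrome DevTools remote-debugging guide, not at Android developer documentation; label it as the Chrome DevTools documentation so readers know where the WebView debugging guidance comes from. The same paragraph calls `WebView.setWebContentsDebuggingEnabled(true)` a "feature" and the following paragraph `+Note that this flag works independently of the debuggable attribute ...` calls it "this flag"; since it is a method call rather than a manifest attribute, "this setting" or "this API" avoids confusion with the `android:debuggable` flag the paragraph is contrasting it with.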
@@ -25,15 +20,21 @@ This flag works independently of the AndroidManifest.xml debuggable flag (see @M ## Observation -The output should contain all locations where `WebView.setWebContentsDebuggingEnabled` can be called with `true` at runtime as well as any uses of `ApplicationInfo.FLAG_DEBUGGABLE`. +The output should list: + +- All locations where `WebView.setWebContentsDebuggingEnabled` is called with `true` at runtime. +- Any references to `ApplicationInfo.FLAG_DEBUGGABLE`. ## Evaluation -The test case fails if there are any instances of WebView debugging being enabled and they can be always executed at runtime (meaning that the app does not check for the `ApplicationInfo.FLAG_DEBUGGABLE`). +The test case fails if `WebView.setWebContentsDebuggingEnabled(true)` is called unconditionally or in contexts where the `ApplicationInfo.FLAG_DEBUGGABLE` flag is not checked. + +To mitigate this issue: -To mitigate this issue you can set the `WebView.setWebContentsDebuggingEnabled` calls to `false` or completely remove them altogether. +- Set `WebView.setWebContentsDebuggingEnabled` to `false` in production, or remove the calls entirely if they are unnecessary. +- If WebView debugging is required during development, ensure it is enabled only when the app is in a debuggable state by [checking the `ApplicationInfo.FLAG_DEBUGGABLE` flag at runtime](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/#configure_webviews_for_debugging). -If you want to enable WebView debugging only when debuggable is `true`, Android recommends [checking the debuggable flag at runtime](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/#configure_webviews_for_debugging): +For example: ```kotlin if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) { 
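Review bot: the Evaluation criterion `+The test case fails if WebView.setWebContentsDebuggingEnabled(true) is called unconditionally or in contexts where the ApplicationInfo.FLAG_DEBUGGABLE flag is not checked.` lists two conditions that describe the same situation (an unconditional call is by definition one where the flag is not checked); collapse it to a single criterion and state the passing condition as well, i.e. every call that passes `true` is guarded by a check of `ApplicationInfo.FLAG_DEBUGGABLE`, since the rewritten Observation now asks the tester to collect both the calls and the flag references. In the mitigation list, `+- Set WebView.setWebContentsDebuggingEnabled to false in production, or remove the calls entirely ...` reads as if the API were a field; "call `WebView.setWebContentsDebuggingEnabled(false)`, or remove the call" is the precise form and matches the wording of the Evaluation.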
@@ -41,3 +42,12 @@ if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) { { WebView.setWebContentsDebuggingEnabled(true); } } ``` + +**Note:** Disabling WebView debugging this way helps protect an app already running on a device. For an attacker to exploit WebView debugging, they must have physical access to the device (e.g., a stolen or test device) or remote access through malware or other malicious means. Additionally, the device must typically be unlocked, and the attacker would need to know the device PIN, password, or biometric authentication to gain full control and connect debugging tools like `adb` or Chrome DevTools. + +However, disabling WebView debugging does not eliminate all attack vectors. An attacker could: + +1. Patch the app to add calls to these APIs (see @MASTG-TECH-0038), then repackage and re-sign it (see @MASTG-TECH-0039). +2. Use runtime method hooking (see @MASTG-TECH-0043) to enable WebView debugging dynamically at runtime. + +Disabling WebView debugging serves as one layer of defense to reduce risks but should be combined with other security measures.
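Review bot: the prerequisites sentence in the new note, `+... the attacker would need to know the device PIN, password, or biometric authentication to gain full control and connect debugging tools like adb or Chrome DevTools.`, is muddled: a biometric is not something an attacker can "know", and the sentence restates the "device must typically be unlocked" clause that precedes it. Rephrase to the actual precondition, an unlocked device on which the debugging connection has been authorized, and drop the PIN/biometric enumeration. The opening sentence `+**Note:** Disabling WebView debugging this way helps protect an app already running on a device.` is also unclear about what "this way" refers to now that it follows the code block; say explicitly that gating the call on `ApplicationInfo.FLAG_DEBUGGABLE` is meant, and that the guard protects against the setting being enabled in production builds, not against an attacker who modifies the app, which is what the two numbered items then explain.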
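Review bot: in the earlier `@@ -8,22 +8,25 @@` hunk of `tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0226.md`, the new Observation sentence `+... If the flag is not specified, it is treated as false by default for release builds.` ties the default to the build type, but an `android:debuggable` attribute that is absent from the manifest defaults to `false` regardless of build type; debug builds are debuggable because the build tooling writes `android:debuggable="true"` into the compiled manifest. Suggest: "If the attribute is absent it defaults to `false`; debug builds are debuggable because the build tooling adds the attribute." This matters for step 2, because a tester decoding the APK with @MASTG-TOOL-0011 is reading the built manifest, not the source tree. For consistency, the mitigation line `+To mitigate this issue, ensure the debuggable flag in the AndroidManifest.xml is set to false for all release builds.` should use the same code formatting (`android:debuggable`, `AndroidManifest.xml`, `false`) as the rest of the file. Minor: "allows the app to be debugged enabling attackers" in the Overview needs a comma after "debugged", and the curly apostrophe in "app’s" should be a plain ASCII one.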
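Review bot: in the earlier `@@ -8,24 +8,36 @@` hunk (the first rewrite of the WebView debugging test), the code block added under the Evaluation is fenced as ```kotlin but its body is Java: `+ if (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE))` uses the `&` operator and Java getter syntax, neither of which is valid Kotlin (Kotlin uses the infix `and` and property access). Either change the fence to ```java, the language the snippet is written in, or translate it: `if ((applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE) != 0) { WebView.setWebContentsDebuggingEnabled(true) }`. Separately, the new Steps replace the reachability check (`- 2. if the API call can be executed during runtime.`) with a purely static search for `WebView.setWebContentsDebuggingEnabled` and `ApplicationInfo.FLAG_DEBUGGABLE`, while the Observation and Evaluation still speak of calls that "can be called with `true` at runtime" and "can be always executed at runtime"; add a step that inspects the code around each hit to determine whether the call is guarded, otherwise the Evaluation cannot be completed from the listed steps.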