Port MASTG test 0039 (by @guardsquare) #3042
Conversation
|
|
||
| ## Steps | ||
|
|
||
| 1. View the AndroidManifest.xml, e.g., via @MASTG-TOOL-0121. |
There was a problem hiding this comment.
TOOL-0121 is objdump (ios)
There was a problem hiding this comment.
we should use MASTG-TOOL-0123
There was a problem hiding this comment.
But even better, use a technique "Obtaining Information from the AndroidManifest" (or similar title) with 2 sections to
- get the whole android manifest: can use apktool or jadx/jadx-gui
- or read properties from it: can use aapt
There was a problem hiding this comment.
Always better to use a tech. from a test rather than a tool.
There was a problem hiding this comment.
@TheDauntless I think this overlapped with landing another tool. Fixed.
@cpholguera I split it up into tech and tool.
|
|
||
| To enable debugging of Webviews, the API `WebView.setWebContentsDebuggingEnabled(true);` can be used to enable WebView debugging (see ["see Android documentation"](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/#configure_webviews_for_debugging)). | ||
|
|
||
| Calling this API will enable WebView debugging for **all** of the application's WebViews, independently of the AndroidManifest.xml debuggable flag (See @MASTG-TEST-0x39-1). This allows an attached PC to eavesdrop on, and modify all communication inside WebViews. |
There was a problem hiding this comment.
does this really apply to all webviews even if it's only called in one instance?
There was a problem hiding this comment.
Yes 🤯
This setting applies to all of the application's WebViews.
| Calling this API will enable WebView debugging for **all** of the application's WebViews, independently of the AndroidManifest.xml debuggable flag (See @MASTG-TEST-0x39-1). This allows an attached PC to eavesdrop on, and modify all communication inside WebViews. | ||
|
|
||
| !!! note Other ways to debug the application | ||
| Disabling WebView debugging does not fully prevent all possibilities to debug the app and the WebViews. See @MASWE-0101 for more details on how to prevent debugging. |
There was a problem hiding this comment.
I'm not sure if this note will confuse more than help. Let me know what you think:
What are other ways of debugging the webview if it's not using this? Do you mean that the app can be debugged by other means (but not necessarily the webviews). I guess an attacker able to use frida could call that to enable debugging ...
There was a problem hiding this comment.
I meant that setting debuggable=false still allows someone with root to attach a debugger or attach Frida, essentially debugging the app. This is handled in MASWE-101, not 100% it needs a mention here.
| 2. Inspect all locations where `WebView.setWebContentsDebuggingEnabled` is called, and check | ||
| 1. if it is set to true, and | ||
| 2. if the API call can be executed during runtime. |
There was a problem hiding this comment.
| 2. Inspect all locations where `WebView.setWebContentsDebuggingEnabled` is called, and check | |
| 1. if it is set to true, and | |
| 2. if the API call can be executed during runtime. | |
| 2. Obtain all locations where `WebView.setWebContentsDebuggingEnabled` is called and set to `true`. |
There was a problem hiding this comment.
what's meant by "if the API call can be executed during runtime"?
There was a problem hiding this comment.
https://developer.chrome.com/docs/devtools/remote-debugging/webviews/#configure_webviews_for_debugging contains a code snippet that ties the API call to the manifest debuggable flag.
What this sentence should mean is that the API call itself is not a problem if it is essentially in dead code. Maybe it still should not be in the app...
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) {
if (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE))
{ WebView.setWebContentsDebuggingEnabled(true); }
}
There was a problem hiding this comment.
Ok, got it! Let's see if we should reformulate and/or use this for the evaluation and remediation as well but with more detail mentioning those conditions.
| The output should contain all locations where `WebView.setWebContentsDebuggingEnabled` can be called with `true` at runtime. | ||
|
|
||
| ## Evaluation | ||
|
|
||
| The test case fails if any locations in the application can be executed ar runtime, where WebView debugging is enabled. |
There was a problem hiding this comment.
same question as above about the "runtime" aspect. Shouldn't we just say that if we found this being true that must be fixed?
| !!! note Other ways to debug the application | ||
| Not enabling debugging in the AndroidManifest.xml does fully prevent all possibilities to debug the app. See @MASWE-0101 for more details on how to prevent debugging. |
There was a problem hiding this comment.
If we know about other ways to debug the app we should shortly note them here.
Do you mean something like the attacker can set this attribute (which would invalidate the signature) and repackage & re-sign and be able to debug the app. I think this is something we could note here.
There was a problem hiding this comment.
I meant #3042 (comment) here as well.
The resigning is a good point, not sure we want to open this topic here.
|
|
||
| ## Steps | ||
|
|
||
| 1. View the AndroidManifest.xml, e.g., via @MASTG-TOOL-0121. |
There was a problem hiding this comment.
we should use MASTG-TOOL-0123
|
|
||
| ## Steps | ||
|
|
||
| 1. View the AndroidManifest.xml, e.g., via @MASTG-TOOL-0121. |
There was a problem hiding this comment.
But even better, use a technique "Obtaining Information from the AndroidManifest" (or similar title) with 2 sections to
- get the whole android manifest: can use apktool or jadx/jadx-gui
- or read properties from it: can use aapt
|
|
||
| ## Steps | ||
|
|
||
| 1. View the AndroidManifest.xml, e.g., via @MASTG-TOOL-0121. |
There was a problem hiding this comment.
Always better to use a tech. from a test rather than a tool.
Co-authored-by: Carlos Holguera <[email protected]>
Thank you for submitting a Pull Request to the OWASP MASTG. Please make sure that:
If your PR is related to an issue. Please end your PR test with the following line:
This PR closes #3014.
I did not copy the dynamic part, since this has no benefits over the static analysis (imo).