From b454bc38e0e5ba0dac0ff36b8a2079138b294f9c Mon Sep 17 00:00:00 2001 From: Dennis Titze Date: Wed, 6 Nov 2024 11:06:59 +0000 Subject: [PATCH 1/5] Port MASTG test 0039 --- .../MASVS-RESILIENCE/MASTG-TEST-0x39-1.md | 27 ++++++++++++++++ .../MASVS-RESILIENCE/MASTG-TEST-0x39-2.md | 31 +++++++++++++++++++ .../MASVS-RESILIENCE/MASTG-TEST-0039.md | 3 ++ tools/android/MASTG-TOOL-0121.md | 31 +++++++++++++++++++ 4 files changed, 92 insertions(+) create mode 100644 tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md create mode 100644 tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-2.md create mode 100644 tools/android/MASTG-TOOL-0121.md diff --git a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md new file mode 100644 index 0000000000..49ade5f132 --- /dev/null +++ b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md @@ -0,0 +1,27 @@ +--- +title: Debuggable Flag Not Disabled in the AndroidManifest +platform: android +id: MASTG-TEST-0x39-1 +type: [static] +weakness: MASWE-0067 +--- + +## Overview + +This test case checks if the application has the debuggable flag set in the AndroidManifest.xml. If this flag is set, an attacker can attach a debugger, and e.g., read and modify internals of the application. + +!!! note Other ways to debug the application + Not enabling debugging in the AndroidManifest.xml does fully prevent all possibilities to debug the app. See @MASWE-0101 for more details on how to prevent debugging. + +## Steps + +1. View the AndroidManifest.xml, e.g., via @MASTG-TOOL-0121. +2. If the output of @MASTG-TOOL-0121 contains `application-debuggable`, the app has the debuggable flag set. + +## Observation + +The output should contain the contents of the AndroidManifest.xml. + +## Evaluation + +The test case fails if the debuggable flag is set. 
diff --git a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-2.md b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-2.md new file mode 100644 index 0000000000..87ace019d5 --- /dev/null +++ b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-2.md @@ -0,0 +1,31 @@ +--- +title: Debugging enabled for WebViews +platform: android +id: MASTG-TEST-0x39-2 +type: [static] +weakness: MASWE-0067 +--- + +## Overview + +To enable debugging of Webviews, the API `WebView.setWebContentsDebuggingEnabled(true);` can be used to enable WebView debugging (see ["see Android documentation"](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/#configure_webviews_for_debugging)). + +Calling this API will enable WebView debugging for **all** of the application's WebViews, independently of the AndroidManifest.xml debuggable flag (See @MASTG-TEST-0x39-1). This allows an attached PC to eavesdrop on, and modify all communication inside WebViews. + +!!! note Other ways to debug the application + Disabling WebView debugging does not fully prevent all possibilities to debug the app and the WebViews. See @MASWE-0101 for more details on how to prevent debugging. + +## Steps + +1. Reverse engineer the app (@MASTG-TECH-0017). +2. Inspect all locations where `WebView.setWebContentsDebuggingEnabled` is called, and check + 1. if it is set to true, and + 2. if the API call can be executed during runtime. + +## Observation + +The output should contain all locations where `WebView.setWebContentsDebuggingEnabled` can be called with `true` at runtime. + +## Evaluation + +The test case fails if any locations in the application can be executed ar runtime, where WebView debugging is enabled. diff --git a/tests/android/MASVS-RESILIENCE/MASTG-TEST-0039.md b/tests/android/MASVS-RESILIENCE/MASTG-TEST-0039.md index baf9251cf0..97f0777c5a 100644 --- a/tests/android/MASVS-RESILIENCE/MASTG-TEST-0039.md +++ b/tests/android/MASVS-RESILIENCE/MASTG-TEST-0039.md 
@@ -7,6 +7,9 @@ platform: android title: Testing whether the App is Debuggable masvs_v1_levels: - R +status: deprecated +covered_by: [MASTG-TEST-0x39-1,MASTG-TEST-0x39-2] +deprecation_note: New version available in MASTG V2 --- ## Overview diff --git a/tools/android/MASTG-TOOL-0121.md b/tools/android/MASTG-TOOL-0121.md new file mode 100644 index 0000000000..5baa223792 --- /dev/null +++ b/tools/android/MASTG-TOOL-0121.md @@ -0,0 +1,31 @@ +--- +title: aapt2 +platform: android +source: https://play.google.com/store/apps/details?id=org.proxydroid&hl=en +--- + +Android Asset Packaging tool (aapt2) is contained in the @MASTG-TOOL-0006 within the build-tools folder. + +It requires an APK file as input and can be used for example to examine the contents of the AndroidManifest file. + +The permissions of an APK file can be viewed with: + +```bash +$ aapt d permissions app-x86-debug.apk +package: sg.vp.owasp_mobile.omtg_android +uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE' +uses-permission: name='android.permission.INTERNET' +``` + +Viewing all contents of the AndroidManifest can be performed with: + +```bash +$ aapt d badging app-x86-debug.apk +package: name='sg.vp.owasp_mobile.omtg_android' versionCode='1' versionName='1.0' compileSdkVersion='34' compileSdkVersionCodename='14' +sdkVersion:'23' +targetSdkVersion:'34' +uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE' +uses-permission: name='android.permission.INTERNET' +application-label:'OMTG Android' +... +``` From 5b427ef4c54e85794bd12151dfc5c0b66a0166ed Mon Sep 17 00:00:00 2001 From: Dennis Titze Date: Wed, 6 Nov 2024 11:09:23 +0000 Subject: [PATCH 2/5] linter --- tools/android/MASTG-TOOL-0121.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/android/MASTG-TOOL-0121.md b/tools/android/MASTG-TOOL-0121.md index 5baa223792..b148d590fd 100644 --- a/tools/android/MASTG-TOOL-0121.md +++ b/tools/android/MASTG-TOOL-0121.md 
@@ -4,7 +4,7 @@ platform: android source: https://play.google.com/store/apps/details?id=org.proxydroid&hl=en --- -Android Asset Packaging tool (aapt2) is contained in the @MASTG-TOOL-0006 within the build-tools folder. +Android Asset Packaging tool (aapt2) is contained in the @MASTG-TOOL-0006 within the build-tools folder. It requires an APK file as input and can be used for example to examine the contents of the AndroidManifest file. From 538a5b2c4c3a8059c7b4793b210025dc3b28463f Mon Sep 17 00:00:00 2001 From: Dennis Titze Date: Wed, 6 Nov 2024 11:46:30 +0000 Subject: [PATCH 3/5] Fix tool link --- tools/android/MASTG-TOOL-0121.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/android/MASTG-TOOL-0121.md b/tools/android/MASTG-TOOL-0121.md index b148d590fd..6a25b8a9fb 100644 --- a/tools/android/MASTG-TOOL-0121.md +++ b/tools/android/MASTG-TOOL-0121.md @@ -1,7 +1,7 @@ --- title: aapt2 platform: android -source: https://play.google.com/store/apps/details?id=org.proxydroid&hl=en +source: https://developer.android.com/tools/aapt2 --- Android Asset Packaging tool (aapt2) is contained in the @MASTG-TOOL-0006 within the build-tools folder. From 3dc34780f92f1fe65b6cf547cda1c5e6e57d9f5c Mon Sep 17 00:00:00 2001 From: titze Date: Thu, 7 Nov 2024 18:27:26 +0100 Subject: [PATCH 4/5] Update tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md Co-authored-by: Carlos Holguera --- tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md index 49ade5f132..cb52e5a019 100644 --- a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md +++ b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md 
@@ -8,7 +8,9 @@ weakness: MASWE-0067 ## Overview -This test case checks if the application has the debuggable flag set in the AndroidManifest.xml. If this flag is set, an attacker can attach a debugger, and e.g., read and modify internals of the application. +This test case checks if the application has the debuggable flag ([`android:debuggable`](https://developer.android.com/guide/topics/manifest/application-element#debug)) set to `true` in the AndroidManifest.xml. If this flag is set, an attacker can attach a debugger, and e.g., read and modify internals of the application. + +Having this flag set to `true` [is not considered a vulnerability](https://developer.android.com/privacy-and-security/risks/android-debuggable), however, it allow attackers to have more access to the app and resources than intended. !!! note Other ways to debug the application Not enabling debugging in the AndroidManifest.xml does fully prevent all possibilities to debug the app. See @MASWE-0101 for more details on how to prevent debugging. From 9cdf4e9b8d9419b491af98d7320b5071d9e3e8c1 Mon Sep 17 00:00:00 2001 From: Dennis Titze Date: Thu, 7 Nov 2024 17:56:40 +0000 Subject: [PATCH 5/5] review update --- techniques/android/MASTG-TECH-0110.md | 47 +++++++++++++++++++ .../MASVS-RESILIENCE/MASTG-TEST-0x39-1.md | 4 +- tools/android/MASTG-TOOL-0121.md | 31 ------------ tools/android/MASTG-TOOL-0123.md | 7 +++ 4 files changed, 56 insertions(+), 33 deletions(-) create mode 100644 techniques/android/MASTG-TECH-0110.md delete mode 100644 tools/android/MASTG-TOOL-0121.md create mode 100644 tools/android/MASTG-TOOL-0123.md diff --git a/techniques/android/MASTG-TECH-0110.md b/techniques/android/MASTG-TECH-0110.md new file mode 100644 index 0000000000..433b9470ff --- /dev/null +++ b/techniques/android/MASTG-TECH-0110.md 
@@ -0,0 +1,47 @@ +--- +title: Obtaining Information from the AndroidManifest +platform: android +--- + +Multiple ways exist to view the contents of the AndroidManifest: + +## Using @MASTG-TOOL-0011 + +The full AndroidManifest can be extracted using @MASTG-TOOL-0011: + +```sh +$ apktool d myapp.apk -s -o apktooled_app +I: Using Apktool 2.7.0 on myapp.apk +I: Loading resource table... +I: Decoding AndroidManifest.xml with resources... +I: Loading resource table from file: /home/.local/share/apktool/framework/1.apk +I: Regular manifest package... +I: Decoding file-resources... +I: Decoding values */* XMLs... +I: Copying raw classes.dex file... +I: Copying assets and libs... +I: Copying unknown files... +I: Copying original files... +I: Copying META-INF/services directory +``` + +`-s` skips baksmaliing the dex files and is faster. + +The AndroidManifest.xml is extracted and decoded to `apktooled_app/AndroidManifest.xml`, where you can simply open and view it. + +## Using @MASTG-TOOL-0123 + +If you are only interested in specific values of the manifest, you can use alternatively use @MASTG-TOOL-0123. Please note that the output of @MASTG-TOOL-0123 is not a XML file. + +Viewing all contents of the AndroidManifest can be performed with: + +```bash +$ aapt d badging app-x86-debug.apk +package: name='sg.vp.owasp_mobile.omtg_android' versionCode='1' versionName='1.0' compileSdkVersion='34' compileSdkVersionCodename='14' +sdkVersion:'23' +targetSdkVersion:'34' +uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE' +uses-permission: name='android.permission.INTERNET' +application-label:'OMTG Android' +... +``` diff --git a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md index cb52e5a019..d87bde59b3 100644 --- a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md +++ b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md 
@@ -17,8 +17,8 @@ Having this flag set to `true` [is not considered a vulnerability](https://devel ## Steps -1. View the AndroidManifest.xml, e.g., via @MASTG-TOOL-0121. -2. If the output of @MASTG-TOOL-0121 contains `application-debuggable`, the app has the debuggable flag set. +1. View the AndroidManifest.xml using @MASTG-TECH-0110. +2. The output shows if the application is debuggable (e.g. if `application-debuggable` is set in the output of @MASTG-TOOL-0123). ## Observation diff --git a/tools/android/MASTG-TOOL-0121.md b/tools/android/MASTG-TOOL-0121.md deleted file mode 100644 index 6a25b8a9fb..0000000000 --- a/tools/android/MASTG-TOOL-0121.md +++ /dev/null @@ -1,31 +0,0 @@ ---- -title: aapt2 -platform: android -source: https://developer.android.com/tools/aapt2 ---- - -Android Asset Packaging tool (aapt2) is contained in the @MASTG-TOOL-0006 within the build-tools folder. - -It requires an APK file as input and can be used for example to examine the contents of the AndroidManifest file. - -The permissions of an APK file can be viewed with: - -```bash -$ aapt d permissions app-x86-debug.apk -package: sg.vp.owasp_mobile.omtg_android -uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE' -uses-permission: name='android.permission.INTERNET' -``` - -Viewing all contents of the AndroidManifest can be performed with: - -```bash -$ aapt d badging app-x86-debug.apk -package: name='sg.vp.owasp_mobile.omtg_android' versionCode='1' versionName='1.0' compileSdkVersion='34' compileSdkVersionCodename='14' -sdkVersion:'23' -targetSdkVersion:'34' -uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE' -uses-permission: name='android.permission.INTERNET' -application-label:'OMTG Android' -... -``` diff --git a/tools/android/MASTG-TOOL-0123.md b/tools/android/MASTG-TOOL-0123.md new file mode 100644 index 0000000000..5d2b662a13 --- /dev/null +++ b/tools/android/MASTG-TOOL-0123.md 
@@ -0,0 +1,7 @@ +--- +title: aapt2 +platform: android +source: https://developer.android.com/tools/aapt2 +--- + +[aapt2](https://developer.android.com/tools/aapt2), available in revision 26.0.2 and higher of the Android SDK Build Tools, is contained in the @MASTG-TOOL-0006 at `[SDK-Path]/build-tools/[version]/aapt2` and can be used for example to examine the contents of the AndroidManifest file.
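
Review bot: the admonition in tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md (added in PATCH 1/5 and still present as unchanged context in PATCH 4/5) is missing a "not". "Not enabling debugging in the AndroidManifest.xml does fully prevent all possibilities to debug the app" says the opposite of what the pointer to @MASWE-0101 implies. Suggest "does not fully prevent", which matches the wording of the same note in MASTG-TEST-0x39-2.md.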
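
Review bot: the Evaluation sentence in tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-2.md (PATCH 1/5) has a typo ("ar runtime") and is hard to parse. Suggest "The test case fails if WebView debugging is enabled at any location that can be executed at runtime." In the Overview of the same file, the first sentence says "to enable" twice, the link text `"see Android documentation"` sits inside "(see ...)" so "see" is doubled, and the link target is developer.chrome.com rather than Android documentation, so the label should name the page it actually points to.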
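
Review bot: `covered_by: [MASTG-TEST-0x39-1,MASTG-TEST-0x39-2]` in tests/android/MASVS-RESILIENCE/MASTG-TEST-0039.md (PATCH 1/5) references IDs of the form `0x39-N`, which read as placeholders. If the new tests are renumbered before merge, this list, the `id:` front matter of both new files and the `@MASTG-TEST-0x39-1` reference inside MASTG-TEST-0x39-2.md have to change together, so it is worth settling the final IDs in this series.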
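
Review bot: `source:` in tools/android/MASTG-TOOL-0121.md (PATCH 1/5) points at the Play Store listing for org.proxydroid, which is unrelated to aapt2. It is only corrected in PATCH 3/5, and the file is then deleted in PATCH 5/5 in favour of tools/android/MASTG-TOOL-0123.md. Squashing the series would avoid landing the wrong URL and a tool ID that is dropped again two commits later.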
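
Review bot: the sentence added to the Overview of MASTG-TEST-0x39-1.md in PATCH 4/5 has a subject-verb mismatch and a comma splice: "however, it allow attackers to have more access to the app and resources than intended". Suggest "Having this flag set to `true` is not considered a vulnerability; however, it allows attackers more access to the app and its resources than intended."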
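
Review bot: the example under "Using @MASTG-TOOL-0123" in techniques/android/MASTG-TECH-0110.md (PATCH 5/5) invokes `aapt d badging`, while @MASTG-TOOL-0123 is titled aapt2 and documents the binary at `[SDK-Path]/build-tools/[version]/aapt2`. The command should call the tool the section names, for example `aapt2 dump badging`. The sample output also ends in `...` without an `application-debuggable` line, which is the one string MASTG-TEST-0x39-1 tells the reader to look for; showing that line for a debuggable APK would make the technique usable for the test on its own. Two wording fixes in the same section: "you can use alternatively use" has a duplicated "use", and "a XML file" should be "an XML file".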
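
Review bot: step 2 of MASTG-TEST-0x39-1.md as rewritten in PATCH 5/5 only explains how to read the result for @MASTG-TOOL-0123 (`application-debuggable`), but @MASTG-TECH-0110 also offers the decoded XML from @MASTG-TOOL-0011, where the thing to check is the `android:debuggable` attribute that the Overview links to. Suggest naming both indicators in the step. The Evaluation ("fails if the debuggable flag is set") should also say "set to `true`" to match the Overview wording introduced in PATCH 4/5.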