Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Port MASTG test 0039 (by @guardsquare) #3042

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Port MASTG test 0039 (by @guardsquare) #3042

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
b454bc3
Port MASTG test 0039
titze Nov 6, 2024
5b427ef
linter
titze Nov 6, 2024
538a5b2
Fix tool link
titze Nov 6, 2024
3dc3478
Update tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md
titze Nov 7, 2024
9cdf4e9
review update
titze Nov 7, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 27 additions & 0 deletions tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-1.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
---
title: Debuggable Flag Not Disabled in the AndroidManifest
platform: android
id: MASTG-TEST-0x39-1
type: [static]
weakness: MASWE-0067
---

## Overview

This test case checks if the application has the debuggable flag set in the AndroidManifest.xml. If this flag is set, an attacker can attach a debugger, and e.g., read and modify internals of the application.
titze marked this conversation as resolved.
Show resolved Hide resolved

!!! note Other ways to debug the application
Not enabling debugging in the AndroidManifest.xml does fully prevent all possibilities to debug the app. See @MASWE-0101 for more details on how to prevent debugging.
Comment on lines +15 to +16
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we know about other ways to debug the app we should shortly note them here.

Do you mean something like the attacker can set this attribute (which would invalidate the signature) and repackage & re-sign and be able to debug the app. I think this is something we could note here.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I meant #3042 (comment) here as well.

The resigning is a good point, not sure we want to open this topic here.


## Steps

1. View the AndroidManifest.xml, e.g., via @MASTG-TOOL-0121.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TOOL-0121 is objdump (ios)

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should use MASTG-TOOL-0123

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But even better, use a technique "Obtaining Information from the AndroidManifest" (or similar title) with 2 sections to

  • get the whole android manifest: can use apktool or jadx/jadx-gui
  • or read properties from it: can use aapt

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Always better to use a tech. from a test rather than a tool.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@TheDauntless I think this overlapped with landing another tool. Fixed.

@cpholguera I split it up into tech and tool.

2. If the output of @MASTG-TOOL-0121 contains `application-debuggable`, the app has the debuggable flag set.

## Observation

The output should contain the contents of the AndroidManifest.xml.

## Evaluation

The test case fails if the debuggable flag is set.
31 changes: 31 additions & 0 deletions tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x39-2.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
---
title: Debugging enabled for WebViews
platform: android
id: MASTG-TEST-0x39-2
type: [static]
weakness: MASWE-0067
---

## Overview

To enable debugging of Webviews, the API `WebView.setWebContentsDebuggingEnabled(true);` can be used to enable WebView debugging (see ["see Android documentation"](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/#configure_webviews_for_debugging)).

Calling this API will enable WebView debugging for **all** of the application's WebViews, independently of the AndroidManifest.xml debuggable flag (See @MASTG-TEST-0x39-1). This allows an attached PC to eavesdrop on, and modify all communication inside WebViews.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does this really apply to all webviews even if it's only called in one instance?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes 🤯

This setting applies to all of the application's WebViews.

https://developer.chrome.com/docs/devtools/remote-debugging/webviews/#configure_webviews_for_debugging

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh wow 😨


!!! note Other ways to debug the application
Disabling WebView debugging does not fully prevent all possibilities to debug the app and the WebViews. See @MASWE-0101 for more details on how to prevent debugging.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if this note will confuse more than help. Let me know what you think:

What are other ways of debugging the webview if it's not using this? Do you mean that the app can be debugged by other means (but not necessarily the webviews). I guess an attacker able to use frida could call that to enable debugging ...

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I meant that setting debuggable=false still allows someone with root to attach a debugger or attach Frida, essentially debugging the app. This is handled in MASWE-101, not 100% it needs a mention here.


## Steps

1. Reverse engineer the app (@MASTG-TECH-0017).
2. Inspect all locations where `WebView.setWebContentsDebuggingEnabled` is called, and check
1. if it is set to true, and
2. if the API call can be executed during runtime.
Comment on lines +21 to +23
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
2. Inspect all locations where `WebView.setWebContentsDebuggingEnabled` is called, and check
1. if it is set to true, and
2. if the API call can be executed during runtime.
2. Obtain all locations where `WebView.setWebContentsDebuggingEnabled` is called and set to `true`.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what's meant by "if the API call can be executed during runtime"?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://developer.chrome.com/docs/devtools/remote-debugging/webviews/#configure_webviews_for_debugging contains a code snippet that ties the API call to the manifest debuggable flag.

What this sentence should mean is that the API call itself is not a problem if it is essentially in dead code. Maybe it still should not be in the app...

if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) {
    if (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE))
    { WebView.setWebContentsDebuggingEnabled(true); }
}

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, got it! Let's see if we should reformulate and/or use this for the evaluation and remediation as well but with more detail mentioning those conditions.


## Observation

The output should contain all locations where `WebView.setWebContentsDebuggingEnabled` can be called with `true` at runtime.

## Evaluation

The test case fails if any locations in the application can be executed ar runtime, where WebView debugging is enabled.
Comment on lines +27 to +31
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same question as above about the "runtime" aspect. Shouldn't we just say that if we found this being true that must be fixed?

3 changes: 3 additions & 0 deletions tests/android/MASVS-RESILIENCE/MASTG-TEST-0039.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,9 @@ platform: android
title: Testing whether the App is Debuggable
masvs_v1_levels:
- R
status: deprecated
covered_by: [MASTG-TEST-0x39-1,MASTG-TEST-0x39-2]
deprecation_note: New version available in MASTG V2
---

## Overview
Expand Down
31 changes: 31 additions & 0 deletions tools/android/MASTG-TOOL-0121.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
---
title: aapt2
platform: android
source: https://developer.android.com/tools/aapt2
---

Android Asset Packaging tool (aapt2) is contained in the @MASTG-TOOL-0006 within the build-tools folder.

It requires an APK file as input and can be used for example to examine the contents of the AndroidManifest file.

The permissions of an APK file can be viewed with:

```bash
$ aapt d permissions app-x86-debug.apk
package: sg.vp.owasp_mobile.omtg_android
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.INTERNET'
```

Viewing all contents of the AndroidManifest can be performed with:

```bash
$ aapt d badging app-x86-debug.apk
package: name='sg.vp.owasp_mobile.omtg_android' versionCode='1' versionName='1.0' compileSdkVersion='34' compileSdkVersionCodename='14'
sdkVersion:'23'
targetSdkVersion:'34'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.INTERNET'
application-label:'OMTG Android'
...
```