OWASP · cpholguera · Jul 3, 2024 · Mar 5, 2024 · May 6, 2024 · Mar 5, 2024
diff --git a/...data-unencrypted-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/MastgTest.kt b/...data-unencrypted-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/MastgTest.kt
@@ -0,0 +1,62 @@
+package org.owasp.mastestapp
+
+import android.content.Context
+import android.util.Log
+import java.io.File
+import java.io.FileOutputStream
+import java.io.IOException
+import android.content.ContentValues
+import android.os.Environment
+import android.provider.MediaStore
+import java.io.OutputStream
+
+class MastgTest (private val context: Context){
+
+    fun mastgTest(): String {
+        mastgTestApi()
+        mastgTestMediaStore()
+        return "SUCCESS!!\n\nFiles have been written with API and MediaStore"
+    }
+
+    fun mastgTestApi() {
+        val externalStorageDir = context.getExternalFilesDir(null)
+        val fileName = File(externalStorageDir, "secret.txt")
+        val fileContent = "secr3tPa$$W0rd\n"
+
+        try {
+            FileOutputStream(fileName).use { output ->
+                output.write(fileContent.toByteArray())
+                Log.d("WriteExternalStorage", "File written to external storage successfully.")
+            }
+        } catch (e: IOException) {
+            Log.e("WriteExternalStorage", "Error writing file to external storage", e)
+        }
+    }
+
+    fun mastgTestMediaStore() {
+        try {
+            val resolver = context.contentResolver
+            var randomNum = (0..100).random().toString()
+            val contentValues = ContentValues().apply {
+                put(MediaStore.MediaColumns.DISPLAY_NAME, "secretFile$randomNum.txt")
+                put(MediaStore.MediaColumns.MIME_TYPE, "text/plain")
+                put(MediaStore.MediaColumns.RELATIVE_PATH, Environment.DIRECTORY_DOWNLOADS)
+            }
+            val textUri = resolver.insert(MediaStore.Downloads.EXTERNAL_CONTENT_URI, contentValues)
+
+            textUri?.let {
+                val outputStream: OutputStream? = resolver.openOutputStream(it)
+                outputStream?.use {
+                    it.write("MAS_API_KEY=8767086b9f6f976g-a8df76\n".toByteArray())
+                    it.flush()
+                }
+                Log.d("MediaStore", "File written to external storage successfully.")
+            } ?: run {
+                Log.e("MediaStore", "Error inserting URI to MediaStore.")
+            }
+        } catch (exception: Exception) {
+            Log.e("MediaStore", "Error writing file to URI from MediaStore", exception)
+        }
+    }
+}
+
diff --git a/...unencrypted-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/demo.md b/...unencrypted-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/demo.md
@@ -0,0 +1,42 @@
+---
+platform: android
+title: File System Snapshots from External Storage 
+tools: [adb]
+code: [kotlin]
+---
+
+### Sample
+
+The snippet below shows sample code that creates two files in the external storage using the `getExternalFilesDir` method and the `MediaStore` API.
+
+{{ MastgTest.kt }}
+
+### Steps
+
+1. Install an app on your device.
+2. Execute `run_before.sh`.
+3. Open an app and exercise it to trigger file creations.
+4. Execute `run_after.sh`.
+5. Close the app once you finish testing.
+
+{{ run_before.sh # run_after.sh }}
+
+### Observation
+
+There is a list of all created files inside `output.txt`.
+
+{{ output.txt }}
+
+Their content is inside the `./new_files/` directory and contains:
+
+A password:
+
+{{ new_files/secret.txt }}
+
+And an API key:
+
+{{ new_files/secretFile75.txt }}
+
+### Evaluation
+
+This test fails because the files are not encrypted and contain sensitive data (a password and an API key). You can further confirm this by reverse engineering the app and inspecting the code.
diff --git a/...ncrypted-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/new_files/secret.txt b/...ncrypted-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/new_files/secret.txt
@@ -0,0 +1 @@
+secr3tPa$$W0rd
diff --git a/...ed-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/new_files/secretFile75.txt b/...ed-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/new_files/secretFile75.txt
@@ -0,0 +1 @@
+MAS_API_KEY=8767086b9f6f976g-a8df76
diff --git a/...d-data-unencrypted-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/output.txt b/...d-data-unencrypted-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/output.txt
@@ -0,0 +1,2 @@
+/sdcard/Android/data/org.owasp.mastestapp/files/secret.txt
+/sdcard/Download/secretFile75.txt
diff --git a/...data-unencrypted-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/run_after.sh b/...data-unencrypted-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/run_after.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# SUMMARY: List all files created after the creation date of a file created in run_before
+
+adb shell "find /sdcard/ -type f -newer /data/local/tmp/test_start" > output.txt
+adb shell "rm /data/local/tmp/test_start"
+mkdir -p new_files
+while read -r line; do
+  adb pull "$line" ./new_files/
+done < output.txt
diff --git a/...ata-unencrypted-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/run_before.sh b/...ata-unencrypted-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/run_before.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# SUMMARY: This script creates a dummy file to mark a timestamp that we can use later
+# on to identify files created during the app exercising
+
+adb shell "touch /data/local/tmp/test_start"
diff --git a/...d-data-unencrypted-shared-storage-no-user-interaction-dynamic-file-diff/test.md b/...d-data-unencrypted-shared-storage-no-user-interaction-dynamic-file-diff/test.md
@@ -0,0 +1,28 @@
+---
+platform: android
+title: Files Written to External Storage
+type: [dynamic]
+---
+
+## Overview
+
+The goal of this test is to retrieve the files written to the external storage and inspect them regardless of the APIs used to write them. It uses a simple approach based on [file retrieval from the device storage](/MASTG/techniques/android/MASTG-TECH-0002) before and after the app is exercised to identify the files created during the app's execution and to check if they contain sensitive data.
+
+## Steps
+
+1. Make sure you have [adb](/MASTG/tools/android/MASTG-TOOL-0004) installed.
+2. [Install the app](/MASTG/techniques/android/MASTG-TECH-0005).
+3. Before running the app, [get the current list of files](/MASTG/techniques/android/MASTG-TECH-0002) in the external storage.
+4. Exercise the app.
+5. After running the app, retrieve the list of files in the external storage again.
+6. Calculate the difference between the two lists.
+
+## Observation
+
+The output should contain a list of files that were created on the external storage during the app's execution.
+
+## Evaluation
+
+The test case fails if the files found above are not encrypted and leak sensitive data.
+
+To confirm this, you can [reverse engineer the app](/MASTG/techniques/android/MASTG-TECH-0017) and [inspect the code](/MASTG/techniques/android/MASTG-TECH-0023).
diff --git a/...oid-data-unencrypted-shared-storage-no-user-interaction-dynamic-frida/demo-1/MastgTest.kt b/...oid-data-unencrypted-shared-storage-no-user-interaction-dynamic-frida/demo-1/MastgTest.kt
@@ -0,0 +1,61 @@
+package org.owasp.mastestapp
+
+import android.content.Context
+import android.util.Log
+import java.io.File
+import java.io.FileOutputStream
+import java.io.IOException
+import android.content.ContentValues
+import android.os.Environment
+import android.provider.MediaStore
+import java.io.OutputStream
+
+class MastgTest (private val context: Context){
+
+    fun mastgTest(): String {
+        mastgTestApi()
+        mastgTestMediaStore()
+        return "SUCCESS!!\n\nFiles have been written with API and MediaStore"
+    }
+    fun mastgTestApi() {
+        val externalStorageDir = context.getExternalFilesDir(null)
+        val fileName = File(externalStorageDir, "secret.txt")
+        val fileContent = "secr3tPa$$W0rd\n"
+
+        try {
+            FileOutputStream(fileName).use { output ->
+                output.write(fileContent.toByteArray())
+                Log.d("WriteExternalStorage", "File written to external storage successfully.")
+            }
+        } catch (e: IOException) {
+            Log.e("WriteExternalStorage", "Error writing file to external storage", e)
+        }
+    }
+
+    fun mastgTestMediaStore() {
+        try {
+            val resolver = context.contentResolver
+            var randomNum = (0..100).random().toString()
+            val contentValues = ContentValues().apply {
+                put(MediaStore.MediaColumns.DISPLAY_NAME, "secretFile$randomNum.txt")
+                put(MediaStore.MediaColumns.MIME_TYPE, "text/plain")
+                put(MediaStore.MediaColumns.RELATIVE_PATH, Environment.DIRECTORY_DOWNLOADS)
+            }
+            val textUri = resolver.insert(MediaStore.Downloads.EXTERNAL_CONTENT_URI, contentValues)
+
+            textUri?.let {
+                val outputStream: OutputStream? = resolver.openOutputStream(it)
+                outputStream?.use {
+                    it.write("MAS_API_KEY=8767086b9f6f976g-a8df76\n".toByteArray())
+                    it.flush()
+                }
+                Log.d("MediaStore", "File written to external storage successfully.")
+            } ?: run {
+                Log.e("MediaStore", "Error inserting URI to MediaStore.")
+            }
+        } catch (exception: Exception) {
+            Log.e("MediaStore", "Error writing file to URI from MediaStore", exception)
+        }
+    }
+}
+
diff --git a/...ata-unencrypted-shared-storage-no-user-interaction-dynamic-frida/demo-1/demo.md b/...ata-unencrypted-shared-storage-no-user-interaction-dynamic-frida/demo-1/demo.md
@@ -0,0 +1,43 @@
+---
+platform: android
+title: External Storage APIs Tracing with Frida
+tools: [frida]
+code: [kotlin]
+---
+
+### Sample
+
+The snippet below shows sample code that creates two files in the external storage using the `getExternalFilesDir` method and the `MediaStore` API.
+
+{{ MastgTest.kt }}
+
+### Steps
+
+1. Ensure the app is running on the target device.
+2. Execute `run.sh`.
+3. Close the app once you finish testing.
+
+The `run.sh` script will inject a Frida script called `script.js`.
+
+{{ run.sh }}
+
+The Frida script will hook and log calls to `open` and `android.content.ContentResolver.insert`.
+
+{{ script.js }}
+
+### Observation
+
+In the output you can see the paths and the relevant stack trace which helps to identify the actual APIs used to write to external storage and their respective callers.
+
+{{ output.txt }}
+
+There are two files written to the external storage:
+
+- `/storage/emulated/0/Android/data/org.owasp.mastestapp/files/secret.txt` written using `java.io.FileOutputStream` from `org.owasp.mastestapp.MastgTest.mastgTestApi(MastgTest.kt:26)`
+- `content://media/external/downloads/27` written using `android.content.ContentResolver.insert` from `org.owasp.mastestapp.MastgTest.mastgTestMediaStore(MastgTest.kt:44)`
+
+Note that the calls via `ContentResolver.insert` do not write directly to the file system, but to the `MediaStore` content provider, and therefore we can't see the actual file path, instead we see the `content://` URI.
+
+### Evaluation
+
+This test fails because the files are not encrypted and contain sensitive data (a password and an API key). You can further confirm this by reverse engineering the app and inspecting the code as well as retrieving the files from the device.