From f3ed9cb76b43c1844ebf358c7066d2623e78aef6 Mon Sep 17 00:00:00 2001
From: Thomas Cannon
Date: Tue, 1 Oct 2024 11:22:01 +0100
Subject: [PATCH 1/2] Initial draft
---
 .../AndroidManifest_reversed.xml | 31 ++++++++++++++++
 .../MASTG-DEMO-9999/MASTG-DEMO-9999.md | 35 +++++++++++++++++++
 .../MASVS-CODE/MASTG-DEMO-9999/output.txt | 11 ++++++
 .../android/MASVS-CODE/MASTG-DEMO-9999/run.sh | 1 +
 rules/mastg-android-minsdkversion.yml | 12 +++++++
 .../android/MASVS-CODE/MASTG-TEST-9999.md | 23 ++++++++++++
 tests-beta/ios/MASVS-CODE/MASTG-TEST-8888.md | 23 ++++++++++++
 weaknesses/MASVS-CODE/MASWE-0077.md | 21 +++++++++++
 8 files changed, 157 insertions(+)
 create mode 100644 demos/android/MASVS-CODE/MASTG-DEMO-9999/AndroidManifest_reversed.xml
 create mode 100644 demos/android/MASVS-CODE/MASTG-DEMO-9999/MASTG-DEMO-9999.md
 create mode 100644 demos/android/MASVS-CODE/MASTG-DEMO-9999/output.txt
 create mode 100755 demos/android/MASVS-CODE/MASTG-DEMO-9999/run.sh
 create mode 100644 rules/mastg-android-minsdkversion.yml
 create mode 100644 tests-beta/android/MASVS-CODE/MASTG-TEST-9999.md
 create mode 100644 tests-beta/ios/MASVS-CODE/MASTG-TEST-8888.md
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-9999/AndroidManifest_reversed.xml b/demos/android/MASVS-CODE/MASTG-DEMO-9999/AndroidManifest_reversed.xml
new file mode 100644
index 0000000000..1f0a69035a
--- /dev/null
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-9999/AndroidManifest_reversed.xml
@@ -0,0 +1,31 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-9999/MASTG-DEMO-9999.md b/demos/android/MASVS-CODE/MASTG-DEMO-9999/MASTG-DEMO-9999.md
new file mode 100644
index 0000000000..fc73b0d99c
--- /dev/null
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-9999/MASTG-DEMO-9999.md
@@ -0,0 +1,35 @@
+---
+platform: android
+title: Common Uses of Insecure Random APIs
+id: MASTG-DEMO-0007
+code: [java]
+test: MASTG-TEST-0204
+---
+
+### Sample
+
+{{ MastgTest.kt # MastgTest_reversed.java }}
+
+### Steps
+
+Let's run our @MASTG-TOOL-0110 rule against the sample code.
+
+{{ ../../../../rules/mastg-android-insecure-random-use.yml }}
+
+{{ run.sh }}
+
+### Observation
+
+The rule has identified five instances in the code file where an insecure random number generator is used. The specified line numbers can be located in the original code for further investigation and remediation.
+
+{{ output.txt }}
+
+### Evaluation
+
+Review each of the reported instances.
+
+- Line 12 seems to be used to generate random numbers for security purposes, in this case for generating authentication tokens.
+- Line 17 is part of the function `get_random`. Review any calls to this function to ensure that the random number is not used in a security-relevant context.
+- Line 27 is part of the password generation function which is a security-critical operation.
+
+Note that line 37 did not trigger the rule because the random number is generated using `SecureRandom` which is a secure random number generator.
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-9999/output.txt b/demos/android/MASVS-CODE/MASTG-DEMO-9999/output.txt
new file mode 100644
index 0000000000..b4cf931de3
--- /dev/null
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-9999/output.txt
@@ -0,0 +1,11 @@
+
+
+┌────────────────┐
+│ 1 Code Finding │
+└────────────────┘
+
+ AndroidManifest_reversed.xml
+ rules.mastg-android-minsdkversion
+ [MASVS-CODE] Ensure app only runs on a recent version of Android
+
+ 2┆
\ No newline at end of file
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-9999/run.sh b/demos/android/MASVS-CODE/MASTG-DEMO-9999/run.sh
new file mode 100755
index 0000000000..26a3a7a914
--- /dev/null
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-9999/run.sh
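Review bot: The frontmatter and body of MASTG-DEMO-9999.md still describe the insecure-random demo this file was copied from, not the minSdkVersion demo the other files in this commit implement: `id: MASTG-DEMO-0007`, `test: MASTG-TEST-0204` and `code: [java]`, the title "Common Uses of Insecure Random APIs", the `{{ MastgTest.kt # MastgTest_reversed.java }}` sample, and the `{{ ../../../../rules/mastg-android-insecure-random-use.yml }}` include, whereas run.sh runs the minsdkversion rule against `AndroidManifest_reversed.xml` and output.txt reports a single finding at line 2 of that manifest. The Observation and Evaluation sections (five findings, lines 12/17/27/37, `SecureRandom`) therefore do not correspond to the committed output. The frontmatter should at least become `id: MASTG-DEMO-9999` and `test: MASTG-TEST-9999`, with the sample include pointing at the manifest files, the rule include changed to `{{ ../../../../rules/mastg-android-minsdkversion.yml }}`, and the prose rewritten around the one reported `minSdkVersion` finding.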
@@ -0,0 +1 @@
+NO_COLOR=true semgrep -c ../../../../rules/mastg-android-minSdkVersion.yml ./AndroidManifest_reversed.xml --text -o output.txt
\ No newline at end of file
diff --git a/rules/mastg-android-minsdkversion.yml b/rules/mastg-android-minsdkversion.yml
new file mode 100644
index 0000000000..e6b57e7ceb
--- /dev/null
+++ b/rules/mastg-android-minsdkversion.yml
@@ -0,0 +1,12 @@
+rules:
+ - id: mastg-android-minsdkversion
+ severity: WARNING
+ languages:
+ - xml
+ metadata:
+ summary: This rule checks the value of minSdkVersion is set and is not lower than 30
+ message: "[MASVS-CODE] Ensure app only runs on a recent version of Android"
+ patterns:
+ - pattern:
+ - metavariable-comparison:
+ comparison: int($X)<30
diff --git a/tests-beta/android/MASVS-CODE/MASTG-TEST-9999.md b/tests-beta/android/MASVS-CODE/MASTG-TEST-9999.md
new file mode 100644
index 0000000000..715fc0298f
--- /dev/null
+++ b/tests-beta/android/MASVS-CODE/MASTG-TEST-9999.md
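Review bot: The `-c` path in run.sh names `mastg-android-minSdkVersion.yml`, but the rule file added in this same patch is `rules/mastg-android-minsdkversion.yml` (all lowercase); on a case-sensitive filesystem, which is what CI and Linux hosts use, semgrep will not find the config and the committed output.txt cannot be regenerated with this command. It presumably worked locally on a case-insensitive filesystem. Change the line to `NO_COLOR=true semgrep -c ../../../../rules/mastg-android-minsdkversion.yml ./AndroidManifest_reversed.xml --text -o output.txt`.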
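Review bot: The rule can only report a `minSdkVersion` that is present and satisfies `int($X)<30`; a manifest with no `android:minSdkVersion` attribute, or no `uses-sdk` element at all, yields no finding, even though the `summary` says the rule checks that the value "is set" and MASTG-TEST-9999 in this patch marks the test as failed when the attribute does not exist. Either drop "is set" from the summary, e.g. `summary: This rule checks that a declared minSdkVersion is not lower than 30`, or state in the demo that absence of the attribute has to be checked by reading the manifest directly. The text of the `pattern` entry is not visible in this rendering of the patch, so I cannot confirm that `$X` binds to the attribute value that `int($X)` compares; please check that a quoted attribute value is converted as intended and that the threshold 30 stays in sync with the message and the test documents.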
@@ -0,0 +1,23 @@
+---
+platform: android
+title: Not Ensuring Recent Platform Version
+id: MASTG-TEST-9999
+type: [static]
+weakness: MASWE-0077
+---
+
+## Overview
+
+This test verifies whether your app ensures it is running on a recent version of Android by checking the value of `minSdkVersion` within `AndroidManifest.xml`. For the purposes of this test the value is checked to see if it is less than API level 30 (Android 11, released 2020). However, you should ensure you are using a value that is appropriate for the app being tested and balance between current market share of an API and security. If you are the app's developer the Play console has metrics specific to an app's user distribution but you can also find general metrics at [ApiLevels.com](https://apilevels.com/)
+
+## Steps
+
+Use `grep` to search the `AndroidManifest.xml` for `android:minSdkVersion` (@MASTG-TECH-0014).
+
+## Observation
+
+The output should contain the line of the manifest that defines the `minSdkVersion`.
+
+## Evaluation
+
+The test case fails if `minSdkVersion` does not exist or the value is less than 30.
diff --git a/tests-beta/ios/MASVS-CODE/MASTG-TEST-8888.md b/tests-beta/ios/MASVS-CODE/MASTG-TEST-8888.md
new file mode 100644
index 0000000000..6afcd6b259
--- /dev/null
+++ b/tests-beta/ios/MASVS-CODE/MASTG-TEST-8888.md
@@ -0,0 +1,23 @@
+---
+platform: iOS
+title: Not Ensuring Recent OS Version
+id: MASTG-TEST-8888
+type: [static]
+weakness: MASWE-0077
+---
+
+## Overview
+
+This test verifies whether your app ensures it is running on a recent version of iOS by checking the value of `MinimumOSVersion` within `Info.plist`. For the purposes of this test the value is checked to see if it is less than 15. However, you should ensure you are using a value that is appropriate for the app being tested and balance between current market share of the iOS version and security.
+
+## Steps
+
+Use `grep` to search the `Info.plist` for `MinimumOSVersion` (@MASTG-TECH-0058).
+
+## Observation
+
+The output should contain the line of the plist file that defines the `MinimumOSVersion`.
+
+## Evaluation
+
+The test case fails if the `MinimumOSVersion` value is less than 15.
diff --git a/weaknesses/MASVS-CODE/MASWE-0077.md b/weaknesses/MASVS-CODE/MASWE-0077.md
index 59d55a2fa5..a3a2d52eac 100644
--- a/weaknesses/MASVS-CODE/MASWE-0077.md
+++ b/weaknesses/MASVS-CODE/MASWE-0077.md
@@ -7,6 +7,9 @@ profiles: [L2]
 mappings:
 masvs-v2: [MASVS-CODE-1]
+refs:
+- https://developer.android.com/guide/topics/manifest/uses-sdk-element
+- https://developer.apple.com/documentation/bundleresources/information_property_list/minimumosversion
 draft:
 description: e.g. via minSdkVersion on Android and MinimumOSVersion on iOS. with this we Ensure services/components availability (MASVS-STORAGE-1), also the NSC/ATS
@@ -18,3 +21,21 @@ status: draft
 ---
+## Overview
+
+Every release of the mobile OS includes security patches and new security features. By supporting older versions, apps stay vulnerable to well-known threats. This control ensures that the app is running on an up-to-date platform version that has patches and security features available which in turn provides the app with a better level of protection.
+
+## Impact
+
+The impact depends on the platform, minimum version and the security issues present in that version. For example on Android before API Level 17 Content Providers may be exported by default if the exported attribute is omitted from their definition in the manifest and JavaScriptInterfaces could be abused to call methods from arbitrary Java classes using reflection.
+
+## Modes of Introduction
+
+- **Android:** The value of the `minSdkVersion` attribute in the `` element within the `AndroidManifest.xml` file.
+- **iOS:** The value of the `MinimumOSVersion` attribute in the `Info.plist` file.
+
+## Mitigations
+
+- **Android:** Update the value of the `minSdkVersion` attribute in the `` element within the `AndroidManifest.xml` file.
+- **Android:** On Android if the `targetSdkVersion` is recent and the app is running on a recent version of Android the issue is also mitigated for that specific installation.
+- **iOS:** Update value of the `MinimumOSVersion` via the iOS Deployment Target setting of the project in Xcode.
From 74987d65d4a6bf638c50ed89377d55f0fbe1b138 Mon Sep 17 00:00:00 2001
From: Thomas Cannon
Date: Tue, 1 Oct 2024 11:30:47 +0100
Subject: [PATCH 2/2] Add missing manifest and test file
---
 .../MASTG-DEMO-9999/AndroidManifest.xml | 29 +++++++++++++++
 .../MASVS-CODE/MASTG-DEMO-9999/MastgTest.kt | 15 ++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 demos/android/MASVS-CODE/MASTG-DEMO-9999/AndroidManifest.xml
 create mode 100644 demos/android/MASVS-CODE/MASTG-DEMO-9999/MastgTest.kt
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-9999/AndroidManifest.xml b/demos/android/MASVS-CODE/MASTG-DEMO-9999/AndroidManifest.xml
new file mode 100644
index 0000000000..9e9b31c946
--- /dev/null
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-9999/AndroidManifest.xml
@@ -0,0 +1,29 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-9999/MastgTest.kt b/demos/android/MASVS-CODE/MASTG-DEMO-9999/MastgTest.kt
new file mode 100644
index 0000000000..6a356ae6d7
--- /dev/null
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-9999/MastgTest.kt
@@ -0,0 +1,15 @@
+package org.owasp.mastestapp
+
+import android.util.Log
+import android.content.Context
+
+class MastgTest (private val context: Context){
+
+ fun mastgTest(): String {
+ val sensitiveString = "Hello from the OWASP MASTG Test app."
+
+ Log.d("MASTG-TEST", sensitiveString)
+ return sensitiveString
+ }
+
+}
\ No newline at end of file
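Review bot: MastgTest.kt has no relation to the minSdkVersion check this demo documents: `Log.d("MASTG-TEST", sensitiveString)` writes a value named as sensitive to logcat, the `context` constructor parameter is never read, and the demo page's `{{ MastgTest.kt # MastgTest_reversed.java }}` include expects a reversed Java file that neither commit adds. If the class exists only to satisfy the demo-app template, a header comment such as `// Placeholder for the MASTG demo app template; the artifact under test in this demo is AndroidManifest.xml` would tell readers not to look for the sample here, and the sample include in MASTG-DEMO-9999.md should point at the manifest files instead. Style-wise, `class MastgTest (private val context: Context){` should be `class MastgTest(private val context: Context) {`, and the file lacks a trailing newline.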