[MASWE-0077] Running on a recent Platform Version Not Ensured

demos/android/MASVS-CODE/MASTG-DEMO-9999/AndroidManifest.xml

@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:tools="http://schemas.android.com/tools">
+
+    <uses-permission android:name="android.permission.INTERNET" />
+
+    <application
+        android:allowBackup="true"
+        android:dataExtractionRules="@xml/data_extraction_rules"
+        android:fullBackupContent="@xml/backup_rules"
+        android:icon="@mipmap/ic_launcher"
+        android:label="@string/app_name"
+        android:roundIcon="@mipmap/ic_launcher_round"
+        android:supportsRtl="true"
+        android:theme="@style/Theme.MASTestApp"
+        tools:targetApi="31">
+        <activity
+            android:name=".MainActivity"
+            android:exported="true"
+            android:theme="@style/Theme.MASTestApp">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+    </application>
+
+</manifest>

demos/android/MASVS-CODE/MASTG-DEMO-9999/AndroidManifest_reversed.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8" standalone="no"?><manifest xmlns:android="http://schemas.android.com/apk/res/android" android:compileSdkVersion="34" android:compileSdkVersionCodename="14" package="org.owasp.mastestapp" platformBuildVersionCode="34" platformBuildVersionName="14">
+    <application android:allowBackup="true" android:appComponentFactory="androidx.core.app.CoreComponentFactory" android:dataExtractionRules="@xml/data_extraction_rules" android:debuggable="true" android:extractNativeLibs="false" android:fullBackupContent="@xml/backup_rules" android:icon="@mipmap/ic_launcher" android:label="@string/app_name" android:roundIcon="@mipmap/ic_launcher_round" android:supportsRtl="true" android:testOnly="true" android:theme="@style/Theme.MASTestApp">
+        <activity android:exported="true" android:name="org.owasp.mastestapp.MainActivity" android:theme="@style/Theme.MASTestApp">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN"/>
+                <category android:name="android.intent.category.LAUNCHER"/>
+            </intent-filter>
+        </activity>
+        <activity android:exported="true" android:name="androidx.compose.ui.tooling.PreviewActivity"/>
+        <activity android:exported="true" android:name="androidx.activity.ComponentActivity"/>
+        <provider android:authorities="org.owasp.mastestapp.androidx-startup" android:exported="false" android:name="androidx.startup.InitializationProvider">
+            <meta-data android:name="androidx.emoji2.text.EmojiCompatInitializer" android:value="androidx.startup"/>
+            <meta-data android:name="androidx.lifecycle.ProcessLifecycleInitializer" android:value="androidx.startup"/>
+            <meta-data android:name="androidx.profileinstaller.ProfileInstallerInitializer" android:value="androidx.startup"/>
+        </provider>
+        <receiver android:directBootAware="false" android:enabled="true" android:exported="true" android:name="androidx.profileinstaller.ProfileInstallReceiver" android:permission="android.permission.DUMP">
+            <intent-filter>
+                <action android:name="androidx.profileinstaller.action.INSTALL_PROFILE"/>
+            </intent-filter>
+            <intent-filter>
+                <action android:name="androidx.profileinstaller.action.SKIP_FILE"/>
+            </intent-filter>
+            <intent-filter>
+                <action android:name="androidx.profileinstaller.action.SAVE_PROFILE"/>
+            </intent-filter>
+            <intent-filter>
+                <action android:name="androidx.profileinstaller.action.BENCHMARK_OPERATION"/>
+            </intent-filter>
+        </receiver>
+    </application>
+</manifest>

demos/android/MASVS-CODE/MASTG-DEMO-9999/MASTG-DEMO-9999.md

@@ -0,0 +1,35 @@
+---
+platform: android
+title: Common Uses of Insecure Random APIs
+id: MASTG-DEMO-0007
+code: [java]
+test: MASTG-TEST-0204
+---
+
+### Sample
+
+{{ MastgTest.kt # MastgTest_reversed.java }}
+
+### Steps
+
+Let's run our @MASTG-TOOL-0110 rule against the sample code.
+
+{{ ../../../../rules/mastg-android-insecure-random-use.yml }}
+
+{{ run.sh }}
+
+### Observation
+
+The rule has identified five instances in the code file where an insecure random number generator is used. The specified line numbers can be located in the original code for further investigation and remediation.
+
+{{ output.txt }}
+
+### Evaluation
+
+Review each of the reported instances.
+
+- Line 12 seems to be used to generate random numbers for security purposes, in this case for generating authentication tokens.
+- Line 17 is part of the function `get_random`. Review any calls to this function to ensure that the random number is not used in a security-relevant context.
+- Line 27 is part of the password generation function which is a security-critical operation.
+
+Note that line 37 did not trigger the rule because the random number is generated using `SecureRandom` which is a secure random number generator.

demos/android/MASVS-CODE/MASTG-DEMO-9999/MastgTest.kt

@@ -0,0 +1,15 @@
+package org.owasp.mastestapp
+
+import android.util.Log
+import android.content.Context
+
+class MastgTest (private val context: Context){
+
+    fun mastgTest(): String {
+        val sensitiveString = "Hello from the OWASP MASTG Test app."
+
+        Log.d("MASTG-TEST", sensitiveString)
+        return sensitiveString
+    }
+
+}

demos/android/MASVS-CODE/MASTG-DEMO-9999/output.txt

@@ -0,0 +1,11 @@
+
+
+┌────────────────┐
+│ 1 Code Finding │
+└────────────────┘
+
+    AndroidManifest_reversed.xml 
+       rules.mastg-android-minsdkversion
+          [MASVS-CODE] Ensure app only runs on a recent version of Android
+
+            2┆ <?xml version="1.0" encoding="utf-8" standalone="no"?><manifest xmlns:android="http://schemas.android.com/apk/res/android" android:compileSdkVersion="34" android:compileSdkVersionCodename="14" package="org.owasp.mastestapp" platformBuildVersionCode="34" platformBuildVersionName="14">

demos/android/MASVS-CODE/MASTG-DEMO-9999/run.sh

@@ -0,0 +1 @@
+NO_COLOR=true semgrep -c ../../../../rules/mastg-android-minSdkVersion.yml ./AndroidManifest_reversed.xml --text -o output.txt

rules/mastg-android-minsdkversion.yml

@@ -0,0 +1,12 @@
+rules:
+  - id: mastg-android-minsdkversion
+    severity: WARNING
+    languages:
+      - xml
+    metadata:
+      summary: This rule checks the value of minSdkVersion is set and is not lower than 30
+    message: "[MASVS-CODE] Ensure app only runs on a recent version of Android"
+    patterns:
+      - pattern: <uses-sdk android:minSdkVersion="$X" />
+      - metavariable-comparison:
+          comparison: int($X)<30

tests-beta/android/MASVS-CODE/MASTG-TEST-9999.md

@@ -0,0 +1,23 @@
+---
+platform: android
+title: Not Ensuring Recent Platform Version
+id: MASTG-TEST-9999
+type: [static]
+weakness: MASWE-0077
+---
+
+## Overview
+
+This test verifies whether your app ensures it is running on a recent version of Android by checking the value of `minSdkVersion` within `AndroidManifest.xml`. For the purposes of this test the value is checked to see if it is less than API level 30 (Android 11, released 2020). However, you should ensure you are using a value that is appropriate for the app being tested and balance between current market share of an API and security. If you are the app's developer the Play console has metrics specific to an app's user distribution but you can also find general metrics at [ApiLevels.com](https://apilevels.com/)
+
+## Steps
+
+Use `grep` to search the `AndroidManifest.xml` for `android:minSdkVersion`  (@MASTG-TECH-0014).
+
+## Observation
+
+The output should contain the line of the manifest that defines the `minSdkVersion`.
+
+## Evaluation
+
+The test case fails if `minSdkVersion` does not exist or the value is less than 30.

tests-beta/ios/MASVS-CODE/MASTG-TEST-8888.md

@@ -0,0 +1,23 @@
+---
+platform: iOS
+title: Not Ensuring Recent OS Version
+id: MASTG-TEST-8888
+type: [static]
+weakness: MASWE-0077
+---
+
+## Overview
+
+This test verifies whether your app ensures it is running on a recent version of iOS by checking the value of `MinimumOSVersion` within `Info.plist`. For the purposes of this test the value is checked to see if it is less than 15. However, you should ensure you are using a value that is appropriate for the app being tested and balance between current market share of the iOS version and security.
+
+## Steps
+
+Use `grep` to search the `Info.plist` for `MinimumOSVersion`  (@MASTG-TECH-0058).
+
+## Observation
+
+The output should contain the line of the plist file that defines the `MinimumOSVersion`.
+
+## Evaluation
+
+The test case fails if the `MinimumOSVersion` value is less than 15.

weaknesses/MASVS-CODE/MASWE-0077.md

@@ -7,6 +7,9 @@ profiles: [L2]
 mappings:
   masvs-v2: [MASVS-CODE-1]
 
+refs:
+- https://developer.android.com/guide/topics/manifest/uses-sdk-element
+- https://developer.apple.com/documentation/bundleresources/information_property_list/minimumosversion
 draft:
   description: e.g. via minSdkVersion on Android and MinimumOSVersion on iOS. with
     this we Ensure services/components availability (MASVS-STORAGE-1), also the NSC/ATS
@@ -18,3 +21,21 @@ status: draft
 
 ---
 
+## Overview
+
+Every release of the mobile OS includes security patches and new security features. By supporting older versions, apps stay vulnerable to well-known threats. This control ensures that the app is running on an up-to-date platform version that has patches and security features available which in turn provides the app with a better level of protection.
+
+## Impact
+
+The impact depends on the platform, minimum version and the security issues present in that version. For example on Android before API Level 17 Content Providers may be exported by default if the exported attribute is omitted from their definition in the manifest and JavaScriptInterfaces could be abused to call methods from arbitrary Java classes using reflection.
+
+## Modes of Introduction
+
+- **Android:** The value of the `minSdkVersion` attribute in the `<uses-sdk>` element within the `AndroidManifest.xml` file.
+- **iOS:** The value of the `MinimumOSVersion` attribute in the `Info.plist` file.
+
+## Mitigations
+
+- **Android:** Update the value of the `minSdkVersion` attribute in the `<uses-sdk>` element within the `AndroidManifest.xml` file.
+- **Android:** On Android if the `targetSdkVersion` is recent and the app is running on a recent version of Android the issue is also mitigated for that specific installation.
+- **iOS:** Update value of the `MinimumOSVersion` via the iOS Deployment Target setting of the project in Xcode.