-
-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[MASWE-0077] Running on a recent Platform Version Not Ensured #2904
Draft
thomascannon
wants to merge
2
commits into
OWASP:master
Choose a base branch
from
thomascannon:issue2747
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Draft
Changes from all commits
Commits
Show all changes
2 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
29 changes: 29 additions & 0 deletions
29
demos/android/MASVS-CODE/MASTG-DEMO-9999/AndroidManifest.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
<?xml version="1.0" encoding="utf-8"?> | ||
<manifest xmlns:android="http://schemas.android.com/apk/res/android" | ||
xmlns:tools="http://schemas.android.com/tools"> | ||
|
||
<uses-permission android:name="android.permission.INTERNET" /> | ||
|
||
<application | ||
android:allowBackup="true" | ||
android:dataExtractionRules="@xml/data_extraction_rules" | ||
android:fullBackupContent="@xml/backup_rules" | ||
android:icon="@mipmap/ic_launcher" | ||
android:label="@string/app_name" | ||
android:roundIcon="@mipmap/ic_launcher_round" | ||
android:supportsRtl="true" | ||
android:theme="@style/Theme.MASTestApp" | ||
tools:targetApi="31"> | ||
<activity | ||
android:name=".MainActivity" | ||
android:exported="true" | ||
android:theme="@style/Theme.MASTestApp"> | ||
<intent-filter> | ||
<action android:name="android.intent.action.MAIN" /> | ||
|
||
<category android:name="android.intent.category.LAUNCHER" /> | ||
</intent-filter> | ||
</activity> | ||
</application> | ||
|
||
</manifest> |
31 changes: 31 additions & 0 deletions
31
demos/android/MASVS-CODE/MASTG-DEMO-9999/AndroidManifest_reversed.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
<?xml version="1.0" encoding="utf-8" standalone="no"?><manifest xmlns:android="http://schemas.android.com/apk/res/android" android:compileSdkVersion="34" android:compileSdkVersionCodename="14" package="org.owasp.mastestapp" platformBuildVersionCode="34" platformBuildVersionName="14"> | ||
<application android:allowBackup="true" android:appComponentFactory="androidx.core.app.CoreComponentFactory" android:dataExtractionRules="@xml/data_extraction_rules" android:debuggable="true" android:extractNativeLibs="false" android:fullBackupContent="@xml/backup_rules" android:icon="@mipmap/ic_launcher" android:label="@string/app_name" android:roundIcon="@mipmap/ic_launcher_round" android:supportsRtl="true" android:testOnly="true" android:theme="@style/Theme.MASTestApp"> | ||
<activity android:exported="true" android:name="org.owasp.mastestapp.MainActivity" android:theme="@style/Theme.MASTestApp"> | ||
<intent-filter> | ||
<action android:name="android.intent.action.MAIN"/> | ||
<category android:name="android.intent.category.LAUNCHER"/> | ||
</intent-filter> | ||
</activity> | ||
<activity android:exported="true" android:name="androidx.compose.ui.tooling.PreviewActivity"/> | ||
<activity android:exported="true" android:name="androidx.activity.ComponentActivity"/> | ||
<provider android:authorities="org.owasp.mastestapp.androidx-startup" android:exported="false" android:name="androidx.startup.InitializationProvider"> | ||
<meta-data android:name="androidx.emoji2.text.EmojiCompatInitializer" android:value="androidx.startup"/> | ||
<meta-data android:name="androidx.lifecycle.ProcessLifecycleInitializer" android:value="androidx.startup"/> | ||
<meta-data android:name="androidx.profileinstaller.ProfileInstallerInitializer" android:value="androidx.startup"/> | ||
</provider> | ||
<receiver android:directBootAware="false" android:enabled="true" android:exported="true" android:name="androidx.profileinstaller.ProfileInstallReceiver" android:permission="android.permission.DUMP"> | ||
<intent-filter> | ||
<action android:name="androidx.profileinstaller.action.INSTALL_PROFILE"/> | ||
</intent-filter> | ||
<intent-filter> | ||
<action android:name="androidx.profileinstaller.action.SKIP_FILE"/> | ||
</intent-filter> | ||
<intent-filter> | ||
<action android:name="androidx.profileinstaller.action.SAVE_PROFILE"/> | ||
</intent-filter> | ||
<intent-filter> | ||
<action android:name="androidx.profileinstaller.action.BENCHMARK_OPERATION"/> | ||
</intent-filter> | ||
</receiver> | ||
</application> | ||
</manifest> |
35 changes: 35 additions & 0 deletions
35
demos/android/MASVS-CODE/MASTG-DEMO-9999/MASTG-DEMO-9999.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
--- | ||
platform: android | ||
title: Common Uses of Insecure Random APIs | ||
id: MASTG-DEMO-0007 | ||
code: [java] | ||
test: MASTG-TEST-0204 | ||
--- | ||
|
||
### Sample | ||
|
||
{{ MastgTest.kt # MastgTest_reversed.java }} | ||
|
||
### Steps | ||
|
||
Let's run our @MASTG-TOOL-0110 rule against the sample code. | ||
|
||
{{ ../../../../rules/mastg-android-insecure-random-use.yml }} | ||
|
||
{{ run.sh }} | ||
|
||
### Observation | ||
|
||
The rule has identified five instances in the code file where an insecure random number generator is used. The specified line numbers can be located in the original code for further investigation and remediation. | ||
|
||
{{ output.txt }} | ||
|
||
### Evaluation | ||
|
||
Review each of the reported instances. | ||
|
||
- Line 12 seems to be used to generate random numbers for security purposes, in this case for generating authentication tokens. | ||
- Line 17 is part of the function `get_random`. Review any calls to this function to ensure that the random number is not used in a security-relevant context. | ||
- Line 27 is part of the password generation function which is a security-critical operation. | ||
|
||
Note that line 37 did not trigger the rule because the random number is generated using `SecureRandom` which is a secure random number generator. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
package org.owasp.mastestapp | ||
|
||
import android.util.Log | ||
import android.content.Context | ||
|
||
class MastgTest (private val context: Context){ | ||
|
||
fun mastgTest(): String { | ||
val sensitiveString = "Hello from the OWASP MASTG Test app." | ||
|
||
Log.d("MASTG-TEST", sensitiveString) | ||
return sensitiveString | ||
} | ||
|
||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
|
||
|
||
┌────────────────┐ | ||
│ 1 Code Finding │ | ||
└────────────────┘ | ||
|
||
AndroidManifest_reversed.xml | ||
rules.mastg-android-minsdkversion | ||
[MASVS-CODE] Ensure app only runs on a recent version of Android | ||
|
||
2┆ <?xml version="1.0" encoding="utf-8" standalone="no"?><manifest xmlns:android="http://schemas.android.com/apk/res/android" android:compileSdkVersion="34" android:compileSdkVersionCodename="14" package="org.owasp.mastestapp" platformBuildVersionCode="34" platformBuildVersionName="14"> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
NO_COLOR=true semgrep -c ../../../../rules/mastg-android-minSdkVersion.yml ./AndroidManifest_reversed.xml --text -o output.txt |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
rules: | ||
- id: mastg-android-minsdkversion | ||
severity: WARNING | ||
languages: | ||
- xml | ||
metadata: | ||
summary: This rule checks the value of minSdkVersion is set and is not lower than 30 | ||
message: "[MASVS-CODE] Ensure app only runs on a recent version of Android" | ||
patterns: | ||
- pattern: <uses-sdk android:minSdkVersion="$X" /> | ||
- metavariable-comparison: | ||
comparison: int($X)<30 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
--- | ||
platform: android | ||
title: Not Ensuring Recent Platform Version | ||
id: MASTG-TEST-9999 | ||
type: [static] | ||
weakness: MASWE-0077 | ||
--- | ||
|
||
## Overview | ||
|
||
This test verifies whether your app ensures it is running on a recent version of Android by checking the value of `minSdkVersion` within `AndroidManifest.xml`. For the purposes of this test the value is checked to see if it is less than API level 30 (Android 11, released 2020). However, you should ensure you are using a value that is appropriate for the app being tested and balance between current market share of an API and security. If you are the app's developer the Play console has metrics specific to an app's user distribution but you can also find general metrics at [ApiLevels.com](https://apilevels.com/) | ||
|
||
## Steps | ||
|
||
Use `grep` to search the `AndroidManifest.xml` for `android:minSdkVersion` (@MASTG-TECH-0014). | ||
|
||
## Observation | ||
|
||
The output should contain the line of the manifest that defines the `minSdkVersion`. | ||
|
||
## Evaluation | ||
|
||
The test case fails if `minSdkVersion` does not exist or the value is less than 30. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
--- | ||
platform: iOS | ||
title: Not Ensuring Recent OS Version | ||
id: MASTG-TEST-8888 | ||
type: [static] | ||
weakness: MASWE-0077 | ||
--- | ||
|
||
## Overview | ||
|
||
This test verifies whether your app ensures it is running on a recent version of iOS by checking the value of `MinimumOSVersion` within `Info.plist`. For the purposes of this test the value is checked to see if it is less than 15. However, you should ensure you are using a value that is appropriate for the app being tested and balance between current market share of the iOS version and security. | ||
|
||
## Steps | ||
|
||
Use `grep` to search the `Info.plist` for `MinimumOSVersion` (@MASTG-TECH-0058). | ||
|
||
## Observation | ||
|
||
The output should contain the line of the plist file that defines the `MinimumOSVersion`. | ||
|
||
## Evaluation | ||
|
||
The test case fails if the `MinimumOSVersion` value is less than 15. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.