From d3cb11b182290438aa8306a364ee10a5e915feb9 Mon Sep 17 00:00:00 2001
From: Dennis Titze
Date: Mon, 4 Nov 2024 18:48:23 +0000
Subject: [PATCH 1/4] Port MASTG test 0019

---
 .../MASVS-NETWORK/MASTG-TEST-0x19-1.md | 25 +++++++++++++++++
 .../MASVS-NETWORK/MASTG-TEST-0x19-2.md | 25 +++++++++++++++++
 .../MASVS-NETWORK/MASTG-TEST-0x19-3.md | 28 +++++++++++++++++++
 .../MASVS-NETWORK/MASTG-TEST-0x19-4.md | 17 +++++++++++
 .../MASVS-NETWORK/MASTG-TEST-0x19-5.md | 28 +++++++++++++++++++
 .../android/MASVS-NETWORK/MASTG-TEST-0019.md | 3 ++
 6 files changed, 126 insertions(+)
 create mode 100644 tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-1.md
 create mode 100644 tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-2.md
 create mode 100644 tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-3.md
 create mode 100644 tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-4.md
 create mode 100644 tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-5.md

diff --git a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-1.md b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-1.md
new file mode 100644
index 0000000000..d051ef67a5
--- /dev/null
+++ b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-1.md
@@ -0,0 +1,25 @@
+---
+title: HTTP URLs
+platform: android
+id: MASTG-TEST-0x19-1
+type: [static]
+weakness: MASWE-0050
+---
+
+## Overview
+
+The app should not contain any HTTP URLs which might be used for communicating with a server.
+
+## Steps
+
+1. Reverse engineer the app (@MASTG-TECH-0017).
+2. Run a static analysis (@MASTG-TECH-0014) tool and look for any `http://` URLs.
+3. Verify the found URLs are actually used for communication.
+
+## Observation
+
+The output contains a list of URLs which are used for communication.
+
+## Evaluation
+
+The test case fails if any HTTP URLs are used for communication.
diff --git a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-2.md b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-2.md
new file mode 100644
index 0000000000..b6353699b6
--- /dev/null
+++ b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-2.md
@@ -0,0 +1,25 @@
+---
+title: SSLSockets without Hostname Verification
+platform: android
+id: MASTG-TEST-0x19-2
+type: [static]
+weakness: MASWE-0050
+---
+
+## Overview
+
+`SSLSocket` does not perform hostname verification (see ["Android documentation"](https://developer.android.com/privacy-and-security/security-ssl#WarningsSslSocket)). This needs to be implemented securely by the app itself.
+
+## Steps
+
+1. Reverse engineer the app (@MASTG-TECH-0017).
+2. Run a static analysis (@MASTG-TECH-0014) tool and look for all usages of `SSLSocket`.
+3. Verify each usage performans manual hostname verification correctly.
+
+## Observation
+
+The output contains a list locations where `SSLSocket` is used and if hostname verification is done correctly for each.
+
+## Evaluation
+
+The test case fails if any hostname verification is missing, or implemented insecurely.
diff --git a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-3.md b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-3.md
new file mode 100644
index 0000000000..053103f8d6
--- /dev/null
+++ b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-3.md
@@ -0,0 +1,28 @@
+---
+title: Cleartext traffic permitted
+platform: android
+id: MASTG-TEST-0x19-3
+type: [static]
+weakness: MASWE-0050
+---
+
+## Overview
+
+Since Android 9 (API level 28) cleartext HTTP traffic is blocked by default (thanks to the [default Network Security Configuration](../../../Document/0x05g-Testing-Network-Communication.md#default-configurations)) but there are multiple ways in which an application can still send it:
+
+- Setting the [`android:usesCleartextTraffic`](https://developer.android.com/guide/topics/manifest/application-element#usesCleartextTraffic "Android documentation - usesCleartextTraffic flag") attribute of the `` tag in the AndroidManifest.xml file. Note that this flag is ignored in case the Network Security Configuration is configured.
+- Configuring the Network Security Configuration to enable cleartext traffic by setting the `cleartextTrafficPermitted` attribute to true on `` elements.
+
+## Steps
+
+1. Reverse engineer the app (@MASTG-TECH-0017).
+2. Verify `usesCleartextTraffic` is not set to `true` in the AndroidManifest.xml
+3. Inspect the AndroidManifest.xml, and check if a `networkSecurityConfig` is set in the `` tag. If yes, inspect the referenced file, and make sure `cleartextTrafficPermitted` is not set to `true` for any domain.
+
+## Observation
+
+The output contains a list of domains for which cleartext traffic is enabled.
+
+## Evaluation
+
+The test case fails if any cleartext traffic is permitted.
diff --git a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-4.md b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-4.md
new file mode 100644
index 0000000000..51548f0db7
--- /dev/null
+++ b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-4.md
@@ -0,0 +1,17 @@
+---
+title: Cleartext traffic is allowed for cross-platform frameworks
+platform: android
+id: MASTG-TEST-0x19-4
+type: [static]
+weakness: MASWE-0050
+---
+
+## Overview
+
+Cross-platform frameworks (e.g. Flutter, React native, ...), typically have their own implementations for HTTP libraries, where cleartext traffic can be allowed.
+
+## Steps
+
+## Observation
+
+## Evaluation
diff --git a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-5.md b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-5.md
new file mode 100644
index 0000000000..9bc0db4fb9
--- /dev/null
+++ b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-5.md
@@ -0,0 +1,28 @@
+---
+title: Cleartext traffic observed
+platform: network
+id: MASTG-TEST-0x19-5
+type: [dynamic]
+weakness: MASWE-0050
+---
+
+## Overview
+
+Intercept the tested app's incoming and outgoing network traffic and make sure that this traffic is encrypted.
+
+## Steps
+
+You can use one of the following approaches:
+
+- Set up @MASTG-TECH-0010 (for Android) or @MASTG-TECH-0062 (for iOS) to capture all traffic and make sure no communication is done in cleartext.
+- Capture all traffic with an interception proxy like @MASTG-TOOL-0077, @MASTG-TOOL-0079, or @MASTG-TOOL-0097 and make sure no request is done in cleartext. Interception proxies like Burp and OWASP ZAP will show HTTP(S) traffic only. You can, however, use a Burp plugin such as [Burp-non-HTTP-Extension](https://github.com/summitt/Burp-Non-HTTP-Extension "Burp-non-HTTP-Extension") or the tool [mitm-relay](https://github.com/jrmdev/mitm_relay "mitm-relay") to decode and visualize communication via XMPP and other protocols.
+
+Note: Some applications may not function correctly with proxies like Burp and OWASP ZAP because of Certificate Pinning. In such a scenario, you can still use the other technique.
+
+## Observation
+
+The output contains a list of cleartext network requests.
+
+## Evaluation
+
+The test case fails if any cleartext requests are logged.
diff --git a/tests/android/MASVS-NETWORK/MASTG-TEST-0019.md b/tests/android/MASVS-NETWORK/MASTG-TEST-0019.md index a1098d4c94..0ce518994b 100644 --- a/tests/android/MASVS-NETWORK/MASTG-TEST-0019.md +++ b/tests/android/MASVS-NETWORK/MASTG-TEST-0019.md @@ -8,6 +8,9 @@ title: Testing Data Encryption on the Network masvs_v1_levels: - L1 - L2 +status: deprecated +covered_by: [MASTG-TEST-0x19-1,MASTG-TEST-0x19-2,,MASTG-TEST-0x19-3,MASTG-TEST-0x19-4,MASTG-TEST-0x19-5] +deprecation_note: New version available in MASTG V2 --- ## Overview From 1f8be5ddf31c9619fd34dd7be4a5db6fb7f68902 Mon Sep 17 00:00:00 2001 From: Dennis Titze Date: Tue, 5 Nov 2024 09:32:54 +0000 Subject: [PATCH 2/4] Fix markdown --- tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-5.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-5.md b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-5.md index 9bc0db4fb9..2ec1e39933 100644 --- a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-5.md +++ b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-5.md @@ -8,7 +8,7 @@ weakness: MASWE-0050 ## Overview -Intercept the tested app's incoming and outgoing network traffic and make sure that this traffic is encrypted. +Intercept the tested app's incoming and outgoing network traffic and make sure that this traffic is encrypted. ## Steps From 355ea51db7b6943ab8277edbcde0c49aeadeae3f Mon Sep 17 00:00:00 2001 
From: Dennis Titze Date: Tue, 5 Nov 2024 17:50:06 +0000 Subject: [PATCH 3/4] Review feedback --- .../android/MASVS-NETWORK/MASTG-TEST-0x19-1.md | 9 +++++++-- .../android/MASVS-NETWORK/MASTG-TEST-0x19-2.md | 14 +++++++++----- .../android/MASVS-NETWORK/MASTG-TEST-0x19-3.md | 6 +++--- .../android/MASVS-NETWORK/MASTG-TEST-0x19-4.md | 13 ++----------- .../android/MASVS-NETWORK/MASTG-TEST-0x19-5.md | 10 ++++++++-- .../android/MASVS-NETWORK/MASTG-TEST-0x19-6.md | 8 ++++++++ tests/android/MASVS-NETWORK/MASTG-TEST-0019.md | 2 +- 7 files changed, 38 insertions(+), 24 deletions(-) create mode 100644 tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-6.md diff --git a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-1.md b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-1.md index d051ef67a5..54a3943627 100644 --- a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-1.md +++ b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-1.md @@ -8,13 +8,18 @@ weakness: MASWE-0050 ## Overview -The app should not contain any HTTP URLs which might be used for communicating with a server. +An app may have hardcoded HTTP URLs in the app binary, in libs binaries and other places within the APK. + +Those URLs are not necessarily used for communication, but can indicate locations where a server is contacted without TLS. + +!!! warning Limitations + If such URLs are actually insecure can depend on other factors. For example if HTTP traffic is disabled in the AndroidManifest, trying to access such URLs will result in an exception, and no insecure connection is made. ## Steps 1. Reverse engineer the app (@MASTG-TECH-0017). 2. Run a static analysis (@MASTG-TECH-0014) tool and look for any `http://` URLs. -3. Verify the found URLs are actually used for communication. +3. Verify the found URLs are actually used for communication by inspecting all locations where these URLs are used. ## Observation 
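Review bot: The new Limitations warning in the Overview overstates the protection: a cleartext block in the manifest or Network Security Configuration is only honored by components that consult it (the Android docs call it best-effort, naming HttpURLConnection, OkHttp and WebView), so native code, raw sockets or third-party stacks may still connect to a hardcoded `http://` URL. I would add after the exception sentence: `Note that this protection is best-effort; native code and libraries that do not honor the Network Security Configuration can still use the URL in cleartext, so treat such URLs as findings unless the code path is shown to be unreachable.` Step 2's search for `http://` alone also misses other plaintext schemes and URLs assembled at runtime, so I would widen it to `look for http://, ws:// and ftp:// URLs, including strings concatenated at runtime and strings inside native libraries`.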
diff --git a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-2.md b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-2.md index b6353699b6..0aa465c029 100644 --- a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-2.md +++ b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-2.md 
@@ -1,24 +1,28 @@ --- -title: SSLSockets without Hostname Verification +title: SSLSockets not Properly Verifying Hostnames platform: android id: MASTG-TEST-0x19-2 type: [static] -weakness: MASWE-0050 +weakness: MASWE-0052 --- ## Overview -`SSLSocket` does not perform hostname verification (see ["Android documentation"](https://developer.android.com/privacy-and-security/security-ssl#WarningsSslSocket)). This needs to be implemented securely by the app itself. +`SSLSocket` does not perform hostname verification (see ["Android documentation"](https://developer.android.com/privacy-and-security/security-ssl#WarningsSslSocket)) by default. This needs to be implemented securely by the app itself. + +A secure way isto implement an own `HostnameVerifier` which forwards the hostname verification to the `verify()` method of the `DefaultHostnameVerifier()`Be aware that `HostnameVerifier.verify()` does not throw an exception on error. Instead, it returns a boolean result that must explicitly check by the app. + +See ["Unsafe HostnameVerifier"](https://developer.android.com/privacy-and-security/risks/unsafe-hostname) for more information about insecure `HostnameVerifiers`. ## Steps 1. Reverse engineer the app (@MASTG-TECH-0017). 2. Run a static analysis (@MASTG-TECH-0014) tool and look for all usages of `SSLSocket`. -3. Verify each usage performans manual hostname verification correctly. +3. Verify each `SSLSocket` attaches a `HostnameVerifier` and verify the implementation of the HostnameVerifier is secure. ## Observation -The output contains a list locations where `SSLSocket` is used and if hostname verification is done correctly for each. +The output contains a list of locations where `SSLSocket` is used and does not perform hostname verification or does so incorrectly. ## Evaluation diff --git a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-3.md b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-3.md index 053103f8d6..8c96f026ed 100644 
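Review bot: Step 3 and the Overview describe a HostnameVerifier that is "attached" to the `SSLSocket` and a `DefaultHostnameVerifier()`, but `SSLSocket` has no verifier hook: the app must call one explicitly after the handshake, normally `HttpsURLConnection.getDefaultHostnameVerifier().verify(hostname, socket.getSession())`, and abort the connection when it returns `false`. I would reword step 3 to `3. Verify that after each handshake the app explicitly calls HostnameVerifier.verify() with the expected hostname and aborts when it returns false (or, on API 24+, sets SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") before connecting), and that no custom verifier returns true unconditionally.` The added Overview sentence also needs editing: `isto` should be `is to`, a sentence break is missing before `Be aware`, and `must explicitly check` should be `must be explicitly checked`.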
--- a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-3.md +++ b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-3.md 
@@ -11,17 +11,17 @@ weakness: MASWE-0050 Since Android 9 (API level 28) cleartext HTTP traffic is blocked by default (thanks to the [default Network Security Configuration](../../../Document/0x05g-Testing-Network-Communication.md#default-configurations)) but there are multiple ways in which an application can still send it: - Setting the [`android:usesCleartextTraffic`](https://developer.android.com/guide/topics/manifest/application-element#usesCleartextTraffic "Android documentation - usesCleartextTraffic flag") attribute of the `` tag in the AndroidManifest.xml file. Note that this flag is ignored in case the Network Security Configuration is configured. -- Configuring the Network Security Configuration to enable cleartext traffic by setting the `cleartextTrafficPermitted` attribute to true on `` elements. +- Configuring the [Network Security Configuration to enable cleartext traffic](https://developer.android.com/privacy-and-security/security-config#CleartextTrafficPermitted) by setting the `cleartextTrafficPermitted` attribute to true on `` elements. ## Steps 1. Reverse engineer the app (@MASTG-TECH-0017). 2. Verify `usesCleartextTraffic` is not set to `true` in the AndroidManifest.xml -3. Inspect the AndroidManifest.xml, and check if a `networkSecurityConfig` is set in the `` tag. If yes, inspect the referenced file, and make sure `cleartextTrafficPermitted` is not set to `true` for any domain. +3. Inspect the AndroidManifest.xml, and check if a `networkSecurityConfig` is set in the `` tag. If yes, inspect the referenced file, and make sure that `cleartextTrafficPermitted` is not set to `true` globally in the `` element, or for specific domains in their `` elements. ## Observation -The output contains a list of domains for which cleartext traffic is enabled. +The output contains a list of configurations allowing for cleartext traffic. ## Evaluation 
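Review bot: Step 2 treats an absent `usesCleartextTraffic` attribute as safe, but the attribute defaults to `true` for apps targeting API level 27 or lower, so such an app with no Network Security Configuration permits cleartext without setting anything. I would make the check `2. Read targetSdkVersion from the AndroidManifest.xml; if it is 27 or lower, cleartext is permitted unless usesCleartextTraffic is explicitly false or a Network Security Configuration disables it, otherwise verify usesCleartextTraffic is not set to true.` It is also worth noting in the rewritten step 3 that, per the Network Security Configuration docs, a `domain-config` inherits `cleartextTrafficPermitted` from its enclosing config when it does not set it, so the effective value for a domain depends on the nesting rather than on that element alone.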
diff --git a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-4.md b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-4.md index 51548f0db7..ea30065f5d 100644 --- a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-4.md +++ b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-4.md @@ -4,14 +4,5 @@ platform: android id: MASTG-TEST-0x19-4 type: [static] weakness: MASWE-0050 ---- - -## Overview - -Cross-platform frameworks (e.g. Flutter, React native, ...), typically have their own implementations for HTTP libraries, where cleartext traffic can be allowed. - -## Steps - -## Observation - -## Evaluation +status: draft +note: Cross-platform frameworks (e.g. Flutter, React native, ...), typically have their own implementations for HTTP libraries, where cleartext traffic can be allowed. diff --git a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-5.md b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-5.md index 2ec1e39933..e17ba4ce6f 100644 --- a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-5.md +++ b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-5.md 
@@ -8,14 +8,20 @@ weakness: MASWE-0050 ## Overview -Intercept the tested app's incoming and outgoing network traffic and make sure that this traffic is encrypted. +This test intercepts the app's incoming and outgoing network traffic, and checks for any cleartext communication. +Whilst the static checks can only show _potential_ cleartext traffic, this dynamic test shows all communication the application definitely makes. + +!!! warning Limitation + - Intercepting traffic on a network level will show all traffic _the device_ performs, not only the single app. Linking the traffic back to a specific app can be difficult, especially when more apps are installed on the device. + - Linking the intercepted traffic back to specific locations in the app can be difficult and requires manual analysis of the code. + - Dynamic analysis works best when you interact extensively with the app. But even then there could be corner cases which are difficult or impossible to execute on every device. The results from this test therefore are likely not exhaustive. ## Steps You can use one of the following approaches: - Set up @MASTG-TECH-0010 (for Android) or @MASTG-TECH-0062 (for iOS) to capture all traffic and make sure no communication is done in cleartext. -- Capture all traffic with an interception proxy like @MASTG-TOOL-0077, @MASTG-TOOL-0079, or @MASTG-TOOL-0097 and make sure no request is done in cleartext. Interception proxies like Burp and OWASP ZAP will show HTTP(S) traffic only. You can, however, use a Burp plugin such as [Burp-non-HTTP-Extension](https://github.com/summitt/Burp-Non-HTTP-Extension "Burp-non-HTTP-Extension") or the tool [mitm-relay](https://github.com/jrmdev/mitm_relay "mitm-relay") to decode and visualize communication via XMPP and other protocols. +- Capture all traffic with an interception proxy like @MASTG-TOOL-0077, @MASTG-TOOL-0079, or @MASTG-TOOL-0097 and make sure no request is done in cleartext. 
Interception proxies like Burp and OWASP ZAP will show HTTP(S) traffic only. You can, however, use a Burp plugin such as [Burp-non-HTTP-Extension](https://github.com/summitt/Burp-Non-HTTP-Extension) or the tool [mitm-relay](https://github.com/jrmdev/mitm_relay) to decode and visualize communication via XMPP and other protocols. Note: Some applications may not function correctly with proxies like Burp and OWASP ZAP because of Certificate Pinning. In such a scenario, you can still use the other technique. diff --git a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-6.md b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-6.md new file mode 100644 index 0000000000..8e8f27a095 --- /dev/null +++ b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-6.md @@ -0,0 +1,8 @@ +--- +title: Using low-level APIs (e.g. Socket) to set up a custom HTTP connection +platform: android +id: MASTG-TEST-0x19-6 +type: [static] +weakness: MASWE-0050 +status: draft +note: new test diff --git a/tests/android/MASVS-NETWORK/MASTG-TEST-0019.md b/tests/android/MASVS-NETWORK/MASTG-TEST-0019.md index 0ce518994b..7289cfb984 100644 --- a/tests/android/MASVS-NETWORK/MASTG-TEST-0019.md +++ b/tests/android/MASVS-NETWORK/MASTG-TEST-0019.md @@ -9,7 +9,7 @@ masvs_v1_levels: - L1 - L2 status: deprecated -covered_by: [MASTG-TEST-0x19-1,MASTG-TEST-0x19-2,,MASTG-TEST-0x19-3,MASTG-TEST-0x19-4,MASTG-TEST-0x19-5] +covered_by: [MASTG-TEST-0x19-1,MASTG-TEST-0x19-2,,MASTG-TEST-0x19-3,MASTG-TEST-0x19-4,MASTG-TEST-0x19-5,MASTG-TEST-0x19-6] deprecation_note: New version available in MASTG V2 --- From 4127f2c5a1387a7d787fabfe698ed93c9643cefd Mon Sep 17 00:00:00 2001 
From: Dennis Titze Date: Tue, 5 Nov 2024 18:11:40 +0000 Subject: [PATCH 4/4] Add Frida to trace traffic --- tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-5.md | 2 +- tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-7.md | 8 ++++++++ tests/android/MASVS-NETWORK/MASTG-TEST-0019.md | 2 +- 3 files changed, 10 insertions(+), 2 deletions(-) create mode 100644 tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-7.md diff --git a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-5.md b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-5.md index e17ba4ce6f..1b15ae311e 100644 --- a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-5.md +++ b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-5.md @@ -1,5 +1,5 @@ --- -title: Cleartext traffic observed +title: Cleartext Traffic Observed on the Network platform: network id: MASTG-TEST-0x19-5 type: [dynamic] diff --git a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-7.md b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-7.md new file mode 100644 index 0000000000..02f2e50aec --- /dev/null +++ b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-7.md @@ -0,0 +1,8 @@ +--- +title: Cleartext Traffic Observed on the Network +platform: android +id: MASTG-TEST-0x19-7 +type: [static] +weakness: MASWE-0050 +status: draft +note: Using Frida, you can trace all traffic of the app, mitigating the limitation of the dynamic analysis that you do not know which app, or which location is responsible for the traffic. Using Frida (and `.backtrace()`), you can be sure this is from the analyzed app, and know the exact location. A new limitation is then that all relevant networking APIs need to be instrumented. diff --git a/tests/android/MASVS-NETWORK/MASTG-TEST-0019.md b/tests/android/MASVS-NETWORK/MASTG-TEST-0019.md index 7289cfb984..2fb2c3d730 100644 --- a/tests/android/MASVS-NETWORK/MASTG-TEST-0019.md +++ b/tests/android/MASVS-NETWORK/MASTG-TEST-0019.md 
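Review bot: The new `MASTG-TEST-0x19-7` front matter declares `type: [static]` while its note describes Frida instrumentation of the running app, which is a dynamic technique, so it should read `type: [dynamic]`. Its title also duplicates the `Cleartext Traffic Observed on the Network` title given to `MASTG-TEST-0x19-5` in the same patch, which makes the two indistinguishable in any listing; something like `title: Cleartext Traffic Observed via Runtime Instrumentation` would tell them apart.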
@@ -9,7 +9,7 @@ masvs_v1_levels: - L1 - L2 status: deprecated -covered_by: [MASTG-TEST-0x19-1,MASTG-TEST-0x19-2,,MASTG-TEST-0x19-3,MASTG-TEST-0x19-4,MASTG-TEST-0x19-5,MASTG-TEST-0x19-6] +covered_by: [MASTG-TEST-0x19-1,MASTG-TEST-0x19-2,,MASTG-TEST-0x19-3,MASTG-TEST-0x19-4,MASTG-TEST-0x19-5,MASTG-TEST-0x19-6,MASTG-TEST-0x19-7] deprecation_note: New version available in MASTG V2 ---
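Review bot: The `covered_by` flow sequence still carries the stray double comma introduced in the first patch, `MASTG-TEST-0x19-2,,MASTG-TEST-0x19-3`, which YAML parsers either reject or read as an empty entry between the two IDs and will presumably break any tooling that resolves every listed test ID. The line should read `covered_by: [MASTG-TEST-0x19-1,MASTG-TEST-0x19-2,MASTG-TEST-0x19-3,MASTG-TEST-0x19-4,MASTG-TEST-0x19-5,MASTG-TEST-0x19-6,MASTG-TEST-0x19-7]`.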