-
-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Port MASTG-TEST-0024 (by @appknox) #3076
base: master
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
--- | ||
platform: android | ||
title: Testing for App Permissions | ||
id: MASTG-TEST-0x24 | ||
--- | ||
|
||
## Overview | ||
|
||
Testing for app permissions in Android involves evaluating how an application requests, uses, and manages permissions to ensure they do not lead to security vulnerabilities. Proper permission management should protect sensitive user data and ensure that the application complies with Android's security model. The test aims to detect misconfigurations and unnecessary permissions. | ||
|
||
## Steps | ||
|
||
### Static analysis | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We do not use these sections anymore but rather one unique list of steps. In this case you can easily create a MASTG-TECH for "Obtaining App Permissions" and there use one ## section per tool. Example:
See the latest MASTG-TECH and MASTG-TEST (V2 beta) for reference (you can go to the page and sort the IDs to see the recent ones). FOR THIS TEST: as you'll see in the other ones this will become one step about using the technique by referencing it with @ |
||
|
||
1. Decompile the APK using tools like @MASTG-TOOL-0011. | ||
2. Examine the `AndroidManifest.xml` file for declared permissions by searching for `<uses-permission` tags. | ||
3. Review the permissions with the developer to identify the purpose of each permission set and remove unnecessary or dangerous permissions. | ||
|
||
### Dynamic analysis | ||
|
||
1. Permissions for installed applications can be retrieved with @MASTG-TOOL-0004. | ||
2. Use the @MASTG-TOOL-0004 with the following command : | ||
`$ adb shell dumpsys package sg.vp.owasp_mobile.omtg_android` | ||
|
||
Please refer to this [permissions overview ↗](https://developer.android.com/guide/topics/permissions/overview#permission-groups "Table 1. Dangerous permissions and permission groups.") for descriptions of the listed permissions that are considered dangerous. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This would be better for the evaluation. Be careful not to include that arrow right before the closing bracket |
||
|
||
## Observation | ||
|
||
The output shows the list of permissions used by the application. | ||
|
||
## Evaluation | ||
|
||
The test will fail if the correct permissions are used. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Check other recently added V2 tests for missing fields such as MASWE ID