Add a demo with listing all files

OWASP · cpholguera · Jul 3, 2024 · Mar 5, 2024 · May 6, 2024 · Mar 5, 2024
commit 1d0dbb6e2980ae2703ce9e0e14aaea507eab0d46
diff --git a/...ser-interaction-frida/demo-1/MastgTest.kt → ...ion-dynamic-file-diff/demo-1/MastgTest.kt b/...ser-interaction-frida/demo-1/MastgTest.kt → ...ion-dynamic-file-diff/demo-1/MastgTest.kt
diff --git a/...unencrypted-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/demo.md b/...unencrypted-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/demo.md
@@ -0,0 +1,32 @@
+---
+platform: android
+title: Listing files inside External Storage 
+tools: [adb]
+code: [kotlin]
+---
+
+### Sample
+
+The snippet below shows sample code that creates a file in external storage.
+
+{{ MastgTest.kt }}
+
+### Steps
+
+1. Install an app on your device
+2. Execute `run_before.sh`
+3. Open an app and excercise it to trigger file creations
+4. Execute `run_after.sh`
+5. Close the app once you finish testing
+
+{{ run.sh }}
+
+### Observation
+
+There is a list of all created files inside `new_files.txt`. Their content is inside `./new_files/` directory.
+
+{{ output.txt }}
+
+### Evaluation
+
+This test fails because the file contains a secretFile.txt.
diff --git a/...ata-unencrypted-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/new_files.txt b/...ata-unencrypted-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/new_files.txt
@@ -0,0 +1,2 @@
+/sdcard/Android/data/org.owasp.mastestapp/files/secret.txt
+/sdcard/Download/secretFile75.txt
diff --git a/...ncrypted-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/new_files/secret.txt b/...ncrypted-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/new_files/secret.txt
@@ -0,0 +1 @@
+Secret may use scoped storage depending on Android version
diff --git a/...ed-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/new_files/secretFile75.txt b/...ed-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/new_files/secretFile75.txt
@@ -0,0 +1 @@
+Secret data
diff --git a/...data-unencrypted-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/run_after.sh b/...data-unencrypted-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/run_after.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# SUMMARY: List all files created after the creation date of a file created in run_before
+
+adb shell "find /sdcard/ -type f -newer /data/local/tmp/test_start" > new_files.txt
+adb shell "rm /data/local/tmp/test_start"
+mkdir -p new_files
+while read -r line; do
+ adb pull "$line" ./new_files/
+done < new_files.txt
diff --git a/...ata-unencrypted-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/run_before.sh b/...ata-unencrypted-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/run_before.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# SUMMARY: This script creates a dummy file to mark a timestamp that we can use later
+# on to identify files created during the app excercising
+
+adb shell "touch /data/local/tmp/test_start"
diff --git a/...d-data-unencrypted-shared-storage-no-user-interaction-dynamic-file-diff/test.md b/...d-data-unencrypted-shared-storage-no-user-interaction-dynamic-file-diff/test.md
@@ -0,0 +1,39 @@
+---
+platform: android
+title: Listing Files Stored to External Locations on Runtime
+apis: [Environment#getExternalStorageDirectory, Environment#getExternalStorageDirectory, Environment#getExternalFilesDir, Environment#getExternalCacheDir, SharedPreferences, FileOutPutStream]
+type: [dynamic]
+---
+
+## Overview
+
+Comparing the list of all files in the shared and external storage before and after excersising the app may reveal sensitive files stored unintentionally.
+
+## Steps
+
+1. Make sure you have ADB installed
+
+2. Install the app.
+
+3. Execute `run_before.sh` before opening the app to mark the timestamp.
+
+4. Excercise the app
+
+5. Execute `run_after.sh` to list all the files created by the app in the external storage.
+
+
+## Observation
+
+The **output** contains a list of files that were created during the excersising the app app.
+
+## Evaluation
+
+The test case fails if the files found above are not encrypted and leak sensitive data.
+
+For example, the following output shows sample files that should be manually inspected.
+
+```shell
+/storage/emulated/0/Android/data/com.example/keys.json
+/storage/emulated/0/Android/data/com.example/files/config.xml
+/sdcard/secret.txt"
+```
diff --git a/...oid-data-unencrypted-shared-storage-no-user-interaction-dynamic-frida/demo-1/MastgTest.kt b/...oid-data-unencrypted-shared-storage-no-user-interaction-dynamic-frida/demo-1/MastgTest.kt
@@ -0,0 +1,61 @@
+package org.owasp.mastestapp
+
+import android.content.Context
+import android.util.Log
+import java.io.File
+import java.io.FileOutputStream
+import java.io.IOException
+import android.content.ContentValues
+import android.os.Environment
+import android.provider.MediaStore
+import java.io.OutputStream
+
+class MastgTest (private val context: Context){
+
+ fun mastgTest(): String {
+ mastgTestApi()
+ mastgTestMediaStore()
+ return "SUCCESS!!\n\nFiles have been written with API and MediaStore"
+ }
+ fun mastgTestApi() {
+ val externalStorageDir = context.getExternalFilesDir(null)
+ val fileName = File(externalStorageDir, "secret.txt")
+ val fileContent = "Secret may use scoped storage depending on Android version"
+
+ try {
+ FileOutputStream(fileName).use { output ->
+ output.write(fileContent.toByteArray())
+ Log.d("WriteExternalStorage", "File written to external storage successfully.")
+ }
+ } catch (e: IOException) {
+ Log.e("WriteExternalStorage", "Error writing file to external storage", e)
+ }
+ }
+
+ fun mastgTestMediaStore() {
+ try {
+ val resolver = context.contentResolver
+ var randomNum = (0..100).random().toString()
+ val contentValues = ContentValues().apply {
+ put(MediaStore.MediaColumns.DISPLAY_NAME, "secretFile$randomNum.txt")
+ put(MediaStore.MediaColumns.MIME_TYPE, "text/plain")
+ put(MediaStore.MediaColumns.RELATIVE_PATH, Environment.DIRECTORY_DOWNLOADS)
+ }
+ val textUri = resolver.insert(MediaStore.Downloads.EXTERNAL_CONTENT_URI, contentValues)
+
+ textUri?.let {
+ val outputStream: OutputStream? = resolver.openOutputStream(it)
+ outputStream?.use {
+ it.write("Secret data".toByteArray())
+ it.flush()
+ }
+ Log.d("MediaStore", "File written to external storage successfully.")
+ } ?: run {
+ Log.e("MediaStore", "Error inserting URI to MediaStore.")
+ }
+ } catch (exception: Exception) {
+ Log.e("MediaStore", "Error writing file to URI from MediaStore", exception)
+ }
+ }
+}
+
diff --git a/...-no-user-interaction-frida/demo-1/demo.md → ...-interaction-dynamic-frida/demo-1/demo.md b/...-no-user-interaction-frida/demo-1/demo.md → ...-interaction-dynamic-frida/demo-1/demo.md
@@ -1,6 +1,6 @@
 ---
 platform: android
-title: File Tracing
+title: File Tracing with Frida
 tools: [frida]
 code: [kotlin]
 ---

diff --git a/...-user-interaction-frida/demo-1/output.txt → ...teraction-dynamic-frida/demo-1/output.txt b/...-user-interaction-frida/demo-1/output.txt → ...teraction-dynamic-frida/demo-1/output.txt
diff --git a/...e-no-user-interaction-frida/demo-1/run.sh → ...r-interaction-dynamic-frida/demo-1/run.sh b/...e-no-user-interaction-frida/demo-1/run.sh → ...r-interaction-dynamic-frida/demo-1/run.sh
diff --git a/...o-user-interaction-frida/demo-1/script.js → ...nteraction-dynamic-frida/demo-1/script.js b/...o-user-interaction-frida/demo-1/script.js → ...nteraction-dynamic-frida/demo-1/script.js
diff --git a/...storage-no-user-interaction-frida/test.md → ...no-user-interaction-dynamic-frida/test.md b/...storage-no-user-interaction-frida/test.md → ...no-user-interaction-dynamic-frida/test.md