Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[MASWE-0007] Sensitive Data Stored Unencrypted in Shared Storage Requiring No User Interaction #2594

Merged
merged 39 commits into from
Jul 3, 2024
Merged

[MASWE-0007] Sensitive Data Stored Unencrypted in Shared Storage Requiring No User Interaction #2594

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
39 commits
Select commit Hold shift + click to select a range
0bc19a7
Add Risk and Tests for: Sensitive Data Stored Unencrypted in External…
serek8 Mar 5, 2024
af50568
Update risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unenc…
serek8 May 6, 2024
dc5a465
Fix spellings
serek8 Mar 5, 2024
e0ba4e1
Update tests and examples
serek8 May 7, 2024
7d23021
Update the title of a static test
serek8 May 7, 2024
d2df0de
Update examples and fix spellings
serek8 May 7, 2024
cc126f0
Added rules from Olivier
serek8 May 7, 2024
3cb96d2
Apply suggestions from code review
serek8 Jun 3, 2024
dfb01ff
Rename Sample to Demo
serek8 Jun 3, 2024
badad99
Update demo-2 with a reversed manifest file
serek8 Jun 3, 2024
5e5c8dc
Mention iOS in Risks
serek8 Jun 4, 2024
ac00a36
Update Demos with the MASTestApp
serek8 Jun 4, 2024
44b625b
Update demo-1
serek8 Jun 4, 2024
bdcea87
Add a new demo and refactor existing demos
serek8 Jun 5, 2024
1d0dbb6
Add a demo with listing all files
serek8 Jun 5, 2024
9ad1169
Fix the spelling errors
serek8 Jun 5, 2024
e8fab33
fix md lint issues
cpholguera Jun 7, 2024
e8093a9
fix md lint issues
cpholguera Jun 7, 2024
d79b2d8
update rules to remove false positive separating manifest from apis. …
cpholguera Jun 15, 2024
e17a638
minor corrections in android-data-unencrypted-shared-storage-no-user-…
cpholguera Jun 15, 2024
e7c2902
merge demo-4 into demo-1
cpholguera Jun 21, 2024
769257c
updated kotlin samples to include a password-like and API key-like st…
cpholguera Jun 21, 2024
709bfd4
Minor update to the risk mitigations paragraph.
cpholguera Jun 21, 2024
77ddf31
Updated tests titles and consolidated content. Additional content reg…
cpholguera Jun 21, 2024
247a928
Consolidated tests sections and linked to relevant techniques.
cpholguera Jun 21, 2024
858b4bd
Consolidated demos sections and titles. Added more details to the obs…
cpholguera Jun 21, 2024
81610ae
Remove SARIF support for now
cpholguera Jun 21, 2024
665171e
Merge branch 'master' of https://github.com/OWASP/owasp-mastg into pr…
cpholguera Jun 22, 2024
252ac64
Merge branch 'master' of https://github.com/OWASP/owasp-mastg into pr…
cpholguera Jun 23, 2024
7f4809c
fix paths to snippets
cpholguera Jun 23, 2024
dff1834
added one CWE and android risk maaping, some additional clarification…
cpholguera Jun 24, 2024
f68d567
Merge branch 'master' of https://github.com/OWASP/owasp-mastg into pr…
cpholguera Jun 24, 2024
d61e867
fix links to tools and tech
cpholguera Jun 24, 2024
99d0776
Merge branch 'master' of https://github.com/OWASP/owasp-mastg into pr…
cpholguera Jun 24, 2024
e373dcc
rename risk to weakness
cpholguera Jun 24, 2024
d44da95
move all to the weaknesses folder
cpholguera Jun 24, 2024
b8ad87d
Merge branch 'master' of https://github.com/OWASP/owasp-mastg into pr…
cpholguera Jun 24, 2024
b582669
Merge branch 'master' of https://github.com/OWASP/owasp-mastg into pr…
cpholguera Jun 24, 2024
edeee04
include link to frida and remove ref to run.sh from test
cpholguera Jun 24, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Consolidated demos sections and titles. Added more details to the obs… 
…ervation in android-data-unencrypted-shared-storage-no-user-interaction-dynamic-frida/demo-1/demo.md
  • Loading branch information
@cpholguera
cpholguera committed Jun 21, 2024
commit 858b4bdf24186138da2bf81f28591bbdec08b986
28 changes: 19 additions & 9 deletions ...unencrypted-shared-storage-no-user-interaction-dynamic-file-diff/demo-1/demo.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,32 +1,42 @@
---
platform: android
title: Listing files inside External Storage
title: File System Snapshots from External Storage
tools: [adb]
code: [kotlin]
---

### Sample

The snippet below shows sample code that creates a file in external storage.
The snippet below shows sample code that creates two files in the external storage using the `getExternalFilesDir` method and the `MediaStore` API.

{{ MastgTest.kt }}

### Steps

1. Install an app on your device
2. Execute `run_before.sh`
3. Open an app and exercise it to trigger file creations
4. Execute `run_after.sh`
5. Close the app once you finish testing
1. Install an app on your device.
2. Execute `run_before.sh`.
3. Open an app and exercise it to trigger file creations.
4. Execute `run_after.sh`.
5. Close the app once you finish testing.

{{ run.sh }}

### Observation

There is a list of all created files inside `output.txt`. Their content is inside the `./new_files/` directory.
There is a list of all created files inside `output.txt`.

{{ output.txt }}

Their content is inside the `./new_files/` directory and contains:

A password:

{{ secret.txt }}

And an API key:

{{ secretFile75.txt }}

### Evaluation

This test fails because the file contains a secretFile.txt.
This test fails because the files are not encrypted and contain sensitive data (a password and an API key). You can further confirm this by reverse engineering the app and inspecting the code.
27 changes: 20 additions & 7 deletions ...ata-unencrypted-shared-storage-no-user-interaction-dynamic-frida/demo-1/demo.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,30 +1,43 @@
---
platform: android
title: File Tracing with Frida
title: External Storage APIs Tracing with Frida
tools: [frida]
code: [kotlin]
---

### Sample

The snippet below shows sample code that creates a file in external storage.
The snippet below shows sample code that creates two files in the external storage using the `getExternalFilesDir` method and the `MediaStore` API.

{{ MastgTest.kt }}

### Steps

1. Update the Package ID of your app inside `run.sh`
2. Execute `run.sh` against the sample app to trace all usage of file IO.
3. Close the app once you finish testing
1. Ensure the app is running on the target device.
2. Execute `run.sh`.
3. Close the app once you finish testing.

The `run.sh` script will inject a Frida script called `script.js`.

{{ run.sh }}

The Frida script will hook and log calls to `open` and `android.content.ContentResolver.insert`.

{{ script.js }}

### Observation

There is only one file written to the external storage - `/storage/emulated/0/Android/data/org.owasp.mastestapp/files/secret.json`.
In the output you can see the paths and the relevant stack trace which helps to identify the actual APIs used to write to external storage and their respective callers.

{{ output.txt }}

There are two files written to the external storage:

- `/storage/emulated/0/Android/data/org.owasp.mastestapp/files/secret.txt` written using `java.io.FileOutputStream` from `org.owasp.mastestapp.MastgTest.mastgTestApi(MastgTest.kt:26)`
- `content:https://media/external/downloads/27` written using `android.content.ContentResolver.insert` from `org.owasp.mastestapp.MastgTest.mastgTestMediaStore(MastgTest.kt:44)`

Note that the calls via `ContentResolver.insert` do not write directly to the file system, but to the `MediaStore` content provider, and therefore we can't see the actual file path, instead we see the `content:https://` URI.

### Evaluation

This test fails since the file contains a password.
This test fails because the files are not encrypted and contain sensitive data (a password and an API key). You can further confirm this by reverse engineering the app and inspecting the code as well as retrieving the files from the device.
10 changes: 7 additions & 3 deletions ...droid-data-unencrypted-shared-storage-no-user-interaction-static/demo-1/demo.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,17 +1,21 @@
---
platform: android
title: Find common APIs that return paths to Public External Storage locations
title: App Writing to External Storage without Scoped Storage Restrictions
tools: [semgrep]
code: [kotlin, xml]
---

### Sample

The snippet below shows sample code that creates a file in external storage.
The snippet below shows sample code that creates a file in external storage without using scoped storage APIs. The `getExternalStorageDirectory` API returns a path to the root of the shared external storage (e.g. `/storage/emulated/0`).

{{ MastgTest.kt }}

{{ MastgTest_reversed.java }}

This requires special app access called ["All files access"](https://developer.android.com/preview/privacy/storage#all-files-access), so the following permission must be declared in the manifest file.
This requires special app access called ["All files access"](https://developer.android.com/preview/privacy/storage#all-files-access), so the `MANAGE_EXTERNAL_STORAGE` permission must be declared in the manifest file.

{{ AndroidManifest.xml }}

{{ AndroidManifest_reversed.xml }}

Expand Down
10 changes: 7 additions & 3 deletions ...droid-data-unencrypted-shared-storage-no-user-interaction-static/demo-2/demo.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,12 +1,16 @@
---
platform: android
title: Find common APIs that return paths to Scoped External Storage locations
title: App Writing to External Storage with Scoped Storage Restrictions
tools: [semgrep]
code: [kotlin]
---

### Sample

The snippet below shows sample code that creates a file in external storage using the `getExternalFilesDir` API which returns a path to the app's external files directory (e.g. `/storage/emulated/0/Android/data/org.owasp.mastestapp/files`) and does not require any permissions to access. Scoped storage applies since the app targets Android 12 (API level 31) which is higher than Android 10 (API level 29).

{{ MastgTest.kt }}

{{ MastgTest_reversed.java }}

### Steps
Expand All @@ -19,10 +23,10 @@ Let's run our semgrep rule against the reversed java code.

### Observation

The rule has identified one location in the code file where a path to scoped external storage is returned.
The rule has identified one location in the code file where an API, `getExternalFilesDir`, is used to write to external storage with scoped storage restrictions.

{{ output.txt }}

### Evaluation

Review the decompiled code at the location specified in the output (file and line number). This test fails because the file written by this instance contains sensitive data, specifically a password.
After reviewing the decompiled code at the location specified in the output (file and line number) we can conclude that the test fails because the file written by this instance contains sensitive data, specifically a password.
13 changes: 8 additions & 5 deletions ...droid-data-unencrypted-shared-storage-no-user-interaction-static/demo-3/demo.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,12 +1,16 @@
---
platform: android
title: Find MediaStore APIs that writes data to locations shared with other apps
title: App Writing to External Storage via the MediaStore API
tools: [semgrep]
code: [kotlin]
---

### Sample

The snippet below shows sample code that uses the `MediaStore` API to write a file to shared storage in a path like `/storage/emulated/0/Download/` which does not require any permissions to access and is shared with other apps.

{{ MastgTest.kt }}

{{ MastgTest_reversed.java }}

### Steps
Expand All @@ -23,9 +27,8 @@ The rule has identified 2 locations that indicate a use of MediaStore API.

{{ output.txt }}

### Evaluation
The first location is the import statement for the `MediaStore` API and the second location is where the `MediaStore` API is used to write to shared storage.

Review the reported instances and make sure to either:
### Evaluation

- confirm you intended to make this data public
- store this data in a more strict storage type
After reviewing the decompiled code at the locations specified in the output (file and line number) we can conclude that the test fails because the file written by this instance contains sensitive data, specifically a API key.