[MASWE-0007] Sensitive Data Stored Unencrypted in Shared Storage Requiring No User Interaction #2594

Merged: 39 commits, Jul 3, 2024

Commits:
0bc19a7  Add Risk and Tests for: Sensitive Data Stored Unencrypted in External…  (serek8, Mar 5, 2024)
af50568  Update risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unenc…  (serek8, May 6, 2024)
dc5a465  Fix spellings  (serek8, Mar 5, 2024)
e0ba4e1  Update tests and examples  (serek8, May 7, 2024)
7d23021  Update the title of a static test  (serek8, May 7, 2024)
d2df0de  Update examples and fix spellings  (serek8, May 7, 2024)
cc126f0  Added rules from Olivier  (serek8, May 7, 2024)
3cb96d2  Apply suggestions from code review  (serek8, Jun 3, 2024)
dfb01ff  Rename Sample to Demo  (serek8, Jun 3, 2024)
badad99  Update demo-2 with a reversed manifest file  (serek8, Jun 3, 2024)
5e5c8dc  Mention iOS in Risks  (serek8, Jun 4, 2024)
ac00a36  Update Demos with the MASTestApp  (serek8, Jun 4, 2024)
44b625b  Update demo-1  (serek8, Jun 4, 2024)
bdcea87  Add a new demo and refactor existing demos  (serek8, Jun 5, 2024)
1d0dbb6  Add a demo with listing all files  (serek8, Jun 5, 2024)
9ad1169  Fix the spelling errors  (serek8, Jun 5, 2024)
e8fab33  fix md lint issues  (cpholguera, Jun 7, 2024)
e8093a9  fix md lint issues  (cpholguera, Jun 7, 2024)
d79b2d8  update rules to remove false positive separating manifest from apis. …  (cpholguera, Jun 15, 2024)
e17a638  minor corrections in android-data-unencrypted-shared-storage-no-user-…  (cpholguera, Jun 15, 2024)
e7c2902  merge demo-4 into demo-1  (cpholguera, Jun 21, 2024)
769257c  updated kotlin samples to include a password-like and API key-like st…  (cpholguera, Jun 21, 2024)
709bfd4  Minor update to the risk mitigations paragraph.  (cpholguera, Jun 21, 2024)
77ddf31  Updated tests titles and consolidated content. Additional content reg…  (cpholguera, Jun 21, 2024)
247a928  Consolidated tests sections and linked to relevant techniques.  (cpholguera, Jun 21, 2024)
858b4bd  Consolidated demos sections and titles. Added more details to the obs…  (cpholguera, Jun 21, 2024)
81610ae  Remove SARIF support for now  (cpholguera, Jun 21, 2024)
665171e  Merge branch 'master' of https://github.com/OWASP/owasp-mastg into pr…  (cpholguera, Jun 22, 2024)
252ac64  Merge branch 'master' of https://github.com/OWASP/owasp-mastg into pr…  (cpholguera, Jun 23, 2024)
7f4809c  fix paths to snippets  (cpholguera, Jun 23, 2024)
dff1834  added one CWE and android risk mapping, some additional clarification…  (cpholguera, Jun 24, 2024)
f68d567  Merge branch 'master' of https://github.com/OWASP/owasp-mastg into pr…  (cpholguera, Jun 24, 2024)
d61e867  fix links to tools and tech  (cpholguera, Jun 24, 2024)
99d0776  Merge branch 'master' of https://github.com/OWASP/owasp-mastg into pr…  (cpholguera, Jun 24, 2024)
e373dcc  rename risk to weakness  (cpholguera, Jun 24, 2024)
d44da95  move all to the weaknesses folder  (cpholguera, Jun 24, 2024)
b8ad87d  Merge branch 'master' of https://github.com/OWASP/owasp-mastg into pr…  (cpholguera, Jun 24, 2024)
b582669  Merge branch 'master' of https://github.com/OWASP/owasp-mastg into pr…  (cpholguera, Jun 24, 2024)
edeee04  include link to frida and remove ref to run.sh from test  (cpholguera, Jun 24, 2024)
Commit d79b2d84110c892f86a8351d3e03b9ba26393c4f (cpholguera committed Jun 15, 2024):

update rules to remove false positive separating manifest from apis. …
…re-run with NO_COLOR to avoid bad characters
@@ -13,7 +13,7 @@ code: [kotlin]

Let's run our semgrep rule against the reversed java code.

{{ ../rules/mastg-android-data-unencrypted-shared-storage-no-user-interaction.yml }}
{{ ../rules/mastg-android-data-unencrypted-shared-storage-no-user-interaction-apis.yml }}

{{ run.sh }}

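Review bot: the sentence still says "our semgrep rule", singular, but the included -apis.yml file carries several rules (the SARIF rules arrays in this commit list the external-api-public, external-api-scoped and mediastore ids), and the manifest rule that the commit message splits out is no longer run in this demo at all. Say so here, e.g. "Let's run the API rules against the reversed Java code; the AndroidManifest.xml check is a separate rule and is not exercised in this demo.", otherwise a reader working from the weakness page will expect a manifest finding that never appears in the output.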
@@ -37,62 +37,12 @@
},
"properties": {},
"ruleId": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-external-api-public"
},
{
"fingerprints": {
"matchBasedId/v1": "01f2f74dc636d3094cd1abf9dbe8ebc57a4cd0a35a2cd5c851659dcd3c0693019211e4dcf3d8803b1a9a99dcf44401fdc9a739b10960c965f0262d2495ba5b1f_0"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "MastgTest_reversed.java",
"uriBaseId": "%SRCROOT%"
},
"region": {
"endColumn": 100,
"endLine": 43,
"snippet": {
"text": " return \"Error writing file to external storage. Do you have the MANAGE_EXTERNAL_STORAGE permission in the manifest and it's granted?\";"
},
"startColumn": 77,
"startLine": 43
}
}
}
],
"message": {
"text": "[MASVS-STORAGE] Make sure to encrypt files in external storage if necessary"
},
"properties": {},
"ruleId": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-manifest"
}
],
"tool": {
"driver": {
"name": "Semgrep OSS",
"rules": [
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "[MASVS-STORAGE] These locations might be accessible to other apps on Android 10 and below given relevant permissions"
},
"help": {
"markdown": "[MASVS-STORAGE] These locations might be accessible to other apps on Android 10 and below given relevant permissions",
"text": "[MASVS-STORAGE] These locations might be accessible to other apps on Android 10 and below given relevant permissions"
},
"id": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-external-api-scoped",
"name": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-external-api-scoped",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-external-api-scoped"
}
},
{
"defaultConfiguration": {
"level": "warning"
@@ -119,45 +69,45 @@
"level": "warning"
},
"fullDescription": {
"text": "[MASVS-STORAGE] Make sure to want this data to be shared with other apps"
"text": "[MASVS-STORAGE] These locations might be accessible to other apps on Android 10 and below given relevant permissions"
},
"help": {
"markdown": "[MASVS-STORAGE] Make sure to want this data to be shared with other apps",
"text": "[MASVS-STORAGE] Make sure to want this data to be shared with other apps"
"markdown": "[MASVS-STORAGE] These locations might be accessible to other apps on Android 10 and below given relevant permissions",
"text": "[MASVS-STORAGE] These locations might be accessible to other apps on Android 10 and below given relevant permissions"
},
"id": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-mediastore",
"name": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-mediastore",
"id": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-external-api-scoped",
"name": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-external-api-scoped",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-mediastore"
"text": "Semgrep Finding: rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-external-api-scoped"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "[MASVS-STORAGE] Make sure to encrypt files in external storage if necessary"
"text": "[MASVS-STORAGE] Make sure to want this data to be shared with other apps"
},
"help": {
"markdown": "[MASVS-STORAGE] Make sure to encrypt files in external storage if necessary",
"text": "[MASVS-STORAGE] Make sure to encrypt files in external storage if necessary"
"markdown": "[MASVS-STORAGE] Make sure to want this data to be shared with other apps",
"text": "[MASVS-STORAGE] Make sure to want this data to be shared with other apps"
},
"id": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-manifest",
"name": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-manifest",
"id": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-mediastore",
"name": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-mediastore",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-manifest"
"text": "Semgrep Finding: rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-mediastore"
}
}
],
"semanticVersion": "1.63.0"
"semanticVersion": "1.56.0"
}
}
}
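Review bot: `semanticVersion` goes from 1.63.0 back to 1.56.0, so this output was regenerated with an older Semgrep than the previous commit used; pin one release for generating demo outputs and record it in the demo, otherwise every contributor's re-run rewrites these files. Everything else in this hunk is the rules array being re-emitted in a different order (mediastore moves down, external-api-scoped moves up); the only substantive change is that the manifest rule definition is gone.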
@@ -1,17 +1,11 @@
┌────────────────
2 Code Findings
└────────────────

MastgTest_reversed.java
❯❱ rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-external-api-public
[MASVS-STORAGE] Make sure to encrypt files at these locations if necessary



┌────────────────┐
1 Code Finding
└────────────────┘
MastgTest_reversed.java
rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-external-api-public
[MASVS-STORAGE] Make sure to encrypt files at these locations if necessary
27┆ File externalStorageDir = Environment.getExternalStorageDirectory();

❯❱ rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-manifest
[MASVS-STORAGE] Make sure to encrypt files in external storage if necessary

43┆ return "Error writing file to external storage. Do you have the MANAGE_EXTERNAL_STORAGE
permission in the manifest and it's granted?";
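Review bot: the NO_COLOR re-run fixed the truncated box characters ("┌────────────────" now has its closing "┐") and the line 43 manifest match is gone, leaving the one expected finding on `Environment.getExternalStorageDirectory()` at line 27. Worth tightening in the rule rather than in this file: its message "Make sure to encrypt files at these locations if necessary" does not say why, unlike the scoped-storage message that explains other apps may read the location; stating that this directory is shared with every app holding the external storage permission would make the finding actionable on its own.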
@@ -1,2 +1,2 @@
NO_COLOR=true semgrep -c ../rules/mastg-android-data-unencrypted-shared-storage-no-user-interaction.yml ./MastgTest_reversed.java --text -o output.txt
NO_COLOR=true semgrep -c ../rules/mastg-android-data-unencrypted-shared-storage-no-user-interaction.yml ./MastgTest_reversed.java --sarif -o output.sarif
NO_COLOR=true semgrep -c ../rules/mastg-android-data-unencrypted-shared-storage-no-user-interaction-apis.yml ./MastgTest_reversed.java --text -o output.txt
NO_COLOR=true semgrep -c ../rules/mastg-android-data-unencrypted-shared-storage-no-user-interaction-apis.yml ./MastgTest_reversed.java --sarif -o output.sarif
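Review bot: both commands use paths relative to the demo directory (`../rules/...`, `./MastgTest_reversed.java`), so the script only works when invoked from that directory; add `cd "$(dirname "$0")"` as the first line, or document the expected working directory, so it also runs from the repository root. `NO_COLOR=true` only matters for the `--text` run; it is harmless on the `--sarif` run but can be dropped there. The same file is scanned twice to get both formats, which is fine for a demo but deserves a one-line comment so nobody "fixes" it by deleting one invocation.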
@@ -13,7 +13,7 @@ code: [kotlin]

Let's run our semgrep rule against the reversed java code.

{{ ../rules/mastg-android-data-unencrypted-shared-storage-no-user-interaction.yml }}
{{ ../rules/mastg-android-data-unencrypted-shared-storage-no-user-interaction-apis.yml }}

{{ run.sh }}

@@ -43,27 +43,6 @@
"driver": {
"name": "Semgrep OSS",
"rules": [
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "[MASVS-STORAGE] Make sure to want this data to be shared with other apps"
},
"help": {
"markdown": "[MASVS-STORAGE] Make sure to want this data to be shared with other apps",
"text": "[MASVS-STORAGE] Make sure to want this data to be shared with other apps"
},
"id": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-mediastore",
"name": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-mediastore",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-mediastore"
}
},
{
"defaultConfiguration": {
"level": "warning"
@@ -111,24 +90,24 @@
"level": "warning"
},
"fullDescription": {
"text": "[MASVS-STORAGE] Make sure to encrypt files in external storage if necessary"
"text": "[MASVS-STORAGE] Make sure to want this data to be shared with other apps"
},
"help": {
"markdown": "[MASVS-STORAGE] Make sure to encrypt files in external storage if necessary",
"text": "[MASVS-STORAGE] Make sure to encrypt files in external storage if necessary"
"markdown": "[MASVS-STORAGE] Make sure to want this data to be shared with other apps",
"text": "[MASVS-STORAGE] Make sure to want this data to be shared with other apps"
},
"id": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-manifest",
"name": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-manifest",
"id": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-mediastore",
"name": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-mediastore",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-manifest"
"text": "Semgrep Finding: rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-mediastore"
}
}
],
"semanticVersion": "1.63.0"
"semanticVersion": "1.56.0"
}
}
}
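Review bot: the same `semanticVersion` downgrade to 1.56.0 as in the earlier SARIF hunk of this commit; generate all demo outputs with one pinned Semgrep release so the version line stops churning between commits.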
@@ -3,10 +3,10 @@
┌────────────────┐
│ 1 Code Finding │
└────────────────┘

MastgTest_reversed.java
❯❱ rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-external-api-scoped
[MASVS-STORAGE] These locations might be accessible to other apps on Android 10 and below given
relevant permissions
MastgTest_reversed.java
rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-external-api-scoped
[MASVS-STORAGE] These locations might be accessible to other apps on Android 10 and below
given relevant permissions

25┆ File externalStorageDir = this.context.getExternalFilesDir(null);
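Review bot: the only change here is the message re-wrapping ("...Android 10 and below" / "given relevant permissions" versus the previous split), which comes from terminal width rather than content; regenerating text outputs at a fixed width would avoid this churn. The finding itself, `getExternalFilesDir(null)` at line 25, is the app-specific external directory; the rule message could be more precise that on Android 10 it is readable only by apps still on legacy external storage, while on Android 9 and below any app holding READ_EXTERNAL_STORAGE can read it.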
@@ -1,2 +1,2 @@
NO_COLOR=true semgrep -c ../rules/mastg-android-data-unencrypted-shared-storage-no-user-interaction.yml ./MastgTest_reversed.java --text -o output.txt
NO_COLOR=true semgrep -c ../rules/mastg-android-data-unencrypted-shared-storage-no-user-interaction.yml ./MastgTest_reversed.java --sarif -o output.sarif
NO_COLOR=true semgrep -c ../rules/mastg-android-data-unencrypted-shared-storage-no-user-interaction-apis.yml ./MastgTest_reversed.java --text -o output.txt
NO_COLOR=true semgrep -c ../rules/mastg-android-data-unencrypted-shared-storage-no-user-interaction-apis.yml ./MastgTest_reversed.java --sarif -o output.sarif
@@ -13,7 +13,7 @@ code: [kotlin]

Let's run our semgrep rule against the sample code.

{{ ../rules/mastg-android-data-unencrypted-shared-storage-no-user-interaction.yml }}
{{ ../rules/mastg-android-data-unencrypted-shared-storage-no-user-interaction-apis.yml }}

{{ run.sh }}

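Review bot: this demo text says "sample code" while the sibling demos in this commit say "reversed java code"; given the earlier "Rename Sample to Demo" commit in this PR, use one phrase across the three files and capitalise "Java". If this demo really scans the Kotlin source rather than the reversed Java, say that explicitly, since the reader cannot tell from the sentence which input the included run.sh targets.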
@@ -77,66 +77,66 @@
"level": "warning"
},
"fullDescription": {
"text": "[MASVS-STORAGE] Make sure to want this data to be shared with other apps"
"text": "[MASVS-STORAGE] Make sure to encrypt files at these locations if necessary"
},
"help": {
"markdown": "[MASVS-STORAGE] Make sure to want this data to be shared with other apps",
"text": "[MASVS-STORAGE] Make sure to want this data to be shared with other apps"
"markdown": "[MASVS-STORAGE] Make sure to encrypt files at these locations if necessary",
"text": "[MASVS-STORAGE] Make sure to encrypt files at these locations if necessary"
},
"id": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-mediastore",
"name": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-mediastore",
"id": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-external-api-public",
"name": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-external-api-public",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-mediastore"
"text": "Semgrep Finding: rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-external-api-public"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "[MASVS-STORAGE] Make sure to encrypt files in external storage if necessary"
"text": "[MASVS-STORAGE] These locations might be accessible to other apps on Android 10 and below given relevant permissions"
},
"help": {
"markdown": "[MASVS-STORAGE] Make sure to encrypt files in external storage if necessary",
"text": "[MASVS-STORAGE] Make sure to encrypt files in external storage if necessary"
"markdown": "[MASVS-STORAGE] These locations might be accessible to other apps on Android 10 and below given relevant permissions",
"text": "[MASVS-STORAGE] These locations might be accessible to other apps on Android 10 and below given relevant permissions"
},
"id": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-manifest",
"name": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-manifest",
"id": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-external-api-scoped",
"name": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-external-api-scoped",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-manifest"
"text": "Semgrep Finding: rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-external-api-scoped"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "[MASVS-STORAGE] Make sure to encrypt files at these locations if necessary"
"text": "[MASVS-STORAGE] Make sure to want this data to be shared with other apps"
},
"help": {
"markdown": "[MASVS-STORAGE] Make sure to encrypt files at these locations if necessary",
"text": "[MASVS-STORAGE] Make sure to encrypt files at these locations if necessary"
"markdown": "[MASVS-STORAGE] Make sure to want this data to be shared with other apps",
"text": "[MASVS-STORAGE] Make sure to want this data to be shared with other apps"
},
"id": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-external-api",
"name": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-external-api",
"id": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-mediastore",
"name": "rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-mediastore",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Semgrep Finding: rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-external-api"
"text": "Semgrep Finding: rules.mastg-android-data-unencrypted-shared-storage-no-user-interaction-mediastore"
}
}
],
"semanticVersion": "1.63.0"
"semanticVersion": "1.56.0"
}
}
}
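Review bot: the rule id `...-external-api` is replaced by the pair `...-external-api-public` and `...-external-api-scoped`, and `...-manifest` disappears, with the mediastore entry merely moving to the end; any page that links these rules by id (the weakness and test pages touched elsewhere in this PR) needs the new ids, and the old `-external-api` id should be kept out of the docs so links do not point at a rule that no longer exists. The version line drops to 1.56.0 here as well.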