Update tests and examples

OWASP · cpholguera · Jul 3, 2024 · Mar 5, 2024 · May 6, 2024 · Mar 5, 2024
commit e0ba4e1655874936578d6e85fef6b9017a70d1fd
diff --git a/...encrypted-external/android-data-unencrypted-external-frida/example-1/example.md b/...encrypted-external/android-data-unencrypted-external-frida/example-1/example.md
@@ -1,30 +1,30 @@
 ---
 platform: android
 title: File Tracing
-tools: [frida-trace]
+tools: [frida]
 code: [kotlin]
 ---
 
 ### Sample
 
-The snippet below shows sample code that creates a file in external storage. You can put this code into your app and follow the steps to see a sample usage of `frida-trace` to identify a potential data leak.
+The snippet below shows sample code that creates a file in external storage. You can put this code into your app and follow the steps below to identify a potential data leak.
 
 {{ snippet.kt }}
 
 ### Steps
 
-Execute `frida-trace` against the sample app to trace all usage of file IO.
+1. Update the Package ID of your app inside `run.sh`
+2. Execute `run.sh` against the sample app to trace all usage of file IO.
+3. Close the app once you finish testing
 
 {{ run.sh }}
 
 ### Observation
 
-`frida-trace` has identified one file path in the external storage that the app opened.
+The script will output the findings into `output.txt`
 
 {{ output.txt }}
 
 ### Evaluation
 
-Review each of the reported instances by manually opening a file and inspecting its content.
-
-NOTE: If you want to test more file locations than only the file locations inside the external storage, remove `grep` from the script.
+Review each warning in the output file and make sure you intended to store this file in the external storage.
diff --git a/...ly/data-unencrypted-external/android-data-unencrypted-external-frida/example-1/output.txt b/...ly/data-unencrypted-external/android-data-unencrypted-external-frida/example-1/output.txt
@@ -1 +1,27 @@
-638 ms open(path="/storage/emulated/0/Android/data/com.example/files/secret.json", oflag=0x241)
+[WARNING] Opening a file from external storage at: /storage/emulated/0/Android/data/com.gs.owasp_storage_app1/files/secret.json
+Invoked from: java.lang.Exception
+ at libcore.io.Linux.open(Native Method)
+ at libcore.io.ForwardingOs.open(ForwardingOs.java:167)
+ at libcore.io.BlockGuardOs.open(BlockGuardOs.java:252)
+ at libcore.io.ForwardingOs.open(ForwardingOs.java:167)
+ at android.app.ActivityThread$AndroidOs.open(ActivityThread.java:7581)
+ at libcore.io.IoBridge.open(IoBridge.java:482)
+ at java.io.FileOutputStream.<init>(FileOutputStream.java:235)
+ at java.io.FileOutputStream.<init>(FileOutputStream.java:186)
+ at com.gs.owasp_storage_app1.MainActivity.runOwasp(MainActivity.kt:155)
+ at com.gs.owasp_storage_app1.MainActivity.onCreate$lambda$1(MainActivity.kt:36)
+ at com.gs.owasp_storage_app1.MainActivity.$r8$lambda$He9NTWO6dCDqltooAd5-9ovuSZ8(Unknown Source:0)
+ at com.gs.owasp_storage_app1.MainActivity$$ExternalSyntheticLambda1.onClick(Unknown Source:2)
+ at android.view.View.performClick(View.java:7201)
+ at com.google.android.material.button.MaterialButton.performClick(MaterialButton.java:1218)
+ at android.view.View.performClickInternal(View.java:7170)
+ at android.view.View.access$3500(View.java:806)
+ at android.view.View$PerformClick.run(View.java:27562)
+ at android.os.Handler.handleCallback(Handler.java:883)
+ at android.os.Handler.dispatchMessage(Handler.java:100)
+ at android.os.Looper.loop(Looper.java:214)
+ at android.app.ActivityThread.main(ActivityThread.java:7682)
+ at java.lang.reflect.Method.invoke(Native Method)
+ at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:516)
+ at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:950)
+
diff --git a/...curely/data-unencrypted-external/android-data-unencrypted-external-frida/example-1/run.sh b/...curely/data-unencrypted-external/android-data-unencrypted-external-frida/example-1/run.sh
@@ -1,13 +1,13 @@
 #!/bin/bash
 
-# SUMMARY: This script uses frida-trace to trace files that an app has opened since it spawned
+# SUMMARY: This script uses frida to trace files that an app has opened since it spawned
 # The script filters the output of frida-trace to print only the paths belonging to external
 # storage but the the predefined list of external storage paths might not be complete.
 # A sample output is shown in "output.txt". If the output is empty, it indicates that no external
 # storage is used.
 
-frida-trace \
+frida \
  -U \
- -f com.example \
- -i "open" \
- | grep -E "(/sdcard|/storage)"
+ -f com.gs.owasp_storage_app2 \
+ -l script.js \
+ -o output.txt
diff --git a/...ely/data-unencrypted-external/android-data-unencrypted-external-frida/example-1/script.js b/...ely/data-unencrypted-external/android-data-unencrypted-external-frida/example-1/script.js
@@ -0,0 +1,15 @@
+// Intercept libc`open to make sure we cover all Java's APIs
+Interceptor.attach(Module.getExportByName(null, 'open'), {
+ onEnter(args) {
+ const external_paths = ['/sdcard', '/storage/emulated']
+ const path = Memory.readCString(ptr(args[0]));
+ external_paths.forEach(external_path => {
+ if(path.indexOf(external_path) == 0){
+ console.log('[WARNING] Opening a file from external storage at:', path)
+ Java.performNow(function() {
+ console.log("Invoked from: "+Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()))
+ });
+ }
+ });
+ }
+});
diff --git a/...urely/data-unencrypted-external/android-data-unencrypted-external-frida/test.md b/...urely/data-unencrypted-external/android-data-unencrypted-external-frida/test.md
@@ -1,6 +1,6 @@
 ---
 platform: android
-title: Storing Data in External Locations
+title: Data Stored to External Locations on Runtime
 apis: [Environment#getExternalStorageDirectory, Environment#getExternalStorageDirectory, Environment#getExternalFilesDir, Environment#getExternalCacheDir, SharedPreferences, FileOutPutStream]
 type: [dynamic]
 ---

diff --git a/...crypted-external/android-data-unencrypted-external-static-manifest/example-1/output.sarif b/...crypted-external/android-data-unencrypted-external-static-manifest/example-1/output.sarif
diff --git a/...a-unencrypted-external/android-data-unencrypted-external-static-manifest/example-1/run.sh b/...a-unencrypted-external/android-data-unencrypted-external-static-manifest/example-1/run.sh
diff --git a/...ypted-external-static-manifest/rules/mastg-android-data-unencrypted-external-manifest.yml b/...ypted-external-static-manifest/rules/mastg-android-data-unencrypted-external-manifest.yml
diff --git a/...-unencrypted-external/android-data-unencrypted-external-static-manifest/test.md b/...-unencrypted-external/android-data-unencrypted-external-static-manifest/test.md
diff --git a/...ncrypted-external/android-data-unencrypted-external-static/example-1/example.md b/...ncrypted-external/android-data-unencrypted-external-static/example-1/example.md
@@ -2,7 +2,7 @@
 platform: android
 title: Find common APIs that return paths to External Storage locations
 tools: [semgrep]
-code: [java]
+code: [kotlin]
 ---
 
 ### Sample

diff --git a/...data-unencrypted-external/android-data-unencrypted-external-static/example-1/output.sarif b/...data-unencrypted-external/android-data-unencrypted-external-static/example-1/output.sarif
@@ -11,7 +11,7 @@
  "results": [
  {
  "fingerprints": {
- "matchBasedId/v1": "7fff0cca477ae1b0a93a5b8e265d8a7471c4144464dcbbd55d7256be707b55568882a55bbac36d334816deb905d562cb7f9c4cee168fb02f8ca6f31936c62fb7_0"
+ "matchBasedId/v1": "86181ae035702aa50a67f6c5fcae0e9cd18f97887aa9e1ffcb70225f86d21062067e3925de964b722f4593b60fd959f1b9b0778f189a7183e0609be44faea0c5_0"
  },
  "locations": [
  {
@@ -33,10 +33,10 @@
  }
  ],
  "message": {
- "text": "[MASVS-STORAGE] Make sure you encrypt files at these locations if necessary"
+ "text": "[MASVS-STORAGE] Make sure to encrypt files at these locations if necessary"
  },
  "properties": {},
- "ruleId": "rules.mastg-android-data-unencrypted-external"
+ "ruleId": "rules.mastg-android-data-unencrypted-external-api"
  }
  ],
  "tool": {
@@ -48,20 +48,62 @@
  "level": "warning"
  },
  "fullDescription": {
- "text": "[MASVS-STORAGE] Make sure you encrypt files at these locations if necessary"
+ "text": "[MASVS-STORAGE] Make sure to encrypt files in external storage if necessary"
  },
  "help": {
- "markdown": "[MASVS-STORAGE] Make sure you encrypt files at these locations if necessary",
- "text": "[MASVS-STORAGE] Make sure you encrypt files at these locations if necessary"
+ "markdown": "[MASVS-STORAGE] Make sure to encrypt files in external storage if necessary",
+ "text": "[MASVS-STORAGE] Make sure to encrypt files in external storage if necessary"
  },
- "id": "rules.mastg-android-data-unencrypted-external",
- "name": "rules.mastg-android-data-unencrypted-external",
+ "id": "rules.mastg-android-data-unencrypted-external-manifest",
+ "name": "rules.mastg-android-data-unencrypted-external-manifest",
  "properties": {
  "precision": "very-high",
  "tags": []
  },
  "shortDescription": {
- "text": "Semgrep Finding: rules.mastg-android-data-unencrypted-external"
+ "text": "Semgrep Finding: rules.mastg-android-data-unencrypted-external-manifest"
+ }
+ },
+ {
+ "defaultConfiguration": {
+ "level": "warning"
+ },
+ "fullDescription": {
+ "text": "[MASVS-STORAGE] Make sure to encrypt files at these locations if necessary"
+ },
+ "help": {
+ "markdown": "[MASVS-STORAGE] Make sure to encrypt files at these locations if necessary",
+ "text": "[MASVS-STORAGE] Make sure to encrypt files at these locations if necessary"
+ },
+ "id": "rules.mastg-android-data-unencrypted-external-api",
+ "name": "rules.mastg-android-data-unencrypted-external-api",
+ "properties": {
+ "precision": "very-high",
+ "tags": []
+ },
+ "shortDescription": {
+ "text": "Semgrep Finding: rules.mastg-android-data-unencrypted-external-api"
+ }
+ },
+ {
+ "defaultConfiguration": {
+ "level": "warning"
+ },
+ "fullDescription": {
+ "text": "[MASVS-STORAGE] Make sure to want this data to be shared with other apps"
+ },
+ "help": {
+ "markdown": "[MASVS-STORAGE] Make sure to want this data to be shared with other apps",
+ "text": "[MASVS-STORAGE] Make sure to want this data to be shared with other apps"
+ },
+ "id": "rules.mastg-android-data-unencrypted-external-mediastore",
+ "name": "rules.mastg-android-data-unencrypted-external-mediastore",
+ "properties": {
+ "precision": "very-high",
+ "tags": []
+ },
+ "shortDescription": {
+ "text": "Semgrep Finding: rules.mastg-android-data-unencrypted-external-mediastore"
  }
  }
  ],
@@ -71,4 +113,4 @@
  }
  ],
  "version": "2.1.0"
-}
+}
diff --git a/...y/data-unencrypted-external/android-data-unencrypted-external-static/example-1/output.txt b/...y/data-unencrypted-external/android-data-unencrypted-external-static/example-1/output.txt
@@ -1,9 +1,11 @@
+
+
 ┌────────────────┐
 │ 1 Code Finding │
 └────────────────┘
 
  use-of-external-store.kt
- rules.mastg-android-data-unencrypted-external 0m
- [MASVS-STORAGE] Make sure you encrypt files at these locations if necessary
-  
+ ❯❱ [1mrules.mastg-android-data-unencrypted-external-api[0m
+ [MASVS-STORAGE] Make sure to encrypt files at these locations if necessary
+
  26┆ val externalDirPath = getExternalStoragePublicDirectory(Environment.DIRECTORY_DOWNLOADS)
diff --git a/...urely/data-unencrypted-external/android-data-unencrypted-external-static/example-1/run.sh b/...urely/data-unencrypted-external/android-data-unencrypted-external-static/example-1/run.sh
diff --git a/...ic-manifest/example-1/AndroidManifest.xml → ...rnal-static/example-2/AndroidManifest.xml b/...ic-manifest/example-1/AndroidManifest.xml → ...rnal-static/example-2/AndroidManifest.xml
diff --git a/...rnal-static-manifest/example-1/example.md → ...pted-external-static/example-2/example.md b/...rnal-static-manifest/example-1/example.md → ...pted-external-static/example-2/example.md
@@ -1,8 +1,8 @@
 ---
 platform: android
-title: Common APIs to return paths to External Storage
+title: Find permissions that allows an app to write to locations shared with other apps
 tools: [semgrep]
-code: [java]
+code: [kotlin]
 ---
 
 ### Sample