[MASWE-0007] Sensitive Data Stored Unencrypted in Shared Storage Requiring No User Interaction

risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-external/android-data-unencrypted-external-frida/example-1/example.md

@@ -0,0 +1,30 @@
+---
+platform: android
+title: File Tracing
+tools: [frida]
+code: [kotlin]
+---
+
+### Sample
+
+The snippet below shows sample code that creates a file in external storage. You can put this code into your app and follow the steps below to identify a potential data leak.
+
+{{ snippet.kt }}
+
+### Steps
+
+1. Update the Package ID of your app inside `run.sh`
+2. Execute `run.sh` against the sample app to trace all usage of file IO.
+3. Close the app once you finish testing
+
+{{ run.sh }}
+
+### Observation
+
+There is only one file written to the external storage - `/storage/emulated/0/Android/data/com.gs.owasp_storage_app1/files/secret.json`. Make sure you don't store unencrypted data there unintentionally.
+
+{{ output.txt }}
+
+### Evaluation
+
+Review each warning in the output file and make sure you intended to store this file in the external storage.

risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-external/android-data-unencrypted-external-frida/example-1/output.txt

@@ -0,0 +1,27 @@
+[WARNING] Opening a file from external storage at: /storage/emulated/0/Android/data/com.gs.owasp_storage_app1/files/secret.json
+Invoked from: java.lang.Exception
+ at libcore.io.Linux.open(Native Method)
+ at libcore.io.ForwardingOs.open(ForwardingOs.java:167)
+ at libcore.io.BlockGuardOs.open(BlockGuardOs.java:252)
+ at libcore.io.ForwardingOs.open(ForwardingOs.java:167)
+ at android.app.ActivityThread$AndroidOs.open(ActivityThread.java:7581)
+ at libcore.io.IoBridge.open(IoBridge.java:482)
+ at java.io.FileOutputStream.<init>(FileOutputStream.java:235)
+ at java.io.FileOutputStream.<init>(FileOutputStream.java:186)
+ at com.gs.owasp_storage_app1.MainActivity.runOwasp(MainActivity.kt:155)
+ at com.gs.owasp_storage_app1.MainActivity.onCreate$lambda$1(MainActivity.kt:36)
+ at com.gs.owasp_storage_app1.MainActivity.$r8$lambda$He9NTWO6dCDqltooAd5-9ovuSZ8(Unknown Source:0)
+ at com.gs.owasp_storage_app1.MainActivity$$ExternalSyntheticLambda1.onClick(Unknown Source:2)
+ at android.view.View.performClick(View.java:7201)
+ at com.google.android.material.button.MaterialButton.performClick(MaterialButton.java:1218)
+ at android.view.View.performClickInternal(View.java:7170)
+ at android.view.View.access$3500(View.java:806)
+ at android.view.View$PerformClick.run(View.java:27562)
+ at android.os.Handler.handleCallback(Handler.java:883)
+ at android.os.Handler.dispatchMessage(Handler.java:100)
+ at android.os.Looper.loop(Looper.java:214)
+ at android.app.ActivityThread.main(ActivityThread.java:7682)
+ at java.lang.reflect.Method.invoke(Native Method)
+ at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:516)
+ at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:950)
+

risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-external/android-data-unencrypted-external-frida/example-1/run.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# SUMMARY: This script uses frida to trace files that an app has opened since it spawned
+# The script filters the output of frida-trace to print only the paths belonging to external
+# storage but the the predefined list of external storage paths might not be complete.
+# A sample output is shown in "output.txt". If the output is empty, it indicates that no external
+# storage is used.
+
+frida \
+ -U \
+ -f com.gs.owasp_storage_app2 \
+ -l script.js \
+ -o output.txt

risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-external/android-data-unencrypted-external-frida/example-1/script.js

@@ -0,0 +1,15 @@
+// Intercept libc`open to make sure we cover all Java's APIs
+Interceptor.attach(Module.getExportByName(null, 'open'), {
+ onEnter(args) {
+ const external_paths = ['/sdcard', '/storage/emulated']
+ const path = Memory.readCString(ptr(args[0]));
+ external_paths.forEach(external_path => {
+ if(path.indexOf(external_path) == 0){
+ console.log('[WARNING] Opening a file from external storage at:', path)
+ Java.performNow(function() {
+ console.log("Invoked from: "+Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()))
+ });
+ }
+ });
+ }
+});

risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-external/android-data-unencrypted-external-frida/example-1/snippet.kt

@@ -0,0 +1,7 @@
+// On lower Android versions, you might need to add `WRITE_EXTERNAL_STORAGE` permission to the manifest to write to an external app-specific directory.
+
+val externalDirPath = getExternalFilesDir(null)!!.absolutePath
+val file: File = File("$externalDirPath/secret.json")
+FileOutputStream(file).use { fos ->
+ fos.write("password:123".toByteArray())
+}

risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-external/android-data-unencrypted-external-frida/test.md

@@ -0,0 +1,39 @@
+---
+platform: android
+title: Data Stored to External Locations on Runtime
+apis: [Environment#getExternalStorageDirectory, Environment#getExternalStorageDirectory, Environment#getExternalFilesDir, Environment#getExternalCacheDir, SharedPreferences, FileOutPutStream]
+type: [dynamic]
+---
+
+## Overview
+
+Android apps use a variety of APIs to obtain a file path and store a file. Collecting a comprehensive list of these APIs can be challenging, especially if an app uses a third-party framework, loads code at runtime, or includes native code. The most effective approach to testing applications that write to device storage is usually dynamic analysis, and specifically method tracing.
+
+## Steps
+
+1. Make sure you have Frida installed
+
+2. Install the app.
+
+3. Execute a `run.sh` to spawn an app with Frida and log all interactions with files.
+
+4. Navigate to the screen of the mobile app that you want to analyse. 
+
+5. Close the app to stop `frida`
+
+
+## Observation
+
+The **method trace output** contains a list of file locations that your app interacts with. You may need to use [adb shell](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0002/) to inspect these files manually.
+
+## Evaluation
+
+The test case fails if the files found above are not encrypted and leak sensitive data.
+
+For example, the following output shows sample files that should be manually inspected.
+
+```shell
+/storage/emulated/0/Android/data/com.example/keys.json
+/storage/emulated/0/Android/data/com.example/files/config.xml
+/sdcard/secret.txt"
+```

risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-external/android-data-unencrypted-external-static/example-1/example.md

@@ -0,0 +1,32 @@
+---
+platform: android
+title: Find common APIs that return paths to External Storage locations
+tools: [semgrep]
+code: [kotlin]
+---
+
+### Sample
+
+{{ use-of-external-store.kt }}
+
+### Steps
+
+Let's run our semgrep rule against the sample code.
+
+{{ ../rules/mastg-android-data-unencrypted-external.yml }}
+
+{{ run.sh }}
+
+### Observation
+
+The rule has identified 1 location in the code file where a path to external storage is retuened. Make sure you don't store unencrypted data there unintentionally.
+
+{{ output.txt }}
+
+### Evaluation
+
+Review each of the reported instances. In this case, it's only one instance. Line 9 shows the occurrence of API that returns external storage location. Make sure to either:
+- encrypt this file if necessary
+- move the file to the internal storage
+- keep the file in the same location if intended and secure
+

risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-external/android-data-unencrypted-external-static/example-1/output.sarif

@@ -0,0 +1,116 @@
+{
+ "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json",
+ "runs": [
+ {
+ "invocations": [
+ {
+ "executionSuccessful": true,
+ "toolExecutionNotifications": []
+ }
+ ],
+ "results": [
+ {
+ "fingerprints": {
+ "matchBasedId/v1": "86181ae035702aa50a67f6c5fcae0e9cd18f97887aa9e1ffcb70225f86d21062067e3925de964b722f4593b60fd959f1b9b0778f189a7183e0609be44faea0c5_0"
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "use-of-external-store.kt",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "endColumn": 101,
+ "endLine": 26,
+ "snippet": {
+ "text": " val externalDirPath = getExternalStoragePublicDirectory(Environment.DIRECTORY_DOWNLOADS)"
+ },
+ "startColumn": 35,
+ "startLine": 26
+ }
+ }
+ }
+ ],
+ "message": {
+ "text": "[MASVS-STORAGE] Make sure to encrypt files at these locations if necessary"
+ },
+ "properties": {},
+ "ruleId": "rules.mastg-android-data-unencrypted-external-api"
+ }
+ ],
+ "tool": {
+ "driver": {
+ "name": "Semgrep OSS",
+ "rules": [
+ {
+ "defaultConfiguration": {
+ "level": "warning"
+ },
+ "fullDescription": {
+ "text": "[MASVS-STORAGE] Make sure to encrypt files in external storage if necessary"
+ },
+ "help": {
+ "markdown": "[MASVS-STORAGE] Make sure to encrypt files in external storage if necessary",
+ "text": "[MASVS-STORAGE] Make sure to encrypt files in external storage if necessary"
+ },
+ "id": "rules.mastg-android-data-unencrypted-external-manifest",
+ "name": "rules.mastg-android-data-unencrypted-external-manifest",
+ "properties": {
+ "precision": "very-high",
+ "tags": []
+ },
+ "shortDescription": {
+ "text": "Semgrep Finding: rules.mastg-android-data-unencrypted-external-manifest"
+ }
+ },
+ {
+ "defaultConfiguration": {
+ "level": "warning"
+ },
+ "fullDescription": {
+ "text": "[MASVS-STORAGE] Make sure to encrypt files at these locations if necessary"
+ },
+ "help": {
+ "markdown": "[MASVS-STORAGE] Make sure to encrypt files at these locations if necessary",
+ "text": "[MASVS-STORAGE] Make sure to encrypt files at these locations if necessary"
+ },
+ "id": "rules.mastg-android-data-unencrypted-external-api",
+ "name": "rules.mastg-android-data-unencrypted-external-api",
+ "properties": {
+ "precision": "very-high",
+ "tags": []
+ },
+ "shortDescription": {
+ "text": "Semgrep Finding: rules.mastg-android-data-unencrypted-external-api"
+ }
+ },
+ {
+ "defaultConfiguration": {
+ "level": "warning"
+ },
+ "fullDescription": {
+ "text": "[MASVS-STORAGE] Make sure to want this data to be shared with other apps"
+ },
+ "help": {
+ "markdown": "[MASVS-STORAGE] Make sure to want this data to be shared with other apps",
+ "text": "[MASVS-STORAGE] Make sure to want this data to be shared with other apps"
+ },
+ "id": "rules.mastg-android-data-unencrypted-external-mediastore",
+ "name": "rules.mastg-android-data-unencrypted-external-mediastore",
+ "properties": {
+ "precision": "very-high",
+ "tags": []
+ },
+ "shortDescription": {
+ "text": "Semgrep Finding: rules.mastg-android-data-unencrypted-external-mediastore"
+ }
+ }
+ ],
+ "semanticVersion": "1.63.0"
+ }
+ }
+ }
+ ],
+ "version": "2.1.0"
+}

risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-external/android-data-unencrypted-external-static/example-1/output.txt

@@ -0,0 +1,11 @@
+
+
+┌────────────────┐
+│ 1 Code Finding │
+└────────────────┘
+
+ use-of-external-store.kt
+ ❯❱ rules.mastg-android-data-unencrypted-external-api
+ [MASVS-STORAGE] Make sure to encrypt files at these locations if necessary
+
+ 26┆ val externalDirPath = getExternalStoragePublicDirectory(Environment.DIRECTORY_DOWNLOADS)

risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-external/android-data-unencrypted-external-static/example-1/run.sh

@@ -0,0 +1,2 @@
+NO_COLOR=true semgrep -c ../rules/mastg-android-data-unencrypted-external.yml ./use-of-external-store.kt --text -o output.txt
+NO_COLOR=true semgrep -c ../rules/mastg-android-data-unencrypted-external.yml ./use-of-external-store.kt --sarif -o output.sarif

risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-external/android-data-unencrypted-external-static/example-1/use-of-external-store.kt

@@ -0,0 +1,35 @@
+package com.example
+
+import android.content.Intent
+import android.os.Bundle
+import android.os.Environment
+import android.os.Environment.getDownloadCacheDirectory
+import android.os.Environment.getExternalStorageDirectory
+import android.os.Environment.getExternalStoragePublicDirectory
+import android.view.View
+import android.widget.Button
+import androidx.appcompat.app.AppCompatActivity
+import java.io.File
+import java.io.FileOutputStream
+import java.io.IOException
+
+class MainActivity : AppCompatActivity() {
+ override fun onCreate(savedInstanceState: Bundle?) {
+ super.onCreate(savedInstanceState)
+
+ setContentView(R.layout.activity_main)
+ saveDatabase()
+ }
+
+ fun saveDatabase(){
+ try {
+ val externalDirPath = getExternalStoragePublicDirectory(Environment.DIRECTORY_DOWNLOADS)
+ val file: File = File("$externalDirPath/download.json")
+ FileOutputStream(file).use { fos ->
+ fos.write("password:12345".toByteArray())
+ }
+ } catch (e: IOException) {
+ e.printStackTrace()
+ }
+ }
+}

risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-external/android-data-unencrypted-external-static/example-2/AndroidManifest.xml

@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http:https://schemas.android.com/apk/res/android"
+ xmlns:tools="http:https://schemas.android.com/tools">
+
+ <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
+ <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
+
+ <application
+ android:allowBackup="true"
+ android:dataExtractionRules="@xml/data_extraction_rules"
+ android:fullBackupContent="@xml/backup_rules"
+ android:icon="@mipmap/ic_launcher"
+ android:label="@string/app_name"
+ android:roundIcon="@mipmap/ic_launcher_round"
+ android:supportsRtl="true"
+ android:theme="@style/Theme.MyKotlin"
+ tools:targetApi="31">
+ <activity
+ android:name=".MainActivity"
+ android:exported="true">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+ </application>
+
+</manifest>

risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-external/android-data-unencrypted-external-static/example-2/example.md

@@ -0,0 +1,29 @@
+---
+platform: android
+title: Find permissions that allows an app to write to locations shared with other apps
+tools: [semgrep]
+code: [kotlin]
+---
+
+### Sample
+
+{{ use-of-external-store.kt }}
+
+### Steps
+
+Let's run our semgrep rule against the sample manifest file.
+
+{{ ../rules/mastg-android-data-unencrypted-external-manifest.yml }}
+
+{{ run.sh }}
+
+### Observation
+
+The rule has identified that the manifest file declares `WRITE_EXTERNAL_STORAGE` permission at line 9.
+
+{{ output.txt }}
+
+### Evaluation
+
+Review your code to make sure you don't store sensitive unencrypted data in the external storage unintentionally.
+