Add MASTG-TEST-0264, MASTG-TEST-0265, MASTG-DEMO-0038, MASTG-DEMO-0039 #3246
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cpholguera
changed the title
There was a problem hiding this comment.
Copilot reviewed 7 out of 11 changed files in this pull request and generated 1 comment.
Files not reviewed (4)
- demos/android/MASVS-RESILIENCE/MASTG-DEMO-0038/output.txt: Language not supported
- demos/android/MASVS-RESILIENCE/MASTG-DEMO-0038/run.sh: Language not supported
- demos/android/MASVS-RESILIENCE/MASTG-DEMO-0039/output.txt: Language not supported
- demos/android/MASVS-RESILIENCE/MASTG-DEMO-0039/run.sh: Language not supported
Comments suppressed due to low confidence (1)
rules/mastg-android-strictmode.yml:10
- [nitpick] The pattern 'StrictMode.setVmPolicy(...)' may be too generic and might not catch all variants of StrictMode usage (e.g., chained calls or alternative configurations such as penaltyLog). Consider expanding the pattern or adding an additional rule to ensure comprehensive detection.
- pattern: StrictMode.setVmPolicy(...)
…d-demos-38-and-39
titze
reviewed
Apr 7, 2025
| ### Steps | ||
|
|
||
| 1. Install the app on a device (@MASTG-TECH-0005) | ||
| 2. Make sure you have @MASTG-TOOL-0001 installed on your machine and the frida-server running on the device |
There was a problem hiding this comment.
Suggested change
| 2. Make sure you have @MASTG-TOOL-0001 installed on your machine and the frida-server running on the device | |
| 2. Make sure you have @MASTG-TOOL-0031 installed on your machine and the frida-server running on the device |
There was a problem hiding this comment.
Also: shouldn't this (eventually?) be a Technique?
| 1. Install the app on a device (@MASTG-TECH-0005) | ||
| 2. Make sure you have @MASTG-TOOL-0001 installed on your machine and the frida-server running on the device | ||
| 3. Run `run.sh` to spawn the app with Frida | ||
| 4. Click the **Start** button |
There was a problem hiding this comment.
Suggested change
| 4. Click the **Start** button | |
| 4. Click the **Start** button in the app |
|
|
||
| ### Sample | ||
|
|
||
| This sample demonstrates the detection of `StrictMode` uses at runtime using Frida. The app enables a `StrictMode` policy to detect leaked SQLite objects and intentionally leaves a cursor unclosed to trigger the policy. |
There was a problem hiding this comment.
Suggested change
| This sample demonstrates the detection of `StrictMode` uses at runtime using Frida. The app enables a `StrictMode` policy to detect leaked SQLite objects and intentionally leaves a cursor unclosed to trigger the policy. | |
| This sample demonstrates the static detection of `StrictMode` in the app using Semgrep. The app enables a `StrictMode` policy to detect leaked SQLite objects and intentionally leaves a cursor unclosed to trigger the policy. |
|
|
||
| ### Evaluation | ||
|
|
||
| The test fails because the output shows usages of `StrictMode` APIs, specifically: |
There was a problem hiding this comment.
Since we were only looking for the setVmPolicy, the text sounds a bit off?
Comment on lines
+18
to
+22
| Let's run @MASTG-TOOL-0110 rules against the sample code. | ||
|
|
||
| {{ ../../../../rules/mastg-android-strictmode.yml }} | ||
|
|
||
| {{ run.sh }} |
There was a problem hiding this comment.
Isn't there a step missing? Since you run the semgrep rule against java code, I guess the app needs to be decompiled?
But since decompiling does not work so reliably, why not run a semgrep rule against the smali code?
|
|
||
| This test checks whether the app uses `StrictMode` by dynamically analyzing the app's behavior and placing relevant hooks to detect the use of `StrictMode` APIs, such as `StrictMode.setVmPolicy` and `StrictMode.VmPolicy.Builder.penaltyLog`. | ||
|
|
||
| While `StrictMode` is useful for developers to log policy violations such as disk I/O or network operations in production apps, it can expose sensitive implementation details in the logs that could be exploited by attackers. |
There was a problem hiding this comment.
Suggested change
| While `StrictMode` is useful for developers to log policy violations such as disk I/O or network operations in production apps, it can expose sensitive implementation details in the logs that could be exploited by attackers. | |
| While `StrictMode` is useful for developers to log policy violations such as disk I/O or network operations during development, it can expose sensitive implementation details in the logs that could be exploited by attackers. |
I know we have the same text in the existing test, but I think it sounds a bit confusing.
|
|
||
| ## Steps | ||
|
|
||
| 1. Run a dynamic analysis tool like @MASTG-TOOL-0039 and look for uses of `StrictMode` APIs. |
There was a problem hiding this comment.
Suggested change
| 1. Run a dynamic analysis tool like @MASTG-TOOL-0039 and look for uses of `StrictMode` APIs. | |
| 1. Run a dynamic analysis tool like @MASTG-TOOL-0031 and look for uses of `StrictMode` APIs. |
|
|
||
| ## Overview | ||
|
|
||
| This test checks whether the app uses `StrictMode`, which while useful for developers to log policy violations such as disk I/O or network operations in production apps, can expose sensitive implementation details in the logs that could be exploited by attackers. |
There was a problem hiding this comment.
Suggested change
| This test checks whether the app uses `StrictMode`, which while useful for developers to log policy violations such as disk I/O or network operations in production apps, can expose sensitive implementation details in the logs that could be exploited by attackers. | |
| This test checks whether the app uses `StrictMode`. While useful for developers to log policy violations such as disk I/O or network operations during development, it can expose sensitive implementation details in the logs that could be exploited by attackers. |
Comment on lines
+17
to
+18
| 1. Use @MASTG-TOOL-0110 to identify all instances of `StrictMode` | ||
| APIs. |
There was a problem hiding this comment.
Wouldn't it be better to reference a technique here?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request introduces two new demo tests for detecting
StrictModeusage in Android applications, using both dynamic and static analysis techniques.New demos
demos/android/MASVS-RESILIENCE/MASTG-DEMO-0038/MASTG-DEMO-0038.md: Added a demo for detectingStrictModeusage at runtime using Frida.demos/android/MASVS-RESILIENCE/MASTG-DEMO-0039/MASTG-DEMO-0039.md: Added a demo for detectingStrictModepenalty log usage in the codebase using Semgrep.New Tests
tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0264.md: Added documentation for a dynamic test to check runtime use ofStrictModeAPIs.tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0265.md: Added documentation for a static test to identify references toStrictModeAPIs.