MASTG Tests

📌 These study notes serve as a concise reference, capturing the essential insights, guidelines, and best practices for securing mobile applications, based on the OWASP MASTG (Mobile Application Security Testing) Standard - Tests.

🌐 Resources 🔗

• (tests examples are made with those vulnerable apps)

Android

Testing Local Storage for Sensitive Data

1. Open the app and click everywhere possible to trigger all possible functionalities and ensure data generation

2. Check all app generated files (SharedPreferences, SQL, Realm dbs, Internal/External Storage, etc)

Data stored locally should be at least encrypted and stored within the app sandbox. If possible, sensitive data should not be stored at all.

Static

Input the apk into jadx-gui

• Check AndroidManifest.xml for uses-permission android:name="android.permission

• Check the source code for file permissions, classes and functions, and bad practices.

Dynamic

To manage all those tests, a full pull data from an Android device's local storage may be useful.

• Check internal and external local storage, dev files, backup files, old files

• Check permissions in the app folder /data/data/<package-name>

• Check SQLite databases stored in /data/data/<package-name>/databases (on device) for sensitive data and db encryption

• Check Shared Preferences in /data/data/<package-name>/shared_prefs

• Check for Firebase Real-time dbs in /data/data/<package-name>/files/

  • call https://_firebaseProjectName_.firebaseio.com/.json

• Check for log related source code and files, and analyze them for any sensitive data

Logging should be removed from production releases.

Static

• Check the source code for logging classes.

Dynamic

Use all the app functions at least once. Look for logs inside the app's data directory /data/data/<package-name

# Logcat
adb logcat | grep "$(adb shell ps | grep <package-name> | awk '{print $2}')"

adb logcat -d -b all -v long -e <package-name>

# Pidcat
pidcat.py <package-name>

Static

• Review third-party libraries source code, requested permissions and vulnerabilities

• Prevent PII exposure

Dynamic

Launch a man-in-the-middle (MITM) attack by routing the traffic through BurpSuite or ZAP proxy and sniffing the traffic between the app and the server.

• Check for sensitive information (PII), specially in ads or tracking services

Static

• Understand if notification management classes (e.g. NotificationManager) are used, how the application works and which data is shown in the generated notifications.

Dynamic

Trace calls to functions related to notifications creation and check if it contains any sensitive information.

• use Frida scripts

Static

• Check for the android:inputType XML attribute and its constants like

  • textPassword, textVisiblePassword, numberPassword, textWebPassword

  • Check the android:minSdkVersion in the AndroidManifest.xml file for the above constants support

Dynamic

Check for input fields that take sensitive data.

• Keyboard cache is enabled if strings are suggested

Static

• Check the AndroidManifest.xml for android:allowBackup

  • if true, check for sensitive data in the saved backup

• Pay attention to cloud (auto) backup, it may contain unencrypted sensitive data files

• Check the source code for BackupAgent, BackupAgentHelper classes

Dynamic

Use adb to backup the app and check the backup archive for sensitive data.

adb backup -apk -nosystem <package-name>

# backup.ab saved in current dir

• Approve the backup in the device

wget https://github.com/nelenkov/android-backup-extractor/releases/download/master-20221109063121-8fdfc5e/abe.jar

java -jar abe.jar unpack backup.ab backup.tar

tar xvf backup.tar

cat sp/*

# Use ugrep to check for sensitive data
ugrep --pretty --hidden -Qria

• Check for data disclosure via process memory, by creating a memory dump or real-time memory analysis (debugger).

Static

• Identify and map data usage across application components.

• Minimize the number of components handling sensitive data.

• Ensure prompt removal of object references when sensitive data is no longer needed.

• Request garbage collection after removing references.

• Overwrite sensitive data immediately when it becomes unnecessary.

Follow best practices and coding recommendations (SecureSecretKey class, etc) to make sure that sensitive data in memory is cleared out at logout and during onPause events for example, managing user's authentication experience.

Dynamic

• Check the memory dump for sensitive data, using strings command to extract strings from the dmp files

  • Indicative field names like "password", "pass", "pin", "secret", "private", etc.

  • Indicative patterns in strings, char arrays, byte arrays, etc.

  • Known secrets (credit card number, etc)

# Fridump
python3 fridump.py -U -r -s "App's Name"
# it outputs a strings.txt file
ugrep --pretty --hidden -Qria dump/strings.txt


# Objection (not working sometimes)
memory dump all <local destination>

# Install r2frida
r2pm -ci r2frida

# Usage
r2 'frida://?'

r2 frida://[action]/[link]/[device]/[target]
* action = list | apps | attach | spawn | launch
* link   = local | usb | remote host:port
* device = '' | host:port | device-id
* target = pid | appname | process-name | program-in-path | abspath
Local:
* frida://?                        # show this help
* frida://                         # list local processes
* frida://0                        # attach to frida-helper (no spawn needed)
* frida:///usr/local/bin/rax2      # abspath to spawn
* frida://rax2                     # same as above, considering local/bin is in PATH
* frida://spawn/$(program)         # spawn a new process in the current system
* frida://attach/(target)          # attach to target PID in current host
USB:
* frida://list/usb//               # list processes in the first usb device
* frida://apps/usb//               # list apps in the first usb device
* frida://attach/usb//12345        # attach to given pid in the first usb device
* frida://spawn/usb//appname       # spawn an app in the first resolved usb device
* frida://launch/usb//appname      # spawn+resume an app in the first usb device
Remote:
* frida://attach/remote/10.0.0.3:9999/558 # attach to pid 558 on tcp remote frida-server
Environment: (Use the `%` command to change the environment at runtime)
  R2FRIDA_SCRIPTS_DIR=/usr/local/share/r2frida/scripts
  R2FRIDA_SCRIPTS_DIR=~/.local/share/radare2/r2frida/scripts
  R2FRIDA_SAFE_IO=0|1              # Workaround a Frida bug on Android/thumb
  R2FRIDA_DEBUG=0|1                # Used to trace internal r2frida C and JS calls
  R2FRIDA_RUNTIME=qjs|v8           # Select the javascript engine to use in the agent side (v8 is default)
  R2FRIDA_DEBUG_URI=0|1            # Trace uri parsing code and exit before doing any action
  R2FRIDA_COMPILER_DISABLE=0|1     # Disable the new frida typescript compiler (`:. foo.ts`)
  R2FRIDA_AGENT_SCRIPT=[file]      # path to file of the r2frida agent

r2 'frida://launch/usb//owasp.sat.agoat'

Applications dealing with sensitive data should run in a secure and trusted environment. To establish this environment, the app can verify the device for:

• Device lock with PIN or password protection

• Up-to-date Android OS version

• Activated USB Debugging

• Device encryption

• Device rooting

Static

Check the source code for functions implementing a device-access-security policy (e.g. App runs only on Android 9.0+) and determine if it can be bypassed.

• system preferences Settings.Secure

Dynamic

Validate the bypassed security enforcing checks if present.