π These study notes serve as a concise reference, capturing the essential insights, guidelines, and best practices for securing mobile applications, based on the OWASP MASTG (Mobile Application Security Testing) Standard - Tests.
Check for log related source code and files, and analyze them for any sensitive data
Logging should be removed from production releases.
Static
Check the source code for logging classes.
Dynamic
Use all the app functions at least once. Look for logs inside the app's data directory /data/data/<package-name
Check system and application logs with Logcat or pidcat for unintended data leakage
pidcat
MASTG-TEST-0004 Determining Whether Sensitive Data Is Shared with Third Parties via Embedded Services
Static
Review third-party libraries source code, requested permissions and vulnerabilities
Prevent PII exposure
Dynamic
Launch a man-in-the-middle (MITM) attack by routing the traffic through BurpSuite or ZAP proxy and sniffing the traffic between the app and the server.
Check for sensitive information (PII), specially in ads or tracking services
MASTG-TEST-0005 Determining Whether Sensitive Data Is Shared with Third Parties via Notifications
Static
Understand if notification management classes (e.g. NotificationManager) are used, how the application works and which data is shown in the generated notifications.
Dynamic
Trace calls to functions related to notifications creation and check if it contains any sensitive information.
use Frida scripts
MASTG-TEST-0006 Determining Whether the Keyboard Cache Is Disabled for Text Input Fields
Static
Check for the android:inputType XML attribute and its constants like
Check for data disclosure via process memory, by creating a memory dump or real-time memory analysis (debugger).
Static
Identify and map data usage across application components.
Minimize the number of components handling sensitive data.
Ensure prompt removal of object references when sensitive data is no longer needed.
Request garbage collection after removing references.
Overwrite sensitive data immediately when it becomes unnecessary.
Follow best practices and coding recommendations (SecureSecretKey class, etc) to make sure that sensitive data in memory is cleared out at logout and during onPause events for example, managing user's authentication experience.
Applications dealing with sensitive data should run in a secure and trusted environment. To establish this environment, the app can verify the device for:
Device lock with PIN or password protection
Up-to-date Android OS version
Activated USB Debugging
Device encryption
Device rooting
Static
Check the source code for functions implementing a device-access-security policy (e.g. App runs only on Android 9.0+) and determine if it can be bypassed.
system preferences Settings.Secure
Dynamic
Validate the bypassed security enforcing checks if present.
adb backup -apk -nosystem <package-name>
# backup.ab saved in current dir
wget https://github.com/nelenkov/android-backup-extractor/releases/download/master-20221109063121-8fdfc5e/abe.jar
java -jar abe.jar unpack backup.ab backup.tar
tar xvf backup.tar
cat sp/*
# Use ugrep to check for sensitive data
ugrep --pretty --hidden -Qria
# Fridump
python3 fridump.py -U -r -s "App's Name"
# it outputs a strings.txt file
ugrep --pretty --hidden -Qria dump/strings.txt
# Objection (not working sometimes)
memory dump all <local destination>
# Install r2frida
r2pm -ci r2frida
# Usage
r2 'frida://?'
r2 frida://[action]/[link]/[device]/[target]
* action = list | apps | attach | spawn | launch
* link = local | usb | remote host:port
* device = '' | host:port | device-id
* target = pid | appname | process-name | program-in-path | abspath
Local:
* frida://? # show this help
* frida:// # list local processes
* frida://0 # attach to frida-helper (no spawn needed)
* frida:///usr/local/bin/rax2 # abspath to spawn
* frida://rax2 # same as above, considering local/bin is in PATH
* frida://spawn/$(program) # spawn a new process in the current system
* frida://attach/(target) # attach to target PID in current host
USB:
* frida://list/usb// # list processes in the first usb device
* frida://apps/usb// # list apps in the first usb device
* frida://attach/usb//12345 # attach to given pid in the first usb device
* frida://spawn/usb//appname # spawn an app in the first resolved usb device
* frida://launch/usb//appname # spawn+resume an app in the first usb device
Remote:
* frida://attach/remote/10.0.0.3:9999/558 # attach to pid 558 on tcp remote frida-server
Environment: (Use the `%` command to change the environment at runtime)
R2FRIDA_SCRIPTS_DIR=/usr/local/share/r2frida/scripts
R2FRIDA_SCRIPTS_DIR=~/.local/share/radare2/r2frida/scripts
R2FRIDA_SAFE_IO=0|1 # Workaround a Frida bug on Android/thumb
R2FRIDA_DEBUG=0|1 # Used to trace internal r2frida C and JS calls
R2FRIDA_RUNTIME=qjs|v8 # Select the javascript engine to use in the agent side (v8 is default)
R2FRIDA_DEBUG_URI=0|1 # Trace uri parsing code and exit before doing any action
R2FRIDA_COMPILER_DISABLE=0|1 # Disable the new frida typescript compiler (`:. foo.ts`)
R2FRIDA_AGENT_SCRIPT=[file] # path to file of the r2frida agent
