From 0cdcd45cc8ea23212bda0126f2174f3e5afb5161 Mon Sep 17 00:00:00 2001 From: Dionysis Lorentzos Date: Wed, 24 Sep 2025 16:37:37 +0200 Subject: [PATCH 01/16] Deprecate old test --- tests/android/MASVS-STORAGE/MASTG-TEST-0004.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/tests/android/MASVS-STORAGE/MASTG-TEST-0004.md b/tests/android/MASVS-STORAGE/MASTG-TEST-0004.md index 5ef713be316..c900122d43c 100644 --- a/tests/android/MASVS-STORAGE/MASTG-TEST-0004.md +++ b/tests/android/MASVS-STORAGE/MASTG-TEST-0004.md @@ -4,23 +4,25 @@ masvs_v1_id: masvs_v2_id: - MASVS-STORAGE-2 platform: android -title: Determining Whether Sensitive Data Is Shared with Third Parties via Embedded - Services +title: Determining Whether Sensitive Data Is Shared with Third Parties via Embedded Services masvs_v1_levels: - L1 - L2 profiles: [L1, L2] +status: deprecated +covered_by: [MASTG-TEST-xxxx] // TODO +deprecation_note: New version available in MASTG V2 --- ## Overview ## Static Analysis -To determine whether API calls and functions provided by the third-party library are used according to best practices, review their source code, requested permissions and check for any known vulnerabilities. +To determine whether API calls and functions provided by the third-party library are used according to best practices, review their source code, requested permissions, and check for any known vulnerabilities. All data that's sent to third-party services should be anonymized to prevent exposure of PII (Personal Identifiable Information) that would allow the third party to identify the user account. No other data (such as IDs that can be mapped to a user account or session) should be sent to a third party. ## Dynamic Analysis Check all requests to external services for embedded sensitive information. -To intercept traffic between the client and server, you can perform dynamic analysis by launching a [Machine-in-the-Middle (MITM)](../../../Document/0x04f-Testing-Network-Communication.md#intercepting-network-traffic-through-mitm) attack with @MASTG-TOOL-0077 or @MASTG-TOOL-0079. Once you route the traffic through the interception proxy, you can try to sniff the traffic that passes between the app and server. All app requests that aren't sent directly to the server on which the main function is hosted should be checked for sensitive information, such as PII in a tracker or ad service. +To intercept traffic between the client and server, you can perform dynamic analysis by launching a [Machine-in-the-Middle (MITM)](../../../Document/0x04f-Testing-Network-Communication.md#intercepting-network-traffic-through-mitm) attack with @MASTG-TOOL-0077 or @MASTG-TOOL-0079. Once you route the traffic through the interception proxy, you can try to sniff the traffic that passes between the app and server. All app requests that aren't sent directly to the server on which the main function is hosted should be checked for sensitive information, such as PII, in a tracker or ad service. From 536aacb6ecba3dd3d65026e01f847645305e7de8 Mon Sep 17 00:00:00 2001 From: Dionysis Lorentzos Date: Fri, 26 Sep 2025 16:10:27 +0200 Subject: [PATCH 02/16] Add mitmproxy in TECH-0108 --- techniques/android/MASTG-TECH-0108.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/techniques/android/MASTG-TECH-0108.md b/techniques/android/MASTG-TECH-0108.md index f60ef3a541f..c881b3515ee 100644 --- a/techniques/android/MASTG-TECH-0108.md +++ b/techniques/android/MASTG-TECH-0108.md @@ -9,13 +9,13 @@ In taint analysis, data flows from a "source" to a "sink". A source is where sen In large applications, manual information flow analysis can be very time-consuming and inaccurate. Taint analysis automates this, with two main methods: static and dynamic. The former examines code without running it, offering broad coverage but potentially yielding false positives. In contrast, dynamic analysis observes real-time application execution, providing actual context but possibly overlooking untriggered issues. A thorough comparison of these techniques is beyond this section's scope. -There are multiple tools which perform taint analysis on native code, including [Triton](https://github.com/jonathansalwan/Triton "Triton") and [bincat](https://github.com/airbus-seclab/bincat "bincat"). However, in this section, we'll primarily focus on Android Java code and utilize @MASTG-TOOL-0099 for the taint analysis. Another notable tool supporting taint analysis for Android apps is [GDA](https://github.com/charles2gan/GDA-android-reversing-Tool/wiki/GDA-Static-Taint-Analysis "GDA"). +There are multiple tools which perform taint analysis on native code, including [Triton](https://github.com/jonathansalwan/Triton "Triton"), [bincat](https://github.com/airbus-seclab/bincat "bincat"), and @MASTG-TOOL-0110. However, in this section, we'll primarily focus on Android Java code and utilize @MASTG-TOOL-0099 for the taint analysis. Another notable tool supporting taint analysis for Android apps is [GDA](https://github.com/charles2gan/GDA-android-reversing-Tool/wiki/GDA-Static-Taint-Analysis "GDA"). For our demonstration, we'll use the @MASTG-TOOL-0099 command line tool to perform taint analysis on the [InsecureShop v1.0](https://github.com/hax0rgb/InsecureShop/releases/tag/v1.0 "InsecureShop") application. The InsecureShop app accepts a username and password as input and stores them in the app's shared preferences. In our taint analysis, we're interested in how this stored username and password are used. In this context, the username and password are the sensitive information, and reading from shared preferences is the source. The sink in this analysis could be various operations, such as sending info over the network, transmitting info via an `Intent`, or storing info in an external file. -To use FlowDroid, firstly, we need to provide an input list of potential sources and sinks to evaluate for. In our case, _reading from shared preferences_ will be the source, while _adding parameters to an `Intent`_ will be the sink. The configuration file will look as follows (we'll name it "source_sink.txt"): +To use FlowDroid, firstly, we need to provide an input list of potential sources and sinks to evaluate. In our case, _reading from shared preferences_ will be the source, while _adding parameters to an `Intent`_ will be the sink. The configuration file will look as follows (we'll name it "source_sink.txt"): ```Jimple -> _SOURCE_ @@ -68,4 +68,4 @@ fun onSendData(view: View) { } ``` -Taint analysis is especially beneficial for automating data flow analysis in intricate applications. However, given the complexity of some apps, the accuracy of such tools can vary. Thus, it's essential for reviewers to find a balance between the accuracy of tools and the time spent on manual analysis. +Taint analysis is especially beneficial for automating data flow analysis in intricate applications. However, given the complexity of some apps, the accuracy of such tools can vary. Thus, reviewers need to find a balance between the accuracy of tools and the time spent on manual analysis. From 525a75e45c67bc99e1dbcacd7a01412bb7358101 Mon Sep 17 00:00:00 2001 From: Dionysis Lorentzos Date: Fri, 26 Sep 2025 16:10:47 +0200 Subject: [PATCH 03/16] Create the v2 TEST --- .../android/MASVS-PLATFORM/MASTG-TEST-xxxx.md | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md diff --git a/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md b/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md new file mode 100644 index 00000000000..e4bd5f7626e --- /dev/null +++ b/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md @@ -0,0 +1,39 @@ +--- +platform: android +title: Sensitive Data Leaked via Embedded Libraries +id: MASTG-TEST-xxxx // TODO +type: [static, dynamic] +weakness: MASWE-xxxA // TODO see https://github.com/OWASP/maswe/pull/11 +prerequisites: + - identify-sensitive-data + - identify-embedded-libraries-with-network-access // TODO makes sense? get feedback +profiles: [L1, L2] +--- + +## Overview + +This test case focuses on identifying potentially sensitive data inadvertently leaked through embedded third-party libraries used by the application. For example, an app might use a third-party analytics SDK to track user behavior, but if the SDK is not properly configured, it could inadvertently send sensitive information (like PIIs - Personal Identifiable Information, or secrets) to that third-party service. + +## Steps + +1. Generate an SBOM. + - For black-box testing, you can use tools like @MASTG-TOOL-0130 or @MASTG-TOOL-0134 with @MASG-TECH-0130 or @MASTG-TECH-0131 to identify all embedded/3rd-party libraries used by the app. + - For grey/white-box testing, you can manually review the app's build files (like `build.gradle`) to identify dependencies. +2. Shortlist the embedded/3rd-party libraries’ APIs which have network functionality and that should not handle sensitive information. Look for permissions like `INTERNET` or `ACCESS_NETWORK_STATE`. + - For black-box testing, you can research those libraries online or their codebase to see if they have network functionality. + - For gray/white-box testing, you can manually review the app's merged manifest file in Android Studio or by manually generating with a command like `./gradlew app:processDebugManifest` and then inspecting the file in `app/build/intermediates/merged_manifests/debug/AndroidManifest.xml`. If possible, you can review the app's codebase. +3. Identify common APIs of those libraries that are used to send data to their servers. + - Use @MASTG-TECH-0110, potentially with @MASTG-TOOL-0108, to identify sensitive data pass to the APIs. + - Alternatively use you can perform dynamic analysis by intercepting traffic using @MASTG-TECH-0120 and @MASTG-TECH-0121. Once you route the traffic through the interception proxy, you can try to sniff the traffic that passes between the app and app's known servers. All app requests that aren't sent directly to the app's server on which the main function is hosted should be evaluated. + +## Observation + +The output should contain a list of locations where sensitive information is passed to embedded/3rd-party libraries or a list of network requests to third-party servers that contain sensitive information. + +## Evaluation + +The test case fails if sensitive data is found to be passed to embedded/3rd-party libraries that have network functionality or if network requests to third-party servers contain sensitive information. + + + + From ea8e1ed9e378a5a062f386ad58ddbd31aeab5f5b Mon Sep 17 00:00:00 2001 From: Dionysis Lorentzos Date: Fri, 26 Sep 2025 16:11:01 +0200 Subject: [PATCH 04/16] Create a demo based on the test --- .../MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md | 35 ++++++++++++++ .../MASTG-DEMO-yyyy/MastgTest.kt | 46 +++++++++++++++++++ .../MASTG-DEMO-yyyy/MastgTest_reversed.java | 37 +++++++++++++++ .../MASVS-PLATFORM/MASTG-DEMO-yyyy/output.txt | 26 +++++++++++ .../MASVS-PLATFORM/MASTG-DEMO-yyyy/run.sh | 1 + ...ve-data-to-embedded-firebase-analytics.yml | 43 +++++++++++++++++ 6 files changed, 188 insertions(+) create mode 100644 demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md create mode 100644 demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MastgTest.kt create mode 100644 demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MastgTest_reversed.java create mode 100644 demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/output.txt create mode 100755 demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/run.sh create mode 100644 rules/mastg-android-sensitive-data-to-embedded-firebase-analytics.yml diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md b/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md new file mode 100644 index 00000000000..c7a1ac330c3 --- /dev/null +++ b/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md @@ -0,0 +1,35 @@ +--- +platform: android +title: App leaking sensitive information to Firebase Analytics +id: MASTG-DEMO-yyyy +code: [kotlin] +test: MASTG-TEST-xxxx +--- + +## Sample + +This sample demonstrates an Android application that inadvertently leaks sensitive user information to Firebase Analytics. The app collects various types of sensitive data, such as user IDs, email addresses, and names, and sends this information to Firebase Analytics. + +> Note: To compile the test correctly, you need to include the Firebase Analytics library in the `build.gradle` file. i.e.`implementation("com.google.firebase:firebase-analytics:23.0.0")`. + +{{ MastgTest.kt }} + +## Steps + +Let's run our @MASTG-TOOL-0110 rule against the reversed Java code. + +{{ ../../../../rules/mastg-android-sensitive-data-to-embedded-firebase-analytics.yml }} + +{{ run.sh }} + +## Observation + +The rule detected 8 instances where sensitive data might be sent to Firebase Analytics. The findings include various types of sensitive information, such as user IDs, email addresses, and names, based on the rule's defined pattern. + +{{ output.txt }} + +## Evaluation + +After reviewing the decompiled code at the location specified in the output (file and line number), we can conclude that the test fails because the file written by this instance contains sensitive information, specifically a first and a last name, an email, a user ID, and a secret. + +{{ evaluation.txt }} \ No newline at end of file diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MastgTest.kt b/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MastgTest.kt new file mode 100644 index 00000000000..714a4e24ce1 --- /dev/null +++ b/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MastgTest.kt @@ -0,0 +1,46 @@ +package org.owasp.mastestapp + +import android.content.Context +import android.os.Bundle +import com.google.firebase.analytics.FirebaseAnalytics + +class MastgTest(private val context: Context) { + + fun mastgTest(): String { + val sensitiveString = "d3a447630194bd4b" + val email = "user@example.com" + val firstLast = "John Doe" + val arbitraryUserId = "user12345" + + val analytics = FirebaseAnalytics.getInstance(context) + + // Test 1: logEvent with bundle + val eventBundle = Bundle().apply { + putString("user_email", email) + putString("full_name", firstLast) + } + analytics.logEvent("event_name", eventBundle) + + // Test 2: setUserProperty + analytics.apply { + setUserProperty("name", firstLast) + setUserProperty("email", email) + } + + // Test 3: setUserId + analytics.setUserId(arbitraryUserId) + + // Test 4: setDefaultEventParameters + val defaultBundle = Bundle().apply { + putString("default_key", sensitiveString) + } + analytics.setDefaultEventParameters(defaultBundle) + + return """Sensitive data: + Email: $email + Full Name: $firstLast + User ID: $arbitraryUserId + Sensitive String: $sensitiveString + """.trimIndent() + } +} \ No newline at end of file diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MastgTest_reversed.java b/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MastgTest_reversed.java new file mode 100644 index 00000000000..41ca3e8d310 --- /dev/null +++ b/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MastgTest_reversed.java @@ -0,0 +1,37 @@ +package org.owasp.mastestapp; + +import android.content.Context; +import android.os.Bundle; +import com.google.firebase.analytics.FirebaseAnalytics; +import kotlin.Metadata; +import kotlin.jvm.internal.Intrinsics; +import kotlin.text.StringsKt; + +/* compiled from: MastgTest.kt */ +@Metadata(d1 = {"\u0000\u0018\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010\u000e\n\u0000\b\u0007\u0018\u00002\u00020\u0001B\u000f\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0004\b\u0004\u0010\u0005J\u0006\u0010\u0006\u001a\u00020\u0007R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006\b"}, d2 = {"Lorg/owasp/mastestapp/MastgTest;", "", "context", "Landroid/content/Context;", "", "(Landroid/content/Context;)V", "mastgTest", "", "app_debug"}, k = 1, mv = {2, 0, 0}, xi = 48) +/* loaded from: classes3.dex */ +public final class MastgTest { + public static final int $stable = 8; + private final Context context; + + public MastgTest(Context context) { + Intrinsics.checkNotNullParameter(context, "context"); + this.context = context; + } + + public final String mastgTest() { + FirebaseAnalytics analytics = FirebaseAnalytics.getInstance(this.context); + Intrinsics.checkNotNullExpressionValue(analytics, "getInstance(...)"); + Bundle eventBundle = new Bundle(); + eventBundle.putString("user_email", "user@example.com"); + eventBundle.putString("full_name", "John Doe"); + analytics.logEvent("event_name", eventBundle); + analytics.setUserProperty("name", "John Doe"); + analytics.setUserProperty("email", "user@example.com"); + analytics.setUserId("user12345"); + Bundle defaultBundle = new Bundle(); + defaultBundle.putString("default_key", "d3a447630194bd4b"); + analytics.setDefaultEventParameters(defaultBundle); + return StringsKt.trimIndent("Sensitive data:\n\t\t\tEmail: user@example.com\n\t\t\tFull Name: John Doe\n\t\t\tUser ID: user12345\n\t\t\tSensitive String: d3a447630194bd4b\n\t\t\t"); + } +} diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/output.txt b/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/output.txt new file mode 100644 index 00000000000..4fc0c3b21f9 --- /dev/null +++ b/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/output.txt @@ -0,0 +1,26 @@ + + +┌─────────────────┐ +│ 8 Code Findings │ +└─────────────────┘ + + MastgTest_reversed.java + ❯❱ rules.mastg-android-sensitive-data-to-embedded-firebase-analytics + [MASVS-PLATFORM-2] Sensitive data is being sent to Firebase Analytics + + 26┆ eventBundle.putString("user_email", "user@example.com"); + ⋮┆---------------------------------------- + 27┆ eventBundle.putString("full_name", "John Doe"); + ⋮┆---------------------------------------- + 28┆ analytics.logEvent("event_name", eventBundle); + ⋮┆---------------------------------------- + 29┆ analytics.setUserProperty("name", "John Doe"); + ⋮┆---------------------------------------- + 30┆ analytics.setUserProperty("email", "user@example.com"); + ⋮┆---------------------------------------- + 31┆ analytics.setUserId("user12345"); + ⋮┆---------------------------------------- + 33┆ defaultBundle.putString("default_key", "d3a447630194bd4b"); + ⋮┆---------------------------------------- + 34┆ analytics.setDefaultEventParameters(defaultBundle); + diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/run.sh b/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/run.sh new file mode 100755 index 00000000000..e3c13da7f96 --- /dev/null +++ b/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/run.sh @@ -0,0 +1 @@ +NO_COLOR=true semgrep -c ../../../../rules/mastg-android-sensitive-data-to-embedded-firebase-analytics.yml ./MastgTest_reversed.java > output.txt diff --git a/rules/mastg-android-sensitive-data-to-embedded-firebase-analytics.yml b/rules/mastg-android-sensitive-data-to-embedded-firebase-analytics.yml new file mode 100644 index 00000000000..82acc3304b0 --- /dev/null +++ b/rules/mastg-android-sensitive-data-to-embedded-firebase-analytics.yml @@ -0,0 +1,43 @@ +rules: + - id: mastg-android-sensitive-data-to-embedded-firebase-analytics + severity: WARNING + languages: [java] + metadata: + summary: "Detects sensitive data being sent to Firebase Analytics." + message: "[MASVS-PLATFORM-2] Sensitive data is being sent to Firebase Analytics" + mode: taint + pattern-sources: + - patterns: + - pattern: '"$SECRET"' + - metavariable-analysis: + metavariable: $SECRET + analyzer: entropy + - patterns: + - pattern: '"$EMAIL"' + - metavariable-regex: + metavariable: $EMAIL + regex: (?i)[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,} + - patterns: + - pattern: '"$FULLNAME"' + - metavariable-regex: + metavariable: $FULLNAME + regex: (?i)[A-Z][a-z]+ [A-Z][a-z]+ + - patterns: + - pattern: '"$UID"' + - metavariable-regex: + metavariable: $UID + regex: (?i)user[0-9]+ + pattern-sinks: + - pattern: $FA.logEvent($EVT, $ARG) + - pattern: $FA.setUserProperty($NAME, $ARG) + - pattern: $FA.setUserId($ARG) + - pattern: $FA.setDefaultEventParameters($ARG) + - pattern: $BUNDLE.putString($K, $V) + pattern-inside: | + ...; + $FA.logEvent($EVT, $BUNDLE); + ...; + pattern-propagators: + - pattern: $BUNDLE.putString($K, $V) + from: $V + to: $BUNDLE \ No newline at end of file From 31d62096c7b92e7e786eac3fdbfba34cf280caba Mon Sep 17 00:00:00 2001 From: Dionysis Lorentzos Date: Fri, 26 Sep 2025 16:17:08 +0200 Subject: [PATCH 05/16] Fix lint --- demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md | 2 +- tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md b/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md index c7a1ac330c3..566cf2b4a7f 100644 --- a/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md +++ b/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md @@ -10,7 +10,7 @@ test: MASTG-TEST-xxxx This sample demonstrates an Android application that inadvertently leaks sensitive user information to Firebase Analytics. The app collects various types of sensitive data, such as user IDs, email addresses, and names, and sends this information to Firebase Analytics. -> Note: To compile the test correctly, you need to include the Firebase Analytics library in the `build.gradle` file. i.e.`implementation("com.google.firebase:firebase-analytics:23.0.0")`. +> Note: To compile the test correctly, you need to include the Firebase Analytics library in the `build.gradle` file. i.e.`implementation("com.google.firebase:firebase-analytics:23.0.0")`. {{ MastgTest.kt }} diff --git a/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md b/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md index e4bd5f7626e..b1dca9526aa 100644 --- a/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md +++ b/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md @@ -16,7 +16,7 @@ This test case focuses on identifying potentially sensitive data inadvertently l ## Steps -1. Generate an SBOM. +1. Generate an SBOM. - For black-box testing, you can use tools like @MASTG-TOOL-0130 or @MASTG-TOOL-0134 with @MASG-TECH-0130 or @MASTG-TECH-0131 to identify all embedded/3rd-party libraries used by the app. - For grey/white-box testing, you can manually review the app's build files (like `build.gradle`) to identify dependencies. 2. Shortlist the embedded/3rd-party libraries’ APIs which have network functionality and that should not handle sensitive information. Look for permissions like `INTERNET` or `ACCESS_NETWORK_STATE`. From 52d06194bb6c34e99fc457a0c2ab786b51615c74 Mon Sep 17 00:00:00 2001 From: Dionysis Lorentzos Date: Fri, 26 Sep 2025 16:21:29 +0200 Subject: [PATCH 06/16] Fix lint --- .../android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md | 2 -- tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md | 4 ++-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md b/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md index 566cf2b4a7f..7b0be01ddf6 100644 --- a/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md +++ b/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md @@ -31,5 +31,3 @@ The rule detected 8 instances where sensitive data might be sent to Firebase Ana ## Evaluation After reviewing the decompiled code at the location specified in the output (file and line number), we can conclude that the test fails because the file written by this instance contains sensitive information, specifically a first and a last name, an email, a user ID, and a secret. - -{{ evaluation.txt }} \ No newline at end of file diff --git a/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md b/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md index b1dca9526aa..5ee8533ea17 100644 --- a/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md +++ b/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md @@ -17,9 +17,9 @@ This test case focuses on identifying potentially sensitive data inadvertently l ## Steps 1. Generate an SBOM. - - For black-box testing, you can use tools like @MASTG-TOOL-0130 or @MASTG-TOOL-0134 with @MASG-TECH-0130 or @MASTG-TECH-0131 to identify all embedded/3rd-party libraries used by the app. + - For black-box testing, you can use tools like @MASTG-TOOL-0130 or @MASTG-TOOL-0134 with @MASG-TECH-0130 or @MASTG-TECH-0131 to identify all embedded/3rd-party libraries used by the app. - For grey/white-box testing, you can manually review the app's build files (like `build.gradle`) to identify dependencies. -2. Shortlist the embedded/3rd-party libraries’ APIs which have network functionality and that should not handle sensitive information. Look for permissions like `INTERNET` or `ACCESS_NETWORK_STATE`. +2. Shortlist the embedded/3rd-party libraries' APIs which have network functionality and that should not handle sensitive information. Look for permissions like `INTERNET` or `ACCESS_NETWORK_STATE`. - For black-box testing, you can research those libraries online or their codebase to see if they have network functionality. - For gray/white-box testing, you can manually review the app's merged manifest file in Android Studio or by manually generating with a command like `./gradlew app:processDebugManifest` and then inspecting the file in `app/build/intermediates/merged_manifests/debug/AndroidManifest.xml`. If possible, you can review the app's codebase. 3. Identify common APIs of those libraries that are used to send data to their servers. From 99e15f8b53af0c93937e7b7b959dbd15c7f6c990 Mon Sep 17 00:00:00 2001 From: Dionysis Lorentzos Date: Fri, 26 Sep 2025 16:21:48 +0200 Subject: [PATCH 07/16] Fix lint --- tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md b/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md index 5ee8533ea17..435037fd43b 100644 --- a/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md +++ b/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md @@ -22,8 +22,8 @@ This test case focuses on identifying potentially sensitive data inadvertently l 2. Shortlist the embedded/3rd-party libraries' APIs which have network functionality and that should not handle sensitive information. Look for permissions like `INTERNET` or `ACCESS_NETWORK_STATE`. - For black-box testing, you can research those libraries online or their codebase to see if they have network functionality. - For gray/white-box testing, you can manually review the app's merged manifest file in Android Studio or by manually generating with a command like `./gradlew app:processDebugManifest` and then inspecting the file in `app/build/intermediates/merged_manifests/debug/AndroidManifest.xml`. If possible, you can review the app's codebase. -3. Identify common APIs of those libraries that are used to send data to their servers. - - Use @MASTG-TECH-0110, potentially with @MASTG-TOOL-0108, to identify sensitive data pass to the APIs. +3. Identify common APIs of those libraries that are used to send data to their servers. + - Use @MASTG-TECH-0110, potentially with @MASTG-TOOL-0108, to identify sensitive data pass to the APIs. - Alternatively use you can perform dynamic analysis by intercepting traffic using @MASTG-TECH-0120 and @MASTG-TECH-0121. Once you route the traffic through the interception proxy, you can try to sniff the traffic that passes between the app and app's known servers. All app requests that aren't sent directly to the app's server on which the main function is hosted should be evaluated. ## Observation From a12122af84ff9a26da6b45704b9e6369674938bf Mon Sep 17 00:00:00 2001 From: Dionysis Lorentzos Date: Fri, 26 Sep 2025 16:22:02 +0200 Subject: [PATCH 08/16] Fix lint --- tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md b/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md index 435037fd43b..40e2a0f8f83 100644 --- a/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md +++ b/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md @@ -33,7 +33,3 @@ The output should contain a list of locations where sensitive information is pas ## Evaluation The test case fails if sensitive data is found to be passed to embedded/3rd-party libraries that have network functionality or if network requests to third-party servers contain sensitive information. - - - - From 4618723c4a2a156c3c598bb9bd3d096066451d41 Mon Sep 17 00:00:00 2001 From: Dionysis Lorentzos Date: Mon, 29 Sep 2025 10:34:17 +0200 Subject: [PATCH 09/16] Remove prerequisite --- tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md | 1 - 1 file changed, 1 deletion(-) diff --git a/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md b/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md index 40e2a0f8f83..65a4216485d 100644 --- a/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md +++ b/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md @@ -6,7 +6,6 @@ type: [static, dynamic] weakness: MASWE-xxxA // TODO see https://github.com/OWASP/maswe/pull/11 prerequisites: - identify-sensitive-data - - identify-embedded-libraries-with-network-access // TODO makes sense? get feedback profiles: [L1, L2] --- From 13118f7e495e0846fb1b55f27ec2935737780fec Mon Sep 17 00:00:00 2001 From: Dionysis Lorentzos Date: Wed, 1 Oct 2025 16:41:21 +0200 Subject: [PATCH 10/16] Rewrite test to include frida --- .../android/MASVS-PLATFORM/MASTG-TEST-xxxx.md | 24 ++++++++++--------- .../android/MASVS-PRIVACY/MASTG-TEST-0206.md | 4 ++-- 2 files changed, 15 insertions(+), 13 deletions(-) diff --git a/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md b/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md index 65a4216485d..f4ea1e47014 100644 --- a/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md +++ b/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md @@ -11,19 +11,21 @@ profiles: [L1, L2] ## Overview -This test case focuses on identifying potentially sensitive data inadvertently leaked through embedded third-party libraries used by the application. For example, an app might use a third-party analytics SDK to track user behavior, but if the SDK is not properly configured, it could inadvertently send sensitive information (like PIIs - Personal Identifiable Information, or secrets) to that third-party service. +This test case focuses on identifying potentially sensitive data that may have been inadvertently leaked through embedded third-party libraries used by the application. For example, an app might use a third-party analytics SDK to track user behavior. Still, if the SDK is not correctly configured, it could inadvertently send sensitive information (like PIIs - Personal Identifiable Information, or secrets) to that third-party service. ## Steps -1. Generate an SBOM. - - For black-box testing, you can use tools like @MASTG-TOOL-0130 or @MASTG-TOOL-0134 with @MASG-TECH-0130 or @MASTG-TECH-0131 to identify all embedded/3rd-party libraries used by the app. - - For grey/white-box testing, you can manually review the app's build files (like `build.gradle`) to identify dependencies. -2. Shortlist the embedded/3rd-party libraries' APIs which have network functionality and that should not handle sensitive information. Look for permissions like `INTERNET` or `ACCESS_NETWORK_STATE`. - - For black-box testing, you can research those libraries online or their codebase to see if they have network functionality. - - For gray/white-box testing, you can manually review the app's merged manifest file in Android Studio or by manually generating with a command like `./gradlew app:processDebugManifest` and then inspecting the file in `app/build/intermediates/merged_manifests/debug/AndroidManifest.xml`. If possible, you can review the app's codebase. -3. Identify common APIs of those libraries that are used to send data to their servers. - - Use @MASTG-TECH-0110, potentially with @MASTG-TOOL-0108, to identify sensitive data pass to the APIs. - - Alternatively use you can perform dynamic analysis by intercepting traffic using @MASTG-TECH-0120 and @MASTG-TECH-0121. Once you route the traffic through the interception proxy, you can try to sniff the traffic that passes between the app and app's known servers. All app requests that aren't sent directly to the app's server on which the main function is hosted should be evaluated. +To investigate this, you have two options: + +### Method 1 + +1. Use @MASTG-TOOL-0001 to hook all network functions (and try to detect PII or secrets in their calls). Use the backtraces to find out which component is sending what PII or secrets. This should also include the corresponding network domains. It should provide excellent coverage while staying sufficiently generic. + +### Method 2 + +1. Identify the package name of the embedded library you wish to run the test against, or the list of package names of embedded libraries, by generating an SBOM. + - (optional) To generate an SBOM, you can use tools like @MASTG-TOOL-0130 or @MASTG-TOOL-0134 with @MASTG-TECH-0130 or @MASTG-TECH-0131 to identify all embedded/3rd-party libraries used by the app. You may consult @MASTG-TECH-0130. Shortlist the embedded/3rd-party libraries' APIs that have network functionality and that should not handle sensitive information. You can research those libraries online or their codebase to see if they have network functionality. Look for permissions like `INTERNET` or `ACCESS_NETWORK_STATE` in their manifest files, or check their documentation for network-related features. +2. Identify common APIs of the library/these libraries that are used to send data to their servers. Use @MASTG-TECH-0110, potentially with @MASTG-TOOL-0108, to identify the entry points where sensitive data may be passed to the APIs. You can research those libraries online or their codebase for entry points. The entry points would be "package name" plus "method path and name". For example, if the library is `com.example.analytics` and it has a method `trackEvent(String eventName, Map properties)`, then the entry point would be `com.example.analytics.trackEvent`. ## Observation @@ -31,4 +33,4 @@ The output should contain a list of locations where sensitive information is pas ## Evaluation -The test case fails if sensitive data is found to be passed to embedded/3rd-party libraries that have network functionality or if network requests to third-party servers contain sensitive information. +The test case fails if sensitive data is passed to embedded/3rd-party libraries that have network functionality, or if network requests to third-party servers contain sensitive information. diff --git a/tests-beta/android/MASVS-PRIVACY/MASTG-TEST-0206.md b/tests-beta/android/MASVS-PRIVACY/MASTG-TEST-0206.md index 35d24c5e45b..42f2557194d 100644 --- a/tests-beta/android/MASVS-PRIVACY/MASTG-TEST-0206.md +++ b/tests-beta/android/MASVS-PRIVACY/MASTG-TEST-0206.md @@ -29,6 +29,6 @@ The output should contain a network traffic sensitive data log that includes the ## Evaluation -The test case fails if you can find the sensitive data you entered in the app that is not stated in the App Store Privacy declarations. +The test case fails if you can find the sensitive data you entered into the app that is not stated in the App Store Privacy declarations. -Note that this test does not provide any code locations where the sensitive data is being sent over the network. In order to identify the code locations, you can use static analysis tools like @MASTG-TOOL-0110 or dynamic analysis tools like @MASTG-TOOL-0031. +Note that this test does not provide any code locations where the sensitive data is being sent over the network. In order to identify the code locations, you can use static analysis tools like @MASTG-TOOL-0110 or dynamic analysis tools like @MASTG-TOOL-0031. Consult @MASTG-TEST-xxxx for more details. From ff3bf25b8266995bc7105fcebd2aed24cf179dd9 Mon Sep 17 00:00:00 2001 From: Dionysis Lorentzos Date: Thu, 2 Oct 2025 10:09:03 +0200 Subject: [PATCH 11/16] Move to Privacy --- .../MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md | 0 .../MASTG-DEMO-yyyy/MastgTest.kt | 0 .../MASTG-DEMO-yyyy/MastgTest_reversed.java | 0 .../MASTG-DEMO-yyyy/output.txt | 0 .../MASTG-DEMO-yyyy/run.sh | 0 .../{MASVS-PLATFORM => MASVS-PRIVACY}/MASTG-TEST-xxxx.md | 6 +++--- 6 files changed, 3 insertions(+), 3 deletions(-) rename demos/android/{MASVS-PLATFORM => MASVS-PRIVACY}/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md (100%) rename demos/android/{MASVS-PLATFORM => MASVS-PRIVACY}/MASTG-DEMO-yyyy/MastgTest.kt (100%) rename demos/android/{MASVS-PLATFORM => MASVS-PRIVACY}/MASTG-DEMO-yyyy/MastgTest_reversed.java (100%) rename demos/android/{MASVS-PLATFORM => MASVS-PRIVACY}/MASTG-DEMO-yyyy/output.txt (100%) rename demos/android/{MASVS-PLATFORM => MASVS-PRIVACY}/MASTG-DEMO-yyyy/run.sh (100%) rename tests-beta/android/{MASVS-PLATFORM => MASVS-PRIVACY}/MASTG-TEST-xxxx.md (82%) diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md b/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md similarity index 100% rename from demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md rename to demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MastgTest.kt b/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MastgTest.kt similarity index 100% rename from demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MastgTest.kt rename to demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MastgTest.kt diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MastgTest_reversed.java b/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MastgTest_reversed.java similarity index 100% rename from demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/MastgTest_reversed.java rename to demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MastgTest_reversed.java diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/output.txt b/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/output.txt similarity index 100% rename from demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/output.txt rename to demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/output.txt diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/run.sh b/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/run.sh similarity index 100% rename from demos/android/MASVS-PLATFORM/MASTG-DEMO-yyyy/run.sh rename to demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/run.sh diff --git a/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md b/tests-beta/android/MASVS-PRIVACY/MASTG-TEST-xxxx.md similarity index 82% rename from tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md rename to tests-beta/android/MASVS-PRIVACY/MASTG-TEST-xxxx.md index f4ea1e47014..3fecba0c3a9 100644 --- a/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-xxxx.md +++ b/tests-beta/android/MASVS-PRIVACY/MASTG-TEST-xxxx.md @@ -1,17 +1,17 @@ --- platform: android -title: Sensitive Data Leaked via Embedded Libraries +title: App Exposing Sensitive Data to Embedded Libraries id: MASTG-TEST-xxxx // TODO type: [static, dynamic] weakness: MASWE-xxxA // TODO see https://github.com/OWASP/maswe/pull/11 prerequisites: - identify-sensitive-data -profiles: [L1, L2] +profiles: [P] --- ## Overview -This test case focuses on identifying potentially sensitive data that may have been inadvertently leaked through embedded third-party libraries used by the application. For example, an app might use a third-party analytics SDK to track user behavior. Still, if the SDK is not correctly configured, it could inadvertently send sensitive information (like PIIs - Personal Identifiable Information, or secrets) to that third-party service. +This test case verifies the identification of potentially sensitive data that may have been inadvertently leaked through embedded third-party libraries used by the application. For example, an app might use a third-party analytics SDK to track user behavior. Still, if the SDK is not used correctly, it could inadvertently send sensitive information (like PIIs - Personal Identifiable Information, or secrets) to that third-party service. ## Steps From a45c42fc761767fde7f94142b4ed657221001baa Mon Sep 17 00:00:00 2001 From: Dionysis Lorentzos Date: Mon, 6 Oct 2025 13:17:27 +0200 Subject: [PATCH 12/16] Move Firebase Analytics dependency --- demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md | 2 -- .../android/MASVS-PRIVACY/MASTG-DEMO-yyyy/build.gradle.kts.libs | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) create mode 100644 demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/build.gradle.kts.libs diff --git a/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md b/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md index 7b0be01ddf6..3ecff70655e 100644 --- a/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md +++ b/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md @@ -10,8 +10,6 @@ test: MASTG-TEST-xxxx This sample demonstrates an Android application that inadvertently leaks sensitive user information to Firebase Analytics. The app collects various types of sensitive data, such as user IDs, email addresses, and names, and sends this information to Firebase Analytics. -> Note: To compile the test correctly, you need to include the Firebase Analytics library in the `build.gradle` file. i.e.`implementation("com.google.firebase:firebase-analytics:23.0.0")`. - {{ MastgTest.kt }} ## Steps diff --git a/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/build.gradle.kts.libs b/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/build.gradle.kts.libs new file mode 100644 index 00000000000..04a6e7c7779 --- /dev/null +++ b/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/build.gradle.kts.libs @@ -0,0 +1 @@ +implementation("com.google.firebase:firebase-analytics:23.0.0") \ No newline at end of file From ccb8c1c24940ad10c3d3bafbebf95218182e9899 Mon Sep 17 00:00:00 2001 From: Dionysis Lorentzos Date: Mon, 6 Oct 2025 13:17:27 +0200 Subject: [PATCH 13/16] Move Firebase Analytics dependency --- demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md b/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md index 3ecff70655e..2f92e44c561 100644 --- a/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md +++ b/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md @@ -10,7 +10,7 @@ test: MASTG-TEST-xxxx This sample demonstrates an Android application that inadvertently leaks sensitive user information to Firebase Analytics. The app collects various types of sensitive data, such as user IDs, email addresses, and names, and sends this information to Firebase Analytics. -{{ MastgTest.kt }} +{{ MastgTest.kt # build.gradle.kts.libs }} ## Steps From 20375851d43ace4e3614eb33f98eb5380012dc41 Mon Sep 17 00:00:00 2001 From: Dionysis Lorentzos Date: Mon, 6 Oct 2025 16:16:42 +0200 Subject: [PATCH 14/16] Update title to clarify sensitive information exposure in Firebase Analytics --- demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md b/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md index 2f92e44c561..9003f6fd916 100644 --- a/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md +++ b/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md @@ -1,6 +1,6 @@ --- platform: android -title: App leaking sensitive information to Firebase Analytics +title: App Exposing Sensitive Information to Firebase Analytics id: MASTG-DEMO-yyyy code: [kotlin] test: MASTG-TEST-xxxx From 7e4ecf2a6dedbd6ae82927415a96ce588e1dede3 Mon Sep 17 00:00:00 2001 From: Dionysis Lorentzos Date: Mon, 20 Oct 2025 12:01:02 +0200 Subject: [PATCH 15/16] Allocate IDs --- .../MASTG-DEMO-yyyy.md => MASTG-DEMO-0066/MASTG-DEMO-0066.md} | 4 ++-- .../{MASTG-DEMO-yyyy => MASTG-DEMO-0066}/MastgTest.kt | 0 .../MastgTest_reversed.java | 0 .../build.gradle.kts.libs | 0 .../{MASTG-DEMO-yyyy => MASTG-DEMO-0066}/output.txt | 0 .../MASVS-PRIVACY/{MASTG-DEMO-yyyy => MASTG-DEMO-0066}/run.sh | 0 .../MASVS-PRIVACY/{MASTG-TEST-xxxx.md => MASTG-TEST-0297.md} | 2 +- tests/android/MASVS-STORAGE/MASTG-TEST-0004.md | 2 +- 8 files changed, 4 insertions(+), 4 deletions(-) rename demos/android/MASVS-PRIVACY/{MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md => MASTG-DEMO-0066/MASTG-DEMO-0066.md} (96%) rename demos/android/MASVS-PRIVACY/{MASTG-DEMO-yyyy => MASTG-DEMO-0066}/MastgTest.kt (100%) rename demos/android/MASVS-PRIVACY/{MASTG-DEMO-yyyy => MASTG-DEMO-0066}/MastgTest_reversed.java (100%) rename demos/android/MASVS-PRIVACY/{MASTG-DEMO-yyyy => MASTG-DEMO-0066}/build.gradle.kts.libs (100%) rename demos/android/MASVS-PRIVACY/{MASTG-DEMO-yyyy => MASTG-DEMO-0066}/output.txt (100%) rename demos/android/MASVS-PRIVACY/{MASTG-DEMO-yyyy => MASTG-DEMO-0066}/run.sh (100%) rename tests-beta/android/MASVS-PRIVACY/{MASTG-TEST-xxxx.md => MASTG-TEST-0297.md} (99%) diff --git a/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md b/demos/android/MASVS-PRIVACY/MASTG-DEMO-0066/MASTG-DEMO-0066.md similarity index 96% rename from demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md rename to demos/android/MASVS-PRIVACY/MASTG-DEMO-0066/MASTG-DEMO-0066.md index 9003f6fd916..020194a8c95 100644 --- a/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MASTG-DEMO-yyyy.md +++ b/demos/android/MASVS-PRIVACY/MASTG-DEMO-0066/MASTG-DEMO-0066.md @@ -1,9 +1,9 @@ --- platform: android title: App Exposing Sensitive Information to Firebase Analytics -id: MASTG-DEMO-yyyy +id: MASTG-DEMO-0066 code: [kotlin] -test: MASTG-TEST-xxxx +test: MASTG-TEST-0297 --- ## Sample diff --git a/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MastgTest.kt b/demos/android/MASVS-PRIVACY/MASTG-DEMO-0066/MastgTest.kt similarity index 100% rename from demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MastgTest.kt rename to demos/android/MASVS-PRIVACY/MASTG-DEMO-0066/MastgTest.kt diff --git a/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MastgTest_reversed.java b/demos/android/MASVS-PRIVACY/MASTG-DEMO-0066/MastgTest_reversed.java similarity index 100% rename from demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/MastgTest_reversed.java rename to demos/android/MASVS-PRIVACY/MASTG-DEMO-0066/MastgTest_reversed.java diff --git a/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/build.gradle.kts.libs b/demos/android/MASVS-PRIVACY/MASTG-DEMO-0066/build.gradle.kts.libs similarity index 100% rename from demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/build.gradle.kts.libs rename to demos/android/MASVS-PRIVACY/MASTG-DEMO-0066/build.gradle.kts.libs diff --git a/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/output.txt b/demos/android/MASVS-PRIVACY/MASTG-DEMO-0066/output.txt similarity index 100% rename from demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/output.txt rename to demos/android/MASVS-PRIVACY/MASTG-DEMO-0066/output.txt diff --git a/demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/run.sh b/demos/android/MASVS-PRIVACY/MASTG-DEMO-0066/run.sh similarity index 100% rename from demos/android/MASVS-PRIVACY/MASTG-DEMO-yyyy/run.sh rename to demos/android/MASVS-PRIVACY/MASTG-DEMO-0066/run.sh diff --git a/tests-beta/android/MASVS-PRIVACY/MASTG-TEST-xxxx.md b/tests-beta/android/MASVS-PRIVACY/MASTG-TEST-0297.md similarity index 99% rename from tests-beta/android/MASVS-PRIVACY/MASTG-TEST-xxxx.md rename to tests-beta/android/MASVS-PRIVACY/MASTG-TEST-0297.md index 3fecba0c3a9..3fd1550d03a 100644 --- a/tests-beta/android/MASVS-PRIVACY/MASTG-TEST-xxxx.md +++ b/tests-beta/android/MASVS-PRIVACY/MASTG-TEST-0297.md @@ -1,7 +1,7 @@ --- platform: android title: App Exposing Sensitive Data to Embedded Libraries -id: MASTG-TEST-xxxx // TODO +id: MASTG-TEST-0297 type: [static, dynamic] weakness: MASWE-xxxA // TODO see https://github.com/OWASP/maswe/pull/11 prerequisites: diff --git a/tests/android/MASVS-STORAGE/MASTG-TEST-0004.md b/tests/android/MASVS-STORAGE/MASTG-TEST-0004.md index c900122d43c..fee6db25126 100644 --- a/tests/android/MASVS-STORAGE/MASTG-TEST-0004.md +++ b/tests/android/MASVS-STORAGE/MASTG-TEST-0004.md @@ -10,7 +10,7 @@ masvs_v1_levels: - L2 profiles: [L1, L2] status: deprecated -covered_by: [MASTG-TEST-xxxx] // TODO +covered_by: [MASTG-TEST-0297] deprecation_note: New version available in MASTG V2 --- From fab5deae23ede545017e8ad10be17affd6ff23ed Mon Sep 17 00:00:00 2001 From: Dionysis Lorentzos Date: Mon, 20 Oct 2025 12:03:57 +0200 Subject: [PATCH 16/16] Allocate IDs --- tests-beta/android/MASVS-PRIVACY/MASTG-TEST-0206.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests-beta/android/MASVS-PRIVACY/MASTG-TEST-0206.md b/tests-beta/android/MASVS-PRIVACY/MASTG-TEST-0206.md index 42f2557194d..88f88a42a6d 100644 --- a/tests-beta/android/MASVS-PRIVACY/MASTG-TEST-0206.md +++ b/tests-beta/android/MASVS-PRIVACY/MASTG-TEST-0206.md @@ -31,4 +31,4 @@ The output should contain a network traffic sensitive data log that includes the The test case fails if you can find the sensitive data you entered into the app that is not stated in the App Store Privacy declarations. -Note that this test does not provide any code locations where the sensitive data is being sent over the network. In order to identify the code locations, you can use static analysis tools like @MASTG-TOOL-0110 or dynamic analysis tools like @MASTG-TOOL-0031. Consult @MASTG-TEST-xxxx for more details. +Note that this test does not provide any code locations where the sensitive data is being sent over the network. In order to identify the code locations, you can use static analysis tools like @MASTG-TOOL-0110 or dynamic analysis tools like @MASTG-TOOL-0031. Consult @MASTG-TEST-0297 for more details.