Port MASTG-TEST-0012 (by @guardsquare) #3113
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cpholguera
requested changes
Feb 6, 2025
|
|
||
| ### Evaluation | ||
|
|
||
| The test succeeds because the output files show references to Device-Access-Security APIs |
There was a problem hiding this comment.
Suggested change
| The test succeeds because the output files show references to Device-Access-Security APIs | |
| The test passes because the output show references to Device-Access-Security APIs. |
| - a recent OS version | ||
| - a OS build intended for the end users | ||
|
|
||
| {{ MastgTest.kt }} |
There was a problem hiding this comment.
Suggested change
| {{ MastgTest.kt }} | |
| {{ MastgTest.kt # MastgTest_reversed.java }} |
Comment on lines
+30
to
+31
| The third argument of `objc_msgSend(...)` is `LAPolicyDeviceOwnerAuthentication` because `w2` register at the time of the function invocation is set to `2` with a `mov` instruction at Line 9. `2` is an | ||
| [enum](https://developer.apple.com/documentation/localauthentication/lapolicy?language=objc) representation of `LAPolicyDeviceOwnerAuthentication`. |
There was a problem hiding this comment.
very nice!
Suggested change
| The third argument of `objc_msgSend(...)` is `LAPolicyDeviceOwnerAuthentication` because `w2` register at the time of the function invocation is set to `2` with a `mov` instruction at Line 9. `2` is an | |
| [enum](https://developer.apple.com/documentation/localauthentication/lapolicy?language=objc) representation of `LAPolicyDeviceOwnerAuthentication`. | |
| The third argument of `objc_msgSend(...)` is `LAPolicyDeviceOwnerAuthentication` because `w2` register at the time of the function invocation is set to `2` with a `mov` instruction at Line 9. `2` is an [enum](https://developer.apple.com/documentation/localauthentication/lapolicy?language=objc) representation of `LAPolicyDeviceOwnerAuthentication`. |
|
|
||
| ### Evaluation | ||
|
|
||
| The test succeeds because the output files show references to Device-Access-Security API, which indicates that a developer checks whether a passcode is set. |
There was a problem hiding this comment.
Suggested change
| The test succeeds because the output files show references to Device-Access-Security API, which indicates that a developer checks whether a passcode is set. | |
| The test passes because the output show references to Device-Access-Security APIs, which indicates that a developer checks whether a passcode is set. |
| --- | ||
| platform: ios | ||
| title: References to Device-Access-Security Policy APIs | ||
| id: MASTG-TEST-0243 |
There was a problem hiding this comment.
Please explain in the PR description why this was removed:
You can implement checks on the Android device by querying Settings.Secure for system preferences. Device Administration API offers techniques for creating applications that can enforce password policies and device encryption.
My understanding is that:
- Device Administration API
- is something that apps like Intune would use. Also it's deprecated. Instead, Android for enterprise should be used.
- requires device admin privileges so it's not apt for "regular apps" and we can ignore it for these tests.
- Settings.Secure seems to be unrelated and the right API is isDeviceSecure
|
|
||
| This test checks whether an application is running on a device with secure policies such as | ||
|
|
||
| - device passcode is set |
There was a problem hiding this comment.
What about including...?
biometricManager.canAuthenticate(BiometricManager.Authenticators.BIOMETRIC_STRONG)checks if the device supports strong biometric authentication and if the user has enrolled biometric credentials. The method returns one of the following constants:
- BIOMETRIC_SUCCESS: The device supports biometrics, and the user has enrolled at least one biometric credential.
- BIOMETRIC_ERROR_NO_HARDWARE: The device does not have biometric hardware.
- BIOMETRIC_ERROR_HW_UNAVAILABLE: The biometric hardware is currently unavailable.
- BIOMETRIC_ERROR_NONE_ENROLLED: The user has not enrolled any biometric credentials.
Requires Manifest.permission.USE_BIOMETRIC
Comment on lines
+1
to
+29
| package org.owasp.mastestapp | ||
|
|
||
| import android.app.KeyguardManager | ||
| import android.content.Context | ||
| import android.os.Build | ||
|
|
||
|
|
||
| class MastgTest (private val context: Context){ | ||
|
|
||
| fun mastgTest(): String { | ||
| val isLocked = isDeviceSecure(context) | ||
| val androidSdkVersion = getSystemSdkVersion() | ||
| val isSystemDebuggable = isSystemDebuggable() | ||
| return "Device has a passcode: $isLocked\nandroidSdkVersion:$androidSdkVersion\nisSystemDebuggable:$isSystemDebuggable" | ||
| } | ||
|
|
||
| fun isDeviceSecure(context: Context): Boolean { | ||
| val keyguardManager = context.getSystemService(Context.KEYGUARD_SERVICE) as KeyguardManager | ||
| return keyguardManager.isDeviceSecure | ||
| } | ||
|
|
||
| fun getSystemSdkVersion(): Int { | ||
| return android.os.Build.VERSION.SDK_INT | ||
| } | ||
|
|
||
| fun isSystemDebuggable(): Boolean { | ||
| return Build.TYPE == "eng" || Build.TYPE == "userdebug" | ||
| } | ||
| } |
There was a problem hiding this comment.
Suggested change
| package org.owasp.mastestapp | |
| import android.app.KeyguardManager | |
| import android.content.Context | |
| import android.os.Build | |
| class MastgTest (private val context: Context){ | |
| fun mastgTest(): String { | |
| val isLocked = isDeviceSecure(context) | |
| val androidSdkVersion = getSystemSdkVersion() | |
| val isSystemDebuggable = isSystemDebuggable() | |
| return "Device has a passcode: $isLocked\nandroidSdkVersion:$androidSdkVersion\nisSystemDebuggable:$isSystemDebuggable" | |
| } | |
| fun isDeviceSecure(context: Context): Boolean { | |
| val keyguardManager = context.getSystemService(Context.KEYGUARD_SERVICE) as KeyguardManager | |
| return keyguardManager.isDeviceSecure | |
| } | |
| fun getSystemSdkVersion(): Int { | |
| return android.os.Build.VERSION.SDK_INT | |
| } | |
| fun isSystemDebuggable(): Boolean { | |
| return Build.TYPE == "eng" || Build.TYPE == "userdebug" | |
| } | |
| } | |
| package org.owasp.mastestapp | |
| import android.app.KeyguardManager | |
| import android.content.Context | |
| import android.hardware.biometrics.BiometricManager | |
| import android.os.Build | |
| class MastgTest(private val context: Context) { | |
| fun mastgTest(): String { | |
| val isLocked = isDeviceSecure(context) | |
| val biometricStatus = checkStrongBiometricStatus() | |
| return "Device has a passcode: $isLocked\n\n" + | |
| "Biometric status: $biometricStatus" | |
| } | |
| fun isDeviceSecure(context: Context): Boolean { | |
| val keyguardManager = context.getSystemService(Context.KEYGUARD_SERVICE) as KeyguardManager | |
| return keyguardManager.isDeviceSecure | |
| } | |
| /** | |
| * Checks if the device supports strong biometric authentication (e.g., fingerprint, face, iris) | |
| * and if the user has enrolled biometric credentials. | |
| * | |
| * **Note:** This API is available on API level 30 (Android R) and above. | |
| * | |
| * @return A human-readable string describing the biometric status. | |
| */ | |
| fun checkStrongBiometricStatus(): String { | |
| if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) { | |
| val biometricManager = context.getSystemService(BiometricManager::class.java) | |
| val result = biometricManager.canAuthenticate(BiometricManager.Authenticators.BIOMETRIC_STRONG) | |
| return when (result) { | |
| BiometricManager.BIOMETRIC_SUCCESS -> | |
| "BIOMETRIC_SUCCESS - Strong biometric authentication is available." | |
| BiometricManager.BIOMETRIC_ERROR_NO_HARDWARE -> | |
| "BIOMETRIC_ERROR_NO_HARDWARE - No biometric hardware available." | |
| BiometricManager.BIOMETRIC_ERROR_HW_UNAVAILABLE -> | |
| "BIOMETRIC_ERROR_HW_UNAVAILABLE - Biometric hardware is currently unavailable." | |
| BiometricManager.BIOMETRIC_ERROR_NONE_ENROLLED -> | |
| "BIOMETRIC_ERROR_NONE_ENROLLED - No biometrics enrolled." | |
| else -> | |
| "Unknown biometric status: $result" | |
| } | |
| } else { | |
| return "Strong biometric authentication check is not supported on this API level." | |
| } | |
| } | |
| } |
There was a problem hiding this comment.
needs <uses-permission android:name="android.permission.USE_BIOMETRIC" /> in the AndroidManifest
|
Using the new .kt file: Emulator
Physical Pixel
|
cpholguera
reviewed
Feb 7, 2025
Comment on lines
+1
to
+15
| e asm.bytes=false | ||
| e scr.color=false | ||
| e asm.var=false | ||
|
|
||
| aao | ||
| e asm.emu=true | ||
|
|
||
| ?e Print xrefs to \'canEvaluatePolicy\" | ||
| f~str.canEvaluatePolicy:error: | ||
|
|
||
| ?e Print xrefs to 0x100008360 | ||
| axt 0x100008360 | ||
|
|
||
| ?e Print disassembly around \"canEvaluatePolicy\" in the function | ||
| pdf @ 0x100004f10 | grep -B 5 "canEvaluatePolicy:error:" |
There was a problem hiding this comment.
works with the latest r2 from git
Suggested change
| e asm.bytes=false | |
| e scr.color=false | |
| e asm.var=false | |
| aao | |
| e asm.emu=true | |
| ?e Print xrefs to \'canEvaluatePolicy\" | |
| f~str.canEvaluatePolicy:error: | |
| ?e Print xrefs to 0x100008360 | |
| axt 0x100008360 | |
| ?e Print disassembly around \"canEvaluatePolicy\" in the function | |
| pdf @ 0x100004f10 | grep -B 5 "canEvaluatePolicy:error:" | |
| e asm.bytes=false | |
| e scr.color=false | |
| e asm.var=false | |
| ?e Print xrefs to \'canEvaluatePolicy\" | |
| f~canEvaluatePolicy | |
| ?e | |
| ?e Print xrefs to 0x100008360 | |
| axt @ 0x100008360 | |
| ?e | |
| ?e Print xrefs to 0x1000100a0 | |
| axt @ 0x1000100a0 | |
| ?e | |
| ?e Print disassembly around \"canEvaluatePolicy\" in the function | |
| pdf @ 0x100004f10 | grep -C 5 "canEvaluatePolicy:error:" |
cpholguera
reviewed
Feb 7, 2025
| @@ -0,0 +1,2 @@ | |||
| #!/bin/bash | |||
| r2 -q -i isDevicePasscodeSet.r2 -A MASTestApp > output.asm | |||
There was a problem hiding this comment.
Suggested change
| r2 -q -i isDevicePasscodeSet.r2 -A MASTestApp > output.asm | |
| r2 -q -i isDevicePasscodeSet.r2 -e emu.str=true -A MASTestApp > output.asm |
cpholguera
reviewed
Feb 7, 2025
|
|
||
| ## Overview | ||
|
|
||
| This test verifies that an application is running on a device with a set passcode. A set passcode ensures that data on the device is encrypted and access to the device is restricted. |
There was a problem hiding this comment.
Should we also include this?
From the weakness draft:
to make sure that biometrics can be used, verify that the
kSecAttrAccessibleWhenPasscodeSetThisDeviceOnlyor thekSecAttrAccessibleWhenPasscodeSetprotection class is set when theSecAccessControlCreateWithFlagsmethod is called
To use Optic ID, Face ID, or Touch ID, the user must set up their device so that a passcode or password is required to unlock it.
https://support.apple.com/en-ph/guide/security/sec9479035f1/web
…ice security enforcement
cpholguera
requested changes
Feb 7, 2025
| @@ -0,0 +1,35 @@ | |||
| --- | |||
| platform: ios | |||
| title: Uses of Device-Access-Security APIs | |||
There was a problem hiding this comment.
Suggested change
| title: Uses of Device-Access-Security APIs | |
| title: Uses of LAContext.canEvaluatePolicy with r2 |
| @@ -0,0 +1,39 @@ | |||
| --- | |||
| platform: android | |||
| title: Uses of Device-Access-Security APIs | |||
There was a problem hiding this comment.
Suggested change
| title: Uses of Device-Access-Security APIs | |
| title: Uses of KeyguardManager.isDeviceSecure with semgrep |
cpholguera
reviewed
Feb 7, 2025
Comment on lines
+16
to
+17
| - running on a recent version of Android OS | ||
| - running on a secure system build intended for the end users |
There was a problem hiding this comment.
As discussed in Slack, these two can be removed from here after the changes done in MASWE-0008. If anything, they'd belong in MASWE-0077 or other MASWEs related to MASVS-RESILIENCE-1
Suggested change
| - running on a recent version of Android OS | |
| - running on a secure system build intended for the end users |
cpholguera
reviewed
Feb 7, 2025
| @@ -1,29 +1,28 @@ | |||
| --- | |||
| title: Device Access Security Policy Not Enforced | |||
| title: Secured Device Detection Not Implemented | |||
There was a problem hiding this comment.
or "Missing Device Secure Lock Verification Implementation". Any other ideas?
cpholguera
reviewed
Feb 7, 2025
| @@ -0,0 +1,25 @@ | |||
| --- | |||
| platform: ios | |||
| title: References to Device-Access-Security Policy APIs | |||
There was a problem hiding this comment.
maybe?
Suggested change
| title: References to Device-Access-Security Policy APIs | |
| title: References to Secure Lock Verification APIs |
cpholguera
reviewed
Feb 7, 2025
| @@ -0,0 +1,31 @@ | |||
| --- | |||
| platform: android | |||
| title: References to Device-Access-Security Policy APIs | |||
There was a problem hiding this comment.
maybe?
Suggested change
| title: References to Device-Access-Security Policy APIs | |
| title: References to Secure Lock Verification APIs |
cpholguera
reviewed
Feb 8, 2025
cpholguera
reviewed
Feb 8, 2025
cpholguera
reviewed
Feb 8, 2025
Comment on lines
+2
to
+3
| NO_COLOR=true semgrep -c ../../../../rules/mastg-android-device-access-security-sdk-version.yml ./MastgTest_reversed.java --text -o output_version.txt | ||
| NO_COLOR=true semgrep -c ../../../../rules/mastg-android-device-access-security-debuggable-system.yml ./MastgTest_reversed.java --text -o output_debuggable_system.txt |
There was a problem hiding this comment.
Suggested change
| NO_COLOR=true semgrep -c ../../../../rules/mastg-android-device-access-security-sdk-version.yml ./MastgTest_reversed.java --text -o output_version.txt | |
| NO_COLOR=true semgrep -c ../../../../rules/mastg-android-device-access-security-debuggable-system.yml ./MastgTest_reversed.java --text -o output_debuggable_system.txt |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR closes #2937