diff --git a/tests-beta/android/MASVS-STORAGE/MASTG-TEST-0203.md b/tests-beta/android/MASVS-STORAGE/MASTG-TEST-0203.md index 81976d7b02..3636bf70a9 100644 --- a/tests-beta/android/MASVS-STORAGE/MASTG-TEST-0203.md +++ b/tests-beta/android/MASVS-STORAGE/MASTG-TEST-0203.md @@ -1,6 +1,6 @@ --- platform: android -title: Leakage of Sensitive Data via Logging APIs +title: Runtime Use of Logging APIs id: MASTG-TEST-0203 apis: [Log, Logger, System.out.print, System.err.print, java.lang.Throwable#printStackTrace] type: [dynamic] diff --git a/tests-beta/android/MASVS-STORAGE/MASTG-TEST-0231.md b/tests-beta/android/MASVS-STORAGE/MASTG-TEST-0231.md new file mode 100644 index 0000000000..d8265b6aac --- /dev/null +++ b/tests-beta/android/MASVS-STORAGE/MASTG-TEST-0231.md 
@@ -0,0 +1,45 @@ +--- +platform: android +title: References to Logging APIs +id: MASTG-TEST-0231 +apis: [Log, Logger, System.out.print, System.err.print, java.lang.Throwable#printStackTrace, android.util.Log] +type: [static] +weakness: MASWE-0001 +--- + +## Overview + +This test verifies if an app uses logging APIs like `android.util.Log`, `Log`, `Logger`, `System.out.print`, `System.err.print`, and `java.lang.Throwable#printStackTrace`. + +## Steps + +1. Use either @MASTG-TECH-0014 with a tool such as @MASTG-TOOL-0110 to identify all logging APIs. + +## Observation + +The output should contain a list of locations where logging APIs are used. + +## Evaluation + +The test fails if an app logs sensitive information from any of the listed locations. Ideally, a release build shouldn't use any logging functions, making it easier to assess sensitive data exposure. + +## Mitigation + +While preparing the production release, you can use tools like @MASTG-TOOL-0022 (included in Android Studio). To determine whether all logging functions from the `android.util.Log` class have been removed, check the ProGuard configuration file (proguard-rules.pro) for the following options (according to this [example of removing logging code](https://www.guardsquare.com/en/products/proguard/manual/examples#logging "ProGuard\'s example of removing logging code") and this article about [enabling ProGuard in an Android Studio project](https://developer.android.com/studio/build/shrink-code#enable "Android Developer - Enable shrinking, obfuscation, and optimization")): + +```default +-assumenosideeffects class android.util.Log +{ + public static boolean isLoggable(java.lang.String, int); + public static int v(...); + public static int i(...); + public static int w(...); + public static int d(...); + public static int e(...); + public static int wtf(...); +} +``` + +Note that the example above only ensures that calls to the Log class' methods will be removed. 
If the string that will be logged is dynamically constructed, the code that constructs the string may remain in the bytecode. + +Alternatively, you can implement a custom logging facility and disable it at once only for the release builds. diff --git a/tests/android/MASVS-STORAGE/MASTG-TEST-0003.md b/tests/android/MASVS-STORAGE/MASTG-TEST-0003.md index 72614587f0..14ed58ca89 100644 --- a/tests/android/MASVS-STORAGE/MASTG-TEST-0003.md +++ b/tests/android/MASVS-STORAGE/MASTG-TEST-0003.md @@ -8,6 +8,8 @@ title: Testing Logs for Sensitive Data masvs_v1_levels: - L1 - L2 +status: deprecated +covered_by: [MASTG-TEST-0203, MASTG-TEST-0231] --- ## Overview
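Review bot: The rename of MASTG-TEST-0203 to "Runtime Use of Logging APIs" is only a front-matter change, and the `apis` line directly below it still omits `android.util.Log`, whereas the new static companion test MASTG-TEST-0231 in this same patch lists it (`apis: [Log, Logger, System.out.print, System.err.print, java.lang.Throwable#printStackTrace, android.util.Log]`). The dynamic and static tests now disagree on the API set; suggest adding `android.util.Log` here (or dropping the bare `Log` entry in 0231) so both tests cover the same APIs.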
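Review bot: In the new MASTG-TEST-0231, the Evaluation criterion "The test fails if an app logs sensitive information from any of the listed locations" cannot be decided from the Observation the test produces, which is only "a list of locations where logging APIs are used"; a static reference search does not show what is logged. Suggest either adding a step to inspect the arguments passed at each location (or pointing to the dynamic test MASTG-TEST-0203 for that), or changing the criterion to fail on any logging call present in a release build, which the following sentence already recommends. Smaller points in the same hunk: "Use either @MASTG-TECH-0014 with a tool such as @MASTG-TOOL-0110" has an "either" with no second alternative; "verifies if" should read "verifies whether"; the `apis` list carries both `Log` and `android.util.Log`; and "the Log class' methods" should be "the Log class's methods".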
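Review bot: The deprecation of MASTG-TEST-0003 adds `status: deprecated` and `covered_by: [MASTG-TEST-0203, MASTG-TEST-0231]` in the front matter only; the trailing `## Overview` context shows the body is left as it was, so a reader of the rendered test gets no pointer to the replacements. Suggest a one-line note at the top of the Overview naming the two covering tests.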