Merge branch 'master' of https://github.com/OWASP/owasp-mastg into pr…

…/sk3l10x1ng/3073

.gitignore

@@ -29,4 +29,5 @@ docs/assets/Images
 OWASP_MASVS.yaml
 cross_references.yaml
 drafts/
-Payload/
+Payload/
+.vscode/settings.json

Document/0x02a-Frontispiece.md

@@ -58,7 +58,7 @@ All our Changelogs are available online at the OWASP MASTG GitHub repository, se
 
 Please consult the laws in your country before executing any tests against mobile apps by utilizing the MASTG materials. Refrain from violating the laws with anything described in the MASTG.
 
-Our [Code of Conduct] has further details: <https://github.com/OWASP/owasp-mastg/blob/master/.github/CODE_OF_CONDUCT.md>
+Our [Code of Conduct](https://github.com/OWASP/owasp-mastg/blob/master/.github/CODE_OF_CONDUCT.md) has further details.
 
 OWASP thanks the many authors, reviewers, and editors for their hard work in developing this guide. If you have any comments or suggestions, please connect with us: <https://mas.owasp.org/contact>
 

Document/0x05h-Testing-Platform-Interaction.md

@@ -48,6 +48,9 @@ Independently from the assigned Protection Level, it is important to consider th
 | **CRITICAL**     | `android.permission.MOUNT_UNMOUNT_FILESYSTEMS`                  | signature         |
 | **CRITICAL**     | `android.permission.PROVIDE_DEFAULT_ENABLED_CREDENTIAL_SERVICE` | signature         |
 | **CRITICAL**     | `android.permission.PROVIDE_REMOTE_CREDENTIALS`                 | signature         |
+| **CRITICAL**     | `android.permission.THREAD_NETWORK_PRIVILEGED`                  | signature         |
+| **CRITICAL**     | `android.permission.RECORD_SENSITIVE_CONTENT`                   | signature         |
+| **CRITICAL**     | `android.permission.RECEIVE_SENSITIVE_NOTIFICATIONS`            | signature         |
 | **HIGH**         | `android.permission.INSTALL_GRANT_RUNTIME_PERMISSIONS`          | signature         |
 | **HIGH**         | `android.permission.READ_SMS`                                   | dangerous         |
 | **HIGH**         | `android.permission.WRITE_SMS`                                  | normal            |
@@ -72,6 +75,9 @@ Independently from the assigned Protection Level, it is important to consider th
 | **HIGH**         | `android.permission.MANAGE_ONGOING_CALLS`                       | signature         |
 | **HIGH**         | `android.permission.READ_RESTRICTED_STATS`                      | internal          |
 | **HIGH**         | `android.permission.BIND_AUTOFILL_SERVICE`                      | signature         |
+| **HIGH**         | `android.permission.WRITE_VERIFICATION_STATE_E2EE_CONTACT_KEYS` | signature         |
+| **HIGH**         | `android.permission.READ_DROPBOX_DATA`                          | signature         |
+| **HIGH**         | `android.permission.WRITE_FLAGS`                                | signature         |
 | **MEDIUM**       | `android.permission.ACCESS_COARSE_LOCATION`                     | dangerous         |
 | **MEDIUM**       | `android.permission.CHANGE_COMPONENT_ENABLED_STATE`             | signature         |
 | **MEDIUM**       | `android.permission.READ_CONTACTS`                              | dangerous         |
@@ -94,6 +100,9 @@ Independently from the assigned Protection Level, it is important to consider th
 | **MEDIUM**       | `android.permission.READ_MEDIA_AUDIO`                           | dangerous         |
 | **MEDIUM**       | `android.permission.READ_MEDIA_IMAGES`                          | dangerous         |
 | **MEDIUM**       | `android.permission.READ_MEDIA_VIDEO`                           | dangerous         |
+| **MEDIUM**       | `android.permission.REGISTER_NSD_OFFLOAD_ENGINE`                | signature         |
+| **MEDIUM**       | `android.permission.ACCESS_LAST_KNOWN_CELL_ID`                  | signature         |
+| **MEDIUM**       | `android.permission.USE_COMPANION_TRANSPORTS`                   | signature         |
 | **LOW**          | `android.permission.DOWNLOAD_WITHOUT_NOTIFICATION`              | normal            |
 | **LOW**          | `android.permission.PACKAGE_USAGE_STATS`                        | signature         |
 | **LOW**          | `android.permission.MASTER_CLEAR`                               | signature         |
@@ -105,6 +114,11 @@ Independently from the assigned Protection Level, it is important to consider th
 | **LOW**          | `android.permission.LOG_FOREGROUND_RESOURCE_USE`                | signature         |
 | **LOW**          | `android.permission.MANAGE_DEFAULT_APPLICATIONS`                | signature         |
 | **LOW**          | `android.permission.MANAGE_FACE`                                | signature         |
+| **LOW**          | `android.permission.REPORT_USAGE_STATS`                         | signature         |
+| **LOW**          | `android.permission.MANAGE_DISPLAYS`                            | signature         |
+| **LOW**          | `android.permission.RESTRICT_DISPLAY_MODES`                     | signature         |
+| **LOW**          | `android.permission.ACCESS_HIDDEN_PROFILES_FULL`                | signature         |
+| **LOW**          | `android.permission.GET_BACKGROUND_INSTALLED_PACKAGES`          | signature         |
 | **NONE**         | `android.permission.ACCESS_NETWORK_STATE`                       | normal            |
 | **NONE**         | `android.permission.RECEIVE_BOOT_COMPLETED`                     | normal            |
 | **NONE**         | `android.permission.WAKE_LOCK`                                  | normal            |

Document/0x06i-Testing-Code-Quality-and-Build-Settings.md

@@ -51,7 +51,7 @@ Detecting the presence of [binary protection mechanisms](0x04h-Testing-Code-Qual
 Although Xcode enables all binary security features by default, it may be relevant to verify this for old applications or to check for compiler flag misconfigurations. The following features are applicable:
 
 - [**PIE (Position Independent Executable)**](0x04h-Testing-Code-Quality.md#position-independent-code):
-    - PIE applies to executable binaries (Mach-O type `MH_EXECUTE`).
+    - PIE applies to executable binaries (Mach-O type `MH_EXECUTE`) [source](https://web.archive.org/web/20230328221404/https://opensource.apple.com/source/cctools/cctools-921/include/mach-o/loader.h.auto.html).
     - However it's not applicable for libraries (Mach-O type `MH_DYLIB`).
 - [**Memory management**](0x04h-Testing-Code-Quality.md#memory-management):
     - Both pure Objective-C, Swift and hybrid binaries should have ARC (Automatic Reference Counting) enabled.

Document/index.md

@@ -25,6 +25,7 @@ Start exploring the MASTG:
 <a href="/MASTG/demos/" class="md-button md-button--primary" style="margin: 5px; min-width: 12em; text-align: center;">:material-flask-outline:  Demos</a>
 <a href="/MASTG/tools/" class="md-button md-button--primary" style="margin: 5px; min-width: 12em; text-align: center;">:octicons-tools-24:  Tools</a>
 <a href="/MASTG/apps/" class="md-button md-button--primary" style="margin: 5px; min-width: 12em; text-align: center;">:octicons-code-square-24:  Apps</a>
+<a href="/MASTG/best-practices/" class="md-button md-button--primary" style="margin: 5px; min-width: 12em; text-align: center;">:material-shield-check:  Best Practices (v2 Beta)</a>
 
 <span style="color: darkgray; font-size: small"> :blue_heart:{ .pump } Support the project by purchasing the [OWASP MASTG on leanpub.com](https://leanpub.com/owasp-mastg). All funds raised through sales of this book go directly into the project budget and will be used to for technical editing and designing the book and fund production of future releases.</span>
 

mitigations/android-use-secure-random.md → best-practices/MASTG-BEST-0001.md

@@ -1,5 +1,7 @@
 ---
-title: Use Secure Random Number Generators APIs
+title: Use Secure Random Number Generator APIs
+alias: android-use-secure-random
+id: MASTG-BEST-0001
 platform: android
 ---
 

mitigations/use-proguard.md → best-practices/MASTG-BEST-0002.md

@@ -1,8 +1,14 @@
 ---
-title: Use ProGuard to Remove Logging Code
+title: Remove Logging Code
+alias: remove-logging-code
+id: MASTG-BEST-0002
 platform: android
 ---
 
+Ideally, a release build shouldn't use any logging functions, making it easier to assess sensitive data exposure.
+
+## Using ProGuard
+
 While preparing the production release, you can use tools like @MASTG-TOOL-0022 (included in Android Studio). To determine whether all logging functions from the `android.util.Log` class have been removed, check the ProGuard configuration file (proguard-rules.pro) for the following options (according to this [example of removing logging code](https://www.guardsquare.com/en/products/proguard/manual/examples#logging "ProGuard\'s example of removing logging code") and this article about [enabling ProGuard in an Android Studio project](https://developer.android.com/studio/build/shrink-code#enable "Android Developer - Enable shrinking, obfuscation, and optimization")):
 
 ```default
@@ -57,3 +63,7 @@ SecureLog.v("Private key [byte format]: ", key);
 ```
 
 Then configure ProGuard to strip its calls.
+
+## Custom Logging
+
+You can implement a custom logging facility and disable it at once only for the release builds.

mitigations/comply-with-privacy-regulations.md → best-practices/MASTG-BEST-0003.md

@@ -1,5 +1,7 @@
 ---
 title: Comply with Privacy Regulations and Best Practices
+alias: comply-with-privacy-regulations
+id: MASTG-BEST-0003
 platform: android
 ---
 

best-practices/MASTG-BEST-0004.md

@@ -0,0 +1,11 @@
+---
+title: Exclude Sensitive Data from Backups
+alias: exclude-sensitive-data-from-backups
+id: MASTG-BEST-0004
+platform: android
+---
+
+For the sensitive files found, instruct the system to exclude them from the backup:
+
+- If you are using Auto Backup, mark them with the `exclude` tag in `backup_rules.xml` (for Android 11 or lower using `android:fullBackupContent`) or `data_extraction_rules.xml` (for Android 12 and higher using `android:dataExtractionRules`), depending on the target API. Make sure to use both the `cloud-backup` and `device-transfer` parameters.
+- If you are using the key-value approach, set up your [BackupAgent](https://developer.android.com/identity/data/keyvaluebackup#BackupAgent) accordingly.

best-practices/MASTG-BEST-0005.md

@@ -0,0 +1,12 @@
+---
+title: Use Secure Encryption Modes
+alias: use-secure-encryption-modes
+id: MASTG-BEST-0005
+platform: android
+---
+
+Replace insecure encryption modes with secure block cipher modes such as [AES-GCM or AES-CCM](https://csrc.nist.gov/pubs/sp/800/38/d/final) which are authenticated encryption modes that provide confidentiality, integrity, and authenticity.
+
+We recommend avoiding CBC, which while being more secure than ECB, improper implementation, especially incorrect padding, can lead to vulnerabilities such as padding oracle attacks.
+
+For comprehensive guidance on implementing secure encryption modes in Android, refer to the official Android Developers documentation on [Cryptography](https://developer.android.com/privacy-and-security/cryptography).

best-practices/MASTG-BEST-0006.md

@@ -0,0 +1,26 @@
+---
+title: Use Up-to-Date APK Signing Schemes
+alias: use-up-to-date-apk-signing-schemes
+id: MASTG-BEST-0006
+platform: android
+---
+
+Ensure that the app is signed with at least the v2 or v3 APK signing scheme, as these provide comprehensive integrity checks and protect the entire APK from tampering. For optimal security and compatibility, consider using v3, which also supports key rotation.
+
+Optionally, you can add v4 signing to enable faster [incremental updates](https://developer.android.com/about/versions/11/features#incremental) in Android 11 and above, but v4 alone does not provide security protections and should be used alongside v2 or v3.
+
+The signing configuration can be managed through Android Studio or the `signingConfigs` section in `build.gradle` or `build.gradle.kts`. To activate both the v3 and v4 schemes, the following values must be set:
+
+```default
+// build.gradle
+android {
+  ...
+  signingConfigs {
+    config {
+        ...
+        enableV3Signing true
+        enableV4Signing true
+    }
+  }
+}
+```

best-practices/MASTG-BEST-0007.md

@@ -0,0 +1,10 @@
+---
+title: Debuggable Flag Disabled in the AndroidManifest
+alias: debuggable-flag-disabled
+id: MASTG-BEST-0007
+platform: android
+---
+
+Ensure the debuggable flag in the AndroidManifest.xml is set to `false` for all release builds.
+
+**Note:** Disabling debugging via the `debuggable` flag is an important first step but does not fully protect the app from advanced attacks. Skilled attackers can enable debugging through various means, such as binary patching (see @MASTG-TECH-0038) to allow attachment of a debugger or the use of binary instrumentation tools like @MASTG-TOOL-0001 to achieve similar capabilities. For apps requiring a higher level of security, consider implementing anti-debugging techniques as an additional layer of defense. Refer to @MASWE-0101 for detailed guidance.

best-practices/MASTG-BEST-0008.md

@@ -0,0 +1,29 @@
+---
+title: Debugging Disabled for WebViews
+alias: debugging-disabled-webviews
+id: MASTG-BEST-0008
+platform: android
+---
+
+Ensure that WebView debugging is disabled in production builds to prevent attackers from exploiting this feature to eavesdrop, modify, or debug communication within WebViews.
+
+- Set `WebView.setWebContentsDebuggingEnabled` to `false` in production, or remove the calls entirely if they are unnecessary.
+- If WebView debugging is required during development, ensure it is enabled only when the app is in a debuggable state by [checking the `ApplicationInfo.FLAG_DEBUGGABLE` flag at runtime](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/#configure_webviews_for_debugging).
+
+For example:
+
+```kotlin
+if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) {
+    if (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE))
+    { WebView.setWebContentsDebuggingEnabled(true); }
+}
+```
+
+**Note:** Disabling WebView debugging this way helps protect an app already running on a device. For an attacker to exploit WebView debugging, they must have physical access to the device (e.g., a stolen or test device) or remote access through malware or other malicious means. Additionally, the device must typically be unlocked, and the attacker would need to know the device PIN, password, or biometric authentication to gain full control and connect debugging tools like `adb` or Chrome DevTools.
+
+However, disabling WebView debugging does not eliminate all attack vectors. An attacker could:
+
+1. Patch the app to add calls to these APIs (see @MASTG-TECH-0038), then repackage and re-sign it (see @MASTG-TECH-0039).
+2. Use runtime method hooking (see @MASTG-TECH-0043) to enable WebView debugging dynamically at runtime.
+
+Disabling WebView debugging serves as one layer of defense to reduce risks but should be combined with other security measures.

best-practices/index.md

@@ -0,0 +1,11 @@
+---
+hide: toc
+title: Best Practices (v2 Beta)
+status: new
+---
+
+??? info "About the MASTG Best Practices"
+
+    The MASTG Best Practices are a collection of specific strategies and practices that can be used to prevent or mitigate security and privacy risks in mobile apps. 
+
+    Each Best Practices is designed to be simple and focused and may apply to one or multiple tests in the MASTG.

demos/index.md

@@ -1,6 +1,6 @@
 ---
 hide: toc
-title: MASTG Demos
+title: MASTG Demos (v2 Beta)
 status: new
 ---
 

demos/ios/MASVS-CRYPTO/MASTG-DEMO-0011/security_keysize.r2

@@ -1,23 +1,22 @@
-!printf "\n\n"
+?e;?e
 
-!printf "Uses of SecKeyCreateRandomKey:\n"
+?e Uses of SecKeyCreateRandomKey:
 afl~SecKeyCreateRandomKey
 
-!printf "\n"
+?e
 
-!printf "xrefs to SecKeyCreateRandomKey:\n"
+?e xrefs to SecKeyCreateRandomKey:
 axt @ 0x1000078ac
 
-!printf "\n"
+?e
 
-!printf "Use of reloc.kSecAttrKeySizeInBits as input for SecKeyCreateRandomKey:\n"
+?e Use of reloc.kSecAttrKeySizeInBits as input for SecKeyCreateRandomKey:
 pd 1 @ sym.func.1000046f8
 
-!printf "...\n"
+?e ...
 
 pd 9 @ 0x10000484c
 
-!printf "...\n"
+?e ...
 
 pd-- 2 @ 0x1000049a0
-

demos/ios/MASVS-CRYPTO/MASTG-DEMO-0013/sec_hardcoded_rsa.r2

@@ -1,17 +1,17 @@
-e asm.bytes = false
+e asm.bytes=false
 e scr.color=false
 e asm.var=false
 
-!printf "Uses of SecKeyCreateWithData:\n"
+?e Uses of SecKeyCreateWithData:
 afl~SecKeyCreateWithData
 
-!printf "\n"
+?e
 
-!printf "xrefs to SecKeyCreateWithData:\n"
+?e xrefs to SecKeyCreateWithData:
 axt @ 0x100007904
 
-!printf "\n"
+?e
 
 pdf @ sym.func.10000491c > function.asm
 
-px 607 @ 0x1000100c8 > key.asm
+px 607 @ 0x1000100c8 > key.asm

demos/ios/MASVS-CRYPTO/MASTG-DEMO-0014/cryptokit_hardcoded_ecdsa.r2

@@ -1,21 +1,21 @@
-e asm.bytes = false
+e asm.bytes=false
 e scr.color=false
 e asm.var=false
 
-!printf "Uses of CryptoKit.P256.Signing.PrivateKey:\n"
+?e Uses of CryptoKit.P256.Signing.PrivateKey:
 afl~CryptoKit.P256.Signing.PrivateKey
 
-!printf "\n"
+?e
 
-!printf "xrefs to CryptoKit.P256.Signing.PrivateKey.rawRepresentation:\n"
+?e xrefs to CryptoKit.P256.Signing.PrivateKey.rawRepresentation:
 axt @ 0x100007388
 
-!printf "\n"
+?e
 
-!printf "Use of CryptoKit.P256.Signing.PrivateKey.rawRepresentation:\n"
+?e Use of CryptoKit.P256.Signing.PrivateKey.rawRepresentation:
 
 pd-- 9 @ 0x1000048d4
 
 pdf @ sym.func.1000046dc > function.asm
 
-px 32 @ 0x1000100c8 > key.asm
+px 32 @ 0x1000100c8 > key.asm

demos/ios/MASVS-CRYPTO/MASTG-DEMO-0015/cchash.r2

@@ -1,22 +1,22 @@
-!printf "\n\n"
+?e;?e
 
-!printf "Uses of CommonCrypto hash function:\n"
+?e Uses of CommonCrypto hash function:
 afl~CC_
 
-!printf "\n"
+?e
 
-!printf "xrefs to CC_MD5:\n"
+?e xrefs to CC_MD5:
 axt @ 0x1000071a8
 
-!printf "xrefs to CC_SHA1:\n"
+?e xrefs to CC_SHA1:
 axt @ 0x1000071b4
 
-!printf "\n"
+?e
 
-!printf "Use of MD5:\n"
+?e Use of MD5:
 pd-- 5 @ 0x1000048c4
 
-!printf "\n"
+?e
 
-!printf "Use of SHA1:\n"
+?e Use of SHA1:
 pd-- 5 @ 0x10000456c

demos/ios/MASVS-CRYPTO/MASTG-DEMO-0016/cryptokit_hash.r2

@@ -1,24 +1,24 @@
-!printf "\n\n"
+?e;?e
 
-!printf "Uses of CryptoKit.Insecure functions:\n"
+?e Uses of CryptoKit.Insecure functions:
 afl~Insecure.
 
-!printf "\n"
+?e
 
-!printf "xrefs to CryptoKit.Insecure.MD5:\n"
+?e xrefs to CryptoKit.Insecure.MD5:
 axt @ 0x100007280
 
-!printf "\n"
+?e
 
-!printf "xrefs to CryptoKit.Insecure.SHA1:\n"
+?e xrefs to CryptoKit.Insecure.SHA1:
 axt @ 0x10000728c
 
-!printf "\n"
+?e
 
-!printf "Use of MD5:\n"
+?e Use of MD5:
 pd-- 5 @ 0x1000046d8
 
-!printf "\n"
+?e
 
-!printf "Use of SHA1:\n"
+?e Use of SHA1:
 pd-- 5 @ 0x100004214