OWASP · serek8 · Oct 25, 2024 · Oct 25, 2024 · Oct 25, 2024 · Oct 25, 2024
diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-0021/MASTG-DEMO-0021.md b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0021/MASTG-DEMO-0021.md
@@ -0,0 +1,29 @@
+---
+platform: android
+title: Sensitive Data Leaked via Screenshots
+id: MASTG-DEMO-0021
+code: [kotlin]
+test: MASTG-TEST-0216
+---
+
+### Sample
+
+The snippet below shows sample code that sets `FLAG_SECURE` on an activity that displays sensitive data.
+
+{{ MastgTest.kt }}
+
+### Steps
+
+Let's run our @MASTG-TOOL-0110 rule against the reversed java code.
+
+{{ ../../../../rules/mastg-android-data-unencrypted-shared-storage-no-user-interaction-apis.yml }}
+
+### Observation
+
+{{ output.txt }}
+
+The rule has identified one location in the code file where an API, `FLAG_SECURE`, is used to prevent capturing the screen.
+
+### Evaluation
+
+This test succeeds because the app used an API to prevent screen recording on a screen with confidential data.
diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-0021/MastgTest.kt b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0021/MastgTest.kt
@@ -0,0 +1,20 @@
+package org.owasp.mastestapp
+
+import android.app.Activity
+import android.content.Context
+import android.view.WindowManager.LayoutParams
+
+class MastgTest (private val context: Context){
+
+    fun mastgTest(): String {
+        if (context is Activity) {
+            context.window.setFlags(
+                LayoutParams.FLAG_SECURE,
+                LayoutParams.FLAG_SECURE
+            )
+            return "SUCCESS!!\n\nThe FLAG_SECURE has been set"
+        } else {
+            return "ERROR: Context is not an Activity"
+        }
+    }
+}
diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-0021/MastgTest_reversed.java b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0021/MastgTest_reversed.java
@@ -0,0 +1,27 @@
+package org.owasp.mastestapp;
+
+import android.app.Activity;
+import android.content.Context;
+import kotlin.Metadata;
+import kotlin.jvm.internal.Intrinsics;
+
+/* compiled from: MastgTest.kt */
+@Metadata(d1 = {"\u0000\u0018\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0000\b\u0007\u0018\u00002\u00020\u0001B\r\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J\u0006\u0010\u0005\u001a\u00020\u0006R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006\u0007"}, d2 = {"Lorg/owasp/mastestapp/MastgTest;", "", "context", "Landroid/content/Context;", "(Landroid/content/Context;)V", "mastgTest", "", "app_debug"}, k = 1, mv = {1, 9, 0}, xi = 48)
+/* loaded from: classes4.dex */
+public final class MastgTest {
+    public static final int $stable = 8;
+    private final Context context;
+
+    public MastgTest(Context context) {
+        Intrinsics.checkNotNullParameter(context, "context");
+        this.context = context;
+    }
+
+    public final String mastgTest() {
+        if (this.context instanceof Activity) {
+            ((Activity) this.context).getWindow().setFlags(8192, 8192);
+            return "SUCCESS!!\n\nThe FLAG_SECURE has been set";
+        }
+        return "ERROR: Context is not an Activity";
+    }
+}
diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-0021/output.txt b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0021/output.txt
@@ -0,0 +1,11 @@
+
+
+┌────────────────┐
+│ 1 Code Finding │
+└────────────────┘
+
+    MastgTest_reversed.java
+    ❯❱ [1mrules.flag_secure[0m
+          [MASVS-PLATFORM] Make sure you use this flag for all screens with sensitive data
+
+           22┆ ((Activity) this.context).getWindow().setFlags(8192, 8192);
diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-0021/run.sh b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0021/run.sh
@@ -0,0 +1 @@
+NO_COLOR=true semgrep -c ../../../../rules/mastg-android-sensitive-data-in-screenshot.yml ./MastgTest_reversed.java --text -o output.txt
diff --git a/rules/mastg-android-sensitive-data-in-screenshot.yml b/rules/mastg-android-sensitive-data-in-screenshot.yml
@@ -0,0 +1,10 @@
+rules:
+  - id: flag_secure
+    severity: WARNING
+    languages:
+      - java
+    metadata:
+      summary: This rule looks for a use of FLAG_SECURE.
+    message: "[MASVS-PLATFORM] Make sure you use this flag for all screens with sensitive data"
+    pattern: |
+            $X.setFlags(8192, 8192)
diff --git a/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0216.md b/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0216.md
@@ -0,0 +1,26 @@
+---
+title: Sensitive Data Leaked via Screenshots
+platform: android
+id: MASTG-TEST-0216
+type: [static]
+weakness: MASWE-0055
+---
+
+## Overview
+
+This test verifies whether an app uses APIs to prevent or detect screen capturing. While prevention is preferable to detection, this test ensures that the app is aware of potential screenshot issues. On Android, several APIs allow developers to detect when screenshots are taken, such as:
+
+- [FLAG_SECURE](https://developer.android.com/security/fraud-prevention/activities#flag_secure) - prevents screen recording
+- [DETECT_SCREEN_CAPTURE](https://developer.android.com/about/versions/14/features/screenshot-detection#implementation) - detects when a screenshot is taken
+
+## Steps
+
+1. Run a static analysis tool, such as @MASTG-TOOL-0110, on the code to identify instances of relevant API usage.
+
+## Observation
+
+The output should include a list of locations where the relevant APIs are used.
+
+## Evaluation
+
+The test case fails if you cannot find the relevant APIs on the Activities that display sensitive data.
diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0055.md b/weaknesses/MASVS-PLATFORM/MASWE-0055.md
@@ -10,14 +10,20 @@ mappings:
 
 refs:
 - https://developer.android.com/about/versions/14/features/screenshot-detection
-draft:
-  description: no method is used to prevent specific content from being captured (e.g.
-    via FLAG_SECURE on Android and Secure Text Entry on iOS)
-  topics:
-  - Screenshots Not Prevented (e.g. via DETECT_SCREEN_CAPTURE on Android)
-  - Screenshots not deleted when backgrounding
-  - Auto-Generated Screenshots
 status: draft
 
 ---
 
+## Overview
+
+Mobile platforms allow users and third-party tools to record screens, which can expose sensitive data and increase the risk of data leakage.
+
+## Impact
+
+- **Loss of Confidentiality**: Under certain conditions, an attacker could access sensitive data previously displayed on the screen, potentially compromising confidentiality and enabling further attacks, such as identity theft or account takeover.
+
+## Modes of Introduction
+
+- **Third-party apps with a permission to recording record the screen**: Third-party apps may record the screen while sensitive content is displayed.
+- **Third-party apps with a permission to access the whole storage**: Third-party apps may access screenshots saved in storage after they are taken by the user or a tool.
+- **External tools may record the screen**: Tools such as [scrcpy](https://github.com/Genymobile/scrcpy) and [QuickTime](https://support.apple.com/guide/quicktime-player/welcome/mac) can record the device's screen via a USB connection.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		NO_COLOR=true semgrep -c ../../../../rules/mastg-android-sensitive-data-in-screenshot.yml ./MastgTest_reversed.java --text -o output.txt