Port MASTG-TEST-0003 (by @guardsquare) #3059

Merged
merged 4 commits into from
Nov 29, 2024
45 changes: 45 additions & 0 deletions tests-beta/android/MASVS-STORAGE/MASTG-TEST-0x03.md
@@ -0,0 +1,45 @@
---
platform: android
title: References to Logging APIs
id: MASTG-TEST-0x03
apis: [Log, Logger, System.out.print, System.err.print, java.lang.Throwable#printStackTrace, android.util.Log]
type: [static]
weakness: MASWE-0001
---

## Overview

This test verifies if an app uses API like `android.util.Log`, `Log`, `Logger`, `System.out.print`, `System.err.print`, and `java.lang.Throwable#printStackTrace`.

## Steps

1. Run static analysis tool @MASTG-TEST-0018 to find all logging APIs.

## Observation

The output should contain a list of locations where logging APIs is used.

## Evaluation

The test fails if an app logs sensitive information from any of the listed locations. Ideally, a release build shouldn’t use any logging functions, making it easier to assess sensitive data exposure

## Mitigation

While preparing the production release, you can use tools like @MASTG-TOOL-0022 (included in Android Studio). To determine whether all logging functions from the `android.util.Log` class have been removed, check the ProGuard configuration file (proguard-rules.pro) for the following options (according to this [example of removing logging code](https://www.guardsquare.com/en/products/proguard/manual/examples#logging "ProGuard\'s example of removing logging code") and this article about [enabling ProGuard in an Android Studio project](https://developer.android.com/studio/build/shrink-code#enable "Android Developer - Enable shrinking, obfuscation, and optimization")):

```default
-assumenosideeffects class android.util.Log
{
public static boolean isLoggable(java.lang.String, int);
public static int v(...);
public static int i(...);
public static int w(...);
public static int d(...);
public static int e(...);
public static int wtf(...);
}
```

Note that the example above only ensures that calls to the Log class' methods will be removed. If the string that will be logged is dynamically constructed, the code that constructs the string may remain in the bytecode.

Alternatively, you can implement a custom logging facility and disable it at once only for the release builds.
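Review bot: step 1 in "Steps" tells the tester to "Run static analysis tool @MASTG-TEST-0018", but that identifier is a test id, not a tool id (compare @MASTG-TOOL-0022 used later in the same file), so the reference resolves to another test rather than to the tool or technique that actually enumerates the logging APIs; please point it at the right kind of identifier. The Evaluation then says the test fails "if an app logs sensitive information from any of the listed locations", yet Steps and Observation only yield a list of call sites, so either add the step that inspects what is passed at each location or narrow the Evaluation to the presence of logging calls in release builds, which is what the Mitigation section addresses. Minor wording: the `apis` front-matter list contains both `Log` and `android.util.Log` and the Overview repeats the whole list; "verifies if an app uses API like" reads better as "verifies whether an app uses APIs such as"; "where logging APIs is used" should be "are used"; and the Evaluation paragraph is missing its final full stop.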
2 changes: 2 additions & 0 deletions tests/android/MASVS-STORAGE/MASTG-TEST-0003.md
Expand Up @@ -8,6 +8,8 @@ title: Testing Logs for Sensitive Data
masvs_v1_levels:
- L1
- L2
status: deprecated
covered_by: [MASTG-TEST-0203, MASTG-TEST-0x03]
---

## Overview
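Review bot: `covered_by: [MASTG-TEST-0203, MASTG-TEST-0x03]` references the placeholder id of the new file added in this PR (`tests-beta/android/MASVS-STORAGE/MASTG-TEST-0x03.md`, whose front matter also says `id: MASTG-TEST-0x03`); when the final id is assigned, this entry and the new file's `id:` field must be updated together, otherwise the deprecated test will point at a test that does not exist. Suggest doing the rename before merge rather than in a follow-up so the deprecation link is never broken in the published site.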