Port MASTG test 0019 (by @guardsquare) #3030
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cpholguera
requested changes
Nov 5, 2024
| platform: android | ||
| id: MASTG-TEST-0x19-2 | ||
| type: [static] | ||
| weakness: MASWE-0050 |
There was a problem hiding this comment.
Wouldn't https://mas.owasp.org/MASWE/MASVS-NETWORK/MASWE-0052/ be a better fit?
Comment on lines
15
to
17
| 1. Reverse engineer the app (@MASTG-TECH-0017). | ||
| 2. Run a static analysis (@MASTG-TECH-0014) tool and look for all usages of `SSLSocket`. | ||
| 3. Verify each usage performans manual hostname verification correctly. |
There was a problem hiding this comment.
After changing the above, we should update the steps and be more specific. We can tell them to search for uses of SSLSocket that are not using HostnameVerifier, or that are using it but potentially incorrectly (as indicated above).
Examples (not for linking here, but maybe to use later for demos):
| Since Android 9 (API level 28) cleartext HTTP traffic is blocked by default (thanks to the [default Network Security Configuration](../../../Document/0x05g-Testing-Network-Communication.md#default-configurations)) but there are multiple ways in which an application can still send it: | ||
|
|
||
| - Setting the [`android:usesCleartextTraffic`](https://developer.android.com/guide/topics/manifest/application-element#usesCleartextTraffic "Android documentation - usesCleartextTraffic flag") attribute of the `<application>` tag in the AndroidManifest.xml file. Note that this flag is ignored in case the Network Security Configuration is configured. | ||
| - Configuring the Network Security Configuration to enable cleartext traffic by setting the `cleartextTrafficPermitted` attribute to true on `<domain-config>` elements. |
There was a problem hiding this comment.
Suggested change
| - Configuring the Network Security Configuration to enable cleartext traffic by setting the `cleartextTrafficPermitted` attribute to true on `<domain-config>` elements. | |
| - Configuring the [Network Security Configuration to enable cleartext traffic](https://developer.android.com/privacy-and-security/security-config#CleartextTrafficPermitted) by setting the `cleartextTrafficPermitted` attribute to true on `<domain-config>` elements. |
|
|
||
| 1. Reverse engineer the app (@MASTG-TECH-0017). | ||
| 2. Verify `usesCleartextTraffic` is not set to `true` in the AndroidManifest.xml | ||
| 3. Inspect the AndroidManifest.xml, and check if a `networkSecurityConfig` is set in the `<application>` tag. If yes, inspect the referenced file, and make sure `cleartextTrafficPermitted` is not set to `true` for any domain. |
There was a problem hiding this comment.
Suggested change
| 3. Inspect the AndroidManifest.xml, and check if a `networkSecurityConfig` is set in the `<application>` tag. If yes, inspect the referenced file, and make sure `cleartextTrafficPermitted` is not set to `true` for any domain. | |
| 3. Inspect the AndroidManifest.xml, and check if a `networkSecurityConfig` is set in the `<application>` tag. If yes, inspect the referenced file, and make sure that `cleartextTrafficPermitted` is not set to `true` | |
| - globally in the `<base-config>` element. | |
| - or for specific domains in their `<domain-config>` elements. |
|
|
||
| ## Observation | ||
|
|
||
| The output contains a list of domains for which cleartext traffic is enabled. |
There was a problem hiding this comment.
More accurate like this I think.
Suggested change
| The output contains a list of domains for which cleartext traffic is enabled. | |
| The output contains a list of configurations allowing for cleartext traffic. |
Comment on lines
6
to
17
| weakness: MASWE-0050 | ||
| --- | ||
|
|
||
| ## Overview | ||
|
|
||
| Cross-platform frameworks (e.g. Flutter, React native, ...), typically have their own implementations for HTTP libraries, where cleartext traffic can be allowed. | ||
|
|
||
| ## Steps | ||
|
|
||
| ## Observation | ||
|
|
||
| ## Evaluation |
There was a problem hiding this comment.
We can do this as long as there's a new Issue. Please mention the issue in the PR description.
Suggested change
| weakness: MASWE-0050 | |
| --- | |
| ## Overview | |
| Cross-platform frameworks (e.g. Flutter, React native, ...), typically have their own implementations for HTTP libraries, where cleartext traffic can be allowed. | |
| ## Steps | |
| ## Observation | |
| ## Evaluation | |
| weakness: MASWE-0050 | |
| status: draft | |
| note: Cross-platform frameworks (e.g. Flutter, React native, ...), typically have their own implementations for HTTP libraries, where cleartext traffic can be allowed. | |
| --- |
|
|
||
| ## Overview | ||
|
|
||
| Intercept the tested app's incoming and outgoing network traffic and make sure that this traffic is encrypted. |
There was a problem hiding this comment.
Rephrase to highlight more why we're doing this test, what's the value/benefit. For example, this are REAL cleartext connections not just potential ones (as it is the case if we just retrieve the hardcoded URLs).
Limitations:
- thanks to doing this we can know what domains are contacted in cleartext but we don't know which location in the code is producing this traffic, right? (we can add a note in the Evaluation)
- this depends on how much of the app you can exercise so you cannot expect full coverage
cpholguera
requested changes
Dec 7, 2024
|
|
||
| ## Evaluation | ||
|
|
||
| The test case fails if any HTTP URLs are used for communication. |
There was a problem hiding this comment.
See my new comment above, in the evaluation we can now use the output and explain how to discard false positives. This is not an easy task, but there are some things we can do to get a better list.
cpholguera
reviewed
Dec 7, 2024
…lated test references
cpholguera
approved these changes
Dec 7, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR closes #2959.
Adds new
drafttests: