Port MASTG test 0019 (by @guardsquare)

tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-1.md

@@ -0,0 +1,30 @@
+---
+title: HTTP URLs
+platform: android
+id: MASTG-TEST-0x19-1
+type: [static]
+weakness: MASWE-0050
+---
+
+## Overview
+
+An app may have hardcoded HTTP URLs in the app binary, in libs binaries and other places within the APK.
+
+Those URLs are not necessarily used for communication, but can indicate locations where a server is contacted without TLS.
+
+!!! warning Limitations
+    If such URLs are actually insecure can depend on other factors. For example if HTTP traffic is disabled in the AndroidManifest, trying to access such URLs will result in an exception, and no insecure connection is made.
+
+## Steps
+
+1. Reverse engineer the app (@MASTG-TECH-0017).
+2. Run a static analysis (@MASTG-TECH-0014) tool and look for any `http://` URLs.
+3. Verify the found URLs are actually used for communication by inspecting all locations where these URLs are used.
+
+## Observation
+
+The output contains a list of URLs which are used for communication.
+
+## Evaluation
+
+The test case fails if any HTTP URLs are used for communication.

tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-2.md

@@ -0,0 +1,29 @@
+---
+title: SSLSockets not Properly Verifying Hostnames
+platform: android
+id: MASTG-TEST-0x19-2
+type: [static]
+weakness: MASWE-0052
+---
+
+## Overview
+
+`SSLSocket` does not perform hostname verification (see ["Android documentation"](https://developer.android.com/privacy-and-security/security-ssl#WarningsSslSocket)) by default. This needs to be implemented securely by the app itself.
+
+A secure way isto implement an own `HostnameVerifier` which forwards the hostname verification to the `verify()` method of the `DefaultHostnameVerifier()`Be aware that `HostnameVerifier.verify()` does not throw an exception on error. Instead, it returns a boolean result that must explicitly check by the app.
+
+See ["Unsafe HostnameVerifier"](https://developer.android.com/privacy-and-security/risks/unsafe-hostname) for more information about insecure `HostnameVerifiers`.
+
+## Steps
+
+1. Reverse engineer the app (@MASTG-TECH-0017).
+2. Run a static analysis (@MASTG-TECH-0014) tool and look for all usages of `SSLSocket`.
+3. Verify each `SSLSocket` attaches a `HostnameVerifier` and verify the implementation of the HostnameVerifier is secure.
+
+## Observation
+
+The output contains a list of locations where `SSLSocket` is used and does not perform hostname verification or does so incorrectly.
+
+## Evaluation
+
+The test case fails if any hostname verification is missing, or implemented insecurely.

tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-3.md

@@ -0,0 +1,28 @@
+---
+title: Cleartext traffic permitted
+platform: android
+id: MASTG-TEST-0x19-3
+type: [static]
+weakness: MASWE-0050
+---
+
+## Overview
+
+Since Android 9 (API level 28) cleartext HTTP traffic is blocked by default (thanks to the [default Network Security Configuration](../../../Document/0x05g-Testing-Network-Communication.md#default-configurations)) but there are multiple ways in which an application can still send it:
+
+- Setting the [`android:usesCleartextTraffic`](https://developer.android.com/guide/topics/manifest/application-element#usesCleartextTraffic "Android documentation - usesCleartextTraffic flag") attribute of the `<application>` tag in the AndroidManifest.xml file. Note that this flag is ignored in case the Network Security Configuration is configured.
+- Configuring the [Network Security Configuration to enable cleartext traffic](https://developer.android.com/privacy-and-security/security-config#CleartextTrafficPermitted) by setting the `cleartextTrafficPermitted` attribute to true on `<domain-config>` elements.
+
+## Steps
+
+1. Reverse engineer the app (@MASTG-TECH-0017).
+2. Verify `usesCleartextTraffic` is not set to `true` in the AndroidManifest.xml
+3. Inspect the AndroidManifest.xml, and check if a `networkSecurityConfig` is set in the `<application>` tag. If yes, inspect the referenced file, and make sure that `cleartextTrafficPermitted` is not set to `true` globally in the `<base-config>` element, or for specific domains in their `<domain-config>` elements.
+
+## Observation
+
+The output contains a list of configurations allowing for cleartext traffic.
+
+## Evaluation
+
+The test case fails if any cleartext traffic is permitted.

tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-4.md

@@ -0,0 +1,8 @@
+---
+title: Cleartext traffic is allowed for cross-platform frameworks
+platform: android
+id: MASTG-TEST-0x19-4
+type: [static]
+weakness: MASWE-0050
+status: draft
+note: Cross-platform frameworks (e.g. Flutter, React native, ...), typically have their own implementations for HTTP libraries, where cleartext traffic can be allowed.

tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-5.md

@@ -0,0 +1,34 @@
+---
+title: Cleartext Traffic Observed on the Network
+platform: network
+id: MASTG-TEST-0x19-5
+type: [dynamic]
+weakness: MASWE-0050
+---
+
+## Overview
+
+This test intercepts the app's incoming and outgoing network traffic, and checks for any cleartext communication.
+Whilst the static checks can only show _potential_ cleartext traffic, this dynamic test shows all communication the application definitely makes.
+
+!!! warning Limitation
+    - Intercepting traffic on a network level will show all traffic _the device_ performs, not only the single app. Linking the traffic back to a specific app can be difficult, especially when more apps are installed on the device.
+    - Linking the intercepted traffic back to specific locations in the app can be difficult and requires manual analysis of the code.
+    - Dynamic analysis works best when you interact extensively with the app. But even then there could be corner cases which are difficult or impossible to execute on every device. The results from this test therefore are likely not exhaustive.
+
+## Steps
+
+You can use one of the following approaches:
+
+- Set up @MASTG-TECH-0010 (for Android) or @MASTG-TECH-0062 (for iOS) to capture all traffic and make sure no communication is done in cleartext.
+- Capture all traffic with an interception proxy like @MASTG-TOOL-0077, @MASTG-TOOL-0079, or @MASTG-TOOL-0097 and make sure no request is done in cleartext. Interception proxies like Burp and OWASP ZAP will show HTTP(S) traffic only. You can, however, use a Burp plugin such as [Burp-non-HTTP-Extension](https://github.com/summitt/Burp-Non-HTTP-Extension) or the tool [mitm-relay](https://github.com/jrmdev/mitm_relay) to decode and visualize communication via XMPP and other protocols.
+
+Note: Some applications may not function correctly with proxies like Burp and OWASP ZAP because of Certificate Pinning. In such a scenario, you can still use the other technique.
+
+## Observation
+
+The output contains a list of cleartext network requests.
+
+## Evaluation
+
+The test case fails if any cleartext requests are logged.

tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-6.md

@@ -0,0 +1,8 @@
+---
+title: Using low-level APIs (e.g. Socket) to set up a custom HTTP connection
+platform: android
+id: MASTG-TEST-0x19-6
+type: [static]
+weakness: MASWE-0050
+status: draft
+note: new test

tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-7.md

@@ -0,0 +1,8 @@
+---
+title: Cleartext Traffic Observed on the Network
+platform: android
+id: MASTG-TEST-0x19-7
+type: [static]
+weakness: MASWE-0050
+status: draft
+note: Using Frida, you can trace all traffic of the app, mitigating the limitation of the dynamic analysis that you do not know which app, or which location is responsible for the traffic. Using Frida (and `.backtrace()`), you can be sure this is from the analyzed app, and know the exact location. A new limitation is then that all relevant networking APIs need to be instrumented.

tests/android/MASVS-NETWORK/MASTG-TEST-0019.md

@@ -8,6 +8,9 @@ title: Testing Data Encryption on the Network
 masvs_v1_levels:
 - L1
 - L2
+status: deprecated
+covered_by: [MASTG-TEST-0x19-1,MASTG-TEST-0x19-2,,MASTG-TEST-0x19-3,MASTG-TEST-0x19-4,MASTG-TEST-0x19-5,MASTG-TEST-0x19-6,MASTG-TEST-0x19-7]
+deprecation_note: New version available in MASTG V2
 ---
 
 ## Overview