Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Port MASTG-TEST-0024 (by @appknox) #3076

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Port MASTG-TEST-0024 (by @appknox) #3076

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6c57f1e
port 0x24
ScreaMy7 Nov 26, 2024
eb5cdf7
markdown fix
ScreaMy7 Nov 26, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 33 additions & 0 deletions tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0x24.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
---
platform: android
title: Testing for App Permissions
id: MASTG-TEST-0x24
---
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Check other recently added V2 tests for missing fields such as MASWE ID


## Overview

Testing for app permissions in Android involves evaluating how an application requests, uses, and manages permissions to ensure they do not lead to security vulnerabilities. Proper permission management should protect sensitive user data and ensure that the application complies with Android's security model. The test aims to detect misconfigurations and unnecessary permissions.

## Steps

### Static analysis
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do not use these sections anymore but rather one unique list of steps.

In this case you can easily create a MASTG-TECH for "Obtaining App Permissions" and there use one ## section per tool.

Example:

## @MASTG-TOOL-xxx

See the latest MASTG-TECH and MASTG-TEST (V2 beta) for reference (you can go to the page and sort the IDs to see the recent ones).

FOR THIS TEST:

as you'll see in the other ones this will become one step about using the technique by referencing it with @


1. Decompile the APK using tools like @MASTG-TOOL-0011.
2. Examine the `AndroidManifest.xml` file for declared permissions by searching for `<uses-permission` tags.
3. Review the permissions with the developer to identify the purpose of each permission set and remove unnecessary or dangerous permissions.

### Dynamic analysis

1. Permissions for installed applications can be retrieved with @MASTG-TOOL-0004.
2. Use the @MASTG-TOOL-0004 with the following command :
`$ adb shell dumpsys package sg.vp.owasp_mobile.omtg_android`

Please refer to this [permissions overview ↗](https://developer.android.com/guide/topics/permissions/overview#permission-groups "Table 1. Dangerous permissions and permission groups.") for descriptions of the listed permissions that are considered dangerous.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would be better for the evaluation. Be careful not to include that arrow right before the closing bracket


## Observation

The output shows the list of permissions used by the application.

## Evaluation

The test will fail if the correct permissions are used.
3 changes: 3 additions & 0 deletions tests/android/MASVS-PLATFORM/MASTG-TEST-0024.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,9 @@ title: Testing for App Permissions
masvs_v1_levels:
- L1
- L2
status: deprecated
covered_by: [MASTG-TEST-0x24]
deprecation_note: New version available in MASTG V2
---

## Overview
Expand Down