Add MASTG-TEST-0264, MASTG-TEST-0265, MASTG-DEMO-0038, MASTG-DEMO-0039

demos/android/MASVS-RESILIENCE/MASTG-DEMO-0038/MASTG-DEMO-0038.md

@@ -4,6 +4,34 @@ title: Detecting StrictMode Uses with Frida
 id: MASTG-DEMO-0038
 code: [kotlin]
 test: MASTG-TEST-0264
-status: draft
-note: This demo shows how to detect the use of StrictMode at runtime using Frida.
+status: new
 ---
+
+### Sample
+
+This sample demonstrates the detection of `StrictMode` uses at runtime using Frida. The app enables a `StrictMode` policy to detect leaked SQLite objects and intentionally leaves a cursor unclosed to trigger the policy.
+
+{{ ../MASTG-DEMO-0037/MastgTest.kt }}
+
+### Steps
+
+1. Install the app on a device (@MASTG-TECH-0005)
+2. Make sure you have @MASTG-TOOL-0001 installed on your machine and the frida-server running on the device
+3. Run `run.sh` to spawn the app with Frida
+4. Click the **Start** button
+5. Stop the script by pressing `Ctrl+C`
+
+{{ run.sh # script.js }}
+
+### Observation
+
+The Frida script output reveals the runtime usage of `StrictMode`.
+
+{{ output.txt }}
+
+### Evaluation
+
+The test fails because the Frida script output shows the runtime usage of `StrictMode`, specifically:
+
+- `StrictMode.VmPolicy.Builder.penaltyLog`
+- `StrictMode.setVmPolicy`

demos/android/MASVS-RESILIENCE/MASTG-DEMO-0038/output.txt

@@ -0,0 +1,30 @@
+
+[+] Frida script loaded to detect StrictMode usage and penaltyLog calls.
+
+
+[*] StrictMode.VmPolicy.Builder.penaltyLog() called
+
+
+Backtrace:
+android.os.StrictMode$VmPolicy$Builder.penaltyLog(Native Method)
+android.os.StrictMode$VmPolicy$Builder.build(StrictMode.java:1226)
+android.os.StrictMode.initVmDefaults(StrictMode.java:1522)
+android.app.ActivityThread.handleBindApplication(ActivityThread.java:6844)
+android.app.ActivityThread.handleBindApplication(Native Method)
+android.app.ActivityThread.-$$Nest$mhandleBindApplication(Unknown Source:0)
+android.app.ActivityThread$H.handleMessage(ActivityThread.java:2236)
+android.os.Handler.dispatchMessage(Handler.java:106)
+
+[*] StrictMode.setVmPolicy() called
+
+
+Backtrace:
+android.os.StrictMode.setVmPolicy(Native Method)
+android.os.StrictMode.initVmDefaults(StrictMode.java:1522)
+android.app.ActivityThread.handleBindApplication(ActivityThread.java:6844)
+android.app.ActivityThread.handleBindApplication(Native Method)
+android.app.ActivityThread.-$$Nest$mhandleBindApplication(Unknown Source:0)
+android.app.ActivityThread$H.handleMessage(ActivityThread.java:2236)
+android.os.Handler.dispatchMessage(Handler.java:106)
+android.os.Looper.loopOnce(Looper.java:205)
+Policy: [StrictMode.VmPolicy; mask=1082130464]

demos/android/MASVS-RESILIENCE/MASTG-DEMO-0038/run.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+frida -U -f org.owasp.mastestapp -l ./script.js -o output.txt

demos/android/MASVS-RESILIENCE/MASTG-DEMO-0038/script.js

@@ -0,0 +1,40 @@
+Java.perform(() => {
+
+    // Function to print backtrace with a configurable number of lines (default: 8)
+    function printBacktrace(maxLines = 8) {
+        let Exception = Java.use("java.lang.Exception");
+        let stackTrace = Exception.$new().getStackTrace().toString().split(",");
+
+        console.log("\nBacktrace:");
+        for (let i = 0; i < Math.min(maxLines, stackTrace.length); i++) {
+            console.log(stackTrace[i]);
+        }
+    }
+
+    // Hook StrictMode.setVmPolicy
+    let StrictMode = Java.use('android.os.StrictMode');
+
+    StrictMode.setVmPolicy.implementation = function (policy) {
+        console.log("\n[*] StrictMode.setVmPolicy() called\n");
+
+        // Java stack trace
+        printBacktrace();
+
+        console.log("Policy: " + policy);
+        this.setVmPolicy(policy);
+    };
+
+    // Hook StrictMode.VmPolicy.Builder.penaltyLog
+    let VmPolicyBuilder = Java.use('android.os.StrictMode$VmPolicy$Builder');
+
+    VmPolicyBuilder.penaltyLog.implementation = function () {
+        console.log("\n[*] StrictMode.VmPolicy.Builder.penaltyLog() called\n");
+
+        // Java stack trace
+        printBacktrace();
+
+        return this.penaltyLog();
+    };
+
+    console.log("\n[+] Frida script loaded to detect StrictMode usage and penaltyLog calls.\n");
+});

demos/android/MASVS-RESILIENCE/MASTG-DEMO-0039/MASTG-DEMO-0039.md

@@ -4,6 +4,31 @@ title: Detecting StrictMode PenaltyLog Usage with Semgrep
 id: MASTG-DEMO-0039
 code: [kotlin]
 test: MASTG-TEST-0265
-status: draft
-note: This demo shows how to detect the use of StrictMode in the codebase using Semgrep.
+status: new
 ---
+
+### Sample
+
+This sample demonstrates the detection of `StrictMode` uses at runtime using Frida. The app enables a `StrictMode` policy to detect leaked SQLite objects and intentionally leaves a cursor unclosed to trigger the policy.
+
+{{ ../MASTG-DEMO-0037/MastgTest.kt # MastgTest_reversed.java }}
+
+### Steps
+
+Let's run @MASTG-TOOL-0110 rules against the sample code.
+
+{{ ../../../../rules/mastg-android-strictmode.yml }}
+
+{{ run.sh }}
+
+### Observation
+
+The output shows all usages of APIs related to `StrictMode.setVmPolicy`.
+
+{{ output.txt }}
+
+### Evaluation
+
+The test fails because the output shows usages of `StrictMode` APIs, specifically:
+
+- `StrictMode.setVmPolicy`

demos/android/MASVS-RESILIENCE/MASTG-DEMO-0039/MastgTest_reversed.java

@@ -0,0 +1,39 @@
+package org.owasp.mastestapp;
+
+import android.content.Context;
+import android.database.sqlite.SQLiteDatabase;
+import android.os.StrictMode;
+import kotlin.Metadata;
+import kotlin.jvm.internal.Intrinsics;
+
+/* compiled from: MastgTest.kt */
+@Metadata(d1 = {"\u0000 \n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u0002\n\u0000\n\u0002\u0010\u000e\n\u0002\b\u0002\b\u0007\u0018\u00002\u00020\u0001B\r\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J\b\u0010\u0005\u001a\u00020\u0006H\u0002J\u0006\u0010\u0007\u001a\u00020\bJ\b\u0010\t\u001a\u00020\u0006H\u0002R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006\n"}, d2 = {"Lorg/owasp/mastestapp/MastgTest;", "", "context", "Landroid/content/Context;", "(Landroid/content/Context;)V", "enableStrictMode", "", "mastgTest", "", "triggerSqliteCursorLeak", "app_debug"}, k = 1, mv = {1, 9, 0}, xi = 48)
+/* loaded from: classes4.dex */
+public final class MastgTest {
+    public static final int $stable = 8;
+    private final Context context;
+
+    public MastgTest(Context context) {
+        Intrinsics.checkNotNullParameter(context, "context");
+        this.context = context;
+    }
+
+    public final String mastgTest() {
+        enableStrictMode();
+        triggerSqliteCursorLeak();
+        System.gc();
+        return "SUCCESS!!\n\nSQL Cursor leaked.";
+    }
+
+    private final void enableStrictMode() {
+        StrictMode.setVmPolicy(new StrictMode.VmPolicy.Builder().detectLeakedClosableObjects().penaltyLog().build());
+    }
+
+    private final void triggerSqliteCursorLeak() {
+        SQLiteDatabase db = this.context.openOrCreateDatabase("test.db", 0, null);
+        Intrinsics.checkNotNullExpressionValue(db, "openOrCreateDatabase(...)");
+        db.execSQL("CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, name TEXT)");
+        db.execSQL("INSERT INTO users (name) VALUES ('Alice'), ('Bob')");
+        db.rawQuery("SELECT * FROM users", null);
+    }
+}

demos/android/MASVS-RESILIENCE/MASTG-DEMO-0039/output.txt

@@ -0,0 +1,13 @@
+
+
+┌────────────────┐
+│ 1 Code Finding │
+└────────────────┘
+
+    MastgTest_reversed.java
+    ❯❱ rules.mastg-android-strictmode
+          [MASVS-RESILIENCE] Detected usage of StrictMode
+
+           29┆ StrictMode.setVmPolicy(new                                                        
+               StrictMode.VmPolicy.Builder().detectLeakedClosableObjects().penaltyLog().build());
+

demos/android/MASVS-RESILIENCE/MASTG-DEMO-0039/run.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+NO_COLOR=true semgrep -c ../../../../rules/mastg-android-strictmode.yml ./MastgTest_reversed.java > output.txt

rules/mastg-android-strictmode.yml

@@ -0,0 +1,10 @@
+rules:
+  - id: mastg-android-strictmode
+    severity: WARNING
+    languages:
+      - java
+    metadata:
+      summary: This rule scans uses of StrictMode.
+    message: "[MASVS-RESILIENCE] Detected usage of StrictMode"
+    patterns:
+      - pattern: StrictMode.setVmPolicy(...)

tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0264.md

@@ -5,6 +5,23 @@ id: MASTG-TEST-0264
 type: [dynamic]
 weakness: MASWE-0094
 best-practices: []
-status: draft
-note: This test checks whether the app uses StrictMode by placing relevant hooks to detect the use of StrictMode APIs, such as StrictMode.setVmPolicy and StrictMode.VmPolicy.Builder.penaltyLog().
+status: new
 ---
+
+## Overview
+
+This test checks whether the app uses `StrictMode` by dynamically analyzing the app's behavior and placing relevant hooks to detect the use of `StrictMode` APIs, such as `StrictMode.setVmPolicy` and `StrictMode.VmPolicy.Builder.penaltyLog`.
+
+While `StrictMode` is useful for developers to log policy violations such as disk I/O or network operations in production apps, it can expose sensitive implementation details in the logs that could be exploited by attackers.
+
+## Steps
+
+1. Run a dynamic analysis tool like @MASTG-TOOL-0039 and look for uses of `StrictMode` APIs.
+
+## Observation
+
+The output should show the runtime usage of `StrictMode` APIs.
+
+## Evaluation
+
+The test fails if the Frida script output shows the runtime usage of `StrictMode` APIs.

tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0265.md

@@ -5,6 +5,22 @@ id: MASTG-TEST-0265
 type: [static]
 weakness: MASWE-0094
 best-practices: []
-status: draft
-note: This test checks whether the app uses StrictMode APIs, which can expose sensitive implementation details in the logs.
+status: new
 ---
+
+## Overview
+
+This test checks whether the app uses `StrictMode`, which while useful for developers to log policy violations such as disk I/O or network operations in production apps, can expose sensitive implementation details in the logs that could be exploited by attackers.
+
+## Steps
+
+1. Use @MASTG-TOOL-0110 to identify all instances of `StrictMode`
+   APIs.
+
+## Observation
+
+The output should identify all instances of `StrictMode` usage in the app.
+
+## Evaluation
+
+The test fails if the app uses `StrictMode` APIs.