Port MASTG-TEST-0005: Determining Whether Sensitive Data Is Shared with Third Parties via Notifications (android)

demos/android/MASVS-STORAGE/MASTG-DEMO-xxx/AndroidManifest.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:tools="http://schemas.android.com/tools">
+
+    <uses-permission android:name="android.permission.INTERNET" />
+
+    <uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
+
+    <application
+        android:allowBackup="true"
+        android:dataExtractionRules="@xml/data_extraction_rules"
+        android:fullBackupContent="@xml/backup_rules"
+        android:icon="@mipmap/ic_launcher"
+        android:label="@string/app_name"
+        android:roundIcon="@mipmap/ic_launcher_round"
+        android:supportsRtl="true"
+        android:theme="@style/Theme.MASTestApp"
+        tools:targetApi="31">
+        <activity
+            android:name=".MainActivity"
+            android:exported="true"
+            android:windowSoftInputMode="adjustResize"
+            android:theme="@style/Theme.MASTestApp">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+    </application>
+
+</manifest>

demos/android/MASVS-STORAGE/MASTG-DEMO-xxx/AndroidManifest_reversed.xml

@@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    android:versionCode="1"
+    android:versionName="1.0"
+    android:compileSdkVersion="35"
+    android:compileSdkVersionCodename="15"
+    package="org.owasp.mastestapp"
+    platformBuildVersionCode="35"
+    platformBuildVersionName="15">
+    <uses-sdk
+        android:minSdkVersion="29"
+        android:targetSdkVersion="35"/>
+    <uses-permission android:name="android.permission.INTERNET"/>
+    <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
+    <permission
+        android:name="org.owasp.mastestapp.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION"
+        android:protectionLevel="signature"/>
+    <uses-permission android:name="org.owasp.mastestapp.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION"/>
+    <application
+        android:theme="@style/Theme.MASTestApp"
+        android:label="@string/app_name"
+        android:icon="@mipmap/ic_launcher"
+        android:debuggable="true"
+        android:testOnly="true"
+        android:allowBackup="true"
+        android:supportsRtl="true"
+        android:extractNativeLibs="false"
+        android:fullBackupContent="@xml/backup_rules"
+        android:roundIcon="@mipmap/ic_launcher_round"
+        android:appComponentFactory="androidx.core.app.CoreComponentFactory"
+        android:dataExtractionRules="@xml/data_extraction_rules">
+        <activity
+            android:theme="@style/Theme.MASTestApp"
+            android:name="org.owasp.mastestapp.MainActivity"
+            android:exported="true"
+            android:windowSoftInputMode="adjustResize">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN"/>
+                <category android:name="android.intent.category.LAUNCHER"/>
+            </intent-filter>
+        </activity>
+        <activity
+            android:name="androidx.compose.ui.tooling.PreviewActivity"
+            android:exported="true"/>
+        <activity
+            android:name="androidx.activity.ComponentActivity"
+            android:exported="true"/>
+        <provider
+            android:name="androidx.startup.InitializationProvider"
+            android:exported="false"
+            android:authorities="org.owasp.mastestapp.androidx-startup">
+            <meta-data
+                android:name="androidx.emoji2.text.EmojiCompatInitializer"
+                android:value="androidx.startup"/>
+            <meta-data
+                android:name="androidx.lifecycle.ProcessLifecycleInitializer"
+                android:value="androidx.startup"/>
+            <meta-data
+                android:name="androidx.profileinstaller.ProfileInstallerInitializer"
+                android:value="androidx.startup"/>
+        </provider>
+        <receiver
+            android:name="androidx.profileinstaller.ProfileInstallReceiver"
+            android:permission="android.permission.DUMP"
+            android:enabled="true"
+            android:exported="true"
+            android:directBootAware="false">
+            <intent-filter>
+                <action android:name="androidx.profileinstaller.action.INSTALL_PROFILE"/>
+            </intent-filter>
+            <intent-filter>
+                <action android:name="androidx.profileinstaller.action.SKIP_FILE"/>
+            </intent-filter>
+            <intent-filter>
+                <action android:name="androidx.profileinstaller.action.SAVE_PROFILE"/>
+            </intent-filter>
+            <intent-filter>
+                <action android:name="androidx.profileinstaller.action.BENCHMARK_OPERATION"/>
+            </intent-filter>
+        </receiver>
+    </application>
+</manifest>

demos/android/MASVS-STORAGE/MASTG-DEMO-xxx/MASTG-DEMO-xxx.md

@@ -0,0 +1,39 @@
+---
+platform: android
+title: App Leaking Sensitive Data via Notifications
+id: MASTG-DEMO-xxx // TODO replace with real ID
+code: [kotlin]
+test: MASTG-TEST-00x05 // TODO replace with real ID
+tools: [MASTG-TOOL-0110]
+---
+
+### Sample
+
+The following samples contain:
+
+- the Kotlin code that creates a notification with sensitive data.
+- the AndroidManifest.xml with a `POST_NOTIFICATIONS` permission to post notifications (for above Android API 33).
+
+{{ MastgTest.kt # AndroidManifest.xml }}
+
+### Steps
+
+Let's run our @MASTG-TOOL-0110 rule against the reversed java code.
+
+{{ ../../../../rules/mastg-android-sensitive-data-in-notifications.yml }}
+
+And another one against the sample manifest file.
+
+{{ ../../../../rules/mastg-android-sensitive-data-in-notifications-manifest.yml }}
+
+{{ run.sh }}
+
+### Observation
+
+The rule detected 2 instances in the code where the `setContentTitle` API is used to set the notification title, and 2 instances where the `setContentText` API is used to set the notification text. It also identified the location in the manifest file where the POST_NOTIFICATIONS permission is declared.
+
+{{ output.txt # output2.txt }}
+
+### Evaluation
+
+After reviewing the decompiled code at the location specified in the output (file and line number) we can conclude that the test fails because the file written by this instance contains sensitive data, specifically a first and a last name (PII).

demos/android/MASVS-STORAGE/MASTG-DEMO-xxx/MastgTest.kt

@@ -0,0 +1,61 @@
+package org.owasp.mastestapp
+
+//noinspection SuspiciousImport
+import android.R
+import android.app.Notification
+import android.app.NotificationChannel
+import android.app.NotificationManager
+import android.content.Context
+import androidx.core.app.NotificationCompat
+
+class MastgTest(private val context: Context) {
+
+    val notificationManager =
+        (context.getSystemService(Context.NOTIFICATION_SERVICE) as NotificationManager).apply {
+            createNotificationChannel(
+                NotificationChannel(
+                    "TEST_CHANNEL_ID",
+                    "Test Channel",
+                    NotificationManager.IMPORTANCE_DEFAULT
+                )
+            )
+        }
+
+    val sensitiveTitle = "Hi John Doe"
+    val sensitiveText = "Hi John Doe <- This is a sensitive string containing PII"
+    fun mastgTest(): String {
+
+        notificationManager.notify(1, createNotification())
+        notificationManager.notify(2, createNotificationOnChannel())
+        notificationManager.notify(3, createNotificationCompat())
+        notificationManager.notify(4, createNotificationCompatOnChannel())
+
+        return sensitiveText
+    }
+
+    private fun createNotification() = Notification.Builder(context)
+        .setContentTitle(sensitiveTitle)
+        .setContentText(sensitiveText)
+        .setSmallIcon(R.drawable.ic_menu_info_details)
+        .build()
+
+    private fun createNotificationOnChannel() = Notification.Builder(context, "TEST_CHANNEL_ID")
+        .setContentTitle(sensitiveTitle)
+        .setContentText(sensitiveText)
+        .setSmallIcon(R.drawable.ic_menu_info_details)
+        .build()
+
+    private fun createNotificationCompat() = NotificationCompat.Builder(context)
+        .setContentTitle(sensitiveTitle)
+        .setContentText(sensitiveText)
+        .setSmallIcon(R.drawable.ic_menu_info_details)
+        .build()
+
+    private fun createNotificationCompatOnChannel() =
+        NotificationCompat.Builder(context, "TEST_CHANNEL_ID")
+            .setContentTitle(sensitiveTitle)
+            .setContentText(sensitiveText)
+            .setSmallIcon(R.drawable.ic_menu_info_details)
+            .build()
+
+}

demos/android/MASVS-STORAGE/MASTG-DEMO-xxx/MastgTest_reversed.java

@@ -0,0 +1,52 @@
+package org.owasp.mastestapp;
+
+import android.app.Notification;
+import android.app.NotificationManager;
+import android.content.Context;
+import android.util.Log;
+import kotlin.Metadata;
+import kotlin.jvm.internal.Intrinsics;
+
+/* compiled from: MastgTest.kt */
+@Metadata(d1 = {"\u0000(\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010\u000e\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\b\u0007\u0018\u00002\u00020\u0001B\u000f\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0004\b\u0004\u0010\u0005J\u0006\u0010\n\u001a\u00020\u000bJ\u000e\u0010\f\u001a\u00020\r2\u0006\u0010\u000e\u001a\u00020\u000bJ\u000e\u0010\u000f\u001a\u00020\r2\u0006\u0010\u000e\u001a\u00020\u000bR\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000R\u0011\u0010\u0006\u001a\u00020\u0007¢\u0006\b\n\u0000\u001a\u0004\b\b\u0010\t¨\u0006\u0010"}, d2 = {"Lorg/owasp/mastestapp/MastgTest;", "", "context", "Landroid/content/Context;", "<init>", "(Landroid/content/Context;)V", "notificationManager", "Landroid/app/NotificationManager;", "getNotificationManager", "()Landroid/app/NotificationManager;", "mastgTest", "", "createNotification", "Landroid/app/Notification;", "sensitiveString", "createNotificationOnChannel", "app_debug"}, k = 1, mv = {2, 0, 0}, xi = 48)
+/* loaded from: classes3.dex */
+public final class MastgTest {
+    public static final int $stable = 8;
+    private final Context context;
+    private final NotificationManager notificationManager;
+
+    public MastgTest(Context context) {
+        Intrinsics.checkNotNullParameter(context, "context");
+        this.context = context;
+        Object systemService = this.context.getSystemService("notification");
+        Intrinsics.checkNotNull(systemService, "null cannot be cast to non-null type android.app.NotificationManager");
+        this.notificationManager = (NotificationManager) systemService;
+    }
+
+    public final NotificationManager getNotificationManager() {
+        return this.notificationManager;
+    }
+
+    public final String mastgTest() {
+        Log.d("MASTG-TEST", "Hello from the OWASP MASTG Test app.");
+        Notification it = createNotification("Hello from the OWASP MASTG Test app.");
+        this.notificationManager.notify(1, it);
+        Notification it2 = createNotificationOnChannel("Hello from the OWASP MASTG Test app.");
+        this.notificationManager.notify(2, it2);
+        return "Hello from the OWASP MASTG Test app.";
+    }
+
+    public final Notification createNotification(String sensitiveString) {
+        Intrinsics.checkNotNullParameter(sensitiveString, "sensitiveString");
+        Notification notificationBuild = new Notification.Builder(this.context).setContentTitle("MASTG Test").setContentText(sensitiveString).build();
+        Intrinsics.checkNotNullExpressionValue(notificationBuild, "build(...)");
+        return notificationBuild;
+    }
+
+    public final Notification createNotificationOnChannel(String sensitiveString) {
+        Intrinsics.checkNotNullParameter(sensitiveString, "sensitiveString");
+        Notification notificationBuild = new Notification.Builder(this.context, "TEST_CHANNEL_ID").setContentTitle("MASTG Test").setContentText(sensitiveString).build();
+        Intrinsics.checkNotNullExpressionValue(notificationBuild, "build(...)");
+        return notificationBuild;
+    }
+}

demos/android/MASVS-STORAGE/MASTG-DEMO-xxx/output.txt

@@ -0,0 +1,23 @@
+
+
+┌─────────────────┐
+│ 4 Code Findings │
+└─────────────────┘
+
+    MastgTest_reversed.java
+    ❯❱ rules.mastg-android-sensitive-data-in-notifications
+          [MASVS-STORAGE-2] Ensure that notifications do not contain sensitive information
+
+           41┆ Notification notificationBuild = new                     
+               Notification.Builder(this.context).setContentTitle("MASTG
+               Test").setContentText(sensitiveString).build();          
+            ⋮┆----------------------------------------
+           41┆ Notification notificationBuild = new                     
+               Notification.Builder(this.context).setContentTitle("MASTG
+               Test").setContentText(sensitiveString).build();          
+            ⋮┆----------------------------------------
+           48┆ Notification notificationBuild = new Notification.Builder(this.context,                  
+               "TEST_CHANNEL_ID").setContentTitle("MASTG Test").setContentText(sensitiveString).build();
+            ⋮┆----------------------------------------
+           48┆ Notification notificationBuild = new Notification.Builder(this.context,                  
+               "TEST_CHANNEL_ID").setContentTitle("MASTG Test").setContentText(sensitiveString).build();

demos/android/MASVS-STORAGE/MASTG-DEMO-xxx/output2.txt

@@ -0,0 +1,11 @@
+
+
+┌────────────────┐
+│ 1 Code Finding │
+└────────────────┘
+
+    AndroidManifest_reversed.xml
+    ❯❱ rules.mastg-android-sensitive-data-in-notifications-manifest
+          [MASVS-STORAGE-2] Ensure that notifications do not contain sensitive information
+
+           14┆ <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>

demos/android/MASVS-STORAGE/MASTG-DEMO-xxx/run.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+NO_COLOR=true semgrep -c ../../../../rules/mastg-android-sensitive-data-in-notifications.yml ./MastgTest_reversed.java --text -o output.txt
+
+NO_COLOR=true semgrep -c ../../../../rules/mastg-android-sensitive-data-in-notifications-manifest.yml ./AndroidManifest_reversed.xml --text -o output2.txt

demos/android/MASVS-STORAGE/MASTG-DEMO-xxx/run_after.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+adb shell pm revoke org.owasp.mastestapp android.permission.POST_NOTIFICATIONS

demos/android/MASVS-STORAGE/MASTG-DEMO-xxx/run_before.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+adb shell pm grant org.owasp.mastestapp android.permission.POST_NOTIFICATIONS

rules/mastg-android-sensitive-data-in-notifications-manifest.yml

@@ -0,0 +1,9 @@
+rules:
+  - id: mastg-android-sensitive-data-in-notifications-manifest
+    languages:
+      - xml
+    severity: WARNING
+    metadata:
+      summary: This rule inpects AndroidManifest.xml for notification post permission. Notification may contain sensitive data.
+    message: "[MASVS-STORAGE-2] Ensure that notifications do not contain sensitive information"
+    pattern: android:name="android.permission.POST_NOTIFICATIONS"

rules/mastg-android-sensitive-data-in-notifications.yml

@@ -0,0 +1,11 @@
+rules:
+  - id: mastg-android-sensitive-data-in-notifications
+    languages:
+      - java
+    severity: WARNING
+    metadata:
+      summary: This rule looks for notifications that may contain sensitive data.
+    message: "[MASVS-STORAGE-2] Ensure that notifications do not contain sensitive information"
+    pattern-either:
+      - pattern: $X.setContentTitle(...)
+      - pattern: $X.setContentText(...)

tests-beta/android/MASVS-STORAGE/MASTG-TEST-00x05.md

@@ -0,0 +1,28 @@
+---
+platform: android
+title: Sensitive Data Leaked via Notifications
+id: MASTG-TEST-00x05 // TODO replace with real ID
+apis: [NotificationManager]
+type: [static, dynamic]
+weakness: MASWE-0054
+prerequisites:
+- identify-sensitive-data
+profiles: [L1, L2]
+---
+
+## Overview
+
+This test case checks if the application leaks sensitive data via notifications to third parties.
+
+## Steps
+
+1. Run a static analysis tool such as @MASTG-TOOL-0110 on the app source to identify if the `POST_NOTIFICATIONS` permission is declared in the manifest file (for above Android API 33). That would be an indication that the app creates notifications.
+2. Run a static analysis tool such as @MASTG-TOOL-0110 on the app source, or run the app and use a dynamic analysis with @MASTG-TECH-0033 and a tool like @MASTG-TOOL-0001 and start tracing all calls to functions related to the notifications creation, e.g. `setContentTitle` or `setContentText` from [`Notification.Builder`](https://developer.android.com/reference/android/app/Notification.Builder) or[`NotificationCompat.Builder`](https://developer.android.com/reference/androidx/core/app/NotificationCompat.Builder).
+
+## Observation
+
+The output should contain a list of trace points where notifications are created.
+
+## Evaluation
+
+The test case fails if sensitive data is found to be contained in any notification created by the app.

tests/android/MASVS-STORAGE/MASTG-TEST-0005.md

@@ -9,6 +9,9 @@ masvs_v1_levels:
 - L1
 - L2
 profiles: [L1, L2]
+status: deprecated
+covered_by: [MASWE-00x05]
+deprecation_note: New version available in MASTG V2
 ---
 
 ## Overview