Merge pull request #15 from mindedsecurity/development

Merge with Development

Author: gand3lf

LICENSE

@@ -1,8 +1,7 @@
 # Semgrep Rules for Android Application Security
 
 [![Owasp-MASTG](https://img.shields.io/badge/OWASP_MASTG-v1.5.0-blue)](https://github.com/OWASP/owasp-mastg/tree/v1.5.0)
-[![Semgrep](https://img.shields.io/badge/Semgrep-v1.27.0-green)](https://semgrep.dev/)
-[![License](https://img.shields.io/badge/License-GPL3.0-orange)](https://www.gnu.org/licenses/gpl-3.0.html)
+[![Semgrep](https://img.shields.io/badge/Semgrep-v1.55.0-orange)](https://semgrep.dev/)
 
 This project is a compilation of [Semgrep](https://semgrep.dev/) rules derived from the OWASP Mobile Application Security Testing Guide ([MASTG](https://mas.owasp.org/MASTG/)) specifically for Android applications.  
 The aim is to enhance and support Mobile Application Penetration Testing (MAPT) activities conducted by the ethical hacker community.
@@ -40,7 +39,7 @@ Performance tips:
 
 >_2. Make sure to launch the scan from the project folder in order to use the provided ".semgrepignore" file. This prevents scanning well-known libraries that could generate a high number of false positives._
 
-### Project Status
+### Project Status :checkered_flag:
 The rules are aligned with the version [1.5.0](https://github.com/OWASP/owasp-mastg/tree/v1.5.0) of the OWASP MASTG. While complete coverage of all tests cannot be guaranteed, the authors have made significant efforts to provide a comprehensive overview of the status of each implemented rule.  
 The presence of False Positives (FP) is expected but limited and efforts have been done to reduce the potential occurrence of False Negatives (FN).
 
@@ -63,7 +62,11 @@ Moreover, the rules that requires a specific knowledge of the application contex
 ### Authors & Contributors :beers: :it:  
 The project was started in March 2023 by the [**IMQ Minded Security**](https://mindedsecurity.com/) team with the purpose to contribute to the ethical hacking and mobile development communities. The company has an ongoing commitment to make customers aware of cyber risks supporting businesses and organizations to build secure products and services.  
 The contribution to this project is totally open with the recommendation to be careful in submitting rules that respect the proposed format.
-- Supervisor: Stefano Di Paola (@WisecWisec)
-- Project leader: Riccardo Cardelli (@gand3lf)
-- Contributors: Andrea Agnello, Christian Cotignola (@b4dsheep), Federico Dotta (@apps3c), Giacomo Zorzin (@gellge), Giovanni Fazi (@giovifazi), Martino Lessio (@mlessio), Maurizio Siddu (@akabe1), Michele Di Bonaventura (@cyberaz0r), Michele Tumolo (@zer0s0urce), Riccardo Granata
+- Supervisor: Stefano Di Paola ([@WisecWisec](https://twitter.com/WisecWisec))
+- Project leader: Riccardo Cardelli ([@gand3lf](https://github.com/gand3lf))
+- Contributors: Andrea Agnello (@AndreNoli), Christian Cotignola (@b4dsheep), Federico Dotta (@apps3c), Giacomo Zorzin (@gellge), Giovanni Fazi (@giovifazi), Martino Lessio (@mlessio), Maurizio Siddu (@akabe1), Michele Di Bonaventura (@cyberaz0r), Michele Tumolo (@zer0s0urce), Riccardo Granata (@riccardogranata)
 
+### Talks & More :microphone:
+- 23 Oct 2023: IMQ Minded Security Blog ([Project's Official Article](https://blog.mindedsecurity.com/2023/10/semgrep-rules-for-android-application.html))  
+- 11 Sep 2023: OWASP Italy Day ([Slides](https://github.com/OWASP/www-chapter-italy/blob/96201991fdfef280a67d3b41b85e7715d53115d8/assets/images/Riccardo%20Cardelli%20-%20OWASP%20Italy%20Day%202023%20-%2011th%20Sept%20PoliMi.pdf))
+- 03 Ago 2023: DevSecCon - Introduzione a SAST e Mobile Security Testing ([YouTube Live](https://youtu.be/ZsZMzGD9-6E))  

README.md

@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:versionCode="1" android:versionName="1.0" package="com.mindedsecurity.secureandroid" platformBuildVersionCode="1" platformBuildVersionName="1">
+    <!-- ruleid: MSTG-NETWORK-1.1 -->
+    <uses-sdk android:minSdkVersion="29" android:targetSdkVersion="11"/>
+    <uses-permission android:name="android.permission.INTERNET"/>
+    <permission android:name="com.mindedsecurity.secureandroid.VIEW_CREDENTIALS" android:protectionLevel="signature"/>
+    <application android:theme="@style/AppTheme" android:label="@string/app_name" android:icon="@mipmap/ic_launcher" android:debuggable="true" android:allowBackup="true" android:supportsRtl="true" android:networkSecurityConfig="@xml/network_security_config">
+        <activity android:name="com.mindedsecurity.secureandroid.MainActivity">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN"/>
+                <category android:name="android.intent.category.LAUNCHER"/>
+            </intent-filter>
+        </activity>
+        <activity android:name="com.mindedsecurity.secureandroid.RootCheckActivity"/>
+        <activity android:name="com.mindedsecurity.secureandroid.EmulatorCheckActivity"/>
+        <activity android:name="com.mindedsecurity.secureandroid.InstallationCheckActivity"/>
+        <activity android:name="com.mindedsecurity.secureandroid.SignatureCheckActivity"/>
+        <activity android:name="com.mindedsecurity.secureandroid.DisablingScreenshotActivity"/>
+        <activity android:name="com.mindedsecurity.secureandroid.DisablingClipboardActivity"/>
+        <activity android:name="com.mindedsecurity.secureandroid.KeychainActivity"/>
+        <activity android:name="com.mindedsecurity.secureandroid.SQLIteActivity"/>
+        <activity android:name="com.mindedsecurity.secureandroid.FileStorageActivity"/>
+        <activity android:name="com.mindedsecurity.secureandroid.URIValidationActivity"/>
+        <activity android:name="com.mindedsecurity.secureandroid.CredentialsActivity" android:permission="com.mindedsecurity.secureandroid.VIEW_CREDENTIALS" android:exported="true"/>
+        <activity android:name="com.mindedsecurity.secureandroid.CustomPermissionsActivity"/>
+        <activity android:name="com.mindedsecurity.secureandroid.SecureCommunicationActivity"/>
+    </application>
+</manifest>

rules/network/mstg-network-1.1.xml

@@ -0,0 +1,29 @@
+rules:
+  - id: MSTG-NETWORK-1.1
+    severity: WARNING
+    languages: 
+      - xml
+    metadata:
+      authors:
+        - Andrea Agnello (IMQ Minded Security)
+        - Riccardo Granata (IMQ Minded Security)
+      owasp-mobile: M1
+      category: security
+      area: storage
+      verification-level: 
+        - L1
+        - L2
+      references:
+        - https://github.com/OWASP/owasp-mastg/blob/v1.5.0/Document/0x05g-Testing-Network-Communication.md#testing-data-encryption-on-the-network-mstg-network-1
+    message: The application transmits information over insecure channels through the use of HttpURLConnection. It is recommended to verify if the Network Security Configuration is appropriately configured to prevent such insecure transmissions.
+    paths:
+      include:
+        - "**/AndroidManifest.xml"
+    pattern-either:
+        - patterns:
+            - pattern: <uses-sdk ... android:targetSdkVersion="$VE" .../>
+            - metavariable-comparison:
+                comparison: int($VE) < 28
+                metavariable: $VE
+        - patterns:
+            - pattern: <application ... android:usesCleartextTraffic="true" ... />

rules/network/mstg-network-1.1.yaml

@@ -0,0 +1,22 @@
+// ruleid: MSTG-NETWORK-1.1
+
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSession;
+import java.io.IOException;
+import java.net.InetSocketAddress;
+
+public class SSLSocketExample {
+
+    public static void main(String[] args) throws IOException {
+        SSLSocket sslSocket = createSSLSocket("example.com", 443);
+        SSLSession sslSession = sslSocket.getSession();
+        String hostname = sslSession.getPeerHost();
+        sslSocket.close();
+    }
+
+    private static SSLSocket createSSLSocket(String host, int port) throws IOException {
+        SSLSocket sslSocket = (SSLSocket) SSLSocketFactory.getDefault().createSocket();
+        sslSocket.connect(new InetSocketAddress(host, port));
+        return sslSocket;
+    }
+}

rules/network/mstg-network-1.2.java

@@ -0,0 +1,49 @@
+rules:
+  - id: MSTG-NETWORK-1.2
+    severity: WARNING
+    languages:
+      - java
+    metadata:
+      authors: 
+        - Riccardo Granata (IMQ Minded Security) 
+        - Andrea Agnello (IMQ Minded Security)
+      owasp-mobile: M1
+      category: security
+      area: storage
+      verification-level:
+        - L1 
+        - L2
+      references:
+        - https://github.com/OWASP/owasp-mastg/blob/v1.5.0/Document/0x05g-Testing-Network-Communication.md#testing-data-encryption-on-the-network-mstg-network-1
+    message: The application could send information over insecure channels or not use the getDefaultHostnameVerifier method for SSLSocket
+    paths:
+      exclude:
+        - "**/okhttp3/**"
+        - "**/volley/**"
+        - "**/okio/**"
+        - "**/retrofit2/**"
+        - "**/Ion/**"
+        - "**/asynchttpclient/**"
+        - "**/fuel/**"
+        - "**/android-async-http/**"
+    pattern-either:
+        - patterns:
+          - pattern-inside: | 
+              $METHOD(...){...}
+          - pattern: Socket $SOCKET = new Socket(...);
+        - patterns:
+          - pattern-inside: |
+              $METHOD(...){...}
+          - pattern: $CONNECTION = (HttpURLConnection) $URI.openConnection();
+        - patterns:     
+            - pattern-either:     
+                - patterns:
+                    - pattern-inside: |
+                        import java.net.Socket;
+                        ...
+                    - pattern-not-regex: .*\.getDefaultHostnameVerifier().* 
+                - patterns:    
+                    - pattern-inside: |
+                        import javax.net.ssl.SSLSocket;
+                        ...
+                    - pattern-not-regex: .*\.getDefaultHostnameVerifier().*         

rules/network/mstg-network-1.2.yaml

@@ -33,7 +33,7 @@ The grade of maturity and the reliability of each rule has been classified accor
 | MSTG-CRYPTO-6      | All random values are generated using a sufficiently secure random number generator.                                                                                                                                                     | L1      | Partial    | :broken_heart:|
 | MSTG-AUTH-1        | If the app provides users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint.                                                                        | L1      | Infeasible    | :x:|
 | MSTG-AUTH-8        | Biometric authentication, if any, is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain/keystore.                                                                 | L2      | Good    | :thumbsup:|
-| MSTG-NETWORK-1     | Data is encrypted on the network using TLS. The secure channel is used consistently throughout the app.                                                                                                                                  | L1      | Soon...    | :clock4:|
+| MSTG-NETWORK-1     | Data is encrypted on the network using TLS. The secure channel is used consistently throughout the app.                                                                                                                                  | L1      | Partial    | :broken_heart:|
 | MSTG-NETWORK-2     | The TLS settings are in line with current best practices, or as close as possible if the mobile operating system does not support the recommended standards.                                                                             | L1      | Complete    | :heavy_check_mark:|
 | MSTG-NETWORK-3     | The app verifies the X.509 certificate of the remote endpoint when the secure channel is established. Only certificates signed by a trusted CA are accepted.                                                                             | L1      | Soon...    | :clock4:|
 | MSTG-NETWORK-4     | The app either uses its own certificate store, or pins the endpoint certificate or public key, and subsequently does not establish connections with endpoints that offer a different certificate or key, even if signed by a trusted CA. | L2      | Partial    | :broken_heart:|