
MASTG-DEMO-0061: Uses of FLAG_SECURE with semgrep


Sample

The sample uses the addFlags method to set the FLAG_SECURE window flag on an activity that displays sensitive data.

MastgTest.kt
package org.owasp.mastestapp

import android.app.Activity
import android.content.Context
import android.view.WindowManager.LayoutParams

class MastgTest(private val context: Context) {

    var shouldRunInMainThread: Boolean = true

    fun mastgTest(): String {
        if (context is Activity) {
            context.window.addFlags(LayoutParams.FLAG_SECURE)

            return "SUCCESS!!\n\nThe FLAG_SECURE has been set"
        } else {
            return "ERROR: Context is not an Activity"
        }
    }
}
MastgTest_reversed.java
package org.owasp.mastestapp;

import android.app.Activity;
import android.content.Context;
import kotlin.Metadata;
import kotlin.jvm.internal.Intrinsics;

/* compiled from: MastgTest.kt */
@Metadata(d1 = {"\u0000 \n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010\u000b\n\u0002\b\u0005\n\u0002\u0010\u000e\n\u0000\b\u0007\u0018\u00002\u00020\u0001B\u000f\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0004\b\u0004\u0010\u0005J\u0006\u0010\f\u001a\u00020\rR\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000R\u001a\u0010\u0006\u001a\u00020\u0007X\u0086\u000e¢\u0006\u000e\n\u0000\u001a\u0004\b\b\u0010\t\"\u0004\b\n\u0010\u000b¨\u0006\u000e"}, d2 = {"Lorg/owasp/mastestapp/MastgTest;", "", "context", "Landroid/content/Context;", "<init>", "(Landroid/content/Context;)V", "shouldRunInMainThread", "", "getShouldRunInMainThread", "()Z", "setShouldRunInMainThread", "(Z)V", "mastgTest", "", "app_debug"}, k = 1, mv = {2, 0, 0}, xi = 48)
/* loaded from: classes3.dex */
public final class MastgTest {
    public static final int $stable = 8;
    private final Context context;
    private boolean shouldRunInMainThread;

    public MastgTest(Context context) {
        Intrinsics.checkNotNullParameter(context, "context");
        this.context = context;
        this.shouldRunInMainThread = true;
    }

    public final boolean getShouldRunInMainThread() {
        return this.shouldRunInMainThread;
    }

    public final void setShouldRunInMainThread(boolean z) {
        this.shouldRunInMainThread = z;
    }

    public final String mastgTest() {
        if (this.context instanceof Activity) {
            ((Activity) this.context).getWindow().addFlags(8192);
            return "SUCCESS!!\n\nThe FLAG_SECURE has been set";
        }
        return "ERROR: Context is not an Activity";
    }
}

Steps

Let's run our semgrep rule against the reversed Java code.

../../../../rules/mastg-android-sensitive-data-in-screenshot.yml
rules:
  - id: mastg-android-flag-secure-enable-flags
    severity: INFO
    languages: [java]
    metadata:
      summary: Window uses FLAG_SECURE to block screenshots.
    message: "[MASVS-PLATFORM] Make sure you use this flag for all screens with sensitive data"
    pattern-either:
      - patterns:
          - pattern: $W.addFlags($F)
          - metavariable-regex:
              metavariable: $F
              regex: ^(FLAG_SECURE|8192|0x2000)$
      - patterns:
          - pattern: $W.setFlags($FLAGS, $FLAGS)
          - metavariable-regex:
              metavariable: $FLAGS
              regex: ^(FLAG_SECURE|8192|0x2000)$
run.sh
NO_COLOR=true semgrep -c ../../../../rules/mastg-android-sensitive-data-in-screenshot.yml ./MastgTest_reversed.java > output.txt

Observation

The rule has identified one location in the code file where the app has set the FLAG_SECURE window flag using the addFlags method.

output.txt
┌────────────────┐
 1 Code Finding 
└────────────────┘

    MastgTest_reversed.java
      rules.mastg-android-flag-secure-enable-flags
          [MASVS-PLATFORM] Make sure you use this flag for all screens with sensitive data

           32 ((Activity) this.context).getWindow().addFlags(8192);

Evaluation

This test passes because the app used the addFlags method to set the FLAG_SECURE window flag on an activity that displays sensitive data.
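The rule above matches the flag argument of addFlags/setFlags only when it is exactly FLAG_SECURE or its numeric value (8192, i.e. 0x2000), which is why it still fires on the decompiled line where the constant has been inlined. The following Python script is an added example, not part of this demo or of the MASTG rule set: it mirrors the rule's metavariable-regex as a plain textual check over a few constructed decompiled-style lines (including the line reported in output.txt), and it also shows the caveat that an integer literal carrying FLAG_SECURE combined with another flag bit (for example 8320, FLAG_SECURE | FLAG_KEEP_SCREEN_ON) is not reported by the exact-match regex, so a reviewer should not read "no finding" as "FLAG_SECURE absent". The sample lines and helper names are constructed for illustration.

```python
import re

# WindowManager.LayoutParams.FLAG_SECURE is 0x2000 (8192); decompilers inline it.
FLAG_SECURE_VALUE = 0x2000

# Same anchored alternation as the rule's metavariable-regex on this page.
FLAG_RE = re.compile(r"^(FLAG_SECURE|8192|0x2000)$")

# Crude textual analogues of the semgrep patterns $W.addFlags($F) and
# $W.setFlags($FLAGS, $FLAGS); good enough for single-line decompiled calls.
ADD_RE = re.compile(r"\.addFlags\(\s*([^()]*?)\s*\)")
SET_RE = re.compile(r"\.setFlags\(\s*([^(),]*?)\s*,\s*([^(),]*?)\s*\)")

# Constructed sample: line 3 is the decompiled call reported in output.txt,
# the others are variations added to exercise the rule's behaviour.
SAMPLE_JAVA = [
    "    public final String mastgTest() {",
    "        if (this.context instanceof Activity) {",
    "            ((Activity) this.context).getWindow().addFlags(8192);",
    "            getWindow().setFlags(FLAG_SECURE, FLAG_SECURE);",
    "            getWindow().addFlags(8320);",  # 8192 | 128: FLAG_SECURE | FLAG_KEEP_SCREEN_ON
    "            getWindow().addFlags(FLAG_SECURE | FLAG_KEEP_SCREEN_ON);",
    "            getWindow().clearFlags(8192);",  # removes the flag; not a setter
    "        }",
]


def find_flag_secure(lines):
    """Return (line_no, matched call text) for each line the rule's patterns would flag."""
    findings = []
    for no, line in enumerate(lines, start=1):
        m = ADD_RE.search(line)
        if m and FLAG_RE.match(m.group(1).strip()):
            findings.append((no, m.group(0)))
            continue
        m = SET_RE.search(line)
        if m and m.group(1).strip() == m.group(2).strip() and FLAG_RE.match(m.group(1).strip()):
            findings.append((no, m.group(0)))
    return findings


def flag_secure_in_value(expr):
    """True if expr is an integer literal (decimal or 0x...) with the FLAG_SECURE bit set."""
    try:
        return bool(int(expr, 0) & FLAG_SECURE_VALUE)
    except ValueError:
        return False


def combined_literals_missed(lines):
    """Caveat: addFlags() calls whose integer literal includes FLAG_SECURE but which the
    rule's exact-match regex does not report (combined flag values)."""
    missed = []
    for no, line in enumerate(lines, start=1):
        m = ADD_RE.search(line)
        if m:
            arg = m.group(1).strip()
            if not FLAG_RE.match(arg) and flag_secure_in_value(arg):
                missed.append((no, arg))
    return missed


if __name__ == "__main__":
    for no, call in find_flag_secure(SAMPLE_JAVA):
        print(f"line {no}: matched by rule -> {call}")
    for no, arg in combined_literals_missed(SAMPLE_JAVA):
        print(f"line {no}: FLAG_SECURE bit present in {arg} but not matched by the rule")
```

Running the script reports lines 3 and 4 as the rule would, and separately points out line 5, where the FLAG_SECURE bit is present in a combined literal that the anchored regex does not recognise; symbolic combinations such as line 6 are likewise outside the rule's pattern, so such calls need a manual look when evaluating this test.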