MASTG-DEMO-0024: Uses of Caching UI Elements with semgrep

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).

Sample

The code sample defines a method that creates a popup dialog for user input where 3 text input fields (EditText) are instantiated. For each EditText, the inputType property is set to define the type of input expected:

  • password: expected not to be cached, due to TYPE_TEXT_VARIATION_PASSWORD
  • passphrase: expected to be cached, due to TYPE_CLASS_TEXT
  • PIN: expected to be cached, due to TYPE_CLASS_NUMBER, despite initially being set to TYPE_NUMBER_VARIATION_PASSWORD

A dialog is also created using AlertDialog.Builder, and it includes "Sign Up" and "Cancel" buttons.

Steps

Let's run the semgrep rule against the sample code. The rule uses a pattern that captures every call to setInputType along with its argument.

../../../../rules/mastg-android-keyboard-cache-input-types.yml
rules:
  - id: mastg-android-non-caching-input-types
    severity: WARNING
    languages:
      - java
    metadata:
      summary: This rule scans all usages of setInputType().
    message: "[MASVS-STORAGE] Set input type detected ($OBJ) with $ARG"
    patterns:
      - pattern: $OBJ.setInputType($ARG)
run.sh
NO_COLOR=true semgrep -c ../../../../rules/mastg-android-keyboard-cache-input-types.yml ./MastgTest_reversed.java > output.txt

Observation

The rule has detected several instances. For each one, the output shows:

  • The line number.
  • The object name in the reversed code (e.g. $this$showPopup_u24lambda_u241 or input3).
  • The setInputType method itself.
  • The argument including the input type value (e.g., 129).
output.txt
┌─────────────────┐
 4 Code Findings 
└─────────────────┘

    MastgTest_reversed.java
    ❯❱ rules.mastg-android-keyboard-cache-input-types
          [MASVS-STORAGE] Set input type detected ($this$showPopup_u24lambda_u241) with 129

           35 $this$showPopup_u24lambda_u241.setInputType(129);
            ⋮┆----------------------------------------
    ❯❱ rules.mastg-android-keyboard-cache-input-types
          [MASVS-STORAGE] Set input type detected ($this$showPopup_u24lambda_u242) with 1

           38 $this$showPopup_u24lambda_u242.setInputType(1);
            ⋮┆----------------------------------------
    ❯❱ rules.mastg-android-keyboard-cache-input-types
          [MASVS-STORAGE] Set input type detected (input3) with 18

           41 input3.setInputType(18);
            ⋮┆----------------------------------------
    ❯❱ rules.mastg-android-keyboard-cache-input-types
          [MASVS-STORAGE] Set input type detected (input3) with 2

           42 input3.setInputType(2);

Evaluation

The test fails because the app doesn't use non-caching input types for some sensitive fields. Only the first input field (password) is configured correctly. The other two fields (passphrase and PIN) are set to caching input types.

See the Android InputType documentation for details about what each numeric value represents.

(PASS) Object showPopup_u24lambda_u241 is set to 129:

129 & 0x0000000F  #   1 (TYPE_CLASS_TEXT)
129 & 0x00000FF0  # 128 (TYPE_TEXT_VARIATION_PASSWORD)

This is correct because it prevents the password from being cached.

(FAIL) Object showPopup_u24lambda_u242 is set to 1 (TYPE_CLASS_TEXT).

1 & 0x0000000F  #   1 (TYPE_CLASS_TEXT)

This is incorrect because it allows the passphrase to be cached. The correct value should be 129 (TYPE_CLASS_TEXT | TYPE_TEXT_VARIATION_PASSWORD).

(FAIL) Object input3 is first set to 18:

18 & 0x0000000F  #   2 (TYPE_CLASS_NUMBER)
18 & 0x00000FF0  #  16 (TYPE_NUMBER_VARIATION_PASSWORD)

This would be correct on its own. However, the reversed code contains a second setInputType call on the same object that sets the input type to 2 (TYPE_CLASS_NUMBER), which is a caching input type:

2 & 0x0000000F  #   2 (TYPE_CLASS_NUMBER)

This is incorrect because it allows the PIN to be cached. The correct value should be 18 (TYPE_CLASS_NUMBER | TYPE_NUMBER_VARIATION_PASSWORD).
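
The evaluation above can be automated. The following is an added example, not part of the original demo or the MASTG repository: it decodes each setInputType argument with the class and variation masks and judges every object by its last call, which is what catches the overwritten PIN field. It assumes straight-line code (calls listed in execution order) and treats only the two password variations named on this page as non-caching; the function names and the SAMPLE text are constructed for illustration.

```python
import re

# Android InputType constants (values from the Android InputType documentation).
TYPE_MASK_CLASS = 0x0000000F
TYPE_MASK_VARIATION = 0x00000FF0
TYPE_CLASS_TEXT = 1
TYPE_CLASS_NUMBER = 2
TYPE_TEXT_VARIATION_PASSWORD = 128
TYPE_NUMBER_VARIATION_PASSWORD = 16

# Assumption: only the two (class, variation) pairs named on this page count
# as non-caching here. Every other combination is reported as caching.
NON_CACHING = {
    (TYPE_CLASS_TEXT, TYPE_TEXT_VARIATION_PASSWORD),
    (TYPE_CLASS_NUMBER, TYPE_NUMBER_VARIATION_PASSWORD),
}

# Constructed sample: the four matched source lines shown in output.txt.
SAMPLE = """\
35 $this$showPopup_u24lambda_u241.setInputType(129);
38 $this$showPopup_u24lambda_u242.setInputType(1);
41 input3.setInputType(18);
42 input3.setInputType(2);
"""

# "<line number> <object>.setInputType(<decimal literal>);"
CALL = re.compile(r"^\s*(\d+)\s+(\S+)\.setInputType\((\d+)\);", re.M)


def is_non_caching(value):
    """Split the value into class and variation bits and check the pair."""
    return (value & TYPE_MASK_CLASS, value & TYPE_MASK_VARIATION) in NON_CACHING


def evaluate(text):
    """Return {object: (line, value, verdict)} based on the LAST call per object."""
    final = {}
    for line, obj, arg in CALL.findall(text):
        value = int(arg)
        # A later setInputType() on the same object overwrites the earlier one.
        final[obj] = (int(line), value, "PASS" if is_non_caching(value) else "FAIL")
    return final


if __name__ == "__main__":
    for obj, (line, value, verdict) in evaluate(SAMPLE).items():
        print(f"({verdict}) {obj} ends as {value} (line {line})")
```

Findings whose argument is not a decimal literal (for example a variable or a constant expression) are skipped by this parser and still need manual review.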