
MASTG-TECH-0014: Static Analysis on Android

Static analysis is a technique used to examine and evaluate the source code of a mobile application without executing it. This method is instrumental in identifying potential security vulnerabilities, coding errors, and compliance issues. Static analysis tools can scan the entire codebase automatically, making them a valuable asset for developers and security auditors.

Two good examples of static analysis tools are grep and semgrep. However, there are many other tools available, and you should choose the one that best fits your needs.

Example: Using grep for Manifest Analysis in Android Apps

One simple yet effective use of static analysis is using the grep command-line tool to inspect an app's AndroidManifest.xml file. Note that the manifest packaged inside an APK is stored as binary XML, so decode it first (for example with apktool) before searching it as text. For example, you can extract the minimum SDK version (which indicates the lowest version of Android the app supports) with the following grep command:

grep 'android:minSdkVersion' AndroidManifest.xml

This command searches for the android:minSdkVersion attribute within the manifest file. Ensuring a higher minSdkVersion can reduce security risks, as older versions of Android may not include the latest security features and fixes.

Example: Using semgrep for Identifying Seeds With Insufficient Entropy

semgrep is a more advanced tool that can be used for pattern matching in code. It's particularly useful for identifying complex coding patterns that might lead to security vulnerabilities. For example, to find instances where a deterministic seed is used with the SecureRandom class (which can compromise the randomness and thus the security), you can use a semgrep rule like:

rules:
  - id: insecure-securerandom-seed
    patterns:
      - pattern: new SecureRandom($SEED)
      - pattern-not: $SEED = null
    message: "Using a deterministic seed with SecureRandom. Consider using a more secure seed."
    languages: [java]
    severity: WARNING

This rule will flag any instances in the code where SecureRandom is initialized with a specific seed, excluding cases where the seed is null (which implies a secure random seed).
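As an added example (not code from the MASTG page), the following Python script reproduces both checks above without the external tools: it reads android:minSdkVersion from a decoded manifest and mirrors the semgrep rule's logic for seeded SecureRandom constructors, run over constructed input. All function and sample names are my own choices.

```python
# Added example (not MASTG's code): Python checks mirroring the grep and semgrep
# examples above, run over constructed input. All names are my own choices.
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed, already-decoded manifest (an APK's manifest is binary XML).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="34"/>
</manifest>"""

# Constructed Java with unseeded, null-seeded and deterministically seeded constructors.
SAMPLE_JAVA = """import java.security.SecureRandom;
public class KeyGen {
    SecureRandom good = new SecureRandom();
    SecureRandom skipped = new SecureRandom(null);
    SecureRandom bad = new SecureRandom("fixed-seed".getBytes());
    SecureRandom worse = new SecureRandom(new byte[]{1, 2, 3});
}"""

def min_sdk_version(manifest_xml: str):
    """Return android:minSdkVersion as an int, or None if <uses-sdk> is absent."""
    uses_sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    if uses_sdk is None:
        return None
    value = uses_sdk.get("{%s}minSdkVersion" % ANDROID_NS)
    return int(value) if value is not None else None

CTOR = re.compile(r"new\s+SecureRandom\s*\(")

def _balanced_args(line: str, open_idx: int):
    """Text between the '(' at open_idx and its matching ')', or None if unbalanced."""
    depth = 0
    for i in range(open_idx, len(line)):
        depth += {"(": 1, ")": -1}.get(line[i], 0)
        if depth == 0:
            return line[open_idx + 1:i]
    return None

def find_seeded_securerandom(java_src: str):
    """Mirror the semgrep rule: (line, seed) for seeded SecureRandom, excluding null."""
    findings = []
    for lineno, line in enumerate(java_src.splitlines(), start=1):
        for m in CTOR.finditer(line):
            args = _balanced_args(line, m.end() - 1)
            seed = (args or "").strip()
            if seed and seed != "null":
                findings.append((lineno, seed))
    return findings
```

The seed scanner is line-based on purpose: it keeps the logic readable, but a constructor call split across lines would be missed, which is exactly the kind of gap a real parser such as semgrep closes.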

Tests

MASTG-TEST-0231: References to Logging APIs
MASTG-TEST-0202: References to APIs and Permissions for Accessing External Storage
MASTG-TEST-0318: References to SDK APIs Known to Handle Sensitive User Data
MASTG-TEST-0291: References to Screen Capturing Prevention APIs
MASTG-TEST-0315: Sensitive Data Exposed via Notifications
MASTG-TEST-0316: App Exposing User Authentication Data in Text Input Fields
MASTG-TEST-0258: References to Keyboard Caching Attributes in UI Elements
MASTG-TEST-0245: References to Platform Version APIs
MASTG-TEST-0283: Incorrect Implementation of Server Hostname Verification
MASTG-TEST-0282: Unsafe Custom Trust Evaluation
MASTG-TEST-0295: GMS Security Provider Not Updated
MASTG-TEST-0217: Insecure TLS Protocols Explicitly Allowed in Code
MASTG-TEST-0284: Incorrect SSL Error Handling in WebViews
MASTG-TEST-0234: Missing Implementation of Server Hostname Verification with SSLSockets
MASTG-TEST-0233: Hardcoded HTTP URLs
MASTG-TEST-0227: Debugging Enabled for WebViews
MASTG-TEST-0265: References to StrictMode APIs
MASTG-TEST-0221: Broken Symmetric Encryption Algorithms
MASTG-TEST-0212: Use of Hardcoded Cryptographic Keys in Code
MASTG-TEST-0307: References to Asymmetric Key Pairs Used For Multiple Purposes
MASTG-TEST-0312: References to Explicit Security Provider in Cryptographic APIs
MASTG-TEST-0205: Non-random Sources Usage
MASTG-TEST-0232: Broken Symmetric Encryption Modes
MASTG-TEST-0204: Insecure Random API Usage

Demos

MASTG-DEMO-0048: SSLSocket Connection to Wrong Host Server Allowed by Lack of HostnameVerifier
MASTG-DEMO-0049: SSLSocket Connection to Wrong Host Server Blocked by HostnameVerifier