
MASTG-TECH-0014: Static Analysis on Android

Static analysis is a technique used to examine and evaluate the source code of a mobile application without executing it. This method is instrumental in identifying potential security vulnerabilities, coding errors, and compliance issues. Static analysis tools can scan the entire codebase automatically, making them a valuable asset for developers and security auditors.

Two good examples of static analysis tools are grep and semgrep. However, there are many other tools available, and you should choose the one that best fits your needs.

Example: Using grep for Manifest Analysis in Android Apps

One simple yet effective use of static analysis is using the grep command-line tool to inspect the AndroidManifest.xml file of an Android app. For example, you can extract the minimum SDK version (which indicates the lowest version of Android the app supports) with the following grep command:

grep 'android:minSdkVersion' AndroidManifest.xml

This command searches for the android:minSdkVersion attribute within the manifest file. Ensuring a higher minSdkVersion can reduce security risks, as older versions of Android may not include the latest security features and fixes.
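As an added example (not part of the MASTG page), the following POSIX shell script wraps the grep command above in a small check: it writes a constructed sample manifest, extracts the numeric minSdkVersion with grep and sed, and compares it against a floor value. The manifest content, the directory layout and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not MASTG code: extract android:minSdkVersion from a decoded
# AndroidManifest.xml with grep/sed and compare it against a minimum floor.

# Write a constructed sample manifest to a scratch directory and print its path.
make_sample_manifest() {
  dir=$(mktemp -d)
  cat > "$dir/AndroidManifest.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="34" />
    <application android:label="Example" />
</manifest>
EOF
  echo "$dir/AndroidManifest.xml"
}

# Print the numeric minSdkVersion from the manifest given as $1.
# Prints nothing when the attribute is absent (a project may set it in its
# build configuration instead of the source manifest).
min_sdk_version() {
  grep -o 'android:minSdkVersion="[0-9]*"' "$1" | sed 's/[^0-9]//g'
}

# Return 0 when minSdkVersion ($1 = manifest) is at least the floor ($2),
# 1 when it is lower, and 2 when the attribute could not be found.
check_min_sdk() {
  v=$(min_sdk_version "$1")
  [ -n "$v" ] || return 2
  [ "$v" -ge "$2" ]
}

# Usage: report on the constructed sample against a floor of 23.
manifest=$(make_sample_manifest)
if check_min_sdk "$manifest" 23; then
  echo "minSdkVersion $(min_sdk_version "$manifest") meets the floor"
else
  echo "minSdkVersion $(min_sdk_version "$manifest") is below the floor (or missing)"
fi
```

Because grep is line-oriented, the check only works on a manifest where the attribute is present in plain XML; the manifest inside a compiled APK is binary-encoded and must be decoded first, and a missing attribute in a source manifest usually means the value is injected from the build configuration, so the decoded manifest of the built APK is the authoritative place to read it.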

Example: Using semgrep for Identifying Seeds With Insufficient Entropy

semgrep is a more advanced tool that can be used for pattern matching in code. It's particularly useful for identifying complex coding patterns that might lead to security vulnerabilities. For example, to find instances where a deterministic seed is used with the SecureRandom class (which can compromise the randomness and thus the security), you can use a semgrep rule like:

rules:
  - id: insecure-securerandom-seed
    patterns:
      - pattern: new SecureRandom($SEED)
      # exclude the literal-null argument; an assignment pattern here would never
      # overlap a constructor-call match, so it would not filter anything
      - pattern-not: new SecureRandom(null)
    message: "Using a deterministic seed with SecureRandom. Consider using a more secure seed."
    languages: [java]
    severity: WARNING

This rule will flag any instances in the code where SecureRandom is initialized with a specific seed, excluding cases where the seed is null (which implies a secure random seed).
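As an added example (not part of the MASTG page), the POSIX shell script below writes the rule above into a file together with two constructed Java sources, one containing a seeded SecureRandom that the rule should flag and one containing only the self-seeding forms, and then runs semgrep over them and counts the findings. Checking a rule against known-good and known-bad samples like this before running it on a real codebase is the quickest way to catch a pattern that is too broad or too narrow. The file names, class names and directory layout are assumptions made for this example; the semgrep flags used (`--config`, `--json`, `--quiet`, `--metrics=off`) are real options of the tool.

```shell
#!/bin/sh
# Added example, not MASTG code: exercise the insecure-securerandom-seed rule
# against constructed Java samples with a known expected result.

# Write the rule and two constructed Java files into a scratch directory and print its path.
make_semgrep_fixture() {
  dir=$(mktemp -d)
  cat > "$dir/insecure-securerandom-seed.yaml" <<'EOF'
rules:
  - id: insecure-securerandom-seed
    patterns:
      - pattern: new SecureRandom($SEED)
      - pattern-not: new SecureRandom(null)
    message: "Using a deterministic seed with SecureRandom. Consider using a more secure seed."
    languages: [java]
    severity: WARNING
EOF
  mkdir -p "$dir/src"
  # Expected to be flagged: a constant seed makes the generator's output predictable.
  cat > "$dir/src/Flagged.java" <<'EOF'
import java.security.SecureRandom;
public class Flagged {
    byte[] seed = "fixed-seed".getBytes();
    SecureRandom rng = new SecureRandom(seed);
}
EOF
  # Expected to be clean: the no-argument constructor lets the provider seed itself,
  # and the literal-null call is only here to exercise the rule's pattern-not clause.
  cat > "$dir/src/Clean.java" <<'EOF'
import java.security.SecureRandom;
public class Clean {
    SecureRandom rng = new SecureRandom();
    SecureRandom alsoNotFlagged = new SecureRandom(null);
}
EOF
  echo "$dir"
}

# Print the number of findings the rule produces on the fixture in $1,
# or "skip" when semgrep is not installed on this machine.
count_findings() {
  command -v semgrep >/dev/null 2>&1 || { echo skip; return 0; }
  semgrep --config "$1/insecure-securerandom-seed.yaml" --json --quiet --metrics=off "$1/src" \
    | grep -o '"check_id"' | wc -l | tr -d ' '
}

# Usage: one finding is expected (the seeded constructor in Flagged.java).
fixture=$(make_semgrep_fixture)
echo "findings: $(count_findings "$fixture") (expected 1)"
```

The rule only matches the seeded constructor form; if a codebase seeds through other calls, add a further pattern for them rather than relying on this one rule.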

Tests

MASTG-TEST-0283: Incorrect Implementation of Server Hostname Verification
MASTG-TEST-0295: GMS Security Provider Not Updated
MASTG-TEST-0284: Incorrect SSL Error Handling in WebViews
MASTG-TEST-0282: Unsafe Custom Trust Evaluation
MASTG-TEST-0217: Insecure TLS Protocols Explicitly Allowed in Code
MASTG-TEST-0234: Missing Implementation of Server Hostname Verification with SSLSockets
MASTG-TEST-0205: Non-random Sources Usage
MASTG-TEST-0212: Use of Hardcoded Cryptographic Keys in Code
MASTG-TEST-0208: Insufficient Key Sizes
MASTG-TEST-0221: Broken Symmetric Encryption Algorithms
MASTG-TEST-0204: Insecure Random API Usage
MASTG-TEST-0307: References to Asymmetric Key Pairs Used For Multiple Purposes
MASTG-TEST-0312: References to Explicit Security Provider in Cryptographic APIs
MASTG-TEST-0232: Broken Symmetric Encryption Modes
MASTG-TEST-0338: Integrity and Authenticity Validation of Local Storage Data
MASTG-TEST-0337: References to Object Deserialization of Untrusted Data
MASTG-TEST-0245: References to Platform Version APIs
MASTG-TEST-0339: SQL Injection in Content Providers
MASTG-TEST-0352: References to Debugging Detection APIs
MASTG-TEST-0324: References to Root Detection Mechanisms
MASTG-TEST-0265: References to StrictMode APIs
MASTG-TEST-0247: References to APIs for Detecting Secure Screen Lock
MASTG-TEST-0227: Debugging Enabled for WebViews
MASTG-TEST-0330: References to APIs for Keys used in Biometric Authentication with Extended Validity Duration
MASTG-TEST-0329: References to APIs Enforcing Authentication without Explicit User Action
MASTG-TEST-0326: References to APIs Allowing Fallback to Non-Biometric Authentication
MASTG-TEST-0328: References to APIs Detecting Biometric Enrollment Changes
MASTG-TEST-0327: References to APIs for Event-Bound Biometric Authentication
MASTG-TEST-0206: Undeclared PII in Network Traffic Capture
MASTG-TEST-0318: References to SDK APIs Known to Handle Sensitive User Data
MASTG-TEST-0250: References to Content Provider Access in WebViews
MASTG-TEST-0291: References to Screen Capturing Prevention APIs
MASTG-TEST-0315: Sensitive Data Exposed via Notifications
MASTG-TEST-0334: Native Code Exposed Through WebViews
MASTG-TEST-0340: References to Overlay Attack Protections
MASTG-TEST-0258: References to Keyboard Caching Attributes in UI Elements
MASTG-TEST-0316: App Exposing User Authentication Data in Text Input Fields
MASTG-TEST-0252: References to Local File Access in WebViews
MASTG-TEST-0231: References to Logging APIs
MASTG-TEST-0202: References to APIs and Permissions for Accessing External Storage

Demos

MASTG-DEMO-0049: SSLSocket Connection to Wrong Host Server Blocked by HostnameVerifier
MASTG-DEMO-0048: SSLSocket Connection to Wrong Host Server Allowed by Lack of HostnameVerifier