MASTG-TEST-0202: References to APIs and Permissions for Accessing External Storage
Content in BETA
This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).
Overview
This test uses static analysis to look for uses of APIs that allow an app to write to locations shared with other apps (see Testing Local Storage for Sensitive Data), such as the external storage APIs or the MediaStore API, as well as the relevant storage-related permissions declared in the Android manifest.
This static test is well suited to identifying every code location where the app writes data to shared storage. However, it does not reveal the actual data being written and, in some cases, the actual path on the device where the data is written. It is therefore recommended to combine this test with others that take a dynamic approach, as this gives a more complete view of the data being written to shared storage.
Steps
- Reverse engineer the app (see Decompiling Java Code).
- Run a static analysis tool (see Static Analysis on Android) on the reverse engineered app, targeting calls to any external storage APIs and Android manifest storage permissions.
The static analysis tool should be able to identify all possible APIs and permissions used to write to shared storage, such as getExternalStoragePublicDirectory, getExternalStorageDirectory, getExternalFilesDir, MediaStore, WRITE_EXTERNAL_STORAGE, and MANAGE_EXTERNAL_STORAGE. See the Android documentation for more information on these APIs and permissions.
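As an added illustration of the step above (not part of the MASTG test itself, and not one of its demos), the following Python script scans decompiled Java source for the API names listed in this test and reads the storage-related permissions out of AndroidManifest.xml, reporting file and line for each hit. The source file, manifest fragment and the `com.example.app` names are constructed sample input.

```python
import re
import xml.etree.ElementTree as ET

# API and permission names taken from the test text above.
STORAGE_APIS = ("getExternalStoragePublicDirectory", "getExternalStorageDirectory",
                "getExternalFilesDir", "MediaStore")
STORAGE_PERMISSIONS = ("WRITE_EXTERNAL_STORAGE", "MANAGE_EXTERNAL_STORAGE")
API_RE = re.compile(r"\b(" + "|".join(STORAGE_APIS) + r")\b")
ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"


def find_storage_api_calls(sources):
    """sources: {path: decompiled Java text}. Returns (path, line_no, api, line) tuples."""
    hits = []
    for path, text in sources.items():
        for no, line in enumerate(text.splitlines(), 1):
            stripped = line.strip()
            # Skip import lines and line comments: they name the API without calling it.
            if stripped.startswith(("import ", "//")):
                continue
            for m in API_RE.finditer(line):
                hits.append((path, no, m.group(1), stripped))
    return hits


def find_storage_permissions(manifest_xml):
    """Return the storage-related <uses-permission> entries declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [p.get(ANDROID_NAME, "") for p in root.iter("uses-permission")
            if p.get(ANDROID_NAME, "").rsplit(".", 1)[-1] in STORAGE_PERMISSIONS]


# Constructed sample input standing in for a decompiled app.
SAMPLE_SOURCES = {"com/example/app/Exporter.java": """\
package com.example.app;
import android.os.Environment;
import android.provider.MediaStore;
public class Exporter {
    void export(Context ctx, ContentValues values) {
        File dir = Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_DOWNLOADS);
        // getExternalFilesDir is not used here
        Uri u = ctx.getContentResolver().insert(MediaStore.Downloads.EXTERNAL_CONTENT_URI, values);
    }
}
"""}
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
  <uses-permission android:name="android.permission.INTERNET" />
</manifest>"""

if __name__ == "__main__":
    for path, no, api, line in find_storage_api_calls(SAMPLE_SOURCES):
        print(f"{path}:{no}: {api}: {line}")
    print("storage permissions:", find_storage_permissions(SAMPLE_MANIFEST))
```

Each reported location is a candidate only; whether the data written there is sensitive still has to be established by reviewing the code around it or by observing the app at runtime.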
Observation
The output should contain a list of APIs and storage-related permissions used to write to shared storage and their code locations.
Evaluation
The test case fails if:
- the app has the proper permissions declared in the Android manifest (e.g. WRITE_EXTERNAL_STORAGE, MANAGE_EXTERNAL_STORAGE, etc.), and
- the data being written to shared storage is sensitive and not encrypted.
To determine the latter, you may need to carefully review the reversed code (see Reviewing Decompiled Java Code) and/or combine this test with others that take a dynamic approach, as this will provide a more complete view of the data being written to shared storage.
References
Demos
- MASTG-DEMO-0005: App Writing to External Storage via the MediaStore API
- MASTG-DEMO-0003: App Writing to External Storage without Scoped Storage Restrictions
- MASTG-DEMO-0004: App Writing to External Storage with Scoped Storage Restrictions