MASTG-TEST-0202: References to APIs and Permissions for Accessing External Storage

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).

Send Feedback

Overview

This test uses static analysis to look for uses of APIs allowing an app to write to locations that are shared with other apps ( Testing Local Storage for Sensitive Data) such as the external storage APIs or the MediaStore API as well as the relevant Android manifest storage-related permissions.

This static test is great for identifying all code locations where the app is writing data to shared storage. However, it does not provide the actual data being written, and in some cases, the actual path in the device storage where the data is being written. Therefore, it is recommended to combine this test with others that take a dynamic approach, as this will provide a more complete view of the data being written to shared storage.

Steps

1. Reverse engineer the app ( Decompiling Java Code).
2. Run a static analysis ( Static Analysis on Android) tool on the reverse engineered app targeting calls to any external storage APIs and Android manifest storage permissions.

The static analysis tool should be able to identify all possible APIs and permissions used to write to shared storage, such as getExternalStoragePublicDirectory, getExternalStorageDirectory, getExternalFilesDir, MediaStore, WRITE_EXTERNAL_STORAGE, and MANAGE_EXTERNAL_STORAGE. See the Android documentation for more information on these APIs and permissions.

Observation

The output should contain a list of APIs and storage-related permissions used to write to shared storage and their code locations.

Evaluation

The test case fails if:

• the app has the proper permissions declared in the Android manifest (e.g. WRITE_EXTERNAL_STORAGE, MANAGE_EXTERNAL_STORAGE, etc.)
• and the data being written to shared storage is sensitive and not encrypted.

To determine the latter, you may need to carefully review the reversed code ( Reviewing Decompiled Java Code) and/or combine this test with others that take a dynamic approach, as this will provide a more complete view of the data being written to shared storage.

References

• Manage all files on a storage device
• Access media files from shared storage

Demos

MASTG-DEMO-0003: App Writing to External Storage without Scoped Storage Restrictions MASTG-DEMO-0005: App Writing to External Storage via the MediaStore API MASTG-DEMO-0004: App Writing to External Storage with Scoped Storage Restrictions