MASTG-TEST-0044: Make Sure That Free Security Features Are Activated

Deprecated Test

This test is deprecated and should not be used anymore. Reason: New version available in MASTG V2

Please check the following MASTG v2 tests that cover this v1 test:

• Position Independent Code (PIC) Not Enabled
• Stack Canaries Not Enabled

Overview

Static Analysis

Test the app native libraries to determine if they have the PIE and stack smashing protections enabled.

You can use radare2 for Android to get the binary information. We'll use the Android UnCrackable L4 v1.0 APK as an example.

All native libraries must have canary and pic both set to true.

That's the case for libnative-lib.so:

rabin2 -I lib/x86_64/libnative-lib.so | grep -E "canary|pic"
canary   true
pic      true

But not for libtool-checker.so:

rabin2 -I lib/x86_64/libtool-checker.so | grep -E "canary|pic"
canary   false
pic      true

In this example, libtool-checker.so must be recompiled with stack smashing protection support.