MASTG-TEST-0295: GMS Security Provider Not Updated
Overview
This test checks whether the Android app ensures the Security Provider is updated to mitigate SSL/TLS vulnerabilities. The provider should be updated using Google Play Services APIs, and the implementation should handle exceptions properly.
Steps
- Reverse engineer the app (Decompiling Java Code).
- Use static analysis (Static Analysis on Android) to search for usage of ProviderInstaller.installIfNeeded or ProviderInstaller.installIfNeededAsync.
Observation
The output should list all locations where the Security Provider update is performed and how exceptions are handled (for installIfNeeded), or how the ProviderInstallListener handles errors (for installIfNeededAsync).
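One way to produce this listing from decompiled Java sources, as an added example that is not part of the MASTG page or its tooling: it reports each ProviderInstaller call site and applies a file-level heuristic for error handling. The helper name scan_source, the file paths and the sample sources are constructed for illustration; whether the handlers do anything useful, and whether the call precedes network use, still needs manual review.

```python
import re

# Call names are from the test; exception and listener names are Google Play services'.
CALL_RE = re.compile(r"ProviderInstaller\s*\.\s*(installIfNeeded(?:Async)?)\s*\(")
CATCH_RE = re.compile(r"catch\s*\(([^)]*)\)")
SYNC_EXCEPTIONS = {"GooglePlayServicesRepairableException",
                   "GooglePlayServicesNotAvailableException"}
CATCH_ALL = {"Exception", "Throwable"}

def scan_source(path, text):
    """List ProviderInstaller call sites with a file-level error-handling heuristic."""
    caught = set()
    for clause in CATCH_RE.findall(text):
        caught.update(re.findall(r"\w+", clause))  # type names (and variable names)
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = CALL_RE.search(line)
        if match is None:
            continue
        api = match.group(1)
        if api == "installIfNeeded":
            missing = set() if caught & CATCH_ALL else SYNC_EXCEPTIONS - caught
            handled = not missing
            note = "uncaught: " + ", ".join(sorted(missing)) if missing else "exceptions caught"
        else:
            handled = "onProviderInstallFailed" in text
            note = "failure callback " + ("present" if handled else "not found in file")
        findings.append({"file": path, "line": lineno, "api": api,
                         "handled": handled, "note": note})
    return findings

# Constructed samples standing in for decompiled output (not from a real app).
SAMPLES = {
    "com/example/App.java": """\
try {
    ProviderInstaller.installIfNeeded(this);
} catch (GooglePlayServicesRepairableException e) { notifyUser(e); }
""",
    "com/example/SyncJob.java": """\
ProviderInstaller.installIfNeededAsync(context, this);
public void onProviderInstallFailed(int errorCode, Intent recoveryIntent) { abort(); }
""",
}

if __name__ == "__main__":
    for path, text in SAMPLES.items():
        for f in scan_source(path, text):
            print(f"{f['file']}:{f['line']} {f['api']} handled={f['handled']} ({f['note']})")
```

A file with no findings at all is also a result: if no source file in the app yields a call site, the app never updates the provider.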
Evaluation
The test fails if the app does not update the provider or does not handle exceptions properly. Check that these calls occur before any network connections are made.