MASTG-TEST-0295: GMS Security Provider Not Updated
Overview
This test checks whether the Android app ensures the Security Provider is updated to mitigate SSL/TLS vulnerabilities. The provider should be updated using Google Play Services APIs, and the implementation should handle exceptions properly (see Exception Handling).
Steps
- Reverse engineer the app (Decompiling Java Code).
- Use static analysis (Static Analysis on Android) to search for usage of ProviderInstaller.installIfNeeded or ProviderInstaller.installIfNeededAsync.
Observation
The output should list all locations where the Security Provider update is performed and how exceptions are handled (for installIfNeeded), or how the ProviderInstallListener handles errors (for installIfNeededAsync).
Evaluation
The test fails if the app does not update the provider, or it does not handle exceptions properly. Check that these calls occur before any network connections are made.
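One way to automate the search from the steps and the exception-handling observation over decompiled sources, as an added example that is not part of the MASTG or its tooling. The Java sample is constructed, and scan, its window parameter and the per-file listener check are assumptions of this example; GooglePlayServicesRepairableException and GooglePlayServicesNotAvailableException are the checked exceptions that installIfNeeded throws.

```python
import re

CALL = re.compile(r"ProviderInstaller\.(installIfNeeded(?:Async)?)\s*\(")
SYNC_EXCEPTIONS = ("GooglePlayServicesRepairableException",
                   "GooglePlayServicesNotAvailableException")

# Constructed sample of decompiled Java (not taken from a real app).
SAMPLE = """\
class NetInit {
    void initTls(Context c) throws GooglePlayServicesNotAvailableException {
        try {
            ProviderInstaller.installIfNeeded(c);
        } catch (GooglePlayServicesRepairableException e) {
            notifyUser(e.getConnectionStatusCode());
        }
    }
    void initTlsAsync(Context c, ProviderInstaller.ProviderInstallListener l) {
        ProviderInstaller.installIfNeededAsync(c, l);
    }
}
"""

def scan(source, window=15):
    """Return one finding per ProviderInstaller update call in a Java source."""
    lines = source.splitlines()
    findings = []
    for no, line in enumerate(lines, 1):
        m = CALL.search(line)
        if not m:
            continue
        method, caught = m.group(1), []
        if method == "installIfNeeded":
            # Heuristic: catch clauses in the `window` lines after the call.
            after = "\n".join(lines[no:no + window])
            caught = [e for e in SYNC_EXCEPTIONS
                      if re.search(r"catch\s*\([^)]*\b" + e + r"\b", after)]
            handled = len(caught) == len(SYNC_EXCEPTIONS)
        else:
            # Async failures reach the listener's onProviderInstallFailed;
            # only its presence in the same file is checked here.
            handled = "onProviderInstallFailed" in source
        findings.append({"line": no, "method": method,
                         "caught": caught, "handled": handled})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
```

A finding with handled set to False needs manual review, as does the ordering of the call relative to the app's first network connection, which this check does not cover.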