MASTG-TEST-0040: Testing for Debugging Symbols
This test will be updated soon
The test can be used in its current form, but it will receive a complete overhaul as part of the new OWASP MASTG v2 guidelines.
Help us out by submitting a PR for: MASTG v1->v2 MASTG-TEST-0040: Testing for Debugging Symbols (android)
Overview¶
Static Analysis¶
Symbols are usually stripped during the build process, so you need the compiled bytecode and libraries to make sure that unnecessary metadata has been discarded.
First, find the nm
binary in your Android NDK and export it (or create an alias).
export NM = $ANDROID_NDK_DIR/toolchains/arm-linux-androideabi-4.9/prebuilt/darwin-x86_64/bin/arm-linux-androideabi-nm
To display debug symbols:
$NM -a libfoo.so
/tmp/toolchains/arm-linux-androideabi-4.9/prebuilt/darwin-x86_64/bin/arm-linux-androideabi-nm: libfoo.so: no symbols
To display dynamic symbols:
$NM -D libfoo.so
Alternatively, open the file in your favorite disassembler and check the symbol tables manually.
Dynamic symbols can be stripped via the visibility
compiler flag. Adding this flag causes gcc to discard the function names while preserving the names of functions declared as JNIEXPORT
.
Make sure that the following has been added to build.gradle:
externalNativeBuild {
cmake {
cppFlags "-fvisibility=hidden"
}
}
Dynamic Analysis¶
Static analysis should be used to verify debugging symbols.