
MASTG-TEST-0005: Determining Whether Sensitive Data Is Shared with Third Parties via Notifications

This test will be updated soon

The test can be used in its current form, but it will receive a complete overhaul as part of the new OWASP MASTG v2 guidelines.


Overview

Static Analysis

Search for any usage of the NotificationManager class, which may indicate some form of notification management. If the class is used, the next step is to understand how the application generates its notifications and which data ends up being shown.

Dynamic Analysis

Run the application and start tracing all calls to functions related to notification creation, e.g. setContentTitle or setContentText from NotificationCompat.Builder. At the end, review the trace and evaluate whether it contains any sensitive information which another app might have eavesdropped.
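
One way to produce the trace described above is a Frida script that hooks the two setters and logs the text passed to them. This is an added example, not part of the original MASTG test. It assumes a Frida runtime that exposes the Java bridge as the global `Java`; the function name traceNotificationText and the report callback are hypothetical names chosen for illustration.

```javascript
// Builder classes an app may use; which ones exist depends on its dependencies.
const BUILDERS = [
  'android.app.Notification$Builder',
  'androidx.core.app.NotificationCompat$Builder',
  'android.support.v4.app.NotificationCompat$Builder', // legacy support library
];
// The setters named in the test; add further CharSequence setters as needed.
const SETTERS = ['setContentTitle', 'setContentText'];

// bridge: Frida's Java bridge. report: callback receiving one event per call.
// Returns the list of "Class.method" names that were actually hooked.
function traceNotificationText(bridge, report) {
  const hooked = [];
  for (const className of BUILDERS) {
    let builder;
    try {
      builder = bridge.use(className);
    } catch (e) {
      continue; // class not present in this app (or renamed by an obfuscator)
    }
    for (const method of SETTERS) {
      if (!builder[method]) continue;
      builder[method].overload('java.lang.CharSequence').implementation = function (text) {
        // A null CharSequence is legal, so guard before converting it.
        report({ className, method, text: text === null ? null : text.toString() });
        return this[method](text); // call the original so the app behaves normally
      };
      hooked.push(className + '.' + method);
    }
  }
  return hooked;
}

// Only runs inside Frida, where the global Java bridge is defined.
if (typeof Java !== 'undefined') {
  Java.perform(() => {
    const hooked = traceNotificationText(Java, (e) => console.log(JSON.stringify(e)));
    console.log('hooked: ' + hooked.join(', '));
  });
}
```

If the hooked list comes back empty, the app builds its notifications through a class not listed in BUILDERS, and the static analysis results should be used to find it.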