MASTG-TEST-0201: Runtime Use of APIs to Access External Storage
Overview
Android apps use a variety of APIs to access the external storage (see External Storage). Collecting a comprehensive list of these APIs can be challenging, especially if an app uses a third-party framework, loads code at runtime, or includes native code.
The most effective approach to testing applications that write to device storage is usually dynamic analysis, and specifically method hooking. You can use it to hook into the relevant APIs such as getExternalStorageDirectory, getExternalStoragePublicDirectory, getExternalFilesDir or FileOutputStream. You could also hook open as a catch-all for file interactions. However, this won't catch all file interactions (for example those that go through the MediaStore API), and it should be combined with additional filtering because it generates a lot of noise.
Steps
- Use Installing Apps to install the app.
- Use Method Hooking to hook the relevant API calls.
- Exercise the app extensively to trigger as many flows as possible and enter sensitive data wherever you can.
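The following Frida script is an added example of the hooking step above; it is not part of the MASTG or this test's own material. It hooks the directory lookups and the FileOutputStream constructor named in the overview, prints a backtrace for each call, and filters on a constructed list of external-storage path prefixes; it assumes the app reaches getExternalFilesDir through a ContextWrapper such as Activity.

```javascript
'use strict';
// Constructed list of path prefixes that Android maps to external (shared) storage.
const EXTERNAL_PREFIXES = ['/sdcard/', '/storage/', '/mnt/sdcard/', '/mnt/media_rw/'];

// True when `path` lives on external storage: the "additional filtering" that keeps
// the noisy catch-all FileOutputStream hook down to the writes this test is about.
function isExternalStoragePath(path) {
  return typeof path === 'string' && EXTERNAL_PREFIXES.some((p) => path.startsWith(p));
}

// One record per observed call; a plain function so it can be tested outside Frida.
function describeWrite(api, path, backtrace) {
  return { api: api, path: path, external: isExternalStoragePath(path), backtrace: backtrace };
}

// The hooks below only install inside Frida, where the `Java` bridge exists.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    const Environment = Java.use('android.os.Environment');
    const ContextWrapper = Java.use('android.content.ContextWrapper');
    const FileOutputStream = Java.use('java.io.FileOutputStream');
    const Log = Java.use('android.util.Log');
    const Exception = Java.use('java.lang.Exception');

    // Java-level backtrace of the calling thread, taken from a throwaway Exception.
    function report(api, file) {
      const path = file === null ? null : file.getAbsolutePath();
      const rec = describeWrite(api, path, Log.getStackTraceString(Exception.$new()));
      if (rec.external) console.log(JSON.stringify(rec, null, 2));
    }
    // Wrap a single-overload, directory-returning method so the location the app asked for is reported.
    function hookDirLookup(klass, method) {
      klass[method].implementation = function () {
        const dir = this[method].apply(this, arguments);
        report(klass.$className + '.' + method, dir);
        return dir;
      };
    }
    hookDirLookup(Environment, 'getExternalStorageDirectory');
    hookDirLookup(Environment, 'getExternalStoragePublicDirectory');
    hookDirLookup(ContextWrapper, 'getExternalFilesDir');
    // Catch-all for writes: every File/String FileOutputStream constructor funnels into (File, boolean).
    FileOutputStream.$init.overload('java.io.File', 'boolean').implementation = function (file, append) {
      report('new FileOutputStream', file);
      return this.$init(file, append);
    };
  });
}
```

Run it with frida -U -f <package> -l script.js and the records printed while exercising the app are the file list and backtraces the observation step asks for.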
Observation
The output should contain a list of files that the app wrote to the external storage during execution and the APIs used to write them, including function names and backtraces.
Evaluation
The test case fails if the files found above are not encrypted and leak sensitive data.
Further Validation Required:
Inspect the content of each reported file to determine whether the data is sensitive:
- Determine whether the file contains sensitive information (e.g., personal data, credentials, or tokens).
- Determine whether the data is stored without encryption.
Use Reviewing Decompiled Java Code to inspect the code locations from the backtraces if you want to determine the exact code paths that lead to the file creation and whether they are security-relevant.