Add MASTG-TEST-0262, MASTG-DEMO-0034 and MASTG-DEMO-0035 using adb backup and semgrep #3217
Pull Request Overview
This pull request adds new demos for backup and restore operations, updates evaluation scripts, and improves documentation on Android backup functionalities.
- Introduces a Python evaluation script to check backup configurations.
- Adds/updates markdown demos and technique documentation for backup, restore, and data inspection.
- Introduces a new YML rule to verify backup-related attributes in AndroidManifest.xml.
Reviewed Changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| demos/android/MASVS-STORAGE/MASTG-DEMO-0034/evaluate.py | Adds a Python evaluation script for verifying Android backup configuration. |
| techniques/android/MASTG-TECH-0126.md | Updates documentation for using ADB backup and backup extraction techniques. |
| demos/android/MASVS-STORAGE/MASTG-DEMO-0033/MASTG-DEMO-0033.md | Updates demo metadata and content to align with new backup evaluation methods. |
| rules/mastg-android-backup-manifest.yml | Adds a new rule to inspect AndroidManifest.xml for backup-related configurations. |
| demos/android/MASVS-STORAGE/MASTG-DEMO-0034/MASTG-DEMO-0034.md | Updates the demo documentation to showcase semgrep-based backup configuration evaluation. |
| techniques/android/MASTG-TECH-0127.md | Adds technique documentation for inspecting the contents of Android backup data. |
| Document/0x05d-Testing-Data-Storage.md | Updates backup documentation to reflect the current Android backup restrictions and usage. |
| tests-beta/android/MASVS-STORAGE/MASTG-TEST-0216.md | Revises test steps to better reflect the new backup and restore workflow. |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…d-android-backup-demos
…d-android-backup-demos
… remove evaluate.py and evaluation.txt
…to MASTG-TEST-0262 for static analysis of backup exclusions
Pull Request Overview
The PR introduces new demos, tests, techniques, and documentation updates focused on Android app backup verification using adb backup and semgrep. Key changes include:
- Addition of two new demo files (MASTG-DEMO-0034 and MASTG-DEMO-0035) demonstrating backup verification approaches.
- New and updated test files to validate backup configurations and file exclusions.
- Updates to documentation and techniques, along with a new semgrep rule for inspecting AndroidManifest.xml backup-related attributes.
Reviewed Changes
Copilot reviewed 9 out of 15 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tests-beta/android/MASVS-STORAGE/MASTG-TEST-0262.md | Introduces a new test verifying exclusion of sensitive data from backups. |
| demos/android/MASVS-STORAGE/MASTG-DEMO-0035/MASTG-DEMO-0035.md | Adds a demo using adb backup to demonstrate backup file evaluation. |
| techniques/android/MASTG-TECH-0128.md | Provides instructions on performing a backup and restore using ADB and Backup Manager. |
| rules/mastg-android-backup-manifest.yml | Introduces a semgrep rule to inspect AndroidManifest.xml for backup-related configurations. |
| techniques/android/MASTG-TECH-0127.md | Details the process to inspect backup data post restoration. |
| demos/android/MASVS-STORAGE/MASTG-DEMO-0034/MASTG-DEMO-0034.md | Adds a demo showcasing semgrep analysis of backup configurations in AndroidManifest.xml. |
| Document/0x05d-Testing-Data-Storage.md | Updates documentation with details on Android backups and related restrictions. |
| tests-beta/android/MASVS-STORAGE/MASTG-TEST-0216.md | Revises an existing test to better verify backup restoration behavior. |
Files not reviewed (6)
- demos/android/MASVS-STORAGE/MASTG-DEMO-0034/output.txt: Language not supported
- demos/android/MASVS-STORAGE/MASTG-DEMO-0034/run.sh: Language not supported
- demos/android/MASVS-STORAGE/MASTG-DEMO-0035/apps/org.owasp.mastestapp/f/secret.txt: Language not supported
- demos/android/MASVS-STORAGE/MASTG-DEMO-0035/output.txt: Language not supported
- demos/android/MASVS-STORAGE/MASTG-DEMO-0035/run.sh: Language not supported
- utils/mastg-android-backup-adb.sh: Language not supported
… enhance output formatting
…d-android-backup-demos
serek8
left a comment
Thanks for splitting the tests into dynamic and static, and adding the demo. I just have minor remarks about the titles but the content is great
```yaml
weakness: MASWE-0004
best-practices: [MASTG-BEST-0004]
---
```
Since it's solely a dynamic test now, shouldn't we start this title with "Runtime use ..."? Not sure if we can find a good title with this prefix, but how about "Runtime Testing for Presence of Sensitive Files in Backups"?
Good point, and I thought about it. However, I began to see a pattern of tests that did not fit our very well-intentioned naming rule.
This is another dynamic test where it would be weird to start it with "Runtime ...". I propose we keep it consistent for the typical static (semgrep/r2) and dynamic (frida) and let's see how this other kind evolves and if we come up with a good convention.
This PR adds MASTG-DEMO-0034 and MASTG-DEMO-0035 related to Android app backups.
Documentation Updates
- Document/0x05d-Testing-Data-Storage.md: Updated the information on Android backups to include restrictions introduced in Android 12 and provided relevant links.
New Tests
- tests-beta/android/MASVS-STORAGE/MASTG-TEST-0262.md: Created a new test verifying exclusion of sensitive data from backups.
New Demos
- demos/android/MASVS-STORAGE/MASTG-DEMO-0034/MASTG-DEMO-0034.md: Created a new demo using semgrep to analyze the AndroidManifest.xml for backup-related attributes and evaluate the results.
- demos/android/MASVS-STORAGE/MASTG-DEMO-0033/MASTG-DEMO-0035.md: Added a detailed demo with steps to back up and restore app data using adb backup, including the evaluation of backup content.
New Techniques
- techniques/android/MASTG-TECH-0126.md: Added a new technique for performing backups and restores using ADB and Backup Manager.
- techniques/android/MASTG-TECH-0127.md: Added a new technique for inspecting an app's backup data.