Merge pull request #1410 from OWASP/style-guide-enhancements
Style guide enhancements
commjoen committed Aug 19, 2019
2 parents 81ce31a + f5621cf commit da4514f
Showing 12 changed files with 51 additions and 32 deletions.
2 changes: 1 addition & 1 deletion Document/0x04c-Tampering-and-Reverse-Engineering.md
@@ -109,7 +109,7 @@ Reverse engineering is the process of reconstructing the semantics of a compiled

#### Using Disassemblers and Decompilers

Disassemblers and decompilers allow you to translate an app's binary code or bytecode back into a more or less understandable format. By using these tools on native binaries, you can obtain assembler code that matches the architecture the app was compiled for. Android Java apps can be disassembled to smali, which is an assembly language for the dex format used by Dalvik, Android's Java VM. smali assembly is also quite easily decompiled back to Java code.
Disassemblers and decompilers allow you to translate an app's binary code or bytecode back into a more or less understandable format. By using these tools on native binaries, you can obtain assembler code that matches the architecture the app was compiled for. Android Java apps can be disassembled to smali, which is an assembly language for the DEX format used by Dalvik, Android's Java VM. smali assembly is also quite easily decompiled back to Java code.

A wide range of tools and frameworks is available: expensive but convenient GUI tools, open source disassembling engines, reverse engineering frameworks, etc. Advanced usage instructions for any of these tools often easily fill a book of their own. The best way to get started is to simply pick a tool that fits your needs and budget and buy a well-reviewed user guide. We'll list some of the most popular tools in the OS-specific "Reverse Engineering and Tampering" chapters.

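Review bot: the changed line still opens a sentence with lowercase "smali" ("smali assembly is also quite easily decompiled back to Java code"), which now reads as a typo next to the newly capitalized "DEX". Since the tool name is lowercase by convention, reword so it is not sentence-initial, e.g. "The resulting smali assembly is also quite easily decompiled back to Java code."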
2 changes: 1 addition & 1 deletion Document/0x05a-Platform-Overview.md
@@ -563,7 +563,7 @@ Apps can be installed on an Android device from a variety of sources: locally vi

Whereas other vendors may review and approve apps before they are actually published, Google will simply scan for known malware signatures; this minimizes the time between the beginning of the publishing process and public app availability.

Publishing an app is quite straightforward; the main operation is making the signed .apk file downloadable. On Google Play, publishing starts with account creation and is followed by app delivery through a dedicated interface. Details are available at [the official Android documentation](https://developer.android.com/distribute/googleplay/start.html "Review the checklists to plan your launch").
Publishing an app is quite straightforward; the main operation is making the signed APK file downloadable. On Google Play, publishing starts with account creation and is followed by app delivery through a dedicated interface. Details are available at [the official Android documentation](https://developer.android.com/distribute/googleplay/start.html "Review the checklists to plan your launch").

### Android Application Attack surface

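Review bot: the context heading "### Android Application Attack surface" has inconsistent title case ("surface" lowercase) while this PR is normalising naming in the same file; suggest "### Android Application Attack Surface" in the same change. The ".apk file" to "APK file" wording itself is fine and matches the other chapters.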
8 changes: 4 additions & 4 deletions Document/0x05b-Basic-Security_Testing.md
@@ -312,7 +312,7 @@ You can also use apktool to repackage decoded resources back to binary APK/JAR.

##### Apkx

`Apkx` is a Python wrapper to popular free dex converters and Java decompilers. It automates the extraction, conversion, and decompilation of APKs. Install it as follows:
`Apkx` is a Python wrapper to popular free DEX converters and Java decompilers. It automates the extraction, conversion, and decompilation of APKs. Install it as follows:

```shell
$ git clone https://github.com/b-mueller/apkx
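Review bot: the capitalised "Apkx" in the heading and in the backticked `Apkx` does not match the command and repository name shown in the clone line (`b-mueller/apkx`); since the PR is normalising names, use `apkx` in both places. Also, "a Python wrapper to popular free DEX converters" reads better as "a Python wrapper around popular free DEX converters".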
@@ -1677,7 +1677,7 @@ FCM can use either XMPP or HTTP to communicate with the Google backend.
FCM uses the ports 5228, 5229, and 5230 for HTTP communication. Usually, only port 5228 is used.
- Configure local port forwarding for the ports used by FCM. The following example applies to Mac OS X:
- Configure local port forwarding for the ports used by FCM. The following example applies to macOS:
```shell
$ echo "
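Review bot: the fenced block ("```shell") directly follows the list item with no blank line and no indentation, so Markdown renders the code outside the bullet rather than as part of the step; indent the fence under the item or separate it with a blank line. The "Mac OS X" to "macOS" rename is correct; the unchanged line "FCM uses the ports 5228, 5229, and 5230" could also drop "the".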
@@ -1693,7 +1693,7 @@ rdr pass inet proto tcp from any to any port 5230 -> 127.0.0.1 port 8080
For XMPP communication, [FCM uses ports](https://firebase.google.com/docs/cloud-messaging/xmpp-server-ref "Firebase via XMPP") 5235 (Production) and 5236 (Testing).
- Configure local port forwarding for the ports used by FCM. The following example applies to Mac OS X:
- Configure local port forwarding for the ports used by FCM. The following example applies to macOS:
```shell
$ echo "
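Review bot: this bullet and its fence repeat the previous hunk word for word (only the port rules differ); consider merging into a single "Configure local port forwarding" step that lists both the HTTP and XMPP ports, or pointing back to the earlier instructions, instead of maintaining two copies that each need the macOS fix. The same fence-after-list-item layout point applies here.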
@@ -2056,7 +2056,7 @@ For information on disabling SSL Pinning both statically and dynamically, refer
- AssetManager - <https://developer.android.com/reference/android/content/res/AssetManager>
- SharedPreferences APIs - <https://developer.android.com/training/basics/data-storage/shared-preferences.html>
- Debugging with Logcat - <https://developer.android.com/tools/debugging/debugging-log.html>
- Android's .apk format - <https://en.wikipedia.org/wiki/Android_application_package>
- Android's APK format - <https://en.wikipedia.org/wiki/Android_application_package>
- Android remote sniffing using Tcpdump, nc and Wireshark - <https://blog.dornea.nu/2015/02/20/android-remote-sniffing-using-tcpdump-nc-and-wireshark/>
- Wireless Client Isolation - <https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Wireless_Client_Isolation>
2 changes: 1 addition & 1 deletion Document/0x05c-Reverse-Engineering-and-Tampering.md
@@ -283,7 +283,7 @@ If you own an IDA Pro license, open the file and once in the "Load new file" dia

For white-box source code testing, you'll need a setup similar to the developer's setup, including a test environment that includes the Android SDK and an IDE. Access to either a physical device or an emulator (for debugging the app) is recommended.

During **black-box testing**, you won't have access to the original form of the source code. You'll usually have the application package in [Android's .apk format](https://en.wikipedia.org/wiki/Android_application_package "Android application package"), which can be installed on an Android device or reverse engineered as explained in the section "Disassembling and Decompiling".
During **black-box testing**, you won't have access to the original form of the source code. You'll usually have the application package in [Android's APK format](https://en.wikipedia.org/wiki/Android_application_package "Android application package"), which can be installed on an Android device or reverse engineered as explained in the section "Disassembling and Decompiling".

#### Manual (Reversed) Code Review

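Review bot: emphasis is inconsistent between the two testing modes in this pair of paragraphs: "**black-box testing**" is bold while "white-box source code testing" two lines above is plain; either bold both or neither. The "APK format" link text change itself is fine and matches the entry in the reference list of 0x05b.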
6 changes: 3 additions & 3 deletions Document/0x05i-Testing-Code-Quality-and-Build-Settings.md
@@ -327,7 +327,7 @@ When a library is found to contain vulnerabilities, then the following reasoning
- Is the library packaged with the application? Then check whether the library has a version in which the vulnerability is patched. If not, check whether the vulnerability actually affects the application. If that is the case or might be the case in the future, then look for an alternative which provides similar functionality, but without the vulnerabilities.
- Is the library not packaged with the application? See if there is a patched version in which the vulnerability is fixed. If this is not the case, check if the implications of the vulnerability for the build-process. Could the vulnerability impede a build or weaken the security of the build-pipeline? Then try looking for an alternative in which the vulnerability is fixed.
When the sources are not available, one can decompile the app and check the jar files. When Dexguard or Proguard are applied properly, then version information about the library is often obfuscated and therefore gone. Otherwise you can still find the information very often in the comments of the Java files of given libraries. Tools such as MobSF can help in analyzing the possible libraries packed with the application. If you can retrieve the version of the library, either via comments, or via specific methods used in certain versions, you can look them up for CVEs by hand.
When the sources are not available, one can decompile the app and check the JAR files. When Dexguard or Proguard are applied properly, then version information about the library is often obfuscated and therefore gone. Otherwise you can still find the information very often in the comments of the Java files of given libraries. Tools such as MobSF can help in analyzing the possible libraries packed with the application. If you can retrieve the version of the library, either via comments, or via specific methods used in certain versions, you can look them up for CVEs by hand.
##### Detecting the licenses used by the libraries of the application
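Review bot: "Dexguard or Proguard" in the changed line should be "DexGuard or ProGuard" (the vendors' spelling), which is in scope for a naming clean-up; and the unchanged bullet just above has a grammar slip: "check if the implications of the vulnerability for the build-process" should read "check the implications of the vulnerability for the build process".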
@@ -358,7 +358,7 @@ When a library contains a license in which the application IP needs to be open-s
Note: In case of a hybrid app, please check the build tools used: most of them do have a license enumeration plugin to find the licenses being used.
When the sources are not available, one can decompile the app and check the jar files. When Dexguard or Proguard are applied properly, then version information about the library is often gone. Otherwise you can still find it very often in the comments of the Java files of given libraries. Tools such as MobSF can help in analyzing the possible libraries packed with the application. If you can retrieve the version of the library, either via comments, or via specific methods used in certain versions, you can look them up for their licenses being used by hand.
When the sources are not available, one can decompile the app and check the JAR files. When Dexguard or Proguard are applied properly, then version information about the library is often gone. Otherwise you can still find it very often in the comments of the Java files of given libraries. Tools such as MobSF can help in analyzing the possible libraries packed with the application. If you can retrieve the version of the library, either via comments, or via specific methods used in certain versions, you can look them up for their licenses being used by hand.
#### Dynamic Analysis
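Review bot: this paragraph is a near-duplicate of the one changed in the previous hunk (same decompile/JAR/DexGuard/MobSF text with "licenses" swapped for "CVEs"); rather than editing both copies in parallel, keep one and cross-reference it from the other. The "DexGuard"/"ProGuard" spelling point applies here too, and "look them up for their licenses being used by hand" reads better as "look up their licenses by hand".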
@@ -515,7 +515,7 @@ proguard-rules.pro
#### Dynamic Analysis
If source code has not been provided, an APK can be decompiled to determine whether the codebase has been obfuscated. Several tools are available for converting dex code to a jar file (e.g., dex2jar). The jar file can be opened with tools (such as JD-GUI) that can be used to make sure that class, method, and variable names are not human-readable.
If source code has not been provided, an APK can be decompiled to determine whether the codebase has been obfuscated. Several tools are available for converting DEX code to a JAR file (e.g., dex2jar). The JAR file can be opened with tools (such as JD-GUI) that can be used to make sure that class, method, and variable names are not human-readable.
Sample obfuscated code block:
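Review bot: the text under "#### Dynamic Analysis" describes decompiling the APK with dex2jar and inspecting the JAR in JD-GUI, which is static analysis of the build artefact; either move it under Static Analysis or rename the heading, since the DEX/JAR normalisation leaves that mismatch in place.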
4 changes: 2 additions & 2 deletions Document/0x06b-Basic-Security-Testing.md
@@ -143,7 +143,7 @@ After adding all the suggested repositories above you can install the following
- IPA Installer Console: Tool for installing IPA application packages from the command line. After installing two commands will be available `installipa` and `ipainstaller` which are both the same.
- Frida: An app you can use for dynamic instrumentation. Please note that Frida has changed its implementation of its APIs over time, which means that some scripts might only work with specific versions of the Frida-server (which forces you to update/downgrade the version also on macOS). Running Frida Server installed via APT or Cydia is recommended. Upgrading/downgrading afterwards can be done, by following the instructions of [this Github issue](https://github.com/AloneMonkey/frida-ios-dump/issues/65#issuecomment-490790602 "Resolving Frida version").
- Grep: Handy tool to filter lines.
- Gzip: A well known zip utility.
- Gzip: A well known ZIP utility.
- Needle-Agent: This agent is part of the Needle framework and need to be installed on the iOS device.
- Open for iOS 11: Tool required to make Needle Agent function.
- PreferenceLoader: A Substrate-based utility that allows developers to add entries to the Settings application, similar to the SettingsBundles that App Store apps use.
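Review bot: "Gzip: A well known ZIP utility" becomes inaccurate with this change: gzip produces single-file .gz streams, it is not a ZIP archiver, so capitalising "zip" into the format name turns a loose description into a wrong one; suggest "gzip: a well-known compression utility". While the list is open, the IPA Installer bullet needs a comma ("After installing, two commands will be available") and the Needle-Agent bullet should read "needs to be installed".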
@@ -852,7 +852,7 @@ You can also directly open passionfruit and after selecting your iOS device you'

Once you have collected the package name of the application you want to target, you'll want to start gathering information about it. First, retrieve the IPA as explained in "Basic Testing Operations - Obtaining and Extracting Apps".
You can unzip the IPA using the standard `unzip` or any other zip utility. Inside you'll find a `Payload` folder contaning the so-called Application Bundle (.app). The following is an example in the following output, note that it was truncated for better readability and overview:
You can unzip the IPA using the standard `unzip` or any other ZIP utility. Inside you'll find a `Payload` folder contaning the so-called Application Bundle (.app). The following is an example in the following output, note that it was truncated for better readability and overview:

```shell
$ ls -1 Payload/iGoat-Swift.app
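Review bot: the changed line carries over the typo "contaning" (should be "containing"), and "The following is an example in the following output, note that it was truncated for better readability and overview" doubles "following"; suggest "The following output is an example, truncated for readability:". Worth fixing while the line is being touched.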
2 changes: 1 addition & 1 deletion Document/0x06c-Reverse-Engineering-and-Tampering.md
@@ -315,7 +315,7 @@ Next, navigate to a new website in Safari. You should see traced function calls
#### Patching, Repackaging, and Re-Signing
Time to get serious! As you already know, IPA files are actually ZIP archives, so you can use any zip tool to unpack the archive.
Time to get serious! As you already know, IPA files are actually ZIP archives, so you can use any ZIP tool to unpack the archive.
```shell
$ unzip UnCrackable_Level1.ipa
2 changes: 1 addition & 1 deletion Document/0x06d-Testing-Data-Storage.md
@@ -275,7 +275,7 @@ You can analyze the app's data directory on a non-jailbroken iOS device by using
2. Connect the iOS device to your workstation and launch iMazing.
3. Select "Apps", right-click the desired iOS application, and select "Extract App".
4. Navigate to the output directory and locate $APP_NAME.imazing. Rename it `$APP_NAME.zip`.
5. Unpack the zip file. You can then analyze the application data.
5. Unpack the ZIP file. You can then analyze the application data.

> Note that tools like iMazing don't copy data directly from the device. They try to extract data from the backups they create. Therefore, getting all the app data that's stored on the iOS device is impossible: not all folders are included in backups. Use a jailbroken device or repackage the app with Frida and use a tool like objection to access all the data and files.
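Review bot: step 4 writes `$APP_NAME.imazing` without code formatting but `$APP_NAME.zip` with it; format both file names as code for consistency. The "ZIP file" change in step 5 is correct since the file was renamed to .zip in step 4.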
2 changes: 1 addition & 1 deletion Document/0x06f-Testing-Local-Authentication.md
@@ -228,7 +228,7 @@ If vulnerable, the module will automatically bypass the login form.

### Note regarding temporariness of keys in the Keychain

Unlike MacOSX and Android, iOS currently (at iOS 12) does not support temporariness of an entry's accessibility in the Keychain: when there is no additional security check when entering the Keychain (E.g. `kSecAccessControlUserPresence` or similar is set), then once the device is unlocked, a key will be accessible.
Unlike macOS and Android, iOS currently (at iOS 12) does not support temporariness of an entry's accessibility in the Keychain: when there is no additional security check when entering the Keychain (e.g. `kSecAccessControlUserPresence` or similar is set), then once the device is unlocked, a key will be accessible.

### References

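Review bot: the parenthetical in the changed line inverts the condition: "when there is no additional security check when entering the Keychain (e.g. `kSecAccessControlUserPresence` or similar is set)" reads as if setting `kSecAccessControlUserPresence` is the no-check case, whereas it is the additional check; suggest "(i.e. unless `kSecAccessControlUserPresence` or a similar access-control flag is set)". "temporariness of an entry's accessibility" also reads awkwardly; "time-limited accessibility of an entry" would be clearer.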
2 changes: 1 addition & 1 deletion Document/0x06i-Testing-Code-Quality-and-Build-Settings.md
@@ -8,7 +8,7 @@ Code signing your app assures users that the app has a known source and hasn't b

You can retrieve the signing certificate information from the application's .app file with [codesign](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html "Code Signing Tasks"). Codesign is used to create, check, and display code signatures, as well as inquire into the dynamic status of signed code in the system.

After you get the application's .ipa file, re-save it as a ZIP file and decompress the ZIP file. Navigate to the Payload directory, where the application's .app file will be.
After you get the application's IPA file, re-save it as a ZIP file and decompress the ZIP file. Navigate to the Payload directory, where the application's .app file will be.

Execute the following `codesign` command to display the signing information:

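Review bot: the rename is applied unevenly within one line: ".ipa file" becomes "IPA file" while ".app file" stays dotted in the same sentence and in the one before it; pick one convention, and if ".app" is kept because it is the literal bundle extension, record that rule in the style guide. Also, "re-save it as a ZIP file" suggests a conversion; the iOS reverse-engineering chapter in this same PR states that IPA files are ZIP archives, so "rename it to .zip" (or simply unzip it directly) is more accurate.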
10 changes: 5 additions & 5 deletions Document/0x08-Testing-Tools.md
@@ -50,12 +50,12 @@ To perform security testing different tools are available in order to be able to
- ByteCodeViewer: Java 8 Jar and Android APK Reverse Engineering Suite (e.g. Decompiler, Editor and Debugger) - <https://bytecodeviewer.com/>
- ClassNameDeobfuscator: Simple script to parse through the .smali files produced by apktool and extract the .source annotation lines - <https://github.com/HamiltonianCycle/ClassNameDeobfuscator>
- FindSecurityBugs: FindSecurityBugs is a extension for SpotBugs which includes security rules for Java applications - <https://find-sec-bugs.github.io>
- Jadx (Dex to Java Decompiler): Command line and GUI tools for producing Java source code from Android Dex and Apk files - <https://github.com/skylot/jadx>
- Jadx (Dex to Java Decompiler): Command line and GUI tools for producing Java source code from Android DEX and APK files - <https://github.com/skylot/jadx>
- Oat2dex: A tool for converting .oat file to .dex files - <https://github.com/testwhat/SmaliEx>
- Qark: A tool designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs - <https://github.com/linkedin/qark>
- Sign: A Java JAR executable (Sign.jar) which automatically signs an apk with the Android test certificate - <https://github.com/appium/sign>
- Simplify: A tool for de-obfuscating android package into Classes.dex which can be use Dex2jar and JD-GUI to extract contents of dex file - <https://github.com/CalebFenton/simplify>
- SUPER: A command-line application that can be used in Windows, macOS and Linux, that analyzes .apk files in search for vulnerabilities - <https://github.com/SUPERAndroidAnalyzer/super>
- Sign: A Java JAR executable (Sign.jar) which automatically signs an APK with the Android test certificate - <https://github.com/appium/sign>
- Simplify: A tool for de-obfuscating android package into Classes.dex which can be use Dex2jar and JD-GUI to extract contents of DEX file - <https://github.com/CalebFenton/simplify>
- SUPER: A command-line application that can be used in Windows, macOS and Linux, that analyzes APK files in search for vulnerabilities - <https://github.com/SUPERAndroidAnalyzer/super>
- SpotBugs: Static analysis tool for Java - <https://spotbugs.github.io/>

#### Dynamic and Runtime Analysis
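Review bot: several entries in this list are still inconsistent after the change: "Jadx (Dex to Java Decompiler)" keeps "Dex" in the same line that now says "DEX"; "Oat2dex: converting .oat file to .dex files" keeps the dotted form; the Simplify entry has lowercase "android", "Classes.dex" (the file is `classes.dex`) and a grammar error in "which can be use Dex2jar and JD-GUI" (suggest "which can then be processed with dex2jar and JD-GUI to extract the contents of the DEX file"); and "FindSecurityBugs is a extension" should be "an extension".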
@@ -91,7 +91,7 @@ Once you are able to SSH into your jailbroken iPhone you can use an FTP client l
#### Reverse Engineering and Static Analysis

- class-dump: A command-line utility for examining the Objective-C runtime information stored in Mach-O files - <http://stevenygard.com/projects/class-dump/>
- Clutch: Decrypt the application and dump specified bundleID into binary or .ipa file - <https://github.com/KJCracks/Clutch>
- Clutch: Decrypt the application and dump specified bundleID into binary or IPA file - <https://github.com/KJCracks/Clutch>
- Dumpdecrypted: Dumps decrypted mach-o files from encrypted iPhone applications from memory to disk - <https://github.com/stefanesser/dumpdecrypted>
- hopperscripts: Collection of scripts that can be used to demangle Swift function names in HopperApp - <https://github.com/Januzellij/hopperscripts>
- otool: A tool that displays specified parts of object files or libraries - <https://www.unix.com/man-page/osx/1/otool/>
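Review bot: the "IPA file" change is fine, but the adjacent Dumpdecrypted entry writes "mach-o files" while the class-dump entry two lines up writes "Mach-O files"; normalise to "Mach-O" in the same pass.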

0 comments on commit da4514f