
More accurate MSTG-STORAGE-11 #18

Open
wants to merge 4 commits into base: development

Conversation

Sparrrgh

This rule is described in the documentation for MASTG as the enforcement of checks through Device Administration API and by querying Settings.Secure.
The current rule only checks the example in the documentation where an old Android version is used.

My rule does not search for Settings.Secure checks in the code, but it now checks at least for the usage of Device Administration API which is a bit more accurate to the documentation from OWASP.

@gand3lf
Collaborator

gand3lf commented May 31, 2024

Hi @Sparrrgh,
thank you for the attempt to contribute to this project. The rule you have proposed opens an interesting discussion about the MSTG-STORAGE-11. From the OWASP documentation, it is clear that the rule could be infeasible to implement due to this sentence:
To test the device-access-security policy that the app enforces, a written copy of the policy must be provided.
Clearly, it is not feasible to have "a written copy of the policy", but it is possible to think about a rule with "tentative" categorization.
The rule I have proposed is very general and is a generic policy that sensitive apps should respect. In other words, I thought that all device-access-security policies contain this constraint: Android SDK version >= 23.

What you are proposing is interesting, but it is strictly related to administrator devices. There is not a direct correlation between L2 applications and administrator devices; they are two different categories. For this reason, it is not possible to accept your pull request as is.

However, the idea to include a specific test for administrator devices in this rule is not bad. Here is what I propose:
To implement one distinct rule ("mstg-storage-11.2.yaml") to check both if the app is destined to administrative devices [1] and if specific checks are implemented [2].
(Android Device Admin documentation)
To do this we need a join mode rule that puts together these two constraints:
[1] -> The manifest must include the BIND_DEVICE_ADMIN permission and the ACTION_DEVICE_ADMIN_ENABLED intent filter.
[2] -> Verify that the XML file specified in the android:resource tag of the device admin receiver declares some important security policies. For example:

<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
      <limit-password />
      <watch-login />
      <reset-password />
      <force-lock />
      <wipe-data />
      <expire-password />
      <encrypted-storage />
      <disable-camera />
  </uses-policies>
</device-admin>

Please let me know if you would like to implement the aforementioned rule. If so, I will wait about a month before attempting to implement the rule myself.

Thank you for your interest in contributing to this project,
Riccardo
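The two constraints in the proposal above, joined as a stand-alone check. This is an added example, not code from this pull request or from the project's rule set, and it is a plain-Python checker rather than a join-mode rule. It assumes constraint [1] is satisfied when a `<receiver>` carries `android:permission="android.permission.BIND_DEVICE_ADMIN"`, has an intent filter for `android.app.action.DEVICE_ADMIN_ENABLED`, and points at its policy resource through an `android.app.device_admin` meta-data entry; the manifest and resource inputs are constructed samples. The policy set it expects is the one listed in the example XML above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
ACTION_DEVICE_ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"
DEVICE_ADMIN_META = "android.app.device_admin"

# Policies the proposal lists as the ones a device-admin resource should declare.
EXPECTED_POLICIES = {
    "limit-password", "watch-login", "reset-password", "force-lock",
    "wipe-data", "expire-password", "encrypted-storage", "disable-camera",
}


def _android(attr):
    """Qualified attribute name in the android: namespace, as ElementTree reports it."""
    return "{%s}%s" % (ANDROID_NS, attr)


def find_device_admin_resources(manifest_xml):
    """Constraint [1]: resource references (e.g. '@xml/device_admin') of every receiver
    protected by BIND_DEVICE_ADMIN that listens for ACTION_DEVICE_ADMIN_ENABLED."""
    root = ET.fromstring(manifest_xml)
    refs = []
    for receiver in root.iter("receiver"):
        if receiver.get(_android("permission")) != BIND_DEVICE_ADMIN:
            continue
        actions = {
            action.get(_android("name"))
            for flt in receiver.findall("intent-filter")
            for action in flt.findall("action")
        }
        if ACTION_DEVICE_ADMIN_ENABLED not in actions:
            continue
        for meta in receiver.findall("meta-data"):
            resource = meta.get(_android("resource"))
            if meta.get(_android("name")) == DEVICE_ADMIN_META and resource:
                refs.append(resource)
    return refs


def declared_policies(device_admin_xml):
    """Constraint [2]: the set of <uses-policies> children in a device-admin resource."""
    root = ET.fromstring(device_admin_xml)
    if root.tag != "device-admin":
        return set()
    policies = root.find("uses-policies")
    return set() if policies is None else {child.tag for child in policies}


def evaluate(manifest_xml, xml_resources):
    """Join [1] and [2]. Returns (is_device_admin_app, {resource_ref: sorted missing policies}).
    xml_resources maps '@xml/<name>' references to the text of that resource file."""
    refs = find_device_admin_resources(manifest_xml)
    findings = {}
    for ref in refs:
        text = xml_resources.get(ref)
        present = declared_policies(text) if text else set()
        findings[ref] = sorted(EXPECTED_POLICIES - present)
    return bool(refs), findings


# Constructed sample inputs (not taken from any real app).
ADMIN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.adminapp">
  <application>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
          android:resource="@xml/device_admin" />
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# A device-admin resource that declares only two of the expected policies.
WEAK_DEVICE_ADMIN_XML = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <force-lock />
    <wipe-data />
  </uses-policies>
</device-admin>"""

# An ordinary app with no device-admin receiver: the rule should not fire at all.
PLAIN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainapp">
  <application>
    <activity android:name=".MainActivity" />
  </application>
</manifest>"""

if __name__ == "__main__":
    print(evaluate(ADMIN_MANIFEST, {"@xml/device_admin": WEAK_DEVICE_ADMIN_XML}))
    print(evaluate(PLAIN_MANIFEST, {}))
```

The join matters: an app that is not a device administrator yields `(False, {})` and produces no finding, while the admin app above is flagged with the six policies its resource leaves undeclared. A rule built this way only reports the missing-policy condition for apps that actually satisfy [1], which is the separation between L2 applications and administrator devices the comment draws.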

2 participants