More accurate MSTG-STORAGE-11

[Sparrrgh]

This rule is described in the documentation for MASTG as the enforcement of checks through Device Administration API and by querying Settings.Secure.
The current rule only checks the example in the documentation where an old Android version is used.

My rule does not search for Settings.Secure checks in the code, but it now checks at least for the usage of Device Administration API which is a bit more accurate to the documentation from OWASP.

[gand3lf]

Hi @Sparrrgh,
thank you for the attempt to contribute to this project. The rule you have proposed opens an interesting discussion about the MSTG-STORAGE-11. From the OWASP documentation, it is clear that the rule could be infeasible to implement due to this sentence:
To test the device-access-security policy that the app enforces, a written copy of the policy must be provided.
Clearly, it is not feasible to have "a written copy of the policy", but it is possible to think about a rule with "tentative" categorization.
The rule I have proposed is very general and is a generic policy that sensitive apps should respect. In other words, I thought that all device-access-security policies contain this constrain: Android SDK version >= 23.

What you are proposing is interesting, but it is strictly related to administrator devices. There is not a direct correlation between L2 applications and administrator devices, they are two different categories. For this reason, it is not possible to accept your pull request as is.

However, the idea to include a specific test for administrator devices in this rule is not bad. Here is what I propose::
To implement one distinct rule ("mstg-storage-11.2.yaml") to check both if the app is destined to administrative devices [1] and if specific checks are implemented [2].
(Android Device Admin documentation)
To do this we need a join mode rule that put together these two constraints:
[1] -> The manifest must include the BIND_DEVICE_ADMIN permission and the ACTION_DEVICE_ADMIN_ENABLED intent filter.
[2] -> Verify the XML file specified in the android:resource tag of the device admin receiver should declare some important security policies. For example:

<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
      <limit-password />
      <watch-login />
      <reset-password />
      <force-lock />
      <wipe-data />
      <expire-password />
      <encrypted-storage />
      <disable-camera />
  </uses-policies>
</device-admin>

Please let me know if you would like to implement the aforementioned rule. If so, I will wait about a month before attempting to implement the rule myself.

Thank you for your interest in contributing to this project,
Riccardo