Port MASTG-TEST-0005: Determining Whether Sensitive Data Is Shared with Third Parties via Notifications (android)

demos/android/MASVS-PRIVACY/MASTG-DEMO-0065/AndroidManifest.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:tools="http://schemas.android.com/tools">
+
+    <uses-permission android:name="android.permission.INTERNET" />
+
+    <uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
+
+    <application
+        android:allowBackup="true"
+        android:dataExtractionRules="@xml/data_extraction_rules"
+        android:fullBackupContent="@xml/backup_rules"
+        android:icon="@mipmap/ic_launcher"
+        android:label="@string/app_name"
+        android:roundIcon="@mipmap/ic_launcher_round"
+        android:supportsRtl="true"
+        android:theme="@style/Theme.MASTestApp"
+        tools:targetApi="31">
+        <activity
+            android:name=".MainActivity"
+            android:exported="true"
+            android:windowSoftInputMode="adjustResize"
+            android:theme="@style/Theme.MASTestApp">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+    </application>
+
+</manifest>

demos/android/MASVS-PRIVACY/MASTG-DEMO-0065/AndroidManifest_reversed.xml

@@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    android:versionCode="1"
+    android:versionName="1.0"
+    android:compileSdkVersion="35"
+    android:compileSdkVersionCodename="15"
+    package="org.owasp.mastestapp"
+    platformBuildVersionCode="35"
+    platformBuildVersionName="15">
+    <uses-sdk
+        android:minSdkVersion="29"
+        android:targetSdkVersion="35"/>
+    <uses-permission android:name="android.permission.INTERNET"/>
+    <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
+    <permission
+        android:name="org.owasp.mastestapp.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION"
+        android:protectionLevel="signature"/>
+    <uses-permission android:name="org.owasp.mastestapp.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION"/>
+    <application
+        android:theme="@style/Theme.MASTestApp"
+        android:label="@string/app_name"
+        android:icon="@mipmap/ic_launcher"
+        android:debuggable="true"
+        android:testOnly="true"
+        android:allowBackup="true"
+        android:supportsRtl="true"
+        android:extractNativeLibs="false"
+        android:fullBackupContent="@xml/backup_rules"
+        android:roundIcon="@mipmap/ic_launcher_round"
+        android:appComponentFactory="androidx.core.app.CoreComponentFactory"
+        android:dataExtractionRules="@xml/data_extraction_rules">
+        <activity
+            android:theme="@style/Theme.MASTestApp"
+            android:name="org.owasp.mastestapp.MainActivity"
+            android:exported="true"
+            android:windowSoftInputMode="adjustResize">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN"/>
+                <category android:name="android.intent.category.LAUNCHER"/>
+            </intent-filter>
+        </activity>
+        <activity
+            android:name="androidx.compose.ui.tooling.PreviewActivity"
+            android:exported="true"/>
+        <activity
+            android:name="androidx.activity.ComponentActivity"
+            android:exported="true"/>
+        <provider
+            android:name="androidx.startup.InitializationProvider"
+            android:exported="false"
+            android:authorities="org.owasp.mastestapp.androidx-startup">
+            <meta-data
+                android:name="androidx.emoji2.text.EmojiCompatInitializer"
+                android:value="androidx.startup"/>
+            <meta-data
+                android:name="androidx.lifecycle.ProcessLifecycleInitializer"
+                android:value="androidx.startup"/>
+            <meta-data
+                android:name="androidx.profileinstaller.ProfileInstallerInitializer"
+                android:value="androidx.startup"/>
+        </provider>
+        <receiver
+            android:name="androidx.profileinstaller.ProfileInstallReceiver"
+            android:permission="android.permission.DUMP"
+            android:enabled="true"
+            android:exported="true"
+            android:directBootAware="false">
+            <intent-filter>
+                <action android:name="androidx.profileinstaller.action.INSTALL_PROFILE"/>
+            </intent-filter>
+            <intent-filter>
+                <action android:name="androidx.profileinstaller.action.SKIP_FILE"/>
+            </intent-filter>
+            <intent-filter>
+                <action android:name="androidx.profileinstaller.action.SAVE_PROFILE"/>
+            </intent-filter>
+            <intent-filter>
+                <action android:name="androidx.profileinstaller.action.BENCHMARK_OPERATION"/>
+            </intent-filter>
+        </receiver>
+    </application>
+</manifest>

demos/android/MASVS-PRIVACY/MASTG-DEMO-0065/MASTG-DEMO-0065.md

@@ -0,0 +1,41 @@
+---
+platform: android
+title: App Leaking Sensitive Data via Notifications
+id: MASTG-DEMO-0065
+code: [kotlin]
+test: MASTG-TEST-0296
+tools: [MASTG-TOOL-0110]
+---
+
+### Sample
+
+The following sample code contains:
+
+- the Kotlin code that creates a notification with the `NotificationManager` class and exposes sensitive data.
+- the AndroidManifest.xml that declares the runtime permission `POST_NOTIFICATIONS` permission that allows the app to post notifications (Android API 33 and higher).
+
+Note: To execute the test on a device, we must ensure that the app has the `POST_NOTIFICATIONS` permission granted. This can be done either via the @MASTG-TOOL-0004 command, such as `adb shell pm grant org.owasp.mastestapp android.permission.POST_NOTIFICATIONS` or by navigating to the app settings on the device and manually enabling the permission.
+
+{{ MastgTest.kt # AndroidManifest.xml }}
+
+### Steps
+
+Let's run our @MASTG-TOOL-0110 rule against the reversed Java code.
+
+{{ ../../../../rules/mastg-android-sensitive-data-in-notifications.yml }}
+
+And another one against the sample manifest file.
+
+{{ ../../../../rules/mastg-android-sensitive-data-in-notifications-manifest.yml }}
+
+{{ run.sh }}
+
+### Observation
+
+The rule detected two instances in the code where the `setContentTitle` API is used to set the notification title, and 2 cases where the `setContentText` API is used to set the notification text. It also identified the location in the manifest file where the POST_NOTIFICATIONS permission is declared.
+
+{{ output.txt # output2.txt }}
+
+### Evaluation
+
+After reviewing the decompiled code at the location specified in the output (file and line number), we can conclude that the test fails because the file written by this instance contains sensitive data, specifically a first and a last name (PII).

demos/android/MASVS-PRIVACY/MASTG-DEMO-0065/MastgTest.kt

@@ -0,0 +1,61 @@
+package org.owasp.mastestapp
+
+//noinspection SuspiciousImport
+import android.R
+import android.app.Notification
+import android.app.NotificationChannel
+import android.app.NotificationManager
+import android.content.Context
+import androidx.core.app.NotificationCompat
+
+class MastgTest(private val context: Context) {
+
+    val notificationManager =
+        (context.getSystemService(Context.NOTIFICATION_SERVICE) as NotificationManager).apply {
+            createNotificationChannel(
+                NotificationChannel(
+                    "TEST_CHANNEL_ID",
+                    "Test Channel",
+                    NotificationManager.IMPORTANCE_DEFAULT
+                )
+            )
+        }
+
+    val sensitiveTitle = "Hi John Doe"
+    val sensitiveText = "Hi John Doe <- This is a sensitive string containing PII"
+    fun mastgTest(): String {
+
+        notificationManager.notify(1, createNotification())
+        notificationManager.notify(2, createNotificationOnChannel())
+        notificationManager.notify(3, createNotificationCompat())
+        notificationManager.notify(4, createNotificationCompatOnChannel())
+
+        return sensitiveText
+    }
+
+    private fun createNotification() = Notification.Builder(context)
+        .setContentTitle(sensitiveTitle)
+        .setContentText(sensitiveText)
+        .setSmallIcon(R.drawable.ic_menu_info_details)
+        .build()
+
+    private fun createNotificationOnChannel() = Notification.Builder(context, "TEST_CHANNEL_ID")
+        .setContentTitle(sensitiveTitle)
+        .setContentText(sensitiveText)
+        .setSmallIcon(R.drawable.ic_menu_info_details)
+        .build()
+
+    private fun createNotificationCompat() = NotificationCompat.Builder(context)
+        .setContentTitle(sensitiveTitle)
+        .setContentText(sensitiveText)
+        .setSmallIcon(R.drawable.ic_menu_info_details)
+        .build()
+
+    private fun createNotificationCompatOnChannel() =
+        NotificationCompat.Builder(context, "TEST_CHANNEL_ID")
+            .setContentTitle(sensitiveTitle)
+            .setContentText(sensitiveText)
+            .setSmallIcon(R.drawable.ic_menu_info_details)
+            .build()
+
+}

demos/android/MASVS-PRIVACY/MASTG-DEMO-0065/MastgTest_reversed.java

@@ -0,0 +1,52 @@
+package org.owasp.mastestapp;
+
+import android.app.Notification;
+import android.app.NotificationManager;
+import android.content.Context;
+import android.util.Log;
+import kotlin.Metadata;
+import kotlin.jvm.internal.Intrinsics;
+
+/* compiled from: MastgTest.kt */
+@Metadata(d1 = {"\u0000(\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010\u000e\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\b\u0007\u0018\u00002\u00020\u0001B\u000f\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0004\b\u0004\u0010\u0005J\u0006\u0010\n\u001a\u00020\u000bJ\u000e\u0010\f\u001a\u00020\r2\u0006\u0010\u000e\u001a\u00020\u000bJ\u000e\u0010\u000f\u001a\u00020\r2\u0006\u0010\u000e\u001a\u00020\u000bR\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000R\u0011\u0010\u0006\u001a\u00020\u0007¢\u0006\b\n\u0000\u001a\u0004\b\b\u0010\t¨\u0006\u0010"}, d2 = {"Lorg/owasp/mastestapp/MastgTest;", "", "context", "Landroid/content/Context;", "<init>", "(Landroid/content/Context;)V", "notificationManager", "Landroid/app/NotificationManager;", "getNotificationManager", "()Landroid/app/NotificationManager;", "mastgTest", "", "createNotification", "Landroid/app/Notification;", "sensitiveString", "createNotificationOnChannel", "app_debug"}, k = 1, mv = {2, 0, 0}, xi = 48)
+/* loaded from: classes3.dex */
+public final class MastgTest {
+    public static final int $stable = 8;
+    private final Context context;
+    private final NotificationManager notificationManager;
+
+    public MastgTest(Context context) {
+        Intrinsics.checkNotNullParameter(context, "context");
+        this.context = context;
+        Object systemService = this.context.getSystemService("notification");
+        Intrinsics.checkNotNull(systemService, "null cannot be cast to non-null type android.app.NotificationManager");
+        this.notificationManager = (NotificationManager) systemService;
+    }
+
+    public final NotificationManager getNotificationManager() {
+        return this.notificationManager;
+    }
+
+    public final String mastgTest() {
+        Log.d("MASTG-TEST", "Hello from the OWASP MASTG Test app.");
+        Notification it = createNotification("Hello from the OWASP MASTG Test app.");
+        this.notificationManager.notify(1, it);
+        Notification it2 = createNotificationOnChannel("Hello from the OWASP MASTG Test app.");
+        this.notificationManager.notify(2, it2);
+        return "Hello from the OWASP MASTG Test app.";
+    }
+
+    public final Notification createNotification(String sensitiveString) {
+        Intrinsics.checkNotNullParameter(sensitiveString, "sensitiveString");
+        Notification notificationBuild = new Notification.Builder(this.context).setContentTitle("MASTG Test").setContentText(sensitiveString).build();
+        Intrinsics.checkNotNullExpressionValue(notificationBuild, "build(...)");
+        return notificationBuild;
+    }
+
+    public final Notification createNotificationOnChannel(String sensitiveString) {
+        Intrinsics.checkNotNullParameter(sensitiveString, "sensitiveString");
+        Notification notificationBuild = new Notification.Builder(this.context, "TEST_CHANNEL_ID").setContentTitle("MASTG Test").setContentText(sensitiveString).build();
+        Intrinsics.checkNotNullExpressionValue(notificationBuild, "build(...)");
+        return notificationBuild;
+    }
+}

demos/android/MASVS-PRIVACY/MASTG-DEMO-0065/output.txt

@@ -0,0 +1,24 @@
+
+
+┌─────────────────┐
+│ 4 Code Findings │
+└─────────────────┘
+
+    MastgTest_reversed.java
+    ❯❱ rules.mastg-android-sensitive-data-in-notifications
+          [MASVS-PLATFORM-3] Ensure that notifications do not contain sensitive information
+
+           41┆ Notification notificationBuild = new                     
+               Notification.Builder(this.context).setContentTitle("MASTG
+               Test").setContentText(sensitiveString).build();          
+            ⋮┆----------------------------------------
+           41┆ Notification notificationBuild = new                     
+               Notification.Builder(this.context).setContentTitle("MASTG
+               Test").setContentText(sensitiveString).build();          
+            ⋮┆----------------------------------------
+           48┆ Notification notificationBuild = new Notification.Builder(this.context,                  
+               "TEST_CHANNEL_ID").setContentTitle("MASTG Test").setContentText(sensitiveString).build();
+            ⋮┆----------------------------------------
+           48┆ Notification notificationBuild = new Notification.Builder(this.context,                  
+               "TEST_CHANNEL_ID").setContentTitle("MASTG Test").setContentText(sensitiveString).build();
+

demos/android/MASVS-PRIVACY/MASTG-DEMO-0065/output2.txt

@@ -0,0 +1,12 @@
+
+
+┌────────────────┐
+│ 1 Code Finding │
+└────────────────┘
+
+    AndroidManifest_reversed.xml
+    ❯❱ rules.mastg-android-sensitive-data-in-notifications-manifest
+          [MASVS-PLATFORM-3] Ensure that notifications do not contain sensitive information
+
+           14┆ <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
+

demos/android/MASVS-PRIVACY/MASTG-DEMO-0065/run.sh

@@ -0,0 +1,3 @@
+NO_COLOR=true semgrep -c ../../../../rules/mastg-android-sensitive-data-in-notifications.yml ./MastgTest_reversed.java --text > output.txt
+
+NO_COLOR=true semgrep -c ../../../../rules/mastg-android-sensitive-data-in-notifications-manifest.yml ./AndroidManifest_reversed.xml --text > output2.txt

rules/mastg-android-sensitive-data-in-notifications-manifest.yml

@@ -0,0 +1,9 @@
+rules:
+  - id: mastg-android-sensitive-data-in-notifications-manifest
+    languages:
+      - xml
+    severity: WARNING
+    metadata:
+      summary: This rule inpects AndroidManifest.xml for notification post permission. Notification may contain sensitive data.
+    message: "[MASVS-PLATFORM-3] Ensure that notifications do not contain sensitive information"
+    pattern: android:name="android.permission.POST_NOTIFICATIONS"

rules/mastg-android-sensitive-data-in-notifications.yml

@@ -0,0 +1,11 @@
+rules:
+  - id: mastg-android-sensitive-data-in-notifications
+    languages:
+      - java
+    severity: WARNING
+    metadata:
+      summary: This rule looks for notifications that may contain sensitive data.
+    message: "[MASVS-PLATFORM-3] Ensure that notifications do not contain sensitive information"
+    pattern-either:
+      - pattern: $X.setContentTitle(...)
+      - pattern: $X.setContentText(...)

tests-beta/android/MASVS-PRIVACY/MASTG-TEST-0296.md

@@ -0,0 +1,34 @@
+---
+platform: android
+title: App Exposing Sensitive Data via Notifications
+id: MASTG-TEST-0296
+apis: [NotificationManager]
+type: [static, dynamic]
+weakness: MASWE-0054
+prerequisites:
+- identify-sensitive-data
+profiles: [P]
+---
+
+## Overview
+
+This test verifies that the app handles notifications correctly, ensuring that sensitive information—such as personally identifiable information (PII), one-time passwords (OTPs), or other sensitive data like health or financial details—is not exposed. On Android, developers typically request the runtime permission `POST_NOTIFICATIONS` that allows the app to send notifications. The creation of notifications can be handled through [`NotificationCompat.Builder`](https://developer.android.com/reference/androidx/core/app/NotificationCompat.Builder) or `setContentTitle` or `setContentText` from [`Notification.Builder`](https://developer.android.com/reference/android/app/Notification.Builder).
+
+The usage of notifications shouldn't expose sensitive information that might otherwise be accidentally disclosed via e.g. shoulder surfing or sharing the device with another person.
+
+## Steps
+
+1. Reverse engineer the app (@MASTG-TECH-0017).
+2. Run a static analysis tool such as @MASTG-TOOL-0110 on the reverse-engineered app to identify if the `POST_NOTIFICATIONS` permission is declared in the manifest file (for the above Android API 33). This would indicate that the app generates notifications.
+3. Run a static analysis tool such as @MASTG-TOOL-0110 on the reverse-engineered app's source code to identify the usage of the notification APIs, or run the app and use @MASTG-TECH-0033 and a tool like @MASTG-TOOL-0001 and start tracing all calls to functions related to the notifications creation.
+
+## Observation
+
+The output should contain:
+
+- the `POST_NOTIFICATIONS` permission, if declared in the manifest file, and
+- a list of locations where notification APIs are used.
+
+## Evaluation
+
+The test case fails if sensitive data is found in any notification created by the app.

tests/android/MASVS-STORAGE/MASTG-TEST-0005.md

@@ -9,6 +9,9 @@ masvs_v1_levels:
 - L1
 - L2
 profiles: [L1, L2]
+status: deprecated
+covered_by: [MASWE-0296]
+deprecation_note: New version available in MASTG V2
 ---
 
 ## Overview