Port MASTG-TEST-0012: Testing the Device-Access-Security Policy (android) (by @guardsquare) #3113

Merged
merged 117 commits into from
Mar 7, 2025

@serek8 serek8 commented Jan 14, 2025

This PR closes #2937

  • I removed USB Debugging and Root detection from this test. It should be considered as a part of MASVS-RESILIENCE
  • MASVSv1 used Settings.Secure and Device Administration APIs to verify Device-Access-Security. These APIs seem to be either deprecated or unrelated. Therefore, MASVSv2 introduces the use of KeyguardManager to provide an easy way to verify passcode presence.
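
A KeyguardManager-based passcode check of the kind the description above refers to, as an added example that is not code from this PR or from the MASTG. The names `DeviceLockState`, `deviceLockState` and `requireSecureDevice` are hypothetical; the `KeyguardManager` and `Build` members are Android platform APIs.

```kotlin
import android.app.KeyguardManager
import android.content.Context
import android.os.Build

// Hypothetical result type for this example.
enum class DeviceLockState {
    SECURE,               // PIN, pattern or password is set
    SECURE_OR_SIM_LOCKED, // pre-API 23 answer: cannot tell a passcode from a SIM lock
    NOT_SECURE,           // no passcode configured
    UNKNOWN               // KeyguardManager unavailable
}

fun deviceLockState(context: Context): DeviceLockState {
    val km = context.getSystemService(Context.KEYGUARD_SERVICE) as? KeyguardManager
        ?: return DeviceLockState.UNKNOWN

    return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
        // isDeviceSecure (API 23+) is true only when a PIN, pattern or
        // password is set on the device.
        if (km.isDeviceSecure) DeviceLockState.SECURE else DeviceLockState.NOT_SECURE
    } else {
        // isKeyguardSecure (API 16+) is also true when only the SIM card is
        // locked, so a positive answer here does not prove a device passcode.
        if (km.isKeyguardSecure) DeviceLockState.SECURE_OR_SIM_LOCKED
        else DeviceLockState.NOT_SECURE
    }
}

// Fails closed: anything other than a confirmed passcode blocks the caller.
// Call from onResume() rather than once at startup, because the user can
// remove the passcode while the app is in the background.
fun requireSecureDevice(
    context: Context,
    onBlocked: (DeviceLockState) -> Unit
): Boolean {
    val state = deviceLockState(context)
    if (state != DeviceLockState.SECURE) {
        onBlocked(state) // e.g. show a prompt asking the user to set a passcode
        return false
    }
    return true
}
```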

@serek8 serek8 marked this pull request as ready for review February 6, 2025 08:49
@serek8 serek8 requested a review from cpholguera February 6, 2025 08:49
@cpholguera

Using the new .kt file:

Emulator

image

Physical Pixel

image


## Overview

This test verifies that an application is running on a device with a set passcode. A set passcode ensures that data on the device is encrypted and access to the device is restricted.

@cpholguera cpholguera Feb 7, 2025


Should we also include this?

From the weakness draft:

to make sure that biometrics can be used, verify that the kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly or the kSecAttrAccessibleWhenPasscodeSet protection class is set when the SecAccessControlCreateWithFlags method is called

To use Optic ID, Face ID, or Touch ID, the user must set up their device so that a passcode or password is required to unlock it.

https://support.apple.com/en-ph/guide/security/sec9479035f1/web

@cpholguera cpholguera changed the title Port MASTG-TEST-0012 (by @guardsquare) Port MASTG-TEST-0012: Testing the Device-Access-Security Policy (android) (by @guardsquare) Feb 24, 2025
@cpholguera cpholguera merged commit fd7ccc3 into OWASP:master Mar 7, 2025
34 checks passed
Successfully merging this pull request may close these issues.

MASTG v1->v2 MASTG-TEST-0012: Testing the Device-Access-Security Policy (android)