Source: Minded Security S.r.l. The Software Security Company Blog

Semgrep Rules for Android Application Security

Introduction

The number of Android applications has been growing rapidly in recent years. In 2022, there were over 3.55 million Android apps available in the Google Play Store, and this number is expected to continue to grow in the years to come. The expansion of the Android app market is being driven by a number of factors, including the increasing popularity of smartphones, the growing demand for mobile apps, and the ease of developing and publishing Android apps. At the same time, the number of Android app downloads is also growing rapidly. In 2022, there were over 255 billion Android app downloads worldwide.

For this reason, introducing automatic security controls during Mobile Application Penetration Testing (MAPT) activity and the CI phase is necessary to ensure the security of Android apps by scanning for vulnerabilities before merging into the main repository.

Decompiling Android Packages

The compilation of Android applications is a multi-step process that involves different bytecodes, compilers, and execution engines. Generally speaking, a common compilation flow is divided into three phases:

- Precompilation: The Java source code (".java") is converted into Java bytecode (".class").
- Postcompilation: The Java bytecode is converted into Dalvik bytecode (".dex").
- Release: The ".dex" and resource files are packed, signed and compressed into the Android App Package (APK).

Finally, the Dalvik bytecode is executed by the Android Runtime (ART) environment.

Generally, the target of a Mobile Application Penetration Testing (MAPT) activity is in the form of an APK file. The decompilation of both aforementioned bytecodes is possible and can be performed through the use of tools such as Jadx:

```shell
jadx -d ./out-dir target.apk
```

OWASP MAS

The OWASP MAS project is a valuable resource for mobile security professionals, providing a comprehensive set of resources to enhance the security of mobile apps. The project includes several key components:

- OWASP MASVS: This resource outlines requirements for software architects and developers who aim to create secure mobile applications. It establishes an industry standard that can be used as a benchmark in mobile app security assessments. Additionally, it clarifies the role of software protection mechanisms in mobile security and offers requirements to verify their effectiveness.
- OWASP MASTG: This comprehensive manual covers the processes, techniques, and tools used during mobile application security analysis. It also includes an exhaustive set of test cases for verifying the requirements outlined in the OWASP Mobile Application Security Verification Standard (MASVS). This serves as a foundational basis for conducting thorough and consistent security tests.
- OWASP MAS Checklist: This checklist aligns with the tests described in the MASTG and provides an output template for mobile security testing.

https://mas.owasp.org/

Semgrep

Semgrep is a Static Application Security Testing (SAST) tool that performs intra-file analysis, allowing you to define code patterns for detecting misconfigurations or security issues by analyzing one file at a time in isolation. Some advantages of using Semgrep include:

- It does not require the source code to be uploaded to an external cloud.
- It does not require the target source code to be buildable or to have all of its dependencies available. It can work with a single source file.
- It is exceptionally fast.
- It allows you to write your own custom patterns very easily.

Once Semgrep is integrated into your CI pipeline, it automatically scans your code for potential vulnerabilities every time you commit changes. This helps identify and address vulnerabilities early in the development process, improving your software's security.

Key Insights on Semgrep

First of all, install Semgrep with the following command:

```shell
python3 -m pip install semgrep
```

Semgrep accepts two fundamental inputs:

- Rules collection: A collection is composed of ".yaml" files, alternatively referred to as "rules". A rule includes a series of patterns designed to identify or exclude specific elements within the target source code.
- Target source code: This denotes the source code subject to analysis. It may also be partial code, or code with certain dependencies omitted.

The four main elements you can find inside a Semgrep rule yaml file are:

- `...`: Matches a sequence of zero or more items such as arguments, statements, parameters, fields, characters.
- `"..."`: Matches any single hardcoded string.
- `$A`: Matches variables, functions, arguments, classes, object methods, imports, exceptions, and more.
- `<... e ...>`: Matches an expression ("e") that could be deeply nested within another expression.

Moreover, Semgrep provides several experimental modes that can be really useful in more difficult situations:

- taint: Enables the data-flow analysis feature, allowing you to specify sources and sinks.
- join: Allows you to use multiple rules on more than one file and to join the results.
- extract: Allows you to work with source files that contain different programming languages.

Suppose you have a rules collection in the directory "myrules/" and a target source code in "mytarget/". Launching a Semgrep scan is very simple:

```shell
semgrep -c ./myrules ./mytarget
```

The Project: Semgrep Rules for Android Application Security

The proposal

In March 2023, the IMQ Minded Security team, with the purpose of contributing to the ethical hacking and mobile development communities, began the "Semgrep Rules for Android Application Security" project. The primary objective of this project is to provide a collection of Semgrep rules that cover the static tests described in the OWASP Mobile Application Security Testing Guide (MASTG) for Android applications. The project has been publicly released on the IMQ Minded Security official GitHub page:

https://github.com/mindedsecurity/semgrep-rules-android-security

Currently, the project boasts more than 10 internal and external contributors with different degrees of seniority.

Supervisor: Stefano Di Paola (Twitter: @WisecWisec)

Project leader: Riccardo Cardelli (Twitter: @gand3lf)

Contributors (in alphabetical order):
- Andrea Agnello (GitHub: @AndreNoli)
- Christian Cotignola (Twitter: @b4dsheep)
- Federico Dotta (Twitter: @apps3c)
- Giacomo Zorzin (Mastodon: @gellge)
- Giovanni Fazi (GitHub: @giovifazi)
- Martino Lessio (Twitter: @Martinolessio)
- Maurizio Siddu (GitHub: @akabe1)
- Michele Di Bonaventura (Twitter: @cyberaz0r)
- Michele Tumolo (Twitter: @0s0urce)
- Riccardo Granata (GitHub: @riccardogranata)

The "Semgrep Rules for Android Application Security" project does not cover the entire set of OWASP MASTG tests, due to the intrinsic constraints of a mobile application SAST activity:

- The back-end source code is out of scope.
- The dynamic tests are out of scope.

Using the project during an MAPT activity is very simple:

```shell
# Download the target APK and the rules of the current project
$ git clone https://github.com/mindedsecurity/semgrep-rules-android-security
# Extract and decompile the source code from the target APK file
$ jadx -d target_src target.apk
# To use the .semgrepignore file launch the scan from the project folder
$ cd semgrep-rules-android-security/
# Run Semgrep with the new security rules
$ semgrep -c ./rules/ ../target_src/
```

Some Implemented Rules

More than 40 rules have been implemented, and this section contains a detailed description of four of the Semgrep rules included in the "Semgrep Rules for Android Application Security" project.

MSTG-STORAGE-3

The detailed description of the current test can be found at the following MASTG 1.5.0 reference:

https://github.com/OWASP/owasp-mastg/blob/v1.5.0/Document/0x05d-Testing-Data-Storage.md#testing-logs-for-sensitive-data-mstg-storage-3

As stated in the MSTG-STORAGE-3 test, the purpose is to identify any sensitive data within both system and application logs. To do this, two pieces of information are needed:

- The methods and classes that are delegated to perform logging operations.
- A regex that can be used to identify potentially sensitive data and attribute names.

The first piece of information can be partially retrieved from the MSTG-STORAGE-3 description. The identified methods are the following:

- Log.v | Log.i | Log.w | Log.e | Log.wtf
- System.out.print | System.err.print | System.out.println | System.err.println
- Logger.log | Logger.info | Logger.logp | Logger.logrb | Logger.severe | Logger.warning

Please note that the "Log.d" method is not included in the list because it prints log data only if the Android manifest contains the flag "android:debuggable" set to true. This requirement is verified by another implemented rule.

As for the second piece of information, the regex used to identify secrets inside the source code is the following:

```
.*(?i)(key|secret|password|pwd|passwd|token|salt|seed|salt|bearer|otp|crypt|auth(?-i)|IV).*
```

The following snippet shows the result translated into the Semgrep rule pattern language:

```yaml
message: The application writes sensitive data in application logs.
patterns:
  - pattern-either:
      - pattern: Log.v(...);
      - pattern: Log.i(...);
      - pattern: Log.w(...);
      - pattern: Log.e(...);
      - pattern: Log.wtf(...);
      - pattern: System.$X.print(...);
      - pattern: System.$X.println(...);
      - pattern: (BufferedWriter $X).write(...);
      - pattern: (Logger $X).log(...);
      - pattern: (Logger $X).info(...);
      - pattern: (Logger $X).logp(...);
      - pattern: (Logger $X).logrb(...);
      - pattern: (Logger $X).severe(...);
      - pattern: (Logger $X).warning(...);
  - pattern-regex: .*(?i)(key|secret|password|pwd|...|bearer|otp|crypt|auth(?-i)|IV).*
```

Patterns nested under a "patterns" node operate with a logical AND condition, whereas "pattern-either" is used to represent a logical OR condition. The following pattern is equivalent to the logical condition (A OR B) AND C:

```yaml
patterns:
  - pattern-either:
      - pattern: A
      - pattern: B
  - pattern: C
```

The final version of the rule can be consulted here:

https://github.com/mindedsecurity/semgrep-rules-android-secur
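To make the (A OR B) AND C composition and the MSTG-STORAGE-3 rule concrete, the following added example (not code from the post or from the semgrep-rules-android-security project) is a small Python evaluator that mirrors the rule's structure: a "patterns" list is AND-ed, a "pattern-either" list is OR-ed, and each leaf is matched against one line of decompiled Java. The Java lines are constructed for this example; the call patterns are regex approximations of the Semgrep ones (a toy evaluator has no type information, so the `(Logger $X)` typed metavariable is approximated by any receiver calling a Logger method); and the post's regex is rewritten with Python's scoped inline flags `(?i:...)`, because Python's `re` rejects a mid-pattern `(?i)` and has no bare `(?-i)`.

```python
import re

# Constructed sample of what jadx might emit; not taken from any real application.
SAMPLE_JAVA = """\
Log.d("Auth", "debug only");
Log.v("Auth", "token=" + token);
Log.e("Net", "request failed: " + url);
System.out.println("password: " + password);
logger.info("user id " + userId);
logger.warning("apiKey is " + apiKey);
Log.w("Cipher", "IV bytes " + ivBytes);
Log.i("Ui", "div rendered");
"""

# Python equivalent of the post's regex: the keyword group is case-insensitive,
# while "IV" stays case-sensitive (so "div" does not match).
SENSITIVE_RE = (
    r"(?i:key|secret|password|pwd|passwd|token|salt|seed|bearer|otp|crypt|auth)|IV"
)

# Rule structure mirroring the Semgrep YAML: patterns = AND, pattern-either = OR.
# Leaf patterns are regex approximations of the Semgrep call patterns (assumption).
RULE = {
    "patterns": [
        {
            "pattern-either": [
                {"pattern": r"\bLog\.(v|i|w|e|wtf)\s*\("},              # Log.v(...) ... Log.wtf(...)
                {"pattern": r"\bSystem\.(out|err)\.print(ln)?\s*\("},   # System.$X.print[ln](...)
                {"pattern": r"\b\w+\.(log|info|logp|logrb|severe|warning)\s*\("},  # (Logger $X).*(...)
            ]
        },
        {"pattern-regex": SENSITIVE_RE},
    ]
}


def evaluate(node, line):
    """Evaluate one rule node against a single source line.

    'patterns' children must all match (AND); 'pattern-either' children need
    at least one match (OR); 'pattern' / 'pattern-regex' leaves are regex searches.
    """
    if "patterns" in node:
        return all(evaluate(child, line) for child in node["patterns"])
    if "pattern-either" in node:
        return any(evaluate(child, line) for child in node["pattern-either"])
    key = "pattern" if "pattern" in node else "pattern-regex"
    return re.search(node[key], line) is not None


def scan(source):
    """Return (line number, stripped line) for every line the rule flags."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if evaluate(RULE, line):
            findings.append((lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, text in scan(SAMPLE_JAVA):
        print(f"line {lineno}: {text}")
```

Running it flags lines 2, 4, 6 and 7 only. Line 1 contains "Auth" but uses the excluded Log.d, so the AND with the call pattern fails; line 8 contains "div", which the case-sensitive "IV" alternative does not match. Semgrep's real `pattern-regex` and typed metavariables are more precise than these regexes, but the AND/OR composition is the same.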
