diff --git a/demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/MASTG-DEMO-0058.md b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/MASTG-DEMO-0058.md
index ae13e5d703b..2f0a4216619 100644
--- a/demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/MASTG-DEMO-0058.md
+++ b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/MASTG-DEMO-0058.md
@@ -1,6 +1,6 @@
---
platform: android
-title: Use of Insecure ECB Block Mode in KeyGenParameterSpec
+title: Using KeyGenParameterSpec with a Broken ECB Block Mode
id: MASTG-DEMO-0058
code: [kotlin]
test: MASTG-TEST-0232
@@ -8,19 +8,22 @@ test: MASTG-TEST-0232
### Sample
-The code below generates symmetric encryption keys meant to be stored in the Android KeyStore, but it does so using the ECB block mode, which is considered broken due to practical known-plaintext attacks and is disallowed by NIST for data encryption. The method used to set the block modes is [`KeyGenParameterSpec.Builder#setBlockModes(...)`](https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder#setBlockModes(java.lang.String[])):
+This code demonstrates the risks of using AES in ECB mode (which is a broken mode of operation) using three scenarios:
-```kotlin
-public KeyGenParameterSpec.Builder setBlockModes (String... blockModes)
-```
+1. Importing a raw AES key into AndroidKeyStore with the purpose "decrypt" and mode "ECB"
+2. Importing a raw AES key into AndroidKeyStore with the purpose "encrypt" and mode "ECB"
+3. Generating an AES key in AndroidKeyStore with the purpose "encrypt" or "decrypt" and mode "ECB"
-Current versions of Android prohibit the usage of keys with for ECB in some cases. For example, it is not possible to use the key to encrypt data by the default. Nevertheless, there are some case, where ECB can still be used:
-
-- Decrypt data
-- Encrypt data with a key given `setRandomizedEncryptionRequired` is set to `false`
+Current versions of Android prohibit the use of keys with ECB in some cases. For example, it is possible to use such a key for decryption but not to encrypt data by default, unless randomized encryption is explicitly disabled (bad practice).
{{ MastgTest.kt }}
+When executing the code, you will see the following results for each of the three scenarios:
+
+1. Decryption succeeds because that's always allowed.
+2. Encryption succeeds. The import succeeds in this case because we explicitly disable randomized encryption (bad practice). Otherwise, `KeyStore.setEntry` would fail with an error similar to the one for scenario 3.
+3. Encryption cannot even happen because the generation fails (`KeyGenerator.init` specifically) due to randomized encryption not being disabled. The error says `"Randomized encryption (IND-CPA) required but may be violated by block mode: ECB. See android.security.keystore.KeyGenParameterSpec documentation"`.
+
### Steps
1. Install the app on a device (@MASTG-TECH-0005)
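Review bot: the new intro calls ECB "a broken mode of operation" without giving a reason, whereas the removed sentence did (practical known-plaintext attacks, disallowed by NIST for data encryption). Keep a short clause with that rationale so the demo stands on its own. In scenario 3, `purpose "encrypt" or "decrypt"` is ambiguous; if the key is generated with both purposes, write "encrypt and decrypt".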
@@ -29,22 +32,27 @@ Current versions of Android prohibit the usage of keys with for ECB in some case
4. Click the **Start** button
5. Stop the script by pressing `Ctrl+C` and/or `q` to quit the Frida CLI
+These are the relevant methods we are hooking to detect the use of ECB and whether randomized encryption is disabled:
+
+- Setting block modes:
+ - [`KeyGenParameterSpec.Builder#setBlockModes(...)`](https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder#setBlockModes(java.lang.String[]))
+ - [`KeyProtection.Builder#setBlockModes(...)`](https://developer.android.com/reference/android/security/keystore/KeyProtection.Builder#setBlockModes(java.lang.String[])).
+- Enabling/disabling randomized encryption:
+ - [`KeyGenParameterSpec.Builder#setRandomizedEncryptionRequired`](https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder#setRandomizedEncryptionRequired(boolean))
+ - [`KeyProtection.Builder#setRandomizedEncryptionRequired`](https://developer.android.com/reference/android/security/keystore/KeyProtection.Builder#setRandomizedEncryptionRequired(boolean))
+
{{ hooks.js # run.sh }}
### Observation
-The output shows all instances of block modes mode that were found at runtime. A backtrace is also provided to help identify the location in the code.
+The output shows all instances of block modes that were found at runtime. A backtrace is also provided to help identify the location in the code. If randomized encryption is disabled, that is also indicated in the output.
{{ output.json }}
### Evaluation
-The method `setBlockModes` has now been called three times with ECB as one of the block modes.
-
-The test fails, as key used with these `KeyGenParameterSpec` can now be used used to insecurely encrypt data.
-
-You can automatically evaluate the output using tools like `jq` as demonstrated in `evaluation.sh`.
+The test fails because the `KeyGenParameterSpec.Builder#setBlockModes(...)` and `KeyProtection.Builder#setBlockModes(...)` methods have been called with ECB.
-{{ evaluate.sh }}
+{{ evaluation.txt # evaluate.sh }}
-See @MASTG-TEST-0232 for more information.
+Regardless of whether the encryption succeeds or not, ECB should never be used in security-sensitive apps. Also, being present in the app may indicate issues in other parts of the app ecosystem (e.g., backend services).
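Review bot: the closing sentence "Also, being present in the app may indicate issues..." has no subject; suggest "Also, the presence of ECB in the app may indicate issues in other parts of the app ecosystem". In the hooked-methods list, the `KeyProtection.Builder#setBlockModes(...)` item ends with a period while the other three items do not. The Evaluation text now names only the two `setBlockModes` methods as the reason for failure, although the Observation says disabled randomized encryption is also reported; say whether that finding counts toward the verdict.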
diff --git a/demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/MastgTest.kt b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/MastgTest.kt
index 9ce160e2ad2..67ff8a7d5ad 100644
--- a/demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/MastgTest.kt
+++ b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/MastgTest.kt
@@ -20,9 +20,6 @@ class MastgTest(private val context: Context) {
var encryptedData: ByteArray? = null
var decryptedData: ByteArray? = null
- // Suppose we received a raw key from a secure source and we want to use it for decryption.
- // The following commented-out code is an example of generating a raw key and encrypting data with it.
- // We obtained the raw key and encrypted data from the logs and added them to the code for demonstration purposes.
try {
// Suppose we received the raw key from a secure source and we want to use it for decryption.
val rawKeyString = "43ede5660e82123ee091d6b4c8f7d150"
@@ -53,7 +50,8 @@ class MastgTest(private val context: Context) {
results.add("\n[!] Keystore-imported AES ECB key decryption error:\n\n${e.message}")
}
- // import the raw key into AndroidKeyStore for encryption which would fail unless randomized encryption is disabled (bad practice)
+ // Import the raw key into AndroidKeyStore with the purpose "encrypt" and mode "ECB"
+ // The import succeeds in this case because we explicitly disable randomized encryption (bad practice)
try {
if (rawKey == null || encryptedData == null) {
throw IllegalStateException("Key or data missing for encryption")
@@ -79,7 +77,8 @@ class MastgTest(private val context: Context) {
results.add("\n\n[!] Keystore-imported AES ECB key encryption error:\n\n${e.message}")
}
- // keystore key generation and encryption
+ // Generate a raw key in the AndroidKeyStore with the purpose "encrypt" or "decrypt" and and mode "ECB"
+ // The generation fails in this case because we don't disable randomized encryption
try {
val keyAlias = "testKeyGenParameter"
val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
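Review bot: the added comment has a duplicated word ("and and mode") and describes the key as "a raw key", but a key generated inside AndroidKeyStore is not raw; the raw key is the one imported in the two earlier blocks. Suggest "Generate an AES key in AndroidKeyStore with the purpose ... and mode "ECB"", matching the wording of scenario 3 in the demo's markdown.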
diff --git a/demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/evaluate.sh b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/evaluate.sh
index 0611e4ba796..fd240947d34 100755
--- a/demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/evaluate.sh
+++ b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/evaluate.sh
@@ -1,9 +1,11 @@
#!/bin/bash
-jq '
- select(
- .class=="android.security.keystore.KeyGenParameterSpec$Builder"
- and .method=="setBlockModes"
- and (.inputParameters[0].value | contains(["ECB"]))
- )
-' output.json
\ No newline at end of file
+jq -r -s '
+ flatten
+ | .[]
+ | select(
+ .method=="setBlockModes"
+ and any(.inputParameters[]?.value[]?; . == "ECB")
+ )
+ | "Class: \(.class), Method: \(.method), Block modes: \([.inputParameters[]?.value[]?] | join(", "))"
+' output.json > evaluation.txt
\ No newline at end of file
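Review bot: the new filter selects only `.method=="setBlockModes"`, so the `setRandomizedEncryptionRequired` event recorded in output.json never reaches evaluation.txt, even though the demo's Observation says disabled randomized encryption is indicated in the output. Add a second branch to the `select(...)` for that method, or print it as a separate line, so the evaluation can tell the import that permits ECB encryption from the one that does not. Dropping the `.class` condition also means a `setBlockModes` on any hooked class matches; that is fine as long as the printed `Class:` field is what readers are expected to check. The file still ends without a trailing newline.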
diff --git a/demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/evaluation.txt b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/evaluation.txt
new file mode 100644
index 00000000000..b264630efba
--- /dev/null
+++ b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/evaluation.txt
@@ -0,0 +1,3 @@
+Class: android.security.keystore.KeyProtection$Builder, Method: setBlockModes, Block modes: ECB
+Class: android.security.keystore.KeyProtection$Builder, Method: setBlockModes, Block modes: ECB
+Class: android.security.keystore.KeyGenParameterSpec$Builder, Method: setBlockModes, Block modes: ECB
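Review bot: the first two lines are identical, so a reader cannot tell the decrypt import from the encrypt import. output.json already carries the call sites (`MastgTest.kt:41` and `MastgTest.kt:65` in the `stackTrace`); appending the first app frame to each line would make the three findings distinguishable.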
diff --git a/demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/output.json b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/output.json
index 126f2a701c5..99f98cdec31 100644
--- a/demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/output.json
+++ b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/output.json
@@ -1,18 +1,16 @@
{
- "id": "523e8eb7-e155-4792-bdae-6c2a728c87ac",
+ "id": "a0a0815c-fa2c-43a5-ad35-10c2a3d097cd",
"category": "CRYPTO",
- "time": "2025-08-01T09:00:07.277Z",
+ "time": "2025-09-12T16:45:55.639Z",
"class": "android.security.keystore.KeyProtection$Builder",
"method": "setBlockModes",
"stackTrace": [
"android.security.keystore.KeyProtection$Builder.setBlockModes(Native Method)",
"org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:41)",
- "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$7(MainActivity.kt:53)",
- "org.owasp.mastestapp.MainActivityKt.$r8$lambda$JVJO2MsmWvFAgk27L17N1ocLpI0(Unknown Source:0)",
- "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda0.invoke(D8$$SyntheticClass:0)",
- "androidx.compose.foundation.ClickableNode$clickPointerInput$3.invoke-k-4lQ0M(Clickable.kt:639)",
- "androidx.compose.foundation.ClickableNode$clickPointerInput$3.invoke(Clickable.kt:633)",
- "androidx.compose.foundation.gestures.TapGestureDetectorKt$detectTapAndPress$2$1.invokeSuspend(TapGestureDetector.kt:255)"
+ "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$6$lambda$5(MainActivity.kt:55)",
+ "org.owasp.mastestapp.MainActivityKt.$r8$lambda$PtKdgqcXvbS9cMNZVWq3K3GGQKQ(Unknown Source:0)",
+ "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda3.run(D8$$SyntheticClass:0)",
+ "java.lang.Thread.run(Thread.java:1012)"
],
"inputParameters": [
{
@@ -30,20 +28,18 @@
]
}
{
- "id": "a162bca9-454e-4d48-a737-0ac6e73983c7",
+ "id": "1ade0c02-74c8-4629-bbd4-5f51c9616b68",
"category": "CRYPTO",
- "time": "2025-08-01T09:00:07.288Z",
+ "time": "2025-09-12T16:45:55.671Z",
"class": "android.security.keystore.KeyProtection$Builder",
"method": "setBlockModes",
"stackTrace": [
"android.security.keystore.KeyProtection$Builder.setBlockModes(Native Method)",
"org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:65)",
- "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$7(MainActivity.kt:53)",
- "org.owasp.mastestapp.MainActivityKt.$r8$lambda$JVJO2MsmWvFAgk27L17N1ocLpI0(Unknown Source:0)",
- "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda0.invoke(D8$$SyntheticClass:0)",
- "androidx.compose.foundation.ClickableNode$clickPointerInput$3.invoke-k-4lQ0M(Clickable.kt:639)",
- "androidx.compose.foundation.ClickableNode$clickPointerInput$3.invoke(Clickable.kt:633)",
- "androidx.compose.foundation.gestures.TapGestureDetectorKt$detectTapAndPress$2$1.invokeSuspend(TapGestureDetector.kt:255)"
+ "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$6$lambda$5(MainActivity.kt:55)",
+ "org.owasp.mastestapp.MainActivityKt.$r8$lambda$PtKdgqcXvbS9cMNZVWq3K3GGQKQ(Unknown Source:0)",
+ "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda3.run(D8$$SyntheticClass:0)",
+ "java.lang.Thread.run(Thread.java:1012)"
],
"inputParameters": [
{
@@ -61,20 +57,18 @@
]
}
{
- "id": "8dd8050c-dbc0-4662-804a-8bfb2151ca34",
+ "id": "48a8aa46-4ada-470e-bb5e-47ceefb53e1b",
"category": "CRYPTO",
- "time": "2025-08-01T09:00:07.291Z",
+ "time": "2025-09-12T16:45:55.673Z",
"class": "android.security.keystore.KeyProtection$Builder",
"method": "setRandomizedEncryptionRequired",
"stackTrace": [
"android.security.keystore.KeyProtection$Builder.setRandomizedEncryptionRequired(Native Method)",
"org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:67)",
- "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$7(MainActivity.kt:53)",
- "org.owasp.mastestapp.MainActivityKt.$r8$lambda$JVJO2MsmWvFAgk27L17N1ocLpI0(Unknown Source:0)",
- "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda0.invoke(D8$$SyntheticClass:0)",
- "androidx.compose.foundation.ClickableNode$clickPointerInput$3.invoke-k-4lQ0M(Clickable.kt:639)",
- "androidx.compose.foundation.ClickableNode$clickPointerInput$3.invoke(Clickable.kt:633)",
- "androidx.compose.foundation.gestures.TapGestureDetectorKt$detectTapAndPress$2$1.invokeSuspend(TapGestureDetector.kt:255)"
+ "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$6$lambda$5(MainActivity.kt:55)",
+ "org.owasp.mastestapp.MainActivityKt.$r8$lambda$PtKdgqcXvbS9cMNZVWq3K3GGQKQ(Unknown Source:0)",
+ "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda3.run(D8$$SyntheticClass:0)",
+ "java.lang.Thread.run(Thread.java:1012)"
],
"inputParameters": [
{
@@ -90,20 +84,18 @@
]
}
{
- "id": "394de339-b6c6-485e-babc-672ff5df315f",
+ "id": "fe6e69b6-2764-473e-80d2-5a242b56947e",
"category": "CRYPTO",
- "time": "2025-08-01T09:00:07.300Z",
+ "time": "2025-09-12T16:45:55.683Z",
"class": "android.security.keystore.KeyGenParameterSpec$Builder",
"method": "setBlockModes",
"stackTrace": [
"android.security.keystore.KeyGenParameterSpec$Builder.setBlockModes(Native Method)",
"org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:90)",
- "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$7(MainActivity.kt:53)",
- "org.owasp.mastestapp.MainActivityKt.$r8$lambda$JVJO2MsmWvFAgk27L17N1ocLpI0(Unknown Source:0)",
- "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda0.invoke(D8$$SyntheticClass:0)",
- "androidx.compose.foundation.ClickableNode$clickPointerInput$3.invoke-k-4lQ0M(Clickable.kt:639)",
- "androidx.compose.foundation.ClickableNode$clickPointerInput$3.invoke(Clickable.kt:633)",
- "androidx.compose.foundation.gestures.TapGestureDetectorKt$detectTapAndPress$2$1.invokeSuspend(TapGestureDetector.kt:255)"
+ "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$6$lambda$5(MainActivity.kt:55)",
+ "org.owasp.mastestapp.MainActivityKt.$r8$lambda$PtKdgqcXvbS9cMNZVWq3K3GGQKQ(Unknown Source:0)",
+ "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda3.run(D8$$SyntheticClass:0)",
+ "java.lang.Thread.run(Thread.java:1012)"
],
"inputParameters": [
{
diff --git a/demos/android/MASVS-STORAGE/MASTG-DEMO-0059/MASTG-DEMO-0059.md b/demos/android/MASVS-STORAGE/MASTG-DEMO-0059/MASTG-DEMO-0059.md
index b9a88f56980..fc81170f616 100644
--- a/demos/android/MASVS-STORAGE/MASTG-DEMO-0059/MASTG-DEMO-0059.md
+++ b/demos/android/MASVS-STORAGE/MASTG-DEMO-0059/MASTG-DEMO-0059.md
@@ -1,6 +1,6 @@
---
platform: android
-title: App Writing Sensitive Data to Sandbox using SharedPreferences
+title: Using SharedPreferences to Write Sensitive Data Unencrypted to the App Sandbox
id: MASTG-DEMO-0059
code: [kotlin]
test: MASTG-TEST-0207
@@ -8,10 +8,28 @@ test: MASTG-TEST-0207
### Sample
-The code snippet below shows sample code which stores sensitive data using `SharedPreferences`. It stores sensitive data using `String` and `StringSet`.
+The code below stores sensitive data using the `SharedPreferences` API, both with and without encryption:
+
+- An AWS key is stored encrypted
+- A GitHub token is stored unencrypted
+- A set of binary pre-shared keys is stored unencrypted
+
+When encryption is performed, it uses a securely generated key stored in the Android KeyStore.
{{ MastgTest.kt }}
+When executing the code, you will be able to inspect the shared preferences file created in the app sandbox. For example, run the following command:
+
+```sh
+adb shell cat /data/data/org.owasp.mastestapp/shared_prefs/MasSharedPref_Sensitive_Data.xml
+```
+
+Which returns:
+
+{{ MasSharedPref_Sensitive_Data.xml }}
+
+All unencrypted entries can be leveraged by an attacker.
+
### Steps
1. Install the app on a device (@MASTG-TECH-0005)
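Review bot: the added sentence "All unencrypted entries can be leveraged by an attacker." states no precondition, while the sentence it replaces said that sandbox data can be extracted using backups or root access on a compromised phone. Keep that condition next to the claim. The `adb shell cat /data/data/...` command has the same gap: it only works with root or via `run-as` on a debuggable build, and the text should say which one the demo assumes.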
@@ -20,51 +38,87 @@ The code snippet below shows sample code which stores sensitive data using `Shar
4. Click the **Start** button
5. Stop the script by pressing `Ctrl+C` and/or `q` to quit the Frida CLI
+These are the relevant methods we are hooking to detect the use of `SharedPreferences` to write strings:
+ - [`SharedPreferences.Editor.putString(...)`](https://developer.android.com/reference/android/content/SharedPreferences.Editor#putString(java.lang.String,%20java.lang.String))
+ - [`SharedPreferences.Editor.putStringSet(...)`](https://developer.android.com/reference/android/content/SharedPreferences.Editor#putStringSet(java.lang.String,%20java.util.Set))
+
+Our hooks also trace calls to cryptographic methods to help determine whether the written values are encrypted or not; whether the Android KeyStore is used; and whether Base64 encoding is used to convert binary data to strings:
+ - [`javax.crypto.Cipher.*(...)`](https://developer.android.com/reference/javax/crypto/Cipher)
+ - [`java.security.KeyStore.*(...)`](https://developer.android.com/reference/java/security/KeyStore)
+ - [`javax.crypto.KeyGenerator.*(...)`](https://developer.android.com/reference/javax/crypto/KeyGenerator)
+ - [`android.util.Base64.*(...)`](https://developer.android.com/reference/android/util/Base64)
+
{{ hooks.js # run.sh }}
### Observation
-The output shows all instances of strings written via `SharedPreferences` that were found at runtime. A backtrace is also provided to help identify the location in the code.
+The output shows all instances of strings written via `SharedPreferences` that were found at runtime. A backtrace is also provided to help identify the corresponding locations in the code.
{{ output.json }}
### Evaluation
-In output.json we can identify several entries that use the `SharedPreferences` API write strings to the app's local sandbox. In this case to `/data/data/org.owasp.mastestapp/shared_prefs/MasSharedPref_Sensitive_Data.xml`:
+The test fails because secrets are written to SharedPreferences without encryption.
+
+In `output.json` we can identify several entries that use the `SharedPreferences` API to write strings to the app's local sandbox—in this case, to `/data/data/org.owasp.mastestapp/shared_prefs/MasSharedPref_Sensitive_Data.xml`.
-- `putString` is used to write an unencrypted `UnencryptedGitHubToken` of value `ghp_1234567890a...`
-- `putString` is used to write an encrypted `EncryptedAwsKey` of value `V1QyXhGV88RQLmMjoTLLl...`
-- `putStringSet` is used to write an unencrypted `UnencryptedPreSharedKeys` set with values `MIIEvAIBADAN...` and `gJXS9EwpuzK8...`
+Determining if a string is encrypted or not, especially with crypto keys can be challenging.
-We can use the values and try to trace them back to crypto method calls and check if they are encrypted. For example, let's analyze the `EncryptedAwsKey` of value `V1QyXhGV88RQLmMjoTLLl...`:
+#### Option 1: High level trace inspection
-- `V1QyXhGV88RQLmMjoTLLl...` is the return value of `Base64.encodeToString` for the input `0x5754325e1195f3c45...`
-- `0xa132cb95022985be` is the return value of `Cipher.doFinal` for the input `AKIAIOSFODNN7EXAMPLE`
+After slightly processing the output using `jq`, we can get a high level view of the relevant calls, which can help us identify unencrypted secrets.
-However, we cannot find any calls to `Base64.encodeToString` or `Cipher.***` for the `preSharedKeys` values written by `putStringSet` (`MIIEvAIBADAN...` and `gJXS9EwpuzK8...`).
+{{ evaluation.txt # evaluate.sh }}
-You can confirm this by reverse engineering the app and inspecting the code. Inspect the `stackTrace` of the `putString` and `putStringSet` entries, then go to the corresponding locations in the code. For example, go to the `org.owasp.mastestapp.MastgTest.mastgTest` method and try to trace back the input parameters to determine whether they are encrypted.
+Here we can see that:
-The test **fails** due because we found some entries that aren't encrypted.
+- the value `ghp_1234567890a...` is not preceded by any Cipher calls when written via `putString`.
+- the value `V1QyXhGV88RQLmMjoTLLl...` has several calls to Cipher and then a `putString`.
+- the set of values `MIIEvAIBADAN...` and `gJXS9EwpuzK8...` are also not preceded by any Cipher calls when written via `putStringSet`.
-Any data in the app sandbox can be extracted using backups or root access on a compromised phone. For example, run the following command:
+#### Option 2: Pattern matching
+
+At this point you could use a secrets detection tool such as @MASTG-TOOL-0144 to try to detect any secrets present in cleartext or encoded.
```sh
-adb shell cat /data/data/org.owasp.mastestapp/shared_prefs/MasSharedPref_Sensitive_Data.xml
+cat ./output.json | gitleaks -v stdin
+
+ ○
+ │╲
+ │ ○
+ ○ ░
+ ░ gitleaks
+
+Finding: "value": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALfX7kbfFv3pc3JjOHQ=\n-...,-----BEGIN PRIVATE ...
+Secret: -----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALfX7kbfFv3pc3JjOHQ=\n-...
+RuleID: private-key
+Entropy: 4.884846
+
+Finding: ...ND PRIVATE KEY-----,-----BEGIN PRIVATE KEY-----\ngJXS9EwpuzK8U1TOgfplwfKEVngCE2D5FNBQWvNmuHHbigmTCabsA=\n-----END PRIVAT...
+Secret: -----BEGIN PRIVATE KEY-----\ngJXS9EwpuzK8U1TOgfplwfKEVngCE2D5FNBQWvNmuHHbigmTCabsA=\n-----END PRIVAT...
+RuleID: private-key
+Entropy: 4.945110
+
+Finding: "value": "AKIAABCDEFGHIJKLMNOP
+Secret: AKIAABCDEFGHIJKLMNOP
+RuleID: aws-access-token
+Entropy: 3.884184
+
+Finding: "value": "ghp_1234567890abcdefghijklmnopqrstuvABCD
+Secret: ghp_1234567890abcdefghijklmnopqrstuvABCD
+RuleID: github-pat
+Entropy: 5.171928
```
-Which returns:
+#### Option 3: Detailed trace inspection
-```xml
-
-
-```
+The provided `output.json` in this case allows you to trace the written values back to cryptographic method calls and this way find out whether they are encrypted. For example, let's analyze the `EncryptedAwsKey` with value `V1QyXhGV88RQLmMjoTLLl...`:
+
+- `V1QyXhGV88RQLmMjoTLLl...` is the return value of `Base64.encodeToString` for the input `0x5754325e1195f3c45...`.
+- `0xa132cb95022985be` is the return value of `Cipher.doFinal` for the input `AKIAABCDEFGHIJKLMNOP`.
+
+However, we cannot find any calls to `Base64.encodeToString` or `Cipher.*` for the `preSharedKeys` values written by `putStringSet` (`MIIEvAIBADAN...` and `gJXS9EwpuzK8...`).
+
+#### Option 4: Manual reverse engineering
-All entries that aren't encrypted can be leveraged by an attacker.
+You can confirm this by reverse engineering the app and inspecting the code. Review the `stackTrace` of the `putString` and `putStringSet` entries, then navigate to the corresponding locations in the code. For example, open the `org.owasp.mastestapp.MastgTest.mastgTest` method and try to trace back the input parameters to determine whether they are encrypted.
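Review bot: the values quoted in Options 1 and 3 do not match the regenerated trace. evaluation.txt shows `Base64.encodeToString` taking `0x53e09f5c46...` and `putString` writing `U+CfXEYocKIU...` for `EncryptedAwsKey`, but the text still cites `V1QyXhGV88RQLmMjoTLLl...`, `0x5754325e1195f3c45...` and `0xa132cb95022985be`, and the last of these does not even match the Base64 input it is supposed to produce. Update them from the new output.json. In Option 2, gitleaks also flags `AKIAABCDEFGHIJKLMNOP`, which appears in the trace as the `Cipher.doFinal` input and not as a stored value; add a sentence saying each hit has to be matched against a `putString`/`putStringSet` call before it is treated as cleartext storage. Minor: "especially with crypto keys can be challenging" needs a comma after "keys", and `cat ./output.json | gitleaks -v stdin` can be `gitleaks -v stdin < output.json`.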
diff --git a/demos/android/MASVS-STORAGE/MASTG-DEMO-0059/MasSharedPref_Sensitive_Data.xml b/demos/android/MASVS-STORAGE/MASTG-DEMO-0059/MasSharedPref_Sensitive_Data.xml
new file mode 100644
index 00000000000..4143bdfe654
--- /dev/null
+++ b/demos/android/MASVS-STORAGE/MASTG-DEMO-0059/MasSharedPref_Sensitive_Data.xml
@@ -0,0 +1,9 @@
+
+
\ No newline at end of file
diff --git a/demos/android/MASVS-STORAGE/MASTG-DEMO-0059/MastgTest.kt b/demos/android/MASVS-STORAGE/MASTG-DEMO-0059/MastgTest.kt
index b29ce0a2372..27ff842ce20 100644
--- a/demos/android/MASVS-STORAGE/MASTG-DEMO-0059/MastgTest.kt
+++ b/demos/android/MASVS-STORAGE/MASTG-DEMO-0059/MastgTest.kt
@@ -11,11 +11,12 @@ import javax.crypto.SecretKey
import androidx.core.content.edit
class MastgTest(private val context: Context) {
- private val awsKey = "AKIAIOSFODNN7EXAMPLE"
- private val githubToken = "ghp_1234567890abcdefghijklmnOPQRSTUV"
+ private val awsKey = "AKIAABCDEFGHIJKLMNOP"
+ private val githubToken = "ghp_1234567890abcdefghijklmnopqrstuvABCD"
private val preSharedKeys = hashSetOf(
- "MIIEvAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALfX7kbfFv3pc3JjOHQ=",
- "gJXS9EwpuzK8U1TOgfplwfKEVngCE2D5FNBQWvNmuHHbigmTCabsA=")
+ "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALfX7kbfFv3pc3JjOHQ=\n-----END PRIVATE KEY-----",
+ "-----BEGIN PRIVATE KEY-----\ngJXS9EwpuzK8U1TOgfplwfKEVngCE2D5FNBQWvNmuHHbigmTCabsA=\n-----END PRIVATE KEY-----"
+ )
private val keyAlias = "mastgKey"
private fun getOrCreateSecretKey(): SecretKey {
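Review bot: the new `awsKey`, `githubToken` and PEM-wrapped `preSharedKeys` values have no comment saying they are fabricated test values shaped so that a secrets scanner recognizes them, which is what Option 2 of the demo relies on. Add a one-line comment above the fields so they are not reported as leaked credentials or reverted to the old placeholders.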
@@ -58,9 +59,9 @@ class MastgTest(private val context: Context) {
)
sharedPref.edit {
putString("UnencryptedGitHubToken", githubToken)
- returnStatus += "[FAIL]: Stored sensitive data (Github Token) using putString.\n\n"
+ returnStatus += "[FAIL]: Stored unencrypted sensitive data (Github Token) using putString.\n\n"
- putString("EncryptedGitHubToken", encrypt(awsKey))
+ putString("EncryptedAwsKey", encrypt(awsKey))
returnStatus += "[OK]: Stored encrypted sensitive data (AWS key) using putString.\n\n"
putStringSet("UnencryptedPreSharedKeys", preSharedKeys)
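Review bot: the changed status string still spells "Github Token", while the preference key on the line above is `UnencryptedGitHubToken`; use "GitHub" in the message as well. The rename to `EncryptedAwsKey` fixes the mismatch with the value passed to `encrypt(awsKey)`, so the same consistency is worth applying to the status text.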
diff --git a/demos/android/MASVS-STORAGE/MASTG-DEMO-0059/evaluate.sh b/demos/android/MASVS-STORAGE/MASTG-DEMO-0059/evaluate.sh
new file mode 100755
index 00000000000..47272b8b33f
--- /dev/null
+++ b/demos/android/MASVS-STORAGE/MASTG-DEMO-0059/evaluate.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+jq -r -s '
+ flatten
+ | .[]
+ | "Class: \(.class), Method: \(.method), Params: \([.inputParameters[]?.value?] | join(", "))"
+' output.json > evaluation.txt
\ No newline at end of file
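Review bot: `join(", ")` prints parameter values raw, so the PEM strings passed to `putStringSet` spill over several lines in evaluation.txt and empty values leave output like `Params: 1, , `, which breaks the one-call-per-line format the markdown asks readers to scan. Escape newlines before joining (for example with `gsub("\n"; "\\n")`) and print the parameter `type` when `value` is empty. The script also has no `select(...)`, so every hooked call is emitted; if that is intended for the "high level view", a short comment in the script would make it clear. The file ends without a trailing newline.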
diff --git a/demos/android/MASVS-STORAGE/MASTG-DEMO-0059/evaluation.txt b/demos/android/MASVS-STORAGE/MASTG-DEMO-0059/evaluation.txt
new file mode 100644
index 00000000000..fc782db4be4
--- /dev/null
+++ b/demos/android/MASVS-STORAGE/MASTG-DEMO-0059/evaluation.txt
@@ -0,0 +1,14 @@
+Class: android.app.SharedPreferencesImpl$EditorImpl, Method: putString, Params: UnencryptedGitHubToken, ghp_1234567890abcdefghijklmnopqrstuvABCD
+Class: javax.crypto.Cipher, Method: getInstance, Params: AES/GCM/NoPadding
+Class: java.security.KeyStore, Method: getEntry, Params: mastgKey, void
+Class: javax.crypto.Cipher, Method: init, Params: 1, ,
+Class: javax.crypto.Cipher, Method: init, Params: 1,
+Class: javax.crypto.Cipher, Method: doFinal, Params: AKIAABCDEFGHIJKLMNOP
+Class: android.util.Base64, Method: encodeToString, Params: 0x53e09f5c462870a214466544f752de9dab78e423147bbf8274f34f81c28e6474b3725fe8457be0cddc5b4330fc75ed6b..., 0
+Class: android.app.SharedPreferencesImpl$EditorImpl, Method: putString, Params: EncryptedAwsKey, U+CfXEYocKIURmVE91Lenat45CMUe7+CdPNPgcKOZHSzcl/oRXvgzdxbQzD8de1r
+
+Class: android.app.SharedPreferencesImpl$EditorImpl, Method: putStringSet, Params: UnencryptedPreSharedKeys, -----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALfX7kbfFv3pc3JjOHQ=
+-----END PRIVATE KEY-----,-----BEGIN PRIVATE KEY-----
+gJXS9EwpuzK8U1TOgfplwfKEVngCE2D5FNBQWvNmuHHbigmTCabsA=
+-----END PRIVATE KEY-----
diff --git a/demos/android/MASVS-STORAGE/MASTG-DEMO-0059/output.json b/demos/android/MASVS-STORAGE/MASTG-DEMO-0059/output.json
index 741aade8edf..33497fdade2 100644
--- a/demos/android/MASVS-STORAGE/MASTG-DEMO-0059/output.json
+++ b/demos/android/MASVS-STORAGE/MASTG-DEMO-0059/output.json
@@ -1,16 +1,16 @@
{
- "id": "048be862-005c-45e2-b504-9ab6fa280784",
+ "id": "d1cb86ee-9900-4829-8161-77e18324b574",
"category": "STORAGE",
- "time": "2025-09-01T06:36:43.565Z",
+ "time": "2025-09-13T10:41:09.890Z",
"class": "android.app.SharedPreferencesImpl$EditorImpl",
"method": "putString",
"stackTrace": [
"android.app.SharedPreferencesImpl$EditorImpl.putString(Native Method)",
- "org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:60)",
- "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$10$lambda$9(MainActivity.kt:88)",
- "org.owasp.mastestapp.MainActivityKt.$r8$lambda$q7zJ11jwoN73NSP2ckY8XHAEb68(Unknown Source:0)",
- "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda2.run(D8$$SyntheticClass:0)",
- "java.lang.Thread.run(Thread.java:920)"
+ "org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:61)",
+ "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$6$lambda$5(MainActivity.kt:55)",
+ "org.owasp.mastestapp.MainActivityKt.$r8$lambda$PtKdgqcXvbS9cMNZVWq3K3GGQKQ(Unknown Source:0)",
+ "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda3.run(D8$$SyntheticClass:0)",
+ "java.lang.Thread.run(Thread.java:1012)"
],
"inputParameters": [
{
@@ -19,7 +19,7 @@
},
{
"type": "java.lang.String",
- "value": "ghp_1234567890abcdefghijklmnOPQRSTUV"
+ "value": "ghp_1234567890abcdefghijklmnopqrstuvABCD"
}
],
"returnValue": [
@@ -30,19 +30,19 @@
]
}
{
- "id": "36886813-56aa-4085-b677-42da89a30df5",
+ "id": "0c314619-4159-4e05-88d1-5bae3a0f9c6f",
"category": "STORAGE",
- "time": "2025-09-01T06:36:43.567Z",
+ "time": "2025-09-13T10:41:09.893Z",
"class": "javax.crypto.Cipher",
"method": "getInstance",
"stackTrace": [
"javax.crypto.Cipher.getInstance(Native Method)",
- "org.owasp.mastestapp.MastgTest.encrypt(MastgTest.kt:44)",
- "org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:63)",
- "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$10$lambda$9(MainActivity.kt:88)",
- "org.owasp.mastestapp.MainActivityKt.$r8$lambda$q7zJ11jwoN73NSP2ckY8XHAEb68(Unknown Source:0)",
- "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda2.run(D8$$SyntheticClass:0)",
- "java.lang.Thread.run(Thread.java:920)"
+ "org.owasp.mastestapp.MastgTest.encrypt(MastgTest.kt:45)",
+ "org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:64)",
+ "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$6$lambda$5(MainActivity.kt:55)",
+ "org.owasp.mastestapp.MainActivityKt.$r8$lambda$PtKdgqcXvbS9cMNZVWq3K3GGQKQ(Unknown Source:0)",
+ "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda3.run(D8$$SyntheticClass:0)",
+ "java.lang.Thread.run(Thread.java:1012)"
],
"inputParameters": [
{
@@ -58,77 +58,53 @@
]
}
{
- "id": "8afa596d-e749-4184-8c84-aea3c00244f9",
+ "id": "530769c9-f6bb-4a20-a4d1-05650f039913",
"category": "STORAGE",
- "time": "2025-09-01T06:36:43.572Z",
- "class": "javax.crypto.KeyGenerator",
- "method": "getInstance",
+ "time": "2025-09-13T10:41:09.907Z",
+ "class": "java.security.KeyStore",
+ "method": "getEntry",
"stackTrace": [
- "javax.crypto.KeyGenerator.getInstance(Native Method)",
- "org.owasp.mastestapp.MastgTest.getOrCreateSecretKey(MastgTest.kt:26)",
- "org.owasp.mastestapp.MastgTest.encrypt(MastgTest.kt:45)",
- "org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:63)",
- "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$10$lambda$9(MainActivity.kt:88)",
- "org.owasp.mastestapp.MainActivityKt.$r8$lambda$q7zJ11jwoN73NSP2ckY8XHAEb68(Unknown Source:0)",
- "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda2.run(D8$$SyntheticClass:0)",
- "java.lang.Thread.run(Thread.java:920)"
+ "java.security.KeyStore.getEntry(Native Method)",
+ "org.owasp.mastestapp.MastgTest.getOrCreateSecretKey(MastgTest.kt:25)",
+ "org.owasp.mastestapp.MastgTest.encrypt(MastgTest.kt:46)",
+ "org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:64)",
+ "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$6$lambda$5(MainActivity.kt:55)",
+ "org.owasp.mastestapp.MainActivityKt.$r8$lambda$PtKdgqcXvbS9cMNZVWq3K3GGQKQ(Unknown Source:0)",
+ "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda3.run(D8$$SyntheticClass:0)",
+ "java.lang.Thread.run(Thread.java:1012)"
],
"inputParameters": [
{
"type": "java.lang.String",
- "value": "AES"
+ "value": "mastgKey"
},
{
- "type": "java.lang.String",
- "value": "AndroidKeyStore"
+ "type": "java.security.KeyStore$ProtectionParameter",
+ "value": "void"
}
],
"returnValue": [
{
- "type": "javax.crypto.KeyGenerator",
- "value": ""
+ "type": "java.security.KeyStore$Entry",
+ "value": ""
}
]
}
{
- "id": "3e97f8ba-1d93-4321-bfe8-394ccd6829c8",
+ "id": "afd5682f-6521-4406-b60e-0ee67ff409db",
"category": "STORAGE",
- "time": "2025-09-01T06:36:43.575Z",
- "class": "javax.crypto.KeyGenerator",
- "method": "generateKey",
- "stackTrace": [
- "javax.crypto.KeyGenerator.generateKey(Native Method)",
- "org.owasp.mastestapp.MastgTest.getOrCreateSecretKey(MastgTest.kt:39)",
- "org.owasp.mastestapp.MastgTest.encrypt(MastgTest.kt:45)",
- "org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:63)",
- "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$10$lambda$9(MainActivity.kt:88)",
- "org.owasp.mastestapp.MainActivityKt.$r8$lambda$q7zJ11jwoN73NSP2ckY8XHAEb68(Unknown Source:0)",
- "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda2.run(D8$$SyntheticClass:0)",
- "java.lang.Thread.run(Thread.java:920)"
- ],
- "inputParameters": [],
- "returnValue": [
- {
- "type": "javax.crypto.SecretKey",
- "value": ""
- }
- ]
-}
-{
- "id": "865e4b9f-1f64-47ff-bd7b-b8f0dd769120",
- "category": "STORAGE",
- "time": "2025-09-01T06:36:43.586Z",
+ "time": "2025-09-13T10:41:09.922Z",
"class": "javax.crypto.Cipher",
"method": "init",
"stackTrace": [
"javax.crypto.Cipher.init(Native Method)",
- "javax.crypto.Cipher.init(Cipher.java:1084)",
+ "javax.crypto.Cipher.init(Cipher.java:1085)",
"javax.crypto.Cipher.init(Native Method)",
- "org.owasp.mastestapp.MastgTest.encrypt(MastgTest.kt:45)",
- "org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:63)",
- "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$10$lambda$9(MainActivity.kt:88)",
- "org.owasp.mastestapp.MainActivityKt.$r8$lambda$q7zJ11jwoN73NSP2ckY8XHAEb68(Unknown Source:0)",
- "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda2.run(D8$$SyntheticClass:0)"
+ "org.owasp.mastestapp.MastgTest.encrypt(MastgTest.kt:46)",
+ "org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:64)",
+ "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$6$lambda$5(MainActivity.kt:55)",
+ "org.owasp.mastestapp.MainActivityKt.$r8$lambda$PtKdgqcXvbS9cMNZVWq3K3GGQKQ(Unknown Source:0)",
+ "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda3.run(D8$$SyntheticClass:0)"
],
"inputParameters": [
{
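Review bot: no key-generation call is left in this part of the regenerated trace. The `KeyGenerator.getInstance` event (inputs `AES`, `AndroidKeyStore`) and the `KeyGenerator.generateKey` event are removed, and the only keystore call before `Cipher.init` is `KeyStore.getEntry` for the alias `mastgKey`, reached from `getOrCreateSecretKey(MastgTest.kt:25)`. A run against a keystore that already holds the key would produce exactly this, so please confirm the output was captured from a clean install, or that the create path is recorded elsewhere in the file, and check that the demo text no longer refers to the removed events.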
@@ -152,19 +128,19 @@
]
}
{
- "id": "cc62db52-46aa-4e94-a0be-7a812bb3043a",
+ "id": "3cc2ea7d-f67e-4576-99b9-0d6908b8ce24",
"category": "STORAGE",
- "time": "2025-09-01T06:36:43.585Z",
+ "time": "2025-09-13T10:41:09.919Z",
"class": "javax.crypto.Cipher",
"method": "init",
"stackTrace": [
"javax.crypto.Cipher.init(Native Method)",
- "org.owasp.mastestapp.MastgTest.encrypt(MastgTest.kt:45)",
- "org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:63)",
- "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$10$lambda$9(MainActivity.kt:88)",
- "org.owasp.mastestapp.MainActivityKt.$r8$lambda$q7zJ11jwoN73NSP2ckY8XHAEb68(Unknown Source:0)",
- "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda2.run(D8$$SyntheticClass:0)",
- "java.lang.Thread.run(Thread.java:920)"
+ "org.owasp.mastestapp.MastgTest.encrypt(MastgTest.kt:46)",
+ "org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:64)",
+ "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$6$lambda$5(MainActivity.kt:55)",
+ "org.owasp.mastestapp.MainActivityKt.$r8$lambda$PtKdgqcXvbS9cMNZVWq3K3GGQKQ(Unknown Source:0)",
+ "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda3.run(D8$$SyntheticClass:0)",
+ "java.lang.Thread.run(Thread.java:1012)"
],
"inputParameters": [
{
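Review bot: the framework frames in these stack traces moved (`Thread.java:920` to `Thread.java:1012` here, `Cipher.java:1084` to `Cipher.java:1085` in the previous event), which points to the trace having been recaptured on a different Android build. Please state the device image or API level used for the capture in the demo so the output can be reproduced. Separately, this `Cipher.init` event is stamped `10:41:09.919` but follows the one stamped `10:41:09.922`, so the file is not in chronological order; sorting events by `time` before committing would make regenerated outputs easier to compare.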
@@ -184,52 +160,52 @@
]
}
{
- "id": "6294b01b-661c-4652-8db5-ddd797a5b722",
+ "id": "6200a4e6-607f-46b3-9b70-f57ea8ba80af",
"category": "STORAGE",
- "time": "2025-09-01T06:36:43.592Z",
+ "time": "2025-09-13T10:41:09.936Z",
"class": "javax.crypto.Cipher",
"method": "doFinal",
"stackTrace": [
"javax.crypto.Cipher.doFinal(Native Method)",
- "org.owasp.mastestapp.MastgTest.encrypt(MastgTest.kt:47)",
- "org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:63)",
- "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$10$lambda$9(MainActivity.kt:88)",
- "org.owasp.mastestapp.MainActivityKt.$r8$lambda$q7zJ11jwoN73NSP2ckY8XHAEb68(Unknown Source:0)",
- "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda2.run(D8$$SyntheticClass:0)",
- "java.lang.Thread.run(Thread.java:920)"
+ "org.owasp.mastestapp.MastgTest.encrypt(MastgTest.kt:48)",
+ "org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:64)",
+ "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$6$lambda$5(MainActivity.kt:55)",
+ "org.owasp.mastestapp.MainActivityKt.$r8$lambda$PtKdgqcXvbS9cMNZVWq3K3GGQKQ(Unknown Source:0)",
+ "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda3.run(D8$$SyntheticClass:0)",
+ "java.lang.Thread.run(Thread.java:1012)"
],
"inputParameters": [
{
"type": "[B",
- "value": "AKIAIOSFODNN7EXAMPLE"
+ "value": "AKIAABCDEFGHIJKLMNOP"
}
],
"returnValue": [
{
"type": "[B",
- "value": "0xa132cb95022985be9229fe0206ac7e3ea847fd34cf16d0a1f513d30187b3596e513e13cf..."
+ "value": "0xf752de9dab78e423147bbf8274f34f81c28e6474b3725fe8457be0cddc5b4330fc75ed6b..."
}
]
}
{
- "id": "e5172a5f-e38e-4506-b42b-e8ab634b299b",
+ "id": "9a519c23-77fd-4f5a-9b2b-ea80d5cd5be8",
"category": "STORAGE",
- "time": "2025-09-01T06:36:43.595Z",
+ "time": "2025-09-13T10:41:09.941Z",
"class": "android.util.Base64",
"method": "encodeToString",
"stackTrace": [
"android.util.Base64.encodeToString(Native Method)",
- "org.owasp.mastestapp.MastgTest.encrypt(MastgTest.kt:49)",
- "org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:63)",
- "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$10$lambda$9(MainActivity.kt:88)",
- "org.owasp.mastestapp.MainActivityKt.$r8$lambda$q7zJ11jwoN73NSP2ckY8XHAEb68(Unknown Source:0)",
- "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda2.run(D8$$SyntheticClass:0)",
- "java.lang.Thread.run(Thread.java:920)"
+ "org.owasp.mastestapp.MastgTest.encrypt(MastgTest.kt:50)",
+ "org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:64)",
+ "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$6$lambda$5(MainActivity.kt:55)",
+ "org.owasp.mastestapp.MainActivityKt.$r8$lambda$PtKdgqcXvbS9cMNZVWq3K3GGQKQ(Unknown Source:0)",
+ "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda3.run(D8$$SyntheticClass:0)",
+ "java.lang.Thread.run(Thread.java:1012)"
],
"inputParameters": [
{
"type": "[B",
- "value": "0x5754325e1195f3c4502e6323a132cb95022985be9229fe0206ac7e3ea847fd34cf16d0a1f513d30187b3596e513e13cf..."
+ "value": "0x53e09f5c462870a214466544f752de9dab78e423147bbf8274f34f81c28e6474b3725fe8457be0cddc5b4330fc75ed6b..."
},
{
"type": "int",
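Review bot: the new `Cipher.doFinal` input `AKIAABCDEFGHIJKLMNOP` is still shaped like an AWS access key ID but is no longer the value AWS uses in its own documentation (`AKIAIOSFODNN7EXAMPLE`), which some secret scanners deliberately ignore. The replacement can therefore be flagged by secret scanning on this repository. If the change is intentional, for example so that the demo's own detection matches it, say so in the demo text and add an allowlist entry for this path; otherwise keep the documented example value.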
@@ -239,23 +215,23 @@
"returnValue": [
{
"type": "java.lang.String",
- "value": "V1QyXhGV88RQLmMjoTLLlQIphb6SKf4CBqx+PqhH/TTPFtCh9RPTAYezWW5RPhPP\n"
+ "value": "U+CfXEYocKIURmVE91Lenat45CMUe7+CdPNPgcKOZHSzcl/oRXvgzdxbQzD8de1r\n"
}
]
}
{
- "id": "eb1fc822-6245-45dd-b245-e01bd93b536b",
+ "id": "926d8968-dc8b-4d23-b1f1-657b6410957a",
"category": "STORAGE",
- "time": "2025-09-01T06:36:43.597Z",
+ "time": "2025-09-13T10:41:09.945Z",
"class": "android.app.SharedPreferencesImpl$EditorImpl",
"method": "putString",
"stackTrace": [
"android.app.SharedPreferencesImpl$EditorImpl.putString(Native Method)",
- "org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:63)",
- "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$10$lambda$9(MainActivity.kt:88)",
- "org.owasp.mastestapp.MainActivityKt.$r8$lambda$q7zJ11jwoN73NSP2ckY8XHAEb68(Unknown Source:0)",
- "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda2.run(D8$$SyntheticClass:0)",
- "java.lang.Thread.run(Thread.java:920)"
+ "org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:64)",
+ "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$6$lambda$5(MainActivity.kt:55)",
+ "org.owasp.mastestapp.MainActivityKt.$r8$lambda$PtKdgqcXvbS9cMNZVWq3K3GGQKQ(Unknown Source:0)",
+ "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda3.run(D8$$SyntheticClass:0)",
+ "java.lang.Thread.run(Thread.java:1012)"
],
"inputParameters": [
{
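Review bot: the `Base64.encodeToString` return value still ends in `\n`, and the same newline-terminated string is what `putString` stores afterwards. If the sample does not need line-wrapped output, encoding with `Base64.NO_WRAP` would keep the stored value, and anything matched against it in the evaluation, free of the trailing newline.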
@@ -264,7 +240,7 @@
},
{
"type": "java.lang.String",
- "value": "V1QyXhGV88RQLmMjoTLLlQIphb6SKf4CBqx+PqhH/TTPFtCh9RPTAYezWW5RPhPP\n"
+ "value": "U+CfXEYocKIURmVE91Lenat45CMUe7+CdPNPgcKOZHSzcl/oRXvgzdxbQzD8de1r\n"
}
],
"returnValue": [
@@ -275,18 +251,18 @@
]
}
{
- "id": "9995b7ce-7c7a-45d1-a83d-3d4de76b8bbd",
+ "id": "f2b7501a-b08a-4280-86a4-4f9e17a2f4f6",
"category": "STORAGE",
- "time": "2025-09-01T06:36:43.598Z",
+ "time": "2025-09-13T10:41:09.949Z",
"class": "android.app.SharedPreferencesImpl$EditorImpl",
"method": "putStringSet",
"stackTrace": [
"android.app.SharedPreferencesImpl$EditorImpl.putStringSet(Native Method)",
- "org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:66)",
- "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$10$lambda$9(MainActivity.kt:88)",
- "org.owasp.mastestapp.MainActivityKt.$r8$lambda$q7zJ11jwoN73NSP2ckY8XHAEb68(Unknown Source:0)",
- "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda2.run(D8$$SyntheticClass:0)",
- "java.lang.Thread.run(Thread.java:920)"
+ "org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:67)",
+ "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$6$lambda$5(MainActivity.kt:55)",
+ "org.owasp.mastestapp.MainActivityKt.$r8$lambda$PtKdgqcXvbS9cMNZVWq3K3GGQKQ(Unknown Source:0)",
+ "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda3.run(D8$$SyntheticClass:0)",
+ "java.lang.Thread.run(Thread.java:1012)"
],
"inputParameters": [
{
@@ -295,7 +271,7 @@
},
{
"type": "java.util.Set",
- "value": "MIIEvAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALfX7kbfFv3pc3JjOHQ=,gJXS9EwpuzK8U1TOgfplwfKEVngCE2D5FNBQWvNmuHHbigmTCabsA="
+ "value": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALfX7kbfFv3pc3JjOHQ=\n-----END PRIVATE KEY-----,-----BEGIN PRIVATE KEY-----\ngJXS9EwpuzK8U1TOgfplwfKEVngCE2D5FNBQWvNmuHHbigmTCabsA=\n-----END PRIVATE KEY-----"
}
],
"returnValue": [
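Review bot: the two `putStringSet` entries now carry `-----BEGIN PRIVATE KEY-----` armor, but their bodies are the same short fragments as before and do not parse as keys. The first body begins with a DER header announcing a 1212-byte structure (`MIIEvA` decodes to `30 82 04 bc`) while holding only about 50 bytes, and the second does not begin with a SEQUENCE tag at all. A check keyed on the PEM marker will fire on these values, one that validates the key structure will not, so the demo text should state that they are dummy values and which kind of match is expected. The armor also makes the file a likely hit for repository secret scanning, so an allowlist entry for this path may be needed.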