From 293f6b40439cf85e018847d85cdd75ca8a7d90df Mon Sep 17 00:00:00 2001 
From: ErebusZ Date: Wed, 24 Jan 2024 17:45:20 +0100 Subject: [PATCH 1/7] Add taint parameter and change rules --- .../java/co/ostorlab/insecure_app/BugRule.java | 2 +- .../co/ostorlab/insecure_app/BugRuleCaller.java | 8 ++++---- .../co/ostorlab/insecure_app/MainActivity.java | 14 ++++++++++---- .../insecure_app/bugs/calls/AESCipher.java | 5 ++++- .../insecure_app/bugs/calls/ArrayCall.java | 2 +- .../BiometricFingerprintManagerVulnerability.java | 2 +- .../BiometricFingerprintPromptVulnerability.java | 2 +- .../insecure_app/bugs/calls/ClearTextTraffic.java | 2 +- .../insecure_app/bugs/calls/CommandExec.java | 7 ++++++- .../bugs/calls/DexClassLoaderCall.java | 15 ++++++++++++++- .../insecure_app/bugs/calls/ECBModeCipher.java | 5 ++++- .../bugs/calls/HardcodedUrlInUrl.java | 10 +++++++++- .../insecure_app/bugs/calls/HashCall.java | 2 +- .../calls/ImplicitPendingIntentVulnerability.java | 2 +- .../insecure_app/bugs/calls/InsecureCommands.java | 5 ++++- .../bugs/calls/InsecureFilePermissions.java | 8 +++++++- .../insecure_app/bugs/calls/InsecureRandom.java | 2 +- .../bugs/calls/InsecureSharedPreferences.java | 2 +- .../insecure_app/bugs/calls/IntentCall.java | 2 +- .../insecure_app/bugs/calls/MemoryCorruption.java | 2 +- .../bugs/calls/MobileOnlyDownloadManager.java | 2 +- .../bugs/calls/PackageContextCall.java | 2 +- .../bugs/calls/ParcelableMemoryCorruption.java | 2 +- .../bugs/calls/PathClassLoaderCall.java | 10 +++++++++- .../bugs/calls/PathTraversalVulnerability.java | 11 ++++++++++- .../bugs/calls/RegisterReceiverExported.java | 2 +- .../bugs/calls/SQLiteDatabaseCall.java | 5 ++++- .../bugs/calls/SerializableMemoryCorruption.java | 9 ++++++++- .../insecure_app/bugs/calls/StaticIV.java | 2 +- .../insecure_app/bugs/calls/TLSTraffic.java | 2 +- .../bugs/calls/WebviewInsecureSettings.java | 12 +++++++++--- app/src/main/res/layout/activity_main.xml | 5 +++++ .../MyApplication/.gitignore | 15 +++++++++++++++ .../MyApplication/app/.gitignore | 1 + 34 files changed, 140 
insertions(+), 39 deletions(-) create mode 100644 ostorlab_insecure_flutter_app/MyApplication/.gitignore create mode 100644 ostorlab_insecure_flutter_app/MyApplication/app/.gitignore diff --git a/app/src/main/java/co/ostorlab/insecure_app/BugRule.java b/app/src/main/java/co/ostorlab/insecure_app/BugRule.java index 1e92d10..bd99172 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/BugRule.java +++ b/app/src/main/java/co/ostorlab/insecure_app/BugRule.java @@ -8,7 +8,7 @@ abstract public class BugRule { public void setContext(Context context){ this.context = context;} public Context getContext(){ return context;} - abstract public void run() throws Exception; + abstract public void run(String input) throws Exception; abstract public String getDescription(); public String toString() { diff --git a/app/src/main/java/co/ostorlab/insecure_app/BugRuleCaller.java b/app/src/main/java/co/ostorlab/insecure_app/BugRuleCaller.java index 04415e9..eeba6d8 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/BugRuleCaller.java +++ b/app/src/main/java/co/ostorlab/insecure_app/BugRuleCaller.java @@ -35,9 +35,9 @@ void addRule(T rule){ rules.add(rule); } - void callRules() throws Exception{ + void callRules(String user_input) throws Exception{ for(final BugRule rule: rules){ - runInThread(rule); + runInThread(rule, user_input); } } @@ -50,11 +50,11 @@ String listBugRules() throws Exception{ return buffer.toString(); } - private void runInThread(final BugRule rule) throws Exception { + private void runInThread(final BugRule rule, String user_input) throws Exception { new Thread(new Runnable() { public void run() { try { - rule.run(); + rule.run(user_input); } catch (Exception e) { e.printStackTrace(); diff --git a/app/src/main/java/co/ostorlab/insecure_app/MainActivity.java b/app/src/main/java/co/ostorlab/insecure_app/MainActivity.java index 2d628ce..c5e9d51 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/MainActivity.java 
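Review bot: `callRules(String user_input)` in BugRuleCaller forwards the value to every rule without a null check, while the rules changed in this patch (AESCipher, ECBModeCipher, InsecureCommands and others) start with `user_input.length()`. A null argument would therefore throw NullPointerException inside each worker thread, where it is only printed by `e.printStackTrace()`. Normalising once at the entry point keeps the per-rule checks safe: `final String input = user_input == null ? "" : user_input;`. The abstract `run(String input)` in BugRule also has no comment on the new parameter; I would add `/** @param input untrusted text from the UI; an empty string means no input was supplied. */` and use one lowerCamelCase name (`userInput`) rather than `input` in the base class and `user_input` in the overrides.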
+++ b/app/src/main/java/co/ostorlab/insecure_app/MainActivity.java @@ -4,6 +4,7 @@ import android.view.View; import android.widget.Button; import android.widget.TextView; +import android.widget.EditText; import androidx.appcompat.app.AppCompatActivity; @@ -39,7 +40,8 @@ public class MainActivity extends AppCompatActivity { private TextView outputView; - private Button runAllButton ; + private Button runAllButton; + private EditText inputField; @Override protected void onCreate(Bundle savedInstanceState) { @@ -50,8 +52,10 @@ protected void onCreate(Bundle savedInstanceState) { // Trigger flutter directly when the app starts. triggerFlutter(); + final Button runAllButton = findViewById(R.id.runAllId); final Button runAllFlutterButton = findViewById(R.id.runAllFlutterId); + final EditText inputField = findViewById(R.id.editText); runAllFlutterButton.setOnClickListener(new View.OnClickListener() { @Override public void onClick(View view) { @@ -62,8 +66,10 @@ public void onClick(View view) { runAllButton.setOnClickListener(new View.OnClickListener() { @Override public void onClick(View view) { + String user_input = inputField.getText().toString(); outputView.setText("Running \n"); - executeAllRules(); + + executeAllRules(user_input); } }); @@ -73,7 +79,7 @@ private void triggerFlutter(){ FlutterActivity.createDefaultIntent(MainActivity.this) ); } - private void executeAllRules() { + private void executeAllRules(String user_input) { BugRuleCaller caller = new BugRuleCaller(getApplicationContext()); outputView.append("Adding rules ...\n"); caller.addRule(new ECBModeCipher()); @@ -106,7 +112,7 @@ private void executeAllRules() { caller.addRule(new RegisterReceiverExported(this)); try { - caller.callRules(); + caller.callRules(user_input); outputView.append(caller.listBugRules()); } catch (Exception e){ 
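Review bot: In `onCreate` of MainActivity the added `final EditText inputField = findViewById(R.id.editText);` declares a local that shadows the new field `private EditText inputField;`, so the field is never assigned by the visible code; the same appears to hold for `runAllButton`. The click listener works because it captures the local, but any other method that later reads the field would see null. Either drop the two fields or assign them instead of redeclaring: `inputField = findViewById(R.id.editText);`. `onCreate` begins above these hunks, so an assignment elsewhere cannot be ruled out from here.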
diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/AESCipher.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/AESCipher.java index 020c9c8..5e357ae 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/AESCipher.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/AESCipher.java @@ -19,8 +19,11 @@ public String getDescription() { } @Override - public void run() throws Exception{ + public void run(String user_input) throws Exception{ String clearText = "Jan van Eyck was here 1434"; + if (user_input.length() != 0){ + clearText = user_input; + } String key = "ThisIs128bitSize"; SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES"); diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ArrayCall.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ArrayCall.java index 6cc7938..6a3126c 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ArrayCall.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ArrayCall.java @@ -13,7 +13,7 @@ public class ArrayCall extends BugRule { private static final String TAG = ArrayCall.class.toString(); @Override - public void run() throws Exception { + public void run(String user_input) throws Exception { int[] ages = new int[5]; handle_array(ages, 5, 0); diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/BiometricFingerprintManagerVulnerability.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/BiometricFingerprintManagerVulnerability.java index fd9e13c..8fd9a84 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/BiometricFingerprintManagerVulnerability.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/BiometricFingerprintManagerVulnerability.java 
@@ -12,7 +12,7 @@ public final class BiometricFingerprintManagerVulnerability extends BugRule { @Override - public void run() throws Exception { + public void run(String user_input) throws Exception { Context context = getContext(); // The class FingerprintManager FingerprintManager fingerprintManager = (FingerprintManager) context.getSystemService(Context.FINGERPRINT_SERVICE); diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/BiometricFingerprintPromptVulnerability.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/BiometricFingerprintPromptVulnerability.java index 6285e60..ce16860 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/BiometricFingerprintPromptVulnerability.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/BiometricFingerprintPromptVulnerability.java @@ -17,7 +17,7 @@ public BiometricFingerprintPromptVulnerability(FragmentActivity activity) { } @Override - public void run() throws Exception { + public void run(String user_input) throws Exception { Context context = getContext(); BiometricPrompt.AuthenticationCallback authenticationCallback = new BiometricPrompt.AuthenticationCallback() { diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ClearTextTraffic.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ClearTextTraffic.java index d074acd..d86de2f 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ClearTextTraffic.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ClearTextTraffic.java @@ -13,7 +13,7 @@ public class ClearTextTraffic extends BugRule { private static final String TAG = ClearTextTraffic.class.toString(); @Override - public void run() throws Exception { + public void run(String user_input) throws Exception { OkHttpClient client = new OkHttpClient.Builder() .build(); Request request = new Request.Builder() 
diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/CommandExec.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/CommandExec.java index 77e7d1c..3a9568f 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/CommandExec.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/CommandExec.java @@ -8,11 +8,16 @@ public class CommandExec extends BugRule { private static final String TAG = CommandExec.class.toString(); @Override - public void run() throws Exception { + public void run(String user_input) throws Exception { String domainName = "google.com"; String command = ""; + // Tainted command. + if (user_input.length() != 0){ + executeCommand(command, null); + } + // command contains chmod command = "chmod 777" + domainName; executeCommand(command, null); diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/DexClassLoaderCall.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/DexClassLoaderCall.java index d995c94..b3475ae 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/DexClassLoaderCall.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/DexClassLoaderCall.java @@ -21,7 +21,20 @@ public String getDescription() { } @Override - public void run() throws Exception { + public void run(String user_input) throws Exception { + /* + Dex class loading from user input + */ + if (user_input.length() != 0){ + String apkFile = Environment.getExternalStorageDirectory().getAbsolutePath() + "/" + "user_input"; + DexClassLoader classLoader1 = new DexClassLoader( + apkFile, + apkFile, + apkFile, + ClassLoader.getSystemClassLoader()); + classLoader1.loadClass("a.b.c"); + } + /* Dex class loading from external storage */ diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ECBModeCipher.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ECBModeCipher.java index e81f051..178b0dc 100644 
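Review bot: The block commented `// Tainted command.` in `CommandExec.run` calls `executeCommand(command, null)` while `command` is still the empty string assigned two lines above, and `user_input` is read only in the length check. As written there is no data flow from the parameter to the call, so a taint-tracking analyzer run against this fixture has nothing to report for the case the comment names. InsecureCommands in this same patch passes the parameter itself; this block should either match that or be removed so the comment and the code agree. What `executeCommand` does with an empty string is not visible here, and the rest of `run` lies outside the hunk.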
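Review bot: In `DexClassLoaderCall.run` the path is built with `"/" + "user_input"`, a string literal, so the loader always receives the fixed file name `user_input` and the parameter never reaches it; PathClassLoaderCall in this patch concatenates the variable (`"/" + user_input`). If the literal is a typo, the case does not model the flow its comment describes ("Dex class loading from user input"). The same `apkFile` string is also passed as the second and third constructor arguments, which are the optimized directory and the native library search path; if that is intentional it deserves a one-line comment.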
--- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ECBModeCipher.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ECBModeCipher.java @@ -19,8 +19,11 @@ public String getDescription() { } @Override - public void run() throws Exception{ + public void run(String user_input) throws Exception{ String clearText = "Jan van Eyck was here 1434"; + if (user_input.length() != 0){ + clearText = user_input; + } String key = "ThisIs128bitSize"; SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5PADDING"); diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/HardcodedUrlInUrl.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/HardcodedUrlInUrl.java index e8bb56b..1de6c4f 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/HardcodedUrlInUrl.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/HardcodedUrlInUrl.java @@ -19,7 +19,15 @@ public String get_url() { } @Override - public void run() throws Exception { + public void run(String user_input) throws Exception { + if (user_input.length() != 0){ + ContextCompat.getMainExecutor(getContext()).execute(() -> { + Log.i(TAG, String.format("Message: %s", user_input)); + WebView webView = new WebView(getContext()); + webView.loadUrl(user_input); + }); + } + ContextCompat.getMainExecutor(getContext()).execute(() -> { Log.i(TAG, String.format("Message: %s", get_url())); WebView webView = new WebView(getContext()); diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/HashCall.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/HashCall.java index b31dc9d..c6296f3 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/HashCall.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/HashCall.java 
@@ -9,7 +9,7 @@ public class HashCall extends BugRule { private static final String TAG = HashCall.class.toString(); @Override - public void run() throws Exception { + public void run(String user_input) throws Exception { String monMessage = "Ostorlab hidden message"; diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ImplicitPendingIntentVulnerability.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ImplicitPendingIntentVulnerability.java index 102f4b1..21767e7 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ImplicitPendingIntentVulnerability.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ImplicitPendingIntentVulnerability.java @@ -7,7 +7,7 @@ public class ImplicitPendingIntentVulnerability extends BugRule { @Override - public void run() throws Exception { + public void run(String user_input) throws Exception { // Create an implicit base Intent and wrap it in a PendingIntent Intent base = new Intent("ACTION_FOO"); diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureCommands.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureCommands.java index 2ac1091..222bd82 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureCommands.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureCommands.java @@ -8,7 +8,10 @@ public class InsecureCommands extends BugRule { private static final String TAG = InsecureCommands.class.toString(); @Override - public void run() throws Exception { + public void run(String user_input) throws Exception { + if (user_input.length() != 0){ + executeCommand(user_input, null); + } executeCommand("chmod 755 test_file", "/data/data/"); executeCommand("ping -c 3 www.ostorlab.co", "/sdcard/ostorlab"); } diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureFilePermissions.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureFilePermissions.java index adb7c2f..e6e55b6 100644 
--- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureFilePermissions.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureFilePermissions.java @@ -15,12 +15,18 @@ public String getDescription() { } @Override - public void run() throws Exception { + public void run(String user_input) throws Exception { String filename = "test_filename"; openFileOutputWorldReadable(filename); openFileOutputWorldWritable(filename); setReadableAll(filename); setWritableAll(filename); + if (user_input.length() != 0){ + openFileOutputWorldReadable(user_input); + openFileOutputWorldWritable(user_input); + setReadableAll(user_input); + setWritableAll(user_input); + } } private void openFileOutputWorldReadable(String filename) throws Exception { diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureRandom.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureRandom.java index 95b6d0d..d2454dd 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureRandom.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureRandom.java @@ -8,7 +8,7 @@ public final class InsecureRandom extends BugRule { @Override - public void run() throws Exception { + public void run(String user_input) throws Exception { SecureRandom secureRandom = new SecureRandom(); Random random = new Random(); random = new Random(12345); diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureSharedPreferences.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureSharedPreferences.java index 21e2181..3111db2 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureSharedPreferences.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureSharedPreferences.java 
@@ -15,7 +15,7 @@ public String getDescription() { } @Override - public void run() throws Exception{ + public void run(String user_input) throws Exception{ String myPreference = "myPreference"; getContext().getSharedPreferences("PrivateOnly", Context.MODE_PRIVATE); getContext().getSharedPreferences("WorldReadableOnly", Context.MODE_WORLD_READABLE); diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/IntentCall.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/IntentCall.java index cbd8aec..56428e6 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/IntentCall.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/IntentCall.java @@ -8,7 +8,7 @@ public class IntentCall extends BugRule { private static final String TAG = IntentCall.class.toString(); @Override - public void run() throws Exception { + public void run(String user_input) throws Exception { Intent intent = new Intent("co.ostorlab"); intent.putExtra("token", "SuperSecretToken"); getContext().sendBroadcast(intent); diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/MemoryCorruption.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/MemoryCorruption.java index 394f7fb..314112f 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/MemoryCorruption.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/MemoryCorruption.java @@ -22,7 +22,7 @@ public String getDescription() { } @Override - public void run() throws Exception{ + public void run(String user_input) throws Exception{ String input = String.join("", Collections.nCopies(200, "()")); triggerStackOverflow(input); } diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/MobileOnlyDownloadManager.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/MobileOnlyDownloadManager.java index f8865c9..ac0d7ae 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/MobileOnlyDownloadManager.java 
+++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/MobileOnlyDownloadManager.java @@ -18,7 +18,7 @@ public final class MobileOnlyDownloadManager extends BugRule { private static final String TAG = co.ostorlab.insecure_app.bugs.calls.MobileOnlyDownloadManager.class.toString(); @Override - public void run() throws Exception { + public void run(String user_input) throws Exception { // True Positive startDownloadManager(DownloadManager.Request.NETWORK_MOBILE); // False Positive diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/PackageContextCall.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/PackageContextCall.java index 13c40bb..37bbb4a 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/PackageContextCall.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/PackageContextCall.java @@ -25,7 +25,7 @@ public String getDescription() { } @Override - public void run() { + public void run(String user_input) { Context context = getContext(); PackageManager packageManager = context.getPackageManager(); diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ParcelableMemoryCorruption.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ParcelableMemoryCorruption.java index 59567f4..e20023f 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ParcelableMemoryCorruption.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ParcelableMemoryCorruption.java @@ -52,7 +52,7 @@ public void writeToParcel(android.os.Parcel parcel, int i) { } @Override - public void run() throws Exception { + public void run(String user_input) throws Exception { Parcel tmp = Parcel.obtain(); MemoryObjectParcelable var = new MemoryObjectParcelable(tmp); } diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/PathClassLoaderCall.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/PathClassLoaderCall.java index c1d9c84..3befab7 100644 
--- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/PathClassLoaderCall.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/PathClassLoaderCall.java @@ -18,7 +18,15 @@ public String getDescription() { } @Override - public void run() throws Exception{ + public void run(String user_input) throws Exception{ + /* + Path class loading from external storage + */ + if (user_input.length() != 0){ + String apkFile = Environment.getExternalStorageDirectory().getAbsolutePath() + "/" + user_input; + PathClassLoader classLoader1 = new PathClassLoader(apkFile, ClassLoader.getSystemClassLoader()); + classLoader1.loadClass("a.b.c"); + } /* Path class loading from external storage */ diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/PathTraversalVulnerability.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/PathTraversalVulnerability.java index 3e1c1cd..6346407 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/PathTraversalVulnerability.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/PathTraversalVulnerability.java @@ -62,7 +62,16 @@ public ParcelFileDescriptor openFile(Uri uri, @NonNull String mode) throws FileN } @Override - public void run() throws Exception { + public void run(String user_input) throws Exception { + if (user_input.length() != 0){ + Provider taint_provider = new Provider(); + Uri.Builder taint_builder = new Uri.Builder(); + taint_builder.scheme("https"); + taint_builder.authority(user_input); + Uri uri = taint_builder.build(); + taint_provider.openFile(uri, "not used parameter"); + } + Provider provider = new Provider(); Uri.Builder builder = new Uri.Builder(); builder.scheme("https"); diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/RegisterReceiverExported.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/RegisterReceiverExported.java index f65f549..9dfde3c 100644 
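Review bot: The comment on the new block in `PathClassLoaderCall.run` is a copy of the one on the block below it ("Path class loading from external storage"), so the two cases cannot be told apart when reading the file. I would reword the first to `/* Path class loading from a user-supplied file name under external storage */`. The check `user_input.length() != 0` here and in the other rules also reads more directly as `!user_input.isEmpty()`.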
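Review bot: The new block in `PathTraversalVulnerability.run` puts `user_input` into the URI authority (`taint_builder.authority(user_input)`) and sets no path. If `Provider.openFile` resolves the file from the URI path or last path segment, which is not visible in this hunk, the supplied value never reaches the file-open call and the case tests nothing. The existing block below continues past the hunk, so how it fills its builder cannot be compared from here. Please confirm which URI component `openFile` reads and add a comment on the new block naming the component that carries the input.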
--- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/RegisterReceiverExported.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/RegisterReceiverExported.java @@ -34,7 +34,7 @@ public RegisterReceiverExported(FragmentActivity mActivity) { } @Override - public void run() throws Exception { + public void run(String user_input) throws Exception { IntentFilter intentFilter = new IntentFilter(WifiManager.WIFI_STATE_CHANGED_ACTION); mActivity.registerReceiver(new WifiStateReceiver(), intentFilter, Context.RECEIVER_EXPORTED); } diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/SQLiteDatabaseCall.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/SQLiteDatabaseCall.java index 2ce960d..f6cf5cb 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/SQLiteDatabaseCall.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/SQLiteDatabaseCall.java @@ -9,13 +9,16 @@ public class SQLiteDatabaseCall extends BugRule { @Override - public void run() throws Exception { + public void run(String user_input) throws Exception { MySQLiteOpenHelper mySQLiteOpenHelper = new MySQLiteOpenHelper(this.getContext()); SQLiteDatabase db = mySQLiteOpenHelper.getWritableDatabase(); mySQLiteOpenHelper.createTable(); String insert_query = "INSERT INTO accounts(name, amount) VALUES(?, ?)"; db.execSQL(insert_query, new Object[]{"Jack", 3000}); + if (user_input.length() != 0){ + db.execSQL(user_input, new Object[]{"Taint", 3001}); + } mySQLiteOpenHelper.dropTable(); db.close(); diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/SerializableMemoryCorruption.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/SerializableMemoryCorruption.java index bc3fb72..9f5b1b1 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/SerializableMemoryCorruption.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/SerializableMemoryCorruption.java 
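Review bot: In `SQLiteDatabaseCall.run` the added `db.execSQL(user_input, new Object[]{"Taint", 3001})` will throw for most inputs, because a statement with fewer than two `?` placeholders is rejected for having too many bind arguments and malformed SQL raises an SQLiteException. When it throws, `mySQLiteOpenHelper.dropTable()` and `db.close()` are skipped, so the table and the open handle are left behind for the next run. Wrapping the body after `getWritableDatabase()` in `try { … } finally { mySQLiteOpenHelper.dropTable(); db.close(); }` keeps the cleanup unconditional. A comment stating that the bind arguments are placeholders and that the statement text itself comes from the UI would also help readers of this fixture.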
@@ -34,7 +34,14 @@ private void writeObject(ObjectOutputStream oos) throws IOException { } @Override - public void run() throws Exception { + public void run(String user_input) throws Exception { + if (user_input.length() != 0){ + FileInputStream fileInputStream = new FileInputStream(user_input); + ObjectInputStream objectInputStream = new ObjectInputStream(fileInputStream); + SerializableObject serializableObject = new SerializableObject(); + serializableObject.readObject(objectInputStream); + } + String fileName = ""; FileInputStream fileInputStream = new FileInputStream(fileName); ObjectInputStream objectInputStream = new ObjectInputStream(fileInputStream); diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/StaticIV.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/StaticIV.java index e2b17a4..5ff1ac4 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/StaticIV.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/StaticIV.java @@ -20,7 +20,7 @@ public String getDescription() { } @Override - public void run() throws Exception{ + public void run(String user_input) throws Exception{ byte[] IV = "0123456789abcdef".getBytes(); String clearText = "Jan van Eyck was here 1434"; String key = "ThisIs128bitSize"; diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/TLSTraffic.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/TLSTraffic.java index 5d1509f..d955531 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/TLSTraffic.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/TLSTraffic.java @@ -15,7 +15,7 @@ public final class TLSTraffic extends BugRule { private static final String TAG = TLSTraffic.class.toString(); @Override - public void run() throws Exception { + public void run(String user_input) throws Exception { OkHttpClient client = new OkHttpClient.Builder() .hostnameVerifier(ALLOW_ALL_HOSTNAME_VERIFIER) .build(); 
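Review bot: The new block in `SerializableMemoryCorruption.run` opens a `FileInputStream` and an `ObjectInputStream` on `user_input` and never closes either, so each run with input leaks a file descriptor, including when `readObject` throws. A try-with-resources closes both: `try (ObjectInputStream in = new ObjectInputStream(new FileInputStream(user_input))) { new SerializableObject().readObject(in); }`. Because this block sits before the original case, a `FileNotFoundException` for an input that is not a readable path also ends the rule before the original case runs; the same ordering applies to the new blocks in DexClassLoaderCall, PathClassLoaderCall and PathTraversalVulnerability. The remainder of `run` is outside the hunk.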
diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/WebviewInsecureSettings.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/WebviewInsecureSettings.java index d687f9d..db6fe8a 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/WebviewInsecureSettings.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/WebviewInsecureSettings.java @@ -16,14 +16,20 @@ public String getDescription() { } @Override - public void run() throws Exception { + public void run(String user_input) throws Exception { ContextCompat.getMainExecutor(getContext()).execute(() -> { WebView webView = new WebView(getContext()); webView.getSettings().setJavaScriptEnabled(true); webView.getSettings().setAllowUniversalAccessFromFileURLs(true); webView.getSettings().setAllowFileAccess(true); webView.setWebContentsDebuggingEnabled(true); - webView.loadUrl("http://www.ostorlab.co"); - }); + if (user_input.length() != 0){ + webView.loadUrl(user_input); + } + else{ + webView.loadUrl("http://www.ostorlab.co"); + } + }); + } } diff --git a/app/src/main/res/layout/activity_main.xml b/app/src/main/res/layout/activity_main.xml index 78d0df3..539c4d7 100644 --- a/app/src/main/res/layout/activity_main.xml +++ b/app/src/main/res/layout/activity_main.xml @@ -32,5 +32,10 @@ android:layout_height="517dp" android:singleLine="false" android:text="@string/output" /> + diff --git a/ostorlab_insecure_flutter_app/MyApplication/.gitignore b/ostorlab_insecure_flutter_app/MyApplication/.gitignore new file mode 100644 index 0000000..aa724b7 --- /dev/null +++ b/ostorlab_insecure_flutter_app/MyApplication/.gitignore @@ -0,0 +1,15 @@ +*.iml +.gradle +/local.properties +/.idea/caches +/.idea/libraries +/.idea/modules.xml +/.idea/workspace.xml +/.idea/navEditor.xml +/.idea/assetWizardSettings.xml +.DS_Store +/build +/captures +.externalNativeBuild +.cxx +local.properties 
diff --git a/ostorlab_insecure_flutter_app/MyApplication/app/.gitignore b/ostorlab_insecure_flutter_app/MyApplication/app/.gitignore new file mode 100644 index 0000000..42afabf --- /dev/null +++ b/ostorlab_insecure_flutter_app/MyApplication/app/.gitignore @@ -0,0 +1 @@ +/build \ No newline at end of file From 2ea3c871bed641eed81e3b2354ed60e1dd670356 Mon Sep 17 00:00:00 2001 From: mouhcine narhmouche Date: Wed, 24 Jan 2024 17:57:48 +0100 Subject: [PATCH 2/7] Remove sudo. --- .github/workflows/connectedAndroidTest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/connectedAndroidTest.yml b/.github/workflows/connectedAndroidTest.yml index 1d697a1..32c9cd6 100644 --- a/.github/workflows/connectedAndroidTest.yml +++ b/.github/workflows/connectedAndroidTest.yml @@ -17,7 +17,7 @@ jobs: - name: Install NDK if: steps.ndk-cache.outputs.cache-hit != 'true' - run: echo "y" | sudo /usr/local/lib/android/sdk/tools/bin/sdkmanager --install "ndk;25.1.8937393" + run: echo "y" | /usr/local/lib/android/sdk/tools/bin/sdkmanager --install "ndk;25.1.8937393" - uses: actions/setup-java@v3 with: From 6c9f66908fbe503a9ec990bce1a9d8b52c3ac7d3 Mon Sep 17 00:00:00 2001 From: Anas <129057829+ErebusZ@users.noreply.github.com> Date: Wed, 24 Jan 2024 18:11:22 +0100 Subject: [PATCH 3/7] Update connectedAndroidTest.yml --- .github/workflows/connectedAndroidTest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/connectedAndroidTest.yml b/.github/workflows/connectedAndroidTest.yml index 32c9cd6..0622ef2 100644 --- a/.github/workflows/connectedAndroidTest.yml +++ b/.github/workflows/connectedAndroidTest.yml @@ -17,7 +17,7 @@ jobs: - name: Install NDK if: steps.ndk-cache.outputs.cache-hit != 'true' - run: echo "y" | /usr/local/lib/android/sdk/tools/bin/sdkmanager --install "ndk;25.1.8937393" + run: echo "y" | ${ANDROID_SDK_ROOT}/cmdline-tools/latest/bin/sdkmanager --install "ndk;25.1.8937393" - uses: actions/setup-java@v3 with: 
From 0efb5f9fc6fa523822c533ba69a12823392e773c Mon Sep 17 00:00:00 2001 From: ErebusZ Date: Wed, 24 Jan 2024 18:26:39 +0100 Subject: [PATCH 4/7] update tests --- .../insecure_app/InstrumentedTest.java | 30 ++++++------ .../insecure_app/BugRuleCallerTest.java | 46 +++++++++---------- 2 files changed, 38 insertions(+), 38 deletions(-) diff --git a/app/src/androidTest/java/co/ostorlab/insecure_app/InstrumentedTest.java b/app/src/androidTest/java/co/ostorlab/insecure_app/InstrumentedTest.java index fd5668a..82b7b2f 100644 --- a/app/src/androidTest/java/co/ostorlab/insecure_app/InstrumentedTest.java +++ b/app/src/androidTest/java/co/ostorlab/insecure_app/InstrumentedTest.java @@ -54,7 +54,7 @@ public void useAppContext() throws Exception { @Test public void ruleCaller_callECBModeCipher_NoExceptionThrown() throws Exception{ caller.addRule(new ECBModeCipher()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } 
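Review bot: Every call updated in InstrumentedTest, here and in the following hunks, and in BugRuleCallerTest passes `callRules("")`, so none of the branches this series adds behind `user_input.length() != 0` is executed by a test. Since `runInThread` catches and prints exceptions, the `..._NoExceptionThrown` tests would also pass if such a branch failed. I would add at least one test per changed rule with a non-empty argument and assert on an observable result rather than on `caller.getRules().size()`. The commented-out mock test in BugRuleCallerTest still verifies `run()` with no argument and would not compile if re-enabled.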
@@ -62,56 +62,56 @@ public void ruleCaller_callECBModeCipher_NoExceptionThrown() throws Exception{ @Test public void ruleCaller_callClearTextTraffic_NoExceptionThrown() throws Exception{ caller.addRule(new ClearTextTraffic()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @Test public void ruleCaller_callTLSTraffic_NoExceptionThrown() throws Exception{ caller.addRule(new TLSTraffic()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @Test public void ruleCaller_callAESCipher_NoExceptionThrown() throws Exception{ caller.addRule(new AESCipher()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @Test public void ruleCaller_callStaticIV_NoExceptionThrown() throws Exception{ caller.addRule(new StaticIV()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @Test public void ruleCaller_callHardcodedKeyInUrl_NoExceptionThrown() throws Exception{ caller.addRule(new HardcodedUrlInUrl()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @Test public void ruleCaller_callPathClassLoader_NoExceptionThrown() throws Exception{ caller.addRule(new PathClassLoaderCall()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @Test public void ruleCaller_callDexClassLoader_NoExceptionThrown() throws Exception{ caller.addRule(new DexClassLoaderCall()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @Test public void ruleCaller_callInsecureFilePermissions_NoExceptionThrown() throws Exception{ caller.addRule(new InsecureFilePermissions()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } 
@@ -119,7 +119,7 @@ public void ruleCaller_callInsecureFilePermissions_NoExceptionThrown() throws Ex @Test public void ruleCaller_callInsecureSharedPreferences_NoExceptionThrown() throws Exception{ caller.addRule(new InsecureSharedPreferences()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @@ -127,7 +127,7 @@ public void ruleCaller_callInsecureSharedPreferences_NoExceptionThrown() throws @Test public void ruleCaller_callInsecureCommands_NoExceptionThrown() throws Exception{ caller.addRule(new InsecureCommands()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @@ -135,7 +135,7 @@ public void ruleCaller_callInsecureCommands_NoExceptionThrown() throws Exception @Test public void ruleCaller_callWebviewInsecureSettings_NoExceptionThrown() throws Exception{ caller.addRule(new WebviewInsecureSettings()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @@ -143,7 +143,7 @@ public void ruleCaller_callWebviewInsecureSettings_NoExceptionThrown() throws Ex @Test public void ruleCaller_callMobileOnlyDownloadManager_NoExceptionThrown() throws Exception{ caller.addRule(new MobileOnlyDownloadManager()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @@ -151,7 +151,7 @@ public void ruleCaller_callMobileOnlyDownloadManager_NoExceptionThrown() throws @Test public void ruleCaller_callInsecureRandom_NoExceptionThrown() throws Exception{ caller.addRule(new InsecureRandom()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @@ -159,7 +159,7 @@ public void ruleCaller_callInsecureRandom_NoExceptionThrown() throws Exception{ @Test public void ruleCaller_callIntent_NoExceptionThrown() throws Exception{ caller.addRule(new IntentCall()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } 
diff --git a/app/src/test/java/co/ostorlab/insecure_app/BugRuleCallerTest.java b/app/src/test/java/co/ostorlab/insecure_app/BugRuleCallerTest.java index 981a30c..79679fa 100644 --- a/app/src/test/java/co/ostorlab/insecure_app/BugRuleCallerTest.java +++ b/app/src/test/java/co/ostorlab/insecure_app/BugRuleCallerTest.java @@ -70,7 +70,7 @@ public void before() throws Exception{ // public void ruleCaller_whenCalled_rulesCalled() throws Exception{ // BugRule bugRule = Mockito.mock(BugRule.class); // caller.addRule(bugRule); -// caller.callRules(); +// caller.callRules(""); // // verify(bugRule, Mockito.times(1)).run(); // } @@ -78,7 +78,7 @@ public void before() throws Exception{ @Test public void ruleCaller_callECBModeCipher_NoExceptionThrown() throws Exception{ caller.addRule(new ECBModeCipher()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } 
@@ -86,56 +86,56 @@ public void ruleCaller_callECBModeCipher_NoExceptionThrown() throws Exception{ @Test public void ruleCaller_callClearTextTraffic_NoExceptionThrown() throws Exception{ caller.addRule(new ClearTextTraffic()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @Test public void ruleCaller_callTLSTraffic_NoExceptionThrown() throws Exception{ caller.addRule(new TLSTraffic()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @Test public void ruleCaller_callAESCipher_NoExceptionThrown() throws Exception{ caller.addRule(new AESCipher()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @Test public void ruleCaller_callStaticIV_NoExceptionThrown() throws Exception{ caller.addRule(new StaticIV()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @Test public void ruleCaller_callHardcodedKeyInUrl_NoExceptionThrown() throws Exception{ caller.addRule(new HardcodedUrlInUrl()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @Test public void ruleCaller_callPathClassLoader_NoExceptionThrown() throws Exception{ caller.addRule(new PathClassLoaderCall()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @Test public void ruleCaller_callDexClassLoader_NoExceptionThrown() throws Exception{ caller.addRule(new DexClassLoaderCall()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @Test public void ruleCaller_callInsecureFilePermissions_NoExceptionThrown() throws Exception{ caller.addRule(new InsecureFilePermissions()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } 
@@ -143,7 +143,7 @@ public void ruleCaller_callInsecureFilePermissions_NoExceptionThrown() throws Ex @Test public void ruleCaller_callWebviewInsecureSettings_NoExceptionThrown() throws Exception{ caller.addRule(new WebviewInsecureSettings()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @@ -151,7 +151,7 @@ public void ruleCaller_callWebviewInsecureSettings_NoExceptionThrown() throws Ex @Test public void ruleCaller_callMobileOnlyDownloadManager_NoExceptionThrown() throws Exception{ caller.addRule(new MobileOnlyDownloadManager()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @@ -159,7 +159,7 @@ public void ruleCaller_callMobileOnlyDownloadManager_NoExceptionThrown() throws @Test public void ruleCaller_callInsecureRandom_NoExceptionThrown() throws Exception{ caller.addRule(new InsecureRandom()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @@ -167,7 +167,7 @@ public void ruleCaller_callInsecureRandom_NoExceptionThrown() throws Exception{ @Test public void ruleCaller_ArrayCall_NoExceptionThrown() throws Exception{ caller.addRule(new ArrayCall()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @@ -175,7 +175,7 @@ public void ruleCaller_ArrayCall_NoExceptionThrown() throws Exception{ @Test public void ruleCaller_SQLiteDatabaseCall_NoExceptionThrown() throws Exception{ caller.addRule(new SQLiteDatabaseCall()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @@ -183,7 +183,7 @@ public void ruleCaller_SQLiteDatabaseCall_NoExceptionThrown() throws Exception{ @Test public void ruleCaller_IntentCall_NoExceptionThrown() throws Exception{ caller.addRule(new IntentCall()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } 
@@ -191,7 +191,7 @@ public void ruleCaller_IntentCall_NoExceptionThrown() throws Exception{ @Test public void ruleCaller_SerializableMemoryCorruption_NoExceptionThrown() throws Exception{ caller.addRule(new SerializableMemoryCorruption()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @@ -199,7 +199,7 @@ public void ruleCaller_SerializableMemoryCorruption_NoExceptionThrown() throws E @Test public void ruleCaller_PathTraversalVulnerability_NoExceptionThrown() throws Exception{ caller.addRule(new PathTraversalVulnerability()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @@ -207,7 +207,7 @@ public void ruleCaller_PathTraversalVulnerability_NoExceptionThrown() throws Exc @Test public void ruleCaller_ParcelableMemoryCorruption_NoExceptionThrown() throws Exception{ caller.addRule(new ParcelableMemoryCorruption()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @@ -215,7 +215,7 @@ public void ruleCaller_ParcelableMemoryCorruption_NoExceptionThrown() throws Exc @Test public void ruleCaller_ImplicitPendingIntentVulnerability_NoExceptionThrown() throws Exception{ caller.addRule(new ImplicitPendingIntentVulnerability()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @@ -223,7 +223,7 @@ public void ruleCaller_ImplicitPendingIntentVulnerability_NoExceptionThrown() th @Test public void ruleCaller_BiometricFingerprintManagerVulnerability_NoExceptionThrown() throws Exception{ caller.addRule(new BiometricFingerprintManagerVulnerability()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } 
@@ -231,7 +231,7 @@ public void ruleCaller_BiometricFingerprintManagerVulnerability_NoExceptionThrow @Test public void ruleCaller_BiometricFingerprintPromptVulnerability_NoExceptionThrown() throws Exception{ caller.addRule(new BiometricFingerprintPromptVulnerability(mockActivity)); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } @@ -239,7 +239,7 @@ public void ruleCaller_BiometricFingerprintPromptVulnerability_NoExceptionThrown @Test public void ruleCaller_PackageContext_NoExceptionThrown() throws Exception{ caller.addRule(new PackageContextCall()); - caller.callRules(); + caller.callRules(""); Assert.assertEquals(caller.getRules().size(), 1); } From 9aad8ed65195772e031ba20c7699ba7e15c7bf5a Mon Sep 17 00:00:00 2001 From: ErebusZ Date: Thu, 25 Jan 2024 11:07:08 +0100 Subject: [PATCH 5/7] user intent instead of edit text --- .../co/ostorlab/insecure_app/MainActivity.java | 18 ++++++++++++------ .../insecure_app/bugs/calls/AESCipher.java | 2 +- .../insecure_app/bugs/calls/CommandExec.java | 2 +- .../bugs/calls/DexClassLoaderCall.java | 2 +- .../insecure_app/bugs/calls/ECBModeCipher.java | 2 +- .../bugs/calls/HardcodedUrlInUrl.java | 2 +- .../bugs/calls/InsecureCommands.java | 2 +- .../bugs/calls/InsecureFilePermissions.java | 2 +- .../bugs/calls/PathClassLoaderCall.java | 2 +- .../bugs/calls/PathTraversalVulnerability.java | 2 +- .../bugs/calls/SQLiteDatabaseCall.java | 2 +- .../calls/SerializableMemoryCorruption.java | 2 +- .../bugs/calls/WebviewInsecureSettings.java | 2 +- app/src/main/res/layout/activity_main.xml | 5 ----- 14 files changed, 24 insertions(+), 23 deletions(-) diff --git a/app/src/main/java/co/ostorlab/insecure_app/MainActivity.java b/app/src/main/java/co/ostorlab/insecure_app/MainActivity.java index c5e9d51..0988aff 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/MainActivity.java +++ b/app/src/main/java/co/ostorlab/insecure_app/MainActivity.java 
@@ -4,7 +4,7 @@ import android.view.View; import android.widget.Button; import android.widget.TextView; -import android.widget.EditText; +import android.content.Intent; import androidx.appcompat.app.AppCompatActivity; @@ -41,7 +41,6 @@ public class MainActivity extends AppCompatActivity { private TextView outputView; private Button runAllButton; - private EditText inputField; @Override protected void onCreate(Bundle savedInstanceState) { @@ -49,13 +48,22 @@ protected void onCreate(Bundle savedInstanceState) { setContentView(R.layout.activity_main); System.loadLibrary("native-lib"); outputView = findViewById(R.id.runOutputId); + + final Intent intent = getIntent(); + String user_input; + if (intent.hasExtra("user_input")) { + user_input = intent.getStringExtra("user_input"); + } + else { + user_input = ""; + } + // Trigger flutter directly when the app starts. - triggerFlutter(); +// triggerFlutter(); final Button runAllButton = findViewById(R.id.runAllId); final Button runAllFlutterButton = findViewById(R.id.runAllFlutterId); - final EditText inputField = findViewById(R.id.editText); runAllFlutterButton.setOnClickListener(new View.OnClickListener() { @Override public void onClick(View view) { @@ -66,9 +74,7 @@ public void onClick(View view) { runAllButton.setOnClickListener(new View.OnClickListener() { @Override public void onClick(View view) { - String user_input = inputField.getText().toString(); outputView.setText("Running \n"); - executeAllRules(user_input); } }); diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/AESCipher.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/AESCipher.java index 5e357ae..65f1b99 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/AESCipher.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/AESCipher.java 
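Review bot: In the onCreate hunk, `intent.hasExtra("user_input")` is true for an extra of any type, while `getStringExtra` returns null when the stored value is not a String, so `user_input` can be null when the click listener passes it to `executeAllRules`. The rules changed in this same patch call `user_input.isEmpty()` unguarded and would then throw a NullPointerException; whether the caller catches it is not visible here. Reading the extra once and defaulting it avoids that and keeps the variable capturable by the listener: `final String extra = intent.getStringExtra("user_input");` followed by `final String user_input = extra != null ? extra : "";`. The value is set by whoever starts the activity, so a short comment marking it as the untrusted input of this test app would help readers; onCreate continues outside the hunk.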
@@ -21,7 +21,7 @@ public String getDescription() { @Override public void run(String user_input) throws Exception{ String clearText = "Jan van Eyck was here 1434"; - if (user_input.length() != 0){ + if (user_input.isEmpty() == false){ clearText = user_input; } String key = "ThisIs128bitSize"; diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/CommandExec.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/CommandExec.java index 3a9568f..116fd1c 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/CommandExec.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/CommandExec.java @@ -14,7 +14,7 @@ public void run(String user_input) throws Exception { String command = ""; // Tainted command. - if (user_input.length() != 0){ + if (user_input.isEmpty() == false){ executeCommand(command, null); } diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/DexClassLoaderCall.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/DexClassLoaderCall.java index b3475ae..0c328ba 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/DexClassLoaderCall.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/DexClassLoaderCall.java @@ -25,7 +25,7 @@ public void run(String user_input) throws Exception { /* Dex class loading from user input */ - if (user_input.length() != 0){ + if (user_input.isEmpty() == false){ String apkFile = Environment.getExternalStorageDirectory().getAbsolutePath() + "/" + "user_input"; DexClassLoader classLoader1 = new DexClassLoader( apkFile, diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ECBModeCipher.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ECBModeCipher.java index 178b0dc..7043475 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ECBModeCipher.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ECBModeCipher.java 
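Review bot: The new condition `if (user_input.isEmpty() == false){` compares a boolean with a literal; `if (!user_input.isEmpty()) {` is the usual Java form. The same line is introduced in every rule hunk of this patch (CommandExec, DexClassLoaderCall, ECBModeCipher, HardcodedUrlInUrl, InsecureCommands, InsecureFilePermissions, PathClassLoaderCall, PathTraversalVulnerability, SQLiteDatabaseCall, SerializableMemoryCorruption, WebviewInsecureSettings). It behaves the same as the removed `length() != 0`, so a null `user_input` still throws in both versions. run() starts and ends outside the hunk.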
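Review bot: In CommandExec.java the guarded call passes `command`, which the visible lines initialise to `""`, rather than `user_input`, so the branch under `// Tainted command.` runs an empty command and the parameter never reaches `executeCommand`. The comment and the argument disagree about what this rule is meant to model for analysis tools. Either pass the parameter as InsecureCommands.java does in this patch, or reword the comment to `// Runs only when user input is present; the input itself is not used.`. run() continues outside the hunk, so `command` may be assigned elsewhere.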
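Review bot: In DexClassLoaderCall.java `apkFile` is built with the string literal `"user_input"` instead of the `user_input` parameter, so the branch always resolves the same file name under external storage regardless of what was passed. PathClassLoaderCall.java in this patch concatenates the variable (`+ "/" + user_input`), which suggests the quotes here are a typo. Align the two rules, or if the fixed name is deliberate, say so in the `/* Dex class loading from user input */` comment. The DexClassLoader constructor call is cut off by the hunk.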
@@ -21,7 +21,7 @@ public String getDescription() { @Override public void run(String user_input) throws Exception{ String clearText = "Jan van Eyck was here 1434"; - if (user_input.length() != 0){ + if (user_input.isEmpty() == false){ clearText = user_input; } String key = "ThisIs128bitSize"; diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/HardcodedUrlInUrl.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/HardcodedUrlInUrl.java index 1de6c4f..27a414f 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/HardcodedUrlInUrl.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/HardcodedUrlInUrl.java @@ -20,7 +20,7 @@ public String get_url() { @Override public void run(String user_input) throws Exception { - if (user_input.length() != 0){ + if (user_input.isEmpty() == false){ ContextCompat.getMainExecutor(getContext()).execute(() -> { Log.i(TAG, String.format("Message: %s", user_input)); WebView webView = new WebView(getContext()); diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureCommands.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureCommands.java index 222bd82..7dd70bd 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureCommands.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureCommands.java @@ -9,7 +9,7 @@ public class InsecureCommands extends BugRule { @Override public void run(String user_input) throws Exception { - if (user_input.length() != 0){ + if (user_input.isEmpty() == false){ executeCommand(user_input, null); } executeCommand("chmod 755 test_file", "/data/data/"); diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureFilePermissions.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureFilePermissions.java index e6e55b6..d60ecc1 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureFilePermissions.java 
+++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureFilePermissions.java @@ -21,7 +21,7 @@ public void run(String user_input) throws Exception { openFileOutputWorldWritable(filename); setReadableAll(filename); setWritableAll(filename); - if (user_input.length() != 0){ + if (user_input.isEmpty() == false){ openFileOutputWorldReadable(user_input); openFileOutputWorldWritable(user_input); setReadableAll(user_input); diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/PathClassLoaderCall.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/PathClassLoaderCall.java index 3befab7..432de80 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/PathClassLoaderCall.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/PathClassLoaderCall.java @@ -22,7 +22,7 @@ public void run(String user_input) throws Exception{ /* Path class loading from external storage */ - if (user_input.length() != 0){ + if (user_input.isEmpty() == false){ String apkFile = Environment.getExternalStorageDirectory().getAbsolutePath() + "/" + user_input; PathClassLoader classLoader1 = new PathClassLoader(apkFile, ClassLoader.getSystemClassLoader()); classLoader1.loadClass("a.b.c"); diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/PathTraversalVulnerability.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/PathTraversalVulnerability.java index 6346407..4944fbf 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/PathTraversalVulnerability.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/PathTraversalVulnerability.java @@ -63,7 +63,7 @@ public ParcelFileDescriptor openFile(Uri uri, @NonNull String mode) throws FileN } @Override public void run(String user_input) throws Exception { - if (user_input.length() != 0){ + if (user_input.isEmpty() == false){ Provider taint_provider = new Provider(); Uri.Builder taint_builder = new Uri.Builder(); taint_builder.scheme("https"); 
diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/SQLiteDatabaseCall.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/SQLiteDatabaseCall.java index f6cf5cb..e577dcf 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/SQLiteDatabaseCall.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/SQLiteDatabaseCall.java @@ -16,7 +16,7 @@ public void run(String user_input) throws Exception { mySQLiteOpenHelper.createTable(); String insert_query = "INSERT INTO accounts(name, amount) VALUES(?, ?)"; db.execSQL(insert_query, new Object[]{"Jack", 3000}); - if (user_input.length() != 0){ + if (user_input.isEmpty() == false){ db.execSQL(user_input, new Object[]{"Taint", 3001}); } mySQLiteOpenHelper.dropTable(); diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/SerializableMemoryCorruption.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/SerializableMemoryCorruption.java index 9f5b1b1..f569e32 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/SerializableMemoryCorruption.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/SerializableMemoryCorruption.java @@ -35,7 +35,7 @@ private void writeObject(ObjectOutputStream oos) throws IOException { @Override public void run(String user_input) throws Exception { - if (user_input.length() != 0){ + if (user_input.isEmpty() == false){ FileInputStream fileInputStream = new FileInputStream(user_input); ObjectInputStream objectInputStream = new ObjectInputStream(fileInputStream); SerializableObject serializableObject = new SerializableObject(); diff --git a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/WebviewInsecureSettings.java b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/WebviewInsecureSettings.java index db6fe8a..849b657 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/WebviewInsecureSettings.java +++ b/app/src/main/java/co/ostorlab/insecure_app/bugs/calls/WebviewInsecureSettings.java 
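Review bot: In SQLiteDatabaseCall.java `mySQLiteOpenHelper.dropTable()` runs only if `db.execSQL(user_input, ...)` returns normally; a string that is not a valid statement, or one without two `?` placeholders for the supplied bind arguments, is likely to make execSQL throw and leave the `accounts` table behind for the next run. Wrapping the statements after `createTable()` in `try { ... } finally { mySQLiteOpenHelper.dropTable(); }` keeps the rule repeatable. The start of run() is outside the hunk.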
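Review bot: In SerializableMemoryCorruption.java the `FileInputStream` and `ObjectInputStream` opened from `user_input` are plain locals and nothing in the hunk closes them; if the rest of run(), which lies outside the hunk, does not either, each run leaks a file descriptor. Opening both in one try-with-resources, `try (ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream(user_input))) {`, closes them on every path. A comment stating that reading serialized objects from a caller-chosen path appears to be the deliberate weakness this rule demonstrates would keep the pattern from being copied into real code.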
@@ -23,7 +23,7 @@ public void run(String user_input) throws Exception { webView.getSettings().setAllowUniversalAccessFromFileURLs(true); webView.getSettings().setAllowFileAccess(true); webView.setWebContentsDebuggingEnabled(true); - if (user_input.length() != 0){ + if (user_input.isEmpty() == false){ webView.loadUrl(user_input); } else{ diff --git a/app/src/main/res/layout/activity_main.xml b/app/src/main/res/layout/activity_main.xml index 539c4d7..78d0df3 100644 --- a/app/src/main/res/layout/activity_main.xml +++ b/app/src/main/res/layout/activity_main.xml @@ -32,10 +32,5 @@ android:layout_height="517dp" android:singleLine="false" android:text="@string/output" /> - From 6db1a6bcafcf4f830cae5dbcc86b7f03bf52822d Mon Sep 17 00:00:00 2001 From: ErebusZ Date: Thu, 25 Jan 2024 11:49:49 +0100 Subject: [PATCH 6/7] pass the extra variable to the flutter intent and start both --- .../co/ostorlab/insecure_app/MainActivity.java | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/app/src/main/java/co/ostorlab/insecure_app/MainActivity.java b/app/src/main/java/co/ostorlab/insecure_app/MainActivity.java index 0988aff..e1976e2 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/MainActivity.java +++ b/app/src/main/java/co/ostorlab/insecure_app/MainActivity.java @@ -53,13 +53,17 @@ protected void onCreate(Bundle savedInstanceState) { String user_input; if (intent.hasExtra("user_input")) { user_input = intent.getStringExtra("user_input"); + executeAllRules(user_input); + triggerFlutter(user_input); } else { user_input = ""; + // Trigger flutter directly when the app starts. + triggerFlutter(user_input); } - // Trigger flutter directly when the app starts. -// triggerFlutter(); + + final Button runAllButton = findViewById(R.id.runAllId); 
@@ -67,7 +71,7 @@ protected void onCreate(Bundle savedInstanceState) { runAllFlutterButton.setOnClickListener(new View.OnClickListener() { @Override public void onClick(View view) { - triggerFlutter(); + triggerFlutter(user_input); } }); @@ -80,10 +84,10 @@ public void onClick(View view) { }); } - private void triggerFlutter(){ - startActivity( - FlutterActivity.createDefaultIntent(MainActivity.this) - ); + private void triggerFlutter(String user_input){ + Intent customIntent = new Intent(this, FlutterActivity.class); + customIntent.putExtra("user_input", user_input); + startActivity(customIntent); } private void executeAllRules(String user_input) { BugRuleCaller caller = new BugRuleCaller(getApplicationContext()); From b935e911444a686eddc1478c9dab2e144efd3fcb Mon Sep 17 00:00:00 2001 From: ErebusZ Date: Fri, 26 Jan 2024 08:59:03 +0100 Subject: [PATCH 7/7] small refactor --- .../co/ostorlab/insecure_app/MainActivity.java | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/app/src/main/java/co/ostorlab/insecure_app/MainActivity.java b/app/src/main/java/co/ostorlab/insecure_app/MainActivity.java index e1976e2..3c997e7 100644 --- a/app/src/main/java/co/ostorlab/insecure_app/MainActivity.java +++ b/app/src/main/java/co/ostorlab/insecure_app/MainActivity.java @@ -50,19 +50,10 @@ protected void onCreate(Bundle savedInstanceState) { outputView = findViewById(R.id.runOutputId); final Intent intent = getIntent(); - String user_input; - if (intent.hasExtra("user_input")) { - user_input = intent.getStringExtra("user_input"); - executeAllRules(user_input); - triggerFlutter(user_input); - } - else { - user_input = ""; - // Trigger flutter directly when the app starts. - triggerFlutter(user_input); - } - + String user_input = intent.hasExtra("user_input") ? intent.getStringExtra("user_input") : ""; + executeAllRules(user_input); + triggerFlutter(user_input);
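Review bot: The rewritten `triggerFlutter` builds a bare `new Intent(this, FlutterActivity.class)` and so drops whatever `FlutterActivity.createDefaultIntent` previously put on the intent. Keeping the factory and adding the extra to its result preserves the earlier launch configuration: `Intent customIntent = FlutterActivity.createDefaultIntent(this);` then `customIntent.putExtra("user_input", user_input);`. The forwarded value is the unvalidated launch extra, and it can be null if the extra was not a String, so the receiving side should treat it as untrusted as well.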