Add taint parameter and change rules

.github/workflows/connectedAndroidTest.yml

@@ -17,7 +17,7 @@ jobs:
 
       - name: Install NDK
         if: steps.ndk-cache.outputs.cache-hit != 'true'
-        run: echo "y" | sudo /usr/local/lib/android/sdk/tools/bin/sdkmanager --install "ndk;25.1.8937393"
+        run: echo "y" | ${ANDROID_SDK_ROOT}/cmdline-tools/latest/bin/sdkmanager --install "ndk;25.1.8937393"
 
       - uses: actions/setup-java@v3
         with:

app/src/androidTest/java/co/ostorlab/insecure_app/InstrumentedTest.java

@@ -54,112 +54,112 @@ public void useAppContext() throws Exception {
     @Test
     public void ruleCaller_callECBModeCipher_NoExceptionThrown() throws Exception{
         caller.addRule(new ECBModeCipher());
-        caller.callRules();
+        caller.callRules("");
 
         Assert.assertEquals(caller.getRules().size(), 1);
     }
 
     @Test
     public void ruleCaller_callClearTextTraffic_NoExceptionThrown() throws Exception{
         caller.addRule(new ClearTextTraffic());
-        caller.callRules();
+        caller.callRules("");
 
         Assert.assertEquals(caller.getRules().size(), 1);
     }
     @Test
     public void ruleCaller_callTLSTraffic_NoExceptionThrown() throws Exception{
         caller.addRule(new TLSTraffic());
-        caller.callRules();
+        caller.callRules("");
 
         Assert.assertEquals(caller.getRules().size(), 1);
     }
     @Test
     public void ruleCaller_callAESCipher_NoExceptionThrown() throws Exception{
         caller.addRule(new AESCipher());
-        caller.callRules();
+        caller.callRules("");
 
         Assert.assertEquals(caller.getRules().size(), 1);
     }
     @Test
     public void ruleCaller_callStaticIV_NoExceptionThrown() throws Exception{
         caller.addRule(new StaticIV());
-        caller.callRules();
+        caller.callRules("");
 
         Assert.assertEquals(caller.getRules().size(), 1);
     }
     @Test
     public void ruleCaller_callHardcodedKeyInUrl_NoExceptionThrown() throws Exception{
         caller.addRule(new HardcodedUrlInUrl());
-        caller.callRules();
+        caller.callRules("");
 
         Assert.assertEquals(caller.getRules().size(), 1);
     }
     @Test
     public void ruleCaller_callPathClassLoader_NoExceptionThrown() throws Exception{
         caller.addRule(new PathClassLoaderCall());
-        caller.callRules();
+        caller.callRules("");
 
         Assert.assertEquals(caller.getRules().size(), 1);
     }
     @Test
     public void ruleCaller_callDexClassLoader_NoExceptionThrown() throws Exception{
         caller.addRule(new DexClassLoaderCall());
-        caller.callRules();
+        caller.callRules("");
 
         Assert.assertEquals(caller.getRules().size(), 1);
     }
     @Test
     public void ruleCaller_callInsecureFilePermissions_NoExceptionThrown() throws Exception{
         caller.addRule(new InsecureFilePermissions());
-        caller.callRules();
+        caller.callRules("");
 
         Assert.assertEquals(caller.getRules().size(), 1);
     }
 
     @Test
     public void ruleCaller_callInsecureSharedPreferences_NoExceptionThrown() throws Exception{
         caller.addRule(new InsecureSharedPreferences());
-        caller.callRules();
+        caller.callRules("");
 
         Assert.assertEquals(caller.getRules().size(), 1);
     }
 
     @Test
     public void ruleCaller_callInsecureCommands_NoExceptionThrown() throws Exception{
         caller.addRule(new InsecureCommands());
-        caller.callRules();
+        caller.callRules("");
 
         Assert.assertEquals(caller.getRules().size(), 1);
     }
 
     @Test
     public void ruleCaller_callWebviewInsecureSettings_NoExceptionThrown() throws Exception{
         caller.addRule(new WebviewInsecureSettings());
-        caller.callRules();
+        caller.callRules("");
 
         Assert.assertEquals(caller.getRules().size(), 1);
     }
 
     @Test
     public void ruleCaller_callMobileOnlyDownloadManager_NoExceptionThrown() throws Exception{
         caller.addRule(new MobileOnlyDownloadManager());
-        caller.callRules();
+        caller.callRules("");
 
         Assert.assertEquals(caller.getRules().size(), 1);
     }
 
     @Test
     public void ruleCaller_callInsecureRandom_NoExceptionThrown() throws Exception{
         caller.addRule(new InsecureRandom());
-        caller.callRules();
+        caller.callRules("");
 
         Assert.assertEquals(caller.getRules().size(), 1);
     }
 
     @Test
     public void ruleCaller_callIntent_NoExceptionThrown() throws Exception{
         caller.addRule(new IntentCall());
-        caller.callRules();
+        caller.callRules("");
 
         Assert.assertEquals(caller.getRules().size(), 1);
     }

app/src/main/java/co/ostorlab/insecure_app/BugRule.java

@@ -8,7 +8,7 @@ abstract public class BugRule {
 
     public void setContext(Context context){ this.context = context;}
     public Context getContext(){ return context;}
-    abstract public void run() throws Exception;
+    abstract public void run(String input) throws Exception;
     abstract public String getDescription();
     public String toString()
     {

app/src/main/java/co/ostorlab/insecure_app/BugRuleCaller.java

@@ -35,9 +35,9 @@ <T extends BugRule> void addRule(T rule){
         rules.add(rule);
     }
 
-    void callRules() throws Exception{
+    void callRules(String user_input) throws Exception{
         for(final BugRule rule: rules){
-            runInThread(rule);
+            runInThread(rule, user_input);
         }
     }
 
@@ -50,11 +50,11 @@ String listBugRules() throws Exception{
         return buffer.toString();
     }
 
-    private void runInThread(final BugRule rule) throws Exception {
+    private void runInThread(final BugRule rule, String user_input) throws Exception {
         new Thread(new Runnable() {
             public void run() {
                 try {
-                    rule.run();
+                    rule.run(user_input);
                 }
                 catch (Exception e) {
                     e.printStackTrace();

app/src/main/java/co/ostorlab/insecure_app/MainActivity.java

@@ -4,6 +4,7 @@
 import android.view.View;
 import android.widget.Button;
 import android.widget.TextView;
+import android.widget.EditText;
 
 import androidx.appcompat.app.AppCompatActivity;
 
@@ -39,7 +40,8 @@
 
 public class MainActivity extends AppCompatActivity {
     private TextView outputView;
-    private Button runAllButton ;
+    private Button runAllButton;
+    private EditText inputField;
 
     @Override
     protected void onCreate(Bundle savedInstanceState) {
@@ -50,8 +52,10 @@ protected void onCreate(Bundle savedInstanceState) {
         // Trigger flutter directly when the app starts.
         triggerFlutter();
 
+
         final Button runAllButton = findViewById(R.id.runAllId);
         final Button runAllFlutterButton = findViewById(R.id.runAllFlutterId);
+        final EditText inputField = findViewById(R.id.editText);
         runAllFlutterButton.setOnClickListener(new View.OnClickListener() {
             @Override
             public void onClick(View view) {
@@ -62,8 +66,10 @@ public void onClick(View view) {
         runAllButton.setOnClickListener(new View.OnClickListener() {
             @Override
             public void onClick(View view) {
+                String user_input = inputField.getText().toString();
                 outputView.setText("Running \n");
-                executeAllRules();
+
+                executeAllRules(user_input);
             }
         });
 
@@ -73,7 +79,7 @@ private void triggerFlutter(){
                 FlutterActivity.createDefaultIntent(MainActivity.this)
         );
     }
-    private void executeAllRules() {
+    private void executeAllRules(String user_input) {
         BugRuleCaller caller = new BugRuleCaller(getApplicationContext());
         outputView.append("Adding rules ...\n");
         caller.addRule(new ECBModeCipher());
@@ -106,7 +112,7 @@ private void executeAllRules() {
         caller.addRule(new RegisterReceiverExported(this));
 
         try {
-            caller.callRules();
+            caller.callRules(user_input);
             outputView.append(caller.listBugRules());
 
         } catch (Exception e){

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/AESCipher.java

@@ -19,8 +19,11 @@ public String getDescription() {
     }
 
     @Override
-    public void run() throws Exception{
+    public void run(String user_input) throws Exception{
         String clearText = "Jan van Eyck was here 1434";
+        if (user_input.length() != 0){
+            clearText = user_input;
+        }
         String key = "ThisIs128bitSize";
         SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes(), "AES");
         Cipher cipher = Cipher.getInstance("AES");

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ArrayCall.java

@@ -13,7 +13,7 @@ public class ArrayCall extends BugRule {
     private static final String TAG = ArrayCall.class.toString();
 
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
 
         int[] ages = new int[5];
         handle_array(ages, 5, 0);

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/BiometricFingerprintManagerVulnerability.java

@@ -12,7 +12,7 @@
 public final class BiometricFingerprintManagerVulnerability extends BugRule {
 
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
         Context context = getContext();
 //        The class FingerprintManager
         FingerprintManager fingerprintManager = (FingerprintManager) context.getSystemService(Context.FINGERPRINT_SERVICE);

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/BiometricFingerprintPromptVulnerability.java

@@ -17,7 +17,7 @@ public BiometricFingerprintPromptVulnerability(FragmentActivity activity) {
     }
 
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
         Context context = getContext();
 
         BiometricPrompt.AuthenticationCallback authenticationCallback = new BiometricPrompt.AuthenticationCallback() {

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ClearTextTraffic.java

@@ -13,7 +13,7 @@ public class ClearTextTraffic extends BugRule {
     private static final String TAG = ClearTextTraffic.class.toString();
 
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
         OkHttpClient client = new OkHttpClient.Builder()
                 .build();
         Request request = new Request.Builder()

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/CommandExec.java

@@ -8,11 +8,16 @@ public class CommandExec extends BugRule {
     private static final String TAG = CommandExec.class.toString();
 
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
 
         String domainName = "google.com";
         String command = "";
 
+        // Tainted command.
+        if (user_input.length() != 0){
+            executeCommand(command, null);
+        }
+
         // command contains chmod
         command = "chmod 777" + domainName;
         executeCommand(command, null);

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/DexClassLoaderCall.java

@@ -21,7 +21,20 @@ public String getDescription() {
     }
 
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
+        /*
+            Dex class loading from user input
+        */
+        if (user_input.length() != 0){
+            String apkFile = Environment.getExternalStorageDirectory().getAbsolutePath() + "/" + "user_input";
+            DexClassLoader classLoader1 = new DexClassLoader(
+                apkFile,
+                apkFile,
+                apkFile,
+                ClassLoader.getSystemClassLoader());
+            classLoader1.loadClass("a.b.c");
+        }
+
         /*
             Dex class loading from external storage
          */

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ECBModeCipher.java

@@ -19,8 +19,11 @@ public String getDescription() {
     }
 
     @Override
-    public void run() throws Exception{
+    public void run(String user_input) throws Exception{
         String clearText = "Jan van Eyck was here 1434";
+        if (user_input.length() != 0){
+            clearText = user_input;
+        }
         String key = "ThisIs128bitSize";
         SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes(), "AES");
         Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5PADDING");

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/HardcodedUrlInUrl.java

@@ -19,7 +19,15 @@ public String get_url() {
     }
 
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
+        if (user_input.length() != 0){
+            ContextCompat.getMainExecutor(getContext()).execute(()  -> {
+                Log.i(TAG, String.format("Message: %s", user_input));
+                WebView webView = new WebView(getContext());
+                webView.loadUrl(user_input);
+            });
+        }
+
         ContextCompat.getMainExecutor(getContext()).execute(()  -> {
             Log.i(TAG, String.format("Message: %s", get_url()));
             WebView webView = new WebView(getContext());

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/HashCall.java

@@ -9,7 +9,7 @@ public class HashCall extends BugRule {
     private static final String TAG = HashCall.class.toString();
 
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
 
         String monMessage = "Ostorlab hidden message";
 

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ImplicitPendingIntentVulnerability.java

@@ -7,7 +7,7 @@
 
 public class ImplicitPendingIntentVulnerability extends BugRule {
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
         // Create an implicit base Intent and wrap it in a PendingIntent
 
         Intent base = new Intent("ACTION_FOO");

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureCommands.java

@@ -8,7 +8,10 @@ public class InsecureCommands extends BugRule {
     private static final String TAG = InsecureCommands.class.toString();
 
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
+        if (user_input.length() != 0){
+            executeCommand(user_input, null);
+        }
         executeCommand("chmod 755 test_file", "/data/data/");
         executeCommand("ping -c 3 www.ostorlab.co", "/sdcard/ostorlab");
     }

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureFilePermissions.java

@@ -15,12 +15,18 @@ public String getDescription() {
     }
 
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
         String filename = "test_filename";
         openFileOutputWorldReadable(filename);
         openFileOutputWorldWritable(filename);
         setReadableAll(filename);
         setWritableAll(filename);
+        if (user_input.length() != 0){
+            openFileOutputWorldReadable(user_input);
+            openFileOutputWorldWritable(user_input);
+            setReadableAll(user_input);
+            setWritableAll(user_input);
+        }
     }
 
     private void openFileOutputWorldReadable(String filename) throws Exception {