// Negative case: analysing the "AllowBackupFalse.xml.test" fixture must yield no findings.
// Presumably the fixture sets android:allowBackup="false" (fixture content is not visible here).
public void AllowBackupFalse()
        {
            AndroidManifestFile manifest = GetAndroidManifestFile("AllowBackupFalse.xml.test");

            _analyzer.Analyze(manifest);

            // An explicit opt-out must not be reported; a finding here would be a false positive.
            Assert.AreEqual(0, _vulnerabilities.Count);
        }
        // Negative case: a manifest without the debuggable attribute must yield no findings.
        // Android treats android:debuggable as false when it is omitted, so silence is the
        // correct result for the "DebuggableMissing.xml.test" fixture.
        public void DebuggableMissing()
        {
            AndroidManifestFile manifest = GetAndroidManifestFile("DebuggableMissing.xml.test");

            _analyzer.Analyze(manifest);

            Assert.AreEqual(0, _vulnerabilities.Count);
        }
        // Requests the root element of a manifest named "NonExistingFile.xml".
        // NOTE(review): presumably GetXElement() is expected to throw for a missing file and
        // the assertion below is never reached; any expected-exception attribute is not
        // visible here - confirm. The failure mode is worth pinning exactly: a scanner that
        // silently skips an unreadable manifest reports a false "clean" result.
        public void NonExistingFile()
        {
            AndroidManifestFile manifest = GetAndroidManifestFile("NonExistingFile.xml");

            XElement root = manifest.GetXElement();

            Assert.AreEqual("Content", root.Value);
        }
        // Negative case: the "MinSdkSupported.xml.test" fixture must yield no findings.
        // Presumably its minSdkVersion is above the analyzer's cut-off (fixture not visible here).
        public void MinSdkSupported()
        {
            AndroidManifestFile manifest = GetAndroidManifestFile("MinSdkSupported.xml.test");

            _analyzer.Analyze(manifest);

            Assert.AreEqual(0, _vulnerabilities.Count);
        }
        // Requests the root element of "InvalidDocument.txt", a fixture that is presumably
        // not well-formed XML (its content is not visible here).
        // NOTE(review): the "Content" assertion looks unreachable if GetXElement() throws on
        // malformed input; any expected-exception attribute is not visible here - confirm
        // which exception type the test pins, so parse failures cannot pass unnoticed.
        public void InvalidDocument()
        {
            AndroidManifestFile manifest = GetAndroidManifestFile("InvalidDocument.txt");

            XElement root = manifest.GetXElement();

            Assert.AreEqual("Content", root.Value);
        }
        // Positive case: a manifest that omits allowBackup must produce exactly one finding.
        // Android treats android:allowBackup as true when the attribute is absent, so an
        // analyzer that only looked for an explicit "true" would miss this configuration.
        public void AllowBackupMissing()
        {
            AndroidManifestFile manifest = GetAndroidManifestFile("AllowBackupMissing.xml");

            _analyzer.Analyze(manifest);

            Assert.AreEqual(1, _vulnerabilities.Count);
        }
        // Negative case: the "MinSdkText.xml" fixture must yield no findings.
        // Presumably its minSdkVersion holds non-numeric text (fixture not visible here).
        // NOTE(review): zero findings means the unparsable value is accepted silently;
        // confirm that is intended rather than surfaced as a separate warning.
        public void MinSdkText()
        {
            AndroidManifestFile manifest = GetAndroidManifestFile("MinSdkText.xml");

            _analyzer.Analyze(manifest);

            Assert.AreEqual(0, _vulnerabilities.Count);
        }
        // Negative case: a manifest without a uses-sdk element must yield no findings.
        // NOTE(review): a source manifest often lacks uses-sdk because the build configuration
        // supplies minSdkVersion, so an empty result here says nothing about the built app -
        // confirm which manifest (source or merged) the analyzer is meant to see.
        public void UsesSdkMissing()
        {
            AndroidManifestFile manifest = GetAndroidManifestFile("UsesSdkMissing.xml");

            _analyzer.Analyze(manifest);

            Assert.AreEqual(0, _vulnerabilities.Count);
        }
        /// <summary>
        /// Reports one "AllowBackup" vulnerability for every direct <c>application</c> child of the
        /// element returned by <c>GetXElement()</c> that <c>IsBackupAllowed</c> accepts.
        /// </summary>
        /// <param name="androidManifestFile">Manifest to inspect; its FilePath is copied into each finding.</param>
        public override void Analyze(AndroidManifestFile androidManifestFile)
        {
            // IsBackupAllowed is defined elsewhere. Android treats a missing android:allowBackup
            // as "true", so the predicate presumably flags the absent attribute too - confirm.
            var findings = (from application in androidManifestFile.GetXElement().Elements("application")
                            where IsBackupAllowed(application)
                            select new Vulnerability
                            {
                                Code               = "AllowBackup",
                                Title              = "Backups are enabled",
                                Description        = "Enabling backups may leak sensitive data to the cloud.",
                                FilePath           = androidManifestFile.FilePath,
                                FullyQualifiedName = "AndroidManifest.xml",
                                // IXmlLineInfo reports 0 when the document was parsed without line
                                // information (LoadOptions.SetLineInfo); how GetXElement() loads
                                // the file is not visible here.
                                LineNumber         = ((IXmlLineInfo)application).LineNumber
                            }).ToList();

            // Every finding is built before the first one is published, so the callback never
            // runs while the XML tree is still being enumerated.
            foreach (var finding in findings)
            {
                OnVulnerabilityDiscovered(finding);
            }
        }
        /// <summary>
        /// Reports one "Debuggable" vulnerability for every direct <c>application</c> child of the
        /// element returned by <c>GetXElement()</c> that <c>IsDebuggable</c> accepts.
        /// </summary>
        /// <param name="androidManifestFile">Manifest to inspect; its FilePath is copied into each finding.</param>
        public override void Analyze(AndroidManifestFile androidManifestFile)
        {
            // IsDebuggable is defined elsewhere. Android treats a missing android:debuggable as
            // "false", so presumably only an explicit "true" is flagged - confirm.
            // NOTE(review): build tooling commonly sets this flag per build type, so the source
            // manifest may differ from the one packaged in the released app.
            var findings = (from application in androidManifestFile.GetXElement().Elements("application")
                            where IsDebuggable(application)
                            select new Vulnerability
                            {
                                Code               = "Debuggable",
                                Title              = "App has debugging enabled",
                                Description        = "Enabling debugging makes it easier for an attacker to reverse engineer your app.",
                                FilePath           = androidManifestFile.FilePath,
                                FullyQualifiedName = "AndroidManifest.xml",
                                // IXmlLineInfo reports 0 when the document was parsed without line
                                // information (LoadOptions.SetLineInfo); how GetXElement() loads
                                // the file is not visible here.
                                LineNumber         = ((IXmlLineInfo)application).LineNumber
                            }).ToList();

            // Every finding is built before the first one is published.
            foreach (var finding in findings)
            {
                OnVulnerabilityDiscovered(finding);
            }
        }
        /// <summary>
        /// Reports one "MinSdk" vulnerability for every direct <c>uses-sdk</c> child of the element
        /// returned by <c>GetXElement()</c> that <c>IsOutdated</c> accepts.
        /// </summary>
        /// <param name="androidManifestFile">Manifest to inspect; its FilePath is copied into each finding.</param>
        public override void Analyze(AndroidManifestFile androidManifestFile)
        {
            // IsOutdated is defined elsewhere; the API-level cut-off it applies is not visible here.
            // NOTE(review): the usage share and release year quoted in Description are
            // point-in-time figures - revisit them together with the cut-off.
            var findings = (from usesSdk in androidManifestFile.GetXElement().Elements("uses-sdk")
                            where IsOutdated(usesSdk)
                            select new Vulnerability
                            {
                                Code               = "MinSdk",
                                Title              = "App supports outdated Android version",
                                Description        = "Apps should no longer support Android Gingerbread or lower. This version is used by less than 0.3% of all devices and the latest release was in 2011.",
                                FilePath           = androidManifestFile.FilePath,
                                FullyQualifiedName = "AndroidManifest.xml",
                                // IXmlLineInfo reports 0 when the document was parsed without line
                                // information (LoadOptions.SetLineInfo); how GetXElement() loads
                                // the file is not visible here.
                                LineNumber         = ((IXmlLineInfo)usesSdk).LineNumber
                            }).ToList();

            // Every finding is built before the first one is published.
            foreach (var finding in findings)
            {
                OnVulnerabilityDiscovered(finding);
            }
        }
        /// <summary>
        /// Reports one medium-severity "AllowBackup" vulnerability for every direct
        /// <c>application</c> child of the element returned by <c>GetXElement()</c> that
        /// <c>IsBackupAllowed</c> accepts.
        /// </summary>
        /// <param name="androidManifestFile">Manifest to inspect; its FilePath is copied into each finding.</param>
        public override void Analyze(AndroidManifestFile androidManifestFile)
        {
            // IsBackupAllowed is defined elsewhere. Android treats a missing android:allowBackup
            // as "true", so the predicate presumably flags the absent attribute too - confirm.
            var findings = (from application in androidManifestFile.GetXElement().Elements("application")
                            where IsBackupAllowed(application)
                            select new Vulnerability
                            {
                                Code               = "AllowBackup",
                                Title              = "Backups are enabled",
                                SeverityLevel      = SeverityLevel.Medium,
                                // The description carries the remediation as well as the risk.
                                Description        = "Enabling backups may leak (sensitive) app data to Google's cloud services. If you would like to disable this feature, set 'allowBackup' to false in the <application> element.",
                                FilePath           = androidManifestFile.FilePath,
                                FullyQualifiedName = "AndroidManifest.xml",
                                // IXmlLineInfo reports 0 when the document was parsed without line
                                // information (LoadOptions.SetLineInfo); how GetXElement() loads
                                // the file is not visible here.
                                LineNumber         = ((IXmlLineInfo)application).LineNumber
                            }).ToList();

            // Every finding is built before the first one is published.
            foreach (var finding in findings)
            {
                OnVulnerabilityDiscovered(finding);
            }
        }
        // Positive case: the "AllowBackupTrue.xml" fixture must produce exactly one finding,
        // and every reported field is pinned so report consumers can rely on it.
        public void AllowBackupTrue()
        {
            AndroidManifestFile manifest = GetAndroidManifestFile("AllowBackupTrue.xml");

            _analyzer.Analyze(manifest);

            Assert.AreEqual(1, _vulnerabilities.Count);
            Vulnerability finding = _vulnerabilities[0];
            // Path.Combine keeps the expected path valid for the platform's separator.
            string expectedPath = Path.Combine("TestFiles", "AllowBackup", "AllowBackupTrue.xml");

            Assert.AreEqual("AllowBackup", finding.Code);
            Assert.AreEqual("Backups are enabled", finding.Title);
            Assert.AreEqual("Enabling backups may leak sensitive data to the cloud.", finding.Description);

            Assert.AreEqual(expectedPath, finding.FilePath);
            Assert.AreEqual("AndroidManifest.xml", finding.FullyQualifiedName);
            // A non-zero line shows the fixture was parsed with line information, which a
            // report needs in order to point at the offending element.
            Assert.AreEqual(11, finding.LineNumber);
        }
        // Positive case: the "MinSdkUnsupported.xml" fixture must produce exactly one finding,
        // and every reported field is pinned.
        public void MinSdkUnsupported()
        {
            AndroidManifestFile manifest = GetAndroidManifestFile("MinSdkUnsupported.xml");

            _analyzer.Analyze(manifest);

            Assert.AreEqual(1, _vulnerabilities.Count);
            Vulnerability finding = _vulnerabilities[0];
            // Path.Combine keeps the expected path valid for the platform's separator.
            string expectedPath = Path.Combine("TestFiles", "MinSdk", "MinSdkUnsupported.xml");

            Assert.AreEqual("MinSdk", finding.Code);
            Assert.AreEqual("App supports outdated Android version", finding.Title);
            Assert.AreEqual("Apps should no longer support Android Gingerbread or lower. This version is used by less than 0.3% of all devices and the latest release was in 2011.", finding.Description);

            Assert.AreEqual(expectedPath, finding.FilePath);
            Assert.AreEqual("AndroidManifest.xml", finding.FullyQualifiedName);
            // A non-zero line shows the fixture was parsed with line information.
            Assert.AreEqual(9, finding.LineNumber);
        }
        // Positive case: the "DebuggableTrue.xml" fixture must produce exactly one finding,
        // and every reported field is pinned.
        public void DebuggableTrue()
        {
            AndroidManifestFile manifest = GetAndroidManifestFile("DebuggableTrue.xml");

            _analyzer.Analyze(manifest);

            Assert.AreEqual(1, _vulnerabilities.Count);
            Vulnerability finding = _vulnerabilities[0];
            // Path.Combine keeps the expected path valid for the platform's separator.
            string expectedPath = Path.Combine("TestFiles", "Debuggable", "DebuggableTrue.xml");

            Assert.AreEqual("Debuggable", finding.Code);
            Assert.AreEqual("App has debugging enabled", finding.Title);
            Assert.AreEqual("Enabling debugging makes it easier for an attacker to reverse engineer your app.", finding.Description);

            Assert.AreEqual(expectedPath, finding.FilePath);
            Assert.AreEqual("AndroidManifest.xml", finding.FullyQualifiedName);
            // A non-zero line shows the fixture was parsed with line information.
            Assert.AreEqual(11, finding.LineNumber);
        }
        // Positive case: the "AllowBackupTrue.xml" fixture must produce exactly one finding.
        // Pins the severity and the remediation wording as well as the identifying fields.
        public void AllowBackupTrue()
        {
            AndroidManifestFile manifest = GetAndroidManifestFile("AllowBackupTrue.xml");

            _analyzer.Analyze(manifest);

            Assert.AreEqual(1, _vulnerabilities.Count);
            Vulnerability finding = _vulnerabilities[0];
            // Path.Combine keeps the expected path valid for the platform's separator.
            string expectedPath = Path.Combine("TestFiles", "AllowBackup", "AllowBackupTrue.xml");

            Assert.AreEqual("AllowBackup", finding.Code);
            Assert.AreEqual("Backups are enabled", finding.Title);
            // Severity is part of the contract: downstream triage may filter on it.
            Assert.AreEqual(SeverityLevel.Medium, finding.SeverityLevel);
            Assert.AreEqual("Enabling backups may leak (sensitive) app data to Google's cloud services. If you would like to disable this feature, set 'allowBackup' to false in the <application> element.", finding.Description);

            Assert.AreEqual(expectedPath, finding.FilePath);
            Assert.AreEqual("AndroidManifest.xml", finding.FullyQualifiedName);
            // A non-zero line shows the fixture was parsed with line information.
            Assert.AreEqual(11, finding.LineNumber);
        }
 /// <summary>
 /// Inspects the given Android manifest. The method is abstract, so each concrete analyzer
 /// supplies its own check; how findings are reported is not visible in this declaration.
 /// </summary>
 /// <param name="androidManifestFile">The manifest file to inspect.</param>
 public abstract void Analyze(AndroidManifestFile androidManifestFile);