From 07f914bcfcf8746dbfff6d242bc5c037699b17f5 Mon Sep 17 00:00:00 2001 From: yu fujioka Date: Sun, 14 Aug 2022 21:46:39 +0900 Subject: [PATCH 1/8] add new testing tool APKLab --- Document/0x05c-Reverse-Engineering-and-Tampering.md | 1 + Document/0x08a-Testing-Tools.md | 10 ++++++++++ 2 files changed, 11 insertions(+) diff --git a/Document/0x05c-Reverse-Engineering-and-Tampering.md b/Document/0x05c-Reverse-Engineering-and-Tampering.md index e919297c19..a0193a022b 100644 --- a/Document/0x05c-Reverse-Engineering-and-Tampering.md +++ b/Document/0x05c-Reverse-Engineering-and-Tampering.md @@ -34,6 +34,7 @@ If you want to look directly into Java source code on a GUI, simply open your AP Android decompilers go one step further and attempt to convert Android bytecode back into Java source code, making it more human-readable. Fortunately, Java decompilers generally handle Android bytecode well. The above mentioned tools embed, and sometimes even combine, popular free decompilers such as: +- [APKLab](https://github.com/APKLab/APKLab "APKLab") - [JD](http://jd.benow.ca/ "JD") - [JAD](http://www.javadecompilers.com/jad "JAD") - [jadx](https://github.com/skylot/jadx "jadx") diff --git a/Document/0x08a-Testing-Tools.md b/Document/0x08a-Testing-Tools.md index 90a6db4057..6c36a2cb68 100644 --- a/Document/0x08a-Testing-Tools.md +++ b/Document/0x08a-Testing-Tools.md 
@@ -1109,6 +1109,16 @@ For more information on what this tool can be used for, check out: - [APKiD: PEiD for Android Apps](https://github.com/enovella/cve-bio-enovella/blob/master/slides/bheu18-enovella-APKID.pdf) - [APKiD: Fast Identification of AppShielding Products](https://github.com/enovella/cve-bio-enovella/blob/master/slides/APKiD-NowSecure-Connect19-enovella.pdf) +### APKLab + +[APKLab](https://github.com/APKLab/APKLab "APKLab") is a Visual Studio Code extension that can unpack APKs, decompile DEX, apply patch, and rebuild APKs. +Internally it uses [apktool](https://github.com/iBotPeaches/Apktool "apktool") and [jadx](https://github.com/skylot/jadx "jadx"), so you can use those features in Visual Studio Code. + +In addition, APKLab provides various features such as signing APKs, MITM Patch, and more. +For more information, you can refer to the following documentation. + +- APKLab - + ### Apktool [Apktool](https://github.com/iBotPeaches/Apktool) is used to unpack Android app packages (APKs). Simply unzipping APKs with the standard `unzip` utility leaves some files unreadable. `AndroidManifest.xml` is encoded into binary XML format which isnโ€™t readable with a text editor. Also, the app resources are still packaged into a single archive file. From 68130ed27576fc689330f28aa005e37a32013d33 Mon Sep 17 00:00:00 2001 From: yu fujioka Date: Thu, 18 Aug 2022 14:46:23 +0900 Subject: [PATCH 2/8] Update Document/0x08a-Testing-Tools.md Co-authored-by: Carlos Holguera --- Document/0x08a-Testing-Tools.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/Document/0x08a-Testing-Tools.md b/Document/0x08a-Testing-Tools.md index 6c36a2cb68..72d4eae7f4 100644 --- a/Document/0x08a-Testing-Tools.md +++ b/Document/0x08a-Testing-Tools.md 
@@ -1115,9 +1115,7 @@ For more information on what this tool can be used for, check out: Internally it uses [apktool](https://github.com/iBotPeaches/Apktool "apktool") and [jadx](https://github.com/skylot/jadx "jadx"), so you can use those features in Visual Studio Code. In addition, APKLab provides various features such as signing APKs, MITM Patch, and more. -For more information, you can refer to the following documentation. - -- APKLab - +For more information, you can refer to [APKLab's official documentation](https://apklab.surendrajat.xyz/). ### Apktool From 3021d953c0080aec0eda46eb59d06a0015e48f33 Mon Sep 17 00:00:00 2001 From: yu fujioka Date: Thu, 18 Aug 2022 14:46:57 +0900 Subject: [PATCH 3/8] Update Document/0x08a-Testing-Tools.md Co-authored-by: Carlos Holguera --- Document/0x08a-Testing-Tools.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Document/0x08a-Testing-Tools.md b/Document/0x08a-Testing-Tools.md index 72d4eae7f4..0786bc17f2 100644 --- a/Document/0x08a-Testing-Tools.md +++ b/Document/0x08a-Testing-Tools.md @@ -1111,8 +1111,7 @@ For more information on what this tool can be used for, check out: ### APKLab -[APKLab](https://github.com/APKLab/APKLab "APKLab") is a Visual Studio Code extension that can unpack APKs, decompile DEX, apply patch, and rebuild APKs. -Internally it uses [apktool](https://github.com/iBotPeaches/Apktool "apktool") and [jadx](https://github.com/skylot/jadx "jadx"), so you can use those features in Visual Studio Code. +[APKLab](https://github.com/APKLab/APKLab "APKLab") is a convenient Visual Studio Code extension leveraging tools such as [apktool](#apktool) and [jadx](#jadx) to enable features including app unpacking, decompilation, code patching (e.g. for MITM), and repackaging straight from the IDE. In addition, APKLab provides various features such as signing APKs, MITM Patch, and more. For more information, you can refer to [APKLab's official documentation](https://apklab.surendrajat.xyz/). 
From 9c651c73e76af88366f63e17f0f01bf15c999a60 Mon Sep 17 00:00:00 2001 From: yu fujioka Date: Thu, 18 Aug 2022 14:47:11 +0900 Subject: [PATCH 4/8] Update Document/0x08a-Testing-Tools.md Co-authored-by: Carlos Holguera --- Document/0x08a-Testing-Tools.md | 1 - 1 file changed, 1 deletion(-) diff --git a/Document/0x08a-Testing-Tools.md b/Document/0x08a-Testing-Tools.md index 0786bc17f2..6ce3da2c7c 100644 --- a/Document/0x08a-Testing-Tools.md +++ b/Document/0x08a-Testing-Tools.md @@ -1113,7 +1113,6 @@ For more information on what this tool can be used for, check out: [APKLab](https://github.com/APKLab/APKLab "APKLab") is a convenient Visual Studio Code extension leveraging tools such as [apktool](#apktool) and [jadx](#jadx) to enable features including app unpacking, decompilation, code patching (e.g. for MITM), and repackaging straight from the IDE. -In addition, APKLab provides various features such as signing APKs, MITM Patch, and more. For more information, you can refer to [APKLab's official documentation](https://apklab.surendrajat.xyz/). ### Apktool From 86fd672baebca79e1374731547d666c43d8a4ea9 Mon Sep 17 00:00:00 2001 From: yu fujioka Date: Thu, 18 Aug 2022 14:51:24 +0900 Subject: [PATCH 5/8] apply #discussion_r947654273 https://github.com/OWASP/owasp-mstg/pull/2177#discussion_r947654273 --- Document/0x05c-Reverse-Engineering-and-Tampering.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Document/0x05c-Reverse-Engineering-and-Tampering.md b/Document/0x05c-Reverse-Engineering-and-Tampering.md index a0193a022b..554aefbbce 100644 --- a/Document/0x05c-Reverse-Engineering-and-Tampering.md +++ b/Document/0x05c-Reverse-Engineering-and-Tampering.md 
@@ -34,14 +34,13 @@ If you want to look directly into Java source code on a GUI, simply open your AP Android decompilers go one step further and attempt to convert Android bytecode back into Java source code, making it more human-readable. Fortunately, Java decompilers generally handle Android bytecode well. The above mentioned tools embed, and sometimes even combine, popular free decompilers such as: -- [APKLab](https://github.com/APKLab/APKLab "APKLab") - [JD](http://jd.benow.ca/ "JD") - [JAD](http://www.javadecompilers.com/jad "JAD") - [jadx](https://github.com/skylot/jadx "jadx") - [Procyon](https://github.com/mstrobel/procyon "Procyon") - [CFR](https://www.benf.org/other/cfr/ "CFR") -Alternatively run [apkx](0x08a-Testing-Tools.md#apkx) on your APK or use the exported files from the previous tools to open the Java source code in another tool such as an IDE. +Alternatively you can use the [APKLab](https://github.com/APKLab/APKLab) extension for Visual Studio Code or run [apkx](0x08a-Testing-Tools.md#apkx) on your APK or use the exported files from the previous tools to open the reversed source code on your preferred IDE. In the following example we'll be using [UnCrackable App for Android Level 1](0x08b-Reference-Apps.md#uncrackable-app-for-android-level-1). First, let's install the app on a device or emulator and run it to see what the crackme is about. From fed673f20468664098e7aae63bdbcc98535f9124 Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Thu, 18 Aug 2022 11:06:34 +0200 Subject: [PATCH 6/8] fix link to tools chapter --- Document/0x05c-Reverse-Engineering-and-Tampering.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Document/0x05c-Reverse-Engineering-and-Tampering.md b/Document/0x05c-Reverse-Engineering-and-Tampering.md index 554aefbbce..bb308cddef 100644 --- a/Document/0x05c-Reverse-Engineering-and-Tampering.md +++ b/Document/0x05c-Reverse-Engineering-and-Tampering.md 
@@ -40,7 +40,7 @@ Android decompilers go one step further and attempt to convert Android bytecode - [Procyon](https://github.com/mstrobel/procyon "Procyon") - [CFR](https://www.benf.org/other/cfr/ "CFR") -Alternatively you can use the [APKLab](https://github.com/APKLab/APKLab) extension for Visual Studio Code or run [apkx](0x08a-Testing-Tools.md#apkx) on your APK or use the exported files from the previous tools to open the reversed source code on your preferred IDE. +Alternatively you can use the [APKLab](0x08a-Testing-Tools.md#apklab) extension for Visual Studio Code or run [apkx](0x08a-Testing-Tools.md#apkx) on your APK or use the exported files from the previous tools to open the reversed source code on your preferred IDE. In the following example we'll be using [UnCrackable App for Android Level 1](0x08b-Reference-Apps.md#uncrackable-app-for-android-level-1). First, let's install the app on a device or emulator and run it to see what the crackme is about. From 5d6f1130810b7f45005ef40653b5d57cf18549cb Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Thu, 18 Aug 2022 05:24:56 -0400 Subject: [PATCH 7/8] fix spelling --- .github/ISSUE_TEMPLATE/make-donation.yml | 2 +- .github/workflows/spell-checker.yml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/make-donation.yml b/.github/ISSUE_TEMPLATE/make-donation.yml index c2bcaf5483..90a3ffb0c7 100644 --- a/.github/ISSUE_TEMPLATE/make-donation.yml +++ b/.github/ISSUE_TEMPLATE/make-donation.yml @@ -66,7 +66,7 @@ body: id: paperback attributes: label: ๐Ÿ“˜ MSTG Paperback Copies - description: Would you like to receive the paperback copie(s) of the MSTG as indicated in your Donation Package? + description: Would you like to receive the paperback copies of the MSTG as indicated in your Donation Package? options: - ๐ŸŒฑ No, please save the money for the project and help the environment and climate. - ๐Ÿ“ฎ Yes, please send them to me. 
diff --git a/.github/workflows/spell-checker.yml b/.github/workflows/spell-checker.yml index 6e1afdf1f8..ccc001963b 100644 --- a/.github/workflows/spell-checker.yml +++ b/.github/workflows/spell-checker.yml @@ -14,4 +14,5 @@ jobs: - uses: actions/checkout@v2 - uses: codespell-project/actions-codespell@master with: - ignore_words_list: ba,compliancy,firt,ist,keypair,ligh,ser,synopsys,theses,zuser + ignore_words_list: "ba,bund,compliancy,firt,ist,keypair,ligh,ro,ser,synopsys,theses,zuser" + skip: "*.json,*.yml,*.apk,*.ipa" From 3f1c331335a7b44f71a8d2ea506c947039c096f6 Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Thu, 18 Aug 2022 05:27:24 -0400 Subject: [PATCH 8/8] fix spelling --- Document/0x04i-Testing-User-Privacy-Protection.md | 2 +- Document/0x05e-Testing-Cryptography.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Document/0x04i-Testing-User-Privacy-Protection.md b/Document/0x04i-Testing-User-Privacy-Protection.md index 53379d5f3d..e4e6fab5e0 100644 --- a/Document/0x04i-Testing-User-Privacy-Protection.md +++ b/Document/0x04i-Testing-User-Privacy-Protection.md 
@@ -110,7 +110,7 @@ You can follow these steps: 2. Go to the section ["Privacy Details"](https://developer.apple.com/app-store/app-privacy-details/) (App Store) or ["Safety Section"](https://android-developers.googleblog.com/2021/05/new-safety-section-in-google-play-will.html) (Google Play). 3. Verify if there's any information available at all. -The test passes if the developer has complied with the app marketplace guidelines and included the required labels and explanations. Store and provide the information you got from the app marketplace as evidence, so that you can later use it to evaluate potential violations of privacy or data protection. +The test passes if the developer has compiled with the app marketplace guidelines and included the required labels and explanations. Store and provide the information you got from the app marketplace as evidence, so that you can later use it to evaluate potential violations of privacy or data protection. ### Dynamic analysis diff --git a/Document/0x05e-Testing-Cryptography.md b/Document/0x05e-Testing-Cryptography.md index 8a284f7798..e7af241397 100644 --- a/Document/0x05e-Testing-Cryptography.md +++ b/Document/0x05e-Testing-Cryptography.md 
@@ -28,7 +28,7 @@ These phases are managed by the Keystore/KeyChain system. However how the system Apps that target modern API levels, went through the following changes: -- For Android 7.0 (API level 24) and above [the Android Developer blog shows that](https://android-developers.googleblog.com/2016/06/security-crypto-provider-deprecated-in.html "Security provider Crypto deprecated in Andorid N"): +- For Android 7.0 (API level 24) and above [the Android Developer blog shows that](https://android-developers.googleblog.com/2016/06/security-crypto-provider-deprecated-in.html "Security provider Crypto deprecated in Android N"): - It is recommended to stop specifying a security provider. Instead, always use a [patched security provider](0x05e-Testing-Cryptography.md#updating-provider). - The support for the `Crypto` provider has dropped and the provider is deprecated. The same applies to its `SHA1PRNG` for secure random. - For Android 8.1 (API level 27) and above the [Developer Documentation](https://developer.android.com/about/versions/oreo/android-8.1 "Cryptography updates") shows that:
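Review bot: APKLab does not belong under "popular free decompilers" in the `Document/0x05c-Reverse-Engineering-and-Tampering.md` hunk of PATCH 1/8. The tools entry added in the same patch describes it as a Visual Studio Code extension that "Internally it uses apktool and jadx", so it is a front end to a decompiler already on the list (jadx), not a decompiler itself. Suggest dropping the bullet and mentioning APKLab in the "Alternatively run apkx ..." sentence that follows the list.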
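Review bot: the last added line of the new `### APKLab` section in `Document/0x08a-Testing-Tools.md` (PATCH 1/8) is the list item `- APKLab -`, which has no link or text after the dash, so "you can refer to the following documentation" points at nothing. Add the documentation URL as an inline link or remove the sentence and the bullet. Minor wording: "apply patch" should be "apply patches".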
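Review bot: the rewritten APKLab paragraph in PATCH 3/8 uses in-page anchors `[apktool](#apktool)` and `[jadx](#jadx)`. A `### Apktool` heading is visible in this file's hunk context, but no jadx heading appears anywhere in the series, so please confirm that `#jadx` resolves in `0x08a-Testing-Tools.md` before merging, or keep the external jadx link the previous wording used.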
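Review bot: the line deleted in PATCH 4/8 ("In addition, APKLab provides various features such as signing APKs, MITM Patch, and more.") was the only place the entry mentioned APK signing. The remaining summary lists unpacking, decompilation, code patching and repackaging; since a repackaged APK has to be re-signed before it will install, consider adding signing to that list rather than dropping it.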
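Review bot: in the replacement sentence of PATCH 5/8 (`0x05c-Reverse-Engineering-and-Tampering.md`), APKLab links to the GitHub repository while apkx in the same sentence links to `0x08a-Testing-Tools.md#apkx`. Point APKLab at its tools chapter entry so both references behave the same way. The sentence also chains three alternatives with "or ... or ..."; a comma-separated list would read more clearly, and "on your preferred IDE" should be "in your preferred IDE".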
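Review bot: the new `skip: "*.json,*.yml,*.apk,*.ipa"` line in `.github/workflows/spell-checker.yml` (PATCH 7/8) excludes YAML files from codespell, which includes `.github/ISSUE_TEMPLATE/make-donation.yml`, the file whose wording this same commit corrects by hand. If the goal is only to avoid false positives in workflow files, narrow the pattern so the issue templates stay covered. Separately, the unchanged context lines show `codespell-project/actions-codespell@master` and `actions/checkout@v2`; an action referenced by branch runs whatever that branch currently points to, so pinning to a release tag or commit SHA would be worth doing while this file is being touched.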
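Review bot: the `Document/0x04i-Testing-User-Privacy-Protection.md` hunk of PATCH 8/8 changes "complied" to "compiled" under a "fix spelling" subject, which replaces a correct word with a wrong one. The sentence is about the developer having complied with the app marketplace guidelines, so the `-` line was right and this change should be reverted. The "Andorid" to "Android" fix in the `0x05e-Testing-Cryptography.md` hunk of the same patch is fine.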