MASVS-STORAGE
Testing Local Storage for Sensitive Data -> after exercising every feature, check whether the app's folder contains any sensitive information -> nothing
Testing the Device-Access-Security Policy ->
Testing Memory for Sensitive Data -> dump memory with frida to pick up information -> nothing found -> not Vulnerable
Testing Backups for Sensitive Data -> no android:allowBackup="true" -> not Vulnerable
Testing Logs for Sensitive Data -> logcat the app and see if anything shows up -> nothing sensitive seen -> not Vulnerable
Determining Whether Sensitive Data Is Shared with Third Parties via Notifications ->
Determining Whether the Keyboard Cache Is Disabled for Text Input Fields -> check whether the password gets cached and offered as a suggestion -> not Vulnerable
Determining Whether Sensitive Data Is Shared with Third Parties via Embedded Services -> look at the requests to see whether sensitive information is sent out to third parties ->
MASVS-CRYPTO
MASVS-AUTH
Testing Confirm Credentials -> not Vulnerable
Testing Biometric Authentication -> no biometric use seen -> not Vulnerable
MASVS-NETWORK
Testing the Security Provider ->
Testing Data Encryption on the Network -> not Vulnerable
MASVS-PLATFORM
Testing for App Permissions -> scan with mobsf -> not Vulnerable
Testing for Sensitive Functionality Exposure Through IPC ->
Testing Deep Links -> none seen -> not Vulnerable
Testing for Vulnerable Implementation of PendingIntent ->
Determining Whether Sensitive Stored Data Has Been Exposed via IPC Mechanisms ->
Testing WebView Protocol Handlers -> looked at the package, it does not use WebView
Testing JavaScript Execution in WebViews ->
Testing WebViews Cleanup -> check whether the data in the folder gets deleted or not
Testing for Java Objects Exposed Through WebViews ->
Checking for Sensitive Data Disclosure Through the User Interface -> is sensitive data masked yet
Testing for Overlay Attacks ->
MASVS-CODE
Checking for Weaknesses in Third Party Libraries -> not tested, no white-box source code available -> not Vulnerable
Testing Object Persistence -> check whether data is stored in object form or not
Make Sure That Free Security Features Are Activated -> not vuln
MASVS-RESILIENCE
Making Sure that the App is Properly Signed -> check this in the mobsf report or use apksigner verify -> not Vulnerable
Testing for Debugging Symbols -> not Vulnerable
Testing Obfuscation -> the Java source is obfuscated
Testing for Debugging Code and Verbose Error Logging ->
Testing whether the App is Debuggable -> not seen in the manifest file -> not Vulnerable
Testing Anti-Debugging Detection -> debug with

---------- bug summary -----------------
Testing the Device-Access-Security Policy -> the app checks for root / USB debugging, ... -> it checks, but bypassing with a hook is quite easy -> Vulnerable
Testing Reverse Engineering Tools Detection -> once root detection is bypassed, the Google services check in the app no longer shows up -> vuln
Testing Emulator Detection -> has a check -> bypassed -> Vulnerable
Testing Root Detection -> has a check, too easy to bypass -> bypassed -> Vulnerable
Testing Runtime Integrity Checks -> hooking in with frida still works as normal -> vuln
Finding Sensitive Information in Auto-Generated Screenshots -> does the app blur sensitive data in screenshots or not -> screenshots of the change-password screen are allowed -> Vulnerable
Testing Endpoint Identity Verification -> need to re-check what happens without the script and with only a self-signed cert installed -> requests still go through -> vuln
Testing Custom Certificate Stores and Certificate Pinning -> SSL pinning not implemented -> Vulnerable
Testing Local Storage for Sensitive Data -> after exercising every feature, check whether the app's folder contains any sensitive information -> it stores the Firebase App Check token
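Several of the checklist items above (backups, debuggable flag, IPC exposure, deep links) come down to reading the decoded AndroidManifest.xml. This is an added example, not part of the original notes or of the tested app, that automates those manifest checks over a constructed sample manifest; the package name, component names and permission string are placeholders.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample of a decoded AndroidManifest.xml (apktool-style output); not from any real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.placeholder">
  <application android:allowBackup="true" android:debuggable="false">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="example.invalid"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver" android:exported="true"/>
    <service android:name=".TokenService" android:exported="true"
             android:permission="com.example.placeholder.USE_TOKEN"/>
  </application>
</manifest>
"""

def attr(elem, name, default=None):
    # Read an android:-namespaced attribute, falling back to the given default.
    return elem.get(NS + name, default)

def is_deep_link(intent_filter):
    # VIEW action + BROWSABLE category + a <data> element means the component is reachable from a URL.
    actions = {attr(a, "name") for a in intent_filter.findall("action")}
    cats = {attr(c, "name") for c in intent_filter.findall("category")}
    return ("android.intent.action.VIEW" in actions and "android.intent.category.BROWSABLE" in cats
            and intent_filter.find("data") is not None)

def audit_manifest(xml_text):
    """Static checks behind the backup, debuggable, IPC-exposure and deep-link items of the checklist."""
    app = ET.fromstring(xml_text).find("application")
    report = {
        "allow_backup": attr(app, "allowBackup", "true") == "true",  # attribute absent -> defaults to true
        "debuggable": attr(app, "debuggable", "false") == "true",
        "exported_without_permission": [],
        "deep_links": [],
    }
    for comp in app:
        if comp.tag not in ("activity", "activity-alias", "service", "receiver", "provider"):
            continue
        filters = comp.findall("intent-filter")
        # Before API 31 a component with an intent-filter is exported unless android:exported="false".
        exported = attr(comp, "exported") == "true" or (attr(comp, "exported") is None and bool(filters))
        if exported and attr(comp, "permission") is None:
            report["exported_without_permission"].append(attr(comp, "name"))
        report["deep_links"].extend(attr(comp, "name") for f in filters if is_deep_link(f))
    return report
```

Run it against the manifest apktool produces for the app under test; an exported component without a permission or an allowBackup default of true is the starting point for the corresponding checklist item, not a finding by itself.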