Secure Data Store - Android - INCOMPLETE
The purpose of this test was to verify https://github.com/Path-Check/covid-safe-paths/pull/784, but also the secure Realm DB: https://github.com/Path-Check/covid-safe-paths/pull/788
Testing was based on the OWASP principles for testing secure data storage on Android - https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md
Device: Android 10 Pixel 3A
Scope
MSTG-STORAGE-1: "System credential storage facilities need to be used to store sensitive data, such as PII, user credentials or cryptographic keys."
MSTG-STORAGE-2: "No sensitive data should be stored outside of the app container or system credential storage facilities."
MSTG-STORAGE-3: "No sensitive data is written to application logs."
MSTG-STORAGE-4: "No sensitive data is shared with third parties unless it is a necessary part of the architecture."
MSTG-STORAGE-5: "The keyboard cache is disabled on text inputs that process sensitive data."
MSTG-STORAGE-6: "No sensitive data is exposed via IPC mechanisms."
MSTG-STORAGE-7: "No sensitive data, such as passwords or pins, is exposed through the user interface."
MSTG-STORAGE-8: "No sensitive data is included in backups generated by the mobile operating system."
MSTG-STORAGE-9: "The app removes sensitive data from views when moved to the background."
MSTG-STORAGE-10: "The app does not hold sensitive data in memory longer than necessary, and memory is cleared explicitly after use."
MSTG-STORAGE-11: "The app enforces a minimum device-access-security policy, such as requiring the user to set a device passcode."
MSTG-PLATFORM-2: "All inputs from external sources and the user are validated and if necessary sanitized. This includes data received via the UI, IPC mechanisms such as intents, custom URLs, and network sources."
Issue Summary
Testing Local Storage for Sensitive Data (MSTG-STORAGE-1 and MSTG-STORAGE-2)
Static Review
All of the OWASP principles and checks that were static, e.g. code review, were conducted. The only finding was that the AndroidManifest.xml allows logging to external (insecure) storage, but it is not used.
Dynamic Review
Secure Database
I added the below line of code inside the getEncryptionKey() method in RealmSecureStorage.kt
Log.i(TAG, "Key: " + Base64.decode(existingKeyString, Base64.DEFAULT)) // string-concatenating a ByteArray logs its identity string ([B@...), not the bytes it holds
Once this code is built and deployed on a phone, you can view the key in adb logcat.
In my case this was something like: [B@83acf03
This needs to be converted to a 128-character hex string to load the database in Realm Studio; this should be possible with the following Python:
import binascii
key = "[B@83acf03"  # the value printed by the Log.i line above
binascii.hexlify(key.encode('utf-8'))
However, the result is only 20 chars long, not 128.
It was also observed that the key appears different each time the app is reloaded (not redeployed):
05-10 18:27:51.568 3372 3436 I RealmSecureStorage: Key: [B@83acf03
05-10 18:33:52.486 4677 4704 I RealmSecureStorage: Key: [B@a68ccb9
05-10 18:34:09.255 4834 4856 I RealmSecureStorage: Key: [B@311585f
This behaviour doesn't seem correct; I am probably doing something wrong here, as the timestamp on the XML-stored encryption key was 1714. I pulled that from shared_prefs and it looked quite different:
l3nwL9nl2V4HAn9Tqm06d1BFifEi9n/RE74L1OhJUqP3TbSXLrMRwFwMfKJK+jivGOrb/HMQGq+n
T4+1C3P2kRcyzuqcDwIfo8JpN6j/k5bQcnk66t7HovjT+DuW0HHK6itVoQcrE42em88vb69stTsP
3XtT6lFU23qcMPDCaMBTPfA9KXSdv40k2sVbKNtbf8fyAZNY+Erw6YQHBnd7F/qXjx4/5/F7gf1u
l7E44up3iSk9ZgSTImRz28Ud6TL/JXIVLYtXinZ66GkmjxsFDlBnrmsTscdVOcHOZelUBOnh8XYx
ieLRgBXJzc7Dy2Jk2qlKmMHp2ZUoE6JDoixrow==
Then, back in Python I was able to do
import base64
import binascii
import sys
key = sys.stdin.read()  # paste the base64 value from shared_prefs (above) on stdin
binascii.hexlify(str(key).encode('utf-8'))
However, this gave me 1511 characters… way too many. Possibly there is another level of encryption applied to this file.
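As an added example (not code from these notes or from the Safe Paths project), the conversion step with the bytes decoded first: a value is a raw Realm key only if it decodes to exactly 64 bytes, which is what Realm Studio's 128 hex characters represent. The shared_prefs value quoted above is embedded as input, the 64-byte key is a constructed sample, and the remark about a 256-byte value being a Keystore-wrapped key is an assumption.

```python
import base64
import binascii
from typing import Optional

# Realm encrypts with a 64-byte (512-bit) key; Realm Studio asks for it as 128 hex characters.
REALM_KEY_BYTES = 64

# The base64 value pulled from shared_prefs in the notes above, line breaks as printed there.
SHARED_PREFS_VALUE = """
l3nwL9nl2V4HAn9Tqm06d1BFifEi9n/RE74L1OhJUqP3TbSXLrMRwFwMfKJK+jivGOrb/HMQGq+n
T4+1C3P2kRcyzuqcDwIfo8JpN6j/k5bQcnk66t7HovjT+DuW0HHK6itVoQcrE42em88vb69stTsP
3XtT6lFU23qcMPDCaMBTPfA9KXSdv40k2sVbKNtbf8fyAZNY+Erw6YQHBnd7F/qXjx4/5/F7gf1u
l7E44up3iSk9ZgSTImRz28Ud6TL/JXIVLYtXinZ66GkmjxsFDlBnrmsTscdVOcHOZelUBOnh8XYx
ieLRgBXJzc7Dy2Jk2qlKmMHp2ZUoE6JDoixrow==
"""

# Constructed sample (not from the app): a raw 64-byte Realm key as it would appear base64-encoded.
CONSTRUCTED_RAW_KEY_B64 = base64.b64encode(bytes(range(64))).decode("ascii")


def hexlify_text(text: str) -> str:
    """What the notes did: hex-encode the characters of a string. Always 2 hex digits per char,
    so the 10-character identity string "[B@83acf03" gives 20, and a base64 blob gives far more."""
    return binascii.hexlify(text.encode("utf-8")).decode("ascii")


def decode_b64_value(text: str) -> bytes:
    """Decode a base64 value as written by Android's Base64.DEFAULT (line breaks permitted)."""
    return base64.b64decode("".join(text.split()))


def realm_key_hex(text: str) -> Optional[str]:
    """The 128-char hex string Realm Studio wants, or None if the decoded value is not 64 bytes."""
    blob = decode_b64_value(text)
    if len(blob) != REALM_KEY_BYTES:
        return None
    return binascii.hexlify(blob).decode("ascii")


def describe(text: str) -> str:
    """One-line verdict for a value found in shared_prefs."""
    key = realm_key_hex(text)
    if key is not None:
        return f"raw Realm key ({len(key)} hex chars)"
    # Any other length is not the key itself. Assumption, not confirmed by the notes: 256 bytes is
    # the size of a 2048-bit RSA ciphertext, i.e. the Realm key wrapped by an Android Keystore key.
    return f"not a raw key: {len(decode_b64_value(text))} bytes decoded, expected {REALM_KEY_BYTES}"


if __name__ == "__main__":
    print("shared_prefs value:", describe(SHARED_PREFS_VALUE))
    print("constructed raw key:", describe(CONSTRUCTED_RAW_KEY_B64))
```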
Legacy Databases
The RKStorage, logback.db and cordova_bg_geolocation.db SQLite databases were examined.
Potential issue: CROSSED_PATHS still seems to contain data not migrated to the secure database.
Testing Logs for Sensitive Data (MSTG-STORAGE-3)
ISSUE: Intersection-related calculations are logged.
Determining Whether Sensitive Data is Sent to Third Parties (MSTG-STORAGE-4)
No issues detected.
Determining Whether the Keyboard Cache Is Disabled for Text Input Fields (MSTG-STORAGE-5)
No such fields.
Determining Whether Sensitive Stored Data Has Been Exposed via IPC Mechanisms (MSTG-STORAGE-6)
No providers.
Checking for Sensitive Data Disclosure Through the User Interface (MSTG-STORAGE-7)
No issues found.
Testing Backups for Sensitive Data (MSTG-STORAGE-8)
Backup not permitted.
Finding Sensitive Information in Auto-Generated Screenshots (MSTG-STORAGE-9)
In my view, there is no need to prevent people from screenshotting their own exposure history
Checking Memory for Sensitive Data (MSTG-STORAGE-10)
Todo
Testing the Device-Access-Security Policy (MSTG-STORAGE-11)
Todo