Comments (4)
vanderaj
commented on July 20, 2024
These are special diagnostic features of certain Android platforms:
This is a platform issue on Android, and to a lesser extent Windows phones. Check this out.
The attack path is:
- On a single Google account, deploy an app to the google play store with a suitable code
- On a single device, Install the app
- On a single unlocked device, type the secret diagnostic code
- See interesting stuff
So unless the app is Angry Birds, or a core system component, it's unlikely that any nefarious behavior will occur until triggered by a user, who can also root the device, run with USB debugging and run the app under an emulator.
Please explain how someone who has unauthorized access to the phone or table would exploit this issue? Is this an issue that the ASVS should cover? Could it be covered under the malicious code L3 requirement?
For example, can you access these hidden menus from the emergency dialer whilst the phone is locked?
thanks
Andrew
from asvs.
bugwrangler
commented on July 20, 2024
Well, let me brief you the problem ~ I wanted to make clear POV for the app manifest file design.
I was testing android mobile app for one of our banking client.
Developer has put some Dailer Android:scheme=“android_secret_code” (XXXXXX) for the APP Secrets screen E.G – Using this hidden screen, User is allowed to change API , back logs server details, Put a Master password , Back up crash logs etc.
I just wanted to make sure, Dev should know - this kind of secrets screen easily available at end users side, so this must not grant access to any sensitive information disclosure.
E.g – I have taken your phone for giving a call, now Being attacker I can change API / Put a Master password – Next story I don’t need describe what can't be done using this. This issue reproduces with real device.
Yep - App oriented secret doesn't be execute via emergency dialer.
from asvs.
bugwrangler
commented on July 20, 2024
This should be cover in mobile control sheet, however its my individual view. We can discuss further with team and take a call where this best fit. 👍
from asvs.
danielcuthbert
commented on July 20, 2024
I feel this is covered in the mobile control sheet too.
from asvs.
Related Issues (20)
- 2.3.1 and 2.5.1 tags are misleading HOT 2
- Clarify horizontal and vertical access control (4.2.1) HOT 11
- Add ReqView format as generated output HOT 5
- 2.3.4 does not seem like registration HOT 1
- Proposal: the application must belong/covered to the HSTS preload list (probably level 3) HOT 45
- Do we want V7.4 to get moved to V10? HOT 3
- Minor V7 changes HOT 2
- Italian Translation HOT 1
- V11 rework by @jmanico HOT 16
- update 50.2.1 (v4.0.3-14.4.3) and/or split requirement for content-security-policy HOT 13
- move or merge 8.3.5 to V7 HOT 3
- URL Safety HOT 23
- proposal/discussion: OAuth - disallow web application to be OAuth public client (and to have direct communication with OAuth token endpoint) HOT 4
- proposal/discussion: OAuth - (for 1st party usage) only used (by the client) communication options must be allowed by authorization server HOT 4
- proposal/discussion: OAuth - separate requirement for redirect_uri string-match registration and handling HOT 8
- discussion: OAuth - using OAuth just for authentication HOT 6
- proposal/discussion: JWT - 3.5.6 add "type", and rephrase it to describe the goal HOT 7
- proposal/discussion: OAuth: requirement for refresh_token lifetime
- V51: Additional OAuth/OIDC proposals HOT 6
- discussion OAuth/OIDC: accepted flows and grants HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from asvs.