Merge pull request #81 from Ostorlab/feature/support_PCI_compliance

Feature/adding the pci standard
Ostorlab · Oct 11, 2023 · 8e903f5 · 8e903f5
2 parents e3d4382 + 673de9d
commit 8e903f5
Show file tree

Hide file tree

Showing 137 changed files with 870 additions and 33 deletions.
diff --git a/MOBILE_CLIENT/ANDROID/_HARDENING/APK_DEBUG/meta.json b/MOBILE_CLIENT/ANDROID/_HARDENING/APK_DEBUG/meta.json
@@ -14,6 +14,9 @@
     ],
     "OWASP_MASVS_L2": [
       "MSTG_CODE_2"
+    ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_2_2"
     ]
   }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_HARDENING/APK_ELF_NOTPROTECTED/meta.json b/MOBILE_CLIENT/ANDROID/_HARDENING/APK_ELF_NOTPROTECTED/meta.json
@@ -16,6 +16,9 @@
     ],
     "OWASP_MASVS_L2": [
       "MSTG_CODE_9"
+    ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_2_2"
     ]
   }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_HARDENING/APK_INSECURE_NETWORK_SECURITY_CONFIG/meta.json b/MOBILE_CLIENT/ANDROID/_HARDENING/APK_INSECURE_NETWORK_SECURITY_CONFIG/meta.json
@@ -14,6 +14,10 @@
     ],
     "OWASP_MASVS_L2": [
       "MSTG_NETWORK_1"
+    ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_1_2",
+      "REQUIREMENT_2_2"
     ]
   }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_HARDENING/APK_NOT_OBFUSCATED/meta.json b/MOBILE_CLIENT/ANDROID/_HARDENING/APK_NOT_OBFUSCATED/meta.json
@@ -13,6 +13,9 @@
     "OWASP_MASVS_RESILIENCE": [
       "MSTG_RESILIENCE_9",
       "MSTG_RESILIENCE_12"
+    ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_2_2"
     ]
   }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_HIGH/APK_BIOMETRIC_AUTHENTICATION_BYPASS/meta.json b/MOBILE_CLIENT/ANDROID/_HIGH/APK_BIOMETRIC_AUTHENTICATION_BYPASS/meta.json
@@ -16,6 +16,11 @@
     "GDPR": [
       "ART_5",
       "ART_32"
+    ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_6_2",
+      "REQUIREMENT_6_3",
+      "REQUIREMENT_8_3"
     ]
   }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_HIGH/APK_FILE_PROVIDER_PERMISSIVE_EXTERNAL_PATH/meta.json b/MOBILE_CLIENT/ANDROID/_HIGH/APK_FILE_PROVIDER_PERMISSIVE_EXTERNAL_PATH/meta.json
@@ -25,6 +25,11 @@
     "GDPR": [
       "ART_5",
       "ART_32"
+    ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_2_2",
+      "REQUIREMENT_6_2",
+      "REQUIREMENT_11_3"
     ]
   }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_HIGH/APK_INSECURE_EXEC_CMD/meta.json b/MOBILE_CLIENT/ANDROID/_HIGH/APK_INSECURE_EXEC_CMD/meta.json
@@ -20,6 +20,11 @@
     "GDPR": [
       "ART_5",
       "ART_32"
+    ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_6_2",
+      "REQUIREMENT_6_3",
+      "REQUIREMENT_11_3"
     ]
   }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_HIGH/APK_NOTIFICATION_SPOOFING/meta.json b/MOBILE_CLIENT/ANDROID/_HIGH/APK_NOTIFICATION_SPOOFING/meta.json
@@ -21,6 +21,12 @@
     "GDPR": [
       "ART_5",
       "ART_32"
+    ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_6_2",
+      "REQUIREMENT_6_3",
+      "REQUIREMENT_7_3",
+      "REQUIREMENT_11_3"
     ]
   }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_HIGH/APK_WIFI_API_PII/meta.json b/MOBILE_CLIENT/ANDROID/_HIGH/APK_WIFI_API_PII/meta.json
@@ -17,6 +17,12 @@
       "ART_25",
       "ART_32",
       "ART_35"
+    ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_2_2",
+      "REQUIREMENT_6_2",
+      "REQUIREMENT_6_3",
+      "REQUIREMENT_7_3"
     ]
   }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_HIGH/INSECURE_PACKAGE_CONTEXT/meta.json b/MOBILE_CLIENT/ANDROID/_HIGH/INSECURE_PACKAGE_CONTEXT/meta.json
@@ -22,7 +22,12 @@
         "ART_25",
         "ART_32",
         "ART_35"
-      ]
+      ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_6_2",
+      "REQUIREMENT_6_3",
+      "REQUIREMENT_11_3"
+    ]
     }
   }
 
diff --git a/MOBILE_CLIENT/ANDROID/_IMPORTANT/APK_EXPORTED/meta.json b/MOBILE_CLIENT/ANDROID/_IMPORTANT/APK_EXPORTED/meta.json
@@ -16,6 +16,9 @@
     ],
     "OWASP_MASVS_L2": [
       "MSTG_PLATFORM_4"
+    ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_6_2"
     ]
   }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_INFO/APK_ANALYZE_JNI_ELF/meta.json b/MOBILE_CLIENT/ANDROID/_INFO/APK_ANALYZE_JNI_ELF/meta.json
@@ -7,5 +7,10 @@
   },
   "title": "List of JNI methods",
   "privacy_issue": false,
-  "security_issue": false
+  "security_issue": false,
+  "categories": {
+    "PCI_STANDARDS":[
+      "REQUIREMENT_6_2"
+    ]
+  }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_INFO/APK_DYNAMIC_CODE_LOAD/meta.json b/MOBILE_CLIENT/ANDROID/_INFO/APK_DYNAMIC_CODE_LOAD/meta.json
@@ -15,6 +15,9 @@
   "OWASP_MASVS_L2": [
     "MSTG_CODE_5",
     "MSTG_CODE_7"
+    ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_6_2"
     ]
   }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_INFO/APK_DYNAMIC_COMMAND_EXEC/meta.json b/MOBILE_CLIENT/ANDROID/_INFO/APK_DYNAMIC_COMMAND_EXEC/meta.json
@@ -14,6 +14,9 @@
     ],
   "OWASP_MASVS_L2": [
     "MSTG_CODE_6"
+    ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_6_2"
     ]
   }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_INFO/BROADCAST_RECEIVER_DYNAMIC_REGISTRATION/meta.json b/MOBILE_CLIENT/ANDROID/_INFO/BROADCAST_RECEIVER_DYNAMIC_REGISTRATION/meta.json
@@ -6,5 +6,13 @@
   },
   "title": "Broadcast receiver dynamic registration",
   "privacy_issue": false,
-  "security_issue": true
+  "security_issue": true,
+  "categories": {
+    "PCI_STANDARDS": [
+      "REQUIREMENT_2_2",
+      "REQUIREMENT_6_2",
+      "REQUIREMENT_6_3",
+      "REQUIREMENT_11_3"
+    ]
+  }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_ANDROIDSECURITY/meta.json b/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_ANDROIDSECURITY/meta.json
@@ -22,6 +22,13 @@
       "MSTG_CRYPTO_1",
       "MSTG_CRYPTO_2",
       "MSTG_CRYPTO_3"
+    ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_2_2",
+      "REQUIREMENT_3_6",
+      "REQUIREMENT_3_7",
+      "REQUIREMENT_4_2",
+      "REQUIREMENT_6_2"
     ]
   }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_BLUETOOTH/meta.json b/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_BLUETOOTH/meta.json
@@ -6,5 +6,10 @@
   },
   "title": "Call to Bluetooth and BLE API",
   "privacy_issue": false,
-  "security_issue": true
+  "security_issue": true,
+  "categories": {
+    "PCI_STANDARDS":[
+      "REQUIREMENT_6_2"
+    ]
+  }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_CRYPTO/meta.json b/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_CRYPTO/meta.json
@@ -24,6 +24,13 @@
     "MSTG_CRYPTO_4",
     "MSTG_CRYPTO_5",
     "MSTG_CRYPTO_6"
-  ]
+  ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_2_2",
+      "REQUIREMENT_3_6",
+      "REQUIREMENT_3_7",
+      "REQUIREMENT_4_2",
+      "REQUIREMENT_6_2"
+    ]
   }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_DELETE_FILE/meta.json b/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_DELETE_FILE/meta.json
@@ -7,5 +7,10 @@
   },
   "title": "Call to delete file API",
   "privacy_issue": false,
-  "security_issue": true
+  "security_issue": true,
+  "categories": {
+    "PCI_STANDARDS":[
+      "REQUIREMENT_6_2"
+    ]
+  }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_DYNAMIC_CODE_LOADING/meta.json b/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_DYNAMIC_CODE_LOADING/meta.json
@@ -6,5 +6,12 @@
   },
   "title": "Call to dynamic code loading API",
   "privacy_issue": false,
-  "security_issue": true
+  "security_issue": true,
+  "categories": {
+    "PCI_STANDARDS":[
+      "REQUIREMENT_6_2",
+      "REQUIREMENT_6_3",
+      "REQUIREMENT_11_3"
+    ]
+  }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_EXEC/meta.json b/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_EXEC/meta.json
@@ -7,5 +7,10 @@
   },
   "title": "Call to command execution API",
   "privacy_issue": false,
-  "security_issue": true
+  "security_issue": true,
+  "categories": {
+    "PCI_STANDARDS":[
+      "REQUIREMENT_6_2"
+    ]
+  }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_EXTERNAL_STORAGE/meta.json b/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_EXTERNAL_STORAGE/meta.json
@@ -16,6 +16,13 @@
     ],
     "OWASP_MASVS_L2": [
       "MSTG_STORAGE_2"
+    ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_2_2",
+      "REQUIREMENT_3_5",
+      "REQUIREMENT_4_2",
+      "REQUIREMENT_6_2",
+      "REQUIREMENT_7_3"
     ]
   }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_IPC/meta.json b/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_IPC/meta.json
@@ -20,6 +20,9 @@
       "MSTG_PLATFORM_1",
       "MSTG_PLATFORM_2",
       "MSTG_PLATFORM_3"
+    ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_6_2"
     ]
   }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_LOG/meta.json b/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_LOG/meta.json
@@ -15,6 +15,13 @@
     ],
     "OWASP_MASVS_L2": [
       "MSTG_CODE_9"
+    ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_2_2",
+      "REQUIREMENT_6_2",
+      "REQUIREMENT_6_3",
+      "REQUIREMENT_10_3",
+      "REQUIREMENT_11_3"
     ]
   }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_RANDOM/meta.json b/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_RANDOM/meta.json
@@ -14,6 +14,10 @@
     ],
     "OWASP_MASVS_L2": [
       "MSTG_CRYPTO_1"
+    ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_2_2",
+      "REQUIREMENT_6_2"
     ]
   }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_SQL/meta.json b/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_SQL/meta.json
@@ -18,6 +18,13 @@
     ],
     "OWASP_MASVS_L2": [
       "MSTG_STORAGE_1"
+    ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_2_2",
+      "REQUIREMENT_3_5",
+      "REQUIREMENT_6_2",
+      "REQUIREMENT_6_3",
+      "REQUIREMENT_11_3"
     ]
   }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_SSLTLS/meta.json b/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_SSLTLS/meta.json
@@ -5,5 +5,12 @@
   },
   "title": "Call to TLS API",
   "privacy_issue": false,
-  "security_issue": true
+  "security_issue": true,
+  "categories": {
+    "PCI_STANDARDS":[
+      "REQUIREMENT_3_6",
+      "REQUIREMENT_3_7",
+      "REQUIREMENT_4_2"
+    ]
+  }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_WEBVIEW/meta.json b/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_WEBVIEW/meta.json
@@ -16,6 +16,10 @@
     "OWASP_MASVS_L2": [
       "MSTG_PLATFORM_3",
       "MSTG_PLATFORM_5"
+    ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_2_2",
+      "REQUIREMENT_6_2"
     ]
   }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_XML/meta.json b/MOBILE_CLIENT/ANDROID/_INFO/DANGEROUS_API_XML/meta.json
@@ -15,6 +15,12 @@
     ],
     "OWASP_MASVS_L2": [
       "MSTG_PLATFORM_2"
+    ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_2_2",
+      "REQUIREMENT_6_2",
+      "REQUIREMENT_6_3",
+      "REQUIREMENT_11_3"
     ]
   }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_LOW/APK_FACEBOOK_REACT_DEV_SETTINGS_ENABLED/description.md b/MOBILE_CLIENT/ANDROID/_LOW/APK_FACEBOOK_REACT_DEV_SETTINGS_ENABLED/description.md
@@ -1,2 +1,2 @@
-The application exposes the `com.facebook.react.devsupport.DevSettingsActivity` activity. The  `DevSettingsActivity` Activity exposes developer settings and should not pas exposed in release versions of the application.
+The application exposes the `com.facebook.react.devsupport.DevSettingsActivity` activity. The  `DevSettingsActivity` Activity exposes developer settings and should not be exposed in release versions of the application.
 
diff --git a/MOBILE_CLIENT/ANDROID/_LOW/APK_FACEBOOK_REACT_DEV_SETTINGS_ENABLED/meta.json b/MOBILE_CLIENT/ANDROID/_LOW/APK_FACEBOOK_REACT_DEV_SETTINGS_ENABLED/meta.json
@@ -16,6 +16,10 @@
     "OWASP_MASVS_L2": [
       "MSTG_ARCH_1",
       "MSTG_CODE_4"
+    ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_2_2",
+      "REQUIREMENT_6_2"
     ]
   }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_LOW/APK_HAS_FRAGILE_USER_DATA_NOT_SET/meta.json b/MOBILE_CLIENT/ANDROID/_LOW/APK_HAS_FRAGILE_USER_DATA_NOT_SET/meta.json
@@ -14,6 +14,11 @@
     ],
     "OWASP_MASVS_L2": [
       "MSTG_ARCH_12"
+    ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_3_2",
+      "REQUIREMENT_3_5",
+      "REQUIREMENT_6_2"
     ]
   }
 }
diff --git a/MOBILE_CLIENT/ANDROID/_LOW/APK_LIST_NOT_USED_PERMISSIONS/meta.json b/MOBILE_CLIENT/ANDROID/_LOW/APK_LIST_NOT_USED_PERMISSIONS/meta.json
@@ -17,6 +17,10 @@
     ],
     "CWE_TOP_25": [
       "CWE_276"
+    ],
+    "PCI_STANDARDS":[
+      "REQUIREMENT_6_2",
+      "REQUIREMENT_7_3"
     ]
   }
 }