From 1148883caba59f9131acaa27cac3a74a49b6bee0 Mon Sep 17 00:00:00 2001
From: Mohamed Elyousfi
Date: Mon, 25 Dec 2023 10:50:56 +0100
Subject: [PATCH 1/4] APK_DEBUG_SYMBOL_PRESENT
---
 .../APK_DEBUG_SYMBOL_PRESENT/description.md | 6 ++++++
 .../_LOW/APK_DEBUG_SYMBOL_PRESENT/meta.json | 21 +++++++++++++++++++
 .../recommendation.md | 2 ++
 3 files changed, 29 insertions(+)
 create mode 100644 MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/description.md
 create mode 100644 MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/meta.json
 create mode 100644 MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/recommendation.md
diff --git a/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/description.md b/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/description.md
new file mode 100644
index 00000000..470a2e22
--- /dev/null
+++ b/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/description.md
@@ -0,0 +1,6 @@
+The application should provide as little explanatory information as possible with the compiled code. Metadata such as
+debugging information, line numbers, and descriptive function or method names make the binary or byte-code
+easier to reverse engineer.
+
+It is noteworthy that most crash reporting tools support uploading symbols to perform stack trace symbolization and don't require
+symbols to be present in the application.
diff --git a/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/meta.json b/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/meta.json
new file mode 100644
index 00000000..24c21071
--- /dev/null
+++ b/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/meta.json
@@ -0,0 +1,21 @@
+{
+ "risk_rating": "low",
+ "short_description": "Debug Symbols were found in the application, which can help with reverse engineering the application or leaking internal information.",
+ "references": {
+ },
+ "title": "Debug Symbols Present in the Application",
+ "privacy_issue": false,
+ "security_issue": true,
+ "categories": {
+ "OWASP_MASVS_L1": [
+ "MSTG_CODE_3"
+ ],
+ "OWASP_MASVS_L2": [
+ "MSTG_CODE_3"
+ ],
+ "PCI_STANDARDS":[
+ "REQ_2_2",
+ "REQ_6_2"
+ ]
+ }
+}
diff --git a/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/recommendation.md b/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/recommendation.md
new file mode 100644
index 00000000..051f5841
--- /dev/null
+++ b/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/recommendation.md
@@ -0,0 +1,2 @@
+Remove all symbols and debug data from the application. To do so, ensure the setting Strip Debug Symbols During Copy
+to YES. The settings are in the Deployment / Settings menu.
From e3b004057a727619cc38c3cc5e49f6058e74329d Mon Sep 17 00:00:00 2001
From: Mohamed Elyousfi
Date: Mon, 25 Dec 2023 10:51:53 +0100
Subject: [PATCH 2/4] APK_DEBUG_SYMBOL_PRESENT
---
 .../ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/description.md | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/description.md b/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/description.md
index 470a2e22..a82c7c6c 100644
--- a/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/description.md
+++ b/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/description.md
@@ -1,6 +1,3 @@
-The application should provide as little explanatory information as possible with the compiled code. Metadata such as
-debugging information, line numbers, and descriptive function or method names make the binary or byte-code
-easier to reverse engineer.
+The application should provide as little explanatory information as possible with the compiled code. Metadata such as debugging information, line numbers, and descriptive function or method names make the binary or byte-code easier to reverse engineer.
 
-It is noteworthy that most crash reporting tools support uploading symbols to perform stack trace symbolization and don't require
-symbols to be present in the application.
+It is noteworthy that most crash reporting tools support uploading symbols to perform stack trace symbolization and don't require symbols to be present in the application.
From 3bc04f7a85977b64e0761ae2dacfd913cfc3de0e Mon Sep 17 00:00:00 2001
From: Mohamed Elyousfi
Date: Mon, 25 Dec 2023 11:02:17 +0100
Subject: [PATCH 3/4] Update recommendation.md
---
 .../ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/recommendation.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/recommendation.md b/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/recommendation.md
index 051f5841..cb02926c 100644
--- a/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/recommendation.md
+++ b/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/recommendation.md
@@ -1,2 +1 @@
-Remove all symbols and debug data from the application. To do so, ensure the setting Strip Debug Symbols During Copy
-to YES. The settings are in the Deployment / Settings menu.
+Remove all symbols and debug data from the application. To do so, configure the build type to exclude debug information.
\ No newline at end of file
From eb8050e5f685b73d3b92faea1e97686d965a6ed8 Mon Sep 17 00:00:00 2001
From: Mohamed Elyousfi
Date: Mon, 25 Dec 2023 12:03:22 +0100
Subject: [PATCH 4/4] Update KB
---
 .../_LOW/APK_DEBUG_SYMBOL_PRESENT/description.md | 10 ++++++++--
 .../_LOW/APK_DEBUG_SYMBOL_PRESENT/recommendation.md | 11 ++++++++++-
 2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/description.md b/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/description.md
index a82c7c6c..049b20ae 100644
--- a/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/description.md
+++ b/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/description.md
@@ -1,3 +1,9 @@
-The application should provide as little explanatory information as possible with the compiled code. Metadata such as debugging information, line numbers, and descriptive function or method names make the binary or byte-code easier to reverse engineer.
+The application is shipped debug symbols and debug information such as debugging information, line numbers, and descriptive function or method names, which make it easier to reverse engineer.
 
-It is noteworthy that most crash reporting tools support uploading symbols to perform stack trace symbolization and don't require symbols to be present in the application.
+It is noteworthy that most crash reporting tools support uploading symbols to perform stack trace symbolization and don't require symbols to be present in the application.
+
+To verify that the native libraries are not shipped with debug symbols, use the following command:
+
+```bash
+readelf --debug-dump=info
+```
\ No newline at end of file
diff --git a/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/recommendation.md b/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/recommendation.md
index cb02926c..88e13527 100644
--- a/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/recommendation.md
+++ b/MOBILE_CLIENT/ANDROID/_LOW/APK_DEBUG_SYMBOL_PRESENT/recommendation.md
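Review bot: In the description.md hunk of PATCH 4/4, the verification command `readelf --debug-dump=info` is shown without a file operand, so it cannot be run as written; it should name the library under inspection, e.g. `readelf --debug-dump=info <path/to/library.so>` (placeholder path). That option only dumps the DWARF `.debug_info` section, so a library that still carries a `.symtab` symbol table would pass the check; adding `readelf -S <path/to/library.so>` and looking for `.symtab` and `.debug_*` sections would cover both cases. The `strip -s` line in the recommendation.md hunk of the same patch has the same missing operand. The new opening sentence also reads better as `The application is shipped with debug symbols and debug information such as line numbers and descriptive function or method names, ...`.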
@@ -1 +1,10 @@
-Remove all symbols and debug data from the application. To do so, configure the build type to exclude debug information.
\ No newline at end of file
+Remove all symbols and debug data from the application.
+
+To do so, here are some recommendations:
+
+* Configure the build type to exclude debug information.
+* Use [ProGuard](https://www.guardsquare.com/en/products/proguard) to strip native debugging symbols.
+* Use the `strip` command to remove symbols from native libraries:
+```bash
+strip -s
+```
\ No newline at end of file
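Review bot: The ProGuard bullet says ProGuard strips native debugging symbols, but ProGuard processes Java/Kotlin bytecode (shrinking, renaming, removing unneeded attributes) and does not modify the `.so` files packaged in the APK. I would reword it along the lines of `* Use ProGuard or R8 to shrink and obfuscate the bytecode; native libraries must be stripped separately.` so readers do not assume native symbols are covered. For the `strip` bullet, a host `strip` may not handle the target ABI, so it is worth naming the NDK's `llvm-strip` and showing the library path as an operand. The fenced block should also be indented under its bullet so it renders as part of the list item.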