Port mastg test 0022 (by @guardsquare)

Document/0x05g-Testing-Network-Communication.md

@@ -119,6 +119,36 @@ If at least one of the pinned digests matches, the certificate chain will be con
 </network-security-config>
 ```
 
+!!! note "Expiration dates"
+    If you [set an expiration date](https://developer.android.com/privacy-and-security/security-config#CertificatePinning), make sure to update your application in time. Otherwise pinning will **not** be performed at all after the configured date.
+
+!!! warning "Technologies not using Network Security Configuration"
+    If your application uses low level networking APIs or SDKs like Flutter, the Network Security Configuration might not be used by default. In those cases you need to enable certificate pinning specifically for the used technology.
+
+### Certificate pinning without Android Network Security Configuration
+
+If your application targets an Android version lower than Android 7.0 Nougat (SDK version 24), the Android Security Configuration is not available, and you need to implement certificate pinning manually.
+
+!!! warning "Implementing Certificate Pinning Manually"
+    Implementing certificate pinning manually has a high risk of adding functionality to your application that makes the app even less secure. If you are adding this manually take extreme care of implementing this correctly.
+
+Applications that use third-party networking libraries may utilize the libraries' certificate pinning functionality. For example, [okhttp](https://square.github.io/okhttp/features/https/#certificate-pinning-kt-java) can be set up with the `CertificatePinner` as follows:
+
+```java
+val client = OkHttpClient.Builder()
+      .certificatePinner(
+          CertificatePinner.Builder()
+              .add("publicobject.com", "sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=")
+              .build())
+      .build()
+```
+
+#### Hybrid Applications
+
+Hybrid applications might support certificate pinning through plugins.
+
+For example, applications based on Cordova do not support Certificate Pinning natively, so the plugin [PhoneGap SSL Certificate Checker](https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin) can be used.
+
 ### Security Provider
 
 Android relies on a [security provider](https://developer.android.com/training/articles/security-gms-provider.html "Update your security provider to protect against SSL exploits") to provide SSL/TLS-based connections. The problem with this kind of security provider (one example is [OpenSSL](https://www.openssl.org/news/vulnerabilities.html "OpenSSL Vulnerabilities")), which comes with the device, is that it often has bugs and/or vulnerabilities.

tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x22-1.md

@@ -0,0 +1,38 @@
+---
+title: Missing Certificate Pinning in Code
+platform: android
+id: MASTG-TEST-0x22-1
+type: [static]
+weakness: MASWE-0047
+---
+
+## Overview
+
+Apps can configure certificate pinning using the [Network Security Configuration]("../../../Document/0x05g-Testing-Network-Communication.md#certificate-pinning"). For each domain, one or multiple digests can be pinned.
+
+Certificate pinning can also be done manually in the code. Depending on the used technologies, this can be done for example by:
+
+- Pinning a certificate with a custom `TrustManager`,
+- configuring the used third party networking libraries to pin certificates,
+- use plugins to achieve certificate pinning for hybrid apps.
+
+Chapter [Certificate pinning without Android Network Security Configuration]("../../../Document/0x05g-Testing-Network-Communication.md#certificate-pinning-without-android-network-security-configuration") explains in more detail how this can be achieved in the app.
+
+The goal of this test is to check if any certificate pinning exists.
+
+!!! note "Limitations"
+    Since there are many different ways to achieve certificate pinning in the code, checking statically if the application performs pinning might not reveal all such locations. To make sure certificates are pinned for all relevant connections, additional dynamic analysis can be performed.
+
+## Steps
+
+1. Reverse engineer the app (@MASTG-TECH-0017).
+2. Inspect the AndroidManifest.xml, and check if a `networkSecurityConfig` is set in the `<application>` tag. If yes, inspect the referenced file, and all domains which have a pinned certificate.
+3. Run a static analysis tool such as @MASTG-TOOL-0011 or @MASTG-TOOL-0018 on the code and look for APIs or configurations performing certificate pinning (see above). Extract all domains for which the certificates are pinned.
+
+## Observation
+
+The output should contain a list of domains which enable certificate pinning.
+
+## Evaluation
+
+The test case fails if any relevant domain does not enable certificate pinning.

tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x22-2.md

@@ -0,0 +1,26 @@
+---
+title: Expired Certificate Pins
+platform: android
+id: MASTG-TEST-0x22-2
+type: [static]
+weakness: MASWE-0047
+---
+
+## Overview
+
+Apps can configure expiration dates for pinned certificates in the [Network Security Configuration]("../../../Document/0x05g-Testing-Network-Communication.md#certificate-pinning"). After the expiration date the pin is not used any more, and all installed CAs are trusted for that domain.
+
+The goal of this test is to check if any expiration date is in the past.
+
+## Steps
+
+1. Reverse engineer the app (@MASTG-TECH-0017).
+2. Inspect the AndroidManifest.xml, and check if a `networkSecurityConfig` is set in the `<application>` tag. If yes, inspect the referenced file, and extract the expiration dates for every domain.
+
+## Observation
+
+The output should contain a list of expiration dates for pinned certificates.
+
+## Evaluation
+
+The test case fails if any expiration date is in the past.

tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x22-3.md

@@ -0,0 +1,29 @@
+---
+title: Missing Certificate Pinning in Network Traffic 
+platform: network
+id: MASTG-TEST-0x22-3
+type: [static]
+weakness: MASWE-0047
+---
+
+## Overview
+
+There are various ways how [certificate pinning]("../../../Document/0x05g-Testing-Network-Communication.md#certificate-pinning-without-android-network-security-configuration") can be done for an application.
+
+Since statically finding all of the locations where certificate pinning is performed might not be feasible, this test case uses dynamic analysis to observe all connections the app makes.
+
+The goal of this test case is to dynamically check if the connection to a server can be intercepted using a [Man-in-the-Middle attack]("../../../Document/0x04f-Testing-Network-Communication.md#mitm-attack). If this is possible, it means the certificate is not pinned correctly or at all.
+
+## Steps
+
+1. Set up an intercepting proxy, for example @MASTG-TOOL-0077 or @MASTG-TOOL-0097.
+2. Install the application on a device connected to that proxy, and intercept the communication.
+3. Extract all domains which were intercepted.
+
+## Observation
+
+The output should contain a list domains, for which the interception was successful.
+
+## Evaluation
+
+The test case fails if any relevant domain was intercepted.

tests/android/MASVS-NETWORK/MASTG-TEST-0022.md

@@ -7,6 +7,9 @@ platform: android
 title: Testing Custom Certificate Stores and Certificate Pinning
 masvs_v1_levels:
 - L2
+status: deprecated
+covered_by: [MASTG-TEST-0x22-1,MASTG-TEST-0x22-2,MASTG-TEST-0x22-3]
+deprecation_note: New version available in MASTG V2
 ---
 
 ## Overview