Port MASTG-TEST-0050: Testing Runtime Integrity Checks (android) #3692
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…chniques and examples
Diolor
commented
Feb 6, 2026
Comment on lines
+18
to
+25
| 1. **Memory checksums**: Comparing memory contents or checksums against known good values. | ||
| 2. **Signature-based detection**: Searching memory for signatures of unwanted modifications. | ||
| 3. **Java Runtime tampering detection**: Detecting modifications to the Android Runtime (ART) made by hooking frameworks. | ||
| 4. **Injected class detection**: Identifying classes injected by frameworks like Xposed. | ||
| 5. **GOT hook detection**: Verifying Global Offset Table entries point to legitimate libraries. | ||
| 6. **Inline hook detection**: Inspecting function prologues/epilogues for trampolines or suspicious jump instructions. | ||
|
|
||
| Techniques 1 and 2 are foundational approaches that underpin the more specific detection methods (3-6). |
Collaborator
Author
There was a problem hiding this comment.
I tried to give a good structure here. I would definitely need a 2nd or 3rd expert to proof-read this as I am not extremely familiar with all techniques, especially native ones.
|
|
||
| On Android, common signatures to detect include: | ||
|
|
||
| - **Inline hook trampolines**: A trampoline is a small piece of code that redirects execution from one location to another. Hooking frameworks insert trampolines at function entry points to intercept calls—when the original function is called, the trampoline jumps to the hook handler instead. On ARM64, a common trampoline pattern loads a 64-bit target address into a scratch register and branches to it: `LDR X16, .+8; BR X16` followed by the 8-byte absolute address. Scratch registers (X16 and X17 on ARM64) are temporary registers that the calling convention allows to be overwritten without saving, making them ideal for trampolines. Based on the [ARM A64 instruction set encoding](https://developer.arm.com/documentation/ddi0602/latest/), this sequence encodes to bytes `50 00 00 58 00 02 1F D6`. Scanning for such patterns at function entry points can reveal hooks. The [O-MVLL anti-hooking pass](https://obfuscator.re/omvll/passes/anti-hook/) exploits the fact that Frida's Interceptor requires X16/X17 as scratch registers by injecting prologues that use these registers, preventing Frida from hooking. Note that ARM32/Thumb code uses different trampoline patterns (e.g., `LDR PC, [PC, #-4]`) and should be checked separately if the app includes 32-bit libraries. |
Collaborator
Author
There was a problem hiding this comment.
I can unshamelessly say that this bullet is AI-assisted, especially the bytes. However it looked interesting to bring for discussion here.
Let's not rush merging this before validating.
Collaborator
There was a problem hiding this comment.
Love the honest AI disclosure!
| --- | ||
| platform: android | ||
| title: App Terminating on Frida Hook Detection Before Cipher.doFinal Execution | ||
| id: MASTG-DEMO-0088 |
Collaborator
Author
There was a problem hiding this comment.
- Update before merge + filename
| --- | ||
| platform: android | ||
| title: Extracting Sensitive Data from Cipher.doFinal via Frida Hooking | ||
| id: MASTG-DEMO-0087 |
Collaborator
Author
There was a problem hiding this comment.
- Update before merge + filename
Diolor
commented
Feb 6, 2026
| --- | ||
| platform: android | ||
| title: Testing Runtime Hook Detection | ||
| id: MASTG-TEST-03te |
Collaborator
Author
There was a problem hiding this comment.
- Allocate before merge + filename
Diolor
commented
Feb 6, 2026
| - R | ||
| profiles: [R] | ||
| status: deprecated | ||
| covered_by: [MASTG-TEST-03te] |
cpholguera
reviewed
Feb 7, 2026
cpholguera
reviewed
Feb 7, 2026
cpholguera
reviewed
Feb 7, 2026
cpholguera
reviewed
Feb 7, 2026
| --- | ||
|
|
||
| Controls in this category verify the integrity of the app's memory space to defend the app against memory patches applied during runtime. Such patches include unwanted changes to binary code, bytecode, function pointer tables, and important data structures, as well as rogue code loaded into process memory. Integrity can be verified by: | ||
| Controls in this category verify the integrity of the app's memory to defend against runtime memory patches. Such patches include unwanted changes to binary code, bytecode, function pointer tables, and important data structures, as well as rogue code loaded into process memory. |
Collaborator
There was a problem hiding this comment.
I know "controls" was already there but I don't think this refers (anymore?) to MASVS controls. Should we say methods/techniques or something like that?
Collaborator
Author
There was a problem hiding this comment.
I don't mind much the term "controls" but we can also say "techniques" as you suggest. A technique that verifies a security goal such as integrity can be considered a control.
From ISC2's glossary:
control The use of access rules or countermeasures to limit a subject’s access to an object. See also security control, safeguards, and countermeasures.
Security control The mechanism used to address security vulnerabilities to reduce or man- age risk. See also control, safeguards, and countermeasures.
cpholguera
reviewed
Feb 7, 2026
Diolor
commented
Feb 9, 2026
| title: App Terminating on Frida Hook Detection Before Cipher.doFinal Execution | ||
| id: MASTG-DEMO-0088 | ||
| code: [kotlin] | ||
| test: MASTG-TEST-03te |
| title: Extracting Sensitive Data from Cipher.doFinal via Frida Hooking | ||
| id: MASTG-DEMO-0087 | ||
| code: [kotlin] | ||
| test: MASTG-TEST-03te |
| title: Bypassing Frida Detection in /proc/self/maps to Extract Sensitive Data | ||
| id: MASTG-DEMO-0089 | ||
| code: [kotlin] | ||
| test: MASTG-TEST-03te |
| --- | ||
| platform: android | ||
| title: Bypassing Frida Detection in /proc/self/maps to Extract Sensitive Data | ||
| id: MASTG-DEMO-0089 |
Collaborator
Author
There was a problem hiding this comment.
- Update before merge + filename
| --- | ||
| title: Hardening Against Runtime Hooking | ||
| alias: hardening-against-runtime-hooking | ||
| id: MASTG-BEST-0029 |
Collaborator
Author
There was a problem hiding this comment.
- Allocate before merge + filname
|
|
||
| Defending against runtime hooking requires a layered approach that combines several types of security controls: | ||
|
|
||
| - **Preventive controls**: Implement root detection (@MASTG-KNOW-0027) and device/app attestation (https://github.com/OWASP/mastg/issues/3505) as the first line of defense, since most hooking frameworks (e.g., Frida server, Xposed) require rooted devices. |
Collaborator
Author
There was a problem hiding this comment.
- Create new BEST practice: device, app attestation with hardware backed keys #3505 should be removed before merge. Demonstrated the connection of the topics
Diolor
commented
Feb 9, 2026
| - **Memory scanning**: Scan `/proc/self/maps` and process memory for known artifacts (e.g., "LIBFRIDA", frida-agent libraries, Xposed bridge classes). | ||
| - **Integrity checksums**: Compute checksums of critical code sections at build/load time and verify them periodically at runtime to detect patches and inline hooks. | ||
| - **GOT/PLT verification**: Verify that Global Offset Table entries point to addresses within their expected libraries. | ||
| - **Function prologue inspection**: Compare the first bytes of security-critical functions against their expected values to detect trampoline patterns (e.g., `LDR X16, .+8; BR X16` on ARM64). |
cpholguera
reviewed
Feb 9, 2026
demos/android/MASVS-RESILIENCE/MASTG-DEMO-0089/MASTG-DEMO-0089.md
Outdated
Show resolved
Hide resolved
cpholguera
reviewed
Feb 9, 2026
Co-authored-by: Carlos Holguera <[email protected]>
Collaborator
|
@Diolor please move temporarily to "fake IDs" to avoid the conflicts we're seeing here with other demos, best practices, etc. Thanks 🙏 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR closes #3017
Description
AI Tool Disclosure
If AI tools were used to generate or substantially modify code or text, complete the following.