Conversation

@bernhste bernhste commented Jun 26, 2025

Last month @cpholguera and I discussed how we could normalize demos which use frida.re to identify insecure or weak API usage.

This is a proposal of how we could do that. The quick summary:

  1. There is a base-script in ./frida which hooks into provided API
  2. The script decodes the input and return values during runtime and captures a stack trace and some additional information. The format is JSON
  3. The data is then exported to the output.txt file
  4. The JSON can then be parsed in order to find the weak configuration. This can also be automated in the future, or already with tools such as jq

As a PoC, I added 2 new DEMOS:

  1. DEMO-0058: Use of Insecure ECB Block Mode in KeyGenParameterSpec
  2. DEMO-0059: App Writing Sensitive Data to Sandbox using SharedPreferences

If you want to add a new DEMO, basically all you have to do is update the file hook.js to match the API you want to intercept.

Ideally we can use this setup to

  1. Build a library of frida.re scripts for security relevant API
  2. Define a set of rules for how to parse the output of the frida.re script to detect risky API calls

Please let me know if you have feedback or additional ideas.
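The fourth step of the proposal (parsing the JSON the base script writes and applying rules to spot risky calls) is shown below as an added example; it is not code from this PR or from the MASTG project. The event shape it reads (class, method, args, retval, stack) is an assumption made for the example, since the real base_script.js output format is not shown in this thread, and the sample output.txt content is constructed.

```javascript
// Added example for this PR thread, not code from the PR or from MASTG.
// It applies detection rules to the JSON event log that a Frida base
// script of the kind proposed above would write to output.txt.
// The event shape (class, method, args, retval, stack) is an ASSUMPTION
// for this example; the PR's real output format is not shown here.

// Constructed output.txt content: one JSON object per line (JSON Lines),
// plus one deliberately broken line to show the parser tolerates it.
const SAMPLE_OUTPUT = [
  JSON.stringify({
    class: "android.security.keystore.KeyGenParameterSpec$Builder",
    method: "setBlockModes",
    args: [["ECB"]], // String... blockModes arrives as one array argument
    retval: "KeyGenParameterSpec$Builder@1a2b",
    stack: ["KeyGenParameterSpec$Builder.setBlockModes", "org.example.CryptoHelper.makeKey"],
  }),
  JSON.stringify({
    class: "android.security.keystore.KeyGenParameterSpec$Builder",
    method: "setBlockModes",
    args: [["GCM"]],
    retval: "KeyGenParameterSpec$Builder@3c4d",
    stack: ["KeyGenParameterSpec$Builder.setBlockModes", "org.example.CryptoHelper.makeSafeKey"],
  }),
  JSON.stringify({
    class: "android.content.SharedPreferences$Editor",
    method: "putString",
    args: ["auth_token", "tok_example_1234"],
    retval: "Editor@5e6f",
    stack: ["SharedPreferencesImpl$EditorImpl.putString", "org.example.Session.save"],
  }),
  JSON.stringify({
    class: "android.content.SharedPreferences$Editor",
    method: "putString",
    args: ["theme", "dark"],
    retval: "Editor@7a8b",
    stack: ["SharedPreferencesImpl$EditorImpl.putString", "org.example.Settings.save"],
  }),
  "{ not json",
].join("\n");

// Parse JSON Lines into events. Malformed lines are counted rather than
// fatal, because a detached or crashed Frida session can truncate the file.
function parseOutput(text) {
  const events = [];
  let skipped = 0;
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    try {
      events.push(JSON.parse(line));
    } catch (e) {
      skipped++;
    }
  }
  return { events, skipped };
}

// Flatten nested argument arrays so varargs such as String... blockModes
// can be matched element by element.
const flatten = (a) => (Array.isArray(a) ? a.flatMap(flatten) : [a]);

// Preference keys whose values should not sit in plaintext SharedPreferences.
// The list is an assumption for this example, not an exhaustive catalogue.
const SENSITIVE_KEY = /(password|passwd|secret|token|api[_-]?key|credential)/i;

// One rule per weakness; each rule decides on a single decoded event.
const RULES = [
  {
    id: "CRYPTO-ECB-BLOCKMODE",
    description: "KeyGenParameterSpec built with the ECB block mode",
    match: (ev) =>
      ev.class === "android.security.keystore.KeyGenParameterSpec$Builder" &&
      ev.method === "setBlockModes" &&
      flatten(ev.args).some((m) => String(m).toUpperCase() === "ECB"),
  },
  {
    id: "STORAGE-SHAREDPREFS-SENSITIVE",
    description: "Sensitive-looking key written to SharedPreferences",
    match: (ev) =>
      ev.class === "android.content.SharedPreferences$Editor" &&
      /^put(String|StringSet)$/.test(ev.method) &&
      Array.isArray(ev.args) && SENSITIVE_KEY.test(String(ev.args[0])),
  },
];

// Run every rule over every event; report the caller frame (index 1 of the
// captured stack, index 0 being the hooked method itself).
function evaluate(events) {
  const findings = [];
  for (const ev of events) {
    for (const rule of RULES) {
      if (rule.match(ev)) {
        findings.push({
          rule: rule.id,
          api: `${ev.class}.${ev.method}`,
          caller: (Array.isArray(ev.stack) && ev.stack[1]) || "<unknown>",
          description: rule.description,
        });
      }
    }
  }
  return findings;
}

// Convenience entry point: parse then evaluate, returning counts for triage.
function analyze(text) {
  const { events, skipped } = parseOutput(text);
  return { findings: evaluate(events), events: events.length, skipped };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(analyze(SAMPLE_OUTPUT), null, 2));
}
```

Running it on the constructed sample reports two findings (the ECB key spec and the token written to SharedPreferences), ignores the GCM and "theme" events, and counts the broken line as skipped. Keeping the caller frame in each finding is what makes a rule actionable, since the hooked API alone does not say which app component introduced the weakness.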

@bernhste bernhste changed the title Demo key gen param spec PoC frida.re Base Script Jun 26, 2025
@cpholguera cpholguera self-requested a review June 30, 2025 10:19
@bernhste bernhste requested a review from cpholguera July 3, 2025 08:32

@cpholguera cpholguera left a comment

Restoring the Request Changes status

bernhste commented Jul 7, 2025

@cpholguera I've commented each comment.

@bernhste bernhste left a comment

@cpholguera I've resolved or commented on all discussions. A few discussions are unresolved, since I had some questions or feedback. But I think we should make issues for these topics in order to close this PR.

Should I write these issues already or wait for feedback from the remaining open discussions in this PR?

@cpholguera
@bernhste I think something related to the website build checker action is currently broken (probably since I moved the action to the new mas-website repo). Don't worry about it for now.

@cpholguera
@bernhste I fixed the website checker ;)

@bernhste
@bernhste I fixed the website checker ;)

Perfect. I just wanted to create an issue :)

@bernhste bernhste left a comment

@cpholguera From my point of view, all the discussed changes have now been reviewed and resolved.

@Copilot Copilot AI left a comment

Pull Request Overview

This PR introduces a Proof of Concept (PoC) for a standardized Frida-based framework to detect insecure or weak API usage across MASTG demos. The framework includes a base script architecture, Android-specific decoders, and automated JSON output for analysis.

  • Adds reusable Frida script infrastructure with base hooks, decoders, and JSON output
  • Creates two demonstration cases for crypto and storage security issues
  • Provides automated evaluation scripts using jq for parsing security findings

Reviewed Changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 5 comments.

File Description
utils/frida/android/run.sh Main script that merges hook configurations with base scripts and runs Frida analysis
utils/frida/android/base_script.js Core Frida script providing hook registration, method interception, and event logging
utils/frida/android/android_decoder.js Android-specific value decoders for various Java types and data structures
demos/android/MASVS-STORAGE/MASTG-DEMO-0059/* Demo for detecting unencrypted sensitive data in SharedPreferences
demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/* Demo for detecting insecure ECB block mode usage in KeyGenParameterSpec

bernhste and others added 5 commits September 9, 2025 13:03
Fixed a bug in the Android cursor decoder, where the position of the cursor was not set to its original position after iterating through the cursor.

Co-authored-by: Copilot <[email protected]>
Updated string concatenation for better readability.

Co-authored-by: Copilot <[email protected]>