Port MASTG-TEST-0021: Testing Endpoint Identify Verification (android)

[sydseter]

This PR closes #2960.

Overview of additions:

Tests

• MASTG-TEST-0282: Unsafe Custom Trust Evaluation
  Summary: Verifies that any checkServerTrusted override in the app throws a CertificateException on invalid certificates rather than merely logging, ensuring proper TLS certificate validation to prevent MITM attacks.

• MASTG-TEST-0283: Incorrect Implementation of Server Hostname Verification
  Summary: Ensures the app uses HostnameVerifier.verify() (or equivalent) rather than always returning true (e.g. via ALLOW_ALL_HOSTNAME_VERIFIER), so hostname mismatches are caught and connections aren’t silently accepted.

• MASTG-TEST-0284: Incorrect SSL Error Handling in WebViews
  Summary: Checks that WebViewClient.onReceivedSslError handlers do not simply call handler.proceed() without throwing or blocking on SSL errors, thereby avoiding the silent acceptance of invalid certificates in WebViews.

• MASTG-TEST-0285: Outdated Android Version Allowing Trust in User-Provided CAs
  Summary: Checks if the app’s targetSdk is 23 or lower for which the system allows user-added CAs by default.

• MASTG-TEST-0286: Network Security Configuration Allowing Trust in User-Provided CAs
  Summary: Checks for the presence of <certificates src="user" /> in the network security config.

Demos

• MASTG-DEMO-0054: Improper use of checkServerTrusted
  Summary: A Kotlin sample that installs an all-trusting X509TrustManager whose checkServerTrusted method only logs warnings (never throws), demonstrating how certificate validation can be disabled.

• MASTG-DEMO-0055: Improper use of the HostnameVerifier
  Summary: Shows a sample where a custom HostnameVerifier always returns true, illustrating how hostname checks can be bypassed.

• MASTG-DEMO-0056: Improper use of the onReceivedSslError handler
  Summary: Provides a WebViewClient example overriding onReceivedSslError to log SSL errors but then unconditionally calling handler.proceed(), thereby ignoring TLS errors.

• MASTG-DEMO-0057: Network security config allows certificates imported on the user's behalf
  Summary: Contains a network_security_config.xml that includes <certificates src="user" />, demonstrating how the app can be configured to trust user-added CAs.

Note: we used a very simple approach for static analysis. Work will continue in #3353

[sydseter]

@cpholguera Have a look when you have the time.

[sydseter]

We need to do a renumbering of the tests. I wasn't sure which numbers to give them. These should completely replace MASTG-TEST-0021.

[cpholguera]

Awesome! I'll take a look when I'm back from vacation 🌴 Thanks a lot!

[cpholguera]

Thank you so much, @sydseter, this is really good! Please take a look at my feedback, and let me know if I can answer any questions.

---

Review Tip:

Please use the "Commit Suggestions" button to incorporate the suggestions as much as possible, as indicated here. This way, we can easily track the comments and suggestions, and they will be automatically resolved.

[sydseter]

Regarding the failing website build, it's most certainly because my code changes originate from a forked repository and therefore lack the necessary rights to use any tokens/secrets from this repository.

WARNING - ⚠️ Connection Error, skipping GitHub API Requests
WARNING -
⚠️ GitHub Token not set. Some features will be limited.
WARNING - To fix this issue, please set the GITHUB_TOKEN environment variable:
WARNING - export GITHUB_TOKEN=your_github_token_here
WARNING - You can create a token at: https://github.com/settings/tokens

[Copilot]

Pull Request Overview

This PR ports MASTG-TEST-0021 to Android, deprecates the old test, and adds new static tests (0282–0286), Semgrep rules, and corresponding demo samples to validate server certificate, hostname, and WebView SSL error handling.

• Deprecate MASTG-TEST-0021 and reference new V2 tests
• Add tests 0282–0286 covering unsafe TrustManager, HostnameVerifier, onReceivedSslError, API-level CA trust, and user-provided CAs
• Introduce Semgrep rules and demo projects (0054–0057) with run scripts and sample code

Reviewed Changes

Copilot reviewed 35 out of 35 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
tests/android/MASVS-NETWORK/MASTG-TEST-0021.md	Mark old test as deprecated and link to new tests
tests-beta/android/MASVS-NETWORK/MASTG-TEST-0282.md to 0286.md	Add five new static test specifications for network security
rules/mastg-android-network-*.yml	Add Semgrep rules to detect unsafe TrustManager, hostname, SSL use
demos/android/MASVS-NETWORK/MASTG-DEMO-0054–0057/*	Add demo apps, run scripts, sample code, and expected outputs
apps/android/MASTG-APP-0018.md	Add descriptor for the test application

Comments suppressed due to low confidence (3)

tests/android/MASVS-NETWORK/MASTG-TEST-0021.md:12

• [nitpick] Use consistent deprecation metadata across test files—for example, replace status: deprecated with deprecated_since to match other tests.

status: deprecated

rules/mastg-android-network-onreceivedsslerror.yml:11

• The rule matches any override of onReceivedSslError but doesn't verify if handler.proceed() is called—consider refining the pattern to specifically flag overrides that silently call proceed() without validation.

        - public void onReceivedSslError(...) {...}

apps/android/MASTG-APP-0018.md:1

• [nitpick] YAML frontmatter is missing an id field—adding it would align with the format of other app descriptors.

---

[cpholguera]

Excellent work @sydseter, thank you so much and please keep them coming!