Port MASTG-TEST-0046: Testing Anti-Debugging Detection (android) (by @vulnit) (#3699)

* Add MASTG-TOOL-0141 (debugmepLS)

* Improve MASTG-TECH-0031 on non-debuggable apps
Add a reference to MASTG-TOOL-0141 to describe the possibility of using hooking-based tools to enable JDWP-based debugging on non-debuggable apps.

* Initial draft of MASTG-TEST-0046 for v2

* Initial commit for native debugging in Android

* Add LLDB for Android

* Improve lldb for android usage

* Deprecate GDB in favor of lldb

* Use tool IDs

* Use warning block for note

* Fix android:debuggable rule typo

* Add new rule for runtime JDWP debug check

* Add JDWP debugging demo

* Move MASTG-DEMO-0040 to MASTG-DEMO-0x40

* Fix inconsistencies

* Add lldb instability notice

* Differentiate DVM and ART anti-debugging
We should probably discuss the ART part, I looked around in Android's source but can't seem to find JdwpAdbState

* Improve lldb incompatibility notice

* Make MASTG-TECH-0071 generic

* Add comment on passing test for MASTG-TEST-0046-1

* Recommend RASP usage on MASTG-TEST-0046

* Add MASTG-TEST-0046-2

* Archive reference link

* Add demo for MASTG-TEST-0046-2

* Fix markdown linting issues

* Simplify ptrace_self demo

* Also use fake ids for tools

* Consider ro.debuggable=1

* Add example for debuggable app

* Move lldb segfault notice to its tool entry

* Update MASTG-TEST-0046-1 with suggested fixes

* Add best practice for debugging check

* Use 'kind: pass' when needed

* Remove FLAG_DEBUGGABLE checks

* Remove FLAG_DEBUGGABLE checks

* Update DEMO-0x40 evaluation

* Update DEMO-0x41 evaluation

* Use hosts key in Android tool front matter

* Reword JDWP overview to reference best practice

* Normalize debugging command blocks in TECH-0031

* Scope JDWP demo PASS/FAIL markers to branches

* Fix typo

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update demos/android/MASVS-RESILIENCE/MASTG-DEMO-0x41/MASTG-DEMO-0x41.md

Co-authored-by: Jan Seredynski <janseredynski@gmail.com>

* fix(demo): Simplify buffer zero initialization

Co-authored-by: Jan Seredynski <janseredynski@gmail.com>

* fix: Remove leftover iOS references and add '-a' flag to strings

Co-authored-by: Jan Seredynski <janseredynski@gmail.com>

* fix(test): Remove timing APIs from MASTG-TEST-0046

* feat(demo): Use newer PTRACE_SEIZE for DEMO-0x41

* fix(demo): Stop using semgrep over sourcecode, use R2 instead for MASTG-DEMO-0x41

* fix(demo): Fix leftover references to PTRACE_ATTACH

* fix(demo): Restrict semgrep rule to java

* docs(test): Deprecate MASTG-TEST-0046

* Add platform to each lldb tool

* Apply suggestion from @serek8

Co-authored-by: Jan Seredynski <janseredynski@gmail.com>

* Make tools more concise and move examples to the TECH

* Refactor tests: update test IDs and add new tests for debugging detection APIs. The tests had type: [static, dynamic], which should only be used under very specific conditions that must be really justified. Additionally, the static tests mixed both code-analysis steps and runtime-behavior observations, and the dynamic test was purely manual (attach debugger + observe) rather than using instrumentation.

* Update demos for JDWP and native debugging checks to use consistent test IDs and improve documentation clarity

* Update tests to mirror the patterns of MASTG-TEST-0324/0325/0351

* Enable relocation application in native debugger checks to align with guidelines

* Add externalNativeBuild configuration for CMake in Android demo

* Refactor GitHub Actions workflow for Android demos: improve matrix generation, enhance caching logic, and streamline file copying process. Add support for native libs.

* Fix path assignment in externalNativeBuild configuration to use file() method for CMake in Android demo

---------

Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
Co-authored-by: Sergio García <32015541+Olasergiolas@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Jan Seredynski <janseredynski@gmail.com>

Author: 4 people

.github/instructions/mastg-tools.instructions.md

@@ -70,6 +70,7 @@ Common patterns that match existing pages in `tools/`:
 - Start with a short description paragraph (often with a link to the upstream project or docs).
 - Add sections only when they add value for that tool. Typical headings are `## Installation`, `## Usage`, and tool-specific headings (for example, `## Installing Frida on iOS`).
 - Include copyable commands when relevant. If usage is extensive, keep only the most common commands and link to a technique or upstream docs.
+- **Do not add step-by-step usage examples or multi-step walkthroughs to tool pages.** These belong in a technique page (for example, @MASTG-TECH-0031). The website will automatically list any techniques that reference the tool as examples of use on the rendered tool page, so adding them to the right technique page is the correct way to surface them.
 - Add caveats as `!!! note` / `!!! warning` admonitions when needed (version pinning, jailbreak/root requirements, security warnings).
 - Link to related techniques/tests/demos where it helps the reader complete a workflow.
 

.github/workflows/build-android-demos.yml

@@ -19,58 +19,68 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
         with:
           sparse-checkout: demos/android
-          fetch-depth: 2 # Required for git diff in PRs
+          fetch-depth: 0
 
       - name: Generate matrix
         id: set-matrix
+        shell: bash
         run: |
+          set -euo pipefail
+
           if [ "${{ github.event_name }}" = "pull_request" ]; then
-            # Get list of changed files in demos/android/ directory
-            changed_files=$(git diff --name-only ${{ github.event.pull_request.base.sha }} HEAD -- 'demos/android/*')
+            changed_files="$(git diff --name-only "${{ github.event.pull_request.base.sha }}" HEAD -- 'demos/android/**')"
 
             echo "Changed files:"
             echo "$changed_files"
 
-            # Extract unique demo directories
-            matrix=$(echo "$changed_files" | grep -oE 'demos/android/[^/]*/MASTG-DEMO-[^/]+' | sort -u | head -c -1 | tr '\n' ' ' | sed 's/ /","/g')
-
-            # If no changes, set empty matrix
-            if [ -z "$matrix" ]; then
-              echo "matrix={\"demo\":[]}" >> $GITHUB_OUTPUT
-            else
-              echo "matrix={\"demo\":[\"$matrix\"]}" >> $GITHUB_OUTPUT
-            fi
+            demos="$(echo "$changed_files" \
+              | grep -oE '^demos/android/[^/]+/MASTG-DEMO-[^/]+' \
+              | sort -u || true)"
           else
-            # Default behavior: include all demos for master branch
-            matrix=$(echo demos/android/*/MASTG-DEMO-* | sed 's/ /","/g')
-            echo "matrix={\"demo\":[\"$matrix\"]}" >> $GITHUB_OUTPUT
+            demos="$(find demos/android -mindepth 2 -maxdepth 2 -type d -name 'MASTG-DEMO-*' | sort)"
           fi
+
+          matrix="$(printf '%s\n' "$demos" \
+            | jq -R 'select(length > 0)' \
+            | jq -sc '{demo: .}')"
+
+          echo "matrix=$matrix" >> "$GITHUB_OUTPUT"
           echo "Print matrix: $matrix"
+
       - name: Print matrix
-        run: echo "${{ steps.set-matrix.outputs.matrix }}"
+        run: echo '${{ steps.set-matrix.outputs.matrix }}'
 
   build-base-app:
     runs-on: ubuntu-latest
     timeout-minutes: 10
+    outputs:
+      mastestapp_hash: ${{ steps.get-mastestapp-hash.outputs.mastestapp_hash }}
+
     steps:
       - name: Get last commit hash of mas-app-android
         id: get-mastestapp-hash
+        shell: bash
         run: |
-          echo "MASTESTAPP_HASH=$(git ls-remote https://github.com/cpholguera/mas-app-android.git HEAD | awk '{print $1}')" >> $GITHUB_ENV 
-          echo "MASTESTAPP_HASH=$MASTESTAPP_HASH" >> $GITHUB_OUTPUT
+          set -euo pipefail
+
+          hash="$(git ls-remote https://github.com/cpholguera/mas-app-android.git HEAD | awk '{print $1}')"
+
+          echo "mastestapp_hash=$hash" >> "$GITHUB_OUTPUT"
+          echo "MASTESTAPP_HASH=$hash" >> "$GITHUB_ENV"
 
       - name: Check if already cached
         id: cache-check
         uses: actions/cache/restore@v5
         with:
           lookup-only: true
-          path: mas-app-android/ # we're forced to write a path even if we don't need it
-          key: base-app-${{ env.MASTESTAPP_HASH }}
+          path: mas-app-android/
+          key: base-app-${{ steps.get-mastestapp-hash.outputs.mastestapp_hash }}
 
       - name: Set up JDK 17
         if: steps.cache-check.outputs.cache-hit != 'true'
@@ -85,41 +95,52 @@ jobs:
         with:
           cache-read-only: false
 
+      - name: Accept Android SDK licenses
+        if: steps.cache-check.outputs.cache-hit != 'true'
+        run: yes | "$ANDROID_HOME/cmdline-tools/latest/bin/sdkmanager" --licenses
+
       - name: Clone mas-app-android repository
         if: steps.cache-check.outputs.cache-hit != 'true'
         uses: actions/checkout@v6
         with:
           repository: cpholguera/mas-app-android
           path: mas-app-android
-          ref: ${{ env.MASTESTAPP_HASH }}
+          ref: ${{ steps.get-mastestapp-hash.outputs.mastestapp_hash }}
 
       - name: Build base app
         if: steps.cache-check.outputs.cache-hit != 'true'
+        shell: bash
         run: |
+          set -euo pipefail
+
           cd mas-app-android
-          grep -q 'org.gradle.caching=true' gradle.properties || echo -en "\norg.gradle.caching=true\norg.gradle.configuration-cache=true\n" >> gradle.properties
-          ./gradlew assembleDebug --stacktrace || (
-            echo "Build failed"
-            exit 1
-          )
+
+          grep -q 'org.gradle.caching=true' gradle.properties \
+            || echo -en "\norg.gradle.caching=true\norg.gradle.configuration-cache=true\n" >> gradle.properties
+
+          ./gradlew assembleDebug --stacktrace
+
           echo "Build succeeded"
 
       - name: Saving cache
         if: steps.cache-check.outputs.cache-hit != 'true'
         uses: actions/cache/save@v5
         with:
           path: mas-app-android/
-          key: ${{ steps.cache-check.outputs.cache-primary-key }}
-   
+          key: base-app-${{ steps.get-mastestapp-hash.outputs.mastestapp_hash }}
+
   build:
-    needs: [generate-matrix, build-base-app]
+    needs:
+      - generate-matrix
+      - build-base-app
     if: ${{ needs.generate-matrix.outputs.matrix != '{"demo":[]}' }}
     runs-on: ubuntu-latest
-    timeout-minutes: 30  # Increase this value as needed
+    timeout-minutes: 30
+
     strategy:
       matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
-      max-parallel: 3  # Limit the number of parallel jobs
-    
+      max-parallel: 3
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
@@ -137,101 +158,126 @@ jobs:
         with:
           cache-read-only: true
 
-      - name: Restore cache
+      - name: Accept Android SDK licenses
+        run: yes | "$ANDROID_HOME/cmdline-tools/latest/bin/sdkmanager" --licenses
+
+      - name: Restore base app cache
         id: cache-base-app
         uses: actions/cache/restore@v5
         with:
           path: mas-app-android/
-          key: base-app-${{ env.MASTESTAPP_HASH }}
+          key: base-app-${{ needs.build-base-app.outputs.mastestapp_hash }}
+          fail-on-cache-miss: true
 
       - name: Replace files and build APK
+        shell: bash
         run: |
+          set -euo pipefail
+
           demo="${{ matrix.demo }}"
-          [ -d "$demo" ] || (
+
+          [ -d "$demo" ] || {
             echo "Demo directory not found: $demo"
             exit 1
-          )
+          }
 
           echo "Processing $demo"
-          cp -f "$demo/MastgTest.kt" mas-app-android/app/src/main/java/org/owasp/mastestapp/MastgTest.kt 2>/dev/null \
-            && echo "Copied MastgTest.kt for $demo" \
-            || echo "No MastgTest.kt found for $demo"
-          cp -f "$demo/MainActivity.kt" mas-app-android/app/src/main/java/org/owasp/mastestapp/MainActivity.kt 2>/dev/null \
-            && echo "Copied MainActivity.kt for $demo" \
-            || echo "No MainActivity.kt found for $demo"
-          cp -f "$demo/MastgTestWebView.kt" mas-app-android/app/src/main/java/org/owasp/mastestapp/MastgTestWebView.kt 2>/dev/null \
-            && echo "Copied MastgTestWebView.kt for $demo" \
-            || echo "No MastgTestWebView.kt found for $demo"
-          cp -f "$demo/AndroidManifest.xml" mas-app-android/app/src/main/AndroidManifest.xml 2>/dev/null \
-            && echo "Copied AndroidManifest.xml for $demo" \
-            || echo "No AndroidManifest.xml found for $demo"
-          cp -f "$demo/filepaths.xml" mas-app-android/app/src/main/res/xml/filepaths.xml 2>/dev/null \
-            && echo "Copied filepaths.xml for $demo" \
-            || echo "No filepaths.xml found for $demo"
-          cp -f "$demo/network_security_config.xml" mas-app-android/app/src/main/res/xml/network_security_config.xml 2>/dev/null \
-            && echo "Copied network_security_config.xml for $demo" \
-            || echo "No network_security_config.xml found for $demo"
-          cp -f "$demo/backup_rules.xml" mas-app-android/app/src/main/res/xml/backup_rules.xml 2>/dev/null \
-            && echo "Copied backup_rules.xml for $demo" \
-            || echo "No backup_rules.xml found for $demo"
-          cp -f "$demo/data_extraction_rules.xml" mas-app-android/app/src/main/res/xml/data_extraction_rules.xml 2>/dev/null \
-            && echo "Copied data_extraction_rules.xml for $demo" \
-            || echo "No data_extraction_rules.xml found for $demo"
-
-          # Copy .proto files if any exist
+
+          copy_if_exists() {
+            local source_file="$1"
+            local target_file="$2"
+            local label="$3"
+
+            if [ -f "$source_file" ]; then
+              cp -f "$source_file" "$target_file"
+              echo "Copied $label for $demo"
+            else
+              echo "No $label found for $demo"
+            fi
+          }
+
+          copy_if_exists "$demo/MastgTest.kt" mas-app-android/app/src/main/java/org/owasp/mastestapp/MastgTest.kt MastgTest.kt
+          copy_if_exists "$demo/MainActivity.kt" mas-app-android/app/src/main/java/org/owasp/mastestapp/MainActivity.kt MainActivity.kt
+          copy_if_exists "$demo/MastgTestWebView.kt" mas-app-android/app/src/main/java/org/owasp/mastestapp/MastgTestWebView.kt MastgTestWebView.kt
+          copy_if_exists "$demo/AndroidManifest.xml" mas-app-android/app/src/main/AndroidManifest.xml AndroidManifest.xml
+          copy_if_exists "$demo/filepaths.xml" mas-app-android/app/src/main/res/xml/filepaths.xml filepaths.xml
+          copy_if_exists "$demo/network_security_config.xml" mas-app-android/app/src/main/res/xml/network_security_config.xml network_security_config.xml
+          copy_if_exists "$demo/backup_rules.xml" mas-app-android/app/src/main/res/xml/backup_rules.xml backup_rules.xml
+          copy_if_exists "$demo/data_extraction_rules.xml" mas-app-android/app/src/main/res/xml/data_extraction_rules.xml data_extraction_rules.xml
+
           if find "$demo" -maxdepth 1 -name "*.proto" -print -quit 2>/dev/null | grep -q .; then
             mkdir -p mas-app-android/app/src/main/proto
-            find "$demo" -maxdepth 1 -name "*.proto" -print0 2>/dev/null | while IFS= read -r -d '' proto_file; do
-              cp -f "$proto_file" mas-app-android/app/src/main/proto/ \
-                && echo "Copied $(basename "$proto_file") for $demo"
-            done
+
+            find "$demo" -maxdepth 1 -name "*.proto" -print0 2>/dev/null \
+              | while IFS= read -r -d '' proto_file; do
+                  cp -f "$proto_file" mas-app-android/app/src/main/proto/
+                  echo "Copied $(basename "$proto_file") for $demo"
+                done
           else
             echo "No .proto files found for $demo"
           fi
 
+          if [ -f "$demo/CMakeLists.txt" ]; then
+            mkdir -p mas-app-android/app/src/main/cpp
+
+            cp -f "$demo/CMakeLists.txt" mas-app-android/app/src/main/cpp/CMakeLists.txt
+            echo "Copied CMakeLists.txt for $demo"
+
+            find "$demo" -maxdepth 1 -name "*.cpp" -print0 2>/dev/null \
+              | while IFS= read -r -d '' cpp_file; do
+                  cp -f "$cpp_file" mas-app-android/app/src/main/cpp/
+                  echo "Copied $(basename "$cpp_file") for $demo"
+                done
+          else
+            echo "No CMakeLists.txt found for $demo"
+          fi
+
           insert_block() {
-            local kind="$1"          # plugins / sections / libs
-            local upper="${kind^^}"  # PLUGINS / SECTIONS / LIBS  (bash-specific)
+            local kind="$1"
+            local upper="${kind^^}"
             local file="$demo/build.gradle.kts.$kind"
             local target="mas-app-android/app/build.gradle.kts"
-          
+
             if [ -f "$file" ]; then
               sed -i '/\/\/ ADD_'"$upper"'_HERE/{
                 r '"$file"'
                 d
               }' "$target"
-          
+
               echo "Replaced $kind in build.gradle.kts for $demo"
             else
               echo "No build.gradle.kts.$kind found for $demo, skipping $kind replacement"
             fi
           }
-          
+
           insert_block plugins
           insert_block sections
+          insert_block android
           insert_block libs
 
           echo "Building APK for $demo"
+
           cd mas-app-android
-          grep -q 'org.gradle.caching=true' gradle.properties || echo -en "\norg.gradle.caching=true\norg.gradle.configuration-cache=true\n" >> gradle.properties
-          ./gradlew assembleDebug --stacktrace || (
-            echo "Build failed for $demo"
-            exit 1
-          )
+
+          grep -q 'org.gradle.caching=true' gradle.properties \
+            || echo -en "\norg.gradle.caching=true\norg.gradle.configuration-cache=true\n" >> gradle.properties
+
+          ./gradlew assembleDebug --stacktrace
+
           cd ..
-          echo "Build succeeded for $demo"          
+
+          echo "Build succeeded for $demo"
 
           apk_filename="$(basename "$demo").apk"
-          mv mas-app-android/app/build/outputs/apk/debug/app-debug.apk "$apk_filename" || (
-            echo "APK not found for $demo"
-            exit 1
-          )
+
+          mv mas-app-android/app/build/outputs/apk/debug/app-debug.apk "$apk_filename"
+
           echo "APK for $demo moved to $apk_filename"
-          echo "APK_NAME=$apk_filename" >> $GITHUB_ENV
+          echo "APK_NAME=$apk_filename" >> "$GITHUB_ENV"
 
       - name: Upload APK
         uses: actions/upload-artifact@v6
         with:
           name: ${{ env.APK_NAME }}
-          path: "${{ env.APK_NAME }}"
-          if-no-files-found: error
+          path: ${{ env.APK_NAME }}
+          if-no-files-found: error

best-practices/MASTG-BEST-0x32.md

@@ -0,0 +1,17 @@
+---
+title: Continuous Anti-Debugging Checks
+alias: continuous-anti-debugging-checks
+id: MASTG-BEST-0x32
+platform: android
+knowledge: [MASTG-KNOW-0028]
+---
+
+Implement frequent anti-debugging checks during sensitive execution paths instead of relying on a one-time check at startup.
+
+A one-time check is easy to bypass because an attacker can attach a debugger after initialization and continue analysis without triggering the initial detection logic. Re-checking debugger state at runtime raises attacker effort and improves resilience.
+
+On Android, you can combine Java and native checks depending on your threat model. For example, use [`Debug.isDebuggerConnected()`](https://developer.android.com/reference/android/os/Debug#isDebuggerConnected()) in Java flows and complement it with native checks in sensitive JNI paths.
+
+Furthermore, tight continuous polling loops can be resource heavy. A good balance is to implement checkpoint-based checks before sensitive actions (for example, key use, payment approval, privileged API calls, or secrets access) and short periodic checks only while sensitive flows are active. This model reduces overhead while still making post-start debugger attachment harder.
+
+Treat anti-debugging as a defense-in-depth control, not as a standalone guarantee. Advanced attackers can still bypass checks through patching, instrumentation, or hooks.

demos/android/MASVS-RESILIENCE/MASTG-DEMO-0x40/AndroidManifest.xml

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:tools="http://schemas.android.com/tools">
+
+    <uses-permission android:name="android.permission.INTERNET" />
+
+    <application
+        android:allowBackup="true"
+        android:dataExtractionRules="@xml/data_extraction_rules"
+        android:fullBackupContent="@xml/backup_rules"
+        android:icon="@mipmap/ic_launcher"
+        android:label="@string/app_name"
+        android:roundIcon="@mipmap/ic_launcher_round"
+        android:supportsRtl="true"
+        android:theme="@style/Theme.MASTestApp"
+        tools:targetApi="31">
+        <activity
+            android:name=".MainActivity"
+            android:exported="true"
+            android:windowSoftInputMode="adjustResize"
+            android:theme="@style/Theme.MASTestApp">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+    </application>
+
+</manifest>