Merge pull request #4675 from luchua-bc/cleartext-storage-shared-prefs

Java: Query to detect cleartext storage of sensitive information using Android SharedPreferences

Author: aschackmull

java/ql/src/experimental/Security/CWE/CWE-312/CleartextStorageSharedPrefs.java

@@ -0,0 +1,39 @@
+public void testSetSharedPrefs(Context context, String name, String password)
+{
+	{
+		// BAD - save sensitive information in cleartext
+		SharedPreferences sharedPrefs = context.getSharedPreferences("user_prefs", Context.MODE_PRIVATE);
+		Editor editor = sharedPrefs.edit();
+		editor.putString("name", name);
+		editor.putString("password", password);
+		editor.commit();
+	}
+
+	{
+		// GOOD - save sensitive information in encrypted format
+		SharedPreferences sharedPrefs = context.getSharedPreferences("user_prefs", Context.MODE_PRIVATE);
+		Editor editor = sharedPrefs.edit();
+		editor.putString("name", encrypt(name));
+		editor.putString("password", encrypt(password));
+		editor.commit();
+	}
+
+	{
+		// GOOD - save sensitive information using the built-in `EncryptedSharedPreferences` class in androidx.
+		MasterKey masterKey = new MasterKey.Builder(context, MasterKey.DEFAULT_MASTER_KEY_ALIAS)
+			.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
+			.build();
+
+		SharedPreferences sharedPreferences = EncryptedSharedPreferences.create(
+			context,
+			"secret_shared_prefs",
+			masterKey,
+			EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
+			EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
+
+		SharedPreferences.Editor editor = sharedPreferences.edit();
+		editor.putString("name", name);
+		editor.putString("password", password);
+		editor.commit();
+	}
+}

java/ql/src/experimental/Security/CWE/CWE-312/CleartextStorageSharedPrefs.qhelp

@@ -0,0 +1,40 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      <code>SharedPreferences</code> is an Android API that stores application preferences using simple sets of data values. Almost every Android application uses this API. It allows to easily save, alter, and retrieve the values stored in the user's profile. However, sensitive information should not be saved in cleartext. Otherwise it can be accessed by any process or user on rooted devices, or can be disclosed through chained vulnerabilities e.g. unexpected access to its private storage through exposed components. 
+    </p>
+  </overview>
+
+  <recommendation>
+    <p>
+      Use the <code>EncryptedSharedPreferences</code> API or other encryption algorithms for storing sensitive information.
+    </p>
+  </recommendation>
+
+  <example>
+    <p>
+      In the first example, sensitive user information is stored in cleartext.
+    </p>
+
+    <p>
+      In the second and third examples, the code encrypts sensitive information before saving it to the device.
+    </p>
+    <sample src="CleartextStorageSharedPrefs.java" />
+  </example>
+
+  <references>
+    <li>
+      CWE:
+      <a href="https://cwe.mitre.org/data/definitions/312.html">CWE-312: Cleartext Storage of Sensitive Information</a>
+    </li>
+    <li>
+      Android Developers:
+      <a href="https://developer.android.com/topic/security/data">Work with data more securely</a>
+    </li>
+    <li>
+      ProAndroidDev:
+      <a href="https://proandroiddev.com/encrypted-preferences-in-android-af57a89af7c8">Encrypted Preferences in Android</a>
+    </li>
+  </references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-312/CleartextStorageSharedPrefs.ql

@@ -0,0 +1,163 @@
+/**
+ * @name Cleartext storage of sensitive information using `SharedPreferences` on Android
+ * @description Cleartext Storage of Sensitive Information using SharedPreferences on Android allows access for users with root privileges or unexpected exposure from chained vulnerabilities.
+ * @kind problem
+ * @id java/android/cleartext-storage-shared-prefs
+ * @tags security
+ *       external/cwe/cwe-312
+ */
+
+import java
+import semmle.code.java.dataflow.DataFlow4
+import semmle.code.java.dataflow.DataFlow5
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.frameworks.android.Intent
+import semmle.code.java.frameworks.android.SharedPreferences
+import semmle.code.java.security.SensitiveActions
+
+/** Holds if the method call is a setter method of `SharedPreferences`. */
+private predicate sharedPreferencesInput(DataFlow::Node sharedPrefs, Expr input) {
+  exists(MethodAccess m |
+    m.getMethod() instanceof PutSharedPreferenceMethod and
+    input = m.getArgument(1) and
+    not exists(EncryptedValueFlowConfig conf | conf.hasFlow(_, DataFlow::exprNode(input))) and
+    sharedPrefs.asExpr() = m.getQualifier()
+  )
+}
+
+/** Holds if the method call is the store method of `SharedPreferences`. */
+private predicate sharedPreferencesStore(DataFlow::Node sharedPrefs, Expr store) {
+  exists(MethodAccess m |
+    m.getMethod() instanceof StoreSharedPreferenceMethod and
+    store = m and
+    sharedPrefs.asExpr() = m.getQualifier()
+  )
+}
+
+/** Flow from `SharedPreferences` to either a setter or a store method. */
+class SharedPreferencesFlowConfig extends DataFlow::Configuration {
+  SharedPreferencesFlowConfig() {
+    this = "CleartextStorageSharedPrefs::SharedPreferencesFlowConfig"
+  }
+
+  override predicate isSource(DataFlow::Node src) {
+    src.asExpr() instanceof SharedPreferencesEditorMethodAccess
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sharedPreferencesInput(sink, _) or
+    sharedPreferencesStore(sink, _)
+  }
+}
+
+/**
+ * Method call of encrypting sensitive information.
+ * As there are various implementations of encryption (reversible and non-reversible) from both JDK and third parties, this class simply checks method name to take a best guess to reduce false positives.
+ */
+class EncryptedSensitiveMethodAccess extends MethodAccess {
+  EncryptedSensitiveMethodAccess() {
+    this.getMethod().getName().toLowerCase().matches(["%encrypt%", "%hash%"])
+  }
+}
+
+/** Flow configuration of encrypting sensitive information. */
+class EncryptedValueFlowConfig extends DataFlow5::Configuration {
+  EncryptedValueFlowConfig() { this = "CleartextStorageSharedPrefs::EncryptedValueFlowConfig" }
+
+  override predicate isSource(DataFlow5::Node src) {
+    exists(EncryptedSensitiveMethodAccess ema | src.asExpr() = ema)
+  }
+
+  override predicate isSink(DataFlow5::Node sink) {
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof PutSharedPreferenceMethod and
+      sink.asExpr() = ma.getArgument(1)
+    )
+  }
+}
+
+/** Flow from the create method of `androidx.security.crypto.EncryptedSharedPreferences` to its instance. */
+private class EncryptedSharedPrefFlowConfig extends DataFlow4::Configuration {
+  EncryptedSharedPrefFlowConfig() {
+    this = "CleartextStorageSharedPrefs::EncryptedSharedPrefFlowConfig"
+  }
+
+  override predicate isSource(DataFlow4::Node src) {
+    src.asExpr().(MethodAccess).getMethod() instanceof CreateEncryptedSharedPreferencesMethod
+  }
+
+  override predicate isSink(DataFlow4::Node sink) {
+    sink.asExpr().getType() instanceof SharedPreferences
+  }
+}
+
+/** The call to get a `SharedPreferences.Editor` object, which can set shared preferences or be stored to device. */
+class SharedPreferencesEditorMethodAccess extends MethodAccess {
+  SharedPreferencesEditorMethodAccess() {
+    this.getMethod() instanceof GetSharedPreferencesEditorMethod and
+    not exists(
+      EncryptedSharedPrefFlowConfig config // not exists `SharedPreferences sharedPreferences = EncryptedSharedPreferences.create(...)`
+    |
+      config.hasFlow(_, DataFlow::exprNode(this.getQualifier()))
+    )
+  }
+
+  /** Gets an input, for example `password` in `editor.putString("password", password);`. */
+  Expr getAnInput() {
+    exists(SharedPreferencesFlowConfig conf, DataFlow::Node n |
+      sharedPreferencesInput(n, result) and
+      conf.hasFlow(DataFlow::exprNode(this), n)
+    )
+  }
+
+  /** Gets a store, for example `editor.commit();`. */
+  Expr getAStore() {
+    exists(SharedPreferencesFlowConfig conf, DataFlow::Node n |
+      sharedPreferencesStore(n, result) and
+      conf.hasFlow(DataFlow::exprNode(this), n)
+    )
+  }
+}
+
+/**
+ * Flow from sensitive expressions to shared preferences.
+ * Note it can be merged into `SensitiveSourceFlowConfig` of `Security/CWE/CWE-312/SensitiveStorage.qll` when this query is promoted from the experimental directory.
+ */
+private class SensitiveSharedPrefsFlowConfig extends TaintTracking::Configuration {
+  SensitiveSharedPrefsFlowConfig() {
+    this = "CleartextStorageSharedPrefs::SensitiveSharedPrefsFlowConfig"
+  }
+
+  override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SensitiveExpr }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess m |
+      m.getMethod() instanceof PutSharedPreferenceMethod and
+      sink.asExpr() = m.getArgument(1)
+    )
+  }
+}
+
+/** Class for shared preferences that may contain 'sensitive' information */
+class SensitiveSharedPrefsSource extends Expr {
+  SensitiveSharedPrefsSource() {
+    // SensitiveExpr is abstract, this lets us inherit from it without
+    // being a technical subclass
+    this instanceof SensitiveExpr
+  }
+
+  /** Holds if this source flows to the `sink`. */
+  predicate flowsTo(Expr sink) {
+    exists(SensitiveSharedPrefsFlowConfig conf |
+      conf.hasFlow(DataFlow::exprNode(this), DataFlow::exprNode(sink))
+    )
+  }
+}
+
+from SensitiveSharedPrefsSource data, SharedPreferencesEditorMethodAccess s, Expr input, Expr store
+where
+  input = s.getAnInput() and
+  store = s.getAStore() and
+  data.flowsTo(input)
+select store, "'SharedPreferences' class $@ containing $@ is stored here. Data was added $@.", s,
+  s.toString(), data, "sensitive data", input, "here"

java/ql/src/semmle/code/java/frameworks/android/SharedPreferences.qll

@@ -0,0 +1,57 @@
+/** Provides classes related to `android.content.SharedPreferences`. */
+
+import java
+
+/** The interface `android.content.SharedPreferences`. */
+class SharedPreferences extends Interface {
+  SharedPreferences() { this.hasQualifiedName("android.content", "SharedPreferences") }
+}
+
+/** The class `androidx.security.crypto.EncryptedSharedPreferences`, which implements `SharedPreferences` with encryption support. */
+class EncryptedSharedPreferences extends Class {
+  EncryptedSharedPreferences() {
+    this.hasQualifiedName("androidx.security.crypto", "EncryptedSharedPreferences")
+  }
+}
+
+/** The `create` method of `androidx.security.crypto.EncryptedSharedPreferences`. */
+class CreateEncryptedSharedPreferencesMethod extends Method {
+  CreateEncryptedSharedPreferencesMethod() {
+    this.getDeclaringType() instanceof EncryptedSharedPreferences and
+    this.hasName("create")
+  }
+}
+
+/** The method `android.content.SharedPreferences::edit`, which returns an `android.content.SharedPreferences.Editor`. */
+class GetSharedPreferencesEditorMethod extends Method {
+  GetSharedPreferencesEditorMethod() {
+    this.getDeclaringType() instanceof SharedPreferences and
+    this.hasName("edit") and
+    this.getReturnType() instanceof SharedPreferencesEditor
+  }
+}
+
+/** The interface `android.content.SharedPreferences.Editor`. */
+class SharedPreferencesEditor extends Interface {
+  SharedPreferencesEditor() { this.hasQualifiedName("android.content", "SharedPreferences$Editor") }
+}
+
+/**
+ * A method that updates a key-value pair in a
+ * `android.content.SharedPreferences` through a `SharedPreferences.Editor`. The
+ * value is not written until a `StorePreferenceMethod` is called.
+ */
+class PutSharedPreferenceMethod extends Method {
+  PutSharedPreferenceMethod() {
+    this.getDeclaringType() instanceof SharedPreferencesEditor and
+    this.getName().matches("put%")
+  }
+}
+
+/** A method on `SharedPreferences.Editor` that writes the pending changes to the underlying `android.content.SharedPreferences`. */
+class StoreSharedPreferenceMethod extends Method {
+  StoreSharedPreferenceMethod() {
+    this.getDeclaringType() instanceof SharedPreferencesEditor and
+    this.hasName(["commit", "apply"])
+  }
+}

java/ql/test/experimental/query-tests/security/CWE-312/CleartextStorageSharedPrefs.expected

@@ -0,0 +1 @@
+| CleartextStorageSharedPrefs.java:19:3:19:17 | commit(...) | 'SharedPreferences' class $@ containing $@ is stored here. Data was added $@. | CleartextStorageSharedPrefs.java:16:19:16:36 | edit(...) | edit(...) | CleartextStorageSharedPrefs.java:18:32:18:39 | password | sensitive data | CleartextStorageSharedPrefs.java:18:32:18:39 | password | here |