Merge pull request #15281 from joefarebrother/android-sensitive-ui-notif

Java: Add query for exposure of sensitive information to android notifiactions
2026-04-27 09:45:15 +02:00 · 2024-01-26 16:42:55 +00:00
parent 73130ec665 dedba1fc54
commit 031bd8bd0c
33 changed files with 887 additions and 596 deletions
--- a/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveNotifications.java
+++ b/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveNotifications.java
@@ -0,0 +1,8 @@
+// BAD: `password` is exposed in a notification.
+void confirmPassword(String password) {
+    NotificationManager manager = NotificationManager.from(this);
+    manager.send(
+        new Notification.Builder(this, CHANNEL_ID)
+        .setContentText("Your password is: " + password)
+        .build());
+}
--- a/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveNotifications.qhelp
+++ b/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveNotifications.qhelp
@@ -0,0 +1,34 @@
+<!DOCTYPE qhelp PUBLIC
+ "-//Semmle//qhelp//EN"
+ "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      Sensitive information such as passwords or two-factor authentication (2FA) codes should not be exposed in a system notification.
+      Notifications should not be considered secure, as other untrusted applications may be able to use a
+     <code>NotificationListenerService</code> to read the contents of notifications.
+    </p>
+  </overview>
+
+  <recommendation>
+    <p>
+    Do not expose sensitive data in notifications.
+    </p>
+  </recommendation>
+
+  <example>
+    <p>
+    In the following sample, the <code>password</code> is sent as part of a notification. 
+    This can allow another application to read this password.
+    </p>
+
+    <sample src="AndroidSensitiveNotifications.java"/>
+  </example>
+
+  <references>
+    <li>
+      OWASP Mobile Application Security: <a href="https://mas.owasp.org/MASTG/Android/0x05d-Testing-Data-Storage/#app-notifications">Android Data Storage - Application Notifications</a> 
+    </li>
+  </references>
+
+</qhelp>
--- a/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveNotifications.ql
+++ b/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveNotifications.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Exposure of sensitive information to notifications
+ * @id java/android/sensitive-notification
+ * @kind path-problem
+ * @description Sensitive information exposed in a system notification can be read by an unauthorized application.
+ * @problem.severity error
+ * @precision medium
+ * @security-severity 6.5
+ * @tags security
+ *       external/cwe/cwe-200
+ */
+
+import java
+import java
+import semmle.code.java.security.SensitiveUiQuery
+import NotificationTracking::PathGraph
+
+from NotificationTracking::PathNode source, NotificationTracking::PathNode sink
+where NotificationTracking::flowPath(source, sink)
+select sink, source, sink, "This $@ is exposed in a system notification.", source,
+  "sensitive information"
--- a/java/ql/src/change-notes/2024-01-15-android-sensitive-notification-query.md
+++ b/java/ql/src/change-notes/2024-01-15-android-sensitive-notification-query.md
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query `java/android/sensitive-notification` to detect instances of sensitive data being exposed through Android notifications.