Add more test cases covering the v1 MASTG-TEST-0048: RE Tools Detection (android) (by @appknox)#3848
Open
ScreaMy7 wants to merge 19 commits into
Open
Add more test cases covering the v1 MASTG-TEST-0048: RE Tools Detection (android) (by @appknox)#3848ScreaMy7 wants to merge 19 commits into
ScreaMy7 wants to merge 19 commits into
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR ports v1 MASTG-TEST-0048 (RE Tools Detection / dynamic instrumentation detection on Android) into MASTG v2 by adding two new resilience tests (Frida + Xposed/LSPosed), along with supporting Semgrep rules, pass/fail demos, and best-practice pages.
Changes:
- Added two new v2 Android resilience tests for runtime detection (and bypassability) of Frida and Xposed/LSPosed.
- Added Semgrep rules to statically detect common Frida/Xposed signature checks in code.
- Added correlated demos (pass/fail) illustrating static detection and runtime bypass via Frida scripts.
Reviewed changes
Copilot reviewed 24 out of 24 changed files in this pull request and generated 11 comments.
Show a summary per file
| File | Description |
|---|---|
| tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x48.md | New v2 test describing runtime Frida detection/bypass evaluation (dynamic hooks). |
| tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x49.md | New v2 test describing runtime Xposed/LSPosed detection/bypass evaluation (dynamic hooks). |
| rules/mastg-android-frida-detection.yml | New Semgrep rules for common Frida detection signatures (/proc, maps, default port, etc.). |
| rules/mastg-android-xposed-detection.yml | New Semgrep rules for common Xposed/LSPosed detection signatures (/proc/self/maps + stack inspection). |
| demos/android/MASVS-RESILIENCE/MASTG-DEMO-0x48/MASTG-DEMO-0x48.md | Pass demo doc for static Frida-detection identification via Semgrep. |
| demos/android/MASVS-RESILIENCE/MASTG-DEMO-0x48/MastgTest.kt | Kotlin sample implementing Frida detection routines. |
| demos/android/MASVS-RESILIENCE/MASTG-DEMO-0x48/MastgTest_reversed.java | Reverse-engineered Java artifact used for static analysis demos. |
| demos/android/MASVS-RESILIENCE/MASTG-DEMO-0x48/run.sh | Automation script to run Semgrep for the Frida-detection pass demo. |
| demos/android/MASVS-RESILIENCE/MASTG-DEMO-0x48/output.txt | Captured Semgrep output for the Frida-detection pass demo. |
| demos/android/MASVS-RESILIENCE/MASTG-DEMO-0x49/MASTG-DEMO-0x49.md | Fail demo doc for bypassing Frida detection. |
| demos/android/MASVS-RESILIENCE/MASTG-DEMO-0x49/script.js | Frida script intended to bypass the Frida detection routines. |
| demos/android/MASVS-RESILIENCE/MASTG-DEMO-0x49/run.sh | Automation script to run the Frida bypass demo. |
| demos/android/MASVS-RESILIENCE/MASTG-DEMO-0x49/output.txt | Captured runtime output for the Frida bypass demo. |
| demos/android/MASVS-RESILIENCE/MASTG-DEMO-0x4A/MASTG-DEMO-0x4A.md | Pass demo doc for static Xposed/LSPosed-detection identification via Semgrep. |
| demos/android/MASVS-RESILIENCE/MASTG-DEMO-0x4A/MastgTest.kt | Kotlin sample implementing Xposed/LSPosed detection routines. |
| demos/android/MASVS-RESILIENCE/MASTG-DEMO-0x4A/MastgTest_reversed.java | Reverse-engineered Java artifact used for static analysis demos. |
| demos/android/MASVS-RESILIENCE/MASTG-DEMO-0x4A/run.sh | Automation script to run Semgrep for the Xposed/LSPosed pass demo. |
| demos/android/MASVS-RESILIENCE/MASTG-DEMO-0x4A/output.txt | Captured Semgrep output for the Xposed/LSPosed pass demo. |
| demos/android/MASVS-RESILIENCE/MASTG-DEMO-0x4B/MASTG-DEMO-0x4B.md | Fail demo doc for bypassing Xposed/LSPosed detection via API hooking. |
| demos/android/MASVS-RESILIENCE/MASTG-DEMO-0x4B/script.js | Frida script implementing the bypass hooks for Xposed/LSPosed detection. |
| demos/android/MASVS-RESILIENCE/MASTG-DEMO-0x4B/run.sh | Automation script to run the Xposed/LSPosed bypass demo. |
| demos/android/MASVS-RESILIENCE/MASTG-DEMO-0x4B/output.txt | Captured runtime output for the Xposed/LSPosed bypass demo. |
| best-practices/MASTG-BEST-0x48.md | New best practice page for Frida instrumentation detection. |
| best-practices/MASTG-BEST-0x49.md | New best practice page for Xposed/LSPosed instrumentation detection. |
…rsion-safe bypass scripts
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR closes #3837
Description
Adds new MASVS-RESILIENCE content (TEST-0048) covering runtime detection of dynamic instrumentation frameworks (Frida and Xposed/LSPosed), with supporting demos, best practices, and static-analysis rules. For bypass demo I have used similar structure as #3692.
best-practice references (MASTG-BEST-0x48).
and best-practice references (MASTG-BEST-0x49).
MASTG-DEMO-0x49 (runtime bypass via Frida hooks + frida-server reconfiguration).
detection) and MASTG-DEMO-0x4B (runtime bypass via Frida hooks).
(mastg-android-frida-detection, mastg-android-xposed-detection).
Testing
Tested on Android 12 with LSPosed v1.9.2
Notes:
Modern alternatives such as Magisk/Zygisk module detection and native inline hook detection are planned as future TODO items.
AI Tool Disclosure
Check exactly one option.
If AI tools were used to generate or substantially modify code or text, complete the following.
For first-time contributors using AI tools.
Undisclosed use of AI tools will result in the PR being closed. Large rewrites or bulk changes generated by AI require explicit prior approval from the maintainers. Learn more in "Use of AI tools in contributions".
Contributor Checklist
Relevant documentation.
Contributors are expected to understand basic git and GitHub workflows, including forks, branches, commits, and pull requests. The project does not provide training. Pull requests that do not meet these minimum requirements may be closed without review.