feat(mobile): add unified Security Shepherd Android app#894
Open
SeanDuggan wants to merge 10 commits into
Replaces the collection of per-challenge standalone APKs with a single unified app (org.owasp.mobileshepherd) covering all 19 mobile modules: lessons and challenges for Client-Side Injection, Insecure Data Storage, Insecure Communication, Insufficient Cryptography, Reverse Engineering, Poor Authentication, Security Misconfiguration, Privacy Controls, Input Validation, Insecure Authorization, and Supply Chain.

Android app changes:
- New unified app with Navigation Component and ViewBinding
- Material Design 3 with dark mode support
- Full login/registration flow connected to the web platform
- Progress tracking and scoreboard integration
- Cheatsheets for all 19 modules
- CI workflow for Android lint and build

Server-side changes:
- Add MobileFlagGet, MobileFlagSubmit, MobileInsecureApi, MobileModuleFlags, MobileModuleProgress, MobileModuleStart, MobileRegister servlets
- Update MobileLogin servlet
- Update coreSchema.sql with mobile module tables and procedures
- Add i18n properties for mobile challenge/lesson strings
- Add Android lint and build GitHub Actions workflows
MobileFlagGet was calling Getter.hasPlayerStarted() as a DB fallback for the in-memory module-start cache, but this method does not exist in upstream's Getter class. Remove the fallback; the in-memory check in MobileModuleProgress.hasStarted() is sufficient.
…ster Fix Spotless violations:
- MobileLogin.java: convert CRLF to LF line endings
- MobileRegister.java: reflow Javadoc and method call line breaks
The previous version re-inserted 68 modules that already exist in the upstream schema, causing PRIMARY KEY violations during integration test DB setup and failing all IT tests. Replace with upstream coreSchema.sql and append only the 9 genuinely new mobile modules:
- Mobile Insecure Authorization (lesson)
- Mobile Insecure Communication (lesson + challenge)
- Mobile Security Misconfiguration (lesson + challenge)
- Mobile Input Validation (lesson)
- Mobile Privacy Controls (lesson)
- Mobile Supply Chain (lesson)
- Mobile Insufficient Cryptography (lesson)

incrementalRank values set to 105-113 (after upstream's highest rank of ~100) to avoid conflicts.
…edWhereClause testGetModuleStatusMenuWhenMobileOnlyOpen validates that every module in the DB belongs to either the web or mobile hardcoded category list. Our 7 new mobile categories were missing from the list, causing the test to fail with a count mismatch after openOnlyMobileCategories() was called.
getModulesJson() calls ResourceBundle.getString() for each module's moduleNameLangPointer and 'category.' + moduleCategoryLangPointer. Without these keys, a MissingResourceException is thrown mid-iteration, causing getModulesJson() to return an incomplete JSON array (missing the modules wrapper element), which breaks LevelsIT and GetterIT tests. Adds 9 module name keys and 7 category keys for the new modules added in coreSchema.sql.
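An added illustration of the failure mode this commit message describes, not code from Security Shepherd: a hypothetical getModulesJson() over a constructed in-memory ListResourceBundle, with a pre-flight check that lists every missing i18n key before any JSON is built, so a missing property surfaces as one clear error instead of a truncated array. The Module record, the key names and the JSON shape are assumptions.

```java
import java.util.*;
public class ModulesJsonCheck {
    // Hypothetical stand-in for a DB module row (assumed shape, not the project's class).
    record Module(String nameLangPointer, String categoryLangPointer) {}
    // Constructed in-memory bundle standing in for moduleNames.properties.
    static final ResourceBundle BUNDLE = new ListResourceBundle() {
        @Override protected Object[][] getContents() {
            return new Object[][] {
                {"insecure.data.storage", "Insecure Data Storage"},
                {"category.mobile.insecure.data.storage", "Mobile Insecure Data Storage"},
                {"mobile.supply.chain", "Mobile Supply Chain"},
                // deliberately no "category.mobile.supply.chain" entry: the missing-key case
            };
        }
    };
    // Pre-flight check: report every missing key at once instead of letting the first
    // MissingResourceException abort the loop and leave the JSON array unterminated.
    static List<String> missingKeys(List<Module> modules, ResourceBundle bundle) {
        List<String> missing = new ArrayList<>();
        for (Module m : modules) {
            if (!bundle.containsKey(m.nameLangPointer())) missing.add(m.nameLangPointer());
            String cat = "category." + m.categoryLangPointer();
            if (!bundle.containsKey(cat)) missing.add(cat);
        }
        return missing;
    }
    // Minimal JSON string escaping for the two characters that would break the output.
    static String esc(String s) { return s.replace("\\", "\\\\").replace("\"", "\\\""); }
    // Builds {"modules":[...]} only after the check passes: output is complete or absent.
    static String getModulesJson(List<Module> modules, ResourceBundle bundle) {
        List<String> missing = missingKeys(modules, bundle);
        if (!missing.isEmpty()) throw new IllegalStateException("missing i18n keys: " + missing);
        StringBuilder sb = new StringBuilder("{\"modules\":[");
        for (int i = 0; i < modules.size(); i++) {
            Module m = modules.get(i);
            if (i > 0) sb.append(',');
            sb.append("{\"name\":\"").append(esc(bundle.getString(m.nameLangPointer())))
              .append("\",\"category\":\"")
              .append(esc(bundle.getString("category." + m.categoryLangPointer()))).append("\"}");
        }
        return sb.append("]}").toString();
    }
    public static void main(String[] args) {
        List<Module> mods = List.of(
            new Module("insecure.data.storage", "mobile.insecure.data.storage"),
            new Module("mobile.supply.chain", "mobile.supply.chain"));
        System.out.println("missing: " + missingKeys(mods, BUNDLE));
        System.out.println(getModulesJson(mods.subList(0, 1), BUNDLE));
    }
}
```

Running missingKeys() over every module row as part of the IT setup would have flagged the absent category key directly rather than through a LevelsIT/GetterIT JSON mismatch.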
Delete 16 DB modules, their JSP pages, cheatsheet entries, locale keys and solutions that have no corresponding fragment in the Android app. These modules (Mobile Broken Crypto x4, Content Provider x2, Data Leakage x3, RE lesson+RE2+RE3, Untrusted Input, Poor Auth 2, IDS2+IDS3) were causing IT test failures in testGetModuleStatusMenuWhenMobileOnlyOpen because the DB module count diverged from what the Setter where-clause matched. Also add a dedicated DB module and cheatsheet entry for InsufficientCryptoChallengeFragment (previously mapped to the deleted Broken Crypto 1 row) and update MODULE_DB_IDS accordingly. Removes four empty categories from mobileModuleCategoryHardcodedWhereClause (Mobile Broken Crypto, Mobile Content Provider, Mobile Data Leakage, Mobile Security Decisions via Untrusted Input).
The RE lesson (LessonFragment / nav_lesson) exists on the Android app and maps to FlagValidator.Module.RE_LESSON in MainActivity. It was incorrectly removed in the previous commit. Restore:
- coreSchema.sql INSERT for module 2ab09c0c (Reverse Engineering lesson) and its cheatSheetCreate call
- reverse.engineering locale key in moduleNames.properties
- solutions.properties entry for 2ab09c0c
- The lesson JSP file 19753b94...
- MODULE_DB_IDS entry for re_lesson in MobileModuleFlags
The Content Provider Leakage module (5b461ebe...) was removed from coreSchema.sql when old mobile modules without app implementations were deleted. Replace it with the Client Side Injection lesson (335440fe...) which exists in the current schema and serves the same purpose in testCheckPlayerResultWhenModuleNotComplete.