update example and technique

risks/MASVS-PRIVACY/1-data-minimization/sensitive-data-in-network-traffic/android-data-in-traffic-capture/example-1/example.md

@@ -11,21 +11,19 @@ code: [kotlin]
 
 ### Steps
 
-First, we need to start the device, in this case, the Android emulator:
+1. Start the device, in this case, the Android emulator:
 
-```bash
-emulator -avd Pixel_3a_API_33_arm64-v8a -writable-system
-```
+    ```bash
+    emulator -avd Pixel_3a_API_33_arm64-v8a -writable-system
+    ```
 
-Now, we launch the app from Android Studio.
+2. Run mitmproxy with the custom script for logging sensitive data and dump the relevant traffic to a file.
 
-Before clicking anything, we run our mitmproxy with our custom script for logging sensitive data and dump the relevant traffic to a file.
+    {{ ../mitm_sensitive_logger.py }}
 
-{{ ../mitm_sensitive_logger.py }}
+    {{ run.sh }}
 
-{{ run.sh }}
-
-Now, we click the button in the app.
+3. Launch the app from Android Studio and click the button in the app.
 
 ### Observation
 

risks/MASVS-PRIVACY/1-data-minimization/sensitive-data-in-network-traffic/android-data-in-traffic-capture/test.md

@@ -12,9 +12,11 @@ type: [dynamic, network]
 
 ## Steps
 
-1. Start [logging sensitive data from network traffic](../../../../../techniques/android/MASTG-TECH-0100.md).
+1. Start the device.
 
-2. Launch and use the app going through the various workflows while inputting sensitive data wherever you can. Especially, places where you know that will trigger network traffic.
+2. Start [logging sensitive data from network traffic](../../../../../techniques/android/MASTG-TECH-0100.md).
+
+3. Launch and use the app going through the various workflows while inputting sensitive data wherever you can. Especially, places where you know that will trigger network traffic.
 
 ## Observation
 

techniques/android/MASTG-TECH-0100.md

@@ -12,7 +12,18 @@ Once with mitmproxy installed and your device configured to use it, you can crea
 
 from mitmproxy import http
 
-SENSITIVE_STRINGS = ["dummyPassword", "sampleUser"]
+# This data would come from another file and should be defined after identifying the data that is considered sensitive for this application.
+# For example by using the Google Play Store Data Safety section.
+SENSITIVE_DATA = {
+    "precise_location_latitude": "37.7749",
+    "precise_location_longitude": "-122.4194",
+    "name": "John Doe",
+    "email_address": "[email protected]",
+    "phone_number": "+11234567890",
+    "credit_card_number": "1234 5678 9012 3456"
+}
+
+SENSITIVE_STRINGS = SENSITIVE_DATA.values()
 
 def contains_sensitive_data(string):
     return any(sensitive in string for sensitive in SENSITIVE_STRINGS)
@@ -26,18 +37,16 @@ def process_flow(flow):
 
     if (contains_sensitive_data(url) or 
         contains_sensitive_data(request_body) or 
-        any(contains_sensitive_data(header) for header in request_headers.values()) or
-        any(contains_sensitive_data(header) for header in response_headers.values()) or
         contains_sensitive_data(response_body)):
         with open("sensitive_data.log", "a") as file:
             if flow.response:
-                file.write(f"RESPONSE URL: {flow.request.pretty_url}\n")
-                file.write(f"Response Headers: {flow.response.headers}\n")
-                file.write(f"Response Body: {flow.response.text}\n\n")
+                file.write(f"RESPONSE URL: {url}\n")
+                file.write(f"Response Headers: {response_headers}\n")
+                file.write(f"Response Body: {response_body}\n\n")
             else:
-                file.write(f"REQUEST URL: {flow.request.pretty_url}\n")
-                file.write(f"Request Headers: {flow.request.headers}\n")
-                file.write(f"Request Body: {flow.request.text}\n\n")
+                file.write(f"REQUEST URL: {url}\n")
+                file.write(f"Request Headers: {request_headers}\n")
+                file.write(f"Request Body: {request_body}\n\n")
 def request(flow: http.HTTPFlow):
     process_flow(flow)