Test cases in Android test harness for HTTP and HTTPS PII handlers

nogotofail/test/android/.gitignore

@@ -8,6 +8,7 @@ WORKSPACE
 # Generated files
 bin/
 gen/
+*.apk
 
 # Gradle files
 .gradle/

nogotofail/test/android/app/build.gradle

@@ -16,4 +16,8 @@ android {
             proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.txt'
         }
     }
+
+    dependencies {
+        compile 'com.google.android.gms:play-services:8.1.0'
+    }
 }

nogotofail/test/android/app/src/main/AndroidManifest.xml

@@ -24,6 +24,8 @@
         android:targetSdkVersion="21" />
 
     <uses-permission android:name="android.permission.INTERNET" />
+    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
+    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
 
     <application
         android:allowBackup="true"

nogotofail/test/android/app/src/main/java/net/nogotofail/mitmtester/BackgroundTestForHttpPii.java

@@ -0,0 +1,60 @@
+/*
+ * Copyright 2014 Google Inc. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package net.nogotofail.mitmtester;
+
+import android.content.Context;
+import android.location.Location;
+import com.google.android.gms.ads.identifier.AdvertisingIdClient;
+import net.nogotofail.mitmtester.util.ClientProperties;
+
+/**
+ * Extension of BackgroundTest class with awareness of application context.
+ * Note. Application context is needed to access system resources (Device IDs &
+ * location) and application resources (strings.xml).
+ */
+public abstract class BackgroundTestForHttpPii extends BackgroundTest {
+
+    protected static final String HTTP_TARGET = "http://android.com/";
+    protected static final String HTTPS_TARGET = "https://google.com/";
+    protected static final int CONNECTION_TIMEOUT = 10000;
+
+    protected String android_id, google_ad_id;
+    protected AdvertisingIdClient.Info advertising_info;
+    protected Location client_location;
+    protected String location_longitude, location_latitude;
+
+    private Context mContext;
+
+    protected BackgroundTestForHttpPii(Context app_context) {
+        mContext = app_context;
+    }
+
+    protected abstract void runTest() throws Exception;
+
+    protected Context getContext(){
+        return this.mContext;
+    }
+
+    protected void FetchPIITestData() {
+        android_id = ClientProperties.getAndroidId(mContext);
+        advertising_info = ClientProperties.getAdvertisingId(mContext);
+        google_ad_id = advertising_info.getId();
+        client_location = ClientProperties.getDeviceLocation(mContext);
+        location_longitude = String.valueOf(client_location.getLongitude());
+        location_latitude = String.valueOf(client_location.getLatitude());
+    }
+}

nogotofail/test/android/app/src/main/java/net/nogotofail/mitmtester/http/HttpPiiTest.java

@@ -0,0 +1,185 @@
+/*
+ * Copyright 2014 Google Inc. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package net.nogotofail.mitmtester.http;
+
+import net.nogotofail.mitmtester.BackgroundTestForHttpPii;
+
+import android.content.Context;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import org.apache.http.HttpResponse;
+import org.apache.http.client.HttpClient;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.entity.StringEntity;
+import org.apache.http.impl.client.DefaultHttpClient;
+import org.apache.http.message.BasicHeader;
+import org.apache.http.params.HttpConnectionParams;
+import org.apache.http.protocol.HTTP;
+import org.json.JSONObject;
+
+/*
+ *  HttpPiiTest simulates the scenario where PII appears
+ *  in the HTTP requests and responses.
+ */
+public class HttpPiiTest extends BackgroundTestForHttpPii {
+
+    HttpURLConnection connection = null;
+    URL url;
+
+    protected HttpPiiTest(Context app_context) {
+        super(app_context);
+    }
+    /**
+     * Runs tests with PII in HTTP request and responses.
+     */
+    @Override
+    protected void runTest() throws Exception {
+        // Retrieve PII for testing
+        FetchPIITestData();
+        // Run PII in clear-text (HTTP) query string
+        RunPiiQueryStringTest();
+        // Run PII in clear-text (HTTP) headers
+        RunPiiHeaderTest();
+        // Run PII in clear-text (HTTP) message body
+        RunPiiMessageBodyTest();
+    }
+
+    /**
+     * Runs tests inserting PII in request query strings.
+     */
+    protected void RunPiiQueryStringTest() throws Exception {
+        try {
+            // Send request with PII identifier in query string
+            url = new URL(HTTP_TARGET + "?google_ad_id=" + google_ad_id);
+            connection = (HttpURLConnection) url.openConnection();
+            connection.setConnectTimeout(CONNECTION_TIMEOUT);
+            connection.setReadTimeout(CONNECTION_TIMEOUT);
+            setProgressMessage("Issuing HTTP request with (clear-text) PII IDs in query string");
+            setTestResult(connection.getResponseCode() + " " + connection.getResponseMessage());
+            connection.disconnect();
+
+            // Send request with PII location in query string
+            url = new URL(HTTP_TARGET + "?longtitude=" + location_longitude +
+                    "&latitude=" + location_latitude);
+            connection = (HttpURLConnection) url.openConnection();
+            connection.setConnectTimeout(CONNECTION_TIMEOUT);
+            connection.setReadTimeout(CONNECTION_TIMEOUT);
+            setProgressMessage("Issuing HTTP request with (clear-text) PII location in query string");
+            setTestResult(connection.getResponseCode() + " " + connection.getResponseMessage());
+            connection.disconnect();
+        } catch (Exception e) {
+            setTestResult("Error: " + " " + e.getMessage());
+        } finally {
+            if (connection != null) {
+                connection.disconnect();
+            }
+        }
+    }
+
+    /**
+     * Runs tests inserting PII in request headers.
+     */
+    protected void RunPiiHeaderTest() throws Exception {
+        try {
+            // Send request with PII identifier in HTTP header
+            url = new URL(HTTP_TARGET);
+            connection = (HttpURLConnection) url.openConnection();
+            connection.setConnectTimeout(CONNECTION_TIMEOUT);
+            connection.setReadTimeout(CONNECTION_TIMEOUT);
+            connection.setRequestProperty("Header-Identifier", google_ad_id);
+            setProgressMessage("Issuing HTTP request with (clear-text) PII ID in header");
+            setTestResult(connection.getResponseCode() + " " + connection.getResponseMessage());
+            connection.disconnect();
+
+            // Send request with PII location in HTTP header
+            url = new URL(HTTP_TARGET);
+            connection = (HttpURLConnection) url.openConnection();
+            connection.setConnectTimeout(CONNECTION_TIMEOUT);
+            connection.setReadTimeout(CONNECTION_TIMEOUT);
+            connection.setRequestProperty("Header-Longitude", location_longitude);
+            connection.setRequestProperty("Header-Latitude", location_latitude);
+            setProgressMessage("Issuing HTTP request with (clear-text) PII location in header");
+            setTestResult(connection.getResponseCode() + " " + connection.getResponseMessage());
+            connection.disconnect();
+        }
+        finally {
+            if (connection != null) {
+                connection.disconnect();
+            }
+        }
+    }
+
+    /**
+     * Runs tests inserting PII in request and response message bodies.
+     */
+    protected void RunPiiMessageBodyTest() throws Exception {
+        HttpClient client = new DefaultHttpClient();
+        HttpConnectionParams.setConnectionTimeout(client.getParams(), CONNECTION_TIMEOUT); //Timeout Limit
+        HttpResponse response;
+        JSONObject json_data;
+        int response_code;
+        String response_message;
+
+        // Send PII identifier in HTTP POST request
+        try {
+            HttpPost post = new HttpPost(HTTP_TARGET);
+            json_data = new JSONObject();
+            json_data.put("google_ad_id", google_ad_id);
+            StringEntity se = new StringEntity(json_data.toString());
+            se.setContentType(new BasicHeader(HTTP.CONTENT_TYPE, "application/json"));
+            post.setEntity(se);
+            setProgressMessage("Issuing HTTP request with (clear-text) PII identifiers in " +
+                    "message body");
+            response = client.execute(post);
+
+            // Checking response
+            if(response!=null){
+                //Get the data in the entity
+                response_code = response.getStatusLine().getStatusCode();
+                response_message = response.getStatusLine().getReasonPhrase();
+                setTestResult(Integer.toString(response_code) + " " + response_message);
+            }
+        } catch(Exception e) {
+            e.printStackTrace();
+        }
+
+        // Send PII location in HTTP POST request
+        try {
+            HttpPost post = new HttpPost(HTTP_TARGET);
+            json_data = new JSONObject();
+            json_data.put("location_longitude", location_longitude);
+            json_data.put("location_latitude", location_latitude);
+            StringEntity se = new StringEntity(json_data.toString());
+            se.setContentType(new BasicHeader(HTTP.CONTENT_TYPE, "application/json"));
+            post.setEntity(se);
+            setProgressMessage("Issuing HTTP request with (clear-text) PII location in " +
+                    "message body");
+            response = client.execute(post);
+
+            // Checking response
+            if(response!=null){
+                //Get the data in the entity
+                response_code = response.getStatusLine().getStatusCode();
+                response_message = response.getStatusLine().getReasonPhrase();
+                setTestResult(Integer.toString(response_code) + " " + response_message);
+            }
+        } catch(Exception e) {
+            e.printStackTrace();
+        }
+    }
+
+}

nogotofail/test/android/app/src/main/java/net/nogotofail/mitmtester/http/HttpTestActivity.java

@@ -16,6 +16,7 @@
 
 package net.nogotofail.mitmtester.http;
 
+import android.content.Context;
 import android.os.Bundle;
 import android.view.View;
 import net.nogotofail.mitmtester.R;
@@ -29,11 +30,24 @@ protected void onCreate(Bundle savedInstanceState) {
 
     setContentView(R.layout.http_test_activity);
 
+    final Context app_context = this.getApplicationContext();
+
     findViewById(R.id.http_with_authorization).setOnClickListener(new View.OnClickListener() {
       @Override
       public void onClick(View v) {
         startTest(new CleartextHttpCredentialsTest());
       }
     });
+
+    findViewById(R.id.test_http_pii).setOnClickListener(new View.OnClickListener() {
+      @Override
+      public void onClick(View v) { startTest(new HttpPiiTest(app_context));
+      }
+    });
+
+    findViewById(R.id.test_https_pii).setOnClickListener(new View.OnClickListener() {
+      @Override
+      public void onClick(View v) { startTest(new HttpsPiiTest(app_context)); }
+    });
   }
 }