fix remaining links to MAS components
cpholguera committed Aug 4, 2024
1 parent fe4b6d3 commit a6c0411
Showing 22 changed files with 57 additions and 25 deletions.
Expand Up @@ -840,7 +840,7 @@ Android apps can implement some of those obfuscation techniques using different
Learn more about Android obfuscation techniques:

- ["Security Hardening of Android Native Code"](https://darvincitech.wordpress.com/2020/01/07/security-hardening-of-android-native-code/) by Gautam Arvind
- ["APKiD: Fast Identification of AppShielding Products"](https://github.com/enovella/cve-bio-enovella/blob/master/slides/APKiD-NowSecure-Connect19-enovella.pdf) by Eduardo Novella
- ["APKiD: Fast Identification of AppShielding Products"](https://github.com/enovella/cve-bio-enovella/blob/master/slides/APKiD-NowSecure-Connect19-enovella.pdf) by Eduardo Novella (@MASTG-TOOL-0009)
- ["Challenges of Native Android Applications: Obfuscation and Vulnerabilities"](https://www.theses.fr/2020REN1S047.pdf) by Pierre Graux

#### Using ProGuard
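Review bot: the new parenthetical on the APKiD bullet reads as part of the author attribution ("by Eduardo Novella (@MASTG-TOOL-0009)"), which looks like a handle for the author rather than a cross-reference to the tool page. Since the bullet keeps its external slide-deck link and the tool page is a separate resource, move the reference out of the author clause, for example `by Eduardo Novella, see @MASTG-TOOL-0009`, or put the component reference in front of the link. This is also the only hunk in the commit that appends a reference instead of replacing a link, so it is worth confirming that is intended.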
2 changes: 1 addition & 1 deletion techniques/android/MASTG-TECH-0001.md
Expand Up @@ -25,7 +25,7 @@ bullhead:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:su:s0
```

> Only if you're working with an emulator you may alternatively restart adb with root permissions with the command `adb root` so next time you enter `adb shell` you'll have root access already. This also allows to transfer data bidirectionally between your host computer and the Android file system, even with access to locations where only the root user has access to (via `adb push/pull`). See more about data transfer in section "[Host-Device Data Transfer](MASTG-TECH-0002.md)" below.
> Only if you're working with an emulator you may alternatively restart adb with root permissions with the command `adb root` so next time you enter `adb shell` you'll have root access already. This also allows to transfer data bidirectionally between your host computer and the Android file system, even with access to locations where only the root user has access to (via `adb push/pull`). See more about data transfer in @MASTG-TECH-0002 below.
### Connect to Multiple Devices
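Review bot: `below` on the changed line is now misleading: the old text pointed at a section of the same document, but @MASTG-TECH-0002 resolves to a separate technique page, so there is nothing "below" to scroll to. Suggest `See @MASTG-TECH-0002 for more about data transfer.` While the line is being rewritten, `This also allows to transfer data` should read `This also allows you to transfer data`.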

2 changes: 1 addition & 1 deletion techniques/android/MASTG-TECH-0018.md
Expand Up @@ -87,7 +87,7 @@ To support both older and newer ARM processors, Android apps ship with multiple
- armeabi-v7a: This ABI extends armeabi to include several CPU instruction set extensions.
- arm64-v8a: ABI for ARMv8-based CPUs that support AArch64, the new 64-bit ARM architecture.

Most disassemblers can handle any of those architectures. Below, we'll be viewing the armeabi-v7a version (located in `HelloWord-JNI/lib/armeabi-v7a/libnative-lib.so`) in radare2 and in IDA Pro. See the section "[Reviewing Disassembled Native Code](MASTG-TECH-0024.md "Reviewing Disassembled Native Code")" below to learn on how to proceed when inspecting the disassembled native code.
Most disassemblers can handle any of those architectures. Below, we'll be viewing the armeabi-v7a version (located in `HelloWord-JNI/lib/armeabi-v7a/libnative-lib.so`) in radare2 and in IDA Pro. See @MASTG-TECH-0024 to learn on how to proceed when inspecting the disassembled native code.

## radare2
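Review bot: `to learn on how to proceed` should be `to learn how to proceed`; the line is already being rewritten, so fix it here rather than in a follow-up. The reference itself is right: dropping the old `below` qualifier is correct because @MASTG-TECH-0024 is a separate page, not a section of this one.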

4 changes: 2 additions & 2 deletions techniques/android/MASTG-TECH-0035.md
Expand Up @@ -3,7 +3,7 @@ title: JNI Tracing
platform: android
---

As detailed in section [Reviewing Disassembled Native Code](MASTG-TECH-0024.md), the first argument passed to every JNI function is a JNI interface pointer. This pointer contains a table of functions that allows native code to access the Android Runtime. Identifying calls to these functions can help with understanding library functionality, such as what strings are created or Java methods are called.
As detailed in @MASTG-TECH-0024, the first argument passed to every JNI function is a JNI interface pointer. This pointer contains a table of functions that allows native code to access the Android Runtime. Identifying calls to these functions can help with understanding library functionality, such as what strings are created or Java methods are called.

[jnitrace](https://github.com/chame1eon/jnitrace "jnitrace") is a Frida based tool similar to frida-trace which specifically targets the usage of Android's JNI API by native libraries, providing a convenient way to obtain JNI method traces including arguments and return values.

Expand All @@ -17,7 +17,7 @@ jnitrace -l libnative-lib.so sg.vantagepoint.helloworldjni
<img src="Images/Chapters/0x05c/jni_tracing_helloworldjni.png" width="100%" />

In the output you can see the trace of a call to `NewStringUTF` made from the native code (its return value is then given back to Java code, see section "[Reviewing Disassembled Native Code](MASTG-TECH-0024.md)" for more details). Note how similarly to frida-trace, the output is colorized helping to visually distinguish the different threads.
In the output you can see the trace of a call to `NewStringUTF` made from the native code (its return value is then given back to Java code, see @MASTG-TECH-0024 for more details). Note how similarly to frida-trace, the output is colorized helping to visually distinguish the different threads.

When tracing JNI API calls you can see the thread ID at the top, followed by the JNI method call including the method name, the input arguments and the return value. In the case of a call to a Java method from native code, the Java method arguments will also be supplied. Finally jnitrace will attempt to use the Frida backtracing library to show where the JNI call was made from.

2 changes: 1 addition & 1 deletion techniques/android/MASTG-TECH-0044.md
Expand Up @@ -182,7 +182,7 @@ In-memory search can be very useful to quickly know if certain data is located i

### Memory Dump

You can dump the app's process memory with @MASTG-TOOL-0038 and [Fridump](https://github.com/Nightbringer21/fridump "Fridump"). To take advantage of these tools on a non-rooted device, the Android app must be repackaged with `frida-gadget.so` and re-signed. A detailed explanation of this process can be found at @MASTG-TECH-0026. To use these tools on a rooted device, simply have frida-server installed and running.
You can dump the app's process memory with @MASTG-TOOL-0038 and @MASTG-TOOL-0106. To take advantage of these tools on a non-rooted device, the Android app must be repackaged with `frida-gadget.so` and re-signed. A detailed explanation of this process can be found at @MASTG-TECH-0026. To use these tools on a rooted device, simply have frida-server installed and running.

> Note: When using these tools, you might get several memory access violation errors which can normally be ignored. These tools inject a Frida agent and try to dump all the mapped memory of the app regardless of the access permissions (read/write/execute). Therefore, when the injected Frida agent tries to read a region that's not readable, it'll return the corresponding _memory access violation errors_. Refer to previous section "Memory Maps and Inspection" for more details.
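Review bot: the note on the last context line still points at `previous section "Memory Maps and Inspection"` as bare quoted text. That is an in-page section rather than a MAS component, so the `@` syntax does not apply, but it should at least become a markdown anchor link to that heading so it stays navigable; as it stands this file keeps exactly the kind of hand-written reference the commit message says it is cleaning up.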
2 changes: 1 addition & 1 deletion techniques/ios/MASTG-TECH-0055.md
Expand Up @@ -17,6 +17,6 @@ Finally, the app needs to be installed (sideloaded) and run with debugging commu
ios-deploy --bundle Payload/my-app.app -W -d
```

Refer to ["Installing Apps"](MASTG-TECH-0056.md) to learn about other installation methods. Some of them doesn't require you to have a macOS.
Refer to @MASTG-TECH-0056 to learn about other installation methods. Some of them doesn't require you to have a macOS.

> This repackaging method is enough for most use cases. For more advanced repackaging, refer to @MASTG-TECH-0092.
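Review bot: `Some of them doesn't require you to have a macOS` is ungrammatical; since the line is being rewritten anyway, change it to `Some of them don't require macOS`.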
2 changes: 1 addition & 1 deletion techniques/ios/MASTG-TECH-0076.md
Expand Up @@ -61,4 +61,4 @@ In our first step, we observed that the application verifies the input string on

<img src="Images/Chapters/0x06c/manual_reversing_ghidra_buttonclick_decompiled.png" width="600px" />

Now we have followed the complete flow and have all the information about the application flow. We also concluded that the hidden flag is present in a text label and in order to determine the value of the label, we need to revisit `viewDidLoad` function, and understand what is happening in the native function identified. Analysis of the native function is discussed in "[Reviewing Disassembled Native Code](MASTG-TECH-0077.md)".
Now we have followed the complete flow and have all the information about the application flow. We also concluded that the hidden flag is present in a text label and in order to determine the value of the label, we need to revisit `viewDidLoad` function, and understand what is happening in the native function identified. Analysis of the native function is discussed in @MASTG-TECH-0077.
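Review bot: `we need to revisit `viewDidLoad` function` is missing an article (`the `viewDidLoad` function`), and `have all the information about the application flow` repeats `flow` from the first clause; `Now we have followed the complete application flow.` says the same thing. Worth fixing while the line is being rewritten.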
2 changes: 1 addition & 1 deletion techniques/ios/MASTG-TECH-0077.md
Expand Up @@ -38,4 +38,4 @@ To determine the value of the hidden flag we need to know the return value of ea

<img src="Images/Chapters/0x06c/manual_reversing_ghidra_function_graph.png" width="100%" />

Manually analyzing all the native functions completely will be time consuming and might not be the wisest approach. In such a scenario using a [dynamic analysis](MASTG-TECH-0067.md) approach is highly recommended. For instance, by using the techniques like hooking or simply debugging the application, we can easily determine the returned values. Normally it's a good idea to use a dynamic analysis approach and then fallback to manually analyzing the functions in a feedback loop. This way you can benefit from both approaches at the same time while saving time and reducing effort.
Manually analyzing all the native functions completely will be time consuming and might not be the wisest approach. In such a scenario using a dynamic analysis approach is highly recommended (see @MASTG-TECH-0067). For instance, by using the techniques like hooking or simply debugging the application, we can easily determine the returned values. Normally it's a good idea to use a dynamic analysis approach and then fallback to manually analyzing the functions in a feedback loop. This way you can benefit from both approaches at the same time while saving time and reducing effort.
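Review bot: moving the reference into a parenthetical `(see @MASTG-TECH-0067)` is the right call, since a component ID cannot serve as link text the way the old markdown link did. Two small things on the same line: `fallback` is the noun, the verb is `fall back` (`then fall back to manually analyzing`), and `using the techniques like hooking` should be `using techniques like hooking`.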
2 changes: 1 addition & 1 deletion techniques/ios/MASTG-TECH-0088.md
Expand Up @@ -23,7 +23,7 @@ Note that in order to install an IPA on Corellium devices it has to be unencrypt

To use Unicorn's _full power_, we would need to implement all the necessary infrastructure which generally is readily available from the operating system, e.g. binary loader, linker and other dependencies or use another higher level frameworks such as [Qiling](https://qiling.io "Qiling") which leverages Unicorn to emulate CPU instructions, but understands the OS context. However, this is superfluous for this very localized challenge where only executing a small part of the binary will suffice.

While performing manual analysis in "[Reviewing Disassembled Native Code](MASTG-TECH-0077.md)", we determined that the function at address 0x1000080d4 is responsible for dynamically generating the secret string. As we're about to see, all the necessary code is pretty much self-contained in the binary, making this a perfect scenario to use a CPU emulator like Unicorn.
While performing manual analysis in @MASTG-TECH-0077, we determined that the function at address 0x1000080d4 is responsible for dynamically generating the secret string. As we're about to see, all the necessary code is pretty much self-contained in the binary, making this a perfect scenario to use a CPU emulator like Unicorn.

<img src="Images/Chapters/0x06c/manual_reversing_ghidra_native_disassembly.png" width="100%" />

2 changes: 1 addition & 1 deletion techniques/ios/MASTG-TECH-0089.md
Expand Up @@ -15,7 +15,7 @@ For Android, we used Angr's symbolic execution engine to solve a challenge. In t

> The Mach-O backend in Angr is not well-supported, but it works perfectly fine for our case.
While manually analyzing the code in the [Reviewing Disassembled Native Code](MASTG-TECH-0077.md "Reviewing Disassembled Native Code")" section, we reached a point where performing further manual analysis was cumbersome. The function at offset `0x1000080d4` was identified as the final target which contains the secret string.
While manually analyzing the code in @MASTG-TECH-0077, we reached a point where performing further manual analysis was cumbersome. The function at offset `0x1000080d4` was identified as the final target which contains the secret string.

If we revisit that function, we can see that it involves multiple sub-function calls and interestingly none of these functions have any dependencies on other library calls or system calls. This is a perfect case to use Angr's concrete execution engine. Follow the steps below to solve this challenge:
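Review bot: confirm there is a blank line between the `>` note (`The Mach-O backend in Angr is not well-supported...`) and the rewritten paragraph; the rendered diff shows none, and without it markdown treats the paragraph as a lazy continuation of the blockquote and renders it inside the note. Separately, the stray closing quotation mark that trailed the old link is gone with this rewrite, which is good.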

2 changes: 1 addition & 1 deletion techniques/ios/MASTG-TECH-0095.md
Expand Up @@ -5,7 +5,7 @@ platform: ios

## Frida

In section ["Execution Tracing"](MASTG-TECH-0085.md) we've used frida-trace when navigating to a website in Safari and found that the `initWithURL:` method is called to initialize a new URL request object. We can look up the declaration of this method on the [Apple Developer Website](https://developer.apple.com/documentation/foundation/nsbundle/1409352-initwithurl?language=objc "Apple Developer Website - initWithURL Instance Method"):
In @MASTG-TECH-0085 we've used frida-trace when navigating to a website in Safari and found that the `initWithURL:` method is called to initialize a new URL request object. We can look up the declaration of this method on the [Apple Developer Website](https://developer.apple.com/documentation/foundation/nsbundle/1409352-initwithurl?language=objc "Apple Developer Website - initWithURL Instance Method"):

```objectivec
- (instancetype)initWithURL:(NSURL *)url;
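Review bot: the Apple Developer link on the changed line points at `nsbundle/1409352-initwithurl`, i.e. `-[NSBundle initWithURL:]`, but the sentence describes the method as initializing "a new URL request object", which is `NSURLRequest`'s `initWithURL:`. The reference and the description disagree: either link the `NSURLRequest` documentation or state which class is meant. Not introduced by this commit, but since the line is being edited this is the moment to fix it.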
2 changes: 1 addition & 1 deletion techniques/ios/MASTG-TECH-0096.md
Expand Up @@ -168,7 +168,7 @@ In-memory search can be very useful to quickly know if certain data is located i

## Memory Dump

You can dump the app's process memory with @MASTG-TOOL-0038 and [Fridump](https://github.com/Nightbringer21/fridump "Fridump"). To take advantage of these tools on a non-jailbroken device, the Android app must be repackaged with `frida-gadget.so` and re-signed. A detailed explanation of this process is described in @MASTG-TECH-0079. To use these tools on a jailbroken phone, simply have frida-server installed and running.
You can dump the app's process memory with @MASTG-TOOL-0038 and @MASTG-TOOL-0106. To take advantage of these tools on a non-jailbroken device, the Android app must be repackaged with `frida-gadget.so` and re-signed. A detailed explanation of this process is described in @MASTG-TECH-0079. To use these tools on a jailbroken phone, simply have frida-server installed and running.

With objection it is possible to dump all memory of the running process on the device by using the command `memory dump all`.
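Review bot: this is the iOS technique (`techniques/ios/MASTG-TECH-0096.md`), yet the rewritten sentence still says `the Android app must be repackaged with `frida-gadget.so``. On a non-jailbroken iOS device it is the IPA that gets repackaged with the Frida Gadget, which is what @MASTG-TECH-0079, referenced in the same sentence, covers. Suggest `the iOS app must be repackaged with the Frida Gadget and re-signed`. The Android counterpart in `techniques/android/MASTG-TECH-0044.md` carries the identical wording in this commit, so the paragraph was most likely copied from there.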

2 changes: 1 addition & 1 deletion tests/android/MASVS-PLATFORM/MASTG-TEST-0028.md
Expand Up @@ -14,7 +14,7 @@ masvs_v1_levels:

Any existing [deep links](../../../Document/0x05h-Testing-Platform-Interaction.md#deep-links "Deep Links") (including App Links) can potentially increase the app attack surface. This [includes many risks](https://people.cs.vt.edu/gangwang/deep17.pdf) such as link hijacking, sensitive functionality exposure, etc.

- Before Android 12 (API level 31), if the app has any [non-verifiable links](https://developer.android.com/training/app-links/verify-site-associations#fix-errors), it can cause the system to not verify all Android App Links for that app.
- Before Android 12 (API level 31), if the app has any [non-verifiable links](https://developer.android.com/training/app-links/verify-android-applinks#fix-errors), it can cause the system to not verify all Android App Links for that app.
- Starting on Android 12 (API level 31), apps benefit from a [reduced attack surface](https://developer.android.com/training/app-links/deep-linking). A generic web intent resolves to the user's default browser app unless the target app is approved for the specific domain contained in that web intent.

All deep links must be enumerated and verified for correct website association. The actions they perform must be well tested, especially all input data, which should be deemed untrustworthy and thus should always be validated.
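Review bot: this hunk swaps an Android developer-site URL (`verify-site-associations` to `verify-android-applinks`), which is a fix to an external link rather than to a MAS component reference, so it falls outside what the commit message describes. Fine to keep, but either mention it in the message or split it out, and say why the old URL broke; the hunk on its own does not show that.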
2 changes: 1 addition & 1 deletion tests/android/MASVS-STORAGE/MASTG-TEST-0011.md
Expand Up @@ -271,7 +271,7 @@ There are various ways to analyze the memory of a process, e.g. live analysis vi

### Retrieving and Analyzing a Memory Dump

Whether you are using a rooted or a non-rooted device, you can dump the app's process memory with @MASTG-TOOL-0038 and [Fridump](https://github.com/Nightbringer21/fridump "Fridump"). You can find a detailed explanation of this process in @MASTG-TECH-0044, in the chapter "Tampering and Reverse Engineering on Android".
Whether you are using a rooted or a non-rooted device, you can dump the app's process memory with @MASTG-TOOL-0038 and @MASTG-TOOL-0106. You can find a detailed explanation of this process in @MASTG-TECH-0044, in the chapter "Tampering and Reverse Engineering on Android".

After the memory has been dumped (e.g. to a file called "memory"), depending on the nature of the data you're looking for, you'll need a set of different tools to process and analyze that memory dump. For instance, if you're focusing on strings, it might be sufficient for you to execute the command `strings` or `rabin2 -zz` to extract those strings.
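Review bot: the trailing qualifier `in the chapter "Tampering and Reverse Engineering on Android"` is now redundant: @MASTG-TECH-0044 resolves to its own page, and the chapter name is a leftover from the old book layout. End the sentence at `@MASTG-TECH-0044`. The iOS test in this same commit (`MASTG-TEST-0060`) already drops the extra qualifier, so this would make the two consistent.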

4 changes: 2 additions & 2 deletions tests/ios/MASVS-PLATFORM/MASTG-TEST-0070.md
Expand Up @@ -203,7 +203,7 @@ $ rabin2 -zq Telegram\ X.app/Telegram\ X | grep openURL
0x1000df772 35 34 openURL:options:completionHandler:
```

As expected, `openURL:options:completionHandler:` is among the ones found (remember that it might be also present because the app opens custom URL schemes). Next, to ensure that no sensitive information is being leaked you'll have to perform dynamic analysis and inspect the data being transmitted. Please refer to "[Identifying and Hooking the URL Handler Method](../MASVS-PLATFORM/MASTG-TEST-0075.md#identifying-and-hooking-the-url-handler-method "Identifying and Hooking the URL Handler Method")" for some examples on hooking and tracing this method.
As expected, `openURL:options:completionHandler:` is among the ones found (remember that it might be also present because the app opens custom URL schemes). Next, to ensure that no sensitive information is being leaked you'll have to perform dynamic analysis and inspect the data being transmitted. Please refer to @MASTG-TEST-0075 for some examples on hooking and tracing this method.

## Dynamic Analysis
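Review bot: replacing the anchored link with a bare @MASTG-TEST-0075 drops the `#identifying-and-hooking-the-url-handler-method` fragment, so the reader now lands at the top of a long test page instead of at the relevant section. Keep the section name in the prose, e.g. `Please refer to the "Identifying and Hooking the URL Handler Method" section of @MASTG-TEST-0075`, unless the component link syntax supports fragments.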

Expand Down Expand Up @@ -232,7 +232,7 @@ Unlike custom URL schemes, unfortunately you cannot test universal links from Sa

> To do it from Safari you will have to find an existing link on a website that once clicked, it will be recognized as a Universal Link. This can be a bit time consuming.
Alternatively you can also use Frida for this, see the section "[Performing URL Requests](../MASVS-PLATFORM/MASTG-TEST-0075.md#performing-url-requests)" for more details.
Alternatively you can also use Frida for this, see @MASTG-TEST-0075 for more details.

### Identifying Valid Universal Links
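Review bot: same loss of the section anchor as in the hunk above: the `#performing-url-requests` fragment is gone, so `see @MASTG-TEST-0075 for more details` no longer says where in that test to look. Suggest `see the "Performing URL Requests" section of @MASTG-TEST-0075`. Also confirm a blank line separates this line from the preceding `>` note; the rendered diff shows none, and without it the sentence is absorbed into the blockquote.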

4 changes: 2 additions & 2 deletions tests/ios/MASVS-STORAGE/MASTG-TEST-0060.md
Expand Up @@ -30,7 +30,7 @@ There are several approaches and tools available for dynamically testing the mem

### Retrieving and Analyzing a Memory Dump

Whether you are using a jailbroken or a non-jailbroken device, you can dump the app's process memory with @MASTG-TOOL-0038 and [Fridump](https://github.com/Nightbringer21/fridump "Fridump"). You can find a detailed explanation of this process in ["Memory Dump"](../../../techniques/android/MASTG-TECH-0044.md#memory-dump "Memory Dump").
Whether you are using a jailbroken or a non-jailbroken device, you can dump the app's process memory with @MASTG-TOOL-0038 and @MASTG-TOOL-0106. You can find a detailed explanation of this process in @MASTG-TECH-0044.

After the memory has been dumped (e.g. to a file called "memory"), depending on the nature of the data you're looking for, you'll need a set of different tools to process and analyze that memory dump. For instance, if you're focusing on strings, it might be sufficient for you to execute the command `strings` or `rabin2 -zz` to extract those strings.
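Review bot: this is an iOS test (`tests/ios/MASVS-STORAGE/MASTG-TEST-0060.md`), but the rewritten reference points at @MASTG-TECH-0044, the Android memory-dump technique (the old link path was `techniques/android/MASTG-TECH-0044.md#memory-dump`). The iOS counterpart, `techniques/ios/MASTG-TECH-0096.md`, has its own `## Memory Dump` section and is edited in this same commit, and the sentence already talks about jailbroken devices, so the reference should be @MASTG-TECH-0096. The `#memory-dump` fragment is also dropped; if the component syntax cannot carry a fragment, name the section in the prose.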

Expand Down Expand Up @@ -68,4 +68,4 @@ Usage: /[!bf] [arg] Search stuff (see 'e??search' for options)
By using @MASTG-TOOL-0036 you can analyze and inspect the app's memory while running and without needing to dump it. For example, you may run the previous search commands from r2frida and search the memory for a string, hexadecimal values, etc. When doing so, remember to prepend the search command (and any other r2frida specific commands) with a backslash `:` after starting the session with `r2 frida://usb//<name_of_your_app>`.
For more information, options and approaches, please refer to ["In-Memory Search"](../../../techniques/ios/MASTG-TECH-0096.md#in-memory-search "In-Memory Search").
For more information, options and approaches, please refer to @MASTG-TECH-0096.md.
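Review bot: `@MASTG-TECH-0096.md` keeps the `.md` suffix, unlike every other component reference in this commit. If the reference resolver matches IDs exactly, this one will not be turned into a link, and the trailing `.md.` reads oddly either way; drop the suffix. On the context line above, `prepend ... with a backslash `:`` is wrong: `:` is a colon, not a backslash (probably a leftover from the older `\` prefix), so it should say `with a colon `:``.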