Refine documentation for SDK method observations and data handling tests

Author: Diolor

demos/android/MASVS-PRIVACY/MASTG-DEMO-00de3/MASTG-DEMO-00de3.md

@@ -30,7 +30,7 @@ This sample collects the following [user data](https://support.google.com/google
 
 ## Observation
 
-The output shows all instances of `logEvent` calls to Firebase Analytics SDK that were found at runtime, along with the parameters being sent. A backtrace is also provided to help identify the location in the code.
+The output shows all instances of `logEvent` calls to the Firebase Analytics SDK found at runtime, along with the parameters sent. A backtrace is also provided to help identify the location in the code.
 
 {{ output.json }}
 

tests-beta/android/MASVS-PRIVACY/MASTG-TEST-02te1.md

@@ -11,16 +11,18 @@ profiles: [P]
 
 This test verifies whether an app references SDK (third-party library) APIs known to handle sensitive data.
 
-> Note: This tests detects only **potential** sensitive data handling. For **confirming** that actual user data are being shared, please refer to @MASTG-TEST-02te3.
+As a prerequisite, we need to identify the SDK APIs (methods) it uses as entry points for data collection by reviewing the library's documentation or codebase. For example, [FirebaseAnalytics](https://firebase.google.com/docs/analytics)'s class `com.google.firebase.analytics.FirebaseAnalytics` has the method `logEvent` used to log data. The method to look for would be `logEvent` in class `com.google.firebase.analytics.FirebaseAnalytics`.
+
+> Note: This test detects only **potential** sensitive data handling. For **confirming** that actual user data are being shared, please refer to @MASTG-TEST-02te3.
 
 ## Steps
 
-1. Identify common SDK APIs (methods) the SDK uses as entry points to collect data by researching the library's documentation online or its codebase. For example, if the library is `com.example.analytics` and it has a method `trackEvent(String eventName, Map<String, String> properties)` used to accept data, then the method to search for would be `com.example.analytics.trackEvent`.
-2. Run @MASTG-TECH-0014 to look for uses of these methods where sensitive data may be passed to the SDK.
+1. Use @MASTG-TECH-0013 to reverse engineer the app.
+2. Use @MASTG-TECH-0014 to look for uses of these methods where sensitive data may be passed to the SDK.
 
 ## Observation
 
-The output should contain a list of locations where SDK methods are called.
+The output should list the locations where SDK methods are called.
 
 ## Evaluation
 

tests-beta/android/MASVS-PRIVACY/MASTG-TEST-02te3.md

@@ -21,7 +21,7 @@ This test verifies whether an app is sending sensitive data to an embedded SDK (
 
 ## Observation
 
-The output should contain a list of the locations where SDK methods are called.
+The output should list the locations where SDK methods are called, their stacktrace (call hierarchy leading to the call), and the arguments (values) passed to the SDK method at runtime.
 
 ## Evaluation