Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Port MASTG-TEST-0052 (by @guardsquare) #3045

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Port MASTG-TEST-0052 (by @guardsquare) #3045

wants to merge 4 commits into from

Conversation

serek8
Copy link
Collaborator

@serek8 serek8 commented Nov 6, 2024

This PR closes #2929.

I split this test into 3:

  • Filesystem Content comparison => MASWE-0006
  • Static search for APIs => MASWE-0006
  • Keychain Security Policies => MASWE-0008

@serek8 serek8 marked this pull request as ready for review November 6, 2024 12:22
@serek8 serek8 requested a review from cpholguera January 13, 2025 13:43
cpholguera
cpholguera requested changes Jan 30, 2025
View reviewed changes
tests-beta/ios/MASVS-STORAGE/MASTG-TEST-0x52-3.md

## Steps

1. Run a static analysis (e.g. @MASTG-TOOL-0073) on the app binary, or use @MASTG-TOOL-0038 to dynamically verify the properties of the keychain items during the app runtime.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test needs to be split into static and dynamic

tests/ios/MASVS-STORAGE/MASTG-TEST-0052.md
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test still has something fundamental that we need to capture in a new test (or two): the app uses the Keychain API in 2 ways

  • to store data in the Keychain itself (the keychain wasn't designed for this but developers do it)
  • to encrypt data using keys from the Keychain and store it in private storage (envelope encryption)

tests-beta/ios/MASVS-STORAGE/MASTG-TEST-0x52-2.md

1. Run a static analysis tool such as @MASTG-TOOL-0073 on the app binary.

2. Search for APIs that indicates a use of Private Storage. This API includes:
Copy link
Collaborator

@cpholguera cpholguera Jan 26, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should add the use of encryption APIs for envelope encryption or the explicit use of insecure data protection classes (?)

cpholguera
cpholguera reviewed Jan 30, 2025
View reviewed changes
tests-beta/ios/MASVS-STORAGE/MASTG-TEST-0x52-1.md
@@ -0,0 +1,31 @@
---
platform: ios
title: Data Stored in Private Storage - Content Comparison Test
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Android test is called "Data Stored in the App Sandbox at Runtime" but we can discuss the naming. This test doesn't match the pattern we defined for dynamic tests: "Runtime Use …", It could be "Runtime Storage of ..." but let me know what you think please.

cpholguera
cpholguera reviewed Jan 30, 2025
View reviewed changes
tests-beta/ios/MASVS-STORAGE/MASTG-TEST-0x52-2.md
Comment on lines +19 to +22
- [UserDefaults](https://developer.apple.com/documentation/foundation/userdefaults)
- [documentDirectory](https://developer.apple.com/documentation/foundation/filemanager/searchpathdirectory/documentdirectory)
- [applicationSupportDirectory](https://developer.apple.com/documentation/foundation/filemanager/searchpathdirectory/applicationsupportdirectory)
- [userDomainMask](https://developer.apple.com/documentation/foundation/filemanager/searchpathdomainmask/1408037-userdomainmask)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- [UserDefaults](https://developer.apple.com/documentation/foundation/userdefaults)
- [documentDirectory](https://developer.apple.com/documentation/foundation/filemanager/searchpathdirectory/documentdirectory)
- [applicationSupportDirectory](https://developer.apple.com/documentation/foundation/filemanager/searchpathdirectory/applicationsupportdirectory)
- [userDomainMask](https://developer.apple.com/documentation/foundation/filemanager/searchpathdomainmask/1408037-userdomainmask)
- [`UserDefaults`](https://developer.apple.com/documentation/foundation/userdefaults)
- [`documentDirectory`](https://developer.apple.com/documentation/foundation/filemanager/searchpathdirectory/documentdirectory)
- [`applicationSupportDirectory`](https://developer.apple.com/documentation/foundation/filemanager/searchpathdirectory/applicationsupportdirectory)
- [`userDomainMask`](https://developer.apple.com/documentation/foundation/filemanager/searchpathdomainmask/1408037-userdomainmask)

cpholguera
cpholguera reviewed Jan 30, 2025
View reviewed changes
tests-beta/ios/MASVS-STORAGE/MASTG-TEST-0x52-1.md
title: Data Stored in Private Storage - Content Comparison Test
id: MASTG-TEST-0x52-1
type: [dynamic]
weakness: MASWE-0006
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add best-practices: for all these tests, they will be similar if not the same I guess

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cpholguera cpholguera cpholguera requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
changes-requested
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

MASTG v1->v2 MASTG-TEST-0052: Testing Local Data Storage (ios)
2 participants
@serek8 @cpholguera