
Add a test case to check for sensitive information hardcoded

Open crazykid95 opened this issue 4 years ago • 3 comments

Platform: Android, iOS

Description: This test case includes detecting the following issues from the source code of the app:

  • Hard-coded embedded sensitive information, for example: MSTG mentions hard-coding encryption keys in the source code at MSTG-CRYPTO-05, but developers can also embed other types of sensitive information like authentication information, sensitive tokens, app secret keys, etc.
  • Information about back-end infrastructure that is vulnerable, for example: hidden back-end endpoints, or a URL that leads to a misconfigured Google Firebase database.

crazykid95 avatar May 25 '20 05:05 crazykid95

Hi @crazykid95. Thanks for raising the issue! You are right, there is way more than keys, and some of the items you mentioned are covered in the static analysis part of iOS https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06d-Testing-Data-Storage.md#static-analysis and Android https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#static-analysis. The static analysis part of these sections could use some more (regex) patterns and tools to detect such information. If you have any ideas on how to detect such sensitive information please share here, then we can discuss and you could add a PR :-) For example MobSF is already getting URLs out of the APK and IPAs, maybe that's a way to start. Or also TruffleHog (if source code is provided).

sushi2k avatar May 25 '20 12:05 sushi2k

Hi @sushi2k Yes, what do you think if I create a PR to add a subsection named "App Package" under section https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#static-analysis for Android? (Like the "Local Storage", "KeyStore", "KeyChain", "Third Party libraries" subsections we have). The "App Package" subsection will make sure developers use regex to recursively search for sensitive information, endpoints, URL patterns, etc., after they unzip the APK package. And I will also add the use of MobSF to search for sensitive information into the dynamic analysis section as well.

crazykid95 avatar May 25 '20 13:05 crazykid95
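The regex sweep over an unzipped APK that sushi2k and crazykid95 discuss above, as an added example that is not part of the OWASP MSTG/MASTG project or of this thread. It builds a small constructed in-memory zip standing in for an APK (with planted sample values such as the AWS documentation example key ID and an invented Firebase hostname), walks every entry except the META-INF signature metadata, applies a handful of illustrative patterns (credential assignments, AWS key IDs, Firebase Realtime Database URLs, generic endpoints) and, TruffleHog-style, tags credential values whose Shannon entropy looks like a real token rather than a placeholder. The pattern set, file names and entropy threshold are all assumptions chosen for the example, not MSTG recommendations.

```python
"""Recursive regex sweep of an app package for hardcoded secrets and endpoints.

Added example, not MSTG/MASTG project code. The "APK" is a constructed
in-memory zip with planted sample values; patterns and threshold are assumptions.
"""
import io
import math
import re
import zipfile
from collections import Counter
from typing import Dict, List

# Illustrative patterns. Firebase URLs get their own label because an exposed
# Realtime Database host deserves a follow-up read-permission check; it is
# listed before the generic URL pattern so the more specific label wins.
PATTERNS = {
    "credential_assignment": re.compile(
        rb'(?i)(?:api[_-]?key|secret|token|password|passwd)["\']?\s*[=:]\s*["\']([^"\']{8,})["\']'),
    "aws_access_key_id": re.compile(rb'\bAKIA[0-9A-Z]{16}\b'),
    "firebase_url": re.compile(rb'https?://[a-z0-9-]+\.firebaseio\.com[/\w.-]*'),
    "url": re.compile(rb'https?://[\w.-]+(?:[:/][\w./?=&%-]*)?'),
}
ENTROPY_THRESHOLD = 4.0  # bits per byte; assumption, tune per code base


def shannon_entropy(s: bytes) -> float:
    """Bits per byte: 0 for a repeated char, 5.0 for 32 distinct chars."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_blob(path: str, data: bytes) -> List[Dict[str, str]]:
    """Apply every pattern to one file's bytes; one finding per distinct value."""
    findings, seen = [], set()
    for name, rx in PATTERNS.items():
        for m in rx.finditer(data):
            value = (m.group(1) if m.groups() else m.group(0)).decode("latin-1")
            if value in seen:
                continue  # e.g. a Firebase URL also matching the generic URL pattern
            seen.add(value)
            findings.append({"file": path, "type": name, "value": value})
    return findings


def scan_package(apk_bytes: bytes) -> List[Dict[str, str]]:
    """Walk every entry of the zip-format APK, skipping signature metadata."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or info.filename.startswith("META-INF/"):
                continue
            findings.extend(scan_blob(info.filename, apk.read(info)))
    # Separate real-looking tokens from placeholders such as "password123".
    for f in findings:
        if (f["type"] == "credential_assignment"
                and shannon_entropy(f["value"].encode()) > ENTROPY_THRESHOLD):
            f["type"] = "credential_assignment_high_entropy"
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for an unpacked APK; every value is made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("res/raw/config.json",
                   '{"api_key": "Zx9Qm2Lp7Kv4Rt8Wy3Nb6Jh1Fd5Gc0Sa", '
                   '"db": "https://example-app-12345.firebaseio.com/"}')
        z.writestr("assets/config.properties", 'admin.password = "password123"\n')
        z.writestr("assets/endpoints.txt", "https://api.example.internal/v1/admin\n")
        # Binary file: string constants in DEX are still worth sweeping.
        z.writestr("classes.dex", b"dex\n035\x00\x00AKIAIOSFODNN7EXAMPLE\x00")
        # Signature metadata is skipped, so this planted value must not be reported.
        z.writestr("META-INF/MANIFEST.MF", "Note: AKIAIOSFODNN7EXAMPLE\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_package(build_sample_apk()):
        print(f"{f['file']}: {f['type']} -> {f['value']}")
```

Point the script at a real package by replacing `build_sample_apk()` with the bytes of the APK under test; the entropy tag only ranks credential-assignment hits, so low-entropy matches are still reported and should be reviewed by hand rather than discarded.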

Hi @crazykid95, sorry about the late response, we were and are very busy with the new refactoring of both MASVS and MSTG.

Right now, as you mentioned, there's only one MASVS requirement mentioning something "hardcoded" (MSTG-CRYPTO-1). We're thinking about introducing a new V7 (MSTG-CODE) requirement for hardcoded sensitive information.

For now, it would be great if you could open the PR as you described. If needed we can move the content once the new MASVS requirement is available.

Thanks for noticing this!

cpholguera avatar Oct 17 '21 14:10 cpholguera