OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

Uploading a picture without File Permissions #1778

Closed cpholguera closed 2 years ago

cpholguera commented 4 years ago

On Android it's possible for an app to request the user to select a picture and upload it without having to request read access to files. Add the corresponding API and info to

https://github.com/OWASP/owasp-mstg/blob/e6ddca17b0a95e521463cf66892a0e4496cd0e7d/Document/0x05h-Testing-Platform-Interaction.md#permission-analysis

Example app: LinkedIn

sushi2k commented 4 years ago

Same permission will be introduced in iOS. Both should be updated.

su-vikas commented 3 years ago

Can you provide a link for the APIs? Using linkedin as a search term doesn't help either.

For Android I found this one: https://developer.android.com/training/data-storage/shared/media#scoped_storage_enabled

Don't unnecessarily request storage-related permissions for devices that run Android 10 or higher. Your app can contribute to well-defined media collections, including the MediaStore.Downloads collection, without requesting any storage-related permissions. If you're developing a camera app, for example, you don't need to request storage-related permissions because your app owns the images that you're writing to the media store.

Is this the one?

su-vikas commented 3 years ago

For iOS, is it this one: https://developer.apple.com/documentation/photokit/requesting_authorization_to_access_photos?

Note

When using the UIImagePickerController to bring up the user's photo library, your app doesn't need to request permission explicitly.

cpholguera commented 3 years ago

The iOS one is right, exactly what I meant. But for Android it's not quite. Maybe something regarding ImagePicker as in iOS?

su-vikas commented 3 years ago

Seems in iOS 14 Apple introduced a replacement for UIImagePicker - PHPicker. I suppose in such a case we need to discuss both APIs and mention which iOS version supports it.

https://developer.apple.com/videos/play/wwdc2020/10652/
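The iOS flow discussed in the two comments above (the UIImagePickerController note and the iOS 14 PHPicker replacement), as an added example that is not part of this issue thread or of the MASTG itself. It shows a picture being picked for upload through the system picker, which runs out of process, so the app never calls PHPhotoLibrary.requestAuthorization and its Info.plist needs no NSPhotoLibraryUsageDescription. The class name and the upload(_:) hook are assumptions made for the example; the permission-analysis point for a tester is in the comments.

```swift
import UIKit
import PhotosUI

// Hypothetical screen that lets the user choose one picture to upload.
// No photo-library permission is requested anywhere in this class.
final class PictureUploadViewController: UIViewController {

    // Entry point: prefer PHPicker on iOS 14+, fall back to UIImagePickerController.
    func choosePicture() {
        if #available(iOS 14, *) {
            var config = PHPickerConfiguration()
            config.filter = .images          // only images are offered
            config.selectionLimit = 1        // single picture for the upload
            let picker = PHPickerViewController(configuration: config)
            picker.delegate = self
            present(picker, animated: true)
        } else {
            // Pre-iOS 14: the photo-library picker also needs no explicit permission.
            let picker = UIImagePickerController()
            picker.sourceType = .photoLibrary
            picker.delegate = self
            present(picker, animated: true)
        }
    }

    // Assumed upload hook; only the picked image reaches the app, nothing else
    // in the user's library is readable.
    func upload(_ image: UIImage) {
        // send `image` to the backend (left out of the example)
    }
}

// iOS 14+ path: the picker hands back item providers for the selected assets only.
@available(iOS 14, *)
extension PictureUploadViewController: PHPickerViewControllerDelegate {
    func picker(_ picker: PHPickerViewController, didFinishPicking results: [PHPickerResult]) {
        picker.dismiss(animated: true)
        guard let provider = results.first?.itemProvider,
              provider.canLoadObject(ofClass: UIImage.self) else { return }
        provider.loadObject(ofClass: UIImage.self) { object, _ in
            guard let image = object as? UIImage else { return }
            DispatchQueue.main.async { self.upload(image) }
        }
    }
}

// Pre-iOS 14 path: UIImagePickerController delivers the chosen image in the info dictionary.
extension PictureUploadViewController: UIImagePickerControllerDelegate, UINavigationControllerDelegate {
    func imagePickerController(_ picker: UIImagePickerController,
                               didFinishPickingMediaWithInfo info: [UIImagePickerController.InfoKey: Any]) {
        picker.dismiss(animated: true)
        guard let image = info[.originalImage] as? UIImage else { return }
        upload(image)
    }

    func imagePickerControllerDidCancel(_ picker: UIImagePickerController) {
        picker.dismiss(animated: true)
    }
}
```

When reviewing an app for the permission-analysis section, the check this illustrates is the inverse: an app that uploads user-selected pictures but declares NSPhotoLibraryUsageDescription and calls PHPhotoLibrary.requestAuthorization is asking for broader library access than the feature needs, since either picker above works without it.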

su-vikas commented 3 years ago

PR #1845 only covers iOS part. Android part is still open, as I haven't found the complete information yet. I will open a new PR for Android.

cpholguera commented 3 years ago

Anything new on this @su-vikas?