OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

[MSTG-CODE-2] Add a static analysis method for get-task-allow #2295

Closed cpholguera closed 1 year ago

cpholguera commented 1 year ago

Discussed in https://github.com/OWASP/owasp-mastg/discussions/2294

Originally posted by **sohsatoh** October 21, 2022

Currently, the static analysis section of MSTG-CODE-2 for iOS only describes methods for those who can access the source code. However, there is a way to check that `get-task-allow` is true in the entitlement using ldid. https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues?language=objc

Any thoughts on adding this to the Static Analysis section? (I wasn't sure whether I could submit a pull request directly, so I posted here.)
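The check sohsatoh describes, written out as an added example that is not part of this issue or of the MASTG: it assumes `ldid` is installed and that `ldid -e <binary>` prints the embedded entitlements as an XML plist, then parses that output for `get-task-allow` (the sample entitlements below are constructed, not taken from a real app).

```python
"""Static check for get-task-allow in an iOS binary's entitlements (MSTG-CODE-2).

Added example, not MASTG code. Assumes `ldid` is installed and that
`ldid -e <binary>` prints the embedded entitlements as an XML plist.
"""
import plistlib
import subprocess
import sys


def get_task_allow(entitlements_plist: bytes) -> bool:
    """Return True only if get-task-allow is present and set to <true/>.

    A missing key, <false/>, or empty ldid output (unsigned binary) all mean
    the app cannot be attached to by a debugger, which is what a release
    build should show.
    """
    if not entitlements_plist.strip():
        return False
    entitlements = plistlib.loads(entitlements_plist)
    return entitlements.get("get-task-allow") is True


def extract_entitlements(binary_path: str) -> bytes:
    """Dump the entitlements of a Mach-O binary with ldid (assumed installed)."""
    result = subprocess.run(["ldid", "-e", binary_path],
                            check=True, capture_output=True)
    return result.stdout


def check_binary(binary_path: str) -> bool:
    """True if the binary at binary_path ships with get-task-allow enabled."""
    return get_task_allow(extract_entitlements(binary_path))


# Constructed sample entitlements: a debug build and the matching release build
DEBUG_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>TEAMID.com.example.app</string>
    <key>get-task-allow</key>
    <true/>
</dict>
</plist>
"""
RELEASE_ENTITLEMENTS = DEBUG_ENTITLEMENTS.replace(b"<true/>", b"<false/>")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        flagged = check_binary(path)
        print(f"{path}: get-task-allow {'true (debuggable)' if flagged else 'not enabled'}")
```

Run it as `python3 check_get_task_allow.py Payload/App.app/App` on an unpacked IPA; a `true` result on a store build is the finding the MSTG-CODE-2 test is looking for.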
cpholguera commented 1 year ago

@sohsatoh Would you mind opening a PR for this?

It'd be great if you could shortly review the current content to see if there are any inaccuracies. Thanks a lot in advance!