New Risk - Backup Unencrypted [backup-unencrypted]

[cpholguera]

Description

Create a new risk for "Backup Unencrypted (MASVS-STORAGE-2)" using the following information:

The app may not encrypt sensitive data in backups, which may compromise data confidentiality.

Create "risks/MASVS-STORAGE/2-***-****/backup-unencrypted/risk.md" including the following content:

---
title: Backup Unencrypted
alias: backup-unencrypted
platform: [android]
profiles: [L2]
mappings:
  masvs-v1: [MSTG-STORAGE-8]
  masvs-v2: [MASVS-STORAGE-2, MASVS-PRIVACY-1]
  mastg-v1: [MASTG-TEST-0058, MASTG-TEST-0009]

---

## Overview

## Impact

## Modes of Introduction

## Mitigations

To complete the sections follow the guidelines from Writing MASTG Risks & Tests

Use at least the following references:

• https://developer.android.com/guide/topics/data/autobackup#define-device-conditions

When creating the corresponding tests, use the following areas to guide you:

• Backup Device Conditions clientSideEncryption and deviceToDeviceTransfer Not Checked (Android)

MASTG v1 Refactoring:

If the risk has a MASVS v1 ID, you can use it to search for related tests in the MASTG and use them as input to define your risks and associated tests.

• MASTG-TEST-0058 - Testing Backups for Sensitive Data (ios)
• MASTG-TEST-0009 - Testing Backups for Sensitive Data (android)

Acceptance Criteria

• [ ] The risk has been created in the correct directory (risks/MASVS-STORAGE/2-***-****/backup-unencrypted/risk.md)
• [ ] The risk content follows the guidelines
• [ ] At least one GitHub Issue has been created for the corresponding tests (derived from "Modes of Introduction")
• [ ] The risk indicates the related MASTG v1 tests in its metadata.

[cpholguera]

@e-a-security

[e-a-security]

First run-through:

Overview

Applications commonly store data for use, whether locally on the device, within external storage, or remotely in cloud storage. When stored data relates to sensitive information, such as a user's personal data or authentication keys and passwords, additional security measures can be applied to prevent the leaking of this sensitive data if the backup is accessed by someone other than the intended user.

Impact

An attacker with access to an application's backup file can retrieve any unencrypted data that the application has backed up. As a result, any sensitive data exposed can be used by the attacker in future attacks or be readily exploited.

Modes of Introduction

• Default Settings: Mobile OSs may not encrypt backup data by default, risking sensitive data exposure.
• Custom Solutions: Some developers' custom backup solutions may neglect proper data encryption.
• Third-party Services: Integration with third-party backup services without ensuring encryption can lead to vulnerabilities.
• Development Practices: Temporarily disabling encryption for debugging, then failing to re-enable it, leaves production backups unsecured.

Migration:

• Encrypt Backup Data: Ensure all backup data is encrypted using strong encryption algorithms before it is stored or transmitted. For iOS, use the APIs that enforce encryption during iCloud backups. For Android, utilize the Backup Service API with encryption enabled for cloud backups.
• Secure Backup Keys: Use the platform's keystore (iOS Keychain or Android Keystore) to securely store encryption keys. Never store keys within the backup data itself or in insecure locations.
• Backup Access Controls: Implement strict access controls for backup data. Ensure that only authorized users and systems can access or restore from backups.

Additional Nodes

Prerequisites --> identify-sensitive-data CVEs --> Off a couple google searches, found just this one so far, will locate more; I don't see many options based on some searching here: https://cve.mitre.org/cve/search_cve_list.html

• CVE-2023-36620, The app is missing the android:allowBackup="false" attribute in the manifest. This allows the user to backup the internal memory of the app to a PC. This gives the user access to the API token that is used to authenticate requests to the API. https://nvd.nist.gov/vuln/detail/CVE-2023-36620
• Similar example here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16835
• This one is interesting: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15340
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7133
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4172
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0979

Tests brainstorming:

• iOS: https://mas.owasp.org/MASTG/tests/ios/MASVS-STORAGE/MASTG-TEST-0058/ I can use sast section here for the iOS tests, I can specifically check for missing data protection api usage, verification of iCloud backup settings. The custom solutions/3rd party bullet points might be hard to create tests for (outside of potentially looking for basic known encryption libraries for backing up data.

• Android: https://mas.owasp.org/MASTG/tests/android/MASVS-STORAGE/MASTG-TEST-0009/ This section also provides great sast logic to get started on tests. Additionally specifically looking for insecure/missing usage of https://developer.android.com/guide/topics/data/autobackup#define-device-conditions

[e-a-security]

Complete. Just waiting to see best way to upload files / which branch / version we want these to go into.

Structure Overview

• risk.md: Contains a detailed overview of the unencrypted backup risk, its impact, modes of introduction, and migration strategies.
• android-backup-unencrypted-use: For Android applications using unencrypted backups.
  • rules: YAML files for static analysis checks.
  • example: Java and XML examples demonstrating risks and mitigation techniques.
• ios-backup-unencrypted-use: For iOS applications at risk of including sensitive data in unencrypted backups.
  • rules: detect_sensitive_data_storage.yaml: A Semgrep rule to identify potential storage of sensitive data in ways that might be included in backups. Encourages review to ensure data is encrypted and properly excluded from backups.
  • example: SensitiveDataStorageExample.swift: Demonstrates handling of data in ways that could be included in unencrypted backups, along with techniques to exclude or encrypt such data properly.
  • run.sh: Script to facilitate running static analysis against the Swift example code, providing findings that highlight areas needing secure data handling attention.

Removing these 2:

Originally these show how secure encrypted backup is done which is the opposite of the unencrypted code - it feels redundant with the unencrypted code

• android-backup-encrypted-use: For Android applications implementing encrypted backups.
  • rules: YAML files for static analysis to encourage encrypted backup configurations.
  • example: Examples showing how to configure encrypted backups in AndroidManifest.xml.
• ios-backup-encrypted-use: For iOS applications ensuring sensitive data is excluded or encrypted in backups.
  • rules: Markdown guide for manual review guidelines on excluding sensitive data from backups.
  • example: Swift examples for programmatically excluding files from iCloud backups.

iOS Unencrypted Rules

Patterns of Concern

• UserDefaults for Sensitive Data: Storing sensitive information, such as tokens or personal identifiers, in UserDefaults.
• FileManager for Direct File Creation: Using FileManager to directly create files without encrypting the data first.
• Loading Data with NSKeyedArchiver Without Secure Coding: Serializing objects using NSKeyedArchiver without requiring secure coding can lead to sensitive data being saved in an unencrypted form
• Core Data Persistent Stores Without Encryption: Configuring Core Data without file encryption, which can result in the database being easily accessible and readable outside of the application's secure context.
• Disabling File Protection: Explicitly setting file protection attributes to none, thereby disabling the built-in encryption iOS provides for file storage.

Android Unencrypted Rules

• Unencrypted Android Backups: Detects when the allowBackup attribute is enabled, potentially leading to unencrypted data backups.
• Cloud Backup of Sensitive Data: Flags potential inclusion of sensitive data in cloud backups without proper exclusion settings.
• SharedPreferences Sensitive Data: Identifies usage of SharedPreferences to store sensitive data, which might not be encrypted by default.
• Missing Encryption in Data Handling: Highlights instances where sensitive data might be handled without apparent encryption, indicating a potential risk.
• External Storage Sensitive Data: Warns about writing sensitive data to external storage, which can be accessed by any app with the right permissions, without encrypting the data first.

[e-a-security]

PR https://github.com/e-a-security/owasp-mastg/pull/1 https://github.com/e-a-security/owasp-mastg/tree/backup-unencrypted/risks/MASVS-STORAGE/backup-unencrypted

[cpholguera]

@e-a-security could you please open the PR against our master branch? Thank you!

[e-a-security]

@cpholguera Gotcha, done here: https://github.com/OWASP/owasp-mastg/pull/2604 Let me know if I should change anything else. Thank you very much :)

[cpholguera]

NEW! Please review and include info and reference: https://developer.android.com/privacy-and-security/risks/backup-leaks