Open cpholguera opened 5 months ago
@e-a-security
First run-through:
Applications commonly store data for use, whether locally on the device, within external storage, or remotely in cloud storage. When stored data relates to sensitive information, such as a user's personal data or authentication keys and passwords, additional security measures can be applied to prevent the leaking of this sensitive data if the backup is accessed by someone other than the intended user.
An attacker with access to an application's backup file can retrieve any unencrypted data that the application has backed up. As a result, any sensitive data exposed can be used by the attacker in future attacks or be readily exploited.
Prerequisites --> identify-sensitive-data. CVEs --> Off a couple of Google searches, found just this one so far, will locate more; I don't see many options based on some searching here: https://cve.mitre.org/cve/search_cve_list.html
Tests brainstorming:
iOS: https://mas.owasp.org/MASTG/tests/ios/MASVS-STORAGE/MASTG-TEST-0058/ I can use the SAST section here for the iOS tests; I can specifically check for missing Data Protection API usage and verification of iCloud backup settings. The custom solutions/3rd party bullet points might be hard to create tests for (outside of potentially looking for basic known encryption libraries for backing up data).
Android: https://mas.owasp.org/MASTG/tests/android/MASVS-STORAGE/MASTG-TEST-0009/ This section also provides great SAST logic to get started on tests. Additionally, specifically looking for insecure/missing usage of https://developer.android.com/guide/topics/data/autobackup#define-device-conditions
Complete. Just waiting to see best way to upload files / which branch / version we want these to go into.
- risk.md: Contains a detailed overview of the unencrypted backup risk, its impact, modes of introduction, and migration strategies.
- android-backup-unencrypted-use: For Android applications using unencrypted backups.
  - rules: YAML files for static analysis checks.
  - example: Java and XML examples demonstrating risks and mitigation techniques.
- ios-backup-unencrypted-use: For iOS applications at risk of including sensitive data in unencrypted backups.
  - rules: detect_sensitive_data_storage.yaml: A Semgrep rule to identify potential storage of sensitive data in ways that might be included in backups. Encourages review to ensure data is encrypted and properly excluded from backups.
  - example: SensitiveDataStorageExample.swift: Demonstrates handling of data in ways that could be included in unencrypted backups, along with techniques to exclude or encrypt such data properly.
  - run.sh: Script to facilitate running static analysis against the Swift example code, providing findings that highlight areas needing secure data handling attention.

Originally these show how secure encrypted backup is done, which is the opposite of the unencrypted code - it feels redundant with the unencrypted code:

- android-backup-encrypted-use: For Android applications implementing encrypted backups.
  - rules: YAML files for static analysis to encourage encrypted backup configurations.
  - example: Examples showing how to configure encrypted backups in AndroidManifest.xml.
- ios-backup-encrypted-use: For iOS applications ensuring sensitive data is excluded or encrypted in backups.
  - rules: Markdown guide for manual review guidelines on excluding sensitive data from backups.
  - example: Swift examples for programmatically excluding files from iCloud backups.

@e-a-security could you please open the PR against our master branch? Thank you!
@cpholguera Gotcha, done here: https://github.com/OWASP/owasp-mastg/pull/2604 Let me know if I should change anything else. Thank you very much :)
NEW! Please review and include info and reference: https://developer.android.com/privacy-and-security/risks/backup-leaks
Description
Create a new risk for "Backup Unencrypted (MASVS-STORAGE-2)" using the following information:
The app may not encrypt sensitive data in backups, which may compromise data confidentiality.
Create "risks/MASVS-STORAGE/2-***-****/backup-unencrypted/risk.md" including the following content:
To complete the sections follow the guidelines from Writing MASTG Risks & Tests
Use at least the following references:
When creating the corresponding tests, use the following areas to guide you:
MASTG v1 Refactoring:
If the risk has a MASVS v1 ID, you can use it to search for related tests in the MASTG and use them as input to define your risks and associated tests.
Acceptance Criteria
risks/MASVS-STORAGE/2-***-****/backup-unencrypted/risk.md
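The Android Auto Backup configuration that the test brainstorming above points at (the define-device-conditions rules), as an added example that is not from this issue, the linked PR, or the MASTG: a manifest with backup enabled and no rules, beside one whose rules exclude known-sensitive files and require client-side encryption. The file names auth_tokens.xml and secrets.db are constructed placeholders.

```xml
<!-- AndroidManifest.xml (excerpt): weak configuration.
     Auto Backup is on with no rules, so every file, database and
     SharedPreferences entry is backed up, plaintext secrets included. -->
<application
    android:allowBackup="true">
</application>

<!-- AndroidManifest.xml (excerpt): hardened configuration.
     Backup stays on, but rule files decide what is included and when. -->
<application
    android:allowBackup="true"
    android:fullBackupContent="@xml/backup_rules"
    android:dataExtractionRules="@xml/data_extraction_rules">
</application>

<!-- res/xml/backup_rules.xml (used on Android 9 to 11):
     requireFlags="clientSideEncryption" means files under "." are only
     backed up when the device can encrypt the backup with a client-side
     key; the excludes keep the constructed secret files out regardless. -->
<full-backup-content>
    <include domain="file" path="." requireFlags="clientSideEncryption" />
    <exclude domain="sharedpref" path="auth_tokens.xml" />
    <exclude domain="database" path="secrets.db" />
</full-backup-content>

<!-- res/xml/data_extraction_rules.xml (used on Android 12 and later):
     disableIfNoEncryptionCapabilities="true" turns cloud backup off on
     devices that cannot encrypt it; excludes apply to both cloud backup
     and device-to-device transfer, which has no encryption requirement. -->
<data-extraction-rules>
    <cloud-backup disableIfNoEncryptionCapabilities="true">
        <include domain="file" path="." />
        <exclude domain="sharedpref" path="auth_tokens.xml" />
        <exclude domain="database" path="secrets.db" />
    </cloud-backup>
    <device-transfer>
        <include domain="file" path="." />
        <exclude domain="sharedpref" path="auth_tokens.xml" />
        <exclude domain="database" path="secrets.db" />
    </device-transfer>
</data-extraction-rules>
```

A SAST check for this risk would flag allowBackup="true" with neither rules attribute, and rule files whose includes lack the encryption requirement or whose excludes miss the files the app actually writes secrets to.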