[MASWE-0007] Sensitive Data Stored Unencrypted in Shared Storage Requiring No User Interaction

[cpholguera]

Description

Create a new risk for "Sensitive Data Stored Unencrypted in Shared Storage Requiring No User Interaction (MASVS-STORAGE-1)" using the following information:

Sensitive data may be stored in external locations (e.g. external storage, public folders, etc.) without encryption and may be accessible to other apps.

Create "risks/MASVS-STORAGE/1-***-****/data-unencrypted-shared-storage-no-user-interaction/risk.md" including the following content:

---
title: Sensitive Data Stored Unencrypted in Shared Storage Requiring No User Interaction
alias: data-unencrypted-shared-storage-no-user-interaction
platform: [android]
profiles: [L1, L2]
mappings:
  masvs-v1: [MSTG-STORAGE-2]
  masvs-v2: [MASVS-STORAGE-1]
  mastg-v1: [MASTG-TEST-0052, MASTG-TEST-0001]

---

## Overview

## Impact

## Modes of Introduction

## Mitigations

To complete the sections follow the guidelines from Writing MASTG Risks & Tests

When creating the corresponding tests, use the following areas to guide you:

• in scoped storage (external storage, Android)
• in external storage (public folders e.g. SD card, Photos, Downloads, Caches, etc.)
• in external caches
• in app-crafted backups

MASTG v1 Refactoring:

If the risk has a MASVS v1 ID, you can use it to search for related tests in the MASTG and use them as input to define your risks and associated tests.

• MASTG-TEST-0052 - Testing Local Data Storage (ios)
• MASTG-TEST-0001 - Testing Local Storage for Sensitive Data (android)

Acceptance Criteria

• [ ] The risk has been created in the correct directory (risks/MASVS-STORAGE/1-***-****/data-unencrypted-external/risk.md)
• [ ] The risk content follows the guidelines
• [ ] At least one GitHub Issue has been created for the corresponding tests (derived from "Modes of Introduction")
• [ ] The risk indicates the related MASTG v1 tests in its metadata.

[titze]

Shouldn't

in app-crafted backups

be part of https://github.com/OWASP/owasp-mastg/issues/2542 (Sensitive Data Not Excluded From Backup)?

[cpholguera]

You are right @titze. Actually I'd say that belongs to https://github.com/OWASP/owasp-mastg/issues/2541

I'll update that, thank you!