diff --git a/docs/hooks/maswe-beta-banner.py b/docs/hooks/maswe-beta-banner.py index 524bd76a84..bfabbcdae9 100644 --- a/docs/hooks/maswe-beta-banner.py +++ b/docs/hooks/maswe-beta-banner.py 
@@ -1,21 +1,126 @@ import logging +import yaml import mkdocs.plugins +import glob +from collections import defaultdict log = logging.getLogger('mkdocs') +def get_v1_tests_data(): + + masvs_v1_tests_metadata = {} + + # Each test has an ID which is the filename + for file in glob.glob("tests/**/*.md", recursive=True): + with open(file, 'r') as f: + content = f.read() + frontmatter = next(yaml.load_all(content, Loader=yaml.FullLoader)) + # masvs category is frontmatter['masvs_v2_id'][0] without the final number. Example: MASVS-STORAGE-2 -> MASVS-STORAGE + masvs_category = frontmatter['masvs_v2_id'][0][:-2] + platform = frontmatter['platform'] + # get id from filename without extension + id = file.split('/')[-1].split('.')[0] + link = f"https://mas.owasp.org/MASTG/tests/{platform}/{masvs_category}/{id}/" + frontmatter['link'] = link + + masvs_v1_tests_metadata[id] = frontmatter + + # Populate the defaultdict with MASVS v1 IDs and corresponding MASTG-TEST IDs + masvs_v1_mapping = defaultdict(list) + for test_id, test_info in masvs_v1_tests_metadata.items(): + for masvs_id in test_info["masvs_v1_id"]: + masvs_v1_mapping[masvs_id].append(f"[{test_id}]({test_info['link']})") + + return masvs_v1_tests_metadata, masvs_v1_mapping + beta_banner = """ -!!! example "BETA" +??? example "Content in BETA" This content is in **beta** and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.). 
[:fontawesome-regular-paper-plane: Send Feedback](https://github.com/OWASP/owasp-mastg/discussions/categories/maswe-mastg-v2-beta-feedback) """ +def get_mastg_v1_coverage(meta): + mappings = meta.get('mappings', '') + + if mappings: + mastg_v1_tests_metadata, mastg_v1_mapping = get_v1_tests_data() + + masvs_v1_id = mappings.get('masvs-v1', '') + if len(masvs_v1_id) > 1: + raise ValueError(f"More than one MASVS v1 ID found: {masvs_v1_id}") + masvs_v1_id = masvs_v1_id[0] if masvs_v1_id else "" + mastg_v1_tests_map = mastg_v1_mapping.get(masvs_v1_id, []) + + mastg_v1_tests_map_list = [f"{test.split(']')[0].split('[')[1]}" for test in mastg_v1_tests_map] + mappings['mastg-v1'] = mastg_v1_tests_map_list + + mastg_v1_tests = "\n".join([f" - [{test} - {mastg_v1_tests_metadata[test]['title']} ({mastg_v1_tests_metadata[test]['platform']})]({mastg_v1_tests_metadata[test]['link']})" for test in mastg_v1_tests_map_list]) + if mastg_v1_tests == "": + mastg_v1_tests = " No MASTG v1 tests are related to this weakness." + return mastg_v1_tests + +def get_info_banner(meta): + + id = meta.get('id') + + refs = meta.get('refs', None) + refs_section = "" + if refs: + refs_section = " ## References\n\n" + refs_section += "\n".join([f" - <{ref}>" for ref in refs]) + + draft_info = meta.get('draft', None) + + description = draft_info.get('description', None) + + if draft_info.get('note', None): + description += "\n\n" + "> Note: " + draft_info.get('note', None) + + topics = draft_info.get('topics', None) + topics_section = "" + if topics: + topics_section = " ## Relevant Topics\n\n" + topics_section += "\n".join([f" - {topic}" for topic in topics]) + + mastg_v1_tests = get_mastg_v1_coverage(meta) + + info_banner = f""" +!!! warning "Draft Weakness" + + This weakness hasn't been created yet and it's in **draft**. But you can check its status or start working on it yourself. 
+ If the issue has not yet been assigned, you can request to be assigned to it and submit a PR with the new content for that weakness by following our [guidelines](https://docs.google.com/document/d/1EMsVdfrDBAu0gmjWAUEs60q-fWaOmDB5oecY9d9pOlg/edit?usp=sharing). + + :material-github: Check our GitHub Issues for {id} + + ## Initial Description or Hints + + {description} + +{topics_section} + +{refs_section} + + ## MASTG v1 Coverage + +{mastg_v1_tests} +""" + return info_banner + # https://www.mkdocs.org/dev-guide/plugins/#on_page_markdown @mkdocs.plugins.event_priority(-50) def on_page_markdown(markdown, page, **kwargs): path = page.file.src_uri + banners = [] + if any(substring in path for substring in ["MASWE/", "MASTG/tests-beta/", "MASTG/demos/"]): - markdown = f"{beta_banner}\n\n{markdown}" + banners.append(beta_banner) + + if "MASWE/" in path and page.meta.get('status') == 'draft': + banners.append(get_info_banner(page.meta)) + + if banners: + markdown = "\n\n".join(banners) + "\n\n" + markdown return markdown diff --git a/weaknesses/MASVS-AUTH/MASWE-0028.md b/weaknesses/MASVS-AUTH/MASWE-0028.md new file mode 100644 index 0000000000..d3a6e28d1e --- /dev/null +++ b/weaknesses/MASVS-AUTH/MASWE-0028.md @@ -0,0 +1,23 @@ +--- +title: MFA Implementation Best Practices Not Followed +id: MASWE-0028 +alias: mfa-best-practices +platform: [android, ios] +profiles: [L2] +mappings: + masvs-v1: [MSTG-AUTH-9] + masvs-v2: [MASVS-AUTH-3] + +draft: + description: e.g. not using auto-fill + topics: + - platform auto-fill from SMS + - use of Sign-in with Apple + - MFA best practices + - (IEEE) unreliable channels such as voice mails and phone numbers must be avoided + - is not enforced only locally but server-side + - check if relies on static responses from the remote endpoint such as `"message":"Success"` +status: draft + +--- + diff --git a/weaknesses/MASVS-AUTH/MASWE-0029.md b/weaknesses/MASVS-AUTH/MASWE-0029.md new file mode 100644 index 0000000000..405e672f99 --- /dev/null 
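Review bot: `get_info_banner` dereferences `draft_info` and concatenates onto `description` without guarding for `None`, so a page with `status: draft` but no `draft:` section, or a `draft:` that has a `note` but no `description`, aborts the build with an AttributeError/TypeError; defaulting both, `draft_info = meta.get('draft') or {}` and `description = draft_info.get('description') or ""`, keeps the banner rendering. In `get_v1_tests_data` the frontmatter only needs plain mappings, lists and scalars, so `frontmatter = next(yaml.safe_load_all(content))` is the conventional loader choice over `yaml.FullLoader`, and `open(file, 'r', encoding='utf-8')` avoids locale-dependent decoding on CI. `get_v1_tests_data()` is called from `get_mastg_v1_coverage` for every draft page, re-globbing and re-parsing every test file each time; a `functools.lru_cache` on it (or a module-level cache) would reduce the hook to one pass per build. The round trip of formatting `f"[{test_id}]({test_info['link']})"` into `masvs_v1_mapping` and then recovering the ID with `test.split(']')[0].split('[')[1]` is fragile — storing bare test IDs in the mapping and formatting at render time removes the string parsing, and `id = file.split('/')[-1].split('.')[0]` both shadows the builtin and assumes `/` separators (`os.path.splitext(os.path.basename(file))[0]` is portable).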
+++ b/weaknesses/MASVS-AUTH/MASWE-0029.md @@ -0,0 +1,31 @@ +--- +title: Step-Up Authentication Not Implemented After Login +id: MASWE-0029 +alias: step-up-auth +platform: [android, ios] +profiles: [L2] +mappings: + masvs-v1: [MSTG-AUTH-10] + masvs-v2: [MASVS-AUTH-3, MASVS-PLATFORM-3] + cwe: [306] + +refs: +- https://developer.apple.com/documentation/localauthentication +- https://auth0.com/blog/what-is-step-up-authentication-when-to-use-it/ +- https://tdcolvin.medium.com/is-firebase-auth-secure-dace0563d41b +- https://github.com/WICG/trust-token-api +- https://blog.cloudflare.com/eliminating-captchas-on-iphones-and-macs-using-new-standard/ +draft: + description: An example of step-up authentication is when a user is logged into + their bank account (with or without MFA) and requests an action that is considered + sensitive, such as the transfer of a large sum of money. In such cases, the user + will be required to provide additional information to authenticate their identity + (e.g. using MFA) and ensure only the legitimate user is requesting the action. + topics: + - (ioXt) UP107 App shall re-authenticate the user when displaying sensitive PII + data or conducting sensitive transactions. + - null +status: draft + +--- + diff --git a/weaknesses/MASVS-AUTH/MASWE-0030.md b/weaknesses/MASVS-AUTH/MASWE-0030.md new file mode 100644 index 0000000000..e64902abc0 --- /dev/null +++ b/weaknesses/MASVS-AUTH/MASWE-0030.md 
@@ -0,0 +1,26 @@ +--- +title: Re-Authenticates Not Triggered On Contextual State Changes +id: MASWE-0030 +alias: reauth-state-changes +platform: [android, ios] +profiles: [L2] +mappings: + masvs-v2: [MASVS-AUTH-3] + +refs: +- https://developers.google.com/identity/sign-in/android/disconnect +draft: + description: Re-authentication means forcing a new login after e.g. timeout, changing + state from running in the background to running in the foreground, remarkable + changes in a user's location, profile, etc. + topics: + - timeout + - changing state from running in the background to running in the foreground + - (IEEE) remarkable changes in a user's location + - ASVS V3.3 Session Logout and Timeout Requirements + - NIST 800-63 + - etc. +status: draft + +--- + diff --git a/weaknesses/MASVS-AUTH/MASWE-0031.md b/weaknesses/MASVS-AUTH/MASWE-0031.md new file mode 100644 index 0000000000..7635970bf3 --- /dev/null +++ b/weaknesses/MASVS-AUTH/MASWE-0031.md @@ -0,0 +1,19 @@ +--- +title: Insecure use of Android Protected Confirmation +id: MASWE-0031 +alias: insecure-android-confirmation +platform: [android] +profiles: [L2] +mappings: + masvs-v2: [MASVS-AUTH-3] + +draft: + description: Android Protected Confirmation doesn't provide a secure information + channel for the user. Don't use it to display sensitive information that you wouldn't + ordinarily show on the user's device. + topics: + - Android Protected Confirmation +status: draft + +--- + diff --git a/weaknesses/MASVS-AUTH/MASWE-0032.md b/weaknesses/MASVS-AUTH/MASWE-0032.md new file mode 100644 index 0000000000..e100490122 --- /dev/null +++ b/weaknesses/MASVS-AUTH/MASWE-0032.md 
@@ -0,0 +1,36 @@ +--- +title: Platform-provided Authentication APIs Not Used +id: MASWE-0032 +alias: platform-auth-apis +platform: [android, ios] +profiles: [L2] +mappings: + masvs-v2: [MASVS-AUTH-1, MASVS-CODE-3] + +refs: +- https://developer.android.com/privacy-and-security/security-tips#Credentials +- https://developer.apple.com/documentation/security/password_autofill +- https://developer.apple.com/videos/play/wwdc2017/206 +- https://developer.android.com/guide/topics/text/autofill-optimize +draft: + description: AKA don't roll your own authentication security. Platform-provided + APIs are designed and implemented by experts who have deep knowledge of the platform's + security features and considerations. These APIs often incorporate security best + practices and are regularly updated to address new threats and vulnerabilities. + Not using platform-provided authentication APIs in mobile apps can result in security + vulnerabilities, inconsistent user experience, missed integration opportunities, + and increased development and maintenance efforts. + topics: + - credential auto-fill to avoid copy/paste + - correct use of Android AccountManager (e.g. invoke a cloud-based service and don't + store passwords on the device). AccountManager data stored in clear in some Android + versions. + - use of CREATOR afterretrieving an account with AccountManager + - use of Authentication Services framework on iOS + - iOS Password AutoFill streamlines logging into web services at your domain. However, + if you need to log into a third-party service, use ASWebAuthenticationSession + instead +status: draft + +--- + diff --git a/weaknesses/MASVS-AUTH/MASWE-0033.md b/weaknesses/MASVS-AUTH/MASWE-0033.md new file mode 100644 index 0000000000..25a9b93c88 --- /dev/null +++ b/weaknesses/MASVS-AUTH/MASWE-0033.md 
@@ -0,0 +1,33 @@ +--- +title: Authentication or Authorization Protocol Security Best Practices Not Followed +id: MASWE-0033 +alias: auth-protocol-best-practices +platform: [android, ios] +profiles: [L2] +mappings: + masvs-v2: [MASVS-AUTH-1] + +refs: +- https://mobidev.biz/blog/single-sign-on-sso-implementation-benefits-enterprise +- https://developers.google.com/identity/protocols/risc +- https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession/3237231-prefersephemeralwebbrowsersessio?language=objc +- https://developer.apple.com/videos/play/tech-talks/301 +- https://developers.google.com/identity/protocols/oauth2 +draft: + description: For example, when using oauth2, the app does not use PKCE, etc. See + RFC-8252. Focus on client-side best practices. + topics: + - best practices from RFC-8252 + - SSO -> OpenID Connect (OIDC) + - use of Google Service Accounts + - use of RISC + - use of Apple Redirect extensions for Enterprise + - using use SFAuthenticationSession (deprecated) instead of ASWebAuthenticationSession + - secure mutual authentication using X.509v3 certificates + - use of context to add security to authentication e.g. via IP or location data + - set prefersEphemeralWebBrowserSession to true before calling start for a session + on iOS +status: draft + +--- + diff --git a/weaknesses/MASVS-AUTH/MASWE-0034.md b/weaknesses/MASVS-AUTH/MASWE-0034.md new file mode 100644 index 0000000000..56e267fa51 --- /dev/null +++ b/weaknesses/MASVS-AUTH/MASWE-0034.md @@ -0,0 +1,17 @@ +--- +title: Insecure Implementation of Confirm Credentials +id: MASWE-0034 +alias: insecure-confirm-credentials +platform: [android] +profiles: [L2] +mappings: + masvs-v2: [MASVS-AUTH-1] + +draft: + description: https://mas.owasp.org/MASTG/tests/android/MASVS-AUTH/MASTG-TEST-0017/ + topics: + - Confirm Credentials +status: draft + +--- + 
diff --git a/weaknesses/MASVS-AUTH/MASWE-0035.md b/weaknesses/MASVS-AUTH/MASWE-0035.md new file mode 100644 index 0000000000..cb6fe9ad74 --- /dev/null +++ b/weaknesses/MASVS-AUTH/MASWE-0035.md @@ -0,0 +1,33 @@ +--- +title: Passwordless Authentication Not Implemented +id: MASWE-0035 +alias: no-passwordless-auth +platform: [android, ios] +profiles: [L2] +mappings: + masvs-v2: [MASVS-AUTH-1, MASVS-STORAGE-1] + +refs: +- https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication +- https://www.w3.org/TR/webauthn-2/ +- https://fidoalliance.org/white-paper-multi-device-fido-credentials/ +- https://developers.google.com/identity/fido +- https://developers.google.com/identity/fido#what_are_passkeys +- https://fidoalliance.org/developers/ +- https://fidoalliance.org/product-category/android-client/ +- https://fidoalliance.org/product-category/ios-client/ +- https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys +- https://techcommunity.microsoft.com/t5/azure-active-directory-identity/expansion-of-fido-standard-and-new-updates-for-microsoft/ba-p/3290633 +- https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_security_key_authentication_using_physical_keys +- https://developer.apple.com/videos/play/wwdc2021/10106/ +draft: + description: there's no use of passwordless authentication mechanisms e.g. passkeys + topics: + - passkeys or multi-device FIDO credentials + - WebAuthn/ASAuthorization + - use of Physical Security Keys which stored the public-private key pair on a physical + medium, such as a security card or a USB key +status: draft + +--- + diff --git a/weaknesses/MASVS-AUTH/MASWE-0036.md b/weaknesses/MASVS-AUTH/MASWE-0036.md new file mode 100644 index 0000000000..5c207a2201 --- /dev/null +++ b/weaknesses/MASVS-AUTH/MASWE-0036.md 
@@ -0,0 +1,28 @@ +--- +title: Authentication Material Stored Unencrypted on the Device +id: MASWE-0036 +alias: auth-material-unencrypted +platform: [android, ios] +profiles: [L1, L2] +mappings: + masvs-v2: [MASVS-AUTH-1, MASVS-STORAGE-1] + +refs: +- https://developers.google.com/identity/blockstore/android?hl=en +- https://cloud.google.com/docs/authentication/api-keys#securing_an_api_key +- https://cloud.google.com/docs/authentication/api-keys#adding_application_restrictions +- https://cloud.google.com/docs/authentication/best-practices-applications#semi-trusted_or_restricted_environments +- https://cloud.google.com/docs/authentication/best-practices-applications#security_considerations +- https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple/ +draft: + description: General authentication best practice. + topics: + - session IDs + - tokens + - passwords + - API keys + - use of sign-in with Apple/Google +status: draft + +--- + diff --git a/weaknesses/MASVS-AUTH/MASWE-0037.md b/weaknesses/MASVS-AUTH/MASWE-0037.md new file mode 100644 index 0000000000..48576a4e46 --- /dev/null +++ b/weaknesses/MASVS-AUTH/MASWE-0037.md @@ -0,0 +1,20 @@ +--- +title: Authentication Material Sent over Insecure Connections +id: MASWE-0037 +alias: auth-material-over-insecure-connections +platform: [android, ios] +profiles: [L1, L2] +mappings: + masvs-v2: [MASVS-AUTH-1, MASVS-NETWORK-1] + +draft: + description: General authentication best practice. + topics: + - session IDs + - tokens + - passwords + - API keys +status: draft + +--- + diff --git a/weaknesses/MASVS-AUTH/MASWE-0038.md b/weaknesses/MASVS-AUTH/MASWE-0038.md new file mode 100644 index 0000000000..df4d866198 --- /dev/null +++ b/weaknesses/MASVS-AUTH/MASWE-0038.md 
@@ -0,0 +1,26 @@ +--- +title: Authentication Tokens Not Validated +id: MASWE-0038 +alias: unvalidated-auth-tokens +platform: [android, ios] +profiles: [L1, L2] +mappings: + masvs-v1: [MSTG-AUTH-3] + masvs-v2: [MASVS-AUTH-1, MASVS-CODE-4] + +refs: +- https://developers.google.com/identity/sign-in/android/backend-auth#verify-the-integrity-of-the-id-token +- https://developers.google.com/identity/protocols/oauth2/openid-connect#validatinganidtoken +- https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens +draft: + description: e.g. oauth2/jwt client-side checks + topics: + - code grant + - expiration + - none algorithm + - PKCE + - implicit grant +status: draft + +--- + diff --git a/weaknesses/MASVS-AUTH/MASWE-0039.md b/weaknesses/MASVS-AUTH/MASWE-0039.md new file mode 100644 index 0000000000..94ef4c1d5f --- /dev/null +++ b/weaknesses/MASVS-AUTH/MASWE-0039.md @@ -0,0 +1,21 @@ +--- +title: Shared Web Credentials and Website-association Not Implemented +id: MASWE-0039 +alias: no-shared-web-credentials +platform: [android, ios] +profiles: [L2] +mappings: + masvs-v2: [MASVS-AUTH-1, MASVS-PLATFORM-1] + +refs: +- https://developer.apple.com/documentation/security/shared_web_credentials +draft: + description: Best practice for sharing credentials between apps and their website + counterparts. + topics: + - Website-association + - Shared Web Credentials +status: draft + +--- + diff --git a/weaknesses/MASVS-AUTH/MASWE-0040.md b/weaknesses/MASVS-AUTH/MASWE-0040.md new file mode 100644 index 0000000000..0e50ee3982 --- /dev/null +++ b/weaknesses/MASVS-AUTH/MASWE-0040.md 
@@ -0,0 +1,17 @@ +--- +title: Insecure Authentication in WebViews +id: MASWE-0040 +alias: insecure-webview-auth +platform: [android, ios] +profiles: [L1, L2] +mappings: + masvs-v2: [MASVS-AUTH-1, MASVS-PLATFORM-2] + +draft: + description: e.g. via WebView.getHttpAuthUsernamePassword / WebViewClient.onReceivedHttpAuthRequest + topics: + - Using WebView.getHttpAuthUsernamePassword / WebViewClient.onReceivedHttpAuthRequest +status: draft + +--- + diff --git a/weaknesses/MASVS-AUTH/MASWE-0041.md b/weaknesses/MASVS-AUTH/MASWE-0041.md new file mode 100644 index 0000000000..8b52d2abaa --- /dev/null +++ b/weaknesses/MASVS-AUTH/MASWE-0041.md @@ -0,0 +1,23 @@ +--- +title: Authentication Enforced Only Locally Instead of on the Server-side +id: MASWE-0041 +alias: local-auth-enforcement +platform: [android, ios] +profiles: [L1, L2] +mappings: + masvs-v1: [MSTG-AUTH-1] + masvs-v2: [MASVS-AUTH-2] + cwe: [603, 307, 287] + +draft: + description: General authentication best practice. Only for apps with connection. + The app performs local authentication involving the remote endpoint and according + to the platform best practices. + topics: + - (IEEE) Since client-side security controls are capable of being invaded, authentication + and authorization controls should be implemented on the server-side. + - biometry only used as part of MFA authentication and not as the only auth method +status: draft + +--- + diff --git a/weaknesses/MASVS-AUTH/MASWE-0042.md b/weaknesses/MASVS-AUTH/MASWE-0042.md new file mode 100644 index 0000000000..0ef1293a36 --- /dev/null +++ b/weaknesses/MASVS-AUTH/MASWE-0042.md 
@@ -0,0 +1,24 @@ +--- +title: Authorization Enforced Only Locally Instead of on the Server-side +id: MASWE-0042 +alias: local-authz-enforcement +platform: [android, ios] +profiles: [L1, L2] +mappings: + masvs-v1: [MSTG-AUTH-12] + masvs-v2: [MASVS-AUTH-2] + cwe: [284, 285, 862, 863] + +refs: +- https://developers.google.com/identity/smartlock-passwords/android/associate-apps-and-sites +draft: + description: General authentication best practice. Only for apps with connection. + topics: + - Authorization Enforced Locally + - use of oauth + - use of SharedWebcredentials + - use of WebAuthn/ASAuthorization +status: draft + +--- + diff --git a/weaknesses/MASVS-AUTH/MASWE-0043.md b/weaknesses/MASVS-AUTH/MASWE-0043.md new file mode 100644 index 0000000000..a4ef612bf7 --- /dev/null +++ b/weaknesses/MASVS-AUTH/MASWE-0043.md @@ -0,0 +1,19 @@ +--- +title: App Custom PIN Not Bound to Platform KeyStore +id: MASWE-0043 +alias: custom-pin-keystore +platform: [android, ios] +profiles: [L2] +mappings: + masvs-v2: [MASVS-AUTH-2, MASVS-CRYPTO-2] + +draft: + description: It's better to use the OS Local Auth / bind to a key stored in the + platform KeyStore. + topics: + - use the OS Local Auth + - binding to keys stored in the platform KeyStore +status: draft + +--- + diff --git a/weaknesses/MASVS-AUTH/MASWE-0044.md b/weaknesses/MASVS-AUTH/MASWE-0044.md new file mode 100644 index 0000000000..f88d598fd2 --- /dev/null +++ b/weaknesses/MASVS-AUTH/MASWE-0044.md 
@@ -0,0 +1,26 @@ +--- +title: Biometric Authentication is Event-bound +id: MASWE-0044 +alias: event-bound-biometric-auth +platform: [android, ios] +profiles: [L2] +mappings: + masvs-v1: [MSTG-AUTH-8] + masvs-v2: [MASVS-AUTH-2] + +refs: +- https://developer.android.com/training/sign-in/biometric-auth#crypto +- https://labs.withsecure.com/publications/how-secure-is-your-android-keystore-authentication +- https://developer.apple.com/documentation/localauthentication/accessing_keychain_items_with_face_id_or_touch_id +- https://github.com/sensepost/objection/issues/136#issuecomment-419664574 +- https://github.com/sensepost/objection/wiki/Understanding-the-iOS-Biometrics-Bypass +draft: + description: It should be based on unlock platform KeyStore / crypto, use CryptoObject + topics: + - no use of CryptoObject + - keychain items protected with access control flags such as kSecAccessControlTouchIDAny + or kSecAccessControlTouchIDCurrentSet +status: draft + +--- + diff --git a/weaknesses/MASVS-AUTH/MASWE-0045.md b/weaknesses/MASVS-AUTH/MASWE-0045.md new file mode 100644 index 0000000000..ec7f3a8d66 --- /dev/null +++ b/weaknesses/MASVS-AUTH/MASWE-0045.md @@ -0,0 +1,23 @@ +--- +title: Fallback to Non-biometric Credentials Allowed for Sensitive Transactions +id: MASWE-0045 +alias: no-biometric-fallback +platform: [android, ios] +profiles: [L2] +mappings: + masvs-v2: [MASVS-AUTH-2] + +refs: +- https://developer.android.com/training/sign-in/biometric-auth#allow-fallback +- https://developer.apple.com/documentation/localauthentication/logging_a_user_into_your_app_with_face_id_or_touch_id#3148834 +- https://developer.apple.com/documentation/localauthentication/lapolicy/deviceownerauthenticationwithbiometrics/ +draft: + description: e.g. via DEVICE_CREDENTIAL on Android and LAPolicy.deviceOwnerAuthentication + on iOS + topics: + - DEVICE_CREDENTIAL on Android + - LAPolicy.deviceOwnerAuthentication on iOS +status: draft + +--- + 
diff --git a/weaknesses/MASVS-AUTH/MASWE-0046.md b/weaknesses/MASVS-AUTH/MASWE-0046.md new file mode 100644 index 0000000000..463703032d --- /dev/null +++ b/weaknesses/MASVS-AUTH/MASWE-0046.md @@ -0,0 +1,22 @@ +--- +title: Crypto Keys Not Invalidated on New Biometric Enrollment +id: MASWE-0046 +alias: crypto-keys-biometric-enrollment +platform: [android, ios] +profiles: [L2] +mappings: + masvs-v2: [MASVS-AUTH-2, MASVS-CRYPTO-2] + +draft: + description: Biometric related crypto keys should be is invalidated by default whenever + new biometric enrollments are added. + topics: + - Enabled by default on Android but can be disabled by calling `setInvalidatedByBiometricEnrollment(false)` + - Disabled by default on iOS but can be enabled using `SecAccessControlCreateFlags.biometryCurrentSet` + (prev. `touchIDCurrentSet`) when setting access control (since iOS 9). This invalidates + keychain items when a fingerprint is added or removed. See kSecAccessControlTouchIDCurrentSet, + biometryCurrentSet. +status: draft + +--- + diff --git a/weaknesses/MASVS-CODE/MASWE-0075.md b/weaknesses/MASVS-CODE/MASWE-0075.md new file mode 100644 index 0000000000..e19d9bfc14 --- /dev/null +++ b/weaknesses/MASVS-CODE/MASWE-0075.md 
@@ -0,0 +1,25 @@ +--- +title: Enforced Updating Not Implemented +id: MASWE-0075 +alias: enforced-updating +platform: [android, ios] +profiles: [L2] +mappings: + masvs-v1: [MSTG-ARCH-9] + masvs-v2: [MASVS-CODE-2] + +refs: +- https://developer.android.com/guide/playcore/in-app-updates +- https://developer.android.com/reference/com/google/android/play/core/appupdate/AppUpdateManager +- https://medium.com/swlh/updating-users-to-the-latest-app-release-on-ios-ed96e4c76705 +- https://gist.github.com/DineshKachhot/f63fcebceca6351fc982cafd38f6f05c +draft: + description: Check if the app enforces updates e.g. via AppUpdateManager on Android. + However, the backend would be enforcing this and not only the app locally. + topics: + - AppUpdateManager on Android + - itunes check on app version on iOS +status: draft + +--- + diff --git a/weaknesses/MASVS-CODE/MASWE-0076.md b/weaknesses/MASVS-CODE/MASWE-0076.md new file mode 100644 index 0000000000..eb65f89c47 --- /dev/null +++ b/weaknesses/MASVS-CODE/MASWE-0076.md @@ -0,0 +1,23 @@ +--- +title: Dependencies with Known Vulnerabilities +id: MASWE-0076 +alias: known-vuln-deps +platform: [android, ios] +profiles: [L1, L2] +mappings: + masvs-v1: [MSTG-CODE-5] + masvs-v2: [MASVS-CODE-3] + +draft: + description: e.g. via dependency check and SBOM (software bill of materials) + topics: + - Frameworks on iOS + - Gradle dependencies on Android + - maven dependencies on Android + - cocoapods on iOS + - swift package manager on iOS + - carthage on iOS +status: draft + +--- + diff --git a/weaknesses/MASVS-CODE/MASWE-0077.md b/weaknesses/MASVS-CODE/MASWE-0077.md new file mode 100644 index 0000000000..59d55a2fa5 --- /dev/null +++ b/weaknesses/MASVS-CODE/MASWE-0077.md 
@@ -0,0 +1,20 @@ +--- +title: Running on a recent Platform Version Not Ensured +id: MASWE-0077 +alias: run-on-recent-platform-version +platform: [android, ios] +profiles: [L2] +mappings: + masvs-v2: [MASVS-CODE-1] + +draft: + description: e.g. via minSdkVersion on Android and MinimumOSVersion on iOS. with + this we Ensure services/components availability (MASVS-STORAGE-1), also the NSC/ATS + availability - Android > 7.0 / iOS > 9.0 (MASVS-NETWORK-1) and WebView secure + config (MASVS-PLATFORM-2). + topics: + - check the OS version +status: draft + +--- + diff --git a/weaknesses/MASVS-CODE/MASWE-0078.md b/weaknesses/MASVS-CODE/MASWE-0078.md new file mode 100644 index 0000000000..f450fb7b60 --- /dev/null +++ b/weaknesses/MASVS-CODE/MASWE-0078.md @@ -0,0 +1,19 @@ +--- +title: Latest Platform Version Not Targeted +id: MASWE-0078 +alias: target-latest-platform-version +platform: [android, ios] +profiles: [L2] +mappings: + masvs-v2: [MASVS-CODE-1] + +draft: + description: e.g. via targetSDK on Android The app should be targeting the latest + or sufficiently secure for the use-case. + topics: + - targetSDK on Android + - XCode version on iOS +status: draft + +--- + diff --git a/weaknesses/MASVS-CODE/MASWE-0079.md b/weaknesses/MASVS-CODE/MASWE-0079.md new file mode 100644 index 0000000000..01f4ed828a --- /dev/null +++ b/weaknesses/MASVS-CODE/MASWE-0079.md @@ -0,0 +1,18 @@ +--- +title: Unsafe Handling of Data from the Network +id: MASWE-0079 +alias: unsafe-network-data +platform: [android, ios] +profiles: [L1, L2] +mappings: + masvs-v2: [MASVS-CODE-4] + +draft: + description: Data received from the network should be treated as untrusted even + if it is received over a secure channel. + topics: + - network +status: draft + +--- + diff --git a/weaknesses/MASVS-CODE/MASWE-0080.md b/weaknesses/MASVS-CODE/MASWE-0080.md new file mode 100644 index 0000000000..c56b666e23 --- /dev/null +++ b/weaknesses/MASVS-CODE/MASWE-0080.md 
@@ -0,0 +1,21 @@ +--- +title: Unsafe Handling of Data from Backups +id: MASWE-0080 +alias: unsafe-backup-data +platform: [android, ios] +profiles: [L1, L2] +mappings: + masvs-v2: [MASVS-CODE-4] + +refs: +- https://developer.android.com/guide/topics/data/keyvaluebackup#RestoreVersion +draft: + description: e.g. on Android via android:fullBackupContent (Android 11-) or android:dataExtractionRules + (Android 12+). On iOS seek for isExcludedFromBackup and check for file operations + that reset backup exclusion. + topics: + - backups +status: draft + +--- + diff --git a/weaknesses/MASVS-CODE/MASWE-0081.md b/weaknesses/MASVS-CODE/MASWE-0081.md new file mode 100644 index 0000000000..decfa3d3d2 --- /dev/null +++ b/weaknesses/MASVS-CODE/MASWE-0081.md @@ -0,0 +1,19 @@ +--- +title: Unsafe Handling Of Data From External Interfaces +id: MASWE-0081 +alias: unsafe-external-data +platform: [android, ios] +profiles: [L1, L2] +mappings: + masvs-v2: [MASVS-CODE-4] + +draft: + description: When data is received from external interfaces (e.g. Bluetooth, NFC, + etc.), it should be treated as untrusted. + topics: + - Bluetooth + - NFC +status: draft + +--- + diff --git a/weaknesses/MASVS-CODE/MASWE-0082.md b/weaknesses/MASVS-CODE/MASWE-0082.md new file mode 100644 index 0000000000..b8b37f80df --- /dev/null +++ b/weaknesses/MASVS-CODE/MASWE-0082.md @@ -0,0 +1,22 @@ +--- +title: Unsafe Handling of Data From Local Storage +id: MASWE-0082 +alias: unsafe-local-storage +platform: [android, ios] +profiles: [L1, L2] +mappings: + masvs-v2: [MASVS-CODE-4] + +refs: +- https://developer.android.com/topic/security/risks/path-traversal +- https://developer.android.com/topic/security/risks/zip-path-traversal +draft: + description: When data is read from local storage, it should be treated as untrusted. + topics: + - Internal Storage + - External Storage + - UIDocumentPickerViewController used by the receiver app +status: draft + +--- + 
diff --git a/weaknesses/MASVS-CODE/MASWE-0083.md b/weaknesses/MASVS-CODE/MASWE-0083.md new file mode 100644 index 0000000000..d8f3ad6030 --- /dev/null +++ b/weaknesses/MASVS-CODE/MASWE-0083.md @@ -0,0 +1,21 @@ +--- +title: Unsafe Handling of Data From The User Interface +id: MASWE-0083 +alias: unsafe-ui-data +platform: [android, ios] +profiles: [L1, L2] +mappings: + masvs-v1: [MSTG-PLATFORM-2] + masvs-v2: [MASVS-CODE-4, MASVS-PLATFORM-3] + +draft: + description: e.g. text fields, QR codes, URLs, pasteboard, etc. + topics: + - text Fields + - QR Codes + - URLs + - Pasteboard +status: draft + +--- + diff --git a/weaknesses/MASVS-CODE/MASWE-0084.md b/weaknesses/MASVS-CODE/MASWE-0084.md new file mode 100644 index 0000000000..1aec403b68 --- /dev/null +++ b/weaknesses/MASVS-CODE/MASWE-0084.md @@ -0,0 +1,26 @@ +--- +title: Unsafe Handling of Data from IPC +id: MASWE-0084 +alias: unsafe-ipc-data +platform: [android, ios] +profiles: [L1, L2] +mappings: + masvs-v1: [MSTG-PLATFORM-2] + masvs-v2: [MASVS-CODE-4, MASVS-PLATFORM-1] + +draft: + description: e.g. received intents, broadcast receivers, URL validation, URL schemes, + etc. + topics: + - intents + - broadcast receivers + - content providers + - content URIs + - File Coordinator + - deep links + - app links + - custom schemes +status: draft + +--- + diff --git a/weaknesses/MASVS-CODE/MASWE-0085.md b/weaknesses/MASVS-CODE/MASWE-0085.md new file mode 100644 index 0000000000..89223e731e --- /dev/null +++ b/weaknesses/MASVS-CODE/MASWE-0085.md @@ -0,0 +1,18 @@ +--- +title: Unsafe Dynamic Code Loading +id: MASWE-0085 +alias: unsafe-code-loading +platform: [android, ios] +profiles: [L2] +mappings: + masvs-v2: [MASVS-CODE-4] + +draft: + description: e.g. when using dlopen, DexClassLoader, etc. + topics: + - dlopen + - DexClassLoader +status: draft + +--- + diff --git a/weaknesses/MASVS-CODE/MASWE-0086.md b/weaknesses/MASVS-CODE/MASWE-0086.md new file mode 100644 index 0000000000..a52118f2d1 --- /dev/null 
+++ b/weaknesses/MASVS-CODE/MASWE-0086.md @@ -0,0 +1,20 @@ +--- +title: SQL Injection +id: MASWE-0086 +alias: sql-injection +platform: [android, ios] +profiles: [L1, L2] +mappings: + masvs-v2: [MASVS-CODE-4] + +refs: +- https://developer.android.com/topic/security/risks/sql-injection +draft: + description: e.g. prepared statements with variable binding (i.e. parameterized + queries) + topics: + - not using prepared statements +status: draft + +--- + diff --git a/weaknesses/MASVS-CODE/MASWE-0087.md b/weaknesses/MASVS-CODE/MASWE-0087.md new file mode 100644 index 0000000000..7b4ad69339 --- /dev/null +++ b/weaknesses/MASVS-CODE/MASWE-0087.md @@ -0,0 +1,20 @@ +--- +title: Insecure Parsing and Escaping +id: MASWE-0087 +alias: insecure-parsing-escaping +platform: [android, ios] +profiles: [L2] +mappings: + masvs-v2: [MASVS-CODE-4] + +draft: + description: e.g. XML External Entity (XXE) attacks, X509 certificate parsing, character + escaping. + topics: + - XML + - x509 certificates + - character escaping +status: draft + +--- + diff --git a/weaknesses/MASVS-CODE/MASWE-0088.md b/weaknesses/MASVS-CODE/MASWE-0088.md new file mode 100644 index 0000000000..9c851cd261 --- /dev/null +++ b/weaknesses/MASVS-CODE/MASWE-0088.md @@ -0,0 +1,22 @@ +--- +title: Insecure Object Deserialization +id: MASWE-0088 +alias: insecure-deserialization +platform: [android, ios] +profiles: [L2] +mappings: + masvs-v2: [MASVS-CODE-4] + +draft: + description: e.g. XML, JSON, java.io.Serializable, Parcelable on Android or NSCoding + on iOS. + topics: + - XML + - JSON + - java.io.Serializable + - Parcelable + - NSCoding +status: draft + +--- + diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0009.md b/weaknesses/MASVS-CRYPTO/MASWE-0009.md new file mode 100644 index 0000000000..96386a32a1 --- /dev/null +++ b/weaknesses/MASVS-CRYPTO/MASWE-0009.md 
@@ -0,0 +1,22 @@
+---
+title: Weak Cryptographic Key Generation
+id: MASWE-0009
+alias: weak-crypto-key-generation
+platform: [android, ios]
+profiles: [L1, L2]
+mappings:
+ masvs-v1: [MSTG-CRYPTO-2]
+ masvs-v2: [MASVS-CRYPTO-2]
+
+refs:
+- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
+- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
+draft:
+ description: e.g. 1024-bit RSA keys, 128-bit AES keys, 160-bit ECDSA keys, 80-bit
+ symmetric keys
+ topics:
+ - insufficient Key Length
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0010.md b/weaknesses/MASVS-CRYPTO/MASWE-0010.md
new file mode 100644
index 0000000000..be51528b4e
--- /dev/null
+++ b/weaknesses/MASVS-CRYPTO/MASWE-0010.md
@@ -0,0 +1,21 @@
+---
+title: Weak Cryptographic Key Derivation
+id: MASWE-0010
+alias: weak-crypto-key-derivation
+platform: [android, ios]
+profiles: [L1, L2]
+mappings:
+ masvs-v1: [MSTG-CRYPTO-2]
+ masvs-v2: [MASVS-CRYPTO-2]
+
+refs:
+- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
+draft:
+ description: e.g. PBKDF2 with insufficient iterations, lack of salt, etc.
+ topics:
+ - weak sources
+ - lack of salt encryption when doing PBKDF2
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0011.md b/weaknesses/MASVS-CRYPTO/MASWE-0011.md
new file mode 100644
index 0000000000..f1f6581b35
--- /dev/null
+++ b/weaknesses/MASVS-CRYPTO/MASWE-0011.md
@@ -0,0 +1,21 @@
+---
+title: Cryptographic Key Rotation Not Implemented
+id: MASWE-0011
+alias: no-key-rotation
+platform: [android, ios]
+profiles: [L2]
+mappings:
+ masvs-v2: [MASVS-CRYPTO-2]
+
+refs:
+- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
+- https://developers.google.com/tink/managing-key-rotation
+draft:
+ description: Key rotation is a best practice to limit the impact of a key compromise.
+ It is especially important for long-lived keys such as asymmetric keys.
+ topics:
+ - long-lived keys (cryptoperiods as per NIST.SP.800-57pt1r5)
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0012.md b/weaknesses/MASVS-CRYPTO/MASWE-0012.md
new file mode 100644
index 0000000000..4c2306fdc9
--- /dev/null
+++ b/weaknesses/MASVS-CRYPTO/MASWE-0012.md
@@ -0,0 +1,23 @@
+---
+title: Insecure or Wrong Usage of Cryptographic Key
+id: MASWE-0012
+alias: insecure-key-usage
+platform: [android, ios]
+profiles: [L2]
+mappings:
+ masvs-v1: [MSTG-CRYPTO-5]
+ masvs-v2: [MASVS-CRYPTO-2]
+
+refs:
+- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
+draft:
+ description: According to NIST.SP.800-57pt1r5, in general, a single key shall be
+ used for only one purpose (e.g., encryption, integrity, authentication, key wrapping,
+ random bit generation, or digital signatures)
+ topics:
+ - authorized key algorithm
+ - key reuse for different purposes or operations (encrypt, decrypt, sign,...)
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0013.md b/weaknesses/MASVS-CRYPTO/MASWE-0013.md
new file mode 100644
index 0000000000..eb36542681
--- /dev/null
+++ b/weaknesses/MASVS-CRYPTO/MASWE-0013.md
@@ -0,0 +1,21 @@
+---
+title: Hardcoded Cryptographic Keys in Use
+id: MASWE-0013
+alias: hardcoded-crypto-keys-usage
+platform: [android, ios]
+profiles: [L1, L2]
+mappings:
+ masvs-v1: [MSTG-CRYPTO-1]
+ masvs-v2: [MASVS-CRYPTO-2]
+
+refs:
+- https://developer.android.com/topic/security/risks/hardcoded-cryptographic-secrets
+draft:
+ description: One thing is to include hardcoded keys in the code, another is to use
+ them.
+ topics:
+ - hardcoded keys used at runtime
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0014.md b/weaknesses/MASVS-CRYPTO/MASWE-0014.md
new file mode 100644
index 0000000000..d4a87e04ab
--- /dev/null
+++ b/weaknesses/MASVS-CRYPTO/MASWE-0014.md
@@ -0,0 +1,25 @@
+---
+title: Cryptographic Keys Not Properly Protected at Rest
+id: MASWE-0014
+alias: crypto-keys-not-protected-at-rest
+platform: [android, ios]
+profiles: [L1, L2]
+mappings:
+ masvs-v1: [MSTG-STORAGE-1]
+ masvs-v2: [MASVS-CRYPTO-2, MASVS-STORAGE-1]
+
+refs:
+- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
+draft:
+ description: e.g. storing keys in SharedPreferences, storing keys in files, hardcoded
+ keys, etc.
+ topics:
+ - platform keystore (Android KeyStore / iOS KeyChain)
+ - TEE/SE
+ - Cryptographic Keys Not Encrypted with key from platform keystore. envelope encryption
+ (DEK+KEK) (considered "equivalent protection")
+ - Key Wrapping (NIST.SP.800-175Br1 5.3.5)
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0015.md b/weaknesses/MASVS-CRYPTO/MASWE-0015.md
new file mode 100644
index 0000000000..b3290262a7
--- /dev/null
+++ b/weaknesses/MASVS-CRYPTO/MASWE-0015.md
@@ -0,0 +1,22 @@
+---
+title: Deprecated Android KeyStore Implementations
+id: MASWE-0015
+alias: deprecated-keystore
+platform: [android]
+profiles: [L2]
+mappings:
+ masvs-v1: [MSTG-CRYPTO-4]
+ masvs-v2: [MASVS-CRYPTO-2, MASVS-CODE-3]
+
+refs:
+- https://labs.withsecure.com/publications/how-secure-is-your-android-keystore-authentication
+- https://developer.android.com/reference/java/security/KeyStore
+- https://developer.android.com/about/versions/12/behavior-changes-all#bouncy-castle
+draft:
+ description: Avoid deprecated implementations such as BKS
+ topics:
+ - Bouncy Castle (BKS)
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0016.md b/weaknesses/MASVS-CRYPTO/MASWE-0016.md
new file mode 100644
index 0000000000..98e314d078
--- /dev/null
+++ b/weaknesses/MASVS-CRYPTO/MASWE-0016.md
@@ -0,0 +1,25 @@
+---
+title: Unsafe Handling of Imported Cryptographic Keys
+id: MASWE-0016
+alias: unsafe-imported-key-handling
+platform: [android, ios]
+profiles: [L2]
+mappings:
+ masvs-v2: [MASVS-CRYPTO-2, MASVS-CODE-4]
+
+refs:
+- https://mas.owasp.org/MASTG/Android/0x05d-Testing-Data-Storage/#secure-key-import-into-keystore
+- https://developer.android.com/privacy-and-security/keystore#ImportingEncryptedKeys
+- https://developer.android.com/reference/kotlin/android/security/keystore/KeyProtection
+- https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_as_data#2933724
+draft:
+ description: Importing keys without validating their origin or integrity, or using
+ insecure custom key exchange protocols, can inadvertently introduce malicious
+ or compromised keys into the app environment.
+ topics:
+ - key import from untrusted sources
+ - key import from untrusted storage
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0017.md b/weaknesses/MASVS-CRYPTO/MASWE-0017.md
new file mode 100644
index 0000000000..b837bfd8a2
--- /dev/null
+++ b/weaknesses/MASVS-CRYPTO/MASWE-0017.md
@@ -0,0 +1,24 @@
+---
+title: Cryptographic Keys Not Properly Protected on Export
+id: MASWE-0017
+alias: crypto-keys-not-protected-export
+platform: [android, ios]
+profiles: [L2]
+mappings:
+ masvs-v2: [MASVS-CRYPTO-2, MASVS-STORAGE-1, MASVS-NETWORK-1]
+
+refs:
+- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
+- https://developer.android.com/reference/kotlin/android/security/keystore/KeyProtection
+- https://developer.apple.com/documentation/cryptokit/aes/keywrap
+- https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_as_data#2933723
+draft:
+ description: Before exporting, keys should be "wrapped" or encrypted with another
+ key. This process ensures that the cryptographic key is protected during and after
+ export. This is true even if the key is sent over a secure channel.
+ topics:
+ - key wrapping (NIST.SP.800-175Br1 5.3.5)
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0018.md b/weaknesses/MASVS-CRYPTO/MASWE-0018.md
new file mode 100644
index 0000000000..34f6215e38
--- /dev/null
+++ b/weaknesses/MASVS-CRYPTO/MASWE-0018.md
@@ -0,0 +1,34 @@
+---
+title: Cryptographic Keys Access Not Restricted
+id: MASWE-0018
+alias: crypto-key-access-not-restricted
+platform: [android, ios]
+profiles: [L2]
+mappings:
+ masvs-v2: [MASVS-CRYPTO-2, MASVS-AUTH-2, MASVS-AUTH-3]
+
+refs:
+- https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder#setUnlockedDeviceRequired(boolean)
+- https://developer.apple.com/documentation/security/ksecattraccessiblewhenunlockedthisdeviceonly
+- https://developer.android.com/training/sign-in/biometric-auth#prompt-the-user-to-authenticate-with-biometrics
+- https://developer.apple.com/documentation/security/keychain_services/keychain_items/restricting_keychain_item_accessibility#2974973
+draft:
+ description: Ensuring that cryptographic keys are accessible only under strict conditions,
+ such as when the device is unlocked by an authenticated user, within secure application
+ contexts, or for limited periods of time, is critical to maintaining the confidentiality
+ and integrity of encrypted data.
+ topics:
+ - from a Background Process
+ - locked device (iOS kSecAttrAccessibleWhenUnlockedThisDeviceOnly, Android setUnlockedDeviceRequired)
+ - time-based access (duration)
+ - Require User Presence
+ - application-specific password
+ - biometric authentication
+ - key use restricted e.g. requiring user auth with biometrics, User Presence.
+ - especially for sensitive operations
+ - keys restricted/authorized for a duration of time or specific crypto operation,
+ etc.
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0019.md b/weaknesses/MASVS-CRYPTO/MASWE-0019.md
new file mode 100644
index 0000000000..eef91014e6
--- /dev/null
+++ b/weaknesses/MASVS-CRYPTO/MASWE-0019.md
@@ -0,0 +1,38 @@
+---
+title: Potentially Weak Cryptography Implementations
+id: MASWE-0019
+alias: potentially-weak-crypto-impl
+platform: [android, ios]
+profiles: [L2]
+mappings:
+ masvs-v1: [MSTG-CRYPTO-2]
+ masvs-v2: [MASVS-CRYPTO-1, MASVS-CODE-3]
+
+refs:
+- https://cwe.mitre.org/data/definitions/1240.html
+- https://cwe.mitre.org/data/definitions/327.html
+- https://developer.android.com/reference/javax/crypto/Cipher#getInstance(java.lang.String)
+- https://developer.android.com/privacy-and-security/security-gms-provider
+- https://developer.android.com/privacy-and-security/cryptography#bc-algorithms
+- https://developer.android.com/privacy-and-security/cryptography#jetpack_security_crypto_library
+- https://developer.android.com/privacy-and-security/cryptography#crypto_provider
+- https://developer.android.com/privacy-and-security/cryptography#deprecated-functionality
+- https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile
+draft:
+ description: Don't use outdated or known weak implementations and don't build your
+ own cryptography. Using custom cryptography instead of relying on established,
+ expert-designed APIs or certified modules exposes apps to vulnerabilities due
+ to potential implementation flaws and lack of rigorous security review.
+ topics:
+ - platform-provided cryptographic APIs (e.g. conscrypt/CryptoKit)
+ - custom-made cryptographic APIs (e.g. via xor, bit flipping, etc. or cryptographic
+ constants or values such as sbox, etc.)
+ - custom algorithms, primitives, protocols
+ - specify Cipher.getInstance provider (Android)
+ - Android Security Provider (Android)
+ - Jetpack Security Crypto Library (Android)
+ - BoucyCastle algorithms (Android)
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0020.md b/weaknesses/MASVS-CRYPTO/MASWE-0020.md
new file mode 100644
index 0000000000..07e649feee
--- /dev/null
+++ b/weaknesses/MASVS-CRYPTO/MASWE-0020.md
@@ -0,0 +1,27 @@
+---
+title: Weak Encryption
+id: MASWE-0020
+alias: weak-encryption
+platform: [android, ios]
+profiles: [L1, L2]
+mappings:
+ masvs-v1: [MSTG-CRYPTO-4]
+ masvs-v2: [MASVS-CRYPTO-1]
+
+refs:
+- https://support.google.com/faqs/answer/10046138?hl=en
+- https://support.google.com/faqs/answer/9450925?hl=en
+- https://support.google.com/faqs/answer/9450925?hl=en
+- https://developer.android.com/privacy-and-security/cryptography#deprecated-functionality
+- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
+draft:
+ description: The use of outdated encryption methods like DES and 3DES may compromise
+ data confidentiality and integrity.
+ topics:
+ - Weak encryption algorithms (e.g. DES, 3DES, etc.)
+ - Weak encryption modes (e.g. ECB, etc.)
+ - Cipher.getInstance("AES") defaults to ECB (Android)
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0021.md b/weaknesses/MASVS-CRYPTO/MASWE-0021.md
new file mode 100644
index 0000000000..bb618ee00e
--- /dev/null
+++ b/weaknesses/MASVS-CRYPTO/MASWE-0021.md
@@ -0,0 +1,22 @@
+---
+title: Weak Hashing
+id: MASWE-0021
+alias: weak-hashing
+platform: [android, ios]
+profiles: [L1, L2]
+mappings:
+ masvs-v1: [MSTG-CRYPTO-4]
+ masvs-v2: [MASVS-CRYPTO-1]
+
+refs:
+- https://developer.android.com/privacy-and-security/cryptography#deprecated-functionality
+- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
+draft:
+ description: Utilizing weak hashing algorithms such as MD5 and SHA1 in a security
+ sensitive context may compromise data integrity and authenticity.
+ topics:
+ - Weak hashing algorithms (e.g. MD5, SHA1, etc.)
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0022.md b/weaknesses/MASVS-CRYPTO/MASWE-0022.md
new file mode 100644
index 0000000000..84d2b000a8
--- /dev/null
+++ b/weaknesses/MASVS-CRYPTO/MASWE-0022.md
@@ -0,0 +1,26 @@
+---
+title: Predictable Initialization Vectors (IVs)
+id: MASWE-0022
+alias: predictable-ivs
+platform: [android, ios]
+profiles: [L1, L2]
+mappings:
+ masvs-v1: [MSTG-CRYPTO-4]
+ masvs-v2: [MASVS-CRYPTO-1]
+
+refs:
+- https://developer.android.com/privacy-and-security/cryptography#pbe-without-iv
+draft:
+ description: The use of predictable IVs (hardcoded, null, reused) in a security
+ sensitive context can weaken data encryption strength and potentially compromise
+ confidentiality.
+ topics:
+ - not use the IvParameterSpec.class anymore for GCM, use the GCMParameterSpec.class
+ instead (Android)
+ - Hardcoded IVs
+ - Null IVs
+ - Reused IVs
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0023.md b/weaknesses/MASVS-CRYPTO/MASWE-0023.md
new file mode 100644
index 0000000000..27818a4a2b
--- /dev/null
+++ b/weaknesses/MASVS-CRYPTO/MASWE-0023.md
@@ -0,0 +1,26 @@
+---
+title: Weak Padding
+id: MASWE-0023
+alias: weak-padding
+platform: [android, ios]
+profiles: [L1, L2]
+mappings:
+ masvs-v1: [MSTG-CRYPTO-4]
+ masvs-v2: [MASVS-CRYPTO-1]
+
+refs:
+- https://developer.android.com/privacy-and-security/cryptography#deprecated-functionality
+- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
+- https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38a.pdf
+- https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile
+draft:
+ description: The use of weak padding such as NoPadding, ZeroPadding, etc. in a security
+ sensitive context should be avoided to ensure the integrity and authenticity of
+ the data.
+ topics:
+ - NoPadding
+ - PKCS1-v1_5
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0024.md b/weaknesses/MASVS-CRYPTO/MASWE-0024.md
new file mode 100644
index 0000000000..dfbf239d39
--- /dev/null
+++ b/weaknesses/MASVS-CRYPTO/MASWE-0024.md
@@ -0,0 +1,21 @@
+---
+title: Weak Message Authentication Codes (MAC)
+id: MASWE-0024
+alias: weak-mac
+platform: [android, ios]
+profiles: [L1, L2]
+mappings:
+ masvs-v1: [MSTG-CRYPTO-4]
+ masvs-v2: [MASVS-CRYPTO-1]
+
+refs:
+- https://developer.android.com/privacy-and-security/cryptography#deprecated-functionality
+- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
+draft:
+ description: The use of weak MAC such as HmacMD5, etc. in a security sensitive context
+ may expose cryptographic vulnerabilities, affecting data integrity.
+ topics: null
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0025.md b/weaknesses/MASVS-CRYPTO/MASWE-0025.md
new file mode 100644
index 0000000000..5c3d04ad56
--- /dev/null
+++ b/weaknesses/MASVS-CRYPTO/MASWE-0025.md
@@ -0,0 +1,22 @@
+---
+title: Weak Signature
+id: MASWE-0025
+alias: weak-signatures
+platform: [android, ios]
+profiles: [L1, L2]
+mappings:
+ masvs-v1: [MSTG-CRYPTO-4]
+ masvs-v2: [MASVS-CRYPTO-1]
+
+refs:
+- https://developer.android.com/privacy-and-security/cryptography#deprecated-functionality
+- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
+- https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf
+draft:
+ description: The use of weak signature such as SHA1withRSA, etc. in a security sensitive
+ context should be avoided to ensure the integrity and authenticity of the data.
+ topics: null
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0026.md b/weaknesses/MASVS-CRYPTO/MASWE-0026.md
new file mode 100644
index 0000000000..2d44fa0b28
--- /dev/null
+++ b/weaknesses/MASVS-CRYPTO/MASWE-0026.md
@@ -0,0 +1,21 @@
+---
+title: Improper Verification of Cryptographic Signature
+id: MASWE-0026
+alias: improper-signature-verification
+platform: [android, ios]
+profiles: [L1, L2]
+mappings:
+ masvs-v1: [MSTG-CRYPTO-4]
+ masvs-v2: [MASVS-CRYPTO-1]
+
+refs:
+- https://cwe.mitre.org/data/definitions/347.html
+- https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf
+draft:
+ description: Cryptographic signature verification should be performed properly to
+ ensure the integrity and authenticity of the data.
+ topics: null
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-NETWORK/MASWE-0047.md b/weaknesses/MASVS-NETWORK/MASWE-0047.md
new file mode 100644
index 0000000000..236b9c0cdc
--- /dev/null
+++ b/weaknesses/MASVS-NETWORK/MASWE-0047.md
@@ -0,0 +1,24 @@
+---
+title: Insecure Identity Pinning
+id: MASWE-0047
+alias: insecure-pinning
+platform: [android, ios]
+profiles: [L2]
+mappings:
+ masvs-v1: [MSTG-NETWORK-4]
+ masvs-v2: [MASVS-NETWORK-2]
+
+draft:
+ description: e.g. via NSC/ATS, okhttp CertificatePinner, volley, trustkit, Cordova,
+ AFNetworking SSLPinningMode
+ topics:
+ - NSC/ATS
+ - net-frameworks e.g. okhttp CertificatePinner, volley, trustkit, Cordova, AFNetworking
+ SSLPinningMode
+ - Dynamic Pinning e.g. via the ssl-pinning-android library
+ - Check for MITM resiliency, e.g. with trusted interceptor cert. consider "proxy
+ unaware apps"
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-NETWORK/MASWE-0048.md b/weaknesses/MASVS-NETWORK/MASWE-0048.md
new file mode 100644
index 0000000000..7e96383e8f
--- /dev/null
+++ b/weaknesses/MASVS-NETWORK/MASWE-0048.md
@@ -0,0 +1,17 @@
+---
+title: Insecure Non-HTTP Traffic
+id: MASWE-0048
+alias: insecure-non-http
+platform: [android, ios]
+profiles: [L1, L2]
+mappings:
+ masvs-v1: [MSTG-NETWORK-1]
+ masvs-v2: [MASVS-NETWORK-1]
+
+draft:
+ description: e.g. FTP, SMTP, etc.
+ topics: null
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-NETWORK/MASWE-0049.md b/weaknesses/MASVS-NETWORK/MASWE-0049.md
new file mode 100644
index 0000000000..262305a179
--- /dev/null
+++ b/weaknesses/MASVS-NETWORK/MASWE-0049.md
@@ -0,0 +1,23 @@
+---
+title: Proved Networking APIs Not used
+id: MASWE-0049
+alias: no-proved-net-apis
+platform: [android, ios]
+profiles: [L2]
+mappings:
+ masvs-v1: [MSTG-NETWORK-6]
+ masvs-v2: [MASVS-NETWORK-1, MASVS-CODE-3]
+
+draft:
+ description: AKA don't roll your own network security. For example, platform-provided
+ authentication APIs or openssl are designed and implemented by experts who have
+ deep knowledge of the platform's security features and considerations. These APIs
+ often incorporate security best practices and are regularly updated to address
+ new threats and vulnerabilities.
+ topics:
+ - Platform-provided Networking APIs Not used
+ note: maybe merge with the next one or find a better separation
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-NETWORK/MASWE-0050.md b/weaknesses/MASVS-NETWORK/MASWE-0050.md
new file mode 100644
index 0000000000..76c41a60c0
--- /dev/null
+++ b/weaknesses/MASVS-NETWORK/MASWE-0050.md
@@ -0,0 +1,35 @@
+---
+title: Cleartext Traffic
+id: MASWE-0050
+alias: cleartext-traffic
+platform: [android, ios]
+profiles: [L1, L2]
+mappings:
+ masvs-v1: [MSTG-NETWORK-2]
+ masvs-v2: [MASVS-NETWORK-1]
+ cwe: [CWE-319]
+
+draft:
+ description: The app sends or receives data over an insecure channel, such as HTTP,
+ FTP, or SMTP. This data can be intercepted and read by an attacker without needing
+ to perform Man-in-the-Middle attacks. The app should use HTTPS, SFTP, or SMTPS
+ instead.
+ topics:
+ - exceptions and if justifications are given using the platform provided mechanisms
+ (Secure by Default Configuration).
+ - Cleartext Traffic allowed in App Network Configuration (usesCleartextTraffic in
+ Android Manifest, cleartextTrafficPermitted in NSC, ATS allowInsecureLoads)
+ - cleartext in traffic capture
+ - Usage of HTTP traffic (e.g. HTTP URLs)
+ - cross-platform framework e.g. Flutter, Xamarin
+ - use of low-level APIs e.g. SSLSocket on Android or Network on iOS. ATS doesn't
+ apply there. Prefer high-level API calls such as Android HttpsURLConnection/iOS
+ URLSession.
+ - configs./ input params, logic e.g. on third-party or low-level frameworks such
+ as SSLSocket on Android or Network on iOS
+ - Watch Communications
+ - Peer-to-peer communications (e.g. WiFi-direct, Nearby)
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-NETWORK/MASWE-0051.md b/weaknesses/MASVS-NETWORK/MASWE-0051.md
new file mode 100644
index 0000000000..4545c4b206
--- /dev/null
+++ b/weaknesses/MASVS-NETWORK/MASWE-0051.md
@@ -0,0 +1,21 @@
+---
+title: Unprotected Open Ports
+id: MASWE-0051
+alias: open-ports
+platform: [android, ios]
+profiles: [L2]
+mappings:
+ masvs-v1: [MSTG-NETWORK-2]
+ masvs-v2: [MASVS-NETWORK-1]
+
+draft:
+ description: e.g. the app uses a server socket and binds to INADDR_ANY or uses a
+ loopback address. This allows other apps to connect to the app's server socket
+ and communicate with it.
+ topics:
+ - no loopback
+ - no binding to INADDR_ANY
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-NETWORK/MASWE-0052.md b/weaknesses/MASVS-NETWORK/MASWE-0052.md
new file mode 100644
index 0000000000..72d66007c5
--- /dev/null
+++ b/weaknesses/MASVS-NETWORK/MASWE-0052.md
@@ -0,0 +1,37 @@
+---
+title: Insecure Certificate Validation
+id: MASWE-0052
+alias: insecure-cert-val
+platform: [android, ios]
+profiles: [L1, L2]
+mappings:
+ masvs-v1: [MSTG-NETWORK-3]
+ masvs-v2: [MASVS-NETWORK-1]
+ cwe: [CWE-295]
+
+draft:
+ description: e.g. not checking the certificate chain, not checking the hostname,
+ not checking the validity period, not checking the revocation status, etc. The
+ certificate validation should be secure by default. This includes the platform-provided
+ mechanisms such as NSC/ATS as well as third-party libraries and frameworks.
+ topics:
+ - via NSC/ATS
+ - via manual server trust evaluation (e.g. iOS SecTrust / Android TrustManager.
+ okhttpTrustManager).
+ - Using a TrustManager that does no certificate validation (e.g. X509TrustManager
+ with getAcceptedIssuers returning always null, checkServerTrusted not performing
+ any validation, etc.).
+ - doesn't accept self-signed/untrusted CAs
+ - Custom Trust Anchors, app trusting any user supplied CAs
+ - check OS version's default trust anchors on Android
+ - insecure TLS settings
+ - third-party libraries e.g. okhttp uses MODERN_TLS or RESTRICTED_TLS configs, no
+ fallbacks via COMPATIBLE_TLS, no weak TLS version or ciphersuites
+ - using SSLSocket or Cordova apps
+ - MITM via an arbitrary certificate signed by a trusted CA works
+ - WebView clients (e.g. WebViewClient.onReceivedSslError, not TLS errors ignored,
+ mixed content, insecure handlers)
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0053.md b/weaknesses/MASVS-PLATFORM/MASWE-0053.md
new file mode 100644
index 0000000000..03eda7264d
--- /dev/null
+++ b/weaknesses/MASVS-PLATFORM/MASWE-0053.md
@@ -0,0 +1,21 @@
+---
+title: Sensitive Data Leaked via the User Interface
+id: MASWE-0053
+alias: data-leak-ui
+platform: [android, ios]
+profiles: [L2]
+mappings:
+ masvs-v1: [MSTG-STORAGE-7]
+ masvs-v2: [MASVS-PLATFORM-3, MASVS-STORAGE-2]
+
+draft:
+ description: e.g. leaking passwords, PINs via the UI
+ topics:
+ - secureText
+ - copy/paste disabled
+ - auto-correct
+ - etc.
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0054.md b/weaknesses/MASVS-PLATFORM/MASWE-0054.md
new file mode 100644
index 0000000000..28619ba92f
--- /dev/null
+++ b/weaknesses/MASVS-PLATFORM/MASWE-0054.md
@@ -0,0 +1,18 @@
+---
+title: Sensitive Data Leaked via Notifications
+id: MASWE-0054
+alias: data-leak-notifications
+platform: [android, ios]
+profiles: [L2]
+mappings:
+ masvs-v2: [MASVS-PLATFORM-3, MASVS-STORAGE-2]
+
+draft:
+ description: e.g. stealing pending intents from notifications via notificationlistenerservice
+ or tapjacking wire transfer UI.
+ topics:
+ - NotificationListenerService
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0055.md b/weaknesses/MASVS-PLATFORM/MASWE-0055.md
new file mode 100644
index 0000000000..6180ac853f
--- /dev/null
+++ b/weaknesses/MASVS-PLATFORM/MASWE-0055.md
@@ -0,0 +1,23 @@
+---
+title: Sensitive Data Leaked via Screenshots
+id: MASWE-0055
+alias: data-leak-screenshots
+platform: [android, ios]
+profiles: [L2]
+mappings:
+ masvs-v1: [MSTG-STORAGE-9]
+ masvs-v2: [MASVS-PLATFORM-3, MASVS-STORAGE-2]
+
+refs:
+- https://developer.android.com/about/versions/14/features/screenshot-detection
+draft:
+ description: no method is used to prevent specific content from being captured (e.g.
+ via FLAG_SECURE on Android and Secure Text Entry on iOS)
+ topics:
+ - Screenshots Not Prevented (e.g. via DETECT_SCREEN_CAPTURE on Android)
+ - Screenshots not deleted when backgrounding
+ - Auto-Generated Screenshots
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0056.md b/weaknesses/MASVS-PLATFORM/MASWE-0056.md
new file mode 100644
index 0000000000..05f9a3ad74
--- /dev/null
+++ b/weaknesses/MASVS-PLATFORM/MASWE-0056.md
@@ -0,0 +1,23 @@
+---
+title: Tapjacking Attacks
+id: MASWE-0056
+alias: tapjacking-attacks
+platform: [android, ios]
+profiles: [L2]
+mappings:
+ masvs-v1: [MSTG-PLATFORM-9]
+ masvs-v2: [MASVS-PLATFORM-3, MASVS-CODE-1]
+
+refs:
+- https://developer.android.com/topic/security/risks/tapjacking
+draft:
+ description: not using View.setFilterTouchesWhenObscured(true) or android:filterTouchesWhenObscured="true"
+ in the AndroidManifest.xml or not ignoring touch events that have FLAG_WINDOW_IS_PARTIALLY_OBSCURED
+ flag
+ topics:
+ - Full occlusion
+ - Partial occlusion
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0057.md b/weaknesses/MASVS-PLATFORM/MASWE-0057.md
new file mode 100644
index 0000000000..edadf7b430
--- /dev/null
+++ b/weaknesses/MASVS-PLATFORM/MASWE-0057.md
@@ -0,0 +1,21 @@
+---
+title: StrandHogg Attack / Task Affinity Vulnerability
+id: MASWE-0057
+alias: strandhogg-attack
+platform: [android]
+profiles: [L1, L2]
+mappings:
+ masvs-v2: [MASVS-PLATFORM-3]
+
+refs:
+- https://developer.android.com/topic/security/risks/strandhogg
+draft:
+ description: This vulnerability is exploited by manipulating the allowTaskReparenting
+ and taskAffinity settings.
+ topics:
+ - StrandHogg Attack v1
+ - StrandHogg Attack v2
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0058.md b/weaknesses/MASVS-PLATFORM/MASWE-0058.md
new file mode 100644
index 0000000000..550eea985b
--- /dev/null
+++ b/weaknesses/MASVS-PLATFORM/MASWE-0058.md
@@ -0,0 +1,23 @@
+---
+title: Insecure Deep Links
+id: MASWE-0058
+alias: insecure-deep-links
+platform: [android, ios]
+profiles: [L1, L2]
+mappings:
+ masvs-v1: [MSTG-PLATFORM-3]
+ masvs-v2: [MASVS-PLATFORM-1, MASVS-STORAGE-2, MASVS-CODE-4]
+
+draft:
+ description: e.g. use of URL Custom Schemes, unverified AppLinks/Universal Links,
+ not validating URLs
+ topics:
+ - URL Custom Schemes
+ - AppLinks
+ - Universal Links
+ - URL validation
+ - Check for OS version. e.g. deep link are more secure after Android XX
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0059.md b/weaknesses/MASVS-PLATFORM/MASWE-0059.md
new file mode 100644
index 0000000000..72d60efd9d
--- /dev/null
+++ b/weaknesses/MASVS-PLATFORM/MASWE-0059.md
@@ -0,0 +1,18 @@
+---
+title: Use Of Unauthenticated Platform IPC
+id: MASWE-0059
+alias: unauthenticated-ipc
+platform: [android, ios]
+profiles: [L1, L2]
+mappings:
+ masvs-v2: [MASVS-PLATFORM-1, MASVS-STORAGE-2]
+
+draft:
+ description: e.g. (ab)using the clipboard or using localhost server for IPC
+ topics:
+ - (ab)using the clipboard
+ - using localhost server
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0060.md b/weaknesses/MASVS-PLATFORM/MASWE-0060.md
new file mode 100644
index 0000000000..544ecddc3b
--- /dev/null
+++ b/weaknesses/MASVS-PLATFORM/MASWE-0060.md
@@ -0,0 +1,20 @@
+---
+title: Insecure Use of UIActivity
+id: MASWE-0060
+alias: insecure-uiactivity
+platform: [ios]
+profiles: [L1, L2]
+mappings:
+ masvs-v2: [MASVS-PLATFORM-1, MASVS-STORAGE-2]
+
+draft:
+ description: e.g. data (items) being shared, custom activities, excluded activity
+ types.
+ topics:
+ - data (items) being shared
+ - custom activities
+ - excluded activity types
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0061.md b/weaknesses/MASVS-PLATFORM/MASWE-0061.md
new file mode 100644
index 0000000000..a60b0b2b39
--- /dev/null
+++ b/weaknesses/MASVS-PLATFORM/MASWE-0061.md
@@ -0,0 +1,19 @@
+---
+title: Insecure Use of App Extensions
+id: MASWE-0061
+alias: insecure-app-extensions
+platform: [ios]
+profiles: [L1, L2]
+mappings:
+ masvs-v1: [MSTG-PLATFORM-11]
+ masvs-v2: [MASVS-PLATFORM-1, MASVS-STORAGE-2]
+
+draft:
+ description: restricting use of certain extensions
+ topics:
+ - restricting use of certain extensions via `application:shouldAllowExtensionPointIdentifier:`
+ - Third-Party Keyboards Not Disabled via UIApplicationKeyboardExtensionPointIdentifier
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0062.md b/weaknesses/MASVS-PLATFORM/MASWE-0062.md
new file mode 100644
index 0000000000..f869ac1c67
--- /dev/null
+++ b/weaknesses/MASVS-PLATFORM/MASWE-0062.md
@@ -0,0 +1,26 @@
+---
+title: Insecure Services
+id: MASWE-0062
+alias: insecure-services
+platform: [android]
+profiles: [L1, L2]
+mappings:
+ masvs-v1: [MSTG-PLATFORM-4]
+ masvs-v2: [MASVS-PLATFORM-1, MASVS-STORAGE-2]
+
+refs:
+- https://developer.android.com/privacy-and-security/security-tips#Services
+- https://developer.android.com/guide/topics/manifest/service-element
+- https://developer.android.com/reference/android/app/Service
+- https://developer.android.com/privacy-and-security/security-tips#binder-and-messenger-interfaces
+draft:
+ description: Unintentionally exported services, unrestricted permissions. Exposed
+ binders e.g not using checkCallingPermission() to verify whether the caller has
+ a required permission.
+ topics:
+ - Services
+ - Exposed Binders via Exported Services
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0063.md b/weaknesses/MASVS-PLATFORM/MASWE-0063.md
new file mode 100644
index 0000000000..0d56e023a2
--- /dev/null
+++ b/weaknesses/MASVS-PLATFORM/MASWE-0063.md
@@ -0,0 +1,25 @@
+---
+title: Insecure Broadcast Receivers
+id: MASWE-0063
+alias: insecure-broadcast-receivers
+platform: [android]
+profiles: [L1, L2]
+mappings:
+ masvs-v1: [MSTG-PLATFORM-4]
+ masvs-v2: [MASVS-PLATFORM-1, MASVS-STORAGE-2]
+
+refs:
+- https://developer.android.com/guide/components/broadcasts#security-and-best-practices
+- https://developer.android.com/topic/security/risks/sticky-broadcast
+- https://developer.android.com/privacy-and-security/security-tips#BroadcastReceivers
+draft:
+ description: Unintentionally exported broadcast receivers, unrestricted permissions,
+ sticky broadcasts.
+ topics:
+ - Unintentionally exported broadcast receivers
+ - Unrestricted permissions
+ - Sticky broadcasts
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0064.md b/weaknesses/MASVS-PLATFORM/MASWE-0064.md
new file mode 100644
index 0000000000..75e7f52f5a
--- /dev/null
+++ b/weaknesses/MASVS-PLATFORM/MASWE-0064.md
@@ -0,0 +1,29 @@
+---
+title: Insecure Content Providers
+id: MASWE-0064
+alias: insecure-content-providers
+platform: [android]
+profiles: [L1, L2]
+mappings:
+ masvs-v1: [MSTG-STORAGE-6]
+ masvs-v2: [MASVS-PLATFORM-1, MASVS-STORAGE-1]
+
+refs:
+- https://developer.android.com/topic/security/risks/content-resolver
+- https://developer.android.com/reference/androidx/core/content/FileProvider
+- https://developer.android.com/topic/security/risks/file-providers
+- https://developer.android.com/privacy-and-security/security-tips#ContentProviders
+draft:
+ description: Unintentionally exported content providers, unprotected content providers,
+ permission tags, protection level
+ topics:
+ - file-system based
+ - FileProvider (Android)
+ - database based
+ - exposed
+ - permission tags
+ - protection level
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0065.md b/weaknesses/MASVS-PLATFORM/MASWE-0065.md
new file mode 100644
index 0000000000..1a940804e9
--- /dev/null
+++ b/weaknesses/MASVS-PLATFORM/MASWE-0065.md
@@ -0,0 +1,30 @@
+---
+title: Sensitive Data Permanently Shared with Other Apps
+id: MASWE-0065
+alias: sensitive-data-shared-other-apps
+platform: [android]
+profiles: [L1, L2]
+mappings:
+ masvs-v1: [MSTG-STORAGE-6]
+ masvs-v2: [MASVS-PLATFORM-1, MASVS-STORAGE-1]
+
+refs:
+- https://developer.android.com/topic/security/risks/content-resolver
+- https://developer.android.com/reference/androidx/core/content/FileProvider
+- https://developer.android.com/topic/security/risks/file-providers
+- https://developer.android.com/privacy-and-security/security-tips#ContentProviders
+draft:
+ description: Provide clients one-time access to data. For example using URI permission
+ grant flags and content provider permissions to display an app's PDF file in a
+ separate PDF Viewer app.
+ topics:
+ - content providers
+ - FLAG_GRANT_READ_URI_PERMISSION
+ - FLAG_GRANT_WRITE_URI_PERMISSION
+ - FLAG_GRANT_PERSISTABLE
+ - content URIs
+ - file URIs
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0066.md b/weaknesses/MASVS-PLATFORM/MASWE-0066.md
new file mode 100644
index 0000000000..65776c40e1
--- /dev/null
+++ b/weaknesses/MASVS-PLATFORM/MASWE-0066.md
@@ -0,0 +1,30 @@
+---
+title: Insecure Intents
+id: MASWE-0066
+alias: insecure-intents
+platform: [android]
+profiles: [L1, L2]
+mappings:
+ masvs-v2: [MASVS-PLATFORM-1, MASVS-STORAGE-2]
+
+refs:
+- https://support.google.com/faqs/answer/9267555?hl=en
+- https://developer.android.com/privacy-and-security/security-tips#intents
+- https://developer.android.com/topic/security/risks/intent-redirection
+- https://developer.android.com/topic/security/risks/implicit-intent-hijacking
+- https://developer.android.com/topic/security/risks/pending-intent
+draft:
+ description: e.g. calling startActivity, startService, sendBroadcast, or setResult
+ on untrusted Intents without validating or sanitizing these Intents. Using an
+ implicit intent to start a service is a security hazard, because you can't be
+ certain what service will respond to the intent and the user can't see which service
+ starts. e.g. mutable pending intents (not using FLAG_IMMUTABLE), replaying pending
+ intents (not using FLAG_ONE_SHOT)
+ topics:
+ - Insecure Intent Redirection
+ - Insecure Implicit Intents
+ - Insecure Pending Intents (Mutable, Replaying)
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0067.md b/weaknesses/MASVS-PLATFORM/MASWE-0067.md
new file mode 100644
index 0000000000..765ae18f91
--- /dev/null
+++ b/weaknesses/MASVS-PLATFORM/MASWE-0067.md
@@ -0,0 +1,21 @@
+---
+title: Debuggable Flag Not Disabled
+id: MASWE-0067
+alias: debuggable-flag
+platform: [android, ios]
+profiles: [R]
+mappings:
+ masvs-v1: [MSTG-RESILIENCE-2]
+ masvs-v2: [MASVS-PLATFORM-1, MASVS-RESILIENCE-4]
+
+refs:
+- https://developer.android.com/topic/security/risks/android-debuggable
+- https://developer.android.com/guide/topics/manifest/application-element
+draft:
+ description: not setting android:debuggable="false" on Android or get-task-allow="true"
+ in the entitlements file on iOS
+ topics: null
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0068.md b/weaknesses/MASVS-PLATFORM/MASWE-0068.md
new file mode 100644
index 0000000000..08d5d6350e
--- /dev/null
+++ b/weaknesses/MASVS-PLATFORM/MASWE-0068.md
@@ -0,0 +1,20 @@
+---
+title: JavaScript Bridges in WebViews
+id: MASWE-0068
+alias: js-bridges-webviews
+platform: [android, ios]
+profiles: [L1, L2]
+mappings:
+ masvs-v1: [MSTG-PLATFORM-7]
+ masvs-v2: [MASVS-PLATFORM-2, MASVS-STORAGE-2]
+
+refs:
+- https://support.google.com/faqs/answer/9095419
+draft:
+ description: via addJavascriptInterface
+ topics:
+ - addJavascriptInterface
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0069.md b/weaknesses/MASVS-PLATFORM/MASWE-0069.md
new file mode 100644
index 0000000000..1e679b920a
--- /dev/null
+++ b/weaknesses/MASVS-PLATFORM/MASWE-0069.md
@@ -0,0 +1,21 @@
+---
+title: WebViews Allows Access to Local Resources
+id: MASWE-0069
+alias: webviews-local-resources
+platform: [android, ios]
+profiles: [L1, L2]
+mappings:
+ masvs-v1: [MSTG-PLATFORM-6]
+ masvs-v2: [MASVS-PLATFORM-2, MASVS-STORAGE-2]
+
+draft:
+ description: use of setAllowFileAccessFromFileURLs. Mitigations include setAllowFileAccess(false),
+ setAllowContentAccess(false)
+ topics:
+ - universal file access
+ - restrict content access
+ - handlers e.g. file:// vs content://
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0070.md b/weaknesses/MASVS-PLATFORM/MASWE-0070.md
new file mode 100644
index 0000000000..1364a51391
--- /dev/null
+++ b/weaknesses/MASVS-PLATFORM/MASWE-0070.md
@@ -0,0 +1,16 @@
+---
+title: JavaScript Loaded from Untrusted Sources
+id: MASWE-0070
+alias: js-untrusted-sources
+platform: [android, ios]
+profiles: [L1, L2]
+mappings:
+ masvs-v2: [MASVS-PLATFORM-2, MASVS-CODE-4]
+
+draft:
+ description: e.g. not validating the source of the JavaScript code
+ topics: null
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0071.md b/weaknesses/MASVS-PLATFORM/MASWE-0071.md
new file mode 100644
index 0000000000..ad7813fafa
--- /dev/null
+++ b/weaknesses/MASVS-PLATFORM/MASWE-0071.md
@@ -0,0 +1,22 @@
+---
+title: WebViews Loading Content from Untrusted Sources
+id: MASWE-0071
+alias: webviews-untrusted-content
+platform: [android, ios]
+profiles: [L1, L2]
+mappings:
+ masvs-v2: [MASVS-PLATFORM-2, MASVS-CODE-4]
+
+draft:
+ description: WebView objects shouldn't load URLs from untrusted sources. Also, your
+ app shouldn't let users navigate to sites that are outside of your control. Whenever
+ possible, use an allowlist to restrict the content loaded by your app's WebView
+ objects e.g. via WebViewClient.shouldOverrideUrlLoading
+ topics:
+ - not restricting navigation
+ - not using SafeBrowsing
+ - loading URL from untrusted sources e.g. intents or deep links
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0072.md b/weaknesses/MASVS-PLATFORM/MASWE-0072.md
new file mode 100644
index 0000000000..49f59121ef
--- /dev/null
+++ b/weaknesses/MASVS-PLATFORM/MASWE-0072.md
@@ -0,0 +1,23 @@
+---
+title: Universal XSS
+id: MASWE-0072
+alias: universal-xss
+platform: [android, ios]
+profiles: [L1, L2]
+mappings:
+ masvs-v2: [MASVS-PLATFORM-2, MASVS-CODE-4]
+
+refs:
+- https://hackerone.com/reports/532836
+- https://www.cybersecurity-help.cz/vdb/SB2021110227
+- https://cwe.mitre.org/data/definitions/79.html
+- https://blog.oversecured.com/Evernote-Universal-XSS-theft-of-all-cookies-from-all-sites-and-more/
+draft:
+ description: Successful exploitation of this vulnerability may allow a remote attacker
+ to steal potentially sensitive information, change appearance of a web page, perform
+ phishing and drive-by-download attacks.
+ topics: null
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0073.md b/weaknesses/MASVS-PLATFORM/MASWE-0073.md
new file mode 100644
index 0000000000..42bcc78500
--- /dev/null
+++ b/weaknesses/MASVS-PLATFORM/MASWE-0073.md
@@ -0,0 +1,18 @@
+---
+title: Insecure WebResourceResponse Implementations
+id: MASWE-0073
+alias: insecure-webresourceresponse
+platform: [android, ios]
+profiles: [L2]
+mappings:
+ masvs-v2: [MASVS-PLATFORM-2, MASVS-CODE-4]
+
+refs:
+- https://blog.oversecured.com/Android-Exploring-vulnerabilities-in-WebResourceResponse/
+draft:
+ description: not using WebViewAssetLoader
+ topics: null
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0074.md b/weaknesses/MASVS-PLATFORM/MASWE-0074.md
new file mode 100644
index 0000000000..77535dcee1
--- /dev/null
+++ b/weaknesses/MASVS-PLATFORM/MASWE-0074.md
@@ -0,0 +1,20 @@
+---
+title: Web Content Debugging Enabled
+id: MASWE-0074
+alias: web-content-debugging
+platform: [android, ios]
+profiles: [L2]
+mappings:
+ masvs-v2: [MASVS-PLATFORM-2, MASVS-RESILIENCE-4]
+
+refs:
+- https://developer.android.com/reference/android/webkit/WebView#setWebContentsDebuggingEnabled(boolean)
+- https://developer.apple.com/documentation/webkit/wkwebview/4111163-isinspectable
+draft:
+ description: using setWebContentsDebuggingEnabled in Android or WKWebView.isInspectable
+ on iOS
+ topics: null
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-RESILIENCE/MASWE-0089.md b/weaknesses/MASVS-RESILIENCE/MASWE-0089.md
new file mode 100644
index 0000000000..62f9cbc90b
--- /dev/null
+++ b/weaknesses/MASVS-RESILIENCE/MASWE-0089.md
@@ -0,0 +1,23 @@
+---
+title: Code Obfuscation Not Implemented
+id: MASWE-0089
+alias: code-obfuscation
+platform: [android, ios]
+profiles: [R]
+mappings:
+ masvs-v1: [MSTG-RESILIENCE-9]
+ masvs-v2: [MASVS-RESILIENCE-3]
+
+draft:
+ description: e.g. polymorphic obfuscation, method-inlining, insertion of opaque
+ predicates, instruction substitution, and instruction block chopping.
+ topics:
+ - polymorphic obfuscation
+ - method-inlining
+ - insertion of opaque predicates
+ - instruction substitution
+ - instruction block chopping
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-RESILIENCE/MASWE-0090.md b/weaknesses/MASVS-RESILIENCE/MASWE-0090.md
new file mode 100644
index 0000000000..d3978bc3bf
--- /dev/null
+++ b/weaknesses/MASVS-RESILIENCE/MASWE-0090.md
@@ -0,0 +1,19 @@
+---
+title: Resource Obfuscation Not Implemented
+id: MASWE-0090
+alias: resource-obfuscation
+platform: [android, ios]
+profiles: [R]
+mappings:
+ masvs-v1: [MSTG-RESILIENCE-11]
+ masvs-v2: [MASVS-RESILIENCE-3]
+
+draft:
+ description: e.g. resource obfuscation, binary encryption/packing
+ topics:
+ - data/resource obfuscated/encrypted
+ - binaries encrypted/packed
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-RESILIENCE/MASWE-0091.md b/weaknesses/MASVS-RESILIENCE/MASWE-0091.md
new file mode 100644
index 0000000000..1810ee79ff
--- /dev/null
+++ b/weaknesses/MASVS-RESILIENCE/MASWE-0091.md
@@ -0,0 +1,18 @@
+---
+title: Anti-Deobfuscation Techniques Not Implemented
+id: MASWE-0091
+alias: anti-deobfuscation
+platform: [android, ios]
+profiles: [R]
+mappings:
+ masvs-v1: [MSTG-RESILIENCE-12]
+ masvs-v2: [MASVS-RESILIENCE-3]
+
+draft:
+ description: incl. anti-deobfuscation techniques
+ topics:
+ - anti-deobfuscation techniques
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-RESILIENCE/MASWE-0092.md b/weaknesses/MASVS-RESILIENCE/MASWE-0092.md
new file mode 100644
index 0000000000..39fbc5452c
--- /dev/null
+++ b/weaknesses/MASVS-RESILIENCE/MASWE-0092.md
@@ -0,0 +1,17 @@
+---
+title: Static Analysis Tools Not Prevented
+id: MASWE-0092
+alias: static-analysis-tools
+platform: [android, ios]
+profiles: [R]
+mappings:
+ masvs-v2: [MASVS-RESILIENCE-3]
+
+draft:
+ description: AKA static damage control
+ topics:
+ - prevent decompilation
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-RESILIENCE/MASWE-0093.md b/weaknesses/MASVS-RESILIENCE/MASWE-0093.md
new file mode 100644
index 0000000000..e7f57441c0
--- /dev/null
+++ b/weaknesses/MASVS-RESILIENCE/MASWE-0093.md
@@ -0,0 +1,18 @@
+---
+title: Debugging Symbols Not Removed
+id: MASWE-0093
+alias: debugging-symbols
+platform: [android, ios]
+profiles: [R]
+mappings:
+ masvs-v1: [MSTG-CODE-3]
+ masvs-v2: [MASVS-RESILIENCE-3]
+
+draft:
+ description: nm or objdump reveal symbols
+ topics:
+ - debugging symbols not removed
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-RESILIENCE/MASWE-0094.md b/weaknesses/MASVS-RESILIENCE/MASWE-0094.md
new file mode 100644
index 0000000000..1b684a86f4
--- /dev/null
+++ b/weaknesses/MASVS-RESILIENCE/MASWE-0094.md
@@ -0,0 +1,20 @@
+---
+title: Non-Production Resources Not Removed
+id: MASWE-0094
+alias: non-production-resources
+platform: [android, ios]
+profiles: [R]
+mappings:
+ masvs-v1: [MSTG-CODE-4]
+ masvs-v2: [MASVS-RESILIENCE-3]
+
+draft:
+ description: e.g. non-production URLs, code flows, verbose logging
+ topics:
+ - non-production URLs
+ - code flows
+ - verbose logging
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-RESILIENCE/MASWE-0095.md b/weaknesses/MASVS-RESILIENCE/MASWE-0095.md
new file mode 100644
index 0000000000..af1a8be299
--- /dev/null
+++ b/weaknesses/MASVS-RESILIENCE/MASWE-0095.md
@@ -0,0 +1,19 @@
+---
+title: Code That Disables Security Controls Not Removed
+id: MASWE-0095
+alias: code-disables-security
+platform: [android, ios]
+profiles: [R]
+mappings:
+ masvs-v1: [MSTG-CODE-4]
+ masvs-v2: [MASVS-RESILIENCE-3]
+
+draft:
+ description: backdoors, hidden settings to e.g. disable TLS verification
+ topics:
+ - backdoors
+ - hidden settings to e.g. disable TLS verification
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-RESILIENCE/MASWE-0096.md b/weaknesses/MASVS-RESILIENCE/MASWE-0096.md
new file mode 100644
index 0000000000..7024ce964b
--- /dev/null
+++ b/weaknesses/MASVS-RESILIENCE/MASWE-0096.md
@@ -0,0 +1,20 @@
+---
+title: Data Sent Unencrypted Over Encrypted Connections
+id: MASWE-0096
+alias: data-unencrypted
+platform: [android, ios]
+profiles: [R]
+mappings:
+ masvs-v1: [MSTG-RESILIENCE-13]
+ masvs-v2: [MASVS-RESILIENCE-3, MASVS-NETWORK-1]
+
+draft:
+ description: Use payload/End-2-End Encryption. Even if the connection is encrypted
+ (e.g. HTTPS), performing a MITM attack should not reveal any sensitive information
+ (e.g. about the inner workings of the app and its operations. This is not necessarily
+ related to privacy).
+ topics: null
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-RESILIENCE/MASWE-0097.md b/weaknesses/MASVS-RESILIENCE/MASWE-0097.md
new file mode 100644
index 0000000000..e5aadb5beb
--- /dev/null
+++ b/weaknesses/MASVS-RESILIENCE/MASWE-0097.md
@@ -0,0 +1,20 @@
+---
+title: Root/Jailbreak Detection Not Implemented
+id: MASWE-0097
+alias: root-jailbreak-detection
+platform: [android, ios]
+profiles: [R]
+mappings:
+ masvs-v1: [MSTG-RESILIENCE-1]
+ masvs-v2: [MASVS-RESILIENCE-1]
+
+draft:
+ description: no root/jailbreak detection implemented e.g. check for Cydia, SuperSU,
+ Magisk, Xposed, etc.
+ topics:
+ - detection in place
+ - Effectiveness Assessment (e.g. bypassing the detection)
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-RESILIENCE/MASWE-0098.md b/weaknesses/MASVS-RESILIENCE/MASWE-0098.md
new file mode 100644
index 0000000000..00dc3d2a53
--- /dev/null
+++ b/weaknesses/MASVS-RESILIENCE/MASWE-0098.md
@@ -0,0 +1,18 @@
+---
+title: App Virtualization Environment Detection Not Implemented
+id: MASWE-0098
+alias: app-virtualization-detection
+platform: [android, ios]
+profiles: [R]
+mappings:
+ masvs-v2: [MASVS-RESILIENCE-1]
+
+draft:
+ description: runs as a so-called "clone app"
+ topics:
+ - detection in place
+ - Effectiveness Assessment (e.g. bypassing the detection)
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-RESILIENCE/MASWE-0099.md b/weaknesses/MASVS-RESILIENCE/MASWE-0099.md
new file mode 100644
index 0000000000..97c48c872e
--- /dev/null
+++ b/weaknesses/MASVS-RESILIENCE/MASWE-0099.md
@@ -0,0 +1,20 @@
+---
+title: Emulator Detection Not Implemented
+id: MASWE-0099
+alias: emulator-detection
+platform: [android, ios]
+profiles: [R]
+mappings:
+ masvs-v1: [MSTG-RESILIENCE-5]
+ masvs-v2: [MASVS-RESILIENCE-1]
+
+draft:
+ description: e.g. identifying features and limitations available for commonly used
+ emulation solutions
+ topics:
+ - detection in place
+ - Effectiveness Assessment (e.g. bypassing the detection)
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-RESILIENCE/MASWE-0100.md b/weaknesses/MASVS-RESILIENCE/MASWE-0100.md
new file mode 100644
index 0000000000..2c504566ab
--- /dev/null
+++ b/weaknesses/MASVS-RESILIENCE/MASWE-0100.md
@@ -0,0 +1,19 @@
+---
+title: Device Attestation Not Implemented
+id: MASWE-0100
+alias: device-attestation
+platform: [android, ios]
+profiles: [R]
+mappings:
+ masvs-v1: [MSTG-RESILIENCE-10]
+ masvs-v2: [MASVS-RESILIENCE-1]
+
+draft:
+ description: e.g. Gooogle Play Integrity API, iOS DeviceCheck API
+ topics:
+ - detection in place
+ - Effectiveness Assessment (e.g. bypassing the detection)
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-RESILIENCE/MASWE-0101.md b/weaknesses/MASVS-RESILIENCE/MASWE-0101.md
new file mode 100644
index 0000000000..7ba3b07e06
--- /dev/null
+++ b/weaknesses/MASVS-RESILIENCE/MASWE-0101.md
@@ -0,0 +1,18 @@
+---
+title: Debugger Detection Not Implemented
+id: MASWE-0101
+alias: debugger-detection
+platform: [android, ios]
+profiles: [R]
+mappings:
+ masvs-v1: [MSTG-RESILIENCE-2]
+ masvs-v2: [MASVS-RESILIENCE-4]
+
+draft:
+ description: implementing techniques to detect debuggers
+ topics:
+ - debugger detection
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-RESILIENCE/MASWE-0102.md b/weaknesses/MASVS-RESILIENCE/MASWE-0102.md
new file mode 100644
index 0000000000..d13c9ca53a
--- /dev/null
+++ b/weaknesses/MASVS-RESILIENCE/MASWE-0102.md
@@ -0,0 +1,20 @@
+---
+title: Dynamic Analysis Tools Detection Not Implemented
+id: MASWE-0102
+alias: dynamic-analysis-tools
+platform: [android, ios]
+profiles: [R]
+mappings:
+ masvs-v1: [MSTG-RESILIENCE-4]
+ masvs-v2: [MASVS-RESILIENCE-4]
+
+draft:
+ description: e.g. Frida, Xposed, Cydia Substrate, etc.
+ topics:
+ - frida detection
+ - xposed detection
+ - cydia substrate detection
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-RESILIENCE/MASWE-0103.md b/weaknesses/MASVS-RESILIENCE/MASWE-0103.md
new file mode 100644
index 0000000000..4518faf2b9
--- /dev/null
+++ b/weaknesses/MASVS-RESILIENCE/MASWE-0103.md
@@ -0,0 +1,19 @@
+---
+title: RASP Techniques Not Implemented
+id: MASWE-0103
+alias: rasp-techniques
+platform: [android, ios]
+profiles: [R]
+mappings:
+ masvs-v1: [MSTG-RESILIENCE-8]
+ masvs-v2: [MASVS-RESILIENCE-4]
+
+draft:
+ description: e.g. Runtime Application Self-Protection, detection triggering different
+ responses
+ topics:
+ - detection triggering different responses
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-RESILIENCE/MASWE-0104.md b/weaknesses/MASVS-RESILIENCE/MASWE-0104.md
new file mode 100644
index 0000000000..0b30b09112
--- /dev/null
+++ b/weaknesses/MASVS-RESILIENCE/MASWE-0104.md
@@ -0,0 +1,30 @@
+---
+title: App Integrity Not Verified
+id: MASWE-0104
+alias: app-integrity
+platform: [android, ios]
+profiles: [R]
+mappings:
+ masvs-v1: [MSTG-CODE-1]
+ masvs-v2: [MASVS-RESILIENCE-2]
+
+refs:
+- https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format
+draft:
+ description: Potentially relevant for apps in alternative app stores (not Google
+ PlayStore or Apple AppStore). Also, e.g. Android V1 signing scheme only or iOS
+ CodeDirectory v less than 20400. Also, e.g. App Signature or Binaries, native
+ libraries including e.g. AppAttest
+ topics:
+ - App Signature or Binaries check on runtime
+ - native libraries including e.g. AppAttest
+ - Invalid App Signing Certificate
+ - Latest Available Signing Scheme Not Used - Android V1 signing scheme only
+ - Latest Available Signing Scheme Not Used - iOS CodeDirectory v less than 20400
+ - detection in place
+ - Effectiveness Assessment (e.g. bypassing the detection)
+ note: consider Static Code Modification? / Repackaging Detection Not Implemented
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-RESILIENCE/MASWE-0105.md b/weaknesses/MASVS-RESILIENCE/MASWE-0105.md
new file mode 100644
index 0000000000..d7cadd9da4
--- /dev/null
+++ b/weaknesses/MASVS-RESILIENCE/MASWE-0105.md
@@ -0,0 +1,20 @@
+---
+title: Integrity of App Resources Not Verified
+id: MASWE-0105
+alias: app-resources-integrity
+platform: [android, ios]
+profiles: [R]
+mappings:
+ masvs-v1: [MSTG-RESILIENCE-3]
+ masvs-v2: [MASVS-RESILIENCE-2, MASVS-CODE-4]
+
+draft:
+ description: e.g. integrity of downloaded resources or dynamically loaded resources
+ topics:
+ - Sandbox Integrity
+ - Integrity of downloaded resources
+ - Integrity of dynamically loaded resources (e.g. via backup restore)
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-RESILIENCE/MASWE-0106.md b/weaknesses/MASVS-RESILIENCE/MASWE-0106.md
new file mode 100644
index 0000000000..b87bf5446e
--- /dev/null
+++ b/weaknesses/MASVS-RESILIENCE/MASWE-0106.md
@@ -0,0 +1,16 @@
+---
+title: Official Store Verification Not Implemented
+id: MASWE-0106
+alias: store-verification
+platform: [android, ios]
+profiles: [R]
+mappings:
+ masvs-v2: [MASVS-RESILIENCE-2]
+
+draft:
+ description: Google PlayStore or Apple AppStore
+ topics: null
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-RESILIENCE/MASWE-0107.md b/weaknesses/MASVS-RESILIENCE/MASWE-0107.md
new file mode 100644
index 0000000000..ee737dbe13
--- /dev/null
+++ b/weaknesses/MASVS-RESILIENCE/MASWE-0107.md
@@ -0,0 +1,17 @@
+---
+title: Runtime Code Integrity Not Verified
+id: MASWE-0107
+alias: runtime-code-integrity
+platform: [android, ios]
+profiles: [R]
+mappings:
+ masvs-v1: [MSTG-RESILIENCE-6]
+ masvs-v2: [MASVS-RESILIENCE-2]
+
+draft:
+ description: e.g. memory tampering detection
+ topics: null
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-STORAGE/MASWE-0002.md b/weaknesses/MASVS-STORAGE/MASWE-0002.md
new file mode 100644
index 0000000000..745241794b
--- /dev/null
+++ b/weaknesses/MASVS-STORAGE/MASWE-0002.md
@@ -0,0 +1,22 @@
+---
+title: Sensitive Data Stored With Insufficient Access Restrictions in Internal Locations
+id: MASWE-0002
+alias: data-insufficient-access-restrictions-internal
+platform: [android]
+profiles: [L1, L2]
+mappings:
+ masvs-v1: [MSTG-STORAGE-2]
+ masvs-v2: [MASVS-STORAGE-2]
+
+refs:
+- https://developer.android.com/about/versions/nougat/android-7.0-changes#permfilesys
+draft:
+ description: Sensitive data may be stored in internal locations without ensuring
+ exclusive app access (e.g. by using the wrong file permissions) and may be accessible
+ to other apps.
+ topics:
+ - File permissions (Android)
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-STORAGE/MASWE-0003.md b/weaknesses/MASVS-STORAGE/MASWE-0003.md
new file mode 100644
index 0000000000..cc5dc2a481
--- /dev/null
+++ b/weaknesses/MASVS-STORAGE/MASWE-0003.md
@@ -0,0 +1,22 @@
+---
+title: Backup Unencrypted
+id: MASWE-0003
+alias: backup-unencrypted
+platform: [android]
+profiles: [L2]
+mappings:
+ masvs-v1: [MSTG-STORAGE-8]
+ masvs-v2: [MASVS-STORAGE-2, MASVS-PRIVACY-1]
+
+refs:
+- https://developer.android.com/guide/topics/data/autobackup#define-device-conditions
+draft:
+ description: The app may not encrypt sensitive data in backups, which may compromise
+ data confidentiality.
+ topics:
+ - Backup Device Conditions clientSideEncryption and deviceToDeviceTransfer Not Checked
+ (Android)
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-STORAGE/MASWE-0004.md b/weaknesses/MASVS-STORAGE/MASWE-0004.md
new file mode 100644
index 0000000000..4a3f7602dc
--- /dev/null
+++ b/weaknesses/MASVS-STORAGE/MASWE-0004.md
@@ -0,0 +1,23 @@
+---
+title: Sensitive Data Not Excluded From Backup
+id: MASWE-0004
+alias: data-not-excluded-backup
+platform: [android, ios]
+profiles: [L1, L2, P]
+mappings:
+ masvs-v1: [MSTG-STORAGE-8]
+ masvs-v2: [MASVS-STORAGE-2, MASVS-PRIVACY-1]
+
+refs:
+- https://developer.android.com/guide/topics/data/autobackup#include-exclude-android-11
+- https://developer.android.com/guide/topics/data/autobackup#include-exclude-android-12
+draft:
+ description: sensitive data can be excluded to prevent it from being backed up.
+ topics:
+ - '`android:fullBackupContent` (Android 11-) or `android:dataExtractionRules` (Android
+ 12+)'
+ - iOS `isExcludedFromBackup` (iOS)
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-STORAGE/MASWE-0006.md b/weaknesses/MASVS-STORAGE/MASWE-0006.md
new file mode 100644
index 0000000000..8f88ad19a2
--- /dev/null
+++ b/weaknesses/MASVS-STORAGE/MASWE-0006.md
@@ -0,0 +1,26 @@
+---
+title: Sensitive Data Stored Unencrypted in Private Storage Locations
+id: MASWE-0006
+alias: data-unencrypted-private-storage
+platform: [android, ios]
+profiles: [L2]
+mappings:
+ masvs-v1: [MSTG-STORAGE-2]
+ masvs-v2: [MASVS-STORAGE-1, MASVS-CRYPTO-2]
+
+draft:
+ description: Sensitive data may be stored in internal locations without encryption
+ and may be accessible to other apps under certain conditions.
+ topics:
+ - envelope encryption (DEK+KEK) or equivalent (Android)
+ - Android Security Lib usage (EncryptedFile/EncryptedSharedPreferences) (Android)
+ - Don't roll your own storage encryption, use platform provided APIs EncryptedFile/EncryptedSharedPreferences.
+ (Android)
+ - iOS KeyChain DataProtection classes (iOS)
+ - envelope encryption (DEK+KEK) or equivalent (iOS)
+ - sensitive data must not encoded (e.g. base64, simple bit operations such as XOR
+ or bit flipping) instead of encrypted
+status: draft
+
+---
+
diff --git a/weaknesses/MASVS-STORAGE/MASWE-0008.md b/weaknesses/MASVS-STORAGE/MASWE-0008.md
new file mode 100644
index 0000000000..6c631f9a73
--- /dev/null
+++ b/weaknesses/MASVS-STORAGE/MASWE-0008.md
@@ -0,0 +1,29 @@
+---
+title: Device Access Security Policy Not Enforced
+id: MASWE-0008
+alias: device-access-policy-not-enforced
+platform: [android, ios]
+profiles: [L2]
+mappings:
+ masvs-v1: [MSTG-STORAGE-11]
+ masvs-v2: [MASVS-STORAGE-1, MASVS-AUTH-2]
+
+refs:
+- https://developer.apple.com/documentation/localauthentication/logging_a_user_into_your_app_with_face_id_or_touch_id
+- https://grep.app/search?q=isdevicesecure%28&filter[repo][0]=threema-ch/threema-android
+draft:
+ description: The app may not enforce device access security policy (e.g. device
+ passcode) and may allow for unauthorized access to sensitive data.
+ topics:
+ - user set a device passcode via isDeviceSecure() on Android better than only ensuring
+ that the lock screen is set via `KeyguardManager.isKeyguardSecure()`
+ - before attempting to authenticate, test to make sure that you actually have the
+ ability to do so by calling the LAContext.canEvaluatePolicy(_:error:) method on
+ iOS
+ - to make sure that biometrics can be used, verify that the `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly`
+ or the `kSecAttrAccessibleWhenPasscodeSet` protection class is set when the `SecAccessControlCreateWithFlags`
+ method is called
+status: draft
+
+---
+