From 06a2a0eccd7418c7e0653af07626f72f1a886792 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Wed, 21 Feb 2024 20:07:22 +0000 Subject: [PATCH 01/52] Add Risk and Test for: Data Unencrypted Internal --- .../android-data-in-sandbox/test.md | 30 ++++++++++++++ .../data-unencrypted-internal/risk.md | 41 +++++++++++++++++++ 2 files changed, 71 insertions(+) create mode 100644 risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md create mode 100644 risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md new file mode 100644 index 0000000000..62972106da --- /dev/null +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md 
@@ -0,0 +1,30 @@ +--- +platform: android +title: Sensitive Data Written to Private Data Directory (Sandbox) Unencrypted. +type: [dynamic, filesystem] +mitigations: +- android-use-keystore +- android-use-androidx-security +prerequisites: +- identify-sensitive-data +--- + +## Steps + +1. Start the device. + +2. Launch and use the app going through the various workflows while inputting sensitive data wherever you can. Taking note of the data you input can help identify it later using tools to search for it. + +3. Take a copy of the app's private data directory for offline analysis. Using tar will preserve the filesystem structure and permissions. + +4. Search the extracted data for items such as keys, passwords and any sensitive data inputted into the app. + +5. Check files for sensitive data that has been encoded with algorithms such as base64 which obscures but does not protect sensitive data. + +## Observation + +Files within the private data directory contain sensitive data. + +## Evaluation + +The test case fails if you find sensitive data in the app's private data directory which has not been encrypted with strong cryptography. This includes plaintext data as well as encoding such as base64 or obfuscation such as xoring. diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md new file mode 100644 index 0000000000..63a13b7192 --- /dev/null +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md 
@@ -0,0 +1,41 @@ +--- +title: Sensitive Data Stored Unencrypted in Internal Locations +alias: data-unencrypted-internal +platform: [android, ios] +profiles: [L2] +mappings: + masvs-v1: [MSTG-STORAGE-2] + masvs-v2: [MASVS-STORAGE-1, MASVS-CRYPTO-2] + mastg-v1: [MASTG-TEST-0052, MASTG-TEST-0001] + +--- + +## Overview + +Mobile apps may need to store sensitive data locally within the application sandbox and this data is at risk of exposure via, for example, incorrect file permissions, an app vulnerability, device vulnerability or data backup mechanisms. + +[sensitive data](MASTG-THEORY-0023.md "Sensitive Data") may include personally identifiable information (PII), passwords, cryptographic keys or session tokens. + +Sensitive data stored locally on the device should be encrypted, and any keys used for encryption methods should be protected by the device's hardware-backed keystore, where available. + +## Impact + +- **Loss of Confidentiality**: Under the right conditions an attacker could extract sensitive data stored internally within the application sandbox leading to loss of confidentiality and enable further attacks such as identity theft or account takeover. + +## Modes of Introduction + +- **Data Stored Unencrypted**: Sensitive data is written to the app's private data directory (sandbox) unencrypted. +- **Hardcoded Encryption Key**: Sensitive data is encrypted but the key is hardcoded inside the application. +- **Encryption Key Stored on Filesystem**: Sensitive data is encrypted but the key is stored alongside it or in another easily accessible location. +- **Encryption Used is Insufficient**: Sensitive data is encrypted but the encryption is not considered to be strong. + +## Mitigations + +- Avoid storing sensitive data locally at all. +- Use the platform's hardware-backed keystore solution to store the key used for encryption. 
+- Use platform features such as [androidx.security.crypto](https://developer.android.com/jetpack/androidx/releases/security) to safely store files and sharedpreferences. + +Further documentation: + +- [Android Developers: Encrypt All Sensitive Data](https://developer.android.com/privacy-and-security/risks/backup-leaks#risk:-storing-sensitive-data-unencrypted) +- [iOS Documentation: Encrypt App Files](https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files) From acdce088c5a23607fdc530109609196df4bd7e31 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 27 Feb 2024 18:55:55 +0000 Subject: [PATCH 02/52] Update to clarify 'not storing data' as a mitigation --- .../data-unencrypted-internal/risk.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md index 63a13b7192..ca0adbd69c 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md @@ -31,7 +31,7 @@ Sensitive data stored locally on the device should be encrypted, and any keys us ## Mitigations -- Avoid storing sensitive data locally at all. +- Avoid storing sensitive data locally if not required for application functionality helps reduce the scope for risks. For example keeping PII server-side, rendering it at time of use, and removing any cached data on logout. - Use the platform's hardware-backed keystore solution to store the key used for encryption. - Use platform features such as [androidx.security.crypto](https://developer.android.com/jetpack/androidx/releases/security) to safely store files and sharedpreferences. From 21df242de9622926d32e1da57c17cd41ea63119f Mon Sep 17 00:00:00 2001 
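Review bot: In PATCH 01/52, test.md hunk, the front-matter `title` ends with a period ("... (Sandbox) Unencrypted.") while the risk.md title in the same patch has none; drop it so the two render consistently. Step 3 tells the tester that tar preserves structure and permissions but gives neither a command nor a link to the MASTG technique for copying the app's data directory, so the step is not reproducible as written; link the technique. Step 5 names only base64, whereas the Evaluation also fails the test on xoring, so the step list should cover the same encodings and obfuscations the Evaluation counts as failures.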
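Review bot: In PATCH 01/52, risk.md hunk, the empty `+` line between `mastg-v1: [...]` and the closing `---` sits inside the YAML front matter and should be removed. "[sensitive data](MASTG-THEORY-0023.md ...)" opens a sentence in lowercase, and the link target is a bare filename that this patch does not create next to risk.md, so check that it resolves from `risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/` or make it a relative path. The first mitigation, "Avoid storing sensitive data locally at all", is an absolute that apps with a real need for local data will simply ignore; qualify it (store only what the feature requires and say what to do with the rest). The two "Further documentation" URLs belong in a `refs:` front-matter entry rather than in the body.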
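Review bot: In PATCH 02/52, the replacement bullet is ungrammatical: "Avoid storing sensitive data locally if not required for application functionality helps reduce the scope for risks" runs an imperative into a clause with its own verb, and "For example keeping ..." is a fragment. Suggest: "- Avoid storing sensitive data locally when it is not required for application functionality; this reduces the scope for risk. For example, keep PII server-side, render it at time of use, and remove any cached data on logout."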
From: Thomas Cannon Date: Tue, 5 Mar 2024 15:14:24 +0000 Subject: [PATCH 03/52] Update risk.md to make mitigation generic --- .../data-unencrypted-internal/risk.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md index ca0adbd69c..ec3fbd9301 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md @@ -33,7 +33,7 @@ Sensitive data stored locally on the device should be encrypted, and any keys us - Avoid storing sensitive data locally if not required for application functionality helps reduce the scope for risks. For example keeping PII server-side, rendering it at time of use, and removing any cached data on logout. - Use the platform's hardware-backed keystore solution to store the key used for encryption. -- Use platform features such as [androidx.security.crypto](https://developer.android.com/jetpack/androidx/releases/security) to safely store files and sharedpreferences. +- Use platform features for encrypting data at rest to safely store files and preferences. Further documentation: From a29fb631e96bdc76b50fb59583a4894b8e935a49 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 2 Apr 2024 12:02:47 +0100 Subject: [PATCH 04/52] Update risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md Co-authored-by: Carlos Holguera --- .../data-unencrypted-internal/risk.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md index ec3fbd9301..56fede6f16 100644 
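Review bot: In PATCH 03/52, making the bullet platform-neutral drops the only concrete pointer (androidx.security.crypto) that the `android-use-androidx-security` mitigation id in test.md refers to; make sure that mitigation's own page carries the link, otherwise the id points at nothing actionable. "Use platform features for encrypting data at rest" is also vague for iOS; the Apple "Encrypt App Files" reference already listed under Further documentation could be cited in the bullet so each platform has a named mechanism.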
--- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md @@ -14,7 +14,7 @@ mappings: Mobile apps may need to store sensitive data locally within the application sandbox and this data is at risk of exposure via, for example, incorrect file permissions, an app vulnerability, device vulnerability or data backup mechanisms. -[sensitive data](MASTG-THEORY-0023.md "Sensitive Data") may include personally identifiable information (PII), passwords, cryptographic keys or session tokens. +[Sensitive data](MASTG-THEORY-0023.md "Sensitive Data") may include personally identifiable information (PII), passwords, cryptographic keys or session tokens. Sensitive data stored locally on the device should be encrypted, and any keys used for encryption methods should be protected by the device's hardware-backed keystore, where available. From c4ebaf2db0ea0bda110fb868bdc43e51a5b37e99 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 2 Apr 2024 12:03:31 +0100 Subject: [PATCH 05/52] Update risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md Add refs Co-authored-by: Carlos Holguera --- .../data-unencrypted-internal/risk.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md index 56fede6f16..89a6871c1e 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md 
@@ -7,7 +7,9 @@ mappings: masvs-v1: [MSTG-STORAGE-2] masvs-v2: [MASVS-STORAGE-1, MASVS-CRYPTO-2] mastg-v1: [MASTG-TEST-0052, MASTG-TEST-0001] - +refs: + - https://developer.android.com/privacy-and-security/risks/backup-leaks#risk:-storing-sensitive-data-unencrypted + - https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files --- ## Overview From ed8f910ea7d74c1c265373a7dd18175d1c800818 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 2 Apr 2024 12:06:41 +0100 Subject: [PATCH 06/52] Fix typo in title Co-authored-by: Carlos Holguera --- .../data-unencrypted-internal/android-data-in-sandbox/test.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md index 62972106da..07a42728b7 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md @@ -1,6 +1,6 @@ --- platform: android -title: Sensitive Data Written to Private Data Directory (Sandbox) Unencrypted. +title: Sensitive Data Written to Private Data Directory (Sandbox) Unencrypted type: [dynamic, filesystem] mitigations: - android-use-keystore From df642300df9180e59f1abc3c885390f56e76504f Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 2 Apr 2024 12:13:29 +0100 Subject: [PATCH 07/52] Adding link to a technique from test.md --- .../data-unencrypted-internal/android-data-in-sandbox/test.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
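Review bot: In PATCH 05/52, the two URLs added under `refs:` are the same two already listed under "Further documentation" in the Mitigations section, so after this hunk risk.md carries them twice; remove the body list in the same commit so the `refs:` key is the single source. The hunk does usefully remove the empty line that was inside the front matter.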
diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md index 07a42728b7..69d18492be 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md @@ -15,7 +15,7 @@ prerequisites: 2. Launch and use the app going through the various workflows while inputting sensitive data wherever you can. Taking note of the data you input can help identify it later using tools to search for it. -3. Take a copy of the app's private data directory for offline analysis. Using tar will preserve the filesystem structure and permissions. +3. Take a copy of the app's private data directory for offline analysis. See: https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0008. 4. Search the extracted data for items such as keys, passwords and any sensitive data inputted into the app. From c398e90aac41c4fba40a67d7c39e4384204d7b71 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 2 Apr 2024 12:25:23 +0100 Subject: [PATCH 08/52] Update observation and evaluation in test.md --- .../data-unencrypted-internal/android-data-in-sandbox/test.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md index 69d18492be..c8606eadac 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md 
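Review bot: In PATCH 07/52, the new link `https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0008` is absolute, while the rest of this series links repository content by relative path; an absolute link to the published site breaks in local previews and pins the step to whatever that URL serves later. Use a relative path to the technique file. The hunk also drops the sentence that tar preserves structure and permissions; keep it unless the linked technique already says so, because file permissions are one of the exposure paths risk.md lists.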
@@ -23,8 +23,8 @@ prerequisites: ## Observation -Files within the private data directory contain sensitive data. +Data extracted from the app's private data directory which has been decompressed, decoded or deobfuscated where required. ## Evaluation -The test case fails if you find sensitive data in the app's private data directory which has not been encrypted with strong cryptography. This includes plaintext data as well as encoding such as base64 or obfuscation such as xoring. +Search the extracted data for items such as keys, passwords and any sensitive data inputted into the app. The test case fails if you find any of this sensitive data. From bb794de8ecd85d71bbc8a917aa9b0d311e0a61e8 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 2 Apr 2024 12:28:20 +0100 Subject: [PATCH 09/52] Update risk.md to remove "further documentation" as they are now in the refs section --- .../data-unencrypted-internal/risk.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md index 89a6871c1e..8b22bb3c9a 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md 
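Review bot: In PATCH 08/52, the new Evaluation drops the qualifier "which has not been encrypted with strong cryptography". As written, the test fails only when the tester can find the sensitive data in the extracted files, so data encrypted under a hardcoded or co-located key (two of the Modes of Introduction in risk.md) would pass this test even though the risk page classes it as a failure. Either keep the qualifier and state that data protected by a recoverable key counts as unencrypted, or say explicitly that those modes are out of scope for this test.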
@@ -36,8 +36,3 @@ Sensitive data stored locally on the device should be encrypted, and any keys us - Avoid storing sensitive data locally if not required for application functionality helps reduce the scope for risks. For example keeping PII server-side, rendering it at time of use, and removing any cached data on logout. - Use the platform's hardware-backed keystore solution to store the key used for encryption. - Use platform features for encrypting data at rest to safely store files and preferences. - -Further documentation: - -- [Android Developers: Encrypt All Sensitive Data](https://developer.android.com/privacy-and-security/risks/backup-leaks#risk:-storing-sensitive-data-unencrypted) -- [iOS Documentation: Encrypt App Files](https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files) From ea50af43b055ce33a2ddafbf95b5be7a141ef71a Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 7 May 2024 13:37:22 +0100 Subject: [PATCH 10/52] Updating test.md with Carlos' suggestions Co-authored-by: Carlos Holguera --- .../data-unencrypted-internal/android-data-in-sandbox/test.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md index c8606eadac..2cb8378dd3 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md 
@@ -17,9 +17,7 @@ prerequisites: 3. Take a copy of the app's private data directory for offline analysis. See: https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0008. -4. Search the extracted data for items such as keys, passwords and any sensitive data inputted into the app. - -5. Check files for sensitive data that has been encoded with algorithms such as base64 which obscures but does not protect sensitive data. +4. Attempt to identify and decode data that has been encoded using methods such as base64 encoding, hexadecimal representation, URL encoding, escape sequences, wide characters and common data obfuscation methods such as xoring. Also consider identifying and decompressing compressed files such as tar or zip. These methods obscure but do not protect sensitive data. ## Observation From 8585fc99eb8dda2a8cd9f4e786539b3b18abc75e Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 7 May 2024 13:38:03 +0100 Subject: [PATCH 11/52] Update Internal -> Private Storage Co-authored-by: Carlos Holguera --- .../data-unencrypted-internal/risk.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md index 8b22bb3c9a..89d50fa986 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md @@ -1,5 +1,5 @@ --- -title: Sensitive Data Stored Unencrypted in Internal Locations +title: Sensitive Data Stored Unencrypted in Private Storage Locations alias: data-unencrypted-internal platform: [android, ios] profiles: [L2] From 9782a76bc3690db923d542cd6163c0d94186b7e7 Mon Sep 17 00:00:00 2001 
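Review bot: In PATCH 10/52, merging steps 4 and 5 removes the explicit search step ("Search the extracted data for items such as keys, passwords and any sensitive data inputted into the app"); it now survives only in the Evaluation, so the Steps no longer say what the tester does with the decoded output. Keep a step that searches the decoded data for the values noted in step 2. Minor: "xoring" reads better as "XOR".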
From: Thomas Cannon Date: Tue, 7 May 2024 13:38:31 +0100 Subject: [PATCH 12/52] Update Internal -> Private Storage Co-authored-by: Carlos Holguera --- .../data-unencrypted-internal/risk.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md index 89d50fa986..4b59c4ea8f 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md @@ -1,6 +1,6 @@ --- title: Sensitive Data Stored Unencrypted in Private Storage Locations -alias: data-unencrypted-internal +alias: data-unencrypted-private-storage platform: [android, ios] profiles: [L2] mappings: From cb57040fd1e2ad4127ee931fcdeaa4cdbd9d8202 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 7 May 2024 13:39:18 +0100 Subject: [PATCH 13/52] Update with new term Private Storage Co-authored-by: Carlos Holguera --- .../data-unencrypted-internal/risk.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md index 4b59c4ea8f..b9c8c58d97 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md 
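Review bot: In PATCH 12/52, the alias changes to `data-unencrypted-private-storage` but the file still lives under `.../data-unencrypted-internal/` (see the diff header), and the relative links added later in this series are computed from that directory. If the alias is meant to match the directory name, rename the directory in the same commit and update the paths; otherwise document that alias and path intentionally differ.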
@@ -14,7 +14,7 @@ refs: ## Overview -Mobile apps may need to store sensitive data locally within the application sandbox and this data is at risk of exposure via, for example, incorrect file permissions, an app vulnerability, device vulnerability or data backup mechanisms. +Mobile apps may need to store sensitive data locally within private storage locations such as the application sandbox and this data is at risk of exposure via, for example, incorrect file permissions, an app vulnerability, device vulnerability or data backup mechanisms. [Sensitive data](MASTG-THEORY-0023.md "Sensitive Data") may include personally identifiable information (PII), passwords, cryptographic keys or session tokens. From 0a76eb156ca43c6150229f3998c37969be1f4742 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 7 May 2024 13:40:13 +0100 Subject: [PATCH 14/52] Update to relative directory path Co-authored-by: Carlos Holguera --- .../data-unencrypted-internal/risk.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md index b9c8c58d97..da32406ac4 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md 
@@ -16,7 +16,7 @@ refs: Mobile apps may need to store sensitive data locally within private storage locations such as the application sandbox and this data is at risk of exposure via, for example, incorrect file permissions, an app vulnerability, device vulnerability or data backup mechanisms. -[Sensitive data](MASTG-THEORY-0023.md "Sensitive Data") may include personally identifiable information (PII), passwords, cryptographic keys or session tokens. +[Sensitive data](../../../../prerequisites/identify-sensitive-data.md "Sensitive Data") may include personally identifiable information (PII), passwords, cryptographic keys or session tokens. Sensitive data stored locally on the device should be encrypted, and any keys used for encryption methods should be protected by the device's hardware-backed keystore, where available. From f1a713cdbf04617b79e9ce2f1fe13469c16d8942 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 7 May 2024 13:41:58 +0100 Subject: [PATCH 15/52] Update test.md Overview with Carlos' suggestion Co-authored-by: Carlos Holguera --- .../android-data-in-sandbox/test.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md index 2cb8378dd3..291ac8f602 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md 
@@ -9,6 +9,12 @@ prerequisites: - identify-sensitive-data --- +## Overview + +Android apps use a variety of APIs to write data to internal storage. If you only need to inspect the list of created/modified files and their contents, the most effective approach is a snapshot-based approach like the one used in this test. + +This has the limitation that you won't know the APIs and locations in your code that are responsible; if you need to know, you should rather follow a dynamic analysis approach based on method tracing. + ## Steps 1. Start the device. From 22d79f5fdfb7d8ffb6d4657dbcb121da6750014d Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 7 May 2024 13:43:25 +0100 Subject: [PATCH 16/52] Update test.md links with relative paths and add a test step to take a before-snapshot Co-authored-by: Carlos Holguera --- .../data-unencrypted-internal/android-data-in-sandbox/test.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md index 291ac8f602..bee3501751 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md 
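Review bot: In PATCH 15/52, the Overview points readers who need the responsible APIs and code locations to "a dynamic analysis approach based on method tracing" without linking the technique or test that covers it; add the link so the alternative is followable from this page.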
@@ -19,7 +19,9 @@ This has the limitation that you won't know the APIs and locations in your code 1. Start the device. -2. Launch and use the app going through the various workflows while inputting sensitive data wherever you can. Taking note of the data you input can help identify it later using tools to search for it. +2. Take a first [copy of the app's private data directory](../../../../../techniques/android/MASTG-TECH-0008.md) to have as a reference for offline analysis. + +3. Launch and use the app going through the various workflows while inputting sensitive data wherever you can. Taking note of the data you input can help identify it later using tools to search for it. 3. Take a copy of the app's private data directory for offline analysis. See: https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0008. From 1aef3978990b3db23375da5d4c04d0ede69abe0e Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 7 May 2024 13:44:33 +0100 Subject: [PATCH 17/52] Update risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md Co-authored-by: Carlos Holguera --- .../data-unencrypted-internal/risk.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md index da32406ac4..6f450116c3 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md 
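Review bot: In PATCH 16/52, the hunk leaves two steps numbered 3 ("3. Launch and use the app ..." and the unchanged "3. Take a copy of the app's private data directory ..."), and the first snapshot is linked by relative path while the second still uses the absolute URL; renumber and use the same link form for both. The new step says the first copy is "a reference for offline analysis" but no later step compares the two snapshots, so add the diff step that gives the reference copy a purpose.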
@@ -18,8 +18,6 @@ Mobile apps may need to store sensitive data locally within private storage loca [Sensitive data](../../../../prerequisites/identify-sensitive-data.md "Sensitive Data") may include personally identifiable information (PII), passwords, cryptographic keys or session tokens. -Sensitive data stored locally on the device should be encrypted, and any keys used for encryption methods should be protected by the device's hardware-backed keystore, where available. - ## Impact - **Loss of Confidentiality**: Under the right conditions an attacker could extract sensitive data stored internally within the application sandbox leading to loss of confidentiality and enable further attacks such as identity theft or account takeover. From f1f9c27f8d0d9f49b9b88360c1112c0fcfa97ad2 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 7 May 2024 13:52:12 +0100 Subject: [PATCH 18/52] Correct numbering in test.md --- .../data-unencrypted-internal/android-data-in-sandbox/test.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md index bee3501751..8bd05fe34d 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md 
@@ -23,9 +23,9 @@ This has the limitation that you won't know the APIs and locations in your code 3. Launch and use the app going through the various workflows while inputting sensitive data wherever you can. Taking note of the data you input can help identify it later using tools to search for it. -3. Take a copy of the app's private data directory for offline analysis. See: https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0008. +4. Take a second copy of the app's private data directory for offline analysis and make a diff using the first copy to identify all files created or modify during your testing session. -4. Attempt to identify and decode data that has been encoded using methods such as base64 encoding, hexadecimal representation, URL encoding, escape sequences, wide characters and common data obfuscation methods such as xoring. Also consider identifying and decompressing compressed files such as tar or zip. These methods obscure but do not protect sensitive data. +5. Attempt to identify and decode data that has been encoded using methods such as base64 encoding, hexadecimal representation, URL encoding, escape sequences, wide characters and common data obfuscation methods such as xoring. Also consider identifying and decompressing compressed files such as tar or zip. These methods obscure but do not protect sensitive data. ## Observation From b698abe12fc676a987a5dabdf4a9f9b7e1875dd0 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Wed, 21 Feb 2024 20:07:22 +0000 Subject: [PATCH 19/52] Add Risk and Test for: Data Unencrypted Internal --- .../android-data-in-sandbox/test.md | 30 ++++++++++++++ .../data-unencrypted-internal/risk.md | 41 +++++++++++++++++++ 2 files changed, 71 insertions(+) create mode 100644 risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md create mode 100644 risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md 
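Review bot: In PATCH 18/52, "identify all files created or modify during your testing session" should read "created or modified". The step asks for a diff of the two copies without naming how; a recursive directory comparison or a per-file hash comparison would make the step reproducible, and since the copies are meant to preserve permissions, the comparison should also report permission changes, not only content changes.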
diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md new file mode 100644 index 0000000000..62972106da --- /dev/null +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md @@ -0,0 +1,30 @@ +--- +platform: android +title: Sensitive Data Written to Private Data Directory (Sandbox) Unencrypted. +type: [dynamic, filesystem] +mitigations: +- android-use-keystore +- android-use-androidx-security +prerequisites: +- identify-sensitive-data +--- + +## Steps + +1. Start the device. + +2. Launch and use the app going through the various workflows while inputting sensitive data wherever you can. Taking note of the data you input can help identify it later using tools to search for it. + +3. Take a copy of the app's private data directory for offline analysis. Using tar will preserve the filesystem structure and permissions. + +4. Search the extracted data for items such as keys, passwords and any sensitive data inputted into the app. + +5. Check files for sensitive data that has been encoded with algorithms such as base64 which obscures but does not protect sensitive data. + +## Observation + +Files within the private data directory contain sensitive data. + +## Evaluation + +The test case fails if you find sensitive data in the app's private data directory which has not been encrypted with strong cryptography. This includes plaintext data as well as encoding such as base64 or obfuscation such as xoring. diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md new file mode 100644 index 0000000000..63a13b7192 --- /dev/null 
+++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md 
@@ -0,0 +1,41 @@ +--- +title: Sensitive Data Stored Unencrypted in Internal Locations +alias: data-unencrypted-internal +platform: [android, ios] +profiles: [L2] +mappings: + masvs-v1: [MSTG-STORAGE-2] + masvs-v2: [MASVS-STORAGE-1, MASVS-CRYPTO-2] + mastg-v1: [MASTG-TEST-0052, MASTG-TEST-0001] + +--- + +## Overview + +Mobile apps may need to store sensitive data locally within the application sandbox and this data is at risk of exposure via, for example, incorrect file permissions, an app vulnerability, device vulnerability or data backup mechanisms. + +[sensitive data](MASTG-THEORY-0023.md "Sensitive Data") may include personally identifiable information (PII), passwords, cryptographic keys or session tokens. + +Sensitive data stored locally on the device should be encrypted, and any keys used for encryption methods should be protected by the device's hardware-backed keystore, where available. + +## Impact + +- **Loss of Confidentiality**: Under the right conditions an attacker could extract sensitive data stored internally within the application sandbox leading to loss of confidentiality and enable further attacks such as identity theft or account takeover. + +## Modes of Introduction + +- **Data Stored Unencrypted**: Sensitive data is written to the app's private data directory (sandbox) unencrypted. +- **Hardcoded Encryption Key**: Sensitive data is encrypted but the key is hardcoded inside the application. +- **Encryption Key Stored on Filesystem**: Sensitive data is encrypted but the key is stored alongside it or in another easily accessible location. +- **Encryption Used is Insufficient**: Sensitive data is encrypted but the encryption is not considered to be strong. + +## Mitigations + +- Avoid storing sensitive data locally at all. +- Use the platform's hardware-backed keystore solution to store the key used for encryption. 
+- Use platform features such as [androidx.security.crypto](https://developer.android.com/jetpack/androidx/releases/security) to safely store files and sharedpreferences. + +Further documentation: + +- [Android Developers: Encrypt All Sensitive Data](https://developer.android.com/privacy-and-security/risks/backup-leaks#risk:-storing-sensitive-data-unencrypted) +- [iOS Documentation: Encrypt App Files](https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files) From a171a705e72e9e09ca0ea8657444b7804131f6f8 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 27 Feb 2024 18:55:55 +0000 Subject: [PATCH 20/52] Update to clarify 'not storing data' as a mitigation --- .../data-unencrypted-internal/risk.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md index 63a13b7192..ca0adbd69c 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md @@ -31,7 +31,7 @@ Sensitive data stored locally on the device should be encrypted, and any keys us ## Mitigations -- Avoid storing sensitive data locally at all. +- Avoid storing sensitive data locally if not required for application functionality helps reduce the scope for risks. For example keeping PII server-side, rendering it at time of use, and removing any cached data on logout. - Use the platform's hardware-backed keystore solution to store the key used for encryption. - Use platform features such as [androidx.security.crypto](https://developer.android.com/jetpack/androidx/releases/security) to safely store files and sharedpreferences. From f487f609942a5a6f8b9b902db78640e8e15b825b Mon Sep 17 00:00:00 2001 
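Review bot: in the new risk.md Overview, the sentence beginning `[sensitive data](MASTG-THEORY-0023.md "Sensitive Data")` starts lowercase; capitalise the link text. The "Encryption Used is Insufficient" mode of introduction is vague about what counts as weak; naming a concrete criterion (a home-grown cipher, a short key, ECB or another non-authenticated mode) would make it testable. The `mappings` block also leaves a blank line before the closing `---`, which is inconsistent with the test.md front matter.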
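Review bot: the rewritten first mitigation is ungrammatical ("Avoid storing sensitive data locally if not required for application functionality helps reduce the scope for risks"); split it into two sentences, e.g. "Avoid storing sensitive data locally unless it is required for application functionality; this reduces the scope for risk. For example, keep PII server-side, render it at time of use, and remove any cached data on logout."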
From: Thomas Cannon Date: Tue, 5 Mar 2024 15:14:24 +0000 Subject: [PATCH 21/52] Update risk.md to make mitigation generic --- .../data-unencrypted-internal/risk.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md index ca0adbd69c..ec3fbd9301 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md @@ -33,7 +33,7 @@ Sensitive data stored locally on the device should be encrypted, and any keys us - Avoid storing sensitive data locally if not required for application functionality helps reduce the scope for risks. For example keeping PII server-side, rendering it at time of use, and removing any cached data on logout. - Use the platform's hardware-backed keystore solution to store the key used for encryption. -- Use platform features such as [androidx.security.crypto](https://developer.android.com/jetpack/androidx/releases/security) to safely store files and sharedpreferences. +- Use platform features for encrypting data at rest to safely store files and preferences. Further documentation: From 837cddcf32cbc7cc6ddcf36357184769c60000e0 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 2 Apr 2024 12:02:47 +0100 Subject: [PATCH 22/52] Update risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md Co-authored-by: Carlos Holguera --- .../data-unencrypted-internal/risk.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md index ec3fbd9301..56fede6f16 100644 
--- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md @@ -14,7 +14,7 @@ mappings: Mobile apps may need to store sensitive data locally within the application sandbox and this data is at risk of exposure via, for example, incorrect file permissions, an app vulnerability, device vulnerability or data backup mechanisms. -[sensitive data](MASTG-THEORY-0023.md "Sensitive Data") may include personally identifiable information (PII), passwords, cryptographic keys or session tokens. +[Sensitive data](MASTG-THEORY-0023.md "Sensitive Data") may include personally identifiable information (PII), passwords, cryptographic keys or session tokens. Sensitive data stored locally on the device should be encrypted, and any keys used for encryption methods should be protected by the device's hardware-backed keystore, where available. From 6f429f7f39f37d4f0abe44e9338f8ebb5f201c88 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 2 Apr 2024 12:03:31 +0100 Subject: [PATCH 23/52] Update risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md Add refs Co-authored-by: Carlos Holguera --- .../data-unencrypted-internal/risk.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md index 56fede6f16..89a6871c1e 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md 
@@ -7,7 +7,9 @@ mappings: masvs-v1: [MSTG-STORAGE-2] masvs-v2: [MASVS-STORAGE-1, MASVS-CRYPTO-2] mastg-v1: [MASTG-TEST-0052, MASTG-TEST-0001] - +refs: + - https://developer.android.com/privacy-and-security/risks/backup-leaks#risk:-storing-sensitive-data-unencrypted + - https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files --- ## Overview From a591166f844b1b5618c1d7804414a6054936b3cc Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 2 Apr 2024 12:06:41 +0100 Subject: [PATCH 24/52] Fix typo in title Co-authored-by: Carlos Holguera --- .../data-unencrypted-internal/android-data-in-sandbox/test.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md index 62972106da..07a42728b7 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md @@ -1,6 +1,6 @@ --- platform: android -title: Sensitive Data Written to Private Data Directory (Sandbox) Unencrypted. +title: Sensitive Data Written to Private Data Directory (Sandbox) Unencrypted type: [dynamic, filesystem] mitigations: - android-use-keystore From e138fecc26772b821cd2aac51d9959cc3b628094 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 2 Apr 2024 12:13:29 +0100 Subject: [PATCH 25/52] Adding link to a technique from test.md --- .../data-unencrypted-internal/android-data-in-sandbox/test.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
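Review bot: the new `refs` list in the front matter duplicates the two links already in the "Further documentation" section at the end of risk.md; keep a single location (the front matter) and remove the prose list in the same change so the two copies cannot drift apart.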
diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md index 07a42728b7..69d18492be 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md @@ -15,7 +15,7 @@ prerequisites: 2. Launch and use the app going through the various workflows while inputting sensitive data wherever you can. Taking note of the data you input can help identify it later using tools to search for it. -3. Take a copy of the app's private data directory for offline analysis. Using tar will preserve the filesystem structure and permissions. +3. Take a copy of the app's private data directory for offline analysis. See: https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0008. 4. Search the extracted data for items such as keys, passwords and any sensitive data inputted into the app. From 96330fbf18f0de57891c7729332b98554f5cb83b Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 2 Apr 2024 12:25:23 +0100 Subject: [PATCH 26/52] Update observation and evaluation in test.md --- .../data-unencrypted-internal/android-data-in-sandbox/test.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md index 69d18492be..c8606eadac 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md 
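Review bot: step 3 now links with an absolute `https://mas.owasp.org/...` URL while the rest of the document uses relative links (e.g. `MASTG-THEORY-0023.md`); use a relative path to the technique file so the link works in local previews and survives site restructuring. Dropping the `tar` hint is fine only if the linked technique explains how to preserve file permissions, which step 5's permission checks rely on.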
@@ -23,8 +23,8 @@ prerequisites: ## Observation -Files within the private data directory contain sensitive data. +Data extracted from the app's private data directory which has been decompressed, decoded or deobfuscated where required. ## Evaluation -The test case fails if you find sensitive data in the app's private data directory which has not been encrypted with strong cryptography. This includes plaintext data as well as encoding such as base64 or obfuscation such as xoring. +Search the extracted data for items such as keys, passwords and any sensitive data inputted into the app. The test case fails if you find any of this sensitive data. From 3269afb96716bdb4943efb22c70cae22d42036f2 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 2 Apr 2024 12:28:20 +0100 Subject: [PATCH 27/52] Update risk.md to remove "further documentation" as they are now in the refs section --- .../data-unencrypted-internal/risk.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md index 89a6871c1e..8b22bb3c9a 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md 
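Review bot: the new Observation text describes the artifact produced by the steps rather than what the tester observes, and the new Evaluation drops the explicit rule that base64-encoded or XOR-obfuscated data still counts as unencrypted, which was the most useful part of the previous criterion. Keep that rule in Evaluation, e.g. "Encoded (base64, hex) or obfuscated (XOR) data is treated as plaintext for this test."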
@@ -36,8 +36,3 @@ Sensitive data stored locally on the device should be encrypted, and any keys us - Avoid storing sensitive data locally if not required for application functionality helps reduce the scope for risks. For example keeping PII server-side, rendering it at time of use, and removing any cached data on logout. - Use the platform's hardware-backed keystore solution to store the key used for encryption. - Use platform features for encrypting data at rest to safely store files and preferences. - -Further documentation: - -- [Android Developers: Encrypt All Sensitive Data](https://developer.android.com/privacy-and-security/risks/backup-leaks#risk:-storing-sensitive-data-unencrypted) -- [iOS Documentation: Encrypt App Files](https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files) From 3024aff12b29f71bb80372239d7885140e06e293 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 7 May 2024 13:37:22 +0100 Subject: [PATCH 28/52] Updating test.md with Carlos' suggestions Co-authored-by: Carlos Holguera --- .../data-unencrypted-internal/android-data-in-sandbox/test.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md index c8606eadac..2cb8378dd3 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md 
@@ -17,9 +17,7 @@ prerequisites: 3. Take a copy of the app's private data directory for offline analysis. See: https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0008. -4. Search the extracted data for items such as keys, passwords and any sensitive data inputted into the app. - -5. Check files for sensitive data that has been encoded with algorithms such as base64 which obscures but does not protect sensitive data. +4. Attempt to identify and decode data that has been encoded using methods such as base64 encoding, hexadecimal representation, URL encoding, escape sequences, wide characters and common data obfuscation methods such as xoring. Also consider identifying and decompressing compressed files such as tar or zip. These methods obscure but do not protect sensitive data. ## Observation From 63be19eef646678fd3200ded8974cabcc50863ac Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 7 May 2024 13:38:03 +0100 Subject: [PATCH 29/52] Update Internal -> Private Storage Co-authored-by: Carlos Holguera --- .../data-unencrypted-internal/risk.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md index 8b22bb3c9a..89d50fa986 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md @@ -1,5 +1,5 @@ --- -title: Sensitive Data Stored Unencrypted in Internal Locations +title: Sensitive Data Stored Unencrypted in Private Storage Locations alias: data-unencrypted-internal platform: [android, ios] profiles: [L2] From c4717343259fd1c61a27c9db049b35a2ba5618ed Mon Sep 17 00:00:00 2001 
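Review bot: after merging the old steps 4 and 5, the Steps section ends with the decoding step and no longer tells the tester to search the extracted data for the values noted in step 2; that instruction now lives only in Evaluation. Either keep a short "search the extracted data" step or say in step 4 that the decoded output is what Evaluation searches. Also "xoring" would read better as "XOR".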
From: Thomas Cannon Date: Tue, 7 May 2024 13:38:31 +0100 Subject: [PATCH 30/52] Update Internal -> Private Storage Co-authored-by: Carlos Holguera --- .../data-unencrypted-internal/risk.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md index 89d50fa986..4b59c4ea8f 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md @@ -1,6 +1,6 @@ --- title: Sensitive Data Stored Unencrypted in Private Storage Locations -alias: data-unencrypted-internal +alias: data-unencrypted-private-storage platform: [android, ios] profiles: [L2] mappings: From 274e5cc369a02f1a136a831a23c9e296b2208458 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 7 May 2024 13:39:18 +0100 Subject: [PATCH 31/52] Update with new term Private Storage Co-authored-by: Carlos Holguera --- .../data-unencrypted-internal/risk.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md index 4b59c4ea8f..b9c8c58d97 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md 
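Review bot: the `alias` becomes `data-unencrypted-private-storage` while the file still lives under `data-unencrypted-internal/` and the test.md sits below that directory; if the alias is meant to match the directory name (the convention the earlier hunks followed), rename the directory in the same change, otherwise generated links that derive one from the other will break.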
@@ -14,7 +14,7 @@ refs: ## Overview -Mobile apps may need to store sensitive data locally within the application sandbox and this data is at risk of exposure via, for example, incorrect file permissions, an app vulnerability, device vulnerability or data backup mechanisms. +Mobile apps may need to store sensitive data locally within private storage locations such as the application sandbox and this data is at risk of exposure via, for example, incorrect file permissions, an app vulnerability, device vulnerability or data backup mechanisms. [Sensitive data](MASTG-THEORY-0023.md "Sensitive Data") may include personally identifiable information (PII), passwords, cryptographic keys or session tokens. From 254ba569bf8046de587a2c3b732fca73b32cde27 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 7 May 2024 13:40:13 +0100 Subject: [PATCH 32/52] Update to relative directory path Co-authored-by: Carlos Holguera --- .../data-unencrypted-internal/risk.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md index b9c8c58d97..da32406ac4 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md 
@@ -16,7 +16,7 @@ refs: Mobile apps may need to store sensitive data locally within private storage locations such as the application sandbox and this data is at risk of exposure via, for example, incorrect file permissions, an app vulnerability, device vulnerability or data backup mechanisms. -[Sensitive data](MASTG-THEORY-0023.md "Sensitive Data") may include personally identifiable information (PII), passwords, cryptographic keys or session tokens. +[Sensitive data](../../../../prerequisites/identify-sensitive-data.md "Sensitive Data") may include personally identifiable information (PII), passwords, cryptographic keys or session tokens. Sensitive data stored locally on the device should be encrypted, and any keys used for encryption methods should be protected by the device's hardware-backed keystore, where available. From 115ae2fb51b2df1fdc3ecee9a0f39dfa0091b1d7 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 7 May 2024 13:41:58 +0100 Subject: [PATCH 33/52] Update test.md Overview with Carlos' suggestion Co-authored-by: Carlos Holguera --- .../android-data-in-sandbox/test.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md index 2cb8378dd3..291ac8f602 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md 
@@ -9,6 +9,12 @@ prerequisites: - identify-sensitive-data --- +## Overview + +Android apps use a variety of APIs to write data to internal storage. If you only need to inspect the list of created/modified files and their contents, the most effective approach is a snapshot-based approach like the one used in this test. + +This has the limitation that you won't know the APIs and locations in your code that are responsible; if you need to know, you should rather follow a dynamic analysis approach based on method tracing. + ## Steps 1. Start the device. From 5b1bb492f76850059e76ea74ec122ef893448dd5 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 7 May 2024 13:43:25 +0100 Subject: [PATCH 34/52] Update test.md links with relative paths and add a test step to take a before-snapshot Co-authored-by: Carlos Holguera --- .../data-unencrypted-internal/android-data-in-sandbox/test.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md index 291ac8f602..bee3501751 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md 
@@ -19,7 +19,9 @@ This has the limitation that you won't know the APIs and locations in your code 1. Start the device. -2. Launch and use the app going through the various workflows while inputting sensitive data wherever you can. Taking note of the data you input can help identify it later using tools to search for it. +2. Take a first [copy of the app's private data directory](../../../../../techniques/android/MASTG-TECH-0008.md) to have as a reference for offline analysis. + +3. Launch and use the app going through the various workflows while inputting sensitive data wherever you can. Taking note of the data you input can help identify it later using tools to search for it. 3. Take a copy of the app's private data directory for offline analysis. See: https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0008. From b5d288e252160dc1e39522e4902e429cb2c705bc Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 7 May 2024 13:44:33 +0100 Subject: [PATCH 35/52] Update risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md Co-authored-by: Carlos Holguera --- .../data-unencrypted-internal/risk.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md index da32406ac4..6f450116c3 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md 
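Review bot: inserting the new step 2 leaves two steps numbered 3 ("3. Launch and use the app..." and "3. Take a copy of the app's private data directory..."); renumber them to 3 and 4. The new step also uses a relative link (`../../../../../techniques/android/MASTG-TECH-0008.md`) while the remaining copy step still uses the absolute mas.owasp.org URL; make both relative in this hunk.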
@@ -18,8 +18,6 @@ Mobile apps may need to store sensitive data locally within private storage loca [Sensitive data](../../../../prerequisites/identify-sensitive-data.md "Sensitive Data") may include personally identifiable information (PII), passwords, cryptographic keys or session tokens. -Sensitive data stored locally on the device should be encrypted, and any keys used for encryption methods should be protected by the device's hardware-backed keystore, where available. - ## Impact - **Loss of Confidentiality**: Under the right conditions an attacker could extract sensitive data stored internally within the application sandbox leading to loss of confidentiality and enable further attacks such as identity theft or account takeover. From 212bcff034907360d12f90a34fc684f5739c9fb9 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 7 May 2024 13:52:12 +0100 Subject: [PATCH 36/52] Correct numbering in test.md --- .../data-unencrypted-internal/android-data-in-sandbox/test.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md index bee3501751..8bd05fe34d 100644 --- a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md +++ b/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md 
@@ -23,9 +23,9 @@ This has the limitation that you won't know the APIs and locations in your code 3. Launch and use the app going through the various workflows while inputting sensitive data wherever you can. Taking note of the data you input can help identify it later using tools to search for it. -3. Take a copy of the app's private data directory for offline analysis. See: https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0008. +4. Take a second copy of the app's private data directory for offline analysis and make a diff using the first copy to identify all files created or modify during your testing session. -4. Attempt to identify and decode data that has been encoded using methods such as base64 encoding, hexadecimal representation, URL encoding, escape sequences, wide characters and common data obfuscation methods such as xoring. Also consider identifying and decompressing compressed files such as tar or zip. These methods obscure but do not protect sensitive data. +5. Attempt to identify and decode data that has been encoded using methods such as base64 encoding, hexadecimal representation, URL encoding, escape sequences, wide characters and common data obfuscation methods such as xoring. Also consider identifying and decompressing compressed files such as tar or zip. These methods obscure but do not protect sensitive data. ## Observation From ef9cd34eb324bb03291433556bbc38abdc564c90 Mon Sep 17 00:00:00 2001 
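Review bot: step 4 has a grammar slip: "all files created or modify during your testing session" should read "created or modified". Since the diff of the two copies also surfaces modified files, the Observation text should say "created or modified" as well, so testers do not ignore an existing shared preferences or database file that gained sensitive content during the session.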
From: Thomas Cannon Date: Tue, 9 Jul 2024 13:52:47 +0100 Subject: [PATCH 37/52] [MASWE-0006] Sensitive Data Stored Unencrypted in Private Storage Locations Fixes #2544 --- .../data-unencrypted-internal/android-data-in-sandbox/test.md | 0 .../1-secure-data-storage/data-unencrypted-internal/weakness.md | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename {risks/MASVS-STORAGE/1-store-sensitive-data-securely => weaknesses/MASVS-STORAGE/1-secure-data-storage}/data-unencrypted-internal/android-data-in-sandbox/test.md (100%) rename risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md => weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/weakness.md (100%) diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/test.md similarity index 100% rename from risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/android-data-in-sandbox/test.md rename to weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/test.md diff --git a/risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/weakness.md similarity index 100% rename from risks/MASVS-STORAGE/1-store-sensitive-data-securely/data-unencrypted-internal/risk.md rename to weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/weakness.md From 1a6ec8f214077bf49f084a9a5e3f82c3e4ce6718 Mon Sep 17 00:00:00 2001 
From: Thomas Cannon Date: Tue, 9 Jul 2024 13:53:46 +0100 Subject: [PATCH 38/52] Move to new MASWE structure --- .../demo-1/MastgTest.kt | 36 ++++++++++++++++++ .../android-data-in-sandbox/demo-1/demo.md | 38 +++++++++++++++++++ .../demo-1/new_files/secret.txt | 1 + .../android-data-in-sandbox/demo-1/output.txt | 1 + .../demo-1/run_after.sh | 10 +++++ .../demo-1/run_before.sh | 6 +++ .../android-data-in-sandbox/test.md | 10 ++--- .../data-unencrypted-internal/weakness.md | 10 ++--- 8 files changed, 101 insertions(+), 11 deletions(-) create mode 100644 weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/MastgTest.kt create mode 100644 weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/demo.md create mode 100644 weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/new_files/secret.txt create mode 100644 weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/output.txt create mode 100755 weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/run_after.sh create mode 100755 weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/run_before.sh diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/MastgTest.kt b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/MastgTest.kt new file mode 100644 index 0000000000..39c04d5333 --- /dev/null +++ b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/MastgTest.kt 
@@ -0,0 +1,36 @@ +package org.owasp.mastestapp + +import android.content.Context +import android.util.Log +import java.io.File +import java.io.FileOutputStream +import java.io.IOException +import android.content.ContentValues +import android.os.Environment +import android.provider.MediaStore +import java.io.OutputStream + +class MastgTest (private val context: Context){ + + fun mastgTest(): String { + mastgTestWriteIntFile() + return "SUCCESS!!\n\nFile has been written to internal files dir" + } + + fun mastgTestWriteIntFile() { + val internalStorageDir = context.getFilesDir(null) + val fileName = File(externalStorageDir, "secret.txt") + val fileContent = "secr3tPa$$W0rd\n" + + try { + FileOutputStream(fileName).use { output -> + output.write(fileContent.toByteArray()) + Log.d("WriteInternalStorage", "File written to internal storage successfully.") + } + } catch (e: IOException) { + Log.e("WriteInternalStorage", "Error writing file to internal storage", e) + } + } + +} + diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/demo.md b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/demo.md new file mode 100644 index 0000000000..905b9f6cee --- /dev/null +++ b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/demo.md 
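Review bot: this file will not compile as written. `context.getFilesDir(null)` passes an argument to `Context.getFilesDir()`, which takes none (the `null` argument belongs to `getExternalFilesDir`); `File(externalStorageDir, "secret.txt")` references an undefined variable and should use `internalStorageDir`; and `"secr3tPa$$W0rd\n"` contains `$W0rd`, which Kotlin parses as a string template for a non-existent identifier `W0rd`, so escape both dollar signs (`\$\$`) to get the literal password that `new_files/secret.txt` expects. The imports `ContentValues`, `Environment`, `MediaStore` and `OutputStream` are unused leftovers from an external-storage sample and should be removed.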
@@ -0,0 +1,38 @@ +--- +platform: android +title: File System Snapshots from Internal Storage +tools: [adb] +code: [kotlin] +--- + +### Sample + +The snippet below shows sample code that creates a file on the internal storage using the `getFilesDir` method. + +{{ MastgTest.kt }} + +### Steps + +1. Install an app on your device. +2. Execute `run_before.sh`. +3. Open an app and exercise it to trigger file creations. +4. Execute `run_after.sh`. +5. Close the app once you finish testing. + +{{ run_before.sh # run_after.sh }} + +### Observation + +There is a list of all created files inside `output.txt`. + +{{ output.txt }} + +Their content is inside the `./new_files/` directory and contains: + +A password: + +{{ new_files/secret.txt }} + +### Evaluation + +This test fails because the file is not encrypted and contains sensitive data (a password). You can further confirm this by reverse engineering the app and inspecting the code. diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/new_files/secret.txt b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/new_files/secret.txt new file mode 100644 index 0000000000..f5d3c92de6 --- /dev/null +++ b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/new_files/secret.txt @@ -0,0 +1 @@ +secr3tPa$$W0rd \ No newline at end of file diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/output.txt b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/output.txt new file mode 100644 index 0000000000..55e6205ba0 --- /dev/null +++ b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/output.txt @@ -0,0 +1 @@ +/data/user/0/org.owasp.mastestapp/files/secret.txt 
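Review bot: in Steps, "Install an app" and "Open an app" should be "the app" (the MASTG test app whose `MastgTest.kt` is shown above). The Sample text says the file is created with `getFilesDir`, so keep it consistent with the Kotlin code once that is fixed. Also `new_files/secret.txt` is committed without a trailing newline while the code writes `"...\n"`, so a real run of the scripts yields a slightly different file from the one checked in.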
diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/run_after.sh b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/run_after.sh new file mode 100755 index 0000000000..e2ecb93f13 --- /dev/null +++ b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/run_after.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +# SUMMARY: List all files created after the creation date of a file created in run_before + +adb shell "find /data/user/0/org.owasp.mastestapp/ -type f -newer /data/local/tmp/test_start" > output.txt +adb shell "rm /data/local/tmp/test_start" +mkdir -p new_files +while read -r line; do + adb pull "$line" ./new_files/ +done < output.txt diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/run_before.sh b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/run_before.sh new file mode 100755 index 0000000000..a29096474f --- /dev/null +++ b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/run_before.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +# SUMMARY: This script creates a dummy file to mark a timestamp that we can use later +# on to identify files created while the app was being exercised + +adb shell "touch /data/local/tmp/test_start" diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/test.md b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/test.md index 8bd05fe34d..45013a659d 100644 --- a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/test.md +++ b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/test.md 
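Review bot: `run_after.sh` uses `find ... -newer` against the marker, so it lists files modified as well as created, but its SUMMARY comment and demo.md talk only about "created" files; say "created or modified". Two robustness points: `adb pull "$line" ./new_files/` flattens every result into one directory, so two files with the same basename under different subdirectories (say `shared_prefs/` and `databases/`) overwrite each other; mirror the source path instead (`mkdir -p "new_files/$(dirname "$line")"` before the pull). And both scripts assume a rooted device or `adb root`, since `/data/user/0/org.owasp.mastestapp/` is not readable by the shell user; state that precondition in `run_before.sh`. Deleting the marker before the pull loop also means a failed pull cannot simply be re-run; move the `rm` to the end.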
@@ -11,9 +11,7 @@ prerequisites: ## Overview -Android apps use a variety of APIs to write data to internal storage. If you only need to inspect the list of created/modified files and their contents, the most effective approach is a snapshot-based approach like the one used in this test. - -This has the limitation that you won't know the APIs and locations in your code that are responsible; if you need to know, you should rather follow a dynamic analysis approach based on method tracing. +The goal of this test is to retrieve the files written to the external storage and inspect them regardless of the APIs used to write them. It uses a simple approach based on [file retrieval from the device storage](/MASTG/techniques/android/MASTG-TECH-0002) before and after the app is exercised to identify the files created during the app's execution and to check if they contain sensitive data. ## Steps 
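Review bot: The new Overview says the test retrieves "the files written to the external storage", but this test covers the app's private data directory (internal storage), as its title and steps say; change it to "internal storage" here rather than in a later fix-up commit. The hunk also drops the previous caveat that a snapshot-based approach does not tell you which APIs or code locations wrote the files and that method tracing is the approach to use when that matters; that sentence is still true of the new text and is worth keeping.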
@@ -25,12 +23,12 @@ This has the limitation that you won't know the APIs and locations in your code 4. Take a second copy of the app's private data directory for offline analysis and make a diff using the first copy to identify all files created or modify during your testing session. -5. Attempt to identify and decode data that has been encoded using methods such as base64 encoding, hexadecimal representation, URL encoding, escape sequences, wide characters and common data obfuscation methods such as xoring. Also consider identifying and decompressing compressed files such as tar or zip. These methods obscure but do not protect sensitive data. - ## Observation -Data extracted from the app's private data directory which has been decompressed, decoded or deobfuscated where required. +The output should contain a list of files that were created in the app's private storage during execution. ## Evaluation +Attempt to identify and decode data that has been encoded using methods such as base64 encoding, hexadecimal representation, URL encoding, escape sequences, wide characters and common data obfuscation methods such as xoring. Also consider identifying and decompressing compressed files such as tar or zip. These methods obscure but do not protect sensitive data. + Search the extracted data for items such as keys, passwords and any sensitive data inputted into the app. The test case fails if you find any of this sensitive data. diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/weakness.md b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/weakness.md index 6f450116c3..f0c221bfaa 100644 --- a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/weakness.md +++ b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/weakness.md 
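Review bot: The new Observation describes only "a list of files", but the Evaluation that follows asks the tester to decode and search the files' contents, so the Observation should also state that the files themselves are extracted for inspection (the removed text said this). While editing this section, the unchanged step 4 context line has a typo, "created or modify", which should read "created or modified".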
@@ -7,9 +7,9 @@ mappings: masvs-v1: [MSTG-STORAGE-2] masvs-v2: [MASVS-STORAGE-1, MASVS-CRYPTO-2] mastg-v1: [MASTG-TEST-0052, MASTG-TEST-0001] -refs: - - https://developer.android.com/privacy-and-security/risks/backup-leaks#risk:-storing-sensitive-data-unencrypted - - https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files + cwe: [311] + android: https://developer.android.com/privacy-and-security/risks/backup-leaks#risk:-storing-sensitive-data-unencrypted + ios: https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files --- ## Overview @@ -31,6 +31,6 @@ Mobile apps may need to store sensitive data locally within private storage loca ## Mitigations -- Avoid storing sensitive data locally if not required for application functionality helps reduce the scope for risks. For example keeping PII server-side, rendering it at time of use, and removing any cached data on logout. -- Use the platform's hardware-backed keystore solution to store the key used for encryption. +- Avoid storing sensitive data locally if not required for application functionality to reduce the likelihood and impact of this weakness. For example keeping PII server-side, rendering it at time of use, and removing any cached data on logout. +- Use the platform's hardware-backed keystore solution to store keys used for encryption. - Use platform features for encrypting data at rest to safely store files and preferences. From 000aadb67d6fc1d81c8980f237fa7f87d6ab85d6 Mon Sep 17 00:00:00 2001 
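Review bot: The `android:` and `ios:` entries added under `mappings:` are reference URLs, not standard mappings like `masvs-v2` or `cwe`, so they belong with the other references; keep the `refs:` list (or, if platform-specific references are wanted, nest `android:`/`ios:` under `refs:`) instead of removing it. Mixing both kinds of value under `mappings:` will confuse any tooling that reads the front matter.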
From: Thomas Cannon Date: Tue, 9 Jul 2024 15:20:14 +0100 Subject: [PATCH 39/52] Renamed to private-storage --- .../android-data-in-sandbox/demo-1/MastgTest.kt | 0 .../android-data-in-sandbox/demo-1/demo.md | 0 .../android-data-in-sandbox/demo-1/new_files/secret.txt | 0 .../android-data-in-sandbox/demo-1/output.txt | 0 .../android-data-in-sandbox/demo-1/run_after.sh | 0 .../android-data-in-sandbox/demo-1/run_before.sh | 0 .../android-data-in-sandbox/test.md | 0 .../weakness.md | 0 8 files changed, 0 insertions(+), 0 deletions(-) rename weaknesses/MASVS-STORAGE/1-secure-data-storage/{data-unencrypted-internal => data-unencrypted-private-storage}/android-data-in-sandbox/demo-1/MastgTest.kt (100%) rename weaknesses/MASVS-STORAGE/1-secure-data-storage/{data-unencrypted-internal => data-unencrypted-private-storage}/android-data-in-sandbox/demo-1/demo.md (100%) rename weaknesses/MASVS-STORAGE/1-secure-data-storage/{data-unencrypted-internal => data-unencrypted-private-storage}/android-data-in-sandbox/demo-1/new_files/secret.txt (100%) rename weaknesses/MASVS-STORAGE/1-secure-data-storage/{data-unencrypted-internal => data-unencrypted-private-storage}/android-data-in-sandbox/demo-1/output.txt (100%) rename weaknesses/MASVS-STORAGE/1-secure-data-storage/{data-unencrypted-internal => data-unencrypted-private-storage}/android-data-in-sandbox/demo-1/run_after.sh (100%) rename weaknesses/MASVS-STORAGE/1-secure-data-storage/{data-unencrypted-internal => data-unencrypted-private-storage}/android-data-in-sandbox/demo-1/run_before.sh (100%) rename weaknesses/MASVS-STORAGE/1-secure-data-storage/{data-unencrypted-internal => data-unencrypted-private-storage}/android-data-in-sandbox/test.md (100%) rename weaknesses/MASVS-STORAGE/1-secure-data-storage/{data-unencrypted-internal => data-unencrypted-private-storage}/weakness.md (100%) 
diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/MastgTest.kt b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/MastgTest.kt similarity index 100% rename from weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/MastgTest.kt rename to weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/MastgTest.kt diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/demo.md b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/demo.md similarity index 100% rename from weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/demo.md rename to weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/demo.md diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/new_files/secret.txt b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/new_files/secret.txt similarity index 100% rename from weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/new_files/secret.txt rename to weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/new_files/secret.txt 
diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/output.txt b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/output.txt similarity index 100% rename from weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/output.txt rename to weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/output.txt diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/run_after.sh b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/run_after.sh similarity index 100% rename from weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/run_after.sh rename to weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/run_after.sh diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/run_before.sh b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/run_before.sh similarity index 100% rename from weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/demo-1/run_before.sh rename to weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/run_before.sh 
diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/test.md b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/test.md similarity index 100% rename from weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/android-data-in-sandbox/test.md rename to weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/test.md diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/weakness.md b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/weakness.md similarity index 100% rename from weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/weakness.md rename to weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/weakness.md From 4dccaaec9e4c8b932dd814d9d095231dde89829f Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 9 Jul 2024 15:21:51 +0100 Subject: [PATCH 40/52] Update test title --- .../android-data-in-sandbox/test.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/test.md b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/test.md index 45013a659d..234ca731c5 100644 --- a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/test.md +++ b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/test.md @@ -1,6 +1,6 @@ --- platform: android -title: Sensitive Data Written to Private Data Directory (Sandbox) Unencrypted +title: Data Stored in the App Sandbox at Runtime type: [dynamic, filesystem] mitigations: - android-use-keystore From 1c4ecf2392c48f6ae42db1f849cfbad23d5a5bc1 Mon Sep 17 00:00:00 2001 
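Review bot: The new title "Data Stored in the App Sandbox at Runtime" no longer conveys the failure condition the Evaluation checks for (sensitive data left unencrypted); consider keeping "Sensitive" or "Unencrypted" in the title so the test can be recognised from the index.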
From: Thomas Cannon Date: Tue, 9 Jul 2024 15:38:29 +0100 Subject: [PATCH 41/52] Update refs --- .../data-unencrypted-internal/weakness.md | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/weakness.md diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/weakness.md b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/weakness.md new file mode 100644 index 0000000000..ad5ee53e7e --- /dev/null +++ b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/weakness.md 
@@ -0,0 +1,37 @@ +--- +title: Sensitive Data Stored Unencrypted in Private Storage Locations +alias: data-unencrypted-private-storage +platform: [android, ios] +profiles: [L2] +mappings: + masvs-v1: [MSTG-STORAGE-2] + masvs-v2: [MASVS-STORAGE-1, MASVS-CRYPTO-2] + mastg-v1: [MASTG-TEST-0052, MASTG-TEST-0001] + cwe: [311] + android: https://developer.android.com/privacy-and-security/risks/backup-leaks#risk:-storing-sensitive-data-unencrypted +refs: + - https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files +--- + +## Overview + +Mobile apps may need to store sensitive data locally within private storage locations such as the application sandbox and this data is at risk of exposure via, for example, incorrect file permissions, an app vulnerability, device vulnerability or data backup mechanisms. + +[Sensitive data](../../../../prerequisites/identify-sensitive-data.md "Sensitive Data") may include personally identifiable information (PII), passwords, cryptographic keys or session tokens. + +## Impact + +- **Loss of Confidentiality**: Under the right conditions an attacker could extract sensitive data stored internally within the application sandbox leading to loss of confidentiality and enable further attacks such as identity theft or account takeover. + +## Modes of Introduction + +- **Data Stored Unencrypted**: Sensitive data is written to the app's private data directory (sandbox) unencrypted. +- **Hardcoded Encryption Key**: Sensitive data is encrypted but the key is hardcoded inside the application. +- **Encryption Key Stored on Filesystem**: Sensitive data is encrypted but the key is stored alongside it or in another easily accessible location. +- **Encryption Used is Insufficient**: Sensitive data is encrypted but the encryption is not considered to be strong. 
+ +## Mitigations + +- Avoid storing sensitive data locally if not required for application functionality to reduce the likelihood and impact of this weakness. For example keeping PII server-side, rendering it at time of use, and removing any cached data on logout. +- Use the platform's hardware-backed keystore solution to store keys used for encryption. +- Use platform features for encrypting data at rest to safely store files and preferences. From 265467e54a5fec96aca2137b083a34d67bd60c88 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Tue, 9 Jul 2024 15:50:39 +0100 Subject: [PATCH 42/52] Fix refs --- .../data-unencrypted-internal/weakness.md | 37 ------------------- .../weakness.md | 3 +- 2 files changed, 2 insertions(+), 38 deletions(-) delete mode 100644 weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/weakness.md diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/weakness.md b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/weakness.md deleted file mode 100644 index ad5ee53e7e..0000000000 --- a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-internal/weakness.md +++ /dev/null 
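Review bot: This commit creates `weakness.md` under the old `data-unencrypted-internal/` path, which PATCH 39 had just renamed to `data-unencrypted-private-storage/`, so the repository briefly contains two copies of the weakness with different front matter. The intended change (moving the iOS URL into `refs:`) should be applied to the renamed file, and this commit squashed with the following "Fix refs" commit that deletes the stray copy.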
@@ -1,37 +0,0 @@ ---- -title: Sensitive Data Stored Unencrypted in Private Storage Locations -alias: data-unencrypted-private-storage -platform: [android, ios] -profiles: [L2] -mappings: - masvs-v1: [MSTG-STORAGE-2] - masvs-v2: [MASVS-STORAGE-1, MASVS-CRYPTO-2] - mastg-v1: [MASTG-TEST-0052, MASTG-TEST-0001] - cwe: [311] - android: https://developer.android.com/privacy-and-security/risks/backup-leaks#risk:-storing-sensitive-data-unencrypted -refs: - - https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files ---- - -## Overview - -Mobile apps may need to store sensitive data locally within private storage locations such as the application sandbox and this data is at risk of exposure via, for example, incorrect file permissions, an app vulnerability, device vulnerability or data backup mechanisms. - -[Sensitive data](../../../../prerequisites/identify-sensitive-data.md "Sensitive Data") may include personally identifiable information (PII), passwords, cryptographic keys or session tokens. - -## Impact - -- **Loss of Confidentiality**: Under the right conditions an attacker could extract sensitive data stored internally within the application sandbox leading to loss of confidentiality and enable further attacks such as identity theft or account takeover. - -## Modes of Introduction - -- **Data Stored Unencrypted**: Sensitive data is written to the app's private data directory (sandbox) unencrypted. -- **Hardcoded Encryption Key**: Sensitive data is encrypted but the key is hardcoded inside the application. -- **Encryption Key Stored on Filesystem**: Sensitive data is encrypted but the key is stored alongside it or in another easily accessible location. -- **Encryption Used is Insufficient**: Sensitive data is encrypted but the encryption is not considered to be strong. 
- -## Mitigations - -- Avoid storing sensitive data locally if not required for application functionality to reduce the likelihood and impact of this weakness. For example keeping PII server-side, rendering it at time of use, and removing any cached data on logout. -- Use the platform's hardware-backed keystore solution to store keys used for encryption. -- Use platform features for encrypting data at rest to safely store files and preferences. diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/weakness.md b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/weakness.md index f0c221bfaa..ad5ee53e7e 100644 --- a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/weakness.md +++ b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/weakness.md @@ -9,7 +9,8 @@ mappings: mastg-v1: [MASTG-TEST-0052, MASTG-TEST-0001] cwe: [311] android: https://developer.android.com/privacy-and-security/risks/backup-leaks#risk:-storing-sensitive-data-unencrypted - ios: https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files +refs: + - https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files --- ## Overview From 8aaf9610d21625b1f0252dd073a33374454ba614 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Wed, 10 Jul 2024 13:00:03 +0100 Subject: [PATCH 43/52] Update weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/test.md Co-authored-by: Carlos Holguera --- .../android-data-in-sandbox/test.md | 1 + 1 file changed, 1 insertion(+) diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/test.md b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/test.md index 234ca731c5..857bdd8b72 100644 
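Review bot: After this fix the iOS URL lives under `refs:` while the Android URL for the same purpose still sits under `mappings: android:`; treat both the same way (both under `refs:`) so the front matter is consistent across weaknesses.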
--- a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/test.md +++ b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/test.md @@ -1,6 +1,7 @@ --- platform: android title: Data Stored in the App Sandbox at Runtime +id: MASTG-TEST-0207 type: [dynamic, filesystem] mitigations: - android-use-keystore From d8021ac818eec0437867e39e30e225d8061a93eb Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Wed, 10 Jul 2024 13:39:11 +0100 Subject: [PATCH 44/52] Update weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/demo.md Co-authored-by: Carlos Holguera --- .../android-data-in-sandbox/demo-1/demo.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/demo.md b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/demo.md index 905b9f6cee..8a34bc3928 100644 --- a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/demo.md +++ b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/demo.md @@ -1,6 +1,7 @@ --- platform: android -title: File System Snapshots from Internal Storage +title: File System Snapshots from Internal Storage +id: MASTG-DEMO-0010 tools: [adb] code: [kotlin] --- From 018cee37d9319e7e6b02246fb44d43151ccb18fb Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Wed, 10 Jul 2024 13:39:24 +0100 Subject: [PATCH 45/52] Update weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/weakness.md Co-authored-by: Carlos Holguera --- .../data-unencrypted-private-storage/weakness.md | 1 + 1 file changed, 1 insertion(+) 
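Review bot: In the `demo.md` hunk the removed and added `title:` lines are textually identical, so this is a whitespace-only change (most likely trailing whitespace); if that is intentional it is fine, otherwise the line should not appear in the diff, and the commit message should say the change is the added `id: MASTG-DEMO-0010`.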
diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/weakness.md b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/weakness.md index ad5ee53e7e..535f399a1e 100644 --- a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/weakness.md +++ b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/weakness.md @@ -1,5 +1,6 @@ --- title: Sensitive Data Stored Unencrypted in Private Storage Locations +id: MASWE-0006 alias: data-unencrypted-private-storage platform: [android, ios] profiles: [L2] From 701dd45f1d07ad35dab78cee427eee8353e831ca Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Wed, 10 Jul 2024 13:41:38 +0100 Subject: [PATCH 46/52] Update weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/MastgTest.kt Co-authored-by: Carlos Holguera --- .../android-data-in-sandbox/demo-1/MastgTest.kt | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/MastgTest.kt b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/MastgTest.kt index 39c04d5333..ffbda12fce 100644 --- a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/MastgTest.kt +++ b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/MastgTest.kt @@ -5,10 +5,6 @@ import android.util.Log import java.io.File import java.io.FileOutputStream import java.io.IOException -import android.content.ContentValues -import android.os.Environment -import android.provider.MediaStore -import java.io.OutputStream class MastgTest (private val context: Context){ 
@@ -16,11 +12,11 @@ class MastgTest (private val context: Context){ mastgTestWriteIntFile() return "SUCCESS!!\n\nFile has been written to internal files dir" } - - fun mastgTestWriteIntFile() { - val internalStorageDir = context.getFilesDir(null) - val fileName = File(externalStorageDir, "secret.txt") - val fileContent = "secr3tPa$$W0rd\n" + + private fun mastgTestWriteIntFile() { + val internalStorageDir = context.filesDir + val fileName = File(internalStorageDir, "secret.txt") + val fileContent = "secr3tPa\$\$W0rd\n" try { FileOutputStream(fileName).use { output -> From 4914a0f319e0e2ab1942a3b573b30652f600c4b4 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Wed, 10 Jul 2024 13:45:16 +0100 Subject: [PATCH 47/52] Update weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/weakness.md Co-authored-by: Carlos Holguera --- .../data-unencrypted-private-storage/weakness.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/weakness.md b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/weakness.md index 535f399a1e..df15faa225 100644 --- a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/weakness.md +++ b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/weakness.md 
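Review bot: The corrected `fileContent = "secr3tPa\$\$W0rd\n"` writes a trailing newline, but the committed fixture `new_files/secret.txt` is recorded with "No newline at end of file", so the fixture no longer matches what the sample code produces; regenerate the fixture from a real run or drop the `\n`. The `$` escaping itself is needed, since an unescaped `$W0rd` would be parsed as a string template, and `context.filesDir` plus the `internalStorageDir` reference fix the two compile errors in the previous version. Small naming nit: `fileName` holds a `File`, so `secretFile` would read better.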
@@ -34,5 +34,5 @@ Mobile apps may need to store sensitive data locally within private storage loca ## Mitigations - Avoid storing sensitive data locally if not required for application functionality to reduce the likelihood and impact of this weakness. For example keeping PII server-side, rendering it at time of use, and removing any cached data on logout. -- Use the platform's hardware-backed keystore solution to store keys used for encryption. -- Use platform features for encrypting data at rest to safely store files and preferences. +- Store cryptographic keys exclusively using the platform's hardware-backed keystore solution, such as the Android Keystore or the iOS Keychain. +- For storing other files and preferences, use platform-provided features for encrypting data at rest or other techniques implementing envelope encryption with Data Encryption Keys (DEK) and Key Encryption Keys (KEK) or equivalent methods. For example, on Android, use [EncryptedFile](https://developer.android.com/reference/androidx/security/crypto/EncryptedFile) or [EncryptedSharedPreferences](https://developer.android.com/reference/androidx/security/crypto/EncryptedSharedPreferences); on iOS, use [iOS Data Protection](https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files). From 6e501fbe4c1ad85736c33597fb4bd3e174804594 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Wed, 10 Jul 2024 14:39:20 +0100 Subject: [PATCH 48/52] Update weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/test.md Co-authored-by: Carlos Holguera --- .../android-data-in-sandbox/test.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/test.md b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/test.md index 857bdd8b72..d8d1c1370e 100644 
--- a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/test.md +++ b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/test.md @@ -12,7 +12,7 @@ prerequisites: ## Overview -The goal of this test is to retrieve the files written to the external storage and inspect them regardless of the APIs used to write them. It uses a simple approach based on [file retrieval from the device storage](/MASTG/techniques/android/MASTG-TECH-0002) before and after the app is exercised to identify the files created during the app's execution and to check if they contain sensitive data. +The goal of this test is to retrieve the files written to the **internal storage** and inspect them regardless of the APIs used to write them. It uses a simple approach based on [file retrieval from the device storage](/MASTG/techniques/android/MASTG-TECH-0002) before and after the app is exercised to identify the files created during the app's execution and to check if they contain sensitive data. ## Steps From 35fadaa18af68481db9e97b40b4214c36a4f575b Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Wed, 10 Jul 2024 14:39:42 +0100 Subject: [PATCH 49/52] Update weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/demo.md Co-authored-by: Carlos Holguera --- .../android-data-in-sandbox/demo-1/demo.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/demo.md b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/demo.md index 8a34bc3928..2fd6a2559a 100644 --- a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/demo.md 
+++ b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/demo.md @@ -34,6 +34,8 @@ A password: {{ new_files/secret.txt }} +The file was created in `/data/user/0/org.owasp.mastestapp/files/` which is equivalent to `/data/data/org.owasp.mastestapp/files/`. + ### Evaluation This test fails because the file is not encrypted and contains sensitive data (a password). You can further confirm this by reverse engineering the app and inspecting the code. From d639c5478bad64ec11086146e436d490c1e93697 Mon Sep 17 00:00:00 2001 From: Thomas Cannon Date: Wed, 10 Jul 2024 14:40:23 +0100 Subject: [PATCH 50/52] Update weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/demo.md Co-authored-by: Carlos Holguera --- .../android-data-in-sandbox/demo-1/demo.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/demo.md b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/demo.md index 2fd6a2559a..8ff795a0a6 100644 --- a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/demo.md +++ b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/demo.md @@ -8,7 +8,7 @@ code: [kotlin] ### Sample -The snippet below shows sample code that creates a file on the internal storage using the `getFilesDir` method. +The snippet below shows sample code that creates a file on the **internal storage** using using the [`filesDir`](https://developer.android.com/reference/android/content/Context#getFilesDir()) property of the context object. {{ MastgTest.kt }} From 3fb0799e305211e04cc4d29846dbedbdbb5aea8c Mon Sep 17 00:00:00 2001 
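Review bot: The rewritten Sample sentence contains the duplicated word "using using"; it should read "creates a file on the **internal storage** using the `filesDir` property". The link target ends in `getFilesDir()`, and the parentheses inside a markdown link destination are handled by CommonMark only when balanced, so check that the site build renders it (URL-encoding them as `%28%29` is the safe form).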
From: Thomas Cannon Date: Wed, 10 Jul 2024 15:15:48 +0100 Subject: [PATCH 51/52] Rename files and move to new flat structure --- .../MASTG-DEMO-0010/MASTG-DEMO-0010.md | 0 .../MASTG-DEMO-0010}/MastgTest.kt | 0 .../MASTG-DEMO-0010}/new_files/secret.txt | 0 .../MASVS-STORAGE/MASTG-DEMO-0010}/output.txt | 0 .../MASTG-DEMO-0010}/run_after.sh | 0 .../MASTG-DEMO-0010}/run_before.sh | 0 .../android/MASVS-STORAGE/MASTG-TEST-0207.md | 2 +- .../weakness.md | 38 ----------------- weaknesses/MASVS-STORAGE/MASWE-0006.md | 41 ++++++++++++------- 9 files changed, 28 insertions(+), 53 deletions(-) rename weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/demo.md => demos/android/MASVS-STORAGE/MASTG-DEMO-0010/MASTG-DEMO-0010.md (100%) rename {weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1 => demos/android/MASVS-STORAGE/MASTG-DEMO-0010}/MastgTest.kt (100%) rename {weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1 => demos/android/MASVS-STORAGE/MASTG-DEMO-0010}/new_files/secret.txt (100%) rename {weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1 => demos/android/MASVS-STORAGE/MASTG-DEMO-0010}/output.txt (100%) rename {weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1 => demos/android/MASVS-STORAGE/MASTG-DEMO-0010}/run_after.sh (100%) rename {weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1 => demos/android/MASVS-STORAGE/MASTG-DEMO-0010}/run_before.sh (100%) rename weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/test.md => tests/android/MASVS-STORAGE/MASTG-TEST-0207.md (91%) delete mode 100644 
weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/weakness.md diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/demo.md b/demos/android/MASVS-STORAGE/MASTG-DEMO-0010/MASTG-DEMO-0010.md similarity index 100% rename from weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/demo.md rename to demos/android/MASVS-STORAGE/MASTG-DEMO-0010/MASTG-DEMO-0010.md diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/MastgTest.kt b/demos/android/MASVS-STORAGE/MASTG-DEMO-0010/MastgTest.kt similarity index 100% rename from weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/MastgTest.kt rename to demos/android/MASVS-STORAGE/MASTG-DEMO-0010/MastgTest.kt diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/new_files/secret.txt b/demos/android/MASVS-STORAGE/MASTG-DEMO-0010/new_files/secret.txt similarity index 100% rename from weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/new_files/secret.txt rename to demos/android/MASVS-STORAGE/MASTG-DEMO-0010/new_files/secret.txt diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/output.txt b/demos/android/MASVS-STORAGE/MASTG-DEMO-0010/output.txt similarity index 100% rename from weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/output.txt rename to demos/android/MASVS-STORAGE/MASTG-DEMO-0010/output.txt 
diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/run_after.sh b/demos/android/MASVS-STORAGE/MASTG-DEMO-0010/run_after.sh similarity index 100% rename from weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/run_after.sh rename to demos/android/MASVS-STORAGE/MASTG-DEMO-0010/run_after.sh diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/run_before.sh b/demos/android/MASVS-STORAGE/MASTG-DEMO-0010/run_before.sh similarity index 100% rename from weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/demo-1/run_before.sh rename to demos/android/MASVS-STORAGE/MASTG-DEMO-0010/run_before.sh diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/test.md b/tests/android/MASVS-STORAGE/MASTG-TEST-0207.md similarity index 91% rename from weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/test.md rename to tests/android/MASVS-STORAGE/MASTG-TEST-0207.md index d8d1c1370e..319a8b287d 100644 --- a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/android-data-in-sandbox/test.md +++ b/tests/android/MASVS-STORAGE/MASTG-TEST-0207.md 
@@ -18,7 +18,7 @@ The goal of this test is to retrieve the files written to the **internal storage 1. Start the device. -2. Take a first [copy of the app's private data directory](../../../../../techniques/android/MASTG-TECH-0008.md) to have as a reference for offline analysis. +2. Take a first [copy of the app's private data directory](/MASTG/techniques/android/MASTG-TECH-0008.md) to have as a reference for offline analysis. 3. Launch and use the app going through the various workflows while inputting sensitive data wherever you can. Taking note of the data you input can help identify it later using tools to search for it. diff --git a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/weakness.md b/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/weakness.md deleted file mode 100644 index df15faa225..0000000000 --- a/weaknesses/MASVS-STORAGE/1-secure-data-storage/data-unencrypted-private-storage/weakness.md +++ /dev/null 
@@ -1,38 +0,0 @@ ---- -title: Sensitive Data Stored Unencrypted in Private Storage Locations -id: MASWE-0006 -alias: data-unencrypted-private-storage -platform: [android, ios] -profiles: [L2] -mappings: - masvs-v1: [MSTG-STORAGE-2] - masvs-v2: [MASVS-STORAGE-1, MASVS-CRYPTO-2] - mastg-v1: [MASTG-TEST-0052, MASTG-TEST-0001] - cwe: [311] - android: https://developer.android.com/privacy-and-security/risks/backup-leaks#risk:-storing-sensitive-data-unencrypted -refs: - - https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files ---- - -## Overview - -Mobile apps may need to store sensitive data locally within private storage locations such as the application sandbox and this data is at risk of exposure via, for example, incorrect file permissions, an app vulnerability, device vulnerability or data backup mechanisms. - -[Sensitive data](../../../../prerequisites/identify-sensitive-data.md "Sensitive Data") may include personally identifiable information (PII), passwords, cryptographic keys or session tokens. - -## Impact - -- **Loss of Confidentiality**: Under the right conditions an attacker could extract sensitive data stored internally within the application sandbox leading to loss of confidentiality and enable further attacks such as identity theft or account takeover. - -## Modes of Introduction - -- **Data Stored Unencrypted**: Sensitive data is written to the app's private data directory (sandbox) unencrypted. -- **Hardcoded Encryption Key**: Sensitive data is encrypted but the key is hardcoded inside the application. -- **Encryption Key Stored on Filesystem**: Sensitive data is encrypted but the key is stored alongside it or in another easily accessible location. -- **Encryption Used is Insufficient**: Sensitive data is encrypted but the encryption is not considered to be strong. 
- -## Mitigations - -- Avoid storing sensitive data locally if not required for application functionality to reduce the likelihood and impact of this weakness. For example keeping PII server-side, rendering it at time of use, and removing any cached data on logout. -- Store cryptographic keys exclusively using the platform's hardware-backed keystore solution, such as the Android Keystore or the iOS Keychain. -- For storing other files and preferences, use platform-provided features for encrypting data at rest or other techniques implementing envelope encryption with Data Encryption Keys (DEK) and Key Encryption Keys (KEK) or equivalent methods. For example, on Android, use [EncryptedFile](https://developer.android.com/reference/androidx/security/crypto/EncryptedFile) or [EncryptedSharedPreferences](https://developer.android.com/reference/androidx/security/crypto/EncryptedSharedPreferences); on iOS, use [iOS Data Protection](https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files). diff --git a/weaknesses/MASVS-STORAGE/MASWE-0006.md b/weaknesses/MASVS-STORAGE/MASWE-0006.md index 8f88ad19a2..d173605ba0 100644 --- a/weaknesses/MASVS-STORAGE/MASWE-0006.md +++ b/weaknesses/MASVS-STORAGE/MASWE-0006.md 
@@ -7,20 +7,33 @@ profiles: [L2] mappings: masvs-v1: [MSTG-STORAGE-2] masvs-v2: [MASVS-STORAGE-1, MASVS-CRYPTO-2] + mastg-v1: [MASTG-TEST-0052, MASTG-TEST-0001] + cwe: [311] + android: https://developer.android.com/privacy-and-security/risks/backup-leaks#risk:-storing-sensitive-data-unencrypted +refs: + - https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files +status: new +--- -draft: - description: Sensitive data may be stored in internal locations without encryption - and may be accessible to other apps under certain conditions. - topics: - - envelope encryption (DEK+KEK) or equivalent (Android) - - Android Security Lib usage (EncryptedFile/EncryptedSharedPreferences) (Android) - - Don't roll your own storage encryption, use platform provided APIs EncryptedFile/EncryptedSharedPreferences. - (Android) - - iOS KeyChain DataProtection classes (iOS) - - envelope encryption (DEK+KEK) or equivalent (iOS) - - sensitive data must not encoded (e.g. base64, simple bit operations such as XOR - or bit flipping) instead of encrypted -status: draft +## Overview ---- +Mobile apps may need to store sensitive data locally within private storage locations such as the application sandbox and this data is at risk of exposure via, for example, incorrect file permissions, an app vulnerability, device vulnerability or data backup mechanisms. + +[Sensitive data](../../prerequisites/identify-sensitive-data.md "Sensitive Data") may include personally identifiable information (PII), passwords, cryptographic keys or session tokens. + +## Impact + +- **Loss of Confidentiality**: Under the right conditions an attacker could extract sensitive data stored internally within the application sandbox leading to loss of confidentiality and enable further attacks such as identity theft or account takeover. + +## Modes of Introduction + +- **Data Stored Unencrypted**: Sensitive data is written to the app's private data directory (sandbox) unencrypted. 
+- **Hardcoded Encryption Key**: Sensitive data is encrypted but the key is hardcoded inside the application. +- **Encryption Key Stored on Filesystem**: Sensitive data is encrypted but the key is stored alongside it or in another easily accessible location. +- **Encryption Used is Insufficient**: Sensitive data is encrypted but the encryption is not considered to be strong. + +## Mitigations +- Avoid storing sensitive data locally if not required for application functionality to reduce the likelihood and impact of this weakness. For example keeping PII server-side, rendering it at time of use, and removing any cached data on logout. +- Store cryptographic keys exclusively using the platform's hardware-backed keystore solution, such as the Android Keystore or the iOS Keychain. +- For storing other files and preferences, use platform-provided features for encrypting data at rest or other techniques implementing envelope encryption with Data Encryption Keys (DEK) and Key Encryption Keys (KEK) or equivalent methods. For example, on Android, use [EncryptedFile](https://developer.android.com/reference/androidx/security/crypto/EncryptedFile) or [EncryptedSharedPreferences](https://developer.android.com/reference/androidx/security/crypto/EncryptedSharedPreferences); on iOS, use [iOS Data Protection](https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files). From d179bdefaa9e3646708b5dcc02fff78f8e1ee6a4 Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Wed, 10 Jul 2024 17:15:02 +0200 Subject: [PATCH 52/52] Add references from demo to test and from test to weakness --- demos/android/MASVS-STORAGE/MASTG-DEMO-0010/MASTG-DEMO-0010.md | 1 + tests/android/MASVS-STORAGE/MASTG-TEST-0207.md | 1 + 2 files changed, 2 insertions(+) diff --git a/demos/android/MASVS-STORAGE/MASTG-DEMO-0010/MASTG-DEMO-0010.md b/demos/android/MASVS-STORAGE/MASTG-DEMO-0010/MASTG-DEMO-0010.md index 8ff795a0a6..d0093b7298 100644 
--- a/demos/android/MASVS-STORAGE/MASTG-DEMO-0010/MASTG-DEMO-0010.md +++ b/demos/android/MASVS-STORAGE/MASTG-DEMO-0010/MASTG-DEMO-0010.md @@ -4,6 +4,7 @@ title: File System Snapshots from Internal Storage id: MASTG-DEMO-0010 tools: [adb] code: [kotlin] +test: MASTG-TEST-0207 --- ### Sample diff --git a/tests/android/MASVS-STORAGE/MASTG-TEST-0207.md b/tests/android/MASVS-STORAGE/MASTG-TEST-0207.md index 319a8b287d..77b3c6df67 100644 --- a/tests/android/MASVS-STORAGE/MASTG-TEST-0207.md +++ b/tests/android/MASVS-STORAGE/MASTG-TEST-0207.md @@ -8,6 +8,7 @@ mitigations: - android-use-androidx-security prerequisites: - identify-sensitive-data +weakness: MASWE-0006 --- ## Overview
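Review bot: the step 2 link in the MASTG-TEST-0207.md hunk (`@@ -18,7 +18,7 @@`) changes from a relative path to the root-absolute `/MASTG/techniques/android/MASTG-TECH-0008.md`, while the MASWE-0006.md hunk in the same patch keeps a relative link (`../../prerequisites/identify-sensitive-data.md`). The two styles resolve differently: a root-absolute link only works when the site is served under `/MASTG/` and will not resolve when the file is viewed in the repository. Pick one convention for both files; if relative links are kept, the correct path from the new `tests/android/MASVS-STORAGE/` location is `../../../techniques/android/MASTG-TECH-0008.md`.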
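Review bot: the `draft.topics` entries removed in the MASWE-0006.md hunk (`@@ -7,20 +7,33 @@`) include "sensitive data must not encoded (e.g. base64, simple bit operations such as XOR or bit flipping) instead of encrypted", but none of the four new "Modes of Introduction" bullets covers encoding or obfuscation used in place of encryption, so that case is dropped from the weakness rather than migrated. Suggest a fifth bullet along the lines of `- **Data Encoded or Obfuscated Instead of Encrypted**: Sensitive data is base64-encoded or XORed rather than encrypted with strong cryptography.` Separately, `+## Mitigations` is followed directly by `+- Avoid storing sensitive data...` with no blank line, unlike the other headings in the same file; add one for consistency and to keep markdown-lint's heading spacing rule happy.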
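Review bot: `+test: MASTG-TEST-0207` in the MASTG-DEMO-0010.md hunk (`@@ -4,6 +4,7 @@`) is a scalar, whereas the neighbouring `tools: [adb]` and `code: [kotlin]` keys are lists; if a demo may ever exercise more than one test, declare it as a list now (`test: [MASTG-TEST-0207]`) so the frontmatter schema does not need to change later.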
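Review bot: `+weakness: MASWE-0006` in the MASTG-TEST-0207.md hunk (`@@ -8,6 +8,7 @@`) links the test to the weakness by ID only, and PATCH 51 in this same series shows how easily these files get renamed; the build step that resolves `weakness:`, `test:`, `mitigations:` and `prerequisites:` keys should fail on an unknown ID, otherwise a future rename silently leaves the test pointing at nothing.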