Port MASTG-TEST-0060 (by @guardsquare)

demos/ios/MASVS-STORAGE/MASTG-DEMO-0021/MASTG-DEMO-0022.md

@@ -0,0 +1,36 @@
+---
+platform: android
+title: Testing Memory for Sensitive Data
+id: MASTG-DEMO-0022
+code: [swift]
+test: MASTG-TEST-0x60
+---
+
+### Sample
+
+The following samples contain:
+
+- The Swift code simulates retrieving a secret from a server, then stores the secret in memory.
+
+{{ MastgTest.swift }}
+
+### Steps
+
+1. Install the target app on your device.
+2. Exercise it to trigger storing some information into the memory
+3. Run `run.sh`
+4. Close the app once you finish testing.
+
+{{ run.sh }}
+
+### Observation
+
+We can see the string from the app's memory inside `output.txt`.
+
+{{ output.txt }}
+
+The app keeps a reference to `MAS_API_KEY=8767086b9f6f976g-a8df76` string.
+
+### Evaluation
+
+The test fails because MAS_API_KEY=8767086b9f6f976g-a8df76 is found in memory. Although our code doesn’t explicitly retain this string, the UI TextView does. This makes it challenging to completely remove strings that are currently displayed. While you might accept some strings remaining in memory, you should still monitor their presence. However, if the string isn’t displayed on the screen but still appears in memory, this test definitely fails.

demos/ios/MASVS-STORAGE/MASTG-DEMO-0021/MastgTest.swift

@@ -0,0 +1,18 @@
+import SwiftUI
+
+struct MastgTest {
+
+  static func mastgTest(completion: @escaping (String) -> Void) {
+      // Base64 of "MAS_API_KEY=8767086b9f6f976g-a8df76"
+      let reseponseFromServer = "TUFTX0FQSV9LRVk9ODc2NzA4NmI5ZjZmOTc2Zy1hOGRmNzY="
+
+      // Decode the Base64 string and handle potential nil values
+      guard let decodedData = Data(base64Encoded: reseponseFromServer),
+            let decodedString = String(data: decodedData, encoding: .utf8) else {
+          completion("Error: Failed to decode Base64 string.")
+          return
+      }
+
+      completion("The secret in the memory held by this TextView: \(decodedString)")
+  }
+}

demos/ios/MASVS-STORAGE/MASTG-DEMO-0021/run.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+python3 ./fridump.py -U -s MASTestApp
+cat dump/strings.txt > output.txt

tests-beta/ios/MASVS-STORAGE/MASTG-TEST-0x60.md

@@ -0,0 +1,36 @@
+---
+platform: ios
+title: Testing Memory for Sensitive Data
+id: MASTG-TEST-0x60
+type: [dynamic]
+---
+
+## Overview
+
+This test checks if your app retains sensitive data in clear text in memory during runtime. An app should immediately clear and deallocate all sensitive data after use. Sensitive data includes, for example:
+
+- a password a user enters during sign-in
+- a credit card number used as a payment method
+
+In this test, we’ll use @MASTG-TOOL-0106 to dump all strings from the app’s memory and identify any sensitive data.
+
+## Steps
+
+1. Open your app
+2. Exercise it to trigger storing some information into the memory
+3. Run @MASTG-TOOL-0106 on it
+
+## Observation
+
+The output should contain a list of strings present in the runtime.
+
+## Evaluation
+
+The test case fails if you can find the use of any sensitive string
+
+## Mitigation
+
+- If you pass a sensitive data to another function, don't pass it via immutable data types, such as `String` and `NSString`. Use mutable data instead, so that you can overwrite it after use.
+- Avoid storing sensitive data inside global variables.
+- If you perform modification on sensitive data inside a function, make sure to overwrite all local variables after use.
+- Remove the references to sensitive strings immediately after you finish using them.

tests/ios/MASVS-STORAGE/MASTG-TEST-0060.md

@@ -7,6 +7,8 @@ platform: ios
 title: Testing Memory for Sensitive Data
 masvs_v1_levels:
 - L2
+status: deprecated
+covered_by: [MASTG-TEST-0x60]
 ---
 
 ## Overview