Port MASTG-TEST-0055 (by @guardsquare) #3054
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| --- | ||
| platform: ios | ||
| title: Sensitive Data Not Excluded From Keyboard Caching | ||
| id: MASTG-TEST-0x55-1 | ||
| type: [static] | ||
| weakness: MASWE-0053 | ||
| --- | ||
|
|
||
| ## Overview | ||
|
|
||
| This test checks whether the target app prevents the caching of sensitive information entered into text fields. The keyboard may suggest previously entered text when typing in any app on the device. | ||
|
|
||
| Any of the following attributes, if present, will prevent the caching mechanism for text inputs: | ||
|
|
||
| - [`UITextAutocorrectionTypeNo`](https://developer.apple.com/documentation/uikit/uitextautocorrectiontype/uitextautocorrectiontypeno) | ||
| - [`secureTextEntry`](https://developer.apple.com/documentation/uikit/uitextinputtraits/1624427-securetextentry) | ||
|
|
||
| If the app uses Storyboards or XIB files, check whether the UI elements such as `UITextFields`, `UITextViews`, and `UISearchBars` use the `UITextAutocorrectionTypeNo` attribute. | ||
|
|
||
| ## Steps | ||
|
|
||
| 1. Run a static analysis tool such as @MASTG-TOOL-0073 on the app binary to verify if your app uses the above attributes. | ||
|
|
||
| ## Observation | ||
|
|
||
| The output should indicate whether the app uses no-caching attributes. | ||
|
|
||
| ## Evaluation | ||
|
|
||
| The test case fails if any of the text fields in your app accepts sensitive data but do not use no-caching attributes. | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| --- | ||
| platform: ios | ||
| title: Sensitive Data Present In Keyboard Cache | ||
| id: MASTG-TEST-0x55-2 | ||
| type: [dynamic] | ||
| weakness: MASWE-0053 | ||
| --- | ||
|
|
||
| ## Overview | ||
|
|
||
| This test checks whether the keyboard cache contains sensitive data from the target app. | ||
|
|
||
| ## Steps | ||
|
There was a problem hiding this comment. is this test really useful/meaningful/valuable? There was a problem hiding this comment. After thinking it over again, I am not sure about value of these tests:
In general, it's difficult to test for this weakness statically because we don't know what data is sensitive and where it's typed. Therefore, I suggest we:
|
||
|
|
||
| 1. Reset your iOS device keyboard cache by navigating to `Settings > General > Reset > Reset Keyboard Dictionary`. | ||
| 2. Exercise the application and identify the functionalities that allow users to enter sensitive data. | ||
| 3. Use @MASTG-TECH-0052 to retrieve the keyboard cache file with the extension `.dat` at `/private/var/mobile/Library/Keyboard/` and its subdirectories. | ||
|
There was a problem hiding this comment. was this working? which iOS version was it? There was a problem hiding this comment. Yes, it worked on iOS 15.4.1 iPhone XS. The file is |
||
|
|
||
| ## Observation | ||
|
|
||
| The output should contain all cached strings. | ||
|
|
||
| ## Evaluation | ||
|
|
||
| The test case fails if you can find any sensitive cached strings in the output, such as username, passwords, email addresses, and credit card numbers. | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can this really be tested by just having the IPA?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is no easy way to get it from a built IPA file. I am afraid we can only review the source code, or use dynamic analysis to hook an init function of TextField? Do you want me to create a dynamic test for it?