Closed
Description
I agree. You can add new tests for "MASWE-0006: Sensitive Data Stored Unencrypted in Private Storage Locations".
For example, the new test we'd need here could have this metadata:
```yaml
---
platform: android
title: SharedPreferences API Storing Sensitive Data Unencrypted in the App Sandbox
id: MASTG-TEST-02xx
type: [dynamic]
weakness: MASWE-0006
profiles: [L2]
---
```
And then, in separate PRs, you could add:
```yaml
---
platform: android
title: DataStore API Storing Sensitive Data Unencrypted in the App Sandbox
id: MASTG-TEST-02xx
type: [dynamic]
weakness: MASWE-0006
profiles: [L2]
---
```
etc.
Important: each Overview should detail the specific locations and APIs, always linking to the corresponding MASTG-KNOW component, for example:
- Shared Preferences -> TODO: assign the new MASTG-KNOW ID
- MediaStore API -> TODO: find the new MASTG-KNOW ID
Note: These items are currently in https://mas.owasp.org/MASTG/knowledge/android/MASVS-STORAGE/MASTG-KNOW-0042/ but this could be split into different articles with unique IDs.
Makes sense: I will write Tests and Demos for
- App Writing Sensitive Data to Sandbox using SharedPreferences
- App Writing Sensitive Data to Sandbox using DataStore
- App Writing Sensitive Data to Sandbox using Room
- App Writing Sensitive Data to Sandbox using SQLite
There are already Demos for:
- App Writing Sensitive Data to World Readable External Storage (MASTG-DEMO-0005)
- App Writing Sensitive Data to Sandboxed External Location (MASTG-DEMO-0004)
- App Writing Sensitive Data to World Readable External Location (MASTG-DEMO-0003)
I will start with the tests, but would wait for some feedback after the first PR.
Originally posted by @bernhste in #3359 (comment)
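As an added example (not part of this issue and not one of MASTG's own demo scripts), this is the check a dynamic test for the sandbox storage locations listed above would run after exercising the app: pull the SharedPreferences XML and the SQLite database (which is what Room writes) and scan them for plaintext sensitive data. The key-name regex, the value heuristics (JWT shape, Luhn-valid digit strings, entropy above 4 bits per character) and the sample files are my own constructions. The `__androidx_security_crypto_encrypted_prefs_key_keyset__` entry is the default keyset alias that androidx's EncryptedSharedPreferences writes into the file; it is used here only to recognise a file whose keys and values are already ciphertext, where entropy heuristics would produce nothing but false positives.

```python
"""Scan Android app-sandbox artifacts for plaintext sensitive data.
Added example with constructed sample data; heuristics are the author's own."""
import math
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Key/column names that by themselves indicate a secret (heuristic list, an assumption).
SENSITIVE_KEY_RE = re.compile(
    r"(password|passwd|pwd|secret|token|api[_-]?key|session|credential)", re.I)
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
CARD_RE = re.compile(r"^\d{13,19}$")
# Default keyset alias written by androidx.security.crypto EncryptedSharedPreferences.
ENCRYPTED_PREFS_MARKER = "__androidx_security_crypto_encrypted_prefs_key_keyset__"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so not every long digit string is reported as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens and keys score well above natural text."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def classify(key: str, value: str):
    """Return why a (key, value) pair looks like plaintext sensitive data, or None."""
    if SENSITIVE_KEY_RE.search(key):
        return "sensitive key name"
    if JWT_RE.match(value):
        return "JWT-shaped value"
    if CARD_RE.match(value) and luhn_ok(value):
        return "card-number-shaped value"
    if len(value) >= 20 and shannon_entropy(value) > 4.0:
        return "high-entropy value"
    return None


def scan_shared_prefs(xml_text: str) -> dict:
    """Parse a SharedPreferences XML file: a <map> of typed entries."""
    root = ET.fromstring(xml_text.encode())
    entries = []
    for el in root:
        name = el.get("name", "")
        if el.tag == "set":
            entries += [(name, child.text or "") for child in el]
        elif el.tag == "string":
            entries.append((name, el.text or ""))
        else:  # boolean/int/long/float keep the value in an attribute
            entries.append((name, el.get("value", "")))
    if any(name == ENCRYPTED_PREFS_MARKER for name, _ in entries):
        return {"encrypted_prefs": True, "findings": []}  # ciphertext, nothing to scan
    findings = []
    for key, value in entries:
        reason = classify(key, value)
        if reason:
            findings.append((key, reason))
    return {"encrypted_prefs": False, "findings": findings}


def scan_sqlite(db_path: str) -> list:
    """Walk every user table and text column; one finding per column is enough."""
    findings = []
    con = sqlite3.connect(db_path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            for col in [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]:
                for (val,) in con.execute(f'SELECT "{col}" FROM "{table}"'):
                    reason = classify(col, val) if isinstance(val, str) else None
                    if reason:
                        findings.append((f"{table}.{col}", reason))
                        break
    finally:
        con.close()
    return findings


# Constructed sample of what `adb shell run-as <pkg> cat shared_prefs/<name>.xml` returns.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <string name="cached_header">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.dGVzdA</string>
    <string name="card_number">4111111111111111</string>
    <string name="device_seed">ABCDEFGHIJKLMNOPQRSTUVWXYZ012345</string>
    <boolean name="logged_in" value="true" />
    <int name="login_count" value="3" />
    <set name="recent_hosts"><string>api.example.com</string></set>
</map>"""

# Constructed sample of an EncryptedSharedPreferences file (blobs are not real ciphertext).
SAMPLE_ENCRYPTED_PREFS_XML = """<map>
    <string name="__androidx_security_crypto_encrypted_prefs_key_keyset__">CiQAconstructedKeysetBlobAAAA</string>
    <string name="AVRZMnNDjBWwqiM9constructed">AVRZMnNvAvMBjknzconstructedValue</string>
</map>"""


def demo_sqlite_findings() -> list:
    """Create a constructed Room/SQLite-style database in a temp file and scan it."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        con = sqlite3.connect(path)
        with con:
            con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, "
                        "password TEXT, api_key TEXT)")
            con.execute("INSERT INTO users (email, password, api_key) VALUES (?, ?, ?)",
                        ("alice@example.com", "hunter2", "sk_constructed_example_key"))
        con.close()
        return scan_sqlite(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(scan_shared_prefs(SAMPLE_PREFS_XML))
    print(scan_shared_prefs(SAMPLE_ENCRYPTED_PREFS_XML))
    print(demo_sqlite_findings())
```

On a device you would feed it the files from `adb shell run-as <package> cat shared_prefs/<name>.xml` and `adb shell run-as <package> cat databases/<name>`; Preferences DataStore writes a protobuf-serialized file under `files/datastore/` instead and needs its own parser. Treat "high-entropy value" as a lead rather than a verdict: a random install ID scores just as high as a leaked API key, so those entries still need manual review, while a readable key named `password` is a finding on its own.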