Port MASTG-TEST-0052: Testing Local Data Storage (ios) (by @guardsquare) #3045
Conversation
There was a problem hiding this comment.
This test still has something fundamental that we need to capture in a new test (or two): the app uses the Keychain API in 2 ways
- to store data in the Keychain itself (the keychain wasn't designed for this but developers do it)
- to encrypt data using keys from the Keychain and store it in private storage (envelope encryption)
|
|
||
| 1. Run a static analysis tool such as @MASTG-TOOL-0073 on the app binary. | ||
|
|
||
| 2. Search for APIs that indicates a use of Private Storage. This API includes: |
There was a problem hiding this comment.
I think we should add the use of encryption APIs for envelope encryption or the explicit use of insecure data protection classes (?)
There was a problem hiding this comment.
I am not sure I understand
There was a problem hiding this comment.
We need to add here any references to encryption APIs so that the tester has everything they need.
See below in "Evaluation": we address now the "writing files" part but not the "unencrypted" part.
If we have both, then the rev. engineer can go and reverse the files and validate.
There was a problem hiding this comment.
This would be L1: https://developer.apple.com/documentation/uikit/encrypting-your-app-s-files
And for L2 we'd actually encrypt the files with a key from the Keychain
cpholguera
changed the title
Co-authored-by: Carlos Holguera <[email protected]>
…nto port-MASTG-TEST-0052
This PR closes #2929.
I split this test into 3: