Skip to content

Port MASTG-TEST-0010 and MASTG-TEST-0059 (by @guardsquare) #3112

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 65 commits into from
Aug 31, 2025
Merged

Port MASTG-TEST-0010 and MASTG-TEST-0059 (by @guardsquare) #3112

merged 65 commits into from
Aug 31, 2025

Conversation

serek8
Copy link
Collaborator

@serek8 serek8 commented Jan 13, 2025
edited by cpholguera
Loading

Closes #2970 closes #2984.

This PR ports two legacy test cases (MASTG-TEST-0010 and MASTG-TEST-0059) by deprecating them and introducing new MASTG V2 versions that test for sensitive information exposure in auto-generated screenshots on Android and iOS platforms.

  • Deprecates existing test cases MASTG-TEST-0010 (Android) and MASTG-TEST-0059 (iOS)
  • Adds new comprehensive test cases MASTG-TEST-0289, MASTG-TEST-0290, and MASTG-TEST-0291 for screenshot security testing
  • Introduces supporting materials including semgrep rules, demos, and best practices documentation

Changes

File Description
tests/android/MASVS-PLATFORM/MASTG-TEST-0010.md Marks legacy Android screenshot test as deprecated
tests/ios/MASVS-PLATFORM/MASTG-TEST-0059.md Marks legacy iOS screenshot test as deprecated
tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0289.md New runtime verification test for Android screenshot protection
tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0291.md New static analysis test for Android FLAG_SECURE usage
tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0290.md New runtime verification test for iOS screenshot protection
rules/mastg-android-sensitive-data-in-screenshot.yml Semgrep rules for detecting FLAG_SECURE usage patterns
demos/android/MASVS-PLATFORM/MASTG-DEMO-0061/* Demo files showing FLAG_SECURE implementation and detection
knowledge/ios/MASVS-STORAGE/MASTG-KNOW-0099.md Enhanced documentation about iOS screenshot storage mechanics
best-practices/MASTG-BEST-0014.md New best practices guide for preventing screenshots

@serek8 serek8 mentioned this pull request Jan 13, 2025
Closed
@serek8 serek8 requested a review from cpholguera January 13, 2025 13:41
@serek8 serek8 changed the title Sensitive Data Leaked via Screenshots Sensitive Data Leaked via Screenshots (by @guardsquare) Jan 13, 2025
@sushi2k sushi2k requested review from sushi2k and removed request for cpholguera January 17, 2025 08:38
cpholguera
cpholguera reviewed Jan 17, 2025
View reviewed changes
cpholguera
cpholguera requested changes Jan 30, 2025
View reviewed changes
@cpholguera cpholguera changed the title Sensitive Data Leaked via Screenshots (by @guardsquare) New MASWE-0055: Sensitive Data Leaked via Screenshots (by @guardsquare) Feb 24, 2025
@cpholguera
Copy link
Collaborator

@serek8 please check the suggested changes. Thanks!

cpholguera and others added 21 commits August 16, 2025 19:26
@cpholguera
Merge branch 'master' into issue-2695-fix
6da0176
@cpholguera
Fix image for task switcher with FLAG_SECURE
6f9ba7a
@cpholguera
Relocate android test which was under ios
0bd4d1a
@cpholguera
Add profiles to MASTG-TEST-0216
7271ef0
@cpholguera
Fix punctuation and TECH reference in MASTG-TEST-0289
cfb6b4c
@cpholguera
Finalize test, demo and rule about FLAG_SECURE implementation for scr…
adb341f 
…eeenshot prevention on Android
@cpholguera
Remove unused code in demo
40d5a07
@cpholguera
Refine evaluation criteria for MASTG-TEST-0216 by removing redundant …
fd80a87 
…failure condition
@cpholguera
Revise title and content for MASTG-BEST-0014 to enhance clarity on pr…
4a5f3d7 
…eventing screenshots and screen recording
@serek8
Move content to Knowledge
7b25e88
@serek8
Update a link to BEST
44800de
@serek8
Add best practices for screenshots
6247dd2
@cpholguera
Enhance runtime verification tests for sensitive content exposure by …
b58ceb3 
…updating type to include 'manual', refining steps for clarity, and improving overview descriptions for both Android and iOS.
@cpholguera
rm best practices, will be added in a separate PR
41a4010
@cpholguera
Remove best practices references from MASTG-TEST-0288 and MASTG-TEST-…
bc42926 
…0290, add missing profile
@cpholguera
rm demo and test about capture detection
4f9fc3a
@cpholguera
fix ids
760bff2
@cpholguera
fix ids
6b8b292
@cpholguera
fix broken ref
996f3e6
@cpholguera
Update MASTG-TEST-0289 and MASTG-TEST-0290 wording and type
0a20bcb
@cpholguera
Merge branch 'master' of https://github.com/OWASP/owasp-mastg into pr…
3c762ba 
…/serek8/3112
@cpholguera cpholguera requested a review from Copilot August 31, 2025 09:17
Copilot
Copilot AI reviewed Aug 31, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR ports two legacy test cases (MASTG-TEST-0010 and MASTG-TEST-0059) by deprecating them and introducing new MASTG V2 versions that test for sensitive information exposure in auto-generated screenshots on Android and iOS platforms.

  • Deprecates existing test cases MASTG-TEST-0010 (Android) and MASTG-TEST-0059 (iOS)
  • Adds new comprehensive test cases MASTG-TEST-0289, MASTG-TEST-0290, and MASTG-TEST-0291 for screenshot security testing
  • Introduces supporting materials including semgrep rules, demos, and best practices documentation

Reviewed Changes

Copilot reviewed 13 out of 15 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
tests/android/MASVS-PLATFORM/MASTG-TEST-0010.md Marks legacy Android screenshot test as deprecated
tests/ios/MASVS-PLATFORM/MASTG-TEST-0059.md Marks legacy iOS screenshot test as deprecated
tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0289.md New runtime verification test for Android screenshot protection
tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0291.md New static analysis test for Android FLAG_SECURE usage
tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0290.md New runtime verification test for iOS screenshot protection
rules/mastg-android-sensitive-data-in-screenshot.yml Semgrep rules for detecting FLAG_SECURE usage patterns
demos/android/MASVS-PLATFORM/MASTG-DEMO-0061/* Demo files showing FLAG_SECURE implementation and detection
knowledge/ios/MASVS-STORAGE/MASTG-KNOW-0099.md Enhanced documentation about iOS screenshot storage mechanics
best-practices/MASTG-BEST-0014.md New best practices guide for preventing screenshots

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@cpholguera cpholguera merged commit 9a7030e into OWASP:master Aug 31, 2025
8 of 9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@cpholguera cpholguera cpholguera approved these changes

@sushi2k sushi2k Awaiting requested review from sushi2k

+1 more reviewer

@carlosb1111 carlosb1111 carlosb1111 left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
MASVS-PLATFORM MASVS-STORAGE MASWE
Projects
None yet
Milestone
No milestone
3 participants
@serek8 @cpholguera @carlosb1111