[MASWE-0003] Backup Unencrypted #2541
Comments
First run-through:

Overview

Applications commonly store data for use, whether locally on the device, within external storage, or remotely in cloud storage. When stored data relates to sensitive information, such as a user's personal data or authentication keys and passwords, additional security measures can be applied to prevent the leaking of this sensitive data if the backup is accessed by someone other than the intended user.

Impact

An attacker with access to an application's backup file can retrieve any unencrypted data that the application has backed up. As a result, any sensitive data exposed can be used by the attacker in future attacks or be readily exploited.

Modes of Introduction

Migration:

Additional Nodes

Prerequisites --> identify-sensitive-data
Tests brainstorming:
Complete. Just waiting to see best way to upload files / which branch / version we want these to go into.

Structure Overview

Removing these 2: Originally these show how secure encrypted backup is done which is the opposite of the unencrypted code - it feels redundant with the unencrypted code

iOS Unencrypted Rules

Patterns of Concern

Android Unencrypted Rules
@e-a-security could you please open the PR against our master branch? Thank you!

@cpholguera Gotcha, done here: #2604 Let me know if I should change anything else.

NEW! Please review and include info and reference: https://developer.android.com/privacy-and-security/risks/backup-leaks
Description
Create a new risk for "Backup Unencrypted (MASVS-STORAGE-2)" using the following information:
The app may not encrypt sensitive data in backups, which may compromise data confidentiality.
Create "risks/MASVS-STORAGE/2-***-****/backup-unencrypted/risk.md" including the following content:

To complete the sections follow the guidelines from Writing MASTG Risks & Tests
Use at least the following references:
When creating the corresponding tests, use the following areas to guide you:
MASTG v1 Refactoring:
If the risk has a MASVS v1 ID, you can use it to search for related tests in the MASTG and use them as input to define your risks and associated tests.
Acceptance Criteria
risks/MASVS-STORAGE/2-***-****/backup-unencrypted/risk.md