Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[MASWE-0004] Sensitive Data Not Excluded From Backup #2542

Open
4 tasks
cpholguera opened this issue Feb 5, 2024 · 3 comments · May be fixed by #2866
Open
4 tasks

[MASWE-0004] Sensitive Data Not Excluded From Backup #2542

cpholguera opened this issue Feb 5, 2024 · 3 comments · May be fixed by #2866
Assignees
@serek8
Labels
MASTG Refactor MASVS-STORAGE
Milestone
MASWE-STORAGE

Comments

@cpholguera
Copy link
Collaborator

cpholguera commented Feb 5, 2024
edited
Loading

Description

Create a new risk for "Sensitive Data Not Excluded From Backup (MASVS-STORAGE-2)" using the following information:

sensitive data can be excluded to prevent it from being backed up.

Create "risks/MASVS-STORAGE/2-***-****/data-not-excluded-backup/risk.md" including the following content:

---
title: Sensitive Data Not Excluded From Backup
alias: data-not-excluded-backup
platform: [android, ios]
profiles: [L1, L2, P]
mappings:
  masvs-v1: [MSTG-STORAGE-8]
  masvs-v2: [MASVS-STORAGE-2, MASVS-PRIVACY-1]
  mastg-v1: [MASTG-TEST-0058, MASTG-TEST-0009]

---

## Overview

## Impact

## Modes of Introduction

## Mitigations

To complete the sections follow the guidelines from Writing MASTG Risks & Tests

Use at least the following references:

When creating the corresponding tests, use the following areas to guide you:

  • android:fullBackupContent (Android 11-) or android:dataExtractionRules (Android 12+)
  • iOS isExcludedFromBackup (iOS)
  • cryptographic keys in backups (?)

MASTG v1 Refactoring:

If the risk has a MASVS v1 ID, you can use it to search for related tests in the MASTG and use them as input to define your risks and associated tests.

Acceptance Criteria

  • The risk has been created in the correct directory (risks/MASVS-STORAGE/2-***-****/data-not-excluded-backup/risk.md)
  • The risk content follows the guidelines
  • At least one GitHub Issue has been created for the corresponding tests (derived from "Modes of Introduction")
  • The risk indicates the related MASTG v1 tests in its metadata.
@titze titze mentioned this issue Feb 6, 2024
Closed
4 tasks
@cpholguera
Copy link
Collaborator Author

@githubrlloyd

@titze
Copy link
Collaborator

titze commented Feb 23, 2024

I am not sure there is a reliable way to exclude files from backup on iOS. isExcludedFromBackup is only a hint of what can be excluded:

The isExcludedFromBackup resource value exists only to provide guidance to the system about which files and directories it can exclude; it’s not a mechanism to guarantee those items never appear in a backup or on a restored device.

https://developer.apple.com/documentation/foundation/optimizing_your_app_s_data_for_icloud_backup

If this is really the case, isn't the full risk already covered by #2544. Or should there really be a separate issue for this (@cpholguera)

@cpholguera
Copy link
Collaborator Author

NEW! Please review and include info and reference: https://developer.android.com/privacy-and-security/risks/backup-leaks

@cpholguera cpholguera changed the title New Risk - Sensitive Data Not Excluded From Backup [data-not-excluded-backup] [MASWE-0004] Sensitive Data Not Excluded From Backup Jul 7, 2024
@cpholguera cpholguera assigned serek8 and unassigned githubrlloyd Jul 9, 2024
@serek8 serek8 linked a pull request Aug 6, 2024 that will close this issue
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@serek8 serek8

Labels
MASTG Refactor MASVS-STORAGE
Projects
None yet
Milestone
MASWE-STORAGE
Development

Successfully merging a pull request may close this issue.

[MASWE-0004] Sensitive Data Not Excluded From Backup serek8/owasp-mstg
4 participants
@titze @serek8 @githubrlloyd @cpholguera