Add Risk and Test - Sensitive Data Stored Unencrypted in Private Storage Locations [data-unencrypted-private-storage] #2566
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
--- | ||
platform: android | ||
title: Sensitive Data Written to Private Data Directory (Sandbox) Unencrypted. | ||
|
||
type: [dynamic, filesystem] | ||
mitigations: | ||
- android-use-keystore | ||
- android-use-androidx-security | ||
prerequisites: | ||
- identify-sensitive-data | ||
--- | ||
|
||
|
||
## Steps | ||
|
||
1. Start the device. | ||
|
||
2. Launch and use the app going through the various workflows while inputting sensitive data wherever you can. Taking note of the data you input can help identify it later using tools to search for it. | ||
|
||
|
||
3. Take a copy of the app's private data directory for offline analysis. Using tar will preserve the filesystem structure and permissions. | ||
|
||
|
||
4. Search the extracted data for items such as keys, passwords and any sensitive data inputted into the app. | ||
|
||
5. Check files for sensitive data that has been encoded with algorithms such as base64 which obscures but does not protect sensitive data. | ||
|
||
|
||
## Observation | ||
|
||
Files within the private data directory contain sensitive data. | ||
|
||
## Evaluation | ||
|
||
The test case fails if you find sensitive data in the app's private data directory which has not been encrypted with strong cryptography. This includes plaintext data as well as encoding such as base64 or obfuscation such as xoring. | ||
|
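Review bot: Steps 3 and 5 name the tools (tar, base64) but give no command, device setup or technique reference, so the test is not reproducible as written; state how the copy of the app's private data directory is taken (the `tar` invocation and what access to the device the step assumes) and a concrete way to find encoded values, for example searching for the inputs noted in step 2 and for their base64 form, or link the relevant MASTG technique pages. Also confirm that the `mitigations` slugs `android-use-keystore` and `android-use-androidx-security` correspond to files that exist, or are added in this PR, under the mitigations directory, otherwise the references dangle. Minor: the `title` ends with a trailing period, unlike the risk document's title, and `xoring` in the Evaluation reads better as `XOR`.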
please also change the directory name to data-unencrypted-private-storage |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
--- | ||
title: Sensitive Data Stored Unencrypted in Internal Locations | ||
|
||
alias: data-unencrypted-internal | ||
|
||
platform: [android, ios] | ||
profiles: [L2] | ||
mappings: | ||
masvs-v1: [MSTG-STORAGE-2] | ||
masvs-v2: [MASVS-STORAGE-1, MASVS-CRYPTO-2] | ||
mastg-v1: [MASTG-TEST-0052, MASTG-TEST-0001] | ||
|
||
|
||
--- | ||
|
||
## Overview | ||
|
||
Mobile apps may need to store sensitive data locally within the application sandbox and this data is at risk of exposure via, for example, incorrect file permissions, an app vulnerability, device vulnerability or data backup mechanisms. | ||
|
||
|
||
[sensitive data](MASTG-THEORY-0023.md "Sensitive Data") may include personally identifiable information (PII), passwords, cryptographic keys or session tokens. | ||
|
||
|
||
Sensitive data stored locally on the device should be encrypted, and any keys used for encryption methods should be protected by the device's hardware-backed keystore, where available. | ||
|
||
|
||
## Impact | ||
|
||
- **Loss of Confidentiality**: Under the right conditions an attacker could extract sensitive data stored internally within the application sandbox leading to loss of confidentiality and enable further attacks such as identity theft or account takeover. | ||
|
||
## Modes of Introduction | ||
|
||
- **Data Stored Unencrypted**: Sensitive data is written to the app's private data directory (sandbox) unencrypted. | ||
- **Hardcoded Encryption Key**: Sensitive data is encrypted but the key is hardcoded inside the application. | ||
- **Encryption Key Stored on Filesystem**: Sensitive data is encrypted but the key is stored alongside it or in another easily accessible location. | ||
- **Encryption Used is Insufficient**: Sensitive data is encrypted but the encryption is not considered to be strong. | ||
|
||
## Mitigations | ||
|
||
- Avoid storing sensitive data locally at all. | ||
|
||
- Use the platform's hardware-backed keystore solution to store the key used for encryption. | ||
Should we offer more options to the users as it's detailed here?

Which ones would you recommend? The main ones aside from keystore it mentions are storing it server-side, which I probably wouldn't recommend in most cases, and a key derived from user input, which could be good if the UX is acceptable (e.g. for a password manager). We could just reference this whole section, which raises another question about this process: should we just be duplicating (and updating) the current published mitigation advice but inside these risks? Or should we reference out to existing advice?

Flagged this to be discussed next week in the call. I think these are supposed to be moved to mitigations documents per the guide, but the existing examples don't do that (yet). Also whether we should absorb the info from that link to the MASTG, reference it, or supersede it.

Per the call, for more specific and detailed recommended mitigations we should put them in their own mitigation files and link to them, and keep the high-level / generic mitigations here. I'll work on splitting those out and creating mitigation documents based on the additional options @ZabGo linked above.

Thanks @thomascannon and @ZabGo. The mitigations dir is here: https://github.com/OWASP/owasp-mastg/tree/master/mitigations Keep in mind that ideally we'd like to make these mitigations as generic as possible so that they can be reused. Also note that the mitigations may also be platform-specific. |
||
- Use platform features such as [androidx.security.crypto](https://developer.android.com/jetpack/androidx/releases/security) to safely store files and sharedpreferences. | ||
|
||
|
||
Further documentation: | ||
|
||
- [Android Developers: Encrypt All Sensitive Data](https://developer.android.com/privacy-and-security/risks/backup-leaks#risk:-storing-sensitive-data-unencrypted) | ||
- [iOS Documentation: Encrypt App Files](https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files) | ||
|
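Review bot: `platform` is `[android, ios]` but the Mitigations list only names Android mechanisms (the hardware-backed keystore and `androidx.security.crypto`), so an iOS reader gets no actionable guidance; add the iOS counterpart or, as agreed in the thread above, link to platform-specific mitigation documents. The "Encryption Used is Insufficient" mode of introduction also has no matching mitigation that says what counts as strong cryptography, even though the document maps to MASVS-CRYPTO-2 and the test's Evaluation depends on that judgement. The `alias` `data-unencrypted-internal` does not match the `data-unencrypted-private-storage` name used in the PR title and the requested directory name; pick one. Minor: the second Overview sentence starts with lowercase `[sensitive data]`, and `Further documentation:` with its two links sits under `## Mitigations` without its own heading, so the links read as mitigations.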
Could you please create a demo directory
demo-1/
with a demo.md and the rest of the required files? (see here, and the guidelines)