[MASWE-0004] Sensitive Data Not Excluded From Backup

demos/android/MASVS-STORAGE/MASTG-DEMO-0014/MASTG-DEMO-0020.md

@@ -0,0 +1,43 @@
+---
+platform: android
+title: Sensitive Data Not Excluded From Backup
+id: MASTG-DEMO-0020
+code: [kotlin]
+test: MASTG-TEST-0216
+---
+
+### Sample
+
+The snippet below shows sample code that creates two files inside [`filesDir`](https://developer.android.com/reference/android/content/Context#getFilesDir()). One of the files is also marked as `exclude` inside `backup_rules.xml`.
+
+{{ MastgTest.kt # backup_rules.xml }}
+
+### Steps
+
+1. Install the target app on your device.
+2. Execute `run_before.sh` which runs @MASTG-TOOL-0004.
+3. Open the app and exercise it to trigger file creations.
+4. Execute `run_after.sh`.
+5. Close the app once you finish testing.
+
+{{ run.sh }}
+
+### Observation
+
+The output contains a list of all restored files.
+
+{{ output.txt }}
+
+Their content is inside the `./restored_files/` directory and contains:
+
+A password:
+
+{{ restored_files/secret.txt }}
+
+The file was created in `/data/user/0/org.owasp.mastestapp/files/` which is equivalent to `/data/data/org.owasp.mastestapp/files/`.
+
+Note that the sample app wrote two files: `secret.txt` and `backup_excluded_secret.txt`. The latter is not restored because it is marked as `exclude` in the `backup_rules.xml` file.
+
+### Evaluation
+
+The test fails because `secret.txt` is restored from the backup and it contains sensitive data.

demos/android/MASVS-STORAGE/MASTG-DEMO-0014/MastgTest.kt

@@ -0,0 +1,35 @@
+package org.owasp.mastestapp
+
+import android.content.Context
+import android.util.Log
+import java.io.File
+import java.io.FileOutputStream
+import java.io.IOException
+
+class MastgTest (private val context: Context){
+
+    fun mastgTest(): String {
+
+        val externalStorageDir = context.getExternalFilesDir(null)
+
+        val fileName = File(externalStorageDir, "secret.txt")
+        val fileNameOfBackupExcludedFile = File(externalStorageDir, "backup_excluded_secret.txt")
+        val fileContent = "secr3tPa\$\$W0rd\n"
+
+        try {
+            FileOutputStream(fileName).use { output ->
+                output.write(fileContent.toByteArray())
+                Log.d("WriteExternalStorage", "File written to external storage successfully.")
+            }
+            FileOutputStream(fileNameOfBackupExcludedFile).use { output ->
+                output.write(fileContent.toByteArray())
+                Log.d("WriteExternalStorage", "File written to external storage successfully.")
+            }
+        } catch (e: IOException) {
+            Log.e("WriteExternalStorage", "Error writing file to external storage", e)
+            return "ERROR!!\n\nError writing file to external storage"
+        }
+
+        return "SUCCESS!!\n\nFiles saved to $externalStorageDir"
+    }
+}

demos/android/MASVS-STORAGE/MASTG-DEMO-0014/backup_rules.xml

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<full-backup-content>
+    <exclude domain="file" path="backup_excluded_secret.txt" />
+</full-backup-content>

demos/android/MASVS-STORAGE/MASTG-DEMO-0014/output.txt

@@ -0,0 +1,2 @@
+/data/user/0/org.owasp.mastestapp/files/profileInstalled
+/data/user/0/org.owasp.mastestapp/files/secret.txt

demos/android/MASVS-STORAGE/MASTG-DEMO-0014/restored_files/secret.txt

@@ -0,0 +1 @@
+secr3tPa$$W0rd

demos/android/MASVS-STORAGE/MASTG-DEMO-0014/run.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+# USAGE: ./run.sh <package name>
+# EXAMPLE: ./run.sh org.owasp.mastestapp
+# SUMMARY: List all files restered from a backup
+
+# Script from https://developer.android.com/identity/data/testingbackup
+# Initialize and create a backup
+adb shell bmgr enable true
+adb shell bmgr transport com.android.localtransport/.LocalTransport | grep -q "Selected transport" || (echo "Error: error selecting local transport"; exit 1)
+adb shell settings put secure backup_local_transport_parameters 'is_encrypted=true'
+adb shell bmgr backupnow "$1" | grep -F "Package $1 with result: Success" || (echo "Backup failed"; exit 1)
+
+# Uninstall and reinstall the app to clear the data and trigger a restore
+apk_path_list=$(adb shell pm path "$1")
+OIFS=$IFS
+IFS=$'\n'
+apk_number=0
+for apk_line in $apk_path_list
+do
+    (( ++apk_number ))
+    apk_path=${apk_line:8:1000}
+    adb pull "$apk_path" "myapk${apk_number}.apk"
+done
+IFS=$OIFS
+adb shell pm uninstall --user 0 "$1"
+apks=$(seq -f 'myapk%.f.apk' 1 $apk_number)
+adb install-multiple -t --user 0 $apks
+
+# Clean up
+adb shell bmgr transport com.google.android.gms/.backup.BackupTransportService
+rm $apks
+
+echo "Done"
+
+
+# Demo script
+# You might need to enable root for ADB first with `adb root`
+adb shell "find /data/user/0/org.owasp.mastestapp/ -type f" > output.txt
+mkdir -p restored_files
+while read -r line; do
+  adb pull "$line" ./restored_files/
+done < output.txt

demos/ios/MASVS-STORAGE/MASTG-DEMO-0019/MASTG-DEMO-0019.md

@@ -0,0 +1,30 @@
+---
+platform: ios
+title: Sensitive Data Not Excluded From Backup
+code: [swift]
+id: MASTG-DEMO-0019
+test: MASTG-TEST-0215
+---
+
+### Sample
+
+The code snippet below shows sample code that creates a file and marks it with `isExcludedFromBackupKey`.
+
+{{ MastgTest.swift }}
+
+### Steps
+
+1. Unzip the app package and locate the main binary file (@MASTG-TECH-0058), which in this case is `./Payload/MASTestApp.app/MASTestApp`.
+2. Run `run.sh`.
+
+{{ run.sh }}
+
+### Observation
+
+The output contains information that `isExcludedFromBackupKey` was used in the app.
+
+{{ output.txt }}
+
+### Evaluation
+
+The test fails because `secret.txt` might be restored from the backup and it contains sensitive data.

demos/ios/MASVS-STORAGE/MASTG-DEMO-0019/MastgTest.swift

@@ -0,0 +1,27 @@
+import SwiftUI
+
+struct MastgTest {
+    static func mastgTest(completion: @escaping (String) -> Void) {
+    // Define the file name and create the file URL
+    let documentsDirectory = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask).first!
+    let fileName = "secret.txt"
+    var fileURL = documentsDirectory.appendingPathComponent(fileName)
+
+    // Create the file content
+    let fileContent = "MAS_API_KEY=8767086b9f6f976g-a8df76"
+
+    do {
+        try fileContent.write(to: fileURL, atomically: true, encoding: .utf8)
+
+        // Set the isExcludedFromBackup flag
+        var resourceValues = URLResourceValues()
+        resourceValues.isExcludedFromBackup = true
+
+        try fileURL.setResourceValues(resourceValues)
+
+    } catch {
+      completion("Error creating file: \(error)")
+    }
+    completion("File created and isExcludedFromBackup flag set to true")
+    }
+}

demos/ios/MASVS-STORAGE/MASTG-DEMO-0019/isExcludedFromBackup.r2

@@ -0,0 +1,12 @@
+!printf "Uses of isExcludedFromBackup:\n"
+afl~isExcludedFromBackup
+
+!printf "\n"
+
+!printf "xrefs to isExcludedFromBackup:\n"
+axt @ 0x10000cc28
+
+!printf "\n"
+!printf "Use of isExcludedFromBackup:\n"
+
+pd-- 5 @ 0x100004594

demos/ios/MASVS-STORAGE/MASTG-DEMO-0019/output.txt

@@ -0,0 +1,17 @@
+Uses of isExcludedFromBackup:
+0x10000cc28    1     12 sym.imp.Foundation.URLResourceValues.isExcludedFromBackup...Sgvs
+
+xrefs to isExcludedFromBackup:
+sym.MASTestApp.MastgTest.mastg.completion...FZ 0x100004594 [CALL:--x] bl sym.imp.Foundation.URLResourceValues.isExcludedFromBackup...Sgvs
+
+Use of isExcludedFromBackup:
+│           0x100004580      080540f9       ldr x8, [x8, 8]
+│           0x100004584      00013fd6       blr x8
+│           0x100004588      e80314aa       mov x8, x20
+│           0x10000458c      a1210094       bl sym.imp.Foundation.URLResourceValues...VACycfC...ycfC
+│           0x100004590      20008052       mov w0, 1
+│           0x100004594      a5210094       bl sym Foundation.URLResourceValues.isExcludedFromBackup...Sgvs ; sym.imp.Foundation.URLResourceValues.isExcludedFromBackup...Sgvs
+│           0x100004598      a82300d1       sub x8, x29, 8
+│           0x10000459c      140150f8       ldur x20, [x8, -0x100]
+│           0x1000045a0      a82302d1       sub x8, x29, 0x88
+│           0x1000045a4      080150f8       ldur x8, [x8, -0x100]

demos/ios/MASVS-STORAGE/MASTG-DEMO-0019/run.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+r2 -q -i isExcludedFromBackup.r2 -A MASTestApp

tests-beta/android/MASVS-STORAGE/MASTG-TEST-0216.md

@@ -0,0 +1,40 @@
+---
+platform: android
+title: Sensitive Data Not Excluded From Backup
+id: MASTG-TEST-0216
+type: [dynamic, filesystem]
+weakness: MASWE-0004
+---
+
+## Overview
+
+This test verifies whether your app correctly instructs the system to exclude sensitive files from backups. There are two distinct APIs for instructing the system to exclude files:
+
+1. [Auto Backup](https://developer.android.com/identity/data/autobackup)
+2. [Key-value backup](https://developer.android.com/identity/data/autobackup)
+
+Regardless of which API you use, Android provides a way to start the backup daemon to back up and restore your app's files. You can use this daemon to initiate the backup process and restore the app's data, allowing you to verify which files have been restored from the backup.
+
+## Steps
+
+1. Start the device.
+
+2. Install an app on your device.
+
+3. Launch and use the app going through the various workflows while inputting sensitive data wherever you can.
+
+4. Run the backup daemon.
+
+5. Uninstall the app and install it again. Don't open the app anymore.
+
+6. Restore the data from the backup.
+
+7. Verify that restored files don't contain sensitive data. Test both private and shared storage locations.
+
+## Observation
+
+The output should contain a list of files that are restored from the backup.
+
+## Evaluation
+
+Identify the files that contain sensitive data and instruct the system to exclude them from the backup. If you use Auto Backup, mark them with `exclude` tag inside `backup_rules.xml` or `data_extraction_riles.xml` depending on your target API. Make sure you use fill out both `cloud-backup` and `device-transfer` parameters. If you use Key-value approach, set up your [BackupAgent](https://developer.android.com/identity/data/keyvaluebackup#BackupAgent) accordingly.

tests-beta/ios/MASVS-STORAGE/MASTG-TEST-0215.md

@@ -0,0 +1,27 @@
+---
+platform: ios
+title: Sensitive Data Not Excluded From Backup
+id: MASTG-TEST-0215
+type: [static, filesystem]
+weakness: MASWE-0004
+---
+
+## Overview
+
+iOS provides the [`isExcludedFromBackup`](https://developer.apple.com/documentation/foundation/urlresourcevalues/1780002-isexcludedfrombackup) API to guide the system not to back up a given file. However, this API [does not guarantee that a file will be excluded](https://developer.apple.com/documentation/foundation/optimizing_your_app_s_data_for_icloud_backup/#3928527):
+
+> "The `isExcludedFromBackup` resource value exists only to provide guidance to the system about which files and directories it can exclude; it’s not a mechanism to guarantee those items never appear in a backup or on a restored device."
+
+Therefore, the only way to properly protect your files from a backup is to encrypt them.
+
+## Steps
+
+1. Run a static analysis tool such as @MASTG-TOOL-0073 on the app binary, or use a dynamic analysis tool like @MASTG-TOOL-0039, and look for uses of `isExcludedFromBackup` API.
+
+## Observation
+
+Inspect all files that you marked with `isExcludedFromBackup`.
+
+## Evaluation
+
+Make sure to encrypt any files you want to protect from a backup, as `isExcludedFromBackup` does not guarantee that a file will be excluded.

weaknesses/MASVS-STORAGE/MASWE-0004.md

@@ -21,3 +21,28 @@ status: draft
 
 ---
 
+## Overview
+
+iOS and Android automatically back up app data to cloud services, and users can also create local backups on physical machines, or backups are automatically created during data transfers when switching between phones. When developers fail to properly configure how their app handles backups and neglect to exclude sensitive files, the backups may contain sensitive user and app data. Under certain conditions, the backups may not be adequately secured by the cloud provider, or a malicious actor could tamper with the backed up files, potentially altering the app's behavior or extracting confidential information.
+
+## Impact
+
+- **Modification of app's behavior**: An attacker can tamper with data inside the backup, altering the app's logic. For example, they could modify a database that tracks the state of premium features and then restore the modified backup to the device. Another common scenario is backing up the device before redeeming a one-time coupon and restoring the backup afterward. This would allow the malicious actor to reuse the same coupon multiple times.
+
+- **Loss of confidentiality**: Sensitive data stored in backups (e.g., personal information, photos, documents, audio files) may be extracted by attackers, leading to privacy breaches.
+
+- **Leakage of authentication material**: An attacker can extract passwords, cryptographic keys, and session tokens to facilitate additional attacks, such as identity theft, account takeover, or unauthorized access.
+
+## Modes of Introduction
+
+- **Automatic System Backups**: By default, iOS and Android back up app data to the cloud once the user consents during the initial setup.
+
+- **Local Backups**: Users can back up their devices to local systems (e.g., laptops). If local backups are stored unencrypted or not securely handled, attackers could tamper with this data.
+
+- **Device-To-Device Transfer**: Transferring data between devices (e.g., via iCloud or Google’s device-to-device migration tools) enables an attacker to perform similar attacks.
+
+## Mitigations
+
+- Exclude sensitive files from backups using platform-specific attributes, such as `android:allowBackup` or `BackupAgent` with `excludeFromBackup` for Android. On iOS, API such as `NSURLIsExcludedFromBackupKey` [doesn't guarantee](https://developer.apple.com/documentation/foundation/optimizing_your_app_s_data_for_icloud_backup/#3928527) exclusion from the backup. Therefore, you should encrypt your data instead.
+- Store sensitive data in locations excluded from backups by default, like the Keychain or `Library/Caches` on iOS.
+- Encrypt sensitive data before storage to ensure confidentiality, even if it gets backed up.