[MASWE-0004] Sensitive Data Not Excluded From Backup

demos/android/MASVS-STORAGE/MASTG-DEMO-0014/MASTG-DEMO-0014.md

@@ -0,0 +1,45 @@
+---
+platform: android
+title: Sensitive Data Not Excluded From Backup
+id: MASTG-DEMO-0014
+code: [kotlin]
+test: MASTG-TEST-0211
+---
+
+### Sample
+
+The snippet below shows sample code that creates two files inside [`filesDir`](https://developer.android.com/reference/android/content/Context#getFilesDir()). One of the files is also marked as `exclude` inside `backup_rules.xml`.
+
+{{ MastgTest.kt }}
+
+{{ backup_rules.xml }}
+
+### Steps
+
+1. Install an app on your device.
+2. Execute `run_before.sh` which runs @MASTG-TOOL-0004.
+3. Open an app and exercise it to trigger file creations.
+4. Execute `run_after.sh`.
+5. Close the app once you finish testing.
+
+{{ run.sh }}
+
+### Observation
+
+There is a list of all restored files inside `output.txt`.
+
+{{ output.txt }}
+
+Their content is inside the `./restored_files/` directory and contains:
+
+A password:
+
+{{ restored_files/secret.txt }}
+
+The file was created in `/data/user/0/org.owasp.mastestapp/files/` which is equivalent to `/data/data/org.owasp.mastestapp/files/`.
+
+Note that the sample app wrote two files: `secret.txt` and `backup_excluded_secret.txt`. The latter is not restored because it is marked as `exclude` in the `backup_rules.xml` file.
+
+### Evaluation
+
+If you don't intend to restore this file, this test fails.

demos/android/MASVS-STORAGE/MASTG-DEMO-0014/MastgTest.kt

@@ -0,0 +1,35 @@
+package org.owasp.mastestapp
+
+import android.content.Context
+import android.util.Log
+import java.io.File
+import java.io.FileOutputStream
+import java.io.IOException
+
+class MastgTest (private val context: Context){
+
+    fun mastgTest(): String {
+
+        val externalStorageDir = context.getExternalFilesDir(null)
+
+        val fileName = File(externalStorageDir, "secret.txt")
+        val fileNameOfBackupExcludedFile = File(externalStorageDir, "backup_excluded_secret.txt")
+        val fileContent = "secr3tPa\$\$W0rd\n"
+
+        try {
+            FileOutputStream(fileName).use { output ->
+                output.write(fileContent.toByteArray())
+                Log.d("WriteExternalStorage", "File written to external storage successfully.")
+            }
+            FileOutputStream(fileNameOfBackupExcludedFile).use { output ->
+                output.write(fileContent.toByteArray())
+                Log.d("WriteExternalStorage", "File written to external storage successfully.")
+            }
+        } catch (e: IOException) {
+            Log.e("WriteExternalStorage", "Error writing file to external storage", e)
+            return "ERROR!!\n\nError writing file to external storage"
+        }
+
+        return "SUCCESS!!\n\nFiles saved to $externalStorageDir"
+    }
+}

demos/android/MASVS-STORAGE/MASTG-DEMO-0014/backup_rules.xml

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<full-backup-content>
+    <exclude domain="file" path="backup_excluded_secret.txt" />
+</full-backup-content>

demos/android/MASVS-STORAGE/MASTG-DEMO-0014/output.txt

@@ -0,0 +1,2 @@
+/data/user/0/org.owasp.mastestapp/files/profileInstalled
+/data/user/0/org.owasp.mastestapp/files/secret.txt

demos/android/MASVS-STORAGE/MASTG-DEMO-0014/restored_files/secret.txt

@@ -0,0 +1 @@
+secr3tPa$$W0rd

demos/android/MASVS-STORAGE/MASTG-DEMO-0014/run.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+# USAGE: ./run.sh <package name>
+# EXAMPLE: ./run.sh org.owasp.mastestapp
+# SUMMARY: List all files restered from a backup
+
+# Script from https://developer.android.com/identity/data/testingbackup
+# Initialize and create a backup
+adb shell bmgr enable true
+adb shell bmgr transport com.android.localtransport/.LocalTransport | grep -q "Selected transport" || (echo "Error: error selecting local transport"; exit 1)
+adb shell settings put secure backup_local_transport_parameters 'is_encrypted=true'
+adb shell bmgr backupnow "$1" | grep -F "Package $1 with result: Success" || (echo "Backup failed"; exit 1)
+
+# Uninstall and reinstall the app to clear the data and trigger a restore
+apk_path_list=$(adb shell pm path "$1")
+OIFS=$IFS
+IFS=$'\n'
+apk_number=0
+for apk_line in $apk_path_list
+do
+    (( ++apk_number ))
+    apk_path=${apk_line:8:1000}
+    adb pull "$apk_path" "myapk${apk_number}.apk"
+done
+IFS=$OIFS
+adb shell pm uninstall --user 0 "$1"
+apks=$(seq -f 'myapk%.f.apk' 1 $apk_number)
+adb install-multiple -t --user 0 $apks
+
+# Clean up
+adb shell bmgr transport com.google.android.gms/.backup.BackupTransportService
+rm $apks
+
+echo "Done"
+
+
+# Demo script
+# You might need to enable root for ADB first with `adb root`
+adb shell "find /data/user/0/org.owasp.mastestapp/ -type f" > output.txt
+mkdir -p restored_files
+while read -r line; do
+  adb pull "$line" ./restored_files/
+done < output.txt

demos/ios/MASVS-STORAGE/MASTG-DEMO-0013/MASTG-DEMO-0013.md

@@ -0,0 +1,34 @@
+---
+platform: ios
+title: Sensitive Data Not Excluded From Backup
+code: [swift]
+id: MASTG-DEMO-0013
+test: MASTG-TEST-0210
+---
+
+### Sample
+
+The code snippet below shows sample code that creates a file and marks it with `isExcludedFromBackupKey`.
+
+{{ MastgTest.swift }}
+
+### Steps
+
+1. Unzip the app package and locate the main binary file (@MASTG-TECH-0058), which in this case is `./Payload/MASTestApp.app/MASTestApp`.
+2. Run `run.sh`.
+
+{{ run.sh }}
+
+### Observation
+
+The output contains information that `isExcludedFromBackupKey` was used in the app.
+
+{{ output.txt }}
+
+### Evaluation
+
+In the output we can see how the `kSecAttrKeySizeInBits` attribute is set to `1024` bits (0x400 in hexadecimal) using the `x8` register. This is later used to call `SecKeyCreateRandomKey`.
+
+{{ evaluation.txt }}
+
+iOS doesn't guarantee that any file marked with `isExcludedFromBackupKey` will be excluded from a backup. Encrypt this file if necessary.

demos/ios/MASVS-STORAGE/MASTG-DEMO-0013/MastgTest.swift

@@ -0,0 +1,27 @@
+import SwiftUI
+
+struct MastgTest {
+    static func mastgTest(completion: @escaping (String) -> Void) {
+    // Define the file name and create the file URL
+    let documentsDirectory = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask).first!
+    let fileName = "secret.txt"
+    var fileURL = documentsDirectory.appendingPathComponent(fileName)
+
+    // Create the file content
+    let fileContent = "MAS_API_KEY=8767086b9f6f976g-a8df76"
+
+    do {
+        try fileContent.write(to: fileURL, atomically: true, encoding: .utf8)
+
+        // Set the isExcludedFromBackup flag
+        var resourceValues = URLResourceValues()
+        resourceValues.isExcludedFromBackup = true
+
+        try fileURL.setResourceValues(resourceValues)
+
+    } catch {
+      completion("Error creating file: \(error)")
+    }
+    completion("File created and isExcludedFromBackup flag set to true")
+    }
+}

demos/ios/MASVS-STORAGE/MASTG-DEMO-0013/output.txt

@@ -0,0 +1 @@
+This app seems to exclude files from a backup but the developer might not be aware that the system doesn't guarantee that this file will be excluded from a backup. Make sure to encrypt this file if you want to prevent restoring this data.

demos/ios/MASVS-STORAGE/MASTG-DEMO-0013/run.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+if grep -qiE "isExcludedFromBackup|NSURLIsExcludedFromBackupKey" ./MASTestApp; then
+    echo "This app appears to exclude files from backups; however, the developer may not be aware that the system does not guarantee these files will be excluded. To ensure the protection of this data, make sure to encrypt the file if you want to prevent it from being restored." > output.txt
+else
+    echo "This app doesn't seem to use 'ExcludedFromBackup' flag." > output.txt
+fi

tests-beta/android/MASVS-STORAGE/MASTG-TEST-0211.md

@@ -0,0 +1,39 @@
+---
+platform: android
+title: Sensitive Data Not Excluded From Backup
+id: MASTG-TEST-0211
+type: [dynamic, filesystem]
+weakness: MASWE-0004
+---
+
+## Overview
+
+This test verifies whether your app correctly instructs the system to exclude sensitive files from backups. There are two distinct APIs for instructing the system to exclude files:
+
+1. [Auto Backup](https://developer.android.com/identity/data/autobackup)
+2. [Key-value backup](https://developer.android.com/identity/data/autobackup)
+Regardless of which API you use, Android provides a way to start the backup daemon to back up and restore your app's files. You can use this daemon to initiate the backup process and restore the app's data, allowing you to verify which files have been restored from the backup.
+
+## Steps
+
+1. Start the device.
+
+2. Install an app on your device.
+
+3. Launch and use the app going through the various workflows while inputting sensitive data wherever you can.
+
+4. Run the backup daemon.
+
+5. Uninstall the app and install it again. Don't open the app anymore.
+
+6. Restore the data from the backup.
+
+7. Verify that restored files don't contain sensitive data. Test both Private and Shared storage locations.
+
+## Observation
+
+After installing the app for the second time and restoring data from the backup, inspect the files inside the Private and Shared storages and note down files with sensitive content.
+
+## Evaluation
+
+Once you complete the list of restored files containing sensitive data, instruct the system to exclude them from the backup. If you use Auto Backup, mark them with `exclude` tag inside `backup_rules.xml` or `data_extraction_riles.xml` depending on your target API. Make sure you use fill out both `cloud-backup` and `device-transfer` parameters. If you use Key-value approach, set up your [BackupAgent](https://developer.android.com/identity/data/keyvaluebackup#BackupAgent) accordingly.

tests-beta/ios/MASVS-STORAGE/MASTG-TEST-0210.md

@@ -0,0 +1,23 @@
+---
+platform: ios
+title: Sensitive Data Not Excluded From Backup
+id: MASTG-TEST-0210
+type: [static, filesystem]
+weakness: MASWE-0004
+---
+
+## Overview
+
+iOS provides the [isExcludedFromBackup](https://developer.apple.com/documentation/foundation/urlresourcevalues/1780002-isexcludedfrombackup) API to guide the system not to back up a given file. However, this API does not guarantee that a file will be excluded. You can read more about it in the [Apple Documentation](https://developer.apple.com/documentation/foundation/optimizing_your_app_s_data_for_icloud_backup/). Therefore, the only way to properly protect your files from a backup is to encrypt them.
+
+## Steps
+
+1. Run a static analysis tool such as @MASTG-TOOL-0073 on the app binary, or use a dynamic analysis tool like @MASTG-TOOL-0039, and look for uses of `isExcludedFromBackup` API.
+
+## Observation
+
+Inspect all files that you marked with `isExcludedFromBackup`.
+
+## Evaluation
+
+Make sure to encrypt any files you want to protect from a backup, as `isExcludedFromBackup` does not guarantee that a file will be excluded.

weaknesses/MASVS-STORAGE/MASWE-0004.md

@@ -21,3 +21,28 @@
 
 ---
 
+## Overview
+
+iOS and Android automatically back up app data to cloud services, and users can also create local backups on physical machines, or backups are automatically created during data transfers when switching between phones. When developers fail to properly configure how their app handles backups and neglect to exclude sensitive files, the backups may contain sensitive user and app data. Under certain conditions, the backups may not be adequately secured by the cloud provider, or a malicious actor could tamper with the backed up files, potentially altering the app's behavior or extracting confidential information.
+
+## Impact
+
+- **Modification of app's behavior**: An attacker can tamper with data inside the backup, altering the app's logic. For example, they could modify a database that tracks the state of premium features and then restore the modified backup to the device. Another common scenario is backing up the device before redeeming a one-time coupon and restoring the backup afterward. This would allow the malicious actor to reuse the same coupon multiple times.
+
+- **Loss of confidentiality**: Sensitive data stored in backups (e.g., personal information, photos, documents, audio files) may be extracted by attackers, leading to privacy breaches.
+
+- **Leakage of authentication material**: An attacker can extract passwords, cryptographic keys, and session tokens to facilitate additional attacks, such as identity theft, account takeover, or unauthorized access.
+
+## Modes of Introduction
+
+- **Automatic System Backups**: By default, iOS and Android back up app data to the cloud once the user consents during the initial setup.
+
+- **Local Backups**: Users can back up their devices to local systems (e.g., laptops). If local backups are stored unencrypted or not securely handled, attackers could tamper with this data.
+
+- **Device-To-Device Transfer**: Transferring data between devices (e.g., via iCloud or Google’s device-to-device migration tools) enables an attacker to perform similar attacks.
+
+## Mitigations
+
+- Exclude sensitive files from backups using platform-specific attributes, such as `android:allowBackup` or `BackupAgent` with `excludeFromBackup` for Android. On iOS, API such as `NSURLIsExcludedFromBackupKey` [doesn't guarantee](https://developer.apple.com/documentation/foundation/optimizing_your_app_s_data_for_icloud_backup/#3928527) exclusion from the backup. Therefore, you should encrypt your data instead. 
+- Store sensitive data in locations excluded from backups by default, like the Keychain or `Library/Caches` on iOS.
+- Encrypt sensitive data before storage to ensure confidentiality, even if it gets backed up.