Port MASTG-TEST-0053 (by @guardsquare)

demos/ios/MASVS-STORAGE/MASTG-DEMO-0023/MASTG-DEMO-0023.md

@@ -0,0 +1,33 @@
+---
+platform: ios
+title: Monitor secrets in logs
+code: [swift]
+id: MASTG-DEMO-0x53
+test: MASTG-TEST-0024
+---
+
+### Sample
+
+The code snippet below shows sample code that logs a sensitive token.
+
+{{ MastgTest.swift }}
+
+### Steps
+
+1. Install the app
+2. Run `run.sh`
+3. Exercise the app to trigger the logging
+4. Close the app
+5. Press Ctrl+C to stop capturing the logs
+
+{{ run.sh }}
+
+### Observation
+
+The `output.txt` contains all logged strings.
+
+{{ output.txt }}
+
+### Evaluation
+
+The test fails because we can see `TOKEN=123` inside the logs.

demos/ios/MASVS-STORAGE/MASTG-DEMO-0023/MastgTest.swift

@@ -0,0 +1,17 @@
+import SwiftUI
+
+struct MastgTest {
+
+  static func mastgTest(completion: @escaping (String) -> Void) {
+
+    let token = "TOKEN=123"
+
+    print("Leaking \(token) from print")
+    NSLog("Leaking \(token) from NSLog")
+    // Commented out for dynamic analysis because these APIs would crash
+    //    assertionFailure("Leaking \(token) from assertionFailure")
+    //    preconditionFailure("Leaking \(token) from preconditionFailure")
+    //    assert(false, "Leaking \(token) from assert")
+    completion("Successfully logged a token: \(token)")
+  }
+}

demos/ios/MASVS-STORAGE/MASTG-DEMO-0023/output.txt

@@ -0,0 +1,9 @@
+[connected]
+Nov  5 13:29:17 MASTestApp(UIKitCore)[7234] <Notice>: Sending UIEvent type: 0; subtype: 0; to window: <UIWindow: 0x10690cc10>; contextId: 0x8FE81D3D
+Nov  5 13:29:17 MASTestApp(libswiftFoundation.dylib)[7234] <Notice>: Leaking TOKEN=123 from NSLog
+Nov  5 13:29:17 SpringBoard(UIKitCore)[378] <Notice>: Evaluating dispatch of UIEvent: 0x280f21a40; type: 0; subtype: 0; backing type: 11; shouldSend: 1
+Nov  5 13:29:17 SpringBoard(UIKitCore)[378] <Notice>: Sending UIEvent type: 0; subtype: 0; to windows: 1
+Nov  5 13:29:17 SpringBoard(UIKitCore)[378] <Notice>: Sending UIEvent type: 0; subtype: 0; to window: <_UISystemGestureWindow: 0x102f076f0>;
+Nov  5 13:29:18 symptomsd(SymptomEvaluator)[458] <Notice>: Data Usage for online-auth-agent on flow 144852 - 
+Nov  5 13:29:18 symptomsd(SymptomEvaluator)[458] <Notice>: NBSM: TCP metrics iteration:5603 since 30.00 secs
+Nov  5 13:29:18 symptomsd(SymptomEvaluator)[458] <Notice>: NBSM: TCP progress metrics score: 0, problem ratio: 0.00 (baseline: 0.00)

demos/ios/MASVS-STORAGE/MASTG-DEMO-0023/run.sh

@@ -0,0 +1 @@
+idevicesyslog > output.txt

demos/ios/MASVS-STORAGE/MASTG-DEMO-0024/MASTG-DEMO-0024.md

@@ -0,0 +1,37 @@
+---
+platform: ios
+title: Uses of logging APIs with r2
+code: [swift]
+id: MASTG-DEMO-0x53
+test: MASTG-TEST-0024
+---
+
+### Sample
+
+The code snippet below shows sample code that logs a sensitive token.
+
+{{ MastgTest.swift }}
+
+### Steps
+
+1. Unzip the app package and locate the main binary file (@MASTG-TECH-0058), which in this case is `./Payload/MASTestApp.app/MASTestApp`.
+2. Run `run.sh` to find all occurrences of `NSLog`.
+3. Repeat the same steps as in `run.sh` using another such as e.g. `print`.
+
+{{ run.sh }}
+
+### Observation
+
+The `output.asm` contains location of `NSLog` usage in the binary.
+
+{{ output.asm }}
+
+Reading `output.asm` doesn't clearly show what arguments are passed to `NSLog`, so you can also make use of `function.asm` for a better overview.
+
+### Evaluation
+
+The test fails because there is a call to `NSLog` which takes the secret token as an argument.
+
+### Mitigation
+
+Instead of using APIs such as `NSLog` or `print`, use a macro statement that you can easily disable in the release builds.

demos/ios/MASVS-STORAGE/MASTG-DEMO-0024/MastgTest.swift

@@ -0,0 +1,16 @@
+import SwiftUI
+
+struct MastgTest {
+
+  static func mastgTest(completion: @escaping (String) -> Void) {
+
+    let token = "TOKEN=123"
+
+    print("Leaking \(token) from print")
+    NSLog("Leaking \(token) from NSLog")
+    assertionFailure("Leaking \(token) from assertionFailure")
+    preconditionFailure("Leaking \(token) from preconditionFailure")
+    assert(false, "Leaking \(token) from assert")
+    completion("Successfully logged a token: \(token)")
+  }
+}

demos/ios/MASVS-STORAGE/MASTG-DEMO-0024/loggingApis.r2

@@ -0,0 +1,18 @@
+e asm.bytes = false
+e scr.color=false
+e asm.var=false
+
+!printf "Uses of NSLog:\n"
+afl~NSLog
+
+!printf "\n"
+
+!printf "xrefs to NSLog:\n"
+axt @ 0x10000c6a4
+
+!printf "\n"
+!printf "Invocation of NSLog:\n"
+
+pd-- 5 @ 0x100004304
+
+pdf @ 0x1000042f4 > function.asm

demos/ios/MASVS-STORAGE/MASTG-DEMO-0024/output.asm

@@ -0,0 +1,18 @@
+Uses of NSLog:
+0x10000c6a4    1 12           sym.imp.Foundation.NSLog_Swift.String__Swift.CVarArg..._______
+
+xrefs to NSLog:
+(nofunc) 0x100000120 [UNKNOWN] invalid
+sym.__s10MASTestApp9MastgTestV05mastgD010completionyySSc_tFZ 0x100004304 [CALL] bl sym.imp.Foundation.NSLog_Swift.String__Swift.CVarArg..._______
+
+Invocation of NSLog:
+│           0x1000042f0      bl sym Swift._allocateUninitializedArray<A>(Builtin.Word) -> (Swift.Array<A>, Builtin.RawPointer) ; sym.imp.Swift._allocateUninitializedArray_A__Builtin.Word______Swift.Array_A___Builtin.RawPointer_
+│           0x1000042f4      ldr x1, [var_c0h]                         ; 0x4 ; 4
+│           0x1000042f8      mov x2, x0
+│           0x1000042fc      ldr x0, [var_b0h]                         ; 0x4 ; 4
+│           0x100004300      str x2, [var_b8h]
+│           0x100004304      bl sym.imp.Foundation.NSLog_Swift.String__Swift.CVarArg..._______
+│           0x100004308      ldr x0, [var_b8h]                         ; 0x4 ; 4
+│           0x10000430c      bl sym.imp.swift_bridgeObjectRelease
+│           0x100004310      ldr x0, [var_c0h]                         ; 0x4 ; 4
+│           0x100004314      bl sym.imp.swift_bridgeObjectRelease

demos/ios/MASVS-STORAGE/MASTG-DEMO-0024/run.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+r2 -q -i loggingApis.r2 -A MASTestApp > output.asm

tests-beta/ios/MASVS-STORAGE/MASTG-TEST-0x53-1.md

@@ -0,0 +1,33 @@
+---
+platform: ios
+title: Insertion of Sensitive Data into Logs
+id: MASTG-TEST-0x53
+type: [dynamic]
+weakness: MASWE-0001
+---
+
+## Overview
+
+On iOS platform, logging APIs like NSLog, NSAssert, NSCAssert, print and printf can inadvertently lead to the leakage of sensitive information. Log messages are recorded in Console and you can access them by `Xcode` or `idevicesyslog`. Although other apps on the device cannot read these logs, direct logging is generally discouraged due to its potential for data leakage.
+
+In this test, we will use dynamic analysis to verify what data is logged to the Console.
+
+## Steps
+
+1. Install the app
+2. Start recording the logs
+3. Run the app
+4. Navigate to the screen of the mobile app you want to analyse the log output from
+5. Close the app
+
+## Observation
+
+The output should contain all logged data.
+
+## Evaluation
+
+The test case fails if you can find sensitive data inside the output. Ideally, a production app shouldn’t use any logging functions at all.
+
+### Mitigation
+
+Instead of using APIs such as `NSLog` or `print`, use a macro statement that you can easily disable in the release builds.

tests-beta/ios/MASVS-STORAGE/MASTG-TEST-0x53-2.md

@@ -0,0 +1,29 @@
+---
+platform: ios
+title: Insertion of Sensitive Data into Logs
+id: MASTG-TEST-0x53
+type: [static]
+weakness: MASWE-0001
+---
+
+## Overview
+
+On iOS platform, logging APIs like NSLog, NSAssert, NSCAssert, print and printf can inadvertently lead to the leakage of sensitive information. Log messages are recorded in Console and you can access them by `Xcode` or `idevicesyslog`. Although other apps on the device cannot read these logs, direct logging is generally discouraged due to its potential for data leakage
+
+In this test, we will use static analysis to verify whether an app has any logging API which takes sensitive data.
+
+## Steps
+
+1. Run a static analysis tool such as @MASTG-TOOL-0073 on the app binary and look for uses of logging api API.
+
+## Observation
+
+The output should include the location of all logging functions. Check the decompiled code to verify if they receive sensitive data as input.
+
+## Evaluation
+
+The test case fails if you can find the use of APIs such as `NSLog` or `print`. Ideally, a production app shouldn’t use any logging functions at all.
+
+### Mitigation
+
+Instead of using APIs such as `NSLog` or `print`, use a macro statement that you can easily disable in the release builds.

tests/ios/MASVS-STORAGE/MASTG-TEST-0053.md

@@ -8,6 +8,8 @@ title: Checking Logs for Sensitive Data
 masvs_v1_levels:
 - L1
 - L2
+status: deprecated
+overed_by: [MASTG-TEST-0x53-1, MASTG-TEST-0x53-2]
 ---
 
 ## Overview