Port MASTG-TEST-0073 (by @guardsquare) #3051
Draft: wants to merge 1 commit into base: master
31 changes: 31 additions & 0 deletions tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x73-1.md
@@ -0,0 +1,31 @@
---
platform: ios
title: Possible Leakage of Sensitive Data via UIPasteboard
id: MASTG-TEST-0x73-1
type: [static]
weakness: MASWE-0053
threat: [user]
---

## Overview

The systemwide general pasteboard can be obtained by the [`generalPasteboard`](https://developer.apple.com/documentation/uikit/uipasteboard/1622106-generalpasteboard "UIPasteboard generalPasteboard") function. The general pasteboard enables easy sharing of information between apps. However, it can also leak sensitive data, since every app and [potentially even other devices](https://developer.apple.com/documentation/uikit/uipasteboard#3671087 "UIPasteboard") can request the contents. Since iOS 16.0 this requires user interaction.

When you are dealing with sensitive data, usage of the general pasteboard should be avoided. This static test case identifies whether the app uses the general pasteboard.

## Steps

1. Extract the package as described in @MASTG-TECH-0058.
2. Perform static analysis as described in @MASTG-TECH-0066 or if the code is not available look for calls to
`UIPasteboard.generalPasteboard` using @MASTG-TECH-0076.

## Observation

The code or disassembly could contain calls to `UIPasteboard.generalPasteboard`.

## Evaluation

The test fails if there are calls to `UIPasteboard.generalPasteboard` and sensitive data is written into the resulting object with [`addItems`](https://developer.apple.com/documentation/uikit/uipasteboard/1622101-additems "Apple Developer"), [`setItems`](https://developer.apple.com/documentation/uikit/uipasteboard/1829417-setitems "Apple Developer"), [`setData`](https://developer.apple.com/documentation/uikit/uipasteboard/1622075-setdata "Apple Developer") or [`setValue`](https://developer.apple.com/documentation/uikit/uipasteboard/1622079-setvalue "Apple Developer").

The usage of the general systemwide pasteboard should be avoided when dealing with sensitive data. Prefer using a
[custom app pasteboard](https://developer.apple.com/documentation/uikit/uipasteboard/1622087-withuniquename "Apple Developer") instead.
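Review bot: The Evaluation in this hunk ("the test fails if there are calls to `UIPasteboard.generalPasteboard` and sensitive data is written into the resulting object with `addItems`, `setItems`, `setData` or `setValue`") sets a stricter condition than the Observation supports, since the Observation only records that calls to `UIPasteboard.generalPasteboard` exist; either the Observation should also ask the tester to follow the data flowing into those write calls, or the Evaluation should be reduced to what a static scan can establish. Two smaller points: in Swift the same pasteboard is reached through the `UIPasteboard.general` property and data is most often written through property setters such as `string`, `strings`, `url` or `image` rather than the four methods listed, so a source-level search for only `generalPasteboard`, `addItems`, `setItems`, `setData` and `setValue` will miss common cases and Step 2 and the Evaluation should name those as well; and the id `MASTG-TEST-0x73-1` and the file name `MASTG-TEST-0x73-1.md` still carry the `0x73` placeholder from the PR title's `MASTG-TEST-0073`, which needs a final numeric id before merge.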
25 changes: 25 additions & 0 deletions tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x73-2.md
@@ -0,0 +1,25 @@
---
platform: ios
title: Leakage of Sensitive Data via UIPasteboard
id: MASTG-TEST-0x73-2
type: [dynamic]
weakness: MASWE-0053
threat: [user]
---

## Overview

The systemwide general pasteboard can be obtained by the [`generalPasteboard`](https://developer.apple.com/documentation/uikit/uipasteboard/1622106-generalpasteboard "UIPasteboard generalPasteboard") function. The general pasteboard enables easy sharing of information between apps. However, it can also leak sensitive data, since every app and [potentially even other devices](https://developer.apple.com/documentation/uikit/uipasteboard#3671087 "UIPasteboard") can request the contents. Since iOS 16.0 this requires user interaction.

When you are dealing with sensitive data, usage of the general pasteboard should be avoided. This dynamic test case identifies not only whether the app uses the general pasteboard but also if sensitive data is passed into it.

## Steps

1. Apply @MASTG-TECH-0067 or @MASTG-TECH-0079 to trace calls to [`addItems`](https://developer.apple.com/documentation/uikit/uipasteboard/1622101-additems "Apple Developer"), [`setItems`](https://developer.apple.com/documentation/uikit/uipasteboard/1829417-setitems "Apple Developer"), [`setData`](https://developer.apple.com/documentation/uikit/uipasteboard/1622075-setdata "Apple Developer") or [`setValue`](https://developer.apple.com/documentation/uikit/uipasteboard/1622079-setvalue "Apple Developer") on objects obtained from calling [`generalPasteboard`](https://developer.apple.com/documentation/uikit/uipasteboard/1622106-generalpasteboard "Apple Developer").

## Evaluation

The test fails if sensitive data (possibly entered during dynamic analysis) is traced during a write operation.

The usage of the general systemwide pasteboard should be avoided when dealing with sensitive data. Prefer using a
[custom app pasteboard](https://developer.apple.com/documentation/uikit/uipasteboard/1622087-withuniquename "Apple Developer") instead.
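Review bot: This hunk has no `## Observation` section between `## Steps` and `## Evaluation`, unlike the static counterpart, so the tester is never told what the trace output should contain (the traced method, the receiver obtained from `generalPasteboard`, and the argument values); add one so the Evaluation's "sensitive data ... is traced during a write operation" has something concrete to refer to. Step 1 has the same coverage gap as the static test: tracing only `addItems`, `setItems`, `setData` and `setValue` misses writes done through the `UIPasteboard` properties (`string`, `strings`, `url`, `image` and the like), which in Swift code are plain assignments and at runtime surface as the corresponding setter selectors, so those should be included in the hook list. Finally, "sensitive data (possibly entered during dynamic analysis)" in the Evaluation would be clearer if it stated that the tester should enter known marker values into the app's sensitive fields and then look for those exact values in the traced arguments.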