Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sensitive Data Leaked via Screenshots (by @guardsquare) #3112

Open
wants to merge 9 commits into
base: master
Choose a base branch
from
Open

Sensitive Data Leaked via Screenshots (by @guardsquare) #3112

wants to merge 9 commits into from

Conversation

serek8
Copy link
Collaborator

@serek8 serek8 commented Jan 13, 2025

This PR closes #2695

@serek8 serek8 mentioned this pull request Jan 13, 2025
Closed
@serek8 serek8 requested a review from cpholguera January 13, 2025 13:41
@serek8 serek8 changed the title Sensitive Data Leaked via Screenshots Sensitive Data Leaked via Screenshots (by @guardsquare) Jan 13, 2025
@sushi2k sushi2k requested review from sushi2k and removed request for cpholguera January 17, 2025 08:38
cpholguera
cpholguera reviewed Jan 17, 2025
View reviewed changes
weaknesses/MASVS-PLATFORM/MASWE-0055.md
- Screenshots not deleted when backgrounding
- Auto-Generated Screenshots
- https://developer.apple.com/documentation/uikit/uiscreen/2921651-iscaptured
- https://developer.apple.com/documentation/uikit/uitraitcollection/scenecapturestate
status: draft
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
status: draft
status: new

weaknesses/MASVS-PLATFORM/MASWE-0055.md
- Screenshots not deleted when backgrounding
- Auto-Generated Screenshots
- https://developer.apple.com/documentation/uikit/uiscreen/2921651-iscaptured
- https://developer.apple.com/documentation/uikit/uitraitcollection/scenecapturestate
status: draft

---

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mitigations section missing

weaknesses/MASVS-PLATFORM/MASWE-0055.md
Comment on lines -18 to -19
- Screenshots not deleted when backgrounding
- Auto-Generated Screenshots
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what about these 2 topics? Shouldn't we add them as Modes of Introduction & tests?

cpholguera
cpholguera requested changes Jan 30, 2025
View reviewed changes
demos/ios/MASVS-PLATFORM/MASTG-DEMO-0021/MASTG-DEMO-0020.md
@@ -0,0 +1,30 @@
---
platform: ios
title: References to Screen Capturing API
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about?

Suggested change
title: References to Screen Capturing API
title: Uses of Screen Capturing APIs with r2

tests-beta/ios/MASVS-STORAGE/MASTG-TEST-2040.md
@@ -0,0 +1,28 @@
---
title: References to Screen Capturing API
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
title: References to Screen Capturing API
title: References to Screen Capturing APIs

tests-beta/ios/MASVS-STORAGE/MASTG-TEST-2040.md
---
title: References to Screen Capturing API
platform: ios
id: MASTG-TEST-0240
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

check file name

tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0216.md
@@ -0,0 +1,26 @@
---
title: Sensitive Data Leaked via Screenshots
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what about?

Suggested change
title: Sensitive Data Leaked via Screenshots
title: References to Screen Capturing Prevention APIs

tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0216.md
platform: android
id: MASTG-TEST-0216
type: [static]
weakness: MASWE-0055
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add best-practices:

tests-beta/ios/MASVS-STORAGE/MASTG-TEST-2040.md
platform: ios
id: MASTG-TEST-0240
type: [static]
weakness: MASWE-0055
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add best-practices:

demos/android/MASVS-PLATFORM/MASTG-DEMO-0021/MASTG-DEMO-0021.md
@@ -0,0 +1,29 @@
---
platform: android
title: Sensitive Data Leaked via Screenshots
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
title: Sensitive Data Leaked via Screenshots
title: Uses of FLAG_SECURE with semgrep

demos/ios/MASVS-PLATFORM/MASTG-DEMO-0021/MASTG-DEMO-0020.md

### Evaluation

The test succeeds because the app contains API that detects screen capturing. It's difficult to say whether the app actually uses this API but its presence indicates that the developer is aware of this API.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

...or if it applies to the relevant screens (?)

tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0216.md
Comment on lines +13 to +14
- [FLAG_SECURE](https://developer.android.com/security/fraud-prevention/activities#flag_secure) - prevents screen recording
- [DETECT_SCREEN_CAPTURE](https://developer.android.com/about/versions/14/features/screenshot-detection#implementation) - detects when a screenshot is taken
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- [FLAG_SECURE](https://developer.android.com/security/fraud-prevention/activities#flag_secure) - prevents screen recording
- [DETECT_SCREEN_CAPTURE](https://developer.android.com/about/versions/14/features/screenshot-detection#implementation) - detects when a screenshot is taken
- [`FLAG_SECURE`](https://developer.android.com/security/fraud-prevention/activities#flag_secure): prevents screen recording.
- [`DETECT_SCREEN_CAPTURE`](https://developer.android.com/about/versions/14/features/screenshot-detection#implementation): detects when a screenshot is taken.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cpholguera cpholguera cpholguera requested changes

@sushi2k sushi2k Awaiting requested review from sushi2k

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
changes-requested
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[MASWE-0055] New MASWE Weakness
2 participants
@serek8 @cpholguera