New Risk for OWASP#2541

risks/MASVS-STORAGE/backup-unencrypted/README.md

@@ -0,0 +1,38 @@
+# MASTG Backup Risks Folder Structure
+
+This folder contains structured information for managing backup risks on Android and iOS platforms according to MASTG guidelines.
+
+## Structure Overview
+
+- `risk.md`: Contains a detailed overview of the unencrypted backup risk, its impact, modes of introduction, and migration strategies.
+- `android-backup-unencrypted-use`: For Android applications using unencrypted backups.
+  - `rules`: YAML files for static analysis checks.
+  - `example`: Java and XML examples demonstrating risks and mitigation techniques.
+- `ios-backup-unencrypted-use`: For iOS applications at risk of including sensitive data in unencrypted backups.
+  - `rules`: detect_sensitive_data_storage.yaml: A Semgrep rule to identify potential storage of sensitive data in ways that might be included in backups. Encourages review to ensure data is encrypted and properly excluded from backups.
+  - `example`: SensitiveDataStorageExample.swift: Demonstrates handling of data in ways that could be included in unencrypted backups, along with techniques to exclude or encrypt such data properly.
+  - `run.sh`: Script to facilitate running static analysis against the Swift example code, providing findings that highlight areas needing secure data handling attention.
+
+## Running the Examples and Rules
+
+### Android
+
+1. **Static Analysis Rules**:
+   - Use tools like Semgrep with the provided YAML rules to automatically scan your Android project for potential backup risks.
+   - Command example: `semgrep -f path/to/rule.yaml path/to/android/project`
+
+2. **Examples**:
+   - Review and run the example codes in your IDE or command line to understand the implications of unencrypted backups and how to mitigate them.
+   - For shell scripts, make them executable (`chmod +x script.sh`) and run them directly.
+
+### iOS
+
+1. **Review Guidelines**:
+   - Manually review your iOS project against the guidelines provided in the `rules` folder to ensure sensitive data is properly excluded from backups.
+
+2. **Examples**:
+   - Compile and run the Swift examples in Xcode to test excluding files from backups.
+   - Modify the Swift code as needed to fit the specific paths and files in your application.
+
+## Note
+These examples and rules are provided as a starting point. Always customize and extend them according to your application's specific needs and backup practices.

risks/MASVS-STORAGE/backup-unencrypted/android-backup-unencrypted-use/README.md

@@ -0,0 +1,9 @@
+Demo Java Files:
+InsecureStorageDemo.java and CloudBackupCheck.java demonstrate potential insecure storage practices that could lead to sensitive data being included in unencrypted backups. These examples align with illustrating the risk related to MASVS-STORAGE-2.
+
+Detection Rules
+- Unencrypted Android Backups: Detects when the allowBackup attribute is enabled, potentially leading to unencrypted data backups.
+- Cloud Backup of Sensitive Data: Flags potential inclusion of sensitive data in cloud backups without proper exclusion settings.
+- SharedPreferences Sensitive Data: Identifies usage of SharedPreferences to store sensitive data, which might not be encrypted by default.
+- Missing Encryption in Data Handling: Highlights instances where sensitive data might be handled without apparent encryption, indicating a potential risk.
+- External Storage Sensitive Data: Warns about writing sensitive data to external storage, which can be accessed by any app with the right permissions, without encrypting the data first.

risks/MASVS-STORAGE/backup-unencrypted/android-backup-unencrypted-use/example/DisableBackupAndroidManifest.xml

@@ -0,0 +1 @@
+allowBackup=true

risks/MASVS-STORAGE/backup-unencrypted/android-backup-unencrypted-use/example/InsecureStorageDemo.java

@@ -0,0 +1,28 @@
+// InsecureStorageDemo.java
+import android.content.Context;
+import android.content.SharedPreferences;
+import android.os.Environment;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.OutputStreamWriter;
+
+public class InsecureStorageDemo extends Context {
+    public void insecureDataStorageMethod() {
+        SharedPreferences prefs = getSharedPreferences("user_prefs", MODE_PRIVATE);
+        // Insecurely storing sensitive data in SharedPreferences without encryption
+        prefs.edit().putString("authToken", "123456789").apply();
+
+        // Attempting to store data in external storage without encryption
+        try {
+            File externalStorage = Environment.getExternalStorageDirectory();
+            File myFile = new File(externalStorage, "sensitiveData.txt");
+            FileOutputStream fos = new FileOutputStream(myFile);
+            OutputStreamWriter osw = new OutputStreamWriter(fos);
+            osw.write("Sensitive information, like passwords or personal info.");
+            osw.close();
+            fos.close();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}

risks/MASVS-STORAGE/backup-unencrypted/android-backup-unencrypted-use/example/example-1/DisableBackupAndroidManifest.xml

@@ -0,0 +1,4 @@
+<!-- SUMMARY: Demonstrates an AndroidManifest configuration that does not disable backups, leading to unencrypted backup use. -->
+<application android:allowBackup="true" ...>
+  ...
+</application>

risks/MASVS-STORAGE/backup-unencrypted/android-backup-unencrypted-use/example/example-1/checkBackupSetting.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+# Check for allowBackup setting in AndroidManifest.xml
+if grep 'android:allowBackup="true"' DisableBackupAndroidManifest.xml; then
+  echo "FAIL: Unencrypted backup allowed. Set allowBackup to false."
+else
+  echo "PASS: Backup is securely configured or disabled."
+fi

risks/MASVS-STORAGE/backup-unencrypted/android-backup-unencrypted-use/example/example-2/CloudBackupCheck.java

@@ -0,0 +1,9 @@
+// SUMMARY: Example demonstrates checking if sensitive information might be backed up to the cloud without encryption.
+
+// Use SharedPreferences to store sensitive data
+SharedPreferences prefs = getSharedPreferences("user_prefs", MODE_PRIVATE);
+SharedPreferences.Editor editor = prefs.edit();
+editor.putString("authToken", "sensitive_token_here"); // Potential risk if cloud backups are enabled.
+editor.apply();
+
+// Recommendation: Exclude sensitive data from auto backups or encrypt before backup.

risks/MASVS-STORAGE/backup-unencrypted/android-backup-unencrypted-use/rules/backup-unencrypted-rule.yaml

@@ -0,0 +1,6 @@
+rules:
+  - id: android-backup-unencrypted-use
+    severity: ERROR
+    languages: [xml]
+    message: "The allowBackup attribute is set to true, allowing for potential unencrypted backups. Consider setting allowBackup to false or implementing encryption."
+    pattern: <application android:allowBackup="true" ...>

risks/MASVS-STORAGE/backup-unencrypted/android-backup-unencrypted-use/rules/cloud-backup-sensitive-data-rule.yaml

@@ -0,0 +1,8 @@
+rules:
+  - id: android-cloud-backup-sensitive-data
+    severity: WARNING
+    languages: [xml]
+    message: "Sensitive data may be included in cloud backups. Ensure that sensitive information is encrypted before being sent to the cloud."
+    patterns:
+      - pattern: <application ... android:allowBackup="true" ...>
+      - pattern-not: <meta-data android:name="com.google.android.backup.EXCLUDE" ...>

risks/MASVS-STORAGE/backup-unencrypted/android-backup-unencrypted-use/rules/external_storage_sensitive_data.yaml

@@ -0,0 +1,15 @@
+rules:
+- id: android-external-storage-sensitive-data
+  languages: [java, kotlin]
+  message: "Sensitive data detected being written to external storage, which can be accessed by any app with READ_EXTERNAL_STORAGE permission. Ensure this data is encrypted before writing or avoid using external storage for sensitive data."
+  severity: WARNING
+  patterns:
+    - pattern: |
+        new java.io.FileOutputStream(new java.io.File(android.os.Environment.getExternalStorageDirectory(), $FILENAME))
+    - pattern: |
+        new java.io.FileWriter(new java.io.File(android.os.Environment.getExternalStorageDirectory(), $FILENAME))
+  metadata:
+    category: security
+    technology: [android]
+    references:
+      - https://developer.android.com/training/data-storage

risks/MASVS-STORAGE/backup-unencrypted/android-backup-unencrypted-use/rules/missing_encryption_api_usage.yaml

@@ -0,0 +1,15 @@
+rules:
+- id: android-missing-encryption-api-usage
+  languages: [java, kotlin]
+  message: "Potential unencrypted sensitive data handling detected. Review to ensure that sensitive data is properly encrypted."
+  severity: WARNING
+  patterns:
+    - pattern-not: $ENCRYPTOR.encrypt($DATA, ...)
+    - pattern-not: $ENCRYPTOR.decrypt($DATA, ...)
+    - pattern: $PREFS.edit().putString($KEY, $VALUE)
+    - pattern: $PREFS.getString($KEY, $DEFAULT_VALUE)
+  metadata:
+    category: security
+    technology: [android]
+    references:
+      - https://developer.android.com/guide/topics/security/cryptography

risks/MASVS-STORAGE/backup-unencrypted/android-backup-unencrypted-use/rules/sharedpreferences_sensitive_data.yaml

@@ -0,0 +1,7 @@
+rules:
+- id: android-sharedpreferences-sensitive-data
+  languages: [java, kotlin]
+  message: "SharedPreferences might contain sensitive data. Ensure any stored information is not sensitive or is encrypted."
+  severity: WARNING
+  pattern: |
+    $PREFS.edit().putString($KEY, $VALUE);

risks/MASVS-STORAGE/backup-unencrypted/android-backup-unencrypted-use/run.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Define the project and rules directories
+PROJECT_DIR="./example"
+RULES_DIR="./rules"
+
+# Running Semgrep with all the rules against the project directory
+semgrep --config=$RULES_DIR/backup-unencrypted-rule.yaml \
+        --config=$RULES_DIR/sharedpreferences_sensitive_data.yaml \
+        --config=$RULES_DIR/cloud-backup-sensitive-data-rule.yaml \
+        --config=$RULES_DIR/external_storage_sensitive_data.yaml \
+        --config=$RULES_DIR/missing_encryption_api_usage.yaml \
+        $PROJECT_DIR
+
+echo "Semgrep analysis completed."

risks/MASVS-STORAGE/backup-unencrypted/ios-backup-unencrypted-use/README.md

@@ -0,0 +1,8 @@
+# Patterns of Concern
+We specifically look for the following patterns in iOS applications to ensure sensitive data is handled securely:
+
+- UserDefaults for Sensitive Data: Storing sensitive information, such as tokens or personal identifiers, in UserDefaults. This storage mechanism is not encrypted and can be easily accessed once the device is compromised.
+- FileManager for Direct File Creation: Using FileManager to directly create files without encrypting the data first. These files can be included in backups and might be accessible to attackers or through data leaks.
+- Loading Data with NSKeyedArchiver Without Secure Coding: Serializing objects using NSKeyedArchiver without requiring secure coding can lead to sensitive data being saved in an unencrypted form, posing a risk if the serialized data includes user information or credentials.
+- Core Data Persistent Stores Without Encryption: Configuring Core Data without file encryption, which can result in the database being easily accessible and readable outside of the application's secure context.
+- Disabling File Protection: Explicitly setting file protection attributes to none, thereby disabling the built-in encryption iOS provides for file storage. This makes the stored data vulnerable to unauthorized access.

risks/MASVS-STORAGE/backup-unencrypted/ios-backup-unencrypted-use/examples/SensitiveDataStorageExample.swift

@@ -0,0 +1,39 @@
+import Foundation
+import CoreData
+
+class SensitiveDataHandlingExample {
+
+    func storeUserToken() {
+        // UserDefaults storage that might be backed up
+        UserDefaults.standard.set("user_secret_token", forKey: "AuthToken")
+
+        // Direct file creation that might be included in backups
+        let sensitiveData = "Sensitive information".data(using: .utf8)!
+        FileManager.default.createFile(atPath: "SensitiveData.txt", contents: sensitiveData, attributes: nil)
+
+        // Loading data from a file, potential misuse could lead to sensitive data exposure
+        let _ = try? Data(contentsOf: URL(fileURLWithPath: "path/to/sensitive/file"), options: .dataReadingMapped)
+
+        // Reading a file into a string, potential for sensitive data exposure
+        let _ = try? String(contentsOfFile: "path/to/another/sensitive/file")
+
+        // Serializing an object without secure coding, might be insecure
+        let userPreferences = ["theme": "dark", "notificationsEnabled": true]
+        let _ = try? NSKeyedArchiver.archivedData(withRootObject: userPreferences, requiringSecureCoding: false, error: nil)
+
+        // Creating a CoreData persistent store without encryption
+        let container = NSPersistentContainer(name: "MyAppModel")
+        container.persistentStoreDescriptions.first?.setValue(FileProtectionType.none.rawValue, forKey: "NSPersistentStoreFileProtectionKey")
+
+        // Setting file attributes to disable encryption
+        let filePath = "path/to/file/that/should/be/encrypted"
+        try? FileManager.default.setAttributes([FileAttributeKey.protectionKey: FileProtectionType.none], ofItemAtPath: filePath)
+    }
+
+    func excludeFileFromBackup(filePath: String) {
+        guard let url = URL(string: filePath) else { return }
+        var resourceValues = URLResourceValues()
+        resourceValues.isExcludedFromBackup = true
+        try? url.setResourceValues(resourceValues)
+    }
+}

risks/MASVS-STORAGE/backup-unencrypted/ios-backup-unencrypted-use/rules/detect_sensitive_data_storage.yaml

@@ -0,0 +1,28 @@
+rules:
+  - id: ios-sensitive-data-storage-expanded
+    languages: [swift]
+    message: "Detect storage or handling of potentially sensitive data that might be included in backups. Review to ensure data is encrypted and properly excluded from backups."
+    severity: WARNING
+    pattern-either:
+      - pattern: |
+          UserDefaults.standard.set($VALUE, forKey: $KEY)
+      - pattern: |
+          FileManager.default.createFile(atPath: $PATH, contents: $DATA, attributes: ...)
+      - pattern: |
+          let $DATA = Data(contentsOf: $URL)
+      - pattern: |
+          let $STRING = String(contentsOfFile: $PATH)
+      - pattern: |
+          NSKeyedArchiver.archivedData(withRootObject: $OBJECT, requiringSecureCoding: false, error: $ERROR)
+      - pattern: |
+          CoreDataStack.persistentContainer.persistentStoreDescriptions.first?.setValue(false, forKey: "NSPersistentStoreFileProtectionKey")
+      - pattern: |
+          FileManager.default.setAttributes([$ATTR: FileAttributeType.protectionNone], ofItemAtPath: $PATH)
+    metadata:
+      category: security
+      technology: [ios]
+      references:
+        - "https://developer.apple.com/documentation/foundation/nsurlisexcludedfrombackupkey"
+        - "https://developer.apple.com/documentation/foundation/nskeyedarchiver"
+        - "https://developer.apple.com/documentation/coredata/protecting_data_using_encryption"
+        - "https://developer.apple.com/documentation/foundation/filemanager/1412643-setattributes"

risks/MASVS-STORAGE/backup-unencrypted/ios-backup-unencrypted-use/run.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Define paths
+RULES_DIR="./rules"
+EXAMPLE_DIR="./examples"
+
+# Placeholder for running Semgrep (or guiding manual review)
+echo "Running static analysis for iOS backup security..."
+semgrep --config=$RULES_DIR/detect_sensitive_data_storage.yaml $EXAMPLE_DIR
+
+echo "Review the guidelines in the Rules directory for manual analysis steps."

risks/MASVS-STORAGE/backup-unencrypted/risk.md

@@ -0,0 +1,41 @@
+Title: Backup Unencrypted 
+Alias: backup-unencrypted 
+Platform: [android] 
+Profiles: [L2] 
+Mappings: 
+masvs-v1: [MSTG-STORAGE-8] 
+masvs-v2: [MASVS-STORAGE-2, MASVS-PRIVACY-1] 
+mastg-v1: [MASTG-TEST-0058, MASTG-TEST-0009]
+
+
+## Overview
+Mobile applications frequently store data, whether locally on the device, in external storage, or on cloud services. This data can range from non-sensitive app preferences to highly sensitive user information or cryptographic keys. The security of this data, especially when backed up, is paramount. Unencrypted backups pose a significant risk as they can be accessed by unauthorized individuals, potentially leading to data breaches.
+
+## Impact
+An attacker with access to an application's backup file can retrieve any unencrypted data that the application has backed up. As a result, any sensitive data exposed can be used by the attacker in future attacks or be readily exploited.
+
+## Modes of Introduction
+Default Settings: Most mobile operating systems do not encrypt backups by default, leading to potential data leakage.
+Custom Solutions: Developers' custom backup solutions may not always implement encryption correctly.
+Third-party Services: Use of third-party backup services without ensuring data is encrypted before transfer.
+Development Practices: Encryption may be disabled for debugging purposes and not re-enabled for production releases.
+
+## Migration
+Encrypt Backup Data: Ensure all backup data is encrypted using strong encryption algorithms. Utilize platform features like Android's Backup Service API to encrypt data before it is backed up.
+Secure Backup Keys: Store encryption keys securely using the platform's keystore mechanisms, such as the Android Keystore, to prevent unauthorized access to encryption keys.
+Backup Access Controls: Implement strict access controls for backups, ensuring only authorized entities can access or restore the data.
+
+## References
+Android Developers Guide on Auto Backup for Apps: https://developer.android.com/guide/topics/data/autobackup#define-device-conditions 
+
+## CVEs
+CVE-2023-36620: Missing android:allowBackup="false" attribute leading to potential data exposure.
+Additional CVE examples related to backup vulnerabilities include CVE-2017-16835, CVE-2017-15340, CVE-2017-7133, and CVE-2018-4172.
+
+## Tests
+Android
+Refer to MASTG-TEST-0009 for testing backups for sensitive data on Android. Focus on ensuring the autoBackup feature's conditions are securely configured and that clientSideEncryption and deviceToDeviceTransfer options are properly utilized to safeguard the backup data.
+
+## iOS
+Refer to MASTG-TEST-0058 for guidance on testing backups for sensitive data on iOS platforms, with a particular emphasis on data protection APIs and iCloud backup settings.
+