Port MASTG-TEST-0058 (by @guardsquare)

tests-beta/ios/MASVS-STORAGE/MASTG-TEST-0215.md

@@ -2,19 +2,17 @@
 platform: ios
 title: Sensitive Data Not Excluded From Backup
 id: MASTG-TEST-0215
-type: [static, filesystem]
+type: [static]
 weakness: MASWE-0004
 ---
 
 ## Overview
 
-This test verifies whether your app correctly instructs the system to exclude sensitive files from backups.
-
-Files in the `/tmp` and `/Library/Caches` subdirectories of the app container are excluded from iCloud Backups. For files and directories in any other locations within the app container, iOS provides the [`isExcludedFromBackup`](https://developer.apple.com/documentation/foundation/urlresourcevalues/1780002-isexcludedfrombackup) API to guide the system not to back up a given file or directory. However, this API [does not guarantee guarantee the actual exclusion](https://developer.apple.com/documentation/foundation/optimizing_your_app_s_data_for_icloud_backup/#3928527):
+This test verifies whether your app uses `isExcludedFromBackup` API to instructs the system to exclude sensitive files from backups. This API [does not guarantee guarantee the actual exclusion](https://developer.apple.com/documentation/foundation/optimizing_your_app_s_data_for_icloud_backup/#3928527). According to the documentation:
 
 > "The `isExcludedFromBackup` resource value exists only to provide guidance to the system about which files and directories it can exclude; it's not a mechanism to guarantee those items never appear in a backup or on a restored device."
 
-Therefore, the only way to properly protect your files from a backup is to encrypt them.
+In this test, we identify all locations where you use the `isExcludedFromBackup` API to expose files that might end up in the backup, even though you don’t want them to.
 
 ## Steps
 

tests-beta/ios/MASVS-STORAGE/MASTG-TEST-0x58.md

@@ -0,0 +1,26 @@
+---
+platform: ios
+title: Data In Keychain Not Excluded From Backup On Another Device
+id: MASTG-TEST-0x58
+type: [dynamic]
+weakness: MASWE-0004
+---
+
+## Overview
+
+This test verifies whether your app correctly use the Keychain to exclude sensitive data from backups.
+
+An app can restrict the data access to the current device with [kSecAttrAccessibleWhenUnlockedThisDeviceOnly](https://developer.apple.com/documentation/security/ksecattraccessiblewhenunlockedthisdeviceonly) flag. However, if you back up and restore on the same device, this data will also be restored. Therefore, it only prevents the data from being transferred to another device. Apple discourages storing large amounts of data in the Keychain, so it’s best to store only an encryption key there and keep the rest of the files in the filesystem.
+
+## Steps
+
+1. Use [iTunes or Finder](https://support.apple.com/en-us/120001) to back up the iPhone and restore it on another device.
+2. Review data in Keychain with @MASTG-TECH-0061
+
+## Observation
+
+The output should contain a list of items in the Keychain.
+
+## Evaluation
+
+The test case fails if you find data you intended to restrict to the current device only, but it’s accessible on another device.

tests/ios/MASVS-STORAGE/MASTG-TEST-0058.md

@@ -7,6 +7,8 @@ platform: ios
 title: Testing Backups for Sensitive Data
 masvs_v1_levels:
 - L2
+status: deprecated
+covered_by: [MASTG-TEST-0215, MASTG-TEST-0x58]
 ---
 
 ## Overview

weaknesses/MASVS-STORAGE/MASWE-0004.md

@@ -31,8 +31,10 @@ iOS and Android automatically back up app data to cloud services, and users can
 - **Local Backups**: Users can back up their devices to local systems (e.g., laptops). If local backups are stored unencrypted or not securely handled, attackers could tamper with this data.
 - **Device-To-Device Transfer**: Transferring data between devices (e.g., via iCloud or Google's device-to-device migration tools) enables an attacker to perform similar attacks.
 
-## Mitigations
+## Mitigation
 
-- Exclude sensitive files from backups using platform-specific attributes, such as `android:allowBackup` or `BackupAgent` with `excludeFromBackup` for Android. On iOS, API such as `NSURLIsExcludedFromBackupKey` [doesn't guarantee](https://developer.apple.com/documentation/foundation/optimizing_your_app_s_data_for_icloud_backup/#3928527) exclusion from the backup. Therefore, you should encrypt your data instead.
-- Store sensitive data in locations excluded from backups by default, like the Keychain or `Library/Caches` on iOS.
-- Encrypt sensitive data before storage to ensure confidentiality, even if it gets backed up.
+- On Android, exclude sensitive files from backups using platform-specific attributes, such as `android:allowBackup` or `BackupAgent` with `excludeFromBackup` for Android.
+- On iOS, API such as `NSURLIsExcludedFromBackupKey` [doesn't guarantee](https://developer.apple.com/documentation/foundation/optimizing_your_app_s_data_for_icloud_backup/#3928527) exclusion from the backup. Therefore, you should encrypt your data instead.
+- On iOS, you can store data inside the Keychain with [kSecAttrAccessibleWhenUnlockedThisDeviceOnly](https://developer.apple.com/documentation/security/ksecattraccessiblewhenunlockedthisdeviceonly) flag. This flag restricts data access to the current device only. However, if you back up and restore on the same device, this data will also be restored. Therefore, it only prevents the data from being transferred to another device. Apple discourages storing large amounts of data in the Keychain, so it’s best to store only an encryption key there and keep the rest of the files in the filesystem
+- On iOS, you can store files at `Library/Caches`. This directory is excluded from the backup but the system may delete content of this directory when low on disk space.
+- Encrypting sensitive data before storing it ensures confidentiality, even if the data is included in backups.