Port MASTG-TEST-0055 (by @guardsquare) #3054

Open
wants to merge 9 commits into
base: master

Collaborator

@serek8 serek8 commented Nov 7, 2024

This PR closes #2934

@serek8 serek8 marked this pull request as ready for review November 7, 2024 12:09
Collaborator Author

serek8 commented Nov 7, 2024

We still need to find an appropriate MASWE for this test

@TheDauntless TheDauntless reopened this Nov 7, 2024
- [`UITextAutocorrectionTypeNo`](https://developer.apple.com/documentation/uikit/uitextautocorrectiontype/uitextautocorrectiontypeno)
- [`secureTextEntry`](https://developer.apple.com/documentation/uikit/uitextinputtraits/1624427-securetextentry)

If the app uses Storyboards or XIB files, check whether the UI elements such as `UITextFields`, `UITextViews`, and `UISearchBars` use the `UITextAutocorrectionTypeNo` attribute.
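
Review bot: The Storyboard/XIB paragraph checks only for `UITextAutocorrectionTypeNo`, while the list directly above it names `secureTextEntry` as well, so a field that sets only `secureTextEntry` would be reported by this step. Suggest naming both attributes in this sentence, and writing the class names in the singular (`UITextField`, `UITextView`, `UISearchBar`) so the backticked identifiers match the UIKit classes.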

Collaborator

can this really be tested by just having the IPA?

Collaborator Author

There is no easy way to get it from a built IPA file. I am afraid we can only review the source code, or use dynamic analysis to hook an init function of TextField? Do you want me to create a dynamic test for it?

Comment on lines 13 to 16
The following attributes, if present, will prevent the caching mechanism for text inputs:

- [`UITextAutocorrectionTypeNo`](https://developer.apple.com/documentation/uikit/uitextautocorrectiontype/uitextautocorrectiontypeno)
- [`secureTextEntry`](https://developer.apple.com/documentation/uikit/uitextinputtraits/1624427-securetextentry)

Collaborator

should we require both? We need to explain this better, either here or in the evaluation using some examples maybe.

Collaborator Author

I clarified it in the last commit, please have a look


1. Reset your iOS device keyboard cache by navigating to `Settings > General > Reset > Reset Keyboard Dictionary`.
2. Exercise the application and identify the functionalities that allow users to enter sensitive data.
3. Use @MASTG-TECH-0052 to retrieve the keyboard cache file with the extension `.dat` at `/private/var/mobile/Library/Keyboard/` and its subdirectories.
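
Review bot: Step 3 limits retrieval to files with the extension `.dat`, but the reply in this thread reports the cached data in `/private/var/mobile/Library/Keyboard/en-dynamic.lm`, which this wording would skip. Suggest listing the file types to collect or dropping the extension filter, and having step 2 tell the tester to type a known, recognisable test value so there is something specific to look for in the retrieved files.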

Collaborator

was this working? which iOS version was it?

Collaborator Author

Yes, it worked on iOS 15.4.1 iPhone XS. The file is `/private/var/mobile/Library/Keyboard/en-dynamic.lm`.
It's not very consistent though. I can't find all the suggestions there that my keyboard cached (yes, I restarted my device).


This test checks whether the keyboard cache contains sensitive data from the target app.

## Steps

Collaborator

is this test really useful/meaningful/valuable?

cc @TheDauntless

Collaborator Author

After thinking it over again, I am not sure about the value of these tests:

  • Inspecting `/private/var/mobile/Library/Keyboard/en-dynamic.lm` isn't consistent. Typing a password with autocorrection doesn't consistently put it into the database. Therefore, it's even difficult to get a True Positive.
  • Static search for `UITextAutocorrectionTypeNo` and `secureTextEntry` is also difficult if an app uses Storyboard. It'd be easier in SwiftUI, but this is not a big percentage of apps yet. Even if it were possible for all apps, I am not sure if testing the usage of these APIs would be practical and sufficient.

In general, it's difficult to test for this weakness statically because we don't know what data is sensitive and where it's typed. Therefore, I suggest we:

  1. Remove the test for testing /private/var/mobile/Library/Keyboard
  2. Remove the static search for UITextAutocorrectionTypeNo and secureTextEntry
  3. Create a dynamic test with Frida that intercepts text from all inputs that don't have UITextAutocorrectionTypeNo or secureTextEntry, and let the user review this list afterwards.

Collaborator

Update: will try to recursively iterate the UI elements dynamically with Frida.
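
The dynamic check proposed in the last two comments, as an added example that is not part of this PR or of the MASTG: it walks the on-screen view hierarchy with Frida and lists text inputs that set neither `UITextAutocorrectionTypeNo` nor `secureTextEntry`. The function names, the use of `UIApplication.windows`, and a Frida runtime that exposes the global `ObjC` bridge are assumptions; the script reports input classes only, not typed text.

```javascript
// Added example. Traversal and decision logic are plain JavaScript; the
// Frida glue at the bottom only runs inside a Frida session on iOS.
const UITextAutocorrectionTypeNo = 1; // UIKit enum: Default = 0, No = 1, Yes = 2

// An input can feed the keyboard cache unless one of the two traits is set.
function mayBeCached(traits) {
  return !traits.secure &&
    Number(traits.autocorrectionType) !== UITextAutocorrectionTypeNo;
}

// Depth-first walk of a view tree. `children(view)` returns the subviews and
// `readTraits(view)` returns {cls, autocorrectionType, secure}, or null when
// the view is not a text input. Both callbacks are supplied by the caller.
function findCacheableInputs(root, children, readTraits) {
  const hits = [];
  const stack = [root];
  while (stack.length > 0) {
    const view = stack.pop();
    const traits = readTraits(view);
    if (traits !== null && mayBeCached(traits)) hits.push(traits);
    for (const child of children(view)) stack.push(child);
  }
  return hits;
}

if (typeof ObjC !== 'undefined' && ObjC.available) {
  const toArray = (nsArray) => {
    const out = [];
    for (let i = 0; i < Number(nsArray.count()); i++) out.push(nsArray.objectAtIndex_(i));
    return out;
  };
  const has = (v, name) => v.respondsToSelector_(ObjC.selector(name));
  const readTraits = (v) => has(v, 'autocorrectionType') ? {
    cls: v.$className,
    autocorrectionType: v.autocorrectionType(),
    secure: has(v, 'isSecureTextEntry') && !!v.isSecureTextEntry(),
  } : null;
  // UIKit objects are queried on the main thread.
  ObjC.schedule(ObjC.mainQueue, () => {
    const app = ObjC.classes.UIApplication.sharedApplication();
    for (const win of toArray(app.windows())) {
      for (const t of findCacheableInputs(win, (v) => toArray(v.subviews()), readTraits)) {
        console.log(`[keyboard-cache] ${t.cls} autocorrectionType=${t.autocorrectionType}`);
      }
    }
  });
}
```

The walk covers only the views that exist when the script runs, so it has to be repeated on each screen that accepts sensitive input.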

Successfully merging this pull request may close these issues.

MASTG v1->v2 MASTG-TEST-0055: Finding Sensitive Data in the Keyboard Cache (ios)
3 participants