Add Tests and Demos about "Sensitive Data Stored Unencrypted via DataStore"#3540
Add Tests and Demos about "Sensitive Data Stored Unencrypted via DataStore"#3540macik09 wants to merge 7 commits into
Conversation
| ### Static Analysis | ||
| 1. Obtain the application package (e.g., APK file) using @MASTG-TECH-0003. | ||
| 2. Use a static analysis technique (@MASTG-TECH-0014) to identify references to DataStore APIs such as: | ||
| - `androidx.datastore.preferences.preferencesDataStore` | ||
| - `androidx.datastore.core.DataStore` (or usage of generated Proto classes). | ||
| - `dataStore.edit`, `updateData`, or `write` operations. | ||
| 3. Inspect the code to determine whether: | ||
| - sensitive data is stored using the default, unencrypted implementation. | ||
| - a secure mechanism (e.g., applying an `EncryptedFile.Builder` for Preferences DataStore or using an encrypted custom serializer for Proto DataStore) is explicitly applied to the sensitive fields. | ||
|
|
||
| ### Dynamic Analysis | ||
| 1. Install and run the app on a rooted or emulated device (@MASTG-TECH-0005). | ||
| 2. Trigger app functionality that processes or stores sensitive data. | ||
| 3. Access the app’s private storage (typically `/data/data/<package_name>/datastore/`) and locate the DataStore files. This requires accessing the app data directories (@MASTG-TECH-0008). File names usually end with: | ||
| - `.preferences_pb` (Preferences DataStore) | ||
| - `.proto` (Proto DataStore) | ||
| 4. Extract the DataStore files from the device using @MASTG-TECH-0003. | ||
| 5. Inspect the file content using a suitable tool, applying the technique for Dynamic Analysis (@MASTG-TECH-0015) to confirm whether sensitive data is stored in plaintext. *Note: Proto DataStore files require a Proto decoder for inspection.* |
There was a problem hiding this comment.
For all the new PRs:
We require separate tests.
See for example:
- https://mas.owasp.org/MASTG/tests/ios/MASVS-STORAGE/MASTG-TEST-0300/ (based on sast)
type: [static] - https://mas.owasp.org/MASTG/tests/ios/MASVS-STORAGE/MASTG-TEST-0301/ (based on hooking)
type: [dynamic](you can skip this type, if you want) - https://mas.owasp.org/MASTG/tests/ios/MASVS-STORAGE/MASTG-TEST-0302/ (based on file system pull)
type: [dynamic, filesystem]
7e31c5f to
57ed186
Compare
57ed186 to
4a930bc
Compare
There was a problem hiding this comment.
The DEMO must follow the content guidelines (https://mas.owasp.org/contributing/writing-content/mastg-demo.instructions).
For example, the "Evaluation" section should explain each relevant line of the output that is used as an evidence to give a FAIL to the test.
There was a problem hiding this comment.
This Java file does not seem to be the Java file resulting from decompiling the DEMO app. As commented previously, follow the DEMO guidelines (https://mas.owasp.org/contributing/writing-content/mastg-demo.instructions/) to provide these files accordingly.
| echo "[*] Pulling DataStore files directly from app sandbox..." | ||
| echo "--- DataStore Extracted Content ---" > "$OUTPUT_TXT_FILE" | ||
|
|
||
| # Wyciągamy wszystkie pliki bezpośrednio do strings |
There was a problem hiding this comment.
Please, provide all comments / code lines in English :)
|
|
||
| ### Sample | ||
|
|
||
| The snippet below shows sample code that uses Jetpack DataStore to store sensitive data, including PII (email) and secrets (access token or password), in **plaintext** without encryption. |
There was a problem hiding this comment.
There is an open issue #3781 that already shows the need of creating a MASTG-KNOW file that explains Android DataStore, the several storing mechanisms (I see you use two different mechanisms in this DEMO); it would be great if you create the corresponding KNOW file, using the knowledge that you already have by doing this DEMO. This is not needed for this PR and can be done later, but just in case :)
See https://mas.owasp.org/contributing/writing-content/mastg-knowledge.instructions/ for more information on how to craft KNOW files.
| title: Sensitive Data Stored Unencrypted via DataStore | ||
| platform: android | ||
| title: Static Analysis for Unencrypted Sensitive Data in DataStore | ||
| id: MASTG-TEST-0305 |
There was a problem hiding this comment.
Use a temporal ID to avoid drifts
|
|
||
| ## Overview | ||
|
|
||
| This test verifies whether the app's code uses Jetpack DataStore APIs to store sensitive data — such as tokens, passwords, or PII — without encryption. By default, both Preferences DataStore (`.preferences_pb`) and Proto DataStore (`.proto`) persist data in plaintext. |
There was a problem hiding this comment.
| This test verifies whether the app's code uses Jetpack DataStore APIs to store sensitive data — such as tokens, passwords, or PII — without encryption. By default, both Preferences DataStore (`.preferences_pb`) and Proto DataStore (`.proto`) persist data in plaintext. | |
| This test verifies whether the app's code uses [Jetpack DataStore](https://developer.android.com/jetpack/androidx/releases/datastore) APIs to store sensitive data — such as tokens, passwords, or PII — without encryption. By default, both Preferences DataStore (`.preferences_pb`) and Proto DataStore (`.proto`) persist data in plaintext. |
| ## Observation | ||
|
|
||
| - Identify DataStore files referenced in the code. | ||
| - Determine whether sensitive data is stored without encryption. |
There was a problem hiding this comment.
| - Determine whether sensitive data is stored without encryption. | |
| - Whether encryption is being applied in the code to the sensitive data before being stored. |
|
|
||
| ## Steps | ||
|
|
||
| 1. Install and run the app on a rooted or emulated device (@MASTG-TECH-0005). |
There was a problem hiding this comment.
| 1. Install and run the app on a rooted or emulated device (@MASTG-TECH-0005). |
There was a problem hiding this comment.
Starting a device is not anymore needed for the tests.
|
|
||
| 1. Install and run the app on a rooted or emulated device (@MASTG-TECH-0005). | ||
|
|
||
| 2. Trigger app functionality that processes or stores sensitive data. |
There was a problem hiding this comment.
| 2. Trigger app functionality that processes or stores sensitive data. | |
| 1. Exercise all the functionalities of the app that process or store sensitive data. |
| 3. Access the app's private storage (typically `/data/data/<package_name>/datastore/`) to locate DataStore files: | ||
| - `.preferences_pb` (Preferences DataStore) | ||
| - `.proto` (Proto DataStore) | ||
| (@MASTG-TECH-0008) |
There was a problem hiding this comment.
| 3. Access the app's private storage (typically `/data/data/<package_name>/datastore/`) to locate DataStore files: | |
| - `.preferences_pb` (Preferences DataStore) | |
| - `.proto` (Proto DataStore) | |
| (@MASTG-TECH-0008) | |
| 2. Access the app's private storage (@MASTG-TECH-0008) to locate DataStore files (normally at `/data/data/<package_name>/datastore/`): | |
| - `.preferences_pb` (Preferences DataStore) | |
| - `.proto` (Proto DataStore) |
| - `.proto` (Proto DataStore) | ||
| (@MASTG-TECH-0008) | ||
|
|
||
| 4. Extract the DataStore files to the host machine using @MASTG-TECH-0003. |
There was a problem hiding this comment.
| 4. Extract the DataStore files to the host machine using @MASTG-TECH-0003. | |
| 3. Extract the DataStore files of the app to the host machine (@MASTG-TECH-0002). |
There was a problem hiding this comment.
MASTG-TECH-0003 is about dumping the APK, but not their associated storage files.
|
|
||
| 4. Extract the DataStore files to the host machine using @MASTG-TECH-0003. | ||
|
|
||
| 5. Inspect file contents using dynamic analysis techniques (@MASTG-TECH-0015) to determine whether sensitive data is stored in plaintext. |
There was a problem hiding this comment.
| 5. Inspect file contents using dynamic analysis techniques (@MASTG-TECH-0015) to determine whether sensitive data is stored in plaintext. | |
| 4. Inspect the database content to determine if sensitive data is stored in plaintext. |
There was a problem hiding this comment.
There is not a 1:1 TECH for this step, it's better to just enforce that the databases must be inspected.
| 4. Extract the DataStore files to the host machine using @MASTG-TECH-0003. | ||
|
|
||
| 5. Inspect file contents using dynamic analysis techniques (@MASTG-TECH-0015) to determine whether sensitive data is stored in plaintext. | ||
| _Note: Proto DataStore files require a Proto decoder for inspection._ |
There was a problem hiding this comment.
It would be fine if we create a MASTG-TOOL for this purpose, I think there is not such tool right now.
There was a problem hiding this comment.
If you don't want to create the MASTG-TOOL file, you can create an issue (like this one #3728) so that we have it tracked.
There was a problem hiding this comment.
Thanks for the suggestion. I'll create an issue to keep track of it. If it doesn't get picked up by someone else and I find the time, I'll take a stab at implementing the tool myself.
| ## Observation | ||
|
|
||
| - Which DataStore files exist on the device. | ||
| - Whether sensitive data (tokens, secrets, PII) is present in plaintext or easily reversible format. |
There was a problem hiding this comment.
| - Whether sensitive data (tokens, secrets, PII) is present in plaintext or easily reversible format. | |
| - Occurrences inside the DataStore file where the sensitive data (tokens, secrets, PII) is stored in plaintext. |
|
|
||
| ## Evaluation | ||
|
|
||
| The test fails if sensitive data is stored in DataStore files without encryption and can be read in plaintext through static or dynamic analysis. |
There was a problem hiding this comment.
| The test fails if sensitive data is stored in DataStore files without encryption and can be read in plaintext through static or dynamic analysis. | |
| The test fails if sensitive data is stored in DataStore files without encryption and can be read in plaintext. |
jacobocasado
left a comment
There was a problem hiding this comment.
@macik09 Review done! Please check https://mas.owasp.org/contributing/writing-content/mastg-demo.instructions/ and also https://mas.owasp.org/contributing/writing-content/mastg-test.instructions/ (for the TEST) and ensure that they are aligned with the instructions!
Thanks!
This PR closes #3449
Description
This PR introduces a new demo and finalizes the corresponding test for the MASVS-STORAGE requirement concerning unencrypted data persistence.
This submission specifically addresses data persistence via Jetpack DataStore by adding MASTG-DEMO-0069 and finalizing MASTG-TEST-0305.
The demo proves that sensitive PII (Email) and a secret (Password/Token) are stored in plaintext within the application's DataStore files (.preferences_pb or .proto). This occurs when developers fail to implement an explicit encryption layer, confirming the weakness MASWE-0006.
The included run.sh script demonstrates that these sensitive contents are trivially accessible from the app's private sandbox on a privileged device.
[x] I have read the contributing guidelines.