Commit
Showing 2 changed files with 56 additions and 0 deletions.
@@ -0,0 +1,31 @@ | ||
--- | ||
platform: ios | ||
title: Possible Leakage of Sensitive Data via UIPasteboard | ||
id: MASTG-TEST-0x73-1 | ||
type: [static] | ||
weakness: MASWE-0053 | ||
threat: [user] | ||
--- | ||
|
||
## Overview | ||
|
||
The systemwide general pasteboard can be obtained by the [`generalPasteboard`](https://developer.apple.com/documentation/uikit/uipasteboard/1622106-generalpasteboard "UIPasteboard generalPasteboard") function. The general pasteboard enables easy sharing of information between apps. However, it can also leak sensitive data, since every app and [potentially even other devices](https://developer.apple.com/documentation/uikit/uipasteboard#3671087 "UIPasteboard") can request the contents. Since iOS 16.0 this requires user interaction. | ||
|
||
When you are dealing with sensitive data, usage of the general pasteboard should be avoided. This static test case identifies whether the app uses the general keyboard. | ||
|
||
## Steps | ||
|
||
1. Extract the package as described in @MASTG-TECH-0058. | ||
2. Perform static analysis as described in @MASTG-TECH-0066 or if the code is not available look for calls to | ||
`UIPasteboard.generalPasteboard` using @MASTG-TECH-0076. | ||
|
||
## Observation | ||
|
||
The code or disassembly could contain calls to `UIPasteboard.generalPasteboard`. | ||
|
||
## Evaluation | ||
|
||
The test fails if there are calls to `UIPasteboard.generalPasteboard` and sensitive data is written into the resulting object with [`addItems`](https://developer.apple.com/documentation/uikit/uipasteboard/1622101-additems "Apple Developer"), [`setItems`](https://developer.apple.com/documentation/uikit/uipasteboard/1829417-setitems "Apple Developer"), [`setData`](https://developer.apple.com/documentation/uikit/uipasteboard/1622075-setdata "Apple Developer") or [`setValue`](https://developer.apple.com/documentation/uikit/uipasteboard/1622079-setvalue "Apple Developer"). | ||
|
||
The usage of the general systemwide pasteboard should be avoided when dealing with sensitive data. Prefer using a | ||
[custom app pasteboard](https://developer.apple.com/documentation/uikit/uipasteboard/1622087-withuniquename "Apple Developer") instead. |
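Review bot: The Steps and the Evaluation of this static test do not line up. Step 2 only has the tester look for calls to `UIPasteboard.generalPasteboard`, but the Evaluation fails the test only when sensitive data is also written via `addItems`, `setItems`, `setData` or `setValue`; list those write APIs in Step 2 as well so the static search actually produces the evidence the Evaluation asks for. Two further points on the same lines: a search for the string `generalPasteboard` will only match Objective-C code, since the same symbol is exposed to Swift as `UIPasteboard.general`, so both spellings should be named as search targets; and in the Overview, "whether the app uses the general keyboard" should read "general pasteboard". Minor: the id `MASTG-TEST-0x73-1` looks like a placeholder; please confirm it matches the project's test numbering before merge.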
@@ -0,0 +1,25 @@ | ||
--- | ||
platform: ios | ||
title: Leakage of Sensitive Data via UIPasteboard | ||
id: MASTG-TEST-0x73-2 | ||
type: [dynamic] | ||
weakness: MASWE-0053 | ||
threat: [user] | ||
--- | ||
|
||
## Overview | ||
|
||
The systemwide general pasteboard can be obtained by the [`generalPasteboard`](https://developer.apple.com/documentation/uikit/uipasteboard/1622106-generalpasteboard "UIPasteboard generalPasteboard") function. The general pasteboard enables easy sharing of information between apps. However, it can also leak sensitive data, since every app and [potentially even other devices](https://developer.apple.com/documentation/uikit/uipasteboard#3671087 "UIPasteboard") can request the contents. Since iOS 16.0 this requires user interaction. | ||
|
||
When you are dealing with sensitive data, usage of the general pasteboard should be avoided. This dynamic test case identifies not only whether the app uses the general pasteboard but also if sensitive data is passed into it. | ||
|
||
## Steps | ||
|
||
1. Apply @MASTG-TECH-0067 or @MASTG-TECH-0079 to trace calls to [`addItems`](https://developer.apple.com/documentation/uikit/uipasteboard/1622101-additems "Apple Developer"), [`setItems`](https://developer.apple.com/documentation/uikit/uipasteboard/1829417-setitems "Apple Developer"), [`setData`](https://developer.apple.com/documentation/uikit/uipasteboard/1622075-setdata "Apple Developer") or [`setValue`](https://developer.apple.com/documentation/uikit/uipasteboard/1622079-setvalue "Apple Developer") on objects obtained from calling [`generalPasteboard`](https://developer.apple.com/documentation/uikit/uipasteboard/1622106-generalpasteboard "Apple Developer"). | ||
|
||
## Evaluation | ||
|
||
The test fails if sensitive data (possibly entered during dynamic analysis) is traced during a write operation. | ||
|
||
The usage of the general systemwide pasteboard should be avoided when dealing with sensitive data. Prefer using a | ||
[custom app pasteboard](https://developer.apple.com/documentation/uikit/uipasteboard/1622087-withuniquename "Apple Developer") instead. |
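Review bot: Step 1 traces only `addItems`, `setItems`, `setData` and `setValue`, but the most common way an app writes to the general pasteboard is through the typed property setters (`UIPasteboard.general.string = ...`, likewise `strings`, `url`, `urls`, `image`, `color`), and a trace that hooks only the four listed methods may miss those writes; add the property setters to the list of calls to trace. In the Evaluation, "sensitive data (possibly entered during dynamic analysis)" is vague; suggest telling the tester to enter known marker values (a recognizable test password or token) during the session so that they can be identified unambiguously in the traced write arguments. For consistency with the static test, this file is also missing an `## Observation` section describing what the trace output should contain.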