Update mitigations in MASWE-0004 #8
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Diolor
suggested changes
Sep 26, 2025
Comment on lines
37
to
43
| ## Mitigations | ||
|
|
||
| - Exclude sensitive files from backups using platform-specific attributes, such as `android:allowBackup` or `BackupAgent` with `excludeFromBackup` for Android. On iOS, API such as `NSURLIsExcludedFromBackupKey` [doesn't guarantee](https://developer.apple.com/documentation/foundation/optimizing_your_app_s_data_for_icloud_backup/#3928527) exclusion from the backup. Therefore, you should encrypt your data instead. | ||
| - Store sensitive data in locations excluded from backups by default, like the Keychain or `Library/Caches` on iOS. | ||
| - On Android, exclude sensitive files from backups using platform-specific attributes, such as `android:allowBackup` or `BackupAgent` with `excludeFromBackup` for Android. | ||
| - On iOS, API such as `NSURLIsExcludedFromBackupKey` [doesn't guarantee](https://developer.apple.com/documentation/foundation/optimizing_your_app_s_data_for_icloud_backup/#3928527) exclusion from the backup. Therefore, you should encrypt your data instead. | ||
| - On iOS, you can store data inside the Keychain with [kSecAttrAccessibleWhenUnlockedThisDeviceOnly](https://developer.apple.com/documentation/security/ksecattraccessiblewhenunlockedthisdeviceonly) flag. This flag restricts data access to the current device only. However, if you back up and restore on the same device, this data will also be restored. Therefore, it only prevents the data from being transferred to another device. Apple discourages storing large amounts of data in the Keychain, so it's best to store only an encryption key there and keep the rest of the files in the filesystem | ||
| - On iOS, you can store files at `Library/Caches`. This directory is excluded from the backup but the system may delete content of this directory when low on disk space. | ||
| - Encrypt sensitive data before storage to ensure confidentiality, even if it gets backed up. |
There was a problem hiding this comment.
Based on the contribution guidelines, the mitigations should be brief and generic. Therefore, we should rather keep it even more brief than it is. 😄
Suggested change
| ## Mitigations | |
| - Exclude sensitive files from backups using platform-specific attributes, such as `android:allowBackup` or `BackupAgent` with `excludeFromBackup` for Android. On iOS, API such as `NSURLIsExcludedFromBackupKey` [doesn't guarantee](https://developer.apple.com/documentation/foundation/optimizing_your_app_s_data_for_icloud_backup/#3928527) exclusion from the backup. Therefore, you should encrypt your data instead. | |
| - Store sensitive data in locations excluded from backups by default, like the Keychain or `Library/Caches` on iOS. | |
| - On Android, exclude sensitive files from backups using platform-specific attributes, such as `android:allowBackup` or `BackupAgent` with `excludeFromBackup` for Android. | |
| - On iOS, API such as `NSURLIsExcludedFromBackupKey` [doesn't guarantee](https://developer.apple.com/documentation/foundation/optimizing_your_app_s_data_for_icloud_backup/#3928527) exclusion from the backup. Therefore, you should encrypt your data instead. | |
| - On iOS, you can store data inside the Keychain with [kSecAttrAccessibleWhenUnlockedThisDeviceOnly](https://developer.apple.com/documentation/security/ksecattraccessiblewhenunlockedthisdeviceonly) flag. This flag restricts data access to the current device only. However, if you back up and restore on the same device, this data will also be restored. Therefore, it only prevents the data from being transferred to another device. Apple discourages storing large amounts of data in the Keychain, so it's best to store only an encryption key there and keep the rest of the files in the filesystem | |
| - On iOS, you can store files at `Library/Caches`. This directory is excluded from the backup but the system may delete content of this directory when low on disk space. | |
| - Encrypt sensitive data before storage to ensure confidentiality, even if it gets backed up. | |
| ## Mitigations | |
| - Exclude sensitive information, files, and key material from backups. | |
| - If you have to include sensitive data in backups, ensure it is encrypted with an algorithm strong enough to protect the data for its entire required lifetime, even if the backup is later compromised. |
These new points are valid and would be more fitting in the best practices
- Android best: https://mas.owasp.org/MASTG/best-practices/MASTG-BEST-0004/
- (new) iOS best: https://github.com/OWASP/mastg/pull/3039/files#r2381866022
If you could add those under best practices, it would be awesome, so we don't lose knowledge!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR closes OWASP/mastg#2931.
Description
It updates mitigations for
Port MASTG-TEST-0058: Testing Backups for Sensitive Data