Add Tests and Demos about "Sensitive Data Stored Unencrypted via DataStore" #3540
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cpholguera
reviewed
Nov 27, 2025
cpholguera
reviewed
Nov 27, 2025
Comment on lines
22
to
39
| ### Static Analysis | ||
| 1. Obtain the application package (e.g., APK file) using @MASTG-TECH-0003. | ||
| 2. Use a static analysis technique (@MASTG-TECH-0014) to identify references to DataStore APIs such as: | ||
| - `androidx.datastore.preferences.preferencesDataStore` | ||
| - `androidx.datastore.core.DataStore` (or usage of generated Proto classes). | ||
| - `dataStore.edit`, `updateData`, or `write` operations. | ||
| 3. Inspect the code to determine whether: | ||
| - sensitive data is stored using the default, unencrypted implementation. | ||
| - a secure mechanism (e.g., applying an `EncryptedFile.Builder` for Preferences DataStore or using an encrypted custom serializer for Proto DataStore) is explicitly applied to the sensitive fields. | ||
|
|
||
| ### Dynamic Analysis | ||
| 1. Install and run the app on a rooted or emulated device (@MASTG-TECH-0005). | ||
| 2. Trigger app functionality that processes or stores sensitive data. | ||
| 3. Access the app’s private storage (typically `/data/data/<package_name>/datastore/`) and locate the DataStore files. This requires accessing the app data directories (@MASTG-TECH-0008). File names usually end with: | ||
| - `.preferences_pb` (Preferences DataStore) | ||
| - `.proto` (Proto DataStore) | ||
| 4. Extract the DataStore files from the device using @MASTG-TECH-0003. | ||
| 5. Inspect the file content using a suitable tool, applying the technique for Dynamic Analysis (@MASTG-TECH-0015) to confirm whether sensitive data is stored in plaintext. *Note: Proto DataStore files require a Proto decoder for inspection.* |
Collaborator
There was a problem hiding this comment.
For all the new PRs:
We require separate tests.
See for example:
- https://mas.owasp.org/MASTG/tests/ios/MASVS-STORAGE/MASTG-TEST-0300/ (based on sast)
type: [static] - https://mas.owasp.org/MASTG/tests/ios/MASVS-STORAGE/MASTG-TEST-0301/ (based on hooking)
type: [dynamic](you can skip this type, if you want) - https://mas.owasp.org/MASTG/tests/ios/MASVS-STORAGE/MASTG-TEST-0302/ (based on file system pull)
type: [dynamic, filesystem]
cpholguera
changed the title
macik09
force-pushed
the
feature/mastg-datastore-clean
branch
from
7e31c5f to
57ed186
Compare
macik09
force-pushed
the
feature/mastg-datastore-clean
branch
from
57ed186 to
4a930bc
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR closes #3449
Description
This PR introduces a new demo and finalizes the corresponding test for the MASVS-STORAGE requirement concerning unencrypted data persistence.
This submission specifically addresses data persistence via Jetpack DataStore by adding MASTG-DEMO-0069 and finalizing MASTG-TEST-0305.
The demo proves that sensitive PII (Email) and a secret (Password/Token) are stored in plaintext within the application's DataStore files (.preferences_pb or .proto). This occurs when developers fail to implement an explicit encryption layer, confirming the weakness MASWE-0006.
The included run.sh script demonstrates that these sensitive contents are trivially accessible from the app's private sandbox on a privileged device.
[x] I have read the contributing guidelines.