[MASWE-0001, MASWE-0027, MASWE-0108] MAS Risks and Tests (PREVIEW DRAFT) #2518

Merged: 55 commits, Feb 14, 2024
b65abc8
first draft
cpholguera Oct 13, 2023
2eb330e
add mitigation
cpholguera Oct 13, 2023
db1b5df
update mitigations and risks
cpholguera Oct 14, 2023
87693b9
fixes for Sensitive Data in Network Traffic
cpholguera Oct 27, 2023
844af15
add new sample tests
cpholguera Oct 27, 2023
93b3555
new structure for risks and tests
cpholguera Dec 9, 2023
79c2d4d
Add content to all risk.md files and delete unused risk files
cpholguera Dec 9, 2023
c6c9b12
remove tests folders
cpholguera Jan 5, 2024
7232276
rename mitigation files
cpholguera Jan 5, 2024
f12dcb7
remove mappings/owasp-masvs for all risks. It will be automatically g…
cpholguera Jan 5, 2024
0fdb602
remove mappings/owasp-masvs for all risks. It will be automatically g…
cpholguera Jan 9, 2024
30967a4
First draft - Risk and Test update for Android logging
sushi2k Jan 12, 2024
452a1a4
fix test aliases and add missing
cpholguera Jan 13, 2024
6a5af6b
Add secure random number generation and update insecure random usage …
cpholguera Jan 13, 2024
8ffffd0
Merge branch 'mastg-risks-and-tests' of https://github.com/OWASP/owas…
cpholguera Jan 13, 2024
a5fa9c8
Remove "Modes of Introduction" section from risk.md files
cpholguera Jan 13, 2024
25d9660
Update method tracing in Android techniques
cpholguera Jan 13, 2024
42c6b3a
Fix method trace link in test.md
cpholguera Jan 13, 2024
65348aa
Update CWE mappings in risk.md files to be a list of IDs
cpholguera Jan 13, 2024
f30bc9c
Update test type to be a list. Updated platform specific mitigations …
cpholguera Jan 13, 2024
d133445
Add prerequisites folder with 2 examples
cpholguera Jan 13, 2024
ca13fb0
Refactor insecure random API test case. Link to existing prerequisite…
cpholguera Jan 13, 2024
d93ccfd
Add content to the static analysis technique for Android apps
cpholguera Jan 13, 2024
7c1fc10
Update insecure random API link and method trace links to techniques
cpholguera Jan 13, 2024
4226549
Update insecure random number generator rule in MASVS-CRYPTO
cpholguera Jan 14, 2024
b7e5084
Update content in insecure random test examples and add SARIF. Add su…
cpholguera Jan 14, 2024
086d0b9
update with example
sushi2k Jan 15, 2024
a638776
Merge branch 'mastg-risks-and-tests' of https://github.com/OWASP/owas…
sushi2k Jan 15, 2024
40be282
Update test case
sushi2k Jan 15, 2024
6c4abef
update frida-trace
sushi2k Jan 15, 2024
c8a0a62
add example for frida-trace
sushi2k Jan 15, 2024
1263af8
updated tests according to the latest guidelines
cpholguera Jan 15, 2024
80c2d88
delete empty risk files
cpholguera Jan 15, 2024
03d4e96
fix for android-data-in-logs-semgrep
cpholguera Jan 15, 2024
ae25710
remove mstg- rules
cpholguera Jan 15, 2024
e9366b7
delete empty test files
cpholguera Jan 15, 2024
7034415
Move the test android-data-in-traffic-capture from NETWORK-1 to PRIVA…
cpholguera Jan 16, 2024
ab8ecd0
update insecure network comm risk
cpholguera Jan 19, 2024
9e95276
update current example risks
cpholguera Jan 19, 2024
3e5a694
fix other risks metadata
cpholguera Jan 19, 2024
4b03f0e
leave only 3 example risks
cpholguera Jan 19, 2024
0fe2c5c
rm initial tests
cpholguera Jan 19, 2024
c3e48f5
add privacy risk
cpholguera Jan 19, 2024
8ceb0b6
remove initial examples
cpholguera Jan 19, 2024
186d731
update privacy example
cpholguera Jan 19, 2024
9b2e9cd
update privacy example
cpholguera Jan 19, 2024
0a04b97
update example and technique
cpholguera Jan 19, 2024
689d06d
Merge branch 'master' of https://github.com/OWASP/owasp-mastg into ma…
cpholguera Jan 21, 2024
6d80dc7
Update android-data-in-logs-frida/example-1
cpholguera Jan 24, 2024
374b9ab
rm -q option
cpholguera Feb 2, 2024
05f2112
Merge branch 'master' of https://github.com/OWASP/owasp-mastg into ma…
cpholguera Feb 7, 2024
96dd1c5
add test overviews
cpholguera Feb 14, 2024
8a239b3
Update .vscode/settings.json to disable GitHub code scanning
cpholguera Feb 14, 2024
74ec6e8
Remove example-2 for logging APIs
cpholguera Feb 14, 2024
d62ff0a
fix 400 link
cpholguera Feb 14, 2024
add privacy risk
cpholguera committed Jan 19, 2024
commit c3e48f55c0fc652e933814ac81daad3baf21ad44
47 changes: 0 additions & 47 deletions risks/MASVS-NETWORK/1-secure-traffic/insecure-net-comm/risk.md

This file was deleted.

@@ -0,0 +1,43 @@
---
title: Sensitive Data in Network Traffic
alias: sensitive-data-in-network-traffic
platform: ["android", "ios"]
profiles: ["P"]
mappings:
- masvs-v1: [MSTG-NETWORK-1]
- masvs-v2: [MASVS-PRIVACY-1]
- cwe: [359]
---

## Overview

Sensitive data in network traffic refers to the transmission of personal or confidential information over the network in a manner that could be intercepted and accessed by unauthorized parties. While the data may be sent using secure protocols such as HTTPS, the primary concern is the appropriateness and necessity of the data being shared or collected.

The risk is not in the security of the transmission method, but in the privacy implications of the data being transmitted. This could include personal user information, location data, usage patterns, or any other information that could compromise user privacy.

## Modes of Introduction

This risk can be introduced in various scenarios, including:

- Over-collection of user data beyond the app's functional requirements.
- Transmission of detailed user location or behavior analytics without proper anonymization.
- Sharing sensitive information with third-party services (e.g., analytics, advertising networks) without user consent.
- Unnecessary collection of identifiers like IMEI, email, or phone numbers.

## Impact

The impact of exposing sensitive data in network traffic includes:

- **Violation of User Privacy**: Users may not be aware that their personal information is being transmitted, leading to privacy infringement.
- **Compliance and Legal Risks**: Breach of data protection laws and regulations (like GDPR), resulting in legal consequences and fines.
- **Loss of User Trust**: Users losing trust in the application, leading to reputational damage and potential loss of business.

## Mitigations

To mitigate this risk, consider the following strategies:

- Minimize the collection of user data to what is strictly necessary for app functionality.
- Implement and strictly enforce data privacy policies, including user consent for data collection and sharing.
- Use anonymization techniques for user data that is transmitted for analytics or other secondary purposes.
- Regularly review and audit data transmitted over the network to ensure it aligns with privacy policies and user expectations.
- Provide clear user-facing privacy settings, allowing users to control what data is shared.
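Review bot: Deleting this file is the right cleanup, since its directory (risks/MASVS-NETWORK/1-secure-traffic/insecure-net-comm/) and its content disagree: the title "Sensitive Data in Network Traffic", alias sensitive-data-in-network-traffic and the masvs-v2 mapping to MASVS-PRIVACY-1 / CWE-359 all describe a privacy risk, not a transport-security one, and the file still carries the "Modes of Introduction" section that commit a5fa9c8 removed from the other risk.md files. Before merging, confirm that the replacement risk added under the privacy category (this commit is "add privacy risk", following 7034415's move of android-data-in-traffic-capture from NETWORK-1 to PRIVACY) keeps the three mappings `- masvs-v1: [MSTG-NETWORK-1]`, `- masvs-v2: [MASVS-PRIVACY-1]` and `- cwe: [359]`, and that nothing else in the repository still links to the old alias or path. If the prose is reused, reword the first Overview sentence: "in a manner that could be intercepted and accessed by unauthorized parties" frames the issue as interception, which the very next paragraph says is not the risk; the bullets under "Modes of Introduction" describe the actual concern, disclosure of over-collected or non-anonymized data to the app's own backend or to third-party services. Separately, the rendered hunk header `@@ -0,0 +1,43 @@` reads as a 43-line addition while the file header reports 0 additions & 47 deletions and the lines are shown without `-` markers, so the line counts on this page should be checked against the actual commit rather than relied on as shown.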