Port MASTG-TEST-0081 (by @Guardsquare) (OWASP#3034)

* Port MASTG-TEST-0081 * fix test ID * add overview and re-use prev. overview for the recommendation * fix md lint --------- Co-authored-by: Carlos Holguera <[email protected]>
titze · Nov 6, 2024 · 24809dc · 24809dc
1 parent 7d2c88f
commit 24809dc
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 0 deletions.
diff --git a/techniques/ios/MASTG-TECH-0112.md b/techniques/ios/MASTG-TECH-0112.md
@@ -0,0 +1,20 @@
+---
+title: Obtaining the Code Signature Format Version
+platform: ios
+---
+
+To extract the code signature format version from a signed binary, you can use @MASTG-TOOL-0114.
+
+The version is obtained by calling `codesign -dv` and identifying the value of `v` in the `CodeDirectory` row:
+
+```bash
+$ codesign -dv MASTestApp.app
+Executable=/Users/user/MASTestApp.app
+Identifier=org.owasp.mastestapp.MASTestApp-iOS
+Format=Mach-O universal (armv7 arm64)
+CodeDirectory v=20400 size=404674 flags=0x0(none) hashes=12635+7 location=embedded
+Signature size=4858
+...
+```
+
+In this case the version is 20400, since the output contains `v=20400`.
diff --git a/tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0220.md b/tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0220.md
@@ -0,0 +1,28 @@
+---
+platform: ios
+title: Usage of Outdated Code Signature Format
+id: MASTG-TEST-0220
+type: [static]
+weakness: MASWE-0104
+---
+
+## Overview
+
+On iOS, code signatures verify the integrity and authenticity of an app's binary, preventing unauthorized modifications and ensuring that the app is trusted by the operating system. Apple regularly updates its [code signature formats](https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format) to enhance cryptographic strength and improve protection against tampering.
+
+Using an outdated code signature format may expose the app to security risks, as older formats may lack support for current cryptographic standards and may be more vulnerable to manipulation. Adopting the latest code signature format helps maintain app integrity and ensures compatibility with the latest security features in iOS.
+
+## Steps
+
+1. Extract the package as described in @MASTG-TECH-0058.
+2. Obtain the version of the code signature format as described in @MASTG-TECH-0112.
+
+## Observation
+
+The output should contain the version of the code signature format.
+
+## Evaluation
+
+The test fails if the version is below the [recommended one](https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format "Apple Developer").
+
+Ensure that the app is using the [latest code signing format](https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format "Apple Developer"). You can retrieve the signing certificate format with @MASTG-TECH-0112. This will ensure that the integrity of the app is protected according to the latest cryptographic standards, preventing tampering with the app binary and ensuring that the unmodified copy is distributed to users.
diff --git a/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0081.md b/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0081.md
@@ -7,6 +7,8 @@ platform: ios
 title: Making Sure that the App Is Properly Signed
 masvs_v1_levels:
 - R
+covered_by: [MASTG-TEST-0220]
+status: deprecated
 ---
 
 ## Overview