MASTG-TEST-0079: Testing Object Persistence
This test will be updated soon
The test can be used in its current form, but it will receive a complete overhaul as part of the new OWASP MASTG v2 guidelines.
Help us out by submitting a PR for: MASTG v1->v2 MASTG-TEST-0079: Testing Object Persistence (ios)
Overview
Static Analysis
All different flavors of object persistence share the following concerns:
- If you use object persistence to store sensitive information on the device, then make sure that the data is encrypted: either at the database level, or specifically at the value level.
- Need to guarantee the integrity of the information? Use an HMAC mechanism or sign the information stored. Always verify the HMAC/signature before processing the actual information stored in the objects.
- Make sure that the keys used for the two mechanisms above are safely stored in the Keychain and well protected. See the chapter "Data Storage on iOS" for more details.
- Ensure that the data within the deserialized object is carefully validated before it is actively used (e.g., no exploit of business/application logic is possible).
- Do not use persistence mechanisms that use Runtime Reference to serialize/deserialize objects in high-risk applications, as the attacker might be able to manipulate the steps to execute business logic via this mechanism (see the chapter "iOS Anti-Reversing Defenses" for more details).
- Note that in Swift 2 and beyond, a Mirror can be used to read parts of an object, but cannot be used to write against the object.
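The first four concerns above applied to a Codable object, as an added example that is not part of the MASTG text: AES-GCM (an AEAD) covers both the encryption and the integrity check in one operation, the authentication tag is verified before anything is decoded, and the decoded content is validated before it drives any logic. UserProfile, its fields and loadKeyFromKeychain are assumptions made for this example; in a real app the key is fetched from the Keychain rather than generated.

```swift
import Foundation
import CryptoKit

enum PersistenceError: Error { case invalidContent, corrupt }

// Hypothetical persisted object; type and field names are assumptions.
struct UserProfile: Codable {
    let userID: String
    let accessLevel: Int   // business rule for this example: 0...2 only

    // Validate after deserialization, before the object is used anywhere.
    func validated() throws -> UserProfile {
        guard !userID.isEmpty, (0...2).contains(accessLevel) else {
            throw PersistenceError.invalidContent
        }
        return self
    }
}

// Stand-in so the example is self-contained: a real app loads the key
// from the Keychain (SecItemCopyMatching) instead of generating it here.
func loadKeyFromKeychain() -> SymmetricKey {
    return SymmetricKey(size: .bits256)
}

// Encode, then seal with AES-GCM: confidentiality and integrity in one step.
func persist(_ profile: UserProfile, key: SymmetricKey) throws -> Data {
    let plaintext = try JSONEncoder().encode(profile)
    let box = try AES.GCM.seal(plaintext, using: key)
    guard let blob = box.combined else { throw PersistenceError.corrupt }
    return blob   // nonce || ciphertext || tag, safe to write to disk
}

// Authenticate first (open throws on a bad tag), decode second, validate third.
func restore(_ blob: Data, key: SymmetricKey) throws -> UserProfile {
    let box = try AES.GCM.SealedBox(combined: blob)
    let plaintext = try AES.GCM.open(box, using: key)
    return try JSONDecoder().decode(UserProfile.self, from: plaintext).validated()
}

let key = loadKeyFromKeychain()
let stored = try persist(UserProfile(userID: "u-42", accessLevel: 1), key: key)
let restored = try restore(stored, key: key)
print("restored:", restored.userID, restored.accessLevel)

// Flipping one bit of the stored blob is rejected before any decoding happens.
var tampered = stored
let last = tampered.index(before: tampered.endIndex)
tampered[last] ^= 0x01
do { _ = try restore(tampered, key: key) } catch { print("rejected:", error) }
```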
Dynamic Analysis
There are several ways to perform dynamic analysis:
- For the actual persistence: Use the techniques described in the "Data Storage on iOS" chapter.
- For the serialization itself: Use a debug build or use Frida / objection to see how the serialization methods are handled (e.g., whether the application crashes or extra information can be extracted by enriching the objects).