MASTG-TEST-0300: References to APIs for Storing Unencrypted Data in Private Storage
Overview¶
This test checks whether the app writes unencrypted sensitive data to private storage. It focuses on:
- APIs that persist data in the app sandbox directories, including Foundation
FileManagermethods, low-level POSIX and BSD file I/O calls and high-level APIs such asUserDefaults, Core Data and SQLite wrappers. - Keychain APIs used to:
- store sensitive data directly within the Keychain
- manage keys from the Keychain (that could be used to encrypt data before writing to private storage).
Steps¶
- Run a static analysis tool such as radare2 for iOS and look for uses of file system APIs that create or write files.
- Run a static analysis tool such as radare2 for iOS and look for uses of Keychain APIs.
Observation¶
The output should contain:
- A list of locations where the app writes or may write data to private storage.
- A list of locations where the app uses Keychain APIs, including access control and accessibility attributes.
Evaluation¶
The test case fails if the sensitive data is not encrypted before being written to private storage or the Keychain API isn't used to store the sensitive data.