[Question] Does MASTG-TEST-0058 excludeFromBackup recommendation contradict MASTG-TEST-0215?

[Evylon]

MASTG Chapter

MASTG-TEST-0058.md Static Analysis

File Line Number

22

Context

The description recommends to use the isExcludedfromBackupKey system property. But according to MASTG-TEST-0215 using that very flag is a security vulnerability.

[Evylon]

Hi, I'm new here. Thanks for all your work, it's really amazing! I just watched the talk from t2con2024 and then looked into the iOS tests. Maybe I misunderstood something but I think the recommendation from the first test is in contradiction with the newer test. I tried joining you slack to reach out about this, but I was unable to join. In the invitation link it requires me to specify an @owasp.com or @owasp.org email, which I do not have.

[cpholguera]

Please try again to join using this link which is also now updated in our contact page:

https://join.slack.com/t/owasp/shared_invite/zt-30tg8azbk-F_bBrBLhIB~BAavbs0aJQA

[cpholguera]

Hi @Evylon, and welcome to the MAS project!

There are several things to consider:

• We are transitioning the MASTG from version 1 to version 2.
• Tests with IDs below 0200 are v1: these are in some cases outdated and as soon as they are updated they will show the "deprecation status" and a "deprecation banner".
• Tests with IDs above 0200 are v2: these are the new versions of the v1 tests, reviewed by experts and improved in terms of structure, scope and consistency.

MASTG-TEST-0058 (MASTG v1, old)

MASTG-TEST-0058 is a v1 test and may contain inaccurate or outdated information. In this case, the test states "You can use the NSURLIsExcludedFromBackupKey ... to exclude files and directories from backups."

• If an app doesn't use it, that does not imply a vulnerability.
• At the time of the writing of the test this was the general recommendation.

MASTG-TEST-0215 (MASTG v2, new)

Includes current and more accurate information and provides a link to the iOS documentation where Apple explains that this method doesn't guarantee the actual exclusion.

Quote from the iOS docs: "The isExcludedFromBackup resource value exists only to provide guidance to the system about which files and directories it can exclude; it’s not a mechanism to guarantee those items never appear in a backup or on a restored device."

• Relying on this method alone is not recommended, but if an application uses it, it's not a vulnerability.
• If the file to be protected contains sensitive data and is "protected" using this method alone, instead of using this method and encryption, that could be considered a vulnerability.
• MASTG-TEST-0215 will receive a new update soon (which will also deprecated the old v1 test). See https://github.com/OWASP/owasp-mastg/pull/3039/files