-
-
Notifications
You must be signed in to change notification settings - Fork 2.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
4 changed files
with
57 additions
and
0 deletions.
There are no files selected for viewing
36 changes: 36 additions & 0 deletions
36
demos/ios/MASVS-STORAGE/MASTG-DEMO-0021/MASTG-DEMO-0022.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| --- | ||
| platform: android | ||
| title: Testing Memory for Sensitive Data | ||
| id: MASTG-DEMO-0022 | ||
| code: [swift] | ||
| test: MASTG-TEST-0x60 | ||
| --- | ||
|
|
||
| ### Sample | ||
|
|
||
| The following samples contain: | ||
|
|
||
| - The Swift code simulates retrieving a secret from a server, then stores the secret in memory. | ||
|
|
||
| {{ MastgTest.swift }} | ||
|
|
||
| ### Steps | ||
|
|
||
| 1. Install the target app on your device. | ||
| 2. Exercise it to trigger storing some information into the memory | ||
| 3. Run `run.sh` | ||
| 4. Close the app once you finish testing. | ||
|
|
||
| {{ run.sh }} | ||
|
|
||
| ### Observation | ||
|
|
||
| We can see the string from the app's memory inside `output.txt`. | ||
|
|
||
| {{ output.txt }} | ||
|
|
||
| The app keeps a reference to `MAS_API_KEY=8767086b9f6f976g-a8df76` string. | ||
|
|
||
| ### Evaluation | ||
|
|
||
| The test fails because MAS_API_KEY=8767086b9f6f976g-a8df76 is found in memory. Although our code doesn’t explicitly retain this string, the UI TextView does. This makes it challenging to completely remove strings that are currently displayed. While you might accept some strings remaining in memory, you should still monitor their presence. However, if the string isn’t displayed on the screen but still appears in memory, this test definitely fails. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| import SwiftUI | ||
|
|
||
| struct MastgTest { | ||
|
|
||
| static func mastgTest(completion: @escaping (String) -> Void) { | ||
| // Base64 of "MAS_API_KEY=8767086b9f6f976g-a8df76" | ||
| let reseponseFromServer = "TUFTX0FQSV9LRVk9ODc2NzA4NmI5ZjZmOTc2Zy1hOGRmNzY=" | ||
|
|
||
| // Decode the Base64 string and handle potential nil values | ||
| guard let decodedData = Data(base64Encoded: reseponseFromServer), | ||
| let decodedString = String(data: decodedData, encoding: .utf8) else { | ||
| completion("Error: Failed to decode Base64 string.") | ||
| return | ||
| } | ||
|
|
||
| completion("The secret in the memory held by this TextView: \(decodedString)") | ||
| } | ||
| } |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| #!/bin/bash | ||
| python3 ./fridump.py -U -s MASTestApp | ||
| cat dump/strings.txt > output.txt |