Port MASTG-TEST-0052 (by @guardsquare)

tests-beta/ios/MASVS-STORAGE/MASTG-TEST-0x52-1.md

@@ -0,0 +1,31 @@
+---
+platform: ios
+title: Data Stored in Private Storage - Content Comparison Test
+id: MASTG-TEST-0x52-1
+type: [dynamic]
+weakness: MASWE-0006
+---
+
+## Overview
+
+This test retrieves files written to **Private Storage** regardless of the APIs used to write them. It uses a simple approach based on file retrieval from the device storage (@MASTG-TECH-0052) before and after the app is exercised to identify the files created during the app's execution and to check if they contain sensitive data.
+
+## Steps
+
+1. Start the device.
+
+2. Copy the content of app's private data directory (@MASTG-TECH-0052) to have as a reference for later analysis.
+
+3. Interact with the app to initiate filesystem writes.
+
+4. Take a second copy of the app's private data directory and diff it with the first copy to identify all files created or modified during your testing session.
+
+## Observation
+
+The output should contain a list of files that were created in the app's private storage during execution.
+
+## Evaluation
+
+The test case fails if you find any of this sensitive data.
+
+Attempt to identify and decode data that has been encoded using methods such as base64 encoding, hexadecimal representation, URL encoding, escape sequences, wide characters and common data obfuscation methods such as xoring. Also consider identifying and decompressing compressed files such as tar or zip. These methods obscure but do not protect sensitive data.

tests-beta/ios/MASVS-STORAGE/MASTG-TEST-0x52-2.md

@@ -0,0 +1,30 @@
+---
+platform: ios
+title: References to APIs for Accessing Private Storage
+id: MASTG-TEST-0x52-2
+type: [static]
+weakness: MASWE-0006
+---
+
+## Overview
+
+This test case focuses on identifying APIs that stores data in Private Storage
+
+## Steps
+
+1. Run a static analysis tool such as @MASTG-TOOL-0073 on the app binary.
+
+2. Search for APIs that indicates a use of Private Storage. This API includes:
+
+    - [UserDefaults](https://developer.apple.com/documentation/foundation/userdefaults)
+    - [documentDirectory](https://developer.apple.com/documentation/foundation/filemanager/searchpathdirectory/documentdirectory)
+    - [applicationSupportDirectory](https://developer.apple.com/documentation/foundation/filemanager/searchpathdirectory/applicationsupportdirectory)
+    - [userDomainMask](https://developer.apple.com/documentation/foundation/filemanager/searchpathdomainmask/1408037-userdomainmask)
+
+## Observation
+
+The output should contain a list locations from where the app writes data to Private Storage
+
+## Evaluation
+
+The test case fails if you find any use of these APIs on unencrypted sensitive data.

tests-beta/ios/MASVS-STORAGE/MASTG-TEST-0x52-3.md

@@ -0,0 +1,34 @@
+---
+platform: ios
+title: Secure Policy Of Data In Private Storage
+id: MASTG-TEST-0x52-3
+type: [static, dynamic]
+weakness: MASWE-0008
+---
+
+## Overview
+
+This test verifies whether the data is stored with secure policy inside the Keychain. Apple provides many policies that can enforce the user to:
+
+- authenticate with biometrics to access data ([kSecAccessControlBiometryAny](https://developer.apple.com/documentation/security/secaccesscontrolcreateflags/biometryany))
+- set up a password on the device to store data ([kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly](https://developer.apple.com/documentation/security/ksecattraccessiblewhenpasscodesetthisdeviceonly))
+- access this data only on the current device ([kSecAttrAccessibleWhenUnlockedThisDeviceOnly](https://developer.apple.com/documentation/security/ksecattraccessiblewhenunlockedthisdeviceonly))
+- and [more](https://developer.apple.com/documentation/security/item-attribute-keys-and-values#Accessibility-Values)
+
+## Steps
+
+1. Run a static analysis (e.g. @MASTG-TOOL-0073) on the app binary, or use @MASTG-TOOL-0038 to dynamically verify the properties of the keychain items during the app runtime.
+
+2. (Static analysis only) Search for APIs that indicates a use of Keychain. This API includes:
+    - SecItemAdd
+    - SecAccessControlCreateWithFlags
+
+3. Verify whether the APIs above make use of security policies mentioned in the Overview or [Apple's documentation](https://developer.apple.com/documentation/security/item-attribute-keys-and-values#Accessibility-Values)
+
+## Observations
+
+The output should allow you to identify security policies assigned to items in the keychain.
+
+## Evaluation
+
+The test case fails if the items in the Keychain don't satisfy your app's security requirements. For example, your app might store sensitive data that you want to keep accessible only on this device. Then, such an item in the Keychain should use `kSecAttrAccessibleWhenUnlockedThisDeviceOnly`.

tests/ios/MASVS-STORAGE/MASTG-TEST-0052.md

@@ -9,6 +9,8 @@ title: Testing Local Data Storage
 masvs_v1_levels:
 - L1
 - L2
+status: deprecated
+covered_by: [MASTG-TEST-0x52-1, MASTG-TEST-0x52-2, MASTG-TEST-0x52-3]
 ---
 
 ## Overview