Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Port MASTG-TEST-0082 (by @appknox) #3097

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Port MASTG-TEST-0082 (by @appknox) #3097

wants to merge 1 commit into from
+27 −0

Conversation

jeel38
Copy link
Collaborator

@jeel38 jeel38 commented Dec 16, 2024

closes #3010

cpholguera
cpholguera requested changes Dec 18, 2024
View reviewed changes
tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0x82.md

## Steps

1. Run a static analysis using @MASTG-TOOL-0111 to extract entitlements from the binary to check the value of the `get-task-allow` key and is set to `true`.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Prefer to use the technique instead of specific tools in TESTS

https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0111/

Also, let's do the evaluation (check for true, in this case) later.

Suggested change
1. Run a static analysis using @MASTG-TOOL-0111 to extract entitlements from the binary to check the value of the `get-task-allow` key and is set to `true`.
1. Use @MASTG-TECH-0111 to extract entitlements from the binary and obtain the value of the `get-task-allow` key.

tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0x82.md
## Steps

1. Run a static analysis using @MASTG-TOOL-0111 to extract entitlements from the binary to check the value of the `get-task-allow` key and is set to `true`.
2. Run a [dynamic analysis](../../../techniques/ios/MASTG-TECH-0084.md) using @MASTG-TOOL-0057.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The static analysis step should be enough. However, you still can refer to this TECH. See overview

tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0x82.md

## Observation

The entitlement get-task-allow is false, and anti-reverse engineering measures prevent debugger attachment attempts.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The entitlement get-task-allow is false, and anti-reverse engineering measures prevent debugger attachment attempts.
The output contains the value of the `get-task-allow` entitlement.

tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0x82.md

## Evaluation

The test fails as the entitlement get-task-allow is true, allowing debugger attachment.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The test fails as the entitlement get-task-allow is true, allowing debugger attachment.
The test fails if the `get-task-allow` entitlement is `true`.

tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0x82.md

## Overview

The test evaluates whether an iOS application is configured to allow debugging. If an app is debuggable, attackers can leverage debugging tools to reverse-engineer the application, analyse its runtime behaviour, and potentially compromise sensitive data or functionality.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The test evaluates whether an iOS application is configured to allow debugging. If an app is debuggable, attackers can leverage debugging tools to reverse-engineer the application, analyse its runtime behaviour, and potentially compromise sensitive data or functionality.
The test evaluates whether an iOS application is configured to allow debugging. If an app is debuggable, attackers can leverage debugging tools (see @MASTG-TECH-0084) to analyse the runtime behaviour of the app, and potentially compromise sensitive data or functionality.

@cpholguera
Copy link
Collaborator

First round of review done. Please remember to include a demo using https://github.com/cpholguera/MASTestApp-iOS

Thanks a lot @jeel38!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cpholguera cpholguera cpholguera requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
changes-requested
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

MASTG v1->v2 MASTG-TEST-0082: Testing whether the App is Debuggable (ios)
2 participants
@jeel38 @cpholguera