MASTG-TEST-0090: Testing File Integrity Checks
This test will be updated soon
The test can be used in its current form, but it will receive a complete overhaul as part of the new OWASP MASTG v2 guidelines.
Help us out by submitting a PR for: MASTG v1->v2 MASTG-TEST-0090: Testing File Integrity Checks (ios)
Overview¶
Application Source Code Integrity Checks:
Run the app on the device in an unmodified state and make sure that everything works. Then apply some patches to the executable (e.g. see Injecting Frida Gadget into an IPA Automatically), re-sign the app ( Signing IPA files), and run it.
The app should respond in some way. For example by:
- Alerting the user and asking for accepting liability.
- Preventing execution by gracefully terminating.
- Securely wiping any sensitive data stored on the device.
- Reporting to a backend server, e.g, for fraud detection.
Work on bypassing the defenses and answer the following questions:
- Can the mechanisms be bypassed trivially (e.g., by hooking a single API function)?
- How difficult is identifying the detection code via static and dynamic analysis?
- Did you need to write custom code to disable the defenses? How much time did you need?
- What is your assessment of the difficulty of bypassing the mechanisms?
File Storage Integrity Checks:
Go to the app data directories as indicated in Accessing App Data Directories and modify some files.
Next, work on bypassing the defenses and answer the following questions:
- Can the mechanisms be bypassed trivially (e.g., by changing the contents of a file or a key-value pair)?
- How difficult is obtaining the HMAC key or the asymmetric private key?
- Did you need to write custom code to disable the defenses? How much time did you need?
- What is your assessment of the difficulty of bypassing the mechanisms?