MASTG-TEST-0215: Sensitive Data Not Marked For Backup Exclusion

Overview¶

This test verifies whether your app uses the isExcludedFromBackup API to instruct the system to exclude sensitive files from backups. This API does not guarantee the actual exclusion. According to the documentation:

"The isExcludedFromBackup resource value exists only to provide guidance to the system about which files and directories it can exclude; it's not a mechanism to guarantee those items never appear in a backup or on a restored device."

In this test, we identify all locations where the isExcludedFromBackup API is used to mark files that might still end up in a backup.

Note: Files stored in an app's /tmp and /Library/Caches directories are excluded from iCloud backups. These directories are intended for temporary or cache data, and the system may automatically delete their contents at any time to free up space. Therefore, you don't need to mark these files with isExcludedFromBackup. For more details, see the Apple documentation.

Steps¶

Run a static analysis tool such as radare2 for iOS on the app binary, or use a dynamic analysis tool like Frida for iOS, and look for uses of the isExcludedFromBackup API.

Observation¶

The output should contain the disassembled code of the functions using isExcludedFromBackup, and, if possible, the list of affected files.

Evaluation¶

The test fails if the isExcludedFromBackup API is used and any of the affected files are considered sensitive.

For any sensitive files found, in addition to using isExcludedFromBackup, make sure to encrypt them, as isExcludedFromBackup does not guarantee exclusion.

Mitigations¶

Exclude Sensitive Information from Backups

Demos¶

MASTG-DEMO-0019: Uses of isExcludedFromBackupKey with r2