Skip to content

MASTG-TEST-0300: References to APIs for Storing Unencrypted Data in Private Storage

Overview

This test checks whether the app writes unencrypted sensitive data to private storage. It focuses on:

  • APIs that persist data in the app sandbox directories, including Foundation FileManager methods, low-level POSIX and BSD file I/O calls and high-level APIs such as UserDefaults, Core Data and SQLite wrappers.
  • Keychain APIs used to:
    • store sensitive data directly within the Keychain
    • manage keys from the Keychain (that could be used to encrypt data before writing to private storage).

Steps

  1. Use Exploring the App Package to extract the relevant binaries from app package.
  2. Use Static Analysis on iOS to look for the relevant APIs in the app binaries.

Observation

The output should contain:

  • A list of locations where the app writes or may write data to private storage.
  • A list of locations where the app uses Keychain APIs, including access control and accessibility attributes.

Evaluation

The test case fails if the sensitive data is not encrypted before being written to private storage or the Keychain API isn't used to store the sensitive data.

Best Practices

MASTG-BEST-0024: Store Data Encrypted in App Sandbox Directory