Update MASWE-0002 #3114

TheDauntless · 2025-01-15T13:20:06Z

This MASWE would fit the insecure usage of keychain too.

cpholguera · 2025-01-15T13:29:06Z

weaknesses/MASVS-STORAGE/MASWE-0002.md

@@ -22,6 +22,7 @@ draft:
  - improperly configured FileProvider (Android)
  - Avoid the deprecated MODE_WORLD_WRITEABLE and MODE_WORLD_READABLE modes for IPC files, see https://developer.android.com/privacy-and-security/security-tips#internal-storage. They don't provide the ability to limit data access to particular applications, and they don't provide any control of data format. If you want to share your data with other app processes, consider using a content provider instead, which offers read and write permissions to other apps and can make dynamic permission grants on a case-by-case basis.
 status: draft
+  - Keychain items protected with weak protections such as kSecAttrAccessibleAlways, kSecAttrAccessibleAfterFirstUnlock, kSecAttrAccessibleWhenUnlocked


Specify that this is exclusively for iOS and applies to arbitrary data and not crypto keys as part of this weakness. Something like that to make the separation of concerns between weaknesses clear.

Update MASWE-0002.md

12220c5

TheDauntless requested a review from cpholguera January 15, 2025 13:22

cpholguera requested changes Jan 15, 2025

View reviewed changes

cpholguera changed the title ~~Update MASWE-0002.md~~ Update MASWE-0002 Jan 16, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update MASWE-0002 #3114

Update MASWE-0002 #3114

TheDauntless commented Jan 15, 2025

cpholguera Jan 15, 2025

Update MASWE-0002 #3114

Are you sure you want to change the base?

Update MASWE-0002 #3114

Conversation

TheDauntless commented Jan 15, 2025

cpholguera Jan 15, 2025

Choose a reason for hiding this comment