New weaknesses regarding 3rd party libs #11
Changes from 5 commits
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| --- | ||
| title: Sensitive Data Leaked via Embedded Libraries | ||
| id: MASWE-xxxA | ||
| alias: data-leak-libraries | ||
| platform: [android, ios] | ||
| profiles: [P] | ||
| mappings: | ||
| masvs-v2: [MASVS-PLATFORM-3, MASVS-STORAGE-2] | ||
| cwe: [200, 359] | ||
| draft: | ||
| description: Embedded third-party libraries (e.g. analytics, advertising, or crash reporting) can leak sensitive data to external services. Review the usage of embedded libraries to ensure they do not leak sensitive data outside of the expected SLA. This targets user Privacy. MASWE-0076 tests security. | ||
| status: placeholder | ||
| --- |
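Review bot: the `description` field mixes the weakness text with an author's note ("This targets user Privacy. MASWE-0076 tests security."), and the phrase "outside of the expected SLA" is unclear; keep the field to the weakness itself, state plainly which boundary the data must not cross, and move the relation to MASWE-0076 into the PR discussion or a dedicated field. The `masvs-v2` mapping lists only MASVS-PLATFORM-3 and MASVS-STORAGE-2 although the text says the weakness targets user privacy, so a MASVS-PRIVACY control appears to be missing from the mapping. `id: MASWE-xxxA` and `status: placeholder` need real values before merge, and `draft:` is an empty key immediately followed by `description` and `status`, so check the indentation in the committed YAML.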
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| --- | ||
| title: Dependencies Know to be Malicious | ||
| id: MASWE-xxxB | ||
| alias: data-leak-malicious-libraries | ||
| platform: [android, ios] | ||
| profiles: [L1,L2] | ||
| mappings: | ||
| masvs-v2: [MASVS-PLATFORM-3, MASVS-STORAGE-2] | ||
Collaborator
CODE?
| cwe: [200, 359] | ||
| draft: | ||
| description: Embedded third-party libraries known to be malicious can leak sensitive data to external services. These libraries have access to e.g. ApplicationContext on Android or the full app memory on iOS. This gives them access to read data stored on the disk or in memory and thus could act as an insider threat within the app's process and boundaries. Apply supply chain security best practices to ensure the integrity of embedded libraries such as SBOM checks. | ||
Collaborator
The fact that the library/SDK is malicious should be irrelevant as weaknesses are generic. The focus here should be put on the fact that the app includes libraries/SDKs already known to be malicious, regardless of what exactly they do. Those "bad" things they do should all be covered by other weaknesses.
| status: placeholder | ||
| --- | ||
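Review bot: the title has a typo, "Dependencies Know to be Malicious" should read "Dependencies Known to be Malicious". The alias `data-leak-malicious-libraries` and the description frame this as a data-leak weakness, while the point (also raised in the comments above) is that the app includes a dependency already known to be malicious, whatever that dependency does; rename the alias along the lines of `known-malicious-dependencies` and trim the description to the inclusion itself plus the mitigation (supply chain checks, SBOM). `profiles: [L1,L2]` here versus `[P]` in the sibling file is inconsistent for two closely related weaknesses; pick one deliberately. `id: MASWE-xxxB` and `status: placeholder` need real values before merge.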
As discussed in our previous call, this can be removed. The fact that the responsible component is an SDK vs the main app binary is typically not relevant at the MASWE level. This is very intentional, otherwise we'd have to duplicate most of the weaknesses.
This weakness should cover this topic:
https://mas.owasp.org/MASWE/MASVS-PRIVACY/MASWE-0112/
Title and content may be updated (on a separate PR) to reflect both collection and sharing.