8 changes: 4 additions & 4 deletions tests-beta/android/MASVS-PRIVACY/MASTG-TEST-0206.md
@@ -1,6 +1,6 @@
---
platform: android
title: Sensitive Data in Network Traffic Capture
title: Undeclared PII in Network Traffic Capture
id: MASTG-TEST-0206
type: [dynamic, network]
weakness: MASWE-0108
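Review bot: the new title narrows the test from "Sensitive Data" to "Undeclared PII", but the `weakness: MASWE-0108` and `type: [dynamic, network]` lines in this hunk are left unchanged; please confirm in the PR description that MASWE-0108 still matches the narrowed scope (PII that is missing from the app's declarations) or adjust the mapping, so the title, weakness and the Evaluation section stay consistent.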
Expand All @@ -15,7 +15,7 @@ profiles: [P]

Attackers may capture network traffic from Android devices using an intercepting proxy, such as @MASTG-TOOL-0079, @MASTG-TOOL-0077, or @MASTG-TOOL-0097, to analyze the data being transmitted by the app. This works even if the app uses HTTPS, as the attacker can install a custom root certificate on the Android device to decrypt the traffic. Inspecting traffic that is not encrypted with HTTPS is even easier and can be done without installing a custom root certificate for example by using @MASTG-TOOL-0081.

The goal of this test is to verify that sensitive data is not being sent over the network, even if the traffic is encrypted. This test is especially important for apps that handle sensitive data, such as financial or health data, and should be performed in conjunction with a review of the app's privacy policy and the App Store Privacy declarations.
The goal of this test is to verify that sensitive data, specifically PII, is not being sent over the network, even if the traffic is encrypted. This test is especially important for apps that handle sensitive data, such as financial or health data, and should be performed in conjunction with a review of the app's privacy policy and the Data Safety section declarations in Google Play (if the app is published there).

## Steps

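Review bot: "sensitive data, specifically PII" in the rewritten goal sentence reads as two different scopes in one clause; since the title and Evaluation now target PII only, consider "verify that PII is not being sent over the network, even if the traffic is encrypted" and keep "sensitive data, such as financial or health data" in the following sentence as the motivating case. The replacement of "App Store Privacy declarations" with "the Data Safety section declarations in Google Play (if the app is published there)" is the right fix for an `android` test, but the unchanged context paragraph above still speaks of "sensitive data" generally, so a one-word alignment there would keep the section coherent.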
Expand All @@ -25,10 +25,10 @@ The goal of this test is to verify that sensitive data is not being sent over th

## Observation

The output should contain a network traffic sensitive data log that includes the decrypted HTTPS traffic.
The output should contain a network traffic log that includes the decrypted HTTPS traffic.

## Evaluation

The test case fails if you can find the sensitive data you entered in the app that is not stated in the App Store Privacy declarations.
The test case fails if you can find the PII you entered in the app that is not declared in the app's Data Safety section in Google Play (if applicable) and/or in its privacy policy.

Note that this test does not provide any code locations where the sensitive data is being sent over the network. In order to identify the code locations, you can use static analysis tools like @MASTG-TOOL-0110 or dynamic analysis tools like @MASTG-TOOL-0031.
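Review bot: the new Evaluation sentence "not declared in the app's Data Safety section in Google Play (if applicable) and/or in its privacy policy" leaves the failure condition ambiguous: it is unclear whether PII found in traffic that is declared in the privacy policy but missing from the Data Safety section (or vice versa) is a fail. Suggest stating it explicitly, for example "The test case fails if you find PII you entered in the app in the captured traffic and that PII is not declared in the app's privacy policy, or, if the app is published on Google Play, in its Data Safety section." The unchanged closing note still refers to "the sensitive data", which should become "the PII" now that the rest of the section has been renamed.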