Conversation

Contributor

Copilot AI commented Nov 16, 2025

This PR closes #3446

Description

Ports MASTG-TEST-0067 (Testing Endpoint Identity Verification) from v1 to v2 format for the iOS platform.

New v2 test (tests-beta/ios/MASVS-NETWORK/MASTG-TEST-0067.md):

  • Maps to MASWE-0052 (certificate validation weakness, consistent with Android network tests)
  • Profiles: L1, L2
  • Type: static, dynamic
  • References best practice: MASTG-BEST-0025
  • Covers three attack vectors:
    • ATS exceptions in Info.plist (global disables, insecure domain configs)
    • Lower-level networking APIs bypassing ATS (CFStream, BSD Sockets, Network framework)
    • Custom URLSessionDelegate implementations that bypass certificate checks
  • References: @MASTG-KNOW-0071 (ATS), @MASTG-TECH-0092 (Info.plist), @MASTG-TECH-0058 (reverse engineering), @MASTG-TECH-0062 (network interception)
  • Testing approach: static analysis of config/code + dynamic traffic interception with/without proxy certificates

V1 test deprecation (tests/ios/MASVS-NETWORK/MASTG-TEST-0067.md):

  • Added deprecation metadata pointing to v2 test

New best practice (best-practices/MASTG-BEST-0025.md): "Properly Configure App Transport Security"

  • Explains ATS security features and benefits
  • Provides guidance on minimizing ATS exceptions
  • Shows secure vs insecure configuration examples
  • References official Apple documentation

New demo (demos/ios/MASVS-NETWORK/MASTG-DEMO-0068): "Insecure App Transport Security Configuration"

  • Demonstrates Info.plist with NSAllowsArbitraryLoads enabled (fails MASTG-TEST-0067)
  • Includes working run.sh script to extract ATS configuration
  • Provides clear evaluation of security implications
  • References MASTG-BEST-0025

[x] I have read the contributing guidelines.

Original prompt

This section details the original issue you should resolve

<issue_title>MASTG v1->v2 MASTG-TEST-0067: Testing Endpoint Identity Verification (ios)</issue_title>
<issue_description>
Create a new MASTG v2 test covering for":

Follow the guidelines
</issue_description>

<agent_instructions>While doing this task, follow the instructions in .github/instructions/porting-mastg-v1-tests-to-v2.instructions.md</agent_instructions>

Comments on the Issue (you are @copilot in this section)
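The static-analysis half of the test, as an added example that is not the demo's run.sh and not MASTG project code: a small Python checker that parses an Info.plist with the standard library and reports the ATS settings the test looks for (global NSAllowsArbitraryLoads-style keys and weakened NSExceptionDomains entries). Both plists below are constructed samples, and the domain example.com is a placeholder.

```python
import plistlib

# Constructed sample Info.plist (not from the MASTG demo) with an ATS global disable and a weak domain exception
INSECURE_PLIST = b"""<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

# Constructed secure configuration: no NSAppTransportSecurity dictionary at all, so the ATS defaults apply
SECURE_PLIST = b"""<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>org.example.app</string>
</dict></plist>"""

GLOBAL_FLAGS = ("NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsInWebContent",
                "NSAllowsArbitraryLoadsForMedia", "NSAllowsLocalNetworking")

def ats_findings(plist_bytes):
    """Return (scope, reason) tuples for every ATS setting that weakens the default protections."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    for flag in GLOBAL_FLAGS:          # global disables apply to every connection the app makes
        if ats.get(flag) is True:
            findings.append(("global", flag))
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" (+subdomains)" if cfg.get("NSIncludesSubdomains") else "")
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads") is True:   # plain HTTP allowed
            findings.append((scope, "NSExceptionAllowsInsecureHTTPLoads"))
        if cfg.get("NSExceptionRequiresForwardSecrecy") is False:   # PFS requirement dropped
            findings.append((scope, "NSExceptionRequiresForwardSecrecy=false"))
        tls = cfg.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):                            # below the ATS default of TLS 1.2
            findings.append((scope, "NSExceptionMinimumTLSVersion=" + tls))
    return findings

if __name__ == "__main__":
    for name, blob in (("insecure", INSECURE_PLIST), ("secure", SECURE_PLIST)):
        print(name, ats_findings(blob) or "no ATS weaknesses found")
```

To check a real app, read the plist bytes from the extracted Info.plist (binary plists are handled by plistlib as well) and pass them to ats_findings; an empty list means the test passes on the configuration side only, since the API-level and delegate-level checks still need code review and traffic interception.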



Copilot AI and others added 4 commits November 16, 2025 13:59
Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
Copilot AI changed the title [WIP] Add MASTG v2 test for endpoint identity verification Port MASTG-TEST-0067: Testing Endpoint Identity Verification (iOS) to v2 Nov 16, 2025
Copilot AI requested a review from cpholguera November 16, 2025 14:06
Copilot finished work on behalf of cpholguera November 16, 2025 14:06
@cpholguera
Collaborator

@copilot please also create a best practice file and at least one demo for this test.

- Created MASTG-BEST-0025: Properly Configure App Transport Security
- Created MASTG-DEMO-0068: Insecure App Transport Security Configuration
- Updated MASTG-TEST-0067 to reference the new best practice

Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
Contributor Author

Copilot AI commented Nov 16, 2025

@copilot please also create a best practice file and at least one demo for this test.

Done! I've added:

Best Practice (MASTG-BEST-0025): "Properly Configure App Transport Security"

  • Explains how to use ATS securely
  • Provides guidance on minimizing exceptions
  • Shows secure vs insecure configuration examples

Demo (MASTG-DEMO-0068): "Insecure App Transport Security Configuration"

  • Demonstrates Info.plist with NSAllowsArbitraryLoads enabled
  • Includes working run.sh script
  • Shows clear evaluation of the security issue

The test now references the best practice. Commit: 349d260

Copilot finished work on behalf of cpholguera November 16, 2025 14:23