Port MASTG-TEST-0080: Testing Enforced Updating (ios) and MASTG-TEST-0036: Testing Enforced Updating (android) #3048
Conversation
|
The Evaluation doesn't give 100% certainty, so I don't know how to write this down. Do we add a disclaimer? |
| ## Steps | ||
|
|
||
| 1. Examine the startup flow of the application. Identify if the application calls out to a backend with the application's version information included. | ||
| 2. Examine if the application can handle a specific response from the backend indicating that the application must be updated. For example, the application might evaluate the response from the backend and show a specific error message. Note that the error message can also come from the backend, so the lack of a custom error message in the application does not mean that the feature isn't implemented. |
There was a problem hiding this comment.
Perhaps this part should be clarified? Perhaps it could be written like this:
- Examine if the application can handle a specific response from the backend indicating that the application must be updated. For example by showing or evaluating an error message retrieved from an API or the mobile application.
|
|
||
| ## Evaluation | ||
|
|
||
| The test case fails if the application does not contain any logic to handle a forced application update. Additionally, the test case fails if the application informs the user that they must update, but the user can ignore the prompt and still use the application. |
There was a problem hiding this comment.
I feel the evaluation contradict the observation a bit.
cpholguera
changed the title
cpholguera
changed the title
|
@cpholguera i can review the pull request, pls assign. |
|
|
||
| ## Overview | ||
|
|
||
| When a vulnerability is found in the app, it should be possible to force the user to update the application to continue using it. |
There was a problem hiding this comment.
The overview is not matching the testcase description.
| ## Steps | ||
|
|
||
| 1. Obtain a MitM position between the application and its backend (see @MASTG-TECH-0011). | ||
| 2. Identify if version information is sent to the backend. This can be as part of a header, the URL, a URL parameter or the HTTP body. |
There was a problem hiding this comment.
Test to verify if user can bypass or circumevent the update prompt by cancelling the update is missing. Also add to use older version of application.
|
|
||
| ## Observation | ||
|
|
||
| The server responds differently to older versions. |
There was a problem hiding this comment.
Observation should be based on the demo output.
There was a problem hiding this comment.
The definition of the Observation has nothing to do with the demo/s. The demos may not yet exist as is the case here.
See https://docs.google.com/document/d/1EMsVdfrDBAu0gmjWAUEs60q-fWaOmDB5oecY9d9pOlg/edit?usp=drivesdk
Observation
This is the output you get after executing all steps. It serves as evidence.
Examples: method trace for specific APIs, network traffic trace filtered in some way, hooking events containing sensitive data (indicating which APIs handle that data).
It should start with “The output should contain …”.
Example:
## Observation
The output should contain a **list of locations where insecure random APIs are used**.
| ## Steps | ||
|
|
||
| 1. Examine the startup flow of the application. Identify if the application calls out to a backend with the application's version information included. | ||
| 2. Examine if the application can handle a specific response from the backend indicating that the application must be updated. For example, the application might evaluate the response from the backend and show a specific error message. Note that the error message can also come from the backend, so the lack of a custom error message in the application does not mean that the feature isn't implemented. |
There was a problem hiding this comment.
The described test case is a dynamic test, for static test it should be using r2.
There was a problem hiding this comment.
Tests do not use any specific tools. They must link to techniques. Demos do use specific tools.
|
|
||
| ## Evaluation | ||
|
|
||
| The test case fails if the application does not contain any logic to handle a forced application update. Additionally, the test case fails if the application informs the user that they must update, but the user can ignore the prompt and still use the application. |
There was a problem hiding this comment.
The evaluation should be based on demo and the result from its observations.
There was a problem hiding this comment.
Not correct, see other related comments.
|
|
||
| ## Observation | ||
|
|
||
| The application contains specific logic to handle a force-update event. The user may be able to ignore the prompt and continue using the application, or they may be unable to use the application without updating. |
There was a problem hiding this comment.
As explained above the observation should be based on result from demo app using decomplied binary.
There was a problem hiding this comment.
Not correct, see other related comments.
|
@ScreaMy7 This applies to all current and future PR reviews. Please use the suggestions when reviewing, unless it isn't possible for some reason (for example, if a file is missing and needs to be added). This speeds up the review process for both parties. In this case, since I have access, I went ahead and made the necessary changes myself to speed up the process even more, but the regular procedure would be to make suggestions and allow the author to review and incorporate them (unless they disagree, of course). Thank you. |
- Clarify Overview sections: include Play In-App Updates details for Android and CFBundle/version retrieval for iOS. - Expand and standardize Steps: add specific static and dynamic analysis guidance (MITM, dynamic instrumentation, tech refs). - Improve Observation: list expected artifacts (network trace, method trace), - Improve Evaluation: spell out failure criteria, and add "Additional Verification" steps for manual checks. - Normalize wording, fix typos, and align examples across Android and iOS test files.
…and StoreKit - Add iTunes Search API lookup checks and parsing (resultCount, results[0].version, results[0].trackViewUrl) to dynamic and static tests - Expand instrumentation guidance to include parsing logic, UIApplication.open, and SKStoreProductViewController - Improve observations and verification steps (include lookup stubbing/replay and iTunes lookup-related evaluation)
…okup / StoreKit details - Rewrote guidance to explain iOS has no built-in enforced-update API and outline developer responsibilities - Added App Store Lookup API example endpoint and description of how to compare versions - Documented SKStoreProductViewController and App Store URL alternatives for update UX - Mentioned common open-source libraries and linked to App Store Connect / Review Guidelines - Emphasized backend/API lifecycle considerations and testing of older app versions
…tes API; add AppUpdateManager, update modes, usage, and backend-gated flow recommendations
There was a problem hiding this comment.
This test is also being added in https://github.com/OWASP/mastg/pull/3462/files#diff-a9d53408e3663c96701c37c093b01bd6f1a167e734915d13c6f1cdc2a6a02bf0
Let's make sure that any final content from here is added as suggestions to that PR or the test is removed from that PR and only added in this one.
|
|
||
| Keep in mind that updating the app does not resolve vulnerabilities residing on backend systems. A secure update mechanism should complement proper API and service lifecycle management. Similarly, if users are not forced to update, test older app versions against your backend and apply API versioning and deprecation policies to maintain security and stability across all supported releases. | ||
|
|
||
| ## Google Play In‑App Updates API |
There was a problem hiding this comment.
Thank you for submitting a Pull Request to the OWASP MASTG. Please make sure that:
If your PR is related to an issue. Please end your PR test with the following line:
This PR closes #2988 and closes #2994