Reino: Security Features

Segurança de software não é o mesmo que software de segurança. Aqui, estamos interessados em tópicos como autenticação, controle de acesso, confidencialidade, criptografia e gestão de privilégios.

Privacy Violation: Health Information

Abstract

A função identificada não trata as informações de saúde devidamente. Este programa poderia comprometer a privacidade do usuário.

Explanation

Vazamentos de informações de saúde privadas ocorrem quando:

1. As informações de saúde do usuário são inseridas no programa.

2. Os dados são gravados em um local externo, como o console, o sistema de arquivos ou a rede.
Exemplo 1: O código a seguir recupera o tipo sanguíneo do usuário do armazenamento HealthKit e o envia para um servidor enquanto o registra em log no dispositivo. Embora muitos desenvolvedores confiem nos arquivos de log como um local de armazenamento seguro para todos e quaisquer dados, eles não devem ser implicitamente confiáveis, especialmente quando a privacidade é uma preocupação.


    ...
    HKHealthStore healthStore = new HKHealthStore();
    HKBloodTypeObject blood = healthStore.GetBloodType(null);

    NSLog("%@", blood.BloodType);

	var urlWithParams = String.format(TOKEN_URL, block.BloodType);
	var responseString = await client.GetStringAsync(urlWithParams);
    ...

Observação: A API Apple Logging, que tem um nível inferior em relação à função NSLog, permite que um desenvolvedor crie um aplicativo que pode ler todos os logs no dispositivo (mesmo quando eles não são proprietários dos outros aplicativos).

Outras áreas de interesse para manter a privacidade dos dados do usuário surgem quando um dispositivo é perdido ou roubado. Uma vez em poder de um dispositivo iOS, um invasor pode acessar uma grande quantidade de dados conectando o dispositivo via USB. Arquivos como listas de propriedade iOS (iOS Property Lists, plists) e bancos de dados SQLite são facilmente acessados e podem revelar informações pessoais. Como regra geral, os detalhes de saúde privados não devem ser armazenados sem proteção no sistema de arquivos.

Exemplo 2: Este código adiciona um tipo sanguíneo do usuário à lista de padrões do usuário e os armazena imediatamente em um arquivo plist.


    ...
    HKHealthStore healthStore = new HKHealthStore();
    HKBloodTypeObject blood = healthStore.GetBloodType(null);

    // Add blood type to user defaults
	NSUserDefaults.StandardUserDefaults.SetString(blood.BloodType, "bloodType");
    ...

Em resposta ao tratamento inadequado dos dados privados, a coleta e o gerenciamento de dados privados estão se tornando cada vez mais regulamentados. Em relação às informações de saúde, uma organização pode ser obrigada a cumprir um ou mais dos seguintes regulamentos federais e estaduais:

- Safe Harbor Privacy Framework [2]

- Gramm-Leach Bliley Act (GLBA) [3]

- Health Insurance Portability and Accountability Act (HIPAA) [4]

- California SB-1386 [5]

Apesar dessas normas, violações de privacidade continuam a ocorrer com uma frequência alarmante.

References

[1] Privacy Initiatives U.S. Federal Trade Commission

[2] Safe Harbor Privacy Framework U.S. Department of Commerce

[3] Financial Privacy: The Gramm-Leach Bliley Act (GLBA) Federal Trade Commission

[4] Health Insurance Portability and Accountability Act (HIPAA) U.S. Department of Human Services

[5] California SB-1386 Government of the State of California

[6] Standards Mapping - Common Weakness Enumeration CWE ID 359

[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200

[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200

[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200

[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200

[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000169, CCI-000196, CCI-000197, CCI-001199, CCI-001312, CCI-001314

[12] Standards Mapping - General Data Protection Regulation (GDPR) Privacy Violation

[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AU-12 Audit Generation (P1), IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1), SI-11 Error Handling (P2)

[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AU-12 Audit Record Generation, IA-5 Authenticator Management, SC-28 Protection of Information at Rest, SI-11 Error Handling

[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 10.2.1 Malicious Code Search (L2 L3)

[16] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage

[17] Standards Mapping - OWASP Mobile 2024 M6 Inadequate Privacy Controls

[18] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-PLATFORM-2, MASVS-STORAGE-1

[19] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.6, Requirement 8.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.2.1

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.2.1

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.2.1

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.2.1

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1, Requirement 4.2.2, Requirement 8.3.1

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.1, Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 4.2.2, Requirement 8.3.1

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II

[57] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[58] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.dataflow.dotnet.privacy_violation_health_information

Abstract

A função identificada não trata as informações de saúde devidamente. Este programa poderia comprometer a privacidade do usuário.

Explanation


    ...
    HKHealthStore *healthStore = [[HKHealthStore alloc] init];
    HKBloodTypeObject *blood = [healthStore bloodTypeWithError:nil];

    NSLog(@"%@", [blood bloodType]);

    NSString *urlWithParams = [NSString stringWithFormat:TOKEN_URL, [blood bloodType]];

    NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:urlWithParams]];
    [request setHTTPMethod:@"GET"];
    [[NSURLConnection alloc] initWithRequest:request delegate:self];
    ...


    ...
    HKHealthStore *healthStore = [[HKHealthStore alloc] init];
    HKBloodTypeObject *blood = [healthStore bloodTypeWithError:nil];

    // Add blood type to user defaults
    [defaults setObject:[blood bloodType] forKey:@"bloodType"];

    [defaults synchronize];
    ...