From faaddee83c162d75bcd19d83b7e42e21df9bb5b5 Mon Sep 17 00:00:00 2001 From: Sven Schleier Date: Wed, 10 Sep 2025 06:27:06 +0200 Subject: [PATCH 1/2] draft MASWE-0100 --- weaknesses/MASVS-RESILIENCE/MASWE-0100.md | 37 +++++++++++++++++++---- 1 file changed, 31 insertions(+), 6 deletions(-) diff --git a/weaknesses/MASVS-RESILIENCE/MASWE-0100.md b/weaknesses/MASVS-RESILIENCE/MASWE-0100.md index 14055f5..4e9ea28 100644 --- a/weaknesses/MASVS-RESILIENCE/MASWE-0100.md +++ b/weaknesses/MASVS-RESILIENCE/MASWE-0100.md @@ -19,12 +19,37 @@ refs: - https://github.com/iansampson/AppAttest - https://github.com/firebase/firebase-ios-sdk/blob/v8.15.0/FirebaseAppCheck/Sources/AppAttestProvider/DCAppAttestService%2BFIRAppAttestService.h - https://blog.restlesslabs.com/john/ios-app-attest -draft: - description: The app doesn't use App Attestation APIs, such as Google Play Integrity API, iOS DeviceCheck API,so the backend cannot ensure requests originate from a genuine app binary (CWE-693). This exposes the app to tampering, fraud, replay attacks, and unauthorized use of premium features. - topics: - - detection in place - - Effectiveness Assessment (e.g. bypassing the detection) -status: placeholder +status: new --- +## Overview + +Device attestation is a security mechanism that allows a mobile application or backend service to verify the integrity and trustworthiness of the environment in which the application is running. It provides cryptographic proof that the device has not been tampered with. + +In this context it need to be differentiated between attestation and assertion: + +- **Attestation** - Occurs during the registration phase, when your app initially connects to your server. +- **Assertion** - Is used during subsequent interactions, whenever the app needs to authenticate again or make further requests. + +If device attestation is used also app attestation should be considered to confirm that the application instance is genuine. App attestation provides cryptographic proof that the app instance is trustworthy and genuine. + +Attestation can be performed locally on the device or remotely through a backend service. Local checks rely on the application itself to verify system integrity, but these can be bypassed by attackers with sufficient control over the environment (e.g., through hooking and modifying the app during runtime). Server-side attestation shifts the verification to a backend service, which can make it harder for attackers to tamper with the verification logic. + +To summarize: + +- **Device attestation** confirms the environment is trustworthy. +- **App attestation** confirms the app instance is trustworthy. + +If the app doesn't use attestation APIs or services the backend cannot ensure requests originate from a genuine app binary and from a trusted platform. + +## Impact + +- **Abuse of Functionality**: Backend systems cannot distinguish between legitimate and tampered apps, enabling abuse such as fake account creation, fraud or unauthorized use of premium features. +- **App Executed in outdated Environment**: Users may run the application on outdated platforms that have no security patches installed. +- **App Executed in untrusted Environment**: Attackers may run the application on rooted or jailbroken devices without detection. + +## Mode of Introduction + +- **Weak Architecture**: The application does not include device attestation in its security model, assuming the device environment can be trusted. +- **Reliance on Weak Checks**: Instead of proper attestation, the app only performs basic root/jailbreak detection, which is easily bypassed. From 4a5a0659757159c33dfb1d6a52f4824e97806751 Mon Sep 17 00:00:00 2001 From: Sven Date: Tue, 11 Nov 2025 15:37:54 +0100 Subject: [PATCH 2/2] Update weaknesses/MASVS-RESILIENCE/MASWE-0100.md Co-authored-by: Carlos Holguera --- weaknesses/MASVS-RESILIENCE/MASWE-0100.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/weaknesses/MASVS-RESILIENCE/MASWE-0100.md b/weaknesses/MASVS-RESILIENCE/MASWE-0100.md index 4e9ea28..aad479c 100644 --- a/weaknesses/MASVS-RESILIENCE/MASWE-0100.md +++ b/weaknesses/MASVS-RESILIENCE/MASWE-0100.md @@ -49,7 +49,7 @@ If the app doesn't use attestation APIs or services the backend cannot ensure re - **App Executed in outdated Environment**: Users may run the application on outdated platforms that have no security patches installed. - **App Executed in untrusted Environment**: Attackers may run the application on rooted or jailbroken devices without detection. -## Mode of Introduction +## Modes of Introduction - **Weak Architecture**: The application does not include device attestation in its security model, assuming the device environment can be trusted. - **Reliance on Weak Checks**: Instead of proper attestation, the app only performs basic root/jailbreak detection, which is easily bypassed.