bmt 0.9.0 → 0.10.0

data/lib/data/0.10/methodologies/mobile_ios.json

@@ -0,0 +1,438 @@
+{
+  "metadata": {
+    "title": "iOS",
+    "release_date": "2025-11-19T00:00:00+00:00",
+    "description": "Bugcrowd iOS testing methodology",
+    "vrt_version": "1.17"
+  },
+  "content": {
+    "steps": [
+      {
+        "key": "architecture_design_and_threat_modelling",
+        "title": "Architecture, Design and Threat Modelling",
+        "description": "",
+        "type": "checklist",
+        "items": [
+          {
+            "key": "search_engine_discovery",
+            "title": "Conduct Search Engine Discovery and Reconnaissance for Information Leakage",
+            "description": "Identify all the endpoints and domains used in the application. Search for network diagrams, source code, configurations, privileged credentials, and error messages.",
+            "caption": "",
+            "tools": "Google Dorking, Manual Review, Static analysis using MobSF, jadx, Hopper",
+            "references": "https://mas.owasp.org/checklists/"
+          },
+          {
+            "key": "server_fingerprinting",
+            "title": "Fingerprint Servers and Endpoints Used by the Target Application",
+            "description": "Find the version and type of running server/endpoint to determine known vulnerabilities and the appropriate exploits (relevant for non-HTTP services as well).",
+            "caption": "",
+            "tools": "Manual Review",
+            "references": "https://mas.owasp.org/checklists/"
+          },
+          {
+            "key": "third_party_library_identification",
+            "title": "Determine Third Party Libraries Included in the Application",
+            "description": "Identify and fingerprint third-party libraries included embedded into the application package, checking for known vulnerabilities (CVEs) and ensuring they are recent versions. OS libraries are out of scope.",
+            "caption": "",
+            "tools": "Embedded Service Review, Manual Review",
+            "references": "https://mas.owasp.org/checklists/"
+          },
+          {
+            "key": "api_endpoint_identification",
+            "title": "Identify All API Endpoints",
+            "description": "Use static analysis to discover hidden endpoints. Perform API testing during dynamic analysis.",
+            "caption": "",
+            "tools": "MobSF, jadx, Hopper",
+            "references": "https://mas.owasp.org/checklists/"
+          }
+        ]
+      },
+      {
+        "key": "data_storage_and_privacy",
+        "title": "Data Storage and Privacy",
+        "description": "",
+        "type": "checklist",
+        "items": [
+          {
+            "key": "local_storage_sensitive_data",
+            "title": "Test Local Storage for Sensitive Data",
+            "description": "Verify that sensitive data stored locally is properly protected and not exposed.",
+            "caption": "",
+            "tools": "Manual Review using ssh, ADB",
+            "references": "https://mas.owasp.org/checklists/"
+          },
+          {
+            "key": "logs_sensitive_data",
+            "title": "Test Logs for Sensitive Data",
+            "description": "Check that sensitive information is not logged or, if logged, is properly protected.",
+            "caption": "",
+            "tools": "ADB, Xcode, Manual Review",
+            "references": "https://mas.owasp.org/checklists/"
+          },
+          {
+            "key": "third_party_data_sharing",
+            "title": "Determine Whether Sensitive Data Is Shared with Third Parties via SDKs or Frameworks",
+            "description": "Assess whether sensitive data is unintentionally shared with third parties through embedded SDKs or frameworks.",
+            "caption": "",
+            "tools": "Manual Analysis",
+            "references": "https://mas.owasp.org/checklists/"
+          },
+          {
+            "key": "notification_data_sharing",
+            "title": "Determine Whether Sensitive Data Is Shared with Third Parties via Notifications",
+            "description": "Verify that sensitive data is not disclosed through notifications or is properly masked.",
+            "caption": "",
+            "tools": "Notification Analysis, Manual Review",
+            "references": "https://mas.owasp.org/checklists/"
+          },
+          {
+            "key": "keyboard_cache_disabled",
+            "title": "Determine Whether the Keyboard Cache Is Disabled for Text Input Fields",
+            "description": "Ensure that keyboard cache is disabled for input fields containing sensitive data.",
+            "caption": "",
+            "tools": "Keyboard Cache Review, Manual Analysis",
+            "references": "https://mas.owasp.org/checklists/"
+          },
+          {
+            "key": "backups_sensitive_data",
+            "title": "Test Backups for Sensitive Data",
+            "description": "Check that backups do not contain sensitive data or that such data is securely protected in backups.",
+            "caption": "",
+            "tools": "Backup Analysis Tools, Manual Review",
+            "references": "https://mas.owasp.org/checklists/"
+          },
+          {
+            "key": "memory_sensitive_data",
+            "title": "Test Memory for Sensitive Data",
+            "description": "Verify that sensitive data is not exposed in memory or is protected if it is. Note: This is only relevant for apps dealing with secrets/cipher keys and may require advanced analysis.",
+            "caption": "",
+            "tools": "Memory Analysis Tools, Manual Review",
+            "references": "https://mas.owasp.org/checklists/"
+          },
+          {
+            "key": "device_access_policy",
+            "title": "Testing the Device-Access-Security Policy",
+            "description": "Assess the security policies in place for device access and ensure they are properly enforced. Note: On iOS, the application's ability to govern the user's device configuration is limited.",
+            "caption": "",
+            "tools": "Device Security Policy Review, Manual Analysis",
+            "references": "https://mas.owasp.org/checklists/"
+          }
+        ]
+      },
+      {
+        "key": "cryptography",
+        "title": "Cryptography",
+        "description": "",
+        "type": "checklist",
+        "items": [
+          {
+            "key": "symmetric_crypto",
+            "title": "Test Symmetric Cryptography",
+            "description": "Verify that symmetric cryptographic algorithms used in the app are secure and implemented correctly.",
+            "caption": "",
+            "tools": "Cryptography Analysis Tools, Manual Review",
+            "references": "https://mas.owasp.org/checklists/"
+          },
+          {
+            "key": "crypto_algorithm_configuration",
+            "title": "Review the Configuration of Cryptographic Standard Algorithms",
+            "description": "Ensure that cryptographic standard algorithms are configured according to industry best practices.",
+            "caption": "",
+            "tools": "Configuration Review Tools, Manual Analysis",
+            "references": "https://mas.owasp.org/checklists/"
+          },
+          {
+            "key": "random_number_generation",
+            "title": "Test Random Number Generation",
+            "description": "Verify that any random number generation used for cryptographic purposes (e.g., key generation, nonce creation, tokens) relies on secure system-provided APIs or other approved cryptographic random functions. This check does not apply to non-cryptographic randomness (e.g. UI effects, game logic, shuffling, etc.).",
+            "caption": "",
+            "tools": "Random Number Generators, Manual Review",
+            "references": "https://mas.owasp.org/checklists/"
+          },
+          {
+            "key": "key_usage_purposes",
+            "title": "Verify the Purposes of Keys",
+            "description": "Verify that cryptographic keys are used for their intended purposes and are managed properly.",
+            "caption": "",
+            "tools": "Key Management Tools, Manual Review",
+            "references": "https://mas.owasp.org/checklists/"
+          },
+          {
+            "key": "key_reuse",
+            "title": "Test for Cryptographic Key Reuse",
+            "description": "Ensure that high-security cryptographic keys (e.g., wallet keys) are not reused for low-security cipher tasks.",
+            "caption": "",
+            "tools": "Key Management Tools, Manual Review",
+            "references": "https://mas.owasp.org/checklists/"
+          }
+        ]
+      },
+      {
+        "key": "authentication_and_session_management",
+        "title": "Authentication and Session Management",
+        "description": "",
+        "type": "checklist",
+        "items": [
+          {
+            "key": "remote_service_authentication",
+            "title": "Test Remote Service Authentication",
+            "description": "If the app provides users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint.",
+            "caption": ""
+          },
+          {
+            "key": "secure_session_token_generation",
+            "title": "Test for Secure Session and Token Generation",
+            "description": "Validate that both stateful session identifiers and stateless tokens are securely generated (e.g., randomly generated, signed with a secure algorithm) by the remote endpoint.",
+            "caption": ""
+          },
+          {
+            "key": "remote_endpoint_terminate",
+            "title": "Ensure the Remote Endpoint Terminates Session on Log Out",
+            "description": "The remote endpoint terminates the existing session when the user logs out. Beware potential external provider limitations (e.g., cloud services) where sessions may not immediately terminate and may be out of the clients control",
+            "caption": ""
+          },
+          {
+            "key": "password_policy_exists",
+            "title": "Review Password Policy",
+            "description": "A password policy exists and is enforced at the remote endpoint.",
+            "caption": ""
+          },
+          {
+            "key": "remote_endpoint_implementation_mechanism",
+            "title": "Test Login Functionality Against Brute-Force Attacks",
+            "description": "The remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times. Check for rate-limiting, WAF implementation, or similar mechanisms",
+            "caption": ""
+          },
+          {
+            "key": "session_invalidated_at_remote_endpoint",
+            "title": "Test Session Timeout",
+            "description": "Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire. This should be applied based on the usage context of the application (e.g. apps handling highly sensitive data such as banking apps should have a much shorter timeout compared to a social media app).",
+            "caption": ""
+          },
+          {
+            "key": "biometric_authentication",
+            "title": "Review Biometric Authentication",
+            "description": "Biometric authentication, if any, is not event-bound (i.e. using an API that simply returns true or false). Instead, it is based on unlocking the keychain/keystore.",
+            "caption": ""
+          },
+          {
+            "key": "second_factor_authentication",
+            "title": "Test Multifactor Authentication",
+            "description": "Check whether a secure method of multi-factor authentication is available and enforced where relevant (apps dealing with highly sensitive data)",
+            "caption": ""
+          },
+          {
+            "key": "sensitive_transaction_setup_authentication",
+            "title": "Review Sensitive Transactions",
+            "description": "Sensitive transactions require step-up authentication.",
+            "caption": ""
+          },
+          {
+            "key": "inform_user_login_activities",
+            "title": "Ensure Login Activity Functionality Exists",
+            "description": "The app informs the user of all login activities with their account. Users are able view a list of devices used to access the account, and to block specific devices. This check is primarily focused on apps dealing with personal/sensitive data",
+            "caption": ""
+          }
+        ]
+      },
+      {
+        "key": "network_communication",
+        "title": "Network Communication",
+        "description": "",
+        "type": "checklist",
+        "items": [
+          {
+            "key": "data_encryption_on_network",
+            "title": "Test for Encrypted Communicatons",
+            "description": "Data is encrypted on the network using TLS. The secure channel is used consistently throughout the app.",
+            "caption": ""
+          },
+          {
+            "key": "tls_settings_best_practices",
+            "title": "Review TLS Settings",
+            "description": "The TLS settings are in line with current best practices, or as close as possible if the mobile operating system does not support the recommended standards.",
+            "caption": ""
+          },
+          {
+            "key": "remote_endpoint_certificate",
+            "title": "Review Certificates",
+            "description": "The app verifies the X.509 certificate of the remote endpoint when the secure channel is established. Only certificates signed by a trusted CA are accepted.",
+            "caption": ""
+          },
+          {
+            "key": "app_certification",
+            "title": "Analyze Certificate Verification",
+            "description": "The app either uses its own certificate store, or pins the endpoint certificate or public key, and subsequently does not establish connections with endpoints that offer a different certificate or key, even if signed by a trusted CA.",
+            "caption": ""
+          },
+          {
+            "key": "insecure_communication_channel",
+            "title": "Test for Insecure Communication Channels",
+            "description": "The app doesnt rely on a single insecure communication channel (email or SMS) for critical operations, such as enrollments and account recovery. This is highly dependent on the use-case of the application, primarily applicable to applications handling sensitive or personal information",
+            "caption": ""
+          },
+          {
+            "key": "app_dependency_on_connectivity_and_library",
+            "title": "Check App Connectivity and Security Libraries",
+            "description": "The app only depends on up-to-date connectivity and security libraries. On iOS, this is almost always the case.",
+            "caption": ""
+          },
+          {
+            "key": "secure_update_channel",
+            "title": "Validate Secure Update Channels",
+            "description": "Ensure that in-app updates are downloaded over secure, authenticated channels and verified for integrity (e.g., signature checks). This is only relevant in very limited cases, such as when the an app is enterprise-distributed or apps that download executable content to run in interpreted environments (e.g. Javascript in a webview, Lua scripts). In these cases, the integrity and authenticity of these downloads should be reviewed.",
+            "caption": "",
+            "tools": "Burp Suite, Charles Proxy, Traffic Inspection",
+            "references": "https://mas.owasp.org/checklists/"
+          }
+        ]
+      },
+      {
+        "key": "platform_interaction",
+        "title": "Platform Interaction",
+        "description": "",
+        "type": "checklist",
+        "items": [
+          {
+            "key": "minimum_set_of_permission",
+            "title": "Review App Permissions",
+            "description": "The app only requests the minimum set of permissions necessary.",
+            "caption": ""
+          },
+          {
+            "key": "external_source_input_validation",
+            "title": "Test Input Validation",
+            "description": "All inputs from external sources and the user are validated and if necessary sanitized. This includes data received via the UI, IPC mechanisms such as intents, custom URLs, and network sources.",
+            "caption": ""
+          },
+          {
+            "key": "sensitive_functionality_via_url_schemes",
+            "title": "Review URL Scheme Implementations",
+            "description": "The app does not export sensitive functionality via custom URL schemes, unless these mechanisms are properly protected.",
+            "caption": ""
+          },
+          {
+            "key": "export_sensitive_functionality_through_ipc",
+            "title": "Review IPC Implementations",
+            "description": "The app does not export sensitive functionality through IPC facilities, unless these mechanisms are properly protected.",
+            "caption": ""
+          },
+          {
+            "key": "javascript_disabled",
+            "title": "Test Javascript in WebViews",
+            "description": "JavaScript is disabled in WebViews unless explicitly required.",
+            "caption": ""
+          },
+          {
+            "key": "webview_minimum_set_of_protocol_handlers",
+            "title": "Review WebView Protocol Handler Configuration",
+            "description": "WebViews are configured to allow only the minimum set of protocol handlers required (ideally, only https is supported). Potentially dangerous handlers, such as file, tel and app-id, are disabled.",
+            "caption": ""
+          },
+          {
+            "key": "webview_within_app_javascript_render",
+            "title": "Validate Secure WebView JavaScript-to-Native Interactions",
+            "description": "If native methods of the app are exposed to a WebView, verify that the WebView only renders JavaScript contained within the app package.",
+            "caption": ""
+          },
+          {
+            "key": "object_deserialization",
+            "title": "Review Object Deserialization",
+            "description": "Object deserialization, if any, is implemented using safe serialization APIs.",
+            "caption": ""
+          },
+          {
+            "key": "runtime_permission_enforcement",
+            "title": "Analyze Runtime Permission Enforcement",
+            "description": "Compare declared permissions with those used at runtime to detect excessive privilege or permission abuse.",
+            "caption": "",
+            "tools": "Runtime Analysis Tools, Logcat Monitoring",
+            "references": "https://mas.owasp.org/checklists/"
+          },
+          {
+            "key": "jailbreak_root_policy_enforcement",
+            "title": "Test Jailbreak/Root Policy Enforcement",
+            "description": "Ensure that the application not only detects rooted/jailbroken devices but also enforces security restrictions accordingly.",
+            "caption": "",
+            "tools": "Magisk, Frida, RootBeer, Manual Review",
+            "references": "https://mas.owasp.org/checklists/"
+          },
+          {
+            "key": "security_controls_error_handling",
+            "title": "Review Error Handling",
+            "description": "Error handling logic in security controls denies access by default",
+            "caption": ""
+          }
+        ]
+      },
+      {
+        "key": "code_quality_and_build_settings",
+        "title": "Code Quality and Build Settings",
+        "description": "",
+        "type": "checklist",
+        "items": [
+          {
+            "key": "valid_certificate_sign",
+            "title": "Review App Signing Certificate",
+            "description": "The app is signed and provisioned with a valid certificate, and the private key is properly protected.",
+            "caption": ""
+          },
+          {
+            "key": "built_in_release_mode",
+            "title": "Verify App is Built in Release Mode",
+            "description": "The app has been built in release mode, with settings appropriate for a release build (e.g. non-debuggable).",
+            "caption": ""
+          },
+          {
+            "key": "debugging_symbol",
+            "title": "Check for Left Over Debugging Symbols",
+            "description": "Debugging symbols should have been removed from native binaries.",
+            "caption": ""
+          },
+          {
+            "key": "debugging_and_verbose_errors",
+            "title": "Check for Left Over Debug Code",
+            "description": "Debugging code should have been removed, and the app does not log verbose errors or debugging messages.",
+            "caption": ""
+          },
+          {
+            "key": "third_party_vulnerability_check",
+            "title": "Review Third-Party Components For Known Vulnerabilities",
+            "description": "All third-party components used by the mobile app, such as libraries and frameworks, are identified, and checked for known vulnerabilities.",
+            "caption": ""
+          },
+          {
+            "key": "exception_handling",
+            "title": "Review Exception Handling",
+            "description": "The app catches and handles possible exceptions.",
+            "caption": ""
+          },
+          {
+            "key": "memory_allocation",
+            "title": "Review Memory Allocation",
+            "description": "In unmanaged code, memory is allocated, freed and used securely.",
+            "caption": ""
+          },
+          {
+            "key": "free_security_features_offered_by_toolchain",
+            "title": "Ensure All Offered Security Features are Activated",
+            "description": "Free security features offered by the toolchain, such as byte-code minification, stack protection, PIE support and automatic reference counting, are activated.",
+            "caption": ""
+          }
+        ]
+      },
+      {
+        "key": "upload_logs",
+        "title": "Upload logs",
+        "description": "This should include all associated traffic associated to the in-scope targets.",
+        "type": "large_upload"
+      },
+      {
+        "key": "executive_summary",
+        "title": "Executive summary",
+        "description": "The executive summary should be written with a high-level view of both risk and business impact. It should be concise and clear, therefore it is important to use plain English. This ensures that non-technical readers can gain insight into security concerns outlined in your report.",
+        "type": "executive_summary"
+      }
+    ]
+  }
+}

metadata

@@ -1,17 +1,17 @@
 --- !ruby/object:Gem::Specification
 name: bmt
 version: !ruby/object:Gem::Version
-  version: 0.9.0
+  version: 0.10.0
 platform: ruby
 authors:
 - Federico Tagliabue
 - Andy White
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2025-09-15 00:00:00.000000000 Z
+date: 2026-02-18 00:00:00.000000000 Z
 dependencies: []
-description:
+description: 
 email:
 - federico.tagliabue@bugcrowd.com
 - arcwhite@arcwhite.org
@@ -24,33 +24,23 @@ files:
 - lib/bmt/methodology.rb
 - lib/bmt/step.rb
 - lib/bmt/version.rb
-- lib/data/0.1/mappings/templates.json
-- lib/data/0.1/mappings/templates.schema.json
-- lib/data/0.1/methodologies/active_directory.json
-- lib/data/0.1/methodologies/ai_llm.json
-- lib/data/0.1/methodologies/api_testing.json
-- lib/data/0.1/methodologies/binaries.json
-- lib/data/0.1/methodologies/internal_network.json
-- lib/data/0.1/methodologies/mobile_android.json
-- lib/data/0.1/methodologies/mobile_ios.json
-- lib/data/0.1/methodologies/network.json
-- lib/data/0.1/methodologies/template.json
-- lib/data/0.1/methodologies/website_testing.json
-- lib/data/0.1/schema.json
-- lib/data/0.9/mappings/templates.json
-- lib/data/0.9/mappings/templates.schema.json
-- lib/data/0.9/methodologies/active_directory.json
-- lib/data/0.9/methodologies/ai_llm.json
-- lib/data/0.9/methodologies/api_testing.json
-- lib/data/0.9/methodologies/binaries.json
-- lib/data/0.9/methodologies/hardware_testing.json
-- lib/data/0.9/methodologies/internal_network.json
-- lib/data/0.9/methodologies/mobile_android.json
-- lib/data/0.9/methodologies/mobile_ios.json
-- lib/data/0.9/methodologies/network.json
-- lib/data/0.9/methodologies/template.json
-- lib/data/0.9/methodologies/website_testing.json
-- lib/data/0.9/schema.json
+- lib/data/0.10/mappings/templates.json
+- lib/data/0.10/mappings/templates.schema.json
+- lib/data/0.10/methodologies/active_directory.json
+- lib/data/0.10/methodologies/ai_llm.json
+- lib/data/0.10/methodologies/api_testing.json
+- lib/data/0.10/methodologies/binaries.json
+- lib/data/0.10/methodologies/cloud_config_aws.json
+- lib/data/0.10/methodologies/cloud_config_azure.json
+- lib/data/0.10/methodologies/cloud_config_gcp.json
+- lib/data/0.10/methodologies/hardware_testing.json
+- lib/data/0.10/methodologies/internal_network.json
+- lib/data/0.10/methodologies/mobile_android.json
+- lib/data/0.10/methodologies/mobile_ios.json
+- lib/data/0.10/methodologies/network.json
+- lib/data/0.10/methodologies/template.json
+- lib/data/0.10/methodologies/website_testing.json
+- lib/data/0.10/schema.json
 homepage: https://github.com/bugcrowd/bmt-ruby
 licenses:
 - MIT
@@ -60,7 +50,7 @@ metadata:
   source_code_uri: https://github.com/bugcrowd/bmt-ruby
   bug_tracker_uri: https://github.com/bugcrowd/bmt-ruby/issues
   rubygems_mfa_required: 'true'
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -75,8 +65,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.3
-signing_key:
+rubygems_version: 3.0.3.1
+signing_key: 
 specification_version: 4
 summary: Ruby wrapper for Bugcrowd's Methodology Taxonomy
 test_files: []