Port MASTG-TEST-0056 to v2: Determining Whether Sensitive Data Is Exposed via IPC Mechanisms (ios)

[Copilot]

This PR no longer introduces a new MASTG v2 test for iOS IPC. Based on review feedback, the previous draft test coverage was considered insufficient, so the scope was adjusted to focus on theory and best-practice guidance for iOS IPC, while deferring new v2 tests to follow-up work for specific IPC mechanisms.

• No new v2 test added

  • The previously drafted tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x56.md was removed.

• No new demo added

  • The previously drafted demos/ios/MASVS-PLATFORM/MASTG-DEMO-0x56/ content was removed.

• Theory and guidance coverage retained/expanded

  • IPC background is covered through the iOS IPC knowledge pages (including existing and newly added IPC-focused knowledge content in this branch).
  • Best-practice guidance is provided in best-practices/MASTG-BEST-0x56.md, with cross-links aligned to current knowledge entries and without linking to removed draft test IDs.

• v1 deprecation update (tests/ios/MASVS-PLATFORM/MASTG-TEST-0056.md)

  • Keeps the test deprecated and updates deprecation metadata to reflect the current status:
    • status: deprecated
    • covered_by: []
    • deprecation_note explains that existing content was insufficient for direct porting and that new focused MASTG v2 tests will be created later for relevant IPC parts.

[cpholguera]

@copilot Ensure you followed the relevant instructions in .gitHub/instructions for porting and creation (for example you didn't use fake IDs and you didn't deprecate the old test)

[Copilot]

@copilot Ensure you followed the relevant instructions in .gitHub/instructions for porting and creation (for example you didn't use fake IDs and you didn't deprecate the old test)

Addressed in commit 6f54d9c.

I switched all newly added porting artifacts to fake IDs (MASTG-TEST-0x56, MASTG-DEMO-0x56, MASTG-KNOW-0x56, MASTG-BEST-0x56) and updated cross-references accordingly. I also deprecated the v1 test at tests/ios/MASVS-PLATFORM/MASTG-TEST-0056.md with status: deprecated, covered_by: [MASTG-TEST-0x56], and deprecation_note.

No UI changes were made in this PR, so no screenshot applies.

[cpholguera]

@copilot Check the latest changes in their PR and update the description. For now, we're not going to create new tests since they were insufficient. Instead, we will cover the relevant theory and best practices, and create new tests for the relevant parts in MASTG v2.

[Copilot]

@copilot Check the latest changes in their PR and update the description. For now, we're not going to create new tests since they were insufficient. Instead, we will cover the relevant theory and best...

Updated to match the latest PR scope.

The branch now reflects documentation-first coverage (theory + best practices) and no new v2 test/demo for this item right now. I also aligned best-practices/MASTG-BEST-0x56.md to remove links to removed draft IDs in commit 0ae961b.

No UI changes were made, so no screenshot applies.

[ab-rizk]

nit: You might wanna remove this link IMHO, it links to Apple's forums with the IPC tag which is not very active.

[ab-rizk]

Suggested change

	iOS does not provide a general-purpose mechanism for arbitrary third-party apps to communicate directly. Instead, apps exchange data through platform-mediated channels, user actions, shared entitlements, or network interfaces.
	iOS does not provide a general-purpose mechanism for third-party apps to communicate directly. Instead, apps exchange data through platform-mediated interfaces of varying levels of abstraction.

[ab-rizk]

nit: Maybe you wanna mention least privilege and input sanitization/validation here?

[ab-rizk]

Suggested change

	When your app exchanges data across iOS IPC channels, share the minimum amount of data for the shortest time possible. Design these flows so that intercepted, persisted, logged, indexed, donated, or forwarded payloads are low value and short lived.
	When your app exchanges data across iOS IPC channels, share the minimum amount of data for the shortest time possible. Design these flows so that intercepted payloads are low value and short lived.

[ab-rizk]

As you mention below, XPC is not usable for app-to-app communication anyway but the opposite is implied in:

Do not use low-level mechanisms such as XPC, Mach ports, or CFMessagePort as general-purpose app-to-app IPC channels for unrelated third-party iOS apps.

[ab-rizk]

You might wanna mention not storing overly sensitive data like (hashed) passwords since jailbroken devices can read the keychain of any process.

[ab-rizk]

Suggested change

For URL-based handoff, such as [custom URL schemes](https://developer.apple.com/documentation/xcode/defining-a-custom-url-scheme-for-your-app) and [Universal Links](https://developer.apple.com/documentation/xcode/supporting-universal-links-in-your-app), avoid embedding long-lived secrets, tokens, credentials, or personal data in URLs. Use one-time or short-lived references and have the receiving side redeem them through an authenticated channel.

For URL-based interfaces, such as [custom URL schemes](https://developer.apple.com/documentation/xcode/defining-a-custom-url-scheme-for-your-app) and [Universal Links](https://developer.apple.com/documentation/xcode/supporting-universal-links-in-your-app), avoid embedding long-lived secrets, tokens, credentials, or personal data in URLs. Use one-time or short-lived references and have the receiving side redeem them through an authenticated channel.

[ab-rizk]

Suggested change

	## Validate All Incoming IPC Data
	## Validate All IPC Input

[ab-rizk]

Do you wanna mention BLE and NFC here? Since they're also network-based