Create new test and demos from the remainings of MASTG-TEST-0034 about sensitive data in serialized objects

[cpholguera]

Great work! It adds new knowledge to our guide. I would just make sure we don't lose anything from MASTG-TEST-0034.md we want to deprecate. E.g. the old test describes that a serialized objects might contain sensitive data. Let's add tests and demos for these.

Also let's make sure to keep HMAC/encryption for this:

There are a few generic remediation steps that you can always take:

Make sure that sensitive data has been encrypted and HMACed/signed after serialization/persistence. Evaluate the signature or HMAC before you use the data. See the chapter "Android Cryptographic APIs" for more details.
Make sure that the keys used in step 1 can't be extracted easily. The user and/or application instance should be properly authenticated/authorized to obtain the keys. See the chapter "Data Storage on Android" for more details.
Make sure that the data within the de-serialized object is carefully validated before it is actively used (e.g., no exploit of business/application logic).

Originally posted by @serek8 in #3418 (review)

[pranitaurlam]

Hi @cpholguera
I’m interested in working on this issue and would love to take it up if it’s available.
I’m happy to investigate and propose a fix.

If that sounds okay, could you please assign this issue to me?

Thanks!

[TheDauntless]

Hi @pranitaurlam!

Glad to hear you want to help out! Before we assign a ticket, we do need to verify that you have relevant mobile application security experience. Based on your profile and website, I don't immediately see any relevant projects? Can you share what kind of expertise you have in mobile security?

We are unfortunately forced to ask for this as we are being overrun with unverified AI generations which greatly reduce the quality of the project. Without existing experience, it's impossible to know if the AI is hallucinating or not.

[pranitaurlam]

Hi, thanks for explaining @TheDauntless that’s completely understandable.

I want to be transparent: I’m still building hands-on experience specifically in mobile application security, so I don’t yet have a dedicated mobile-security project to point to. However, I do have experience with secure coding practices, analyzing real codebases, and reasoning about security-relevant issues like validation, state handling, and failure cases.

I’m not relying on AI output blindly , I verify behaviour in the code and test changes locally. I’m happy to start with a small scoped task or investigation if that helps establish trust.

Thanks for your time.