Copilot AI commented Nov 16, 2025

This PR closes #2964

Description

Ports MASTG-TEST-0072 "Testing App Extensions" from v1 (MSTG-PLATFORM-4) to v2 (MASVS-PLATFORM-1), focusing on App Groups data sharing between iOS app extensions and their containing apps.

Changes

  • MASTG-TEST-0291 (static/manual): Verifies app extensions presence, inspects Info.plist for extension types and supported data types, checks App Groups entitlements, and reviews code for shared storage API usage
  • MASTG-TEST-0292 (dynamic): Runtime monitoring of shared data access via Frida hooks on UserDefaults, FileManager, and NSPersistentContainer APIs
  • MASTG-BEST-0025: Best practices for securing App Groups data (encryption, minimizing sharing, Keychain usage, file protection, integrity validation)
  • MASTG-DEMO-0068: Comprehensive demonstration showing App Groups data sharing detection with Swift code samples, configuration files (Info.plist, entitlements), static analysis script, and evaluation of sensitive data in shared storage
  • Deprecated v1 test with proper metadata pointing to new tests

Test Structure

Both tests map to MASWE-0053 (IPC/data sharing) with L1/L2 profiles, reference existing techniques (MASTG-TECH-0058, MASTG-TECH-0076, MASTG-TECH-0086), and include a prerequisite for identifying sensitive data.

Demo Structure

MASTG-DEMO-0068 provides a working example demonstrating:

  • Swift code using UserDefaults(suiteName:) and FileManager.containerURL(forSecurityApplicationGroupIdentifier:) to share data
  • Share Extension configuration showing NSExtensionPointIdentifier and NSExtensionActivationRule
  • App Groups entitlement configuration
  • Automated static analysis detecting sensitive data (emails, tokens, API keys) in shared storage
  • Complete evaluation explaining the security implications

[x] I have read the contributing guidelines.

Original prompt

This section details the original issue you should resolve

<issue_title>MASTG v1->v2 MASTG-TEST-0072: Testing App Extensions (ios)</issue_title>
<issue_description>
Create a new MASTG v2 test covering for":

Follow the guidelines
</issue_description>

<agent_instructions>While doing this task, follow the instructions in .github/instructions/porting-mastg-v1-tests-to-v2.instructions.md</agent_instructions>

Comments on the Issue (you are @copilot in this section)



Copilot AI and others added 2 commits November 16, 2025 14:03
…TEST-0292) and best practice (MASTG-BEST-0025) Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add new MASTG v2 test for app extensions" to "Port MASTG-TEST-0072: Testing App Extensions (iOS) to v2" Nov 16, 2025
Copilot AI requested a review from cpholguera November 16, 2025 14:07
Copilot finished work on behalf of cpholguera November 16, 2025 14:07
@cpholguera

@copilot please also create at least demo for this test

Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>

Copilot AI commented Nov 16, 2025

@copilot please also create at least demo for this test

Created MASTG-DEMO-0068 demonstrating App Groups data sharing detection. The demo includes:

  • Swift code sample showing insecure data sharing via shared UserDefaults and shared container
  • Configuration files (Info.plist, entitlements) for a Share Extension
  • Static analysis script detecting App Groups usage and sensitive data
  • Complete evaluation showing why the test fails

Commit: d71aaa2

Copilot finished work on behalf of cpholguera November 16, 2025 14:21
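
The static checks this PR describes (extension type and accepted data types from Info.plist, the App Groups entitlement, and shared-storage API calls in Swift code) can be sketched as follows. This is an added example, not the script from MASTG-DEMO-0068; the plists, the group ID `group.org.example.shared`, the Swift snippet and the function name `inspect_extension` are constructed for illustration.

```python
import plistlib
import re

# Constructed sample inputs (not files from the MASTG demo).
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSExtension</key><dict>
    <key>NSExtensionPointIdentifier</key><string>com.apple.share-services</string>
    <key>NSExtensionAttributes</key><dict>
      <key>NSExtensionActivationRule</key><dict>
        <key>NSExtensionActivationSupportsWebURLWithMaxCount</key><integer>1</integer>
        <key>NSExtensionActivationSupportsImageWithMaxCount</key><integer>0</integer>
      </dict>
    </dict>
  </dict>
</dict></plist>"""
ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.application-groups</key>
  <array><string>group.org.example.shared</string></array>
</dict></plist>"""
SWIFT_SOURCE = '''
let d = UserDefaults(suiteName: "group.org.example.shared")
d?.set(token, forKey: "authToken")
let url = FileManager.default.containerURL(
    forSecurityApplicationGroupIdentifier: "group.org.example.shared")
'''

# Shared-storage APIs named in the PR, capturing the group ID literal.
SHARED_APIS = re.compile(
    r'(UserDefaults\(\s*suiteName:|forSecurityApplicationGroupIdentifier:)\s*"([^"]+)"')

def inspect_extension(info_plist, entitlements, source):
    """Summarise what an extension accepts and which App Groups it shares."""
    ext = plistlib.loads(info_plist).get("NSExtension", {})
    rule = ext.get("NSExtensionAttributes", {}).get("NSExtensionActivationRule")
    if isinstance(rule, dict):
        # A key set to 0/false does not activate the extension for that type.
        accepted = sorted(k for k, v in rule.items() if v)
    else:
        accepted = [rule] if rule else []  # predicate string form of the rule
    groups = plistlib.loads(entitlements).get(
        "com.apple.security.application-groups", [])
    used = sorted({m.group(2) for m in SHARED_APIS.finditer(source)})
    return {
        "extension_point": ext.get("NSExtensionPointIdentifier"),
        "accepted_types": accepted,
        "app_groups": groups,
        "groups_used_in_code": used,
        "undeclared_groups": [g for g in used if g not in groups],
    }

if __name__ == "__main__":
    print(inspect_extension(INFO_PLIST, ENTITLEMENTS, SWIFT_SOURCE))
```

Every group listed under `groups_used_in_code` marks a storage location readable by all targets that carry the same entitlement, so those call sites are where the review for sensitive values should start.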