-
"Most attackers are look…
ghost updated
7 years ago
-
Continuing from last week:
Re 1.2: Nit: maybe "checked" instead of "tested"? I.e. I suppose it's enough to check CVE db for known vulnerabilities?
Re 1.7: Not sure if I understand this. Is this …
-
Hi,
I think Jeroen was adding the following two items in the MASVS Data Storage Chapter:
2.12 If a remote locking mechanism exists, local storage is wiped upon locking.
2.13 The app enforces …
-
The link to the MASVS Github repo is broken on https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide. It points to https://github.com/OWASP/owasp-mstg rather than https://github.com/OWAS…
-
Not sure if this is the best way to give feedback, but I figured I'd start an issue with a couple of things I noticed reading the introduction. In many cases I don't have any concrete suggestions on h…
-
(I hope you don't hate me yet)
4.2: Why do they have to be short-lived? Many large applications right now use long-lived tokens (log in once and use the application essentially forever), such as Fa…
-
I think this section is suffering from not having "sensitive data" defined. If "sensitive data" is referring to credentials only, then I guess most of the requirements make sense. If sensitive data is…
-
Could you please elaborate on this requirement?
-
Hi,
I think we are missing a requirement in "V2: Data Storage and Privacy requirements", which is to not store sensitive data in cleartext. In the first requirement we are only talking about credenti…
-
Another item for discussion: one thing that can often help for high risk applications is to educate users not to keep the app on their phone if they don't need it and make sure you always log out. Sho…