-
Another item for discussion: one thing that can often help for high risk applications is to educate users not to keep the app on their phone if they don't need it and make sure you always log out. Sho…
-
Hi, one thing that could work for L4 applications is that for certain risky activities, the user should do a step-up authentication (using a mobile PIN or a fingerprint, or something else). Should th…
-
"2.1 Verify that secure credential storage facilities are used to store sensitive data, such as user credentials or cryptographic keys."
This is supposed to cover ALL sensitive data. The question …
-
https://github.com/sushi2k/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verificiation_Requirements.md#requirements
Following comments for discussion:
- 3.6: As far as I understand, Oracle Pa…
-
In the guide we created in Google Docs we also had references to CWE and the OWASP Mobile Top 10. I think we should continue this, to properly reference a common vulnerability type or weakness if o…
-
3.3: This may be necessary to interact with other applications/systems. E.g. if the application is using a (standard) protocol that uses SHA1 in some place, it wouldn't be compliant with this standard…
-
Guys, should the requirements be platform specific? IMHO they should not. For instance, I would change the following requirement and make it generic.
`9.2 On Android, verify that the release bytecod…
-
On iOS, some implementations of the software protection requirements in L3-L4 will cause issues with Apple's approval process. How do we tackle this problem?
Some ideas:
- Get details on what's allo…
-
Hello,
I was reading your requirements and I found them quite good.
I'm working on contactless payment for mobile, and we have some security requirements that imply that even the execution has to…
-
Following comment:
7.2: Does this requirement refer to local logging? If so, why should the app log detailed error messages locally? If they are stored locally they are more or less useless. If there…