OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

iOS 12: make sure you only use identifierForVendor and instanceID #1161

Closed commjoen closed 5 years ago

commjoen commented 5 years ago

Check the MSTG and make sure we only identify using: https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor

See https://developer.apple.com/documentation/devicecheck as well
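As an added illustration of the two Apple-sanctioned mechanisms named in this issue (not MASTG or OWASP code, and not something the project ships), the hypothetical `DeviceIdentity` helper below reads `identifierForVendor` and requests a DeviceCheck token, handling the cases where either is unavailable; the backend endpoint it mentions is assumed.

```swift
import UIKit
import DeviceCheck

// Hypothetical helper (added example). It exposes only the two identifiers
// Apple still sanctions for app-to-device binding: no IDFA, MAC or UDID.
enum DeviceIdentity {

    enum DeviceIdentityError: Error { case unsupported, noToken }

    /// identifierForVendor is shared by all apps from the same vendor on the
    /// device and is reset when the user removes the last of those apps.
    /// iOS may return nil shortly after boot or before first unlock, so the
    /// caller must tolerate a missing value instead of assuming a fixed ID.
    static func vendorIdentifier() -> String? {
        return UIDevice.current.identifierForVendor?.uuidString
    }

    /// DeviceCheck issues an opaque, per-device token that only Apple's
    /// servers can interpret. The app never stores or compares it; it is
    /// forwarded to the app's own backend, which queries Apple with it.
    static func deviceCheckToken(completion: @escaping (Result<Data, Error>) -> Void) {
        guard DCDevice.current.isSupported else {
            // Simulators and some hardware cannot produce a token.
            completion(.failure(DeviceIdentityError.unsupported))
            return
        }
        DCDevice.current.generateToken { token, error in
            if let token = token {
                completion(.success(token))
            } else {
                completion(.failure(error ?? DeviceIdentityError.noToken))
            }
        }
    }
}

// Usage: assemble the body for a hypothetical "register this install" request
// to the app's backend, which validates the DeviceCheck token with Apple.
DeviceIdentity.deviceCheckToken { result in
    switch result {
    case .success(let token):
        let body: [String: String] = [
            "vendorId": DeviceIdentity.vendorIdentifier() ?? "",
            "deviceCheckToken": token.base64EncodedString()
        ]
        print("would POST fields:", body.keys.sorted())
    case .failure(let error):
        print("DeviceCheck unavailable, fall back to vendorId only:", error)
    }
}
```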

commjoen commented 5 years ago

9. MSTG: Update how we cover app-device identification: Covered in the MSTG wrongly: MSTG-STORAGE-10: https://github.com/OWASP/owasp-mstg/blob/4d9938a3d767f56387fb2586886664aab89419e6/Document/0x04e-Testing-Authentication-and-Session-Management.md#testing-login-activity-and-device-blocking-mstgauth11, but we do cover instanceID and identifierForVendor in different pages. Let's make sure we open up an issue where verification is set straight with modern standards & create a requirement for V6 as jotted down by Sven

commjoen commented 5 years ago

Fixed in #1412