OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

iOS and Android: improve platform interaction on notifications #1163

Open commjoen opened 5 years ago

commjoen commented 5 years ago

One thing we might want to add to the MSTG is that we should, optionally, try to limit the information shared through notifications when they have high confidentiality.

commjoen commented 5 years ago

https://developer.apple.com/notifications/

commjoen commented 5 years ago

@sushi2k : I guess we can do the same for Android, right?

sushi2k commented 5 years ago

Definitely worth mentioning it and describing how to test for it. I also just thought 0x05h and 0x06h are the best place for it, but which MASVS requirement does it touch? Nothing in V6: Platform Interaction Requirements covers it actually https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md. Need to think about which requirement it is related to.

Maybe this might be best? 2.7 No sensitive data, such as passwords or pins, is exposed through the user interface.

commjoen commented 5 years ago

I guess so :) , that sounds like a good requirement to base it on :)

commjoen commented 5 years ago

And do the same for Android in this ticket :).

cpholguera commented 4 years ago

Some refs:

cpholguera commented 4 years ago

Will be assigned to @0x10f2c (still has to be invited)

0x10f2c commented 3 years ago

Hi all, so this got solved on the Android side; I guess the discussion now is if this should be done for the iOS side or not.

On the iOS side each notification is treated as private to the originating app. I guess we could still mention that sensitive information shouldn't be in notifications anyway as someone could see it on the lock screen assuming notifications are not hidden?

Happy to hear some thoughts and action this.
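As an added example that is not part of this thread or of the MASTG itself, the Android-side mitigation the thread refers to: a notification that exposes a one-time code on the lock screen, next to one that redacts it until the device is unlocked. The channel id, strings and function names are assumptions made for the example.

```kotlin
// Added example (not from the issue thread or the MASTG). Channel id, strings and
// function names are assumptions; the APIs are the standard AndroidX/platform ones.
import android.app.Notification
import android.app.NotificationChannel
import android.app.NotificationManager
import android.content.Context
import androidx.core.app.NotificationCompat

const val CHANNEL_ID = "login_codes" // constructed channel id for this example

// Weak: default visibility, so the full text (including the code) is rendered on the
// lock screen unless the user has restricted notification content device-wide.
fun buildLeakyNotification(ctx: Context, code: String): Notification =
    NotificationCompat.Builder(ctx, CHANNEL_ID)
        .setSmallIcon(android.R.drawable.ic_dialog_info)
        .setContentTitle("Your login code")
        .setContentText("Use code $code to sign in") // sensitive value exposed
        .build()

// Hardened: the lock screen only ever shows the redacted public version; the version
// carrying the code is shown once the device has been unlocked.
fun buildRedactedNotification(ctx: Context, code: String): Notification {
    val publicVersion = NotificationCompat.Builder(ctx, CHANNEL_ID)
        .setSmallIcon(android.R.drawable.ic_dialog_info)
        .setContentTitle("New login code")
        .setContentText("Unlock to view")
        .build()
    return NotificationCompat.Builder(ctx, CHANNEL_ID)
        .setSmallIcon(android.R.drawable.ic_dialog_info)
        .setContentTitle("Your login code")
        .setContentText("Use code $code to sign in")
        .setVisibility(NotificationCompat.VISIBILITY_PRIVATE)
        .setPublicVersion(publicVersion)
        .build()
}

// API 26+: restrict lock-screen visibility on the channel as well, so redaction does not
// depend on every call site remembering setVisibility(). The user can tighten this
// further in system settings but the app can set the baseline before the channel exists.
fun createPrivateChannel(ctx: Context) {
    val channel = NotificationChannel(CHANNEL_ID, "Login codes", NotificationManager.IMPORTANCE_HIGH)
    channel.lockscreenVisibility = Notification.VISIBILITY_PRIVATE
    ctx.getSystemService(NotificationManager::class.java).createNotificationChannel(channel)
}
```

When reviewing an app for this, the things to look for are the absence of `setVisibility(VISIBILITY_PRIVATE)`/`setPublicVersion` on notifications that carry secrets and channels created without a restricted `lockscreenVisibility`.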