OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

Slow down attacks on Android keystore via side channel attacks MSTG-STORAGE-14 #1201

Open sushi2k opened 5 years ago

sushi2k commented 5 years ago

Describe the issue: Mitigating steps to address a new attack from NCC against Qualcomm-backed key stores should be added to the MSTG.

https://www.nccgroup.trust/us/our-research/private-key-extraction-qualcomm-keystore/

commjoen commented 4 years ago

There are no mitigating steps apparently: only "upgrade your device"? If it only leaks ECDSA, we could recommend, for older devices that might not have been patched, to not use ECDSA keys?

sushi2k commented 4 years ago

Let's use this as an example when describing MSTG-STORAGE-14 in the MSTG, to demonstrate this as a defense-in-depth requirement: "Android developers who use the keystore in their applications can also take advantage of the user authentication requirements and key attestation offered by the keystore." Including your suggestion to consider not using ECDSA on older devices due to this issue.

commjoen commented 4 years ago

Maybe we can extend this issue with the take-aways from https://android-developers.googleblog.com/2019/09/trust-but-verify-attestation-with.html?m=1 ?
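Added example (not code from the issue thread or the MASTG project) showing the defense-in-depth settings the comments above describe: a keystore key bound to user authentication, generated with an attestation challenge so the certificate chain can be verified server-side, and RSA instead of EC on devices below an assumed SDK level. The `ECDSA_SAFE_MIN_SDK` threshold is a placeholder, since the thread names no specific patch level.

```java
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.Certificate;

public final class HardenedKeystoreKey {

    // ASSUMPTION / PLACEHOLDER: the thread gives no exact patch level, so the SDK
    // level below which EC keys are avoided must come from your own device policy.
    static final int ECDSA_SAFE_MIN_SDK = Build.VERSION_CODES.Q;

    /** Generates a signing key in AndroidKeyStore and returns its attestation chain
     *  (leaf attestation certificate up to the root) for the backend to verify. */
    public static Certificate[] generate(String alias, byte[] serverChallenge) throws Exception {
        boolean useEc = Build.VERSION.SDK_INT >= ECDSA_SAFE_MIN_SDK;
        String algorithm = useEc ? KeyProperties.KEY_ALGORITHM_EC : KeyProperties.KEY_ALGORITHM_RSA;

        KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(
                alias, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setDigests(KeyProperties.DIGEST_SHA256)
                // Key is unusable until the user authenticates (credential or biometric).
                .setUserAuthenticationRequired(true)
                // Server-supplied nonce baked into the attestation certificate (API 24+),
                // so a replayed chain from another device or session is detectable.
                .setAttestationChallenge(serverChallenge);
        if (!useEc) {
            builder.setKeySize(2048)
                   .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PSS);
        }

        KeyPairGenerator kpg = KeyPairGenerator.getInstance(algorithm, "AndroidKeyStore");
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            // Prefer a dedicated secure element; fall back to the TEE if none is present.
            try {
                kpg.initialize(builder.setIsStrongBoxBacked(true).build());
                kpg.generateKeyPair();
            } catch (StrongBoxUnavailableException e) {
                kpg.initialize(builder.setIsStrongBoxBacked(false).build());
                kpg.generateKeyPair();
            }
        } else {
            kpg.initialize(builder.build());
            kpg.generateKeyPair();
        }

        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        return ks.getCertificateChain(alias);
    }
}
```

The returned chain is only meaningful once the backend validates it against the attestation root and checks the challenge, security level and key properties in the attestation extension; the client must not trust its own attestation.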