OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

Android Nearby Connections API #2044

Open cpholguera opened 2 years ago

cpholguera commented 2 years ago

Nearby Connections is a peer-to-peer networking API that allows apps to easily discover, connect to, and exchange data with nearby devices in real-time, regardless of network connectivity.

We don’t recommend sending messages back and forth using the Nearby server (even though it’s possible). First, the messages are not encrypted and you shouldn’t publish sensitive information through the Nearby Server. Instead, once you verify close physical proximity through the Nearby APIs, you can transition to something like Firebase Cloud Messaging (FCM) to continue the communication.

https://medium.com/androiddevelopers/better-physical-stories-with-googles-nearby-apis-280be707bbf9

Caution: While authentication is optional, connections established without authentication are insecure, and can expose devices to severe security vulnerabilities. To avoid this, always use authentication to secure your connections.

https://developers.google.com/nearby/connections/android/manage-connections

[•••] connection requests are delivered to ConnectionLifecycleCallback#onConnectionInitiated(). [•••] The connection shown in the preceding snippet is accepted automatically, but you should take further precautions when sharing sensitive data. The API provides a unique token per connection through the ConnectionInfo object of onConnectionInitiated(String endpointId, ConnectionInfo info). You may obtain the token from info.getAuthenticationDigits(). We recommend displaying the tokens to both users, so they can visually confirm they are equal. If visual confirmation isn’t feasible because the users cannot see each other’s screens, you can have one device encrypt the raw token, send it to the other device for decryption and comparison before you start sharing the sensitive content. [•••] While the two devices are connected, they can send content to each other through the sendPayload() method call and the onPayloadReceived() callback. A Payload can be anything your users want to share: streams, files, music, videos, photos, text, etc.

https://medium.com/androiddevelopers/two-way-communication-without-internet-nearby-connections-b118530cb84d
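As an added example (not code from the issue, the quoted articles, or the MASTG), the pattern the quoted docs describe: instead of accepting the connection automatically in `onConnectionInitiated`, surface `info.authenticationDigits` to the user and only call `acceptConnection` once they confirm it matches the token shown on the peer device. `showConfirmation` is an assumed app-side helper that renders the token and returns the user's decision.

```kotlin
import android.content.Context
import com.google.android.gms.nearby.Nearby
import com.google.android.gms.nearby.connection.ConnectionInfo
import com.google.android.gms.nearby.connection.ConnectionLifecycleCallback
import com.google.android.gms.nearby.connection.ConnectionResolution
import com.google.android.gms.nearby.connection.ConnectionsStatusCodes
import com.google.android.gms.nearby.connection.Payload
import com.google.android.gms.nearby.connection.PayloadCallback
import com.google.android.gms.nearby.connection.PayloadTransferUpdate

// Added example: authenticated acceptance of a Nearby connection.
// showConfirmation is an assumed app-side helper that displays the
// endpoint name and token and invokes onDecision with the user's answer.
class AuthenticatedConnectionCallback(
    context: Context,
    private val showConfirmation: (endpointName: String, digits: String, onDecision: (Boolean) -> Unit) -> Unit
) : ConnectionLifecycleCallback() {

    private val client = Nearby.getConnectionsClient(context)

    private val payloadCallback = object : PayloadCallback() {
        override fun onPayloadReceived(endpointId: String, payload: Payload) {
            // Only reached for connections the user explicitly confirmed.
            val bytes = payload.asBytes() ?: return
            // handle bytes ...
        }
        override fun onPayloadTransferUpdate(endpointId: String, update: PayloadTransferUpdate) {}
    }

    override fun onConnectionInitiated(endpointId: String, info: ConnectionInfo) {
        // Do NOT accept automatically: show the per-connection token so both
        // users can check it is identical on the other screen.
        showConfirmation(info.endpointName, info.authenticationDigits) { matches ->
            if (matches) {
                client.acceptConnection(endpointId, payloadCallback)
            } else {
                client.rejectConnection(endpointId)
            }
        }
    }

    override fun onConnectionResult(endpointId: String, result: ConnectionResolution) {
        when (result.status.statusCode) {
            ConnectionsStatusCodes.STATUS_OK -> { /* both sides accepted; sendPayload is now safe */ }
            ConnectionsStatusCodes.STATUS_CONNECTION_REJECTED -> { /* peer or user declined */ }
            else -> { /* connection error; do not retry with auto-accept */ }
        }
    }

    override fun onDisconnected(endpointId: String) {}
}
```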

su-vikas commented 1 year ago

I will have a look at this. Let me know where the content should go.

cpholguera commented 1 year ago

Thanks @su-vikas, this should go in https://mas.owasp.org/MASTG/Android/0x05g-Testing-Network-Communication/

Please consider putting theory in the general "Overview" section and writing a test covering MSTG-NETWORK-1 (it doesn't make 100% sense according to MASVS 1.4.2 but in 2.0 this will go into MASVS-NETWORK-1)