OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

[Phase 1] Refactor 0x06f-Testing-Local-Authentication.md #2222

Closed cpholguera closed 1 year ago

cpholguera commented 2 years ago
  1. Go through each test case (1 MR per chapter)

  2. Extract any general information and put it in the theory overview

    • Each chapter must have a “## Overview” section and then several “## Testing …(MSTG-XXX-YY)” sections

    • Strategy 1: move theory to chapter overview

    • Strategy 2: move theory to general chapter overview

  3. Only leave a test description on each test (see notes)

Notes:

AndreMCCarvalho commented 2 years ago

I was wondering about the scope of MASTG-AUTH-7: I think the dynamic analysis approach is quite good and very realistic; however, for the static analysis I'm not sure if it fits the mobile aspect of the guide. The frameworks mentioned are usually used as backends, and as far as I know OWASP has a security guide dedicated to backends. This seems to be a bit of a stretch for a mobile guide. The only scenario in which I think it could be used is to ensure the app is setting a timeout for the token in case the authentication backend allows such configuration. Opinions?

cpholguera commented 2 years ago

We completely agree, @AndreMCCarvalho, and that's why we will be updating this chapter after the MASVS Refactoring. Are you aware of that? I'd recommend taking a look at it; this is the one for the MASVS-AUTH category:

https://github.com/OWASP/owasp-masvs/discussions/649

If you also open the linked spreadsheet, you'll see all the details and draft for new tests (titles only). These should all be mobile only.

Thank you!