Closed romualdszkudlarek closed 7 years ago
@xep624 we now have a project dashboard where every section goes through a "review" and "editing" step. Network Comm. Android has been flagged as "ready for review" (it's one of the very few sections that are already complete).
@b-mueller thanks for clarification! If anything should be changed here, just pls let me know.
Some Comments:
Food for thought: should we be going all out for full HTTPS on mobile also? Even if sensitive data is supposed to be sent over HTTPS, if the URLs are received from the server side initially via an HTTP connection, an sslstrip kind of attack is possible.
Dynamic analysis only talks about what tools to run. It would make more sense to differentiate between them or inform the user what to look for in the tools' output. (I assume some or most are self-explanatory and hence details were left out; then that needs to be spelled out.)
Static analysis: is this the only method? What about using something like okhttp and storing SHA-2 hashes of the cert chain in it? We are referencing this in the recommendation section; are we suggesting anything else is wrong and only this is the correct method?
The MASVS requirement we are trying to check here is V5.5: "The app doesn't rely on a single insecure communication channel (email or SMS) for critical operations, such as enrollments and account recovery." Then why are we considering email and SMS as a 2nd factor of authentication, or am I missing a point here and we only want to check that 2 different factors are used, no matter what?
Verifying the TLS Settings
Agreed. We need up-to-date recommendations as to what the actual recommended TLS settings are.
Testing Custom Certificate Stores and SSL Pinning
It's the default method. We'll need to add additional howtos for non-standard implementations such as okhttp (actually, I'm starting to see okhttp being used quite often and happen to be working on an app that uses it right now, so I can add this). In general, I don't think we demand that things must be done a particular way, if equivalent solutions exist.
Verifying that Critical Operations Use Secure Communication Channels
This is a bit of a weird requirement. The idea behind it was to require 2 extra factors to be combined for things like enrollments. E.g. when the user signs up to a banking app for the first time, they should be sent OTPs both via email and SMS to confirm their identity. Obviously this is not feasible in all cases. This will need some more discussion.
For cert pinning: https://developer.android.com/training/articles/security-config.html#CertificatePinning <- I was looking at the official documentation and this is another option suggested in it now.
@xep624 can you look into the required changes?
@anantshri thanks for your comments! Here are my replies regarding each of them:
Ad "Testing for Unencrypted Sensitive Data on the Network" - I don't get your point here. The SSLstrip attack is remediated in the cert pinning section. The point "Testing for Unencrypted Sensitive Data on the Network" should be focused only on sniffing attacks, not on breaking weak SSL configuration.
Ad "Verifying the TLS Settings" - OK, I'll add more info about the output. @b-mueller as a recommendation regarding proper TLS implementation I point to this source: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet - do you think it is not enough? What exactly would you like to add there?
Ad "Testing Custom Certificate Stores and SSL Pinning" - thanks for the link. I'll also add this method: https://developer.android.com/training/articles/security-config.html#CertificatePinning.
Ad "Verifying that Critical Operations Use Secure Communication Channels" - I understand it as: at least 2 factors should be used for critical operations, without differentiating which channel is more secure.
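An added example (not from the MSTG text or from any of the commenters) of the official Network Security Config pinning option linked above; it also covers the cleartext concern by refusing HTTP for every host, so a URL fetched over HTTP cannot downgrade later requests. The hostname, the pin values and the expiration date are placeholders:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (constructed example; referenced from the
     manifest via android:networkSecurityConfig="@xml/network_security_config") -->
<network-security-config>
    <!-- Applies to every host without its own domain-config: no cleartext at all,
         and only the system CA store is trusted (user-added CAs are ignored). -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pinning for the app's backend (placeholder hostname). -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>
        <!-- Base64 SHA-256 of the Subject Public Key Info: pin the leaf key plus a
             backup key so a planned certificate rotation does not lock users out.
             After the expiration date the pin set is no longer enforced (fails open
             to normal CA validation), which limits the blast radius of a forgotten
             rotation; set it to a date you will revisit. -->
        <pin-set expiration="2026-01-01">
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_HASH_OF_LEAF_KEY=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_HASH_OF_BACKUP_KEY=</pin>
        </pin-set>
    </domain-config>

    <!-- Honoured only when the app is debuggable: lets a tester's own CA be trusted
         for dynamic analysis without shipping that trust in the release build. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

This mechanism exists from Android 7.0 (API 24) and is enforced only for connections that go through the platform's TLS trust handling, so a custom TrustManager still needs its own check during static analysis.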
@xep624 comments below.
Regarding "Testing for Unencrypted Sensitive Data on the Network": what I meant was more of a suggestion; should we reword the document to say that, sensitive or not, all outbound / internet-bound communication should be over HTTPS?
Verifying the TLS Settings: if we add the output and how to make sense of that output, we should be good on that part. @b-mueller do you want anything more on this?
"Verifying that Critical Operations Use Secure Communication Channels": my concern was primarily that we first mark SMS and email as insecure channels and then suggest that email should be sent to them in combination. But I suppose what we are trying to get to here is that 2 insecure comms in combination can still be a bit more secure.
Hope this helps.
@romualdszkudlarek what kind of help do you need regarding this chapter?