[UNDER REVIEW] 0x5d Data Classification Policy - What is sensitive information?

OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).

https://mas.owasp.org/

Creative Commons Attribution Share Alike 4.0 International

11.74k stars 2.32k forks source link

[UNDER REVIEW] 0x5d Data Classification Policy - What is sensitive information? #424

Closed sushi2k closed 7 years ago

sushi2k commented 7 years ago

-- TODO: What is sensitive information? Need to be described, ideally defined by the customer (data classification policy).

sushi2k commented 7 years ago

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04-Testing-Processes-and-Techniques.md#classification-of-data

anantshri commented 7 years ago

first 2 paragraph are a bit too dense. (too many words per line), if we can do something about it then it will be good.

sushi2k commented 7 years ago

Thanks ananthshri. Just shortened the sentences. Let me know what you think.

pmilosev commented 7 years ago

I just read the section and it looks quite OK to me - short and clear. Just wondering why there is only 'data in transit' and 'data at rest' mentioned. Shouldn't there also be 'data in use' added to the list ?

AlexCline commented 7 years ago

A few suggestions for sensitive information that is commonly used in apps:

Add 'session tokens' to the list of authentication information. Session tokens are stored in-app rather than credentials, so it's important to protect them on-device since they can be used for session fixation attacks.
Add 'device identifier' and 'location information' to the list of personally identifiable information. Pending regulations in the EU require that this information be protected, and it's easy to misuse this type of information.