OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

Cloud Storage #60

Closed muellerberndt closed 7 years ago

muellerberndt commented 7 years ago

Hi guys,

Here's an issue for discussion - see also MASVS issue #75.

OMTG-DATAST-003: Test for Sensitive Data in Cloud Storage

This only talks about backup to the cloud via the default OS facilities. However the requirement in the MASVS is "No sensitive data is synced with cloud storage", which pertains to any form of cloud storage. We should probably do two things:

  1. Make the requirement more specific in the MASVS. It doesn't make sense to forbid all kinds of cloud storage? Are we talking about third-party clouds like AWS, or about what exactly?

  2. Adapt the test case in the MSTG to fit the revised requirement.

There are a couple of other requirements that we need to review, please have a look at the remaining feedback in MASVS issue #75 as well @sushi2k @litsnarf

sushi2k commented 7 years ago

When I was adding this requirement to the MASVS I was only thinking about syncing data on the OS level, meaning backups to the Google/iOS cloud, and I still think that this should be a test case on its own.

We could simply add one word to the requirement to make it more clear:

2.3 No sensitive data is synced with platform cloud storage.

I would not extend this test case to all other kinds of cloud, as they are needed by the app to work properly and it's also more secure to store sensitive data in the cloud than on the local device. Also, checking the communication for sensitive data sent to third parties through the use of libraries is covered in:

2.4 No sensitive data is sent to third parties.

If you guys agree, I would also not change the test case in the MSTG.

I will have a detailed look in Issue 75 latest next week. Thanks

muellerberndt commented 7 years ago

As far as I can see in the test case this only pertains to backup to cloud storage (through platform mechanisms). Isn't this then already covered by 2.9 - "No sensitive data is included in backups"? The test case also appears to check only for the allowBackup="true" attribute?
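As an added example, not part of this thread or of the MSTG/MASVS text, here is the kind of manifest check the comment above refers to, extended slightly beyond a literal search for allowBackup="true": because android:allowBackup defaults to true when the attribute is absent, a check that only looks for the explicit string misses the common case where the developer never set it. The script also reports whether android:fullBackupContent or android:dataExtractionRules is declared, since those are where backup exclusions live. The sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace used by every android:* attribute in AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifests (hypothetical package names, not a real app).
MANIFEST_EXPLICIT_TRUE = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.explicit">
  <application android:label="Example" android:allowBackup="true" />
</manifest>"""

MANIFEST_ABSENT = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.absent">
  <application android:label="Example" />
</manifest>"""

MANIFEST_DISABLED = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.disabled">
  <application android:label="Example" android:allowBackup="false" />
</manifest>"""

MANIFEST_WITH_RULES = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rules">
  <application android:label="Example"
               android:allowBackup="true"
               android:fullBackupContent="@xml/backup_rules"
               android:dataExtractionRules="@xml/data_extraction_rules" />
</manifest>"""


def backup_settings(manifest_xml: str) -> dict:
    """Summarise the backup-related attributes of the <application> element.

    Returns the raw allowBackup value (None when absent), the effective
    setting (absent means enabled), the declared rule files, and a short
    finding a tester can carry into the report.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")

    def android_attr(name: str):
        return app.get(f"{{{ANDROID_NS}}}{name}")

    raw = android_attr("allowBackup")
    # Absent attribute -> platform default of true.
    enabled = True if raw is None else raw.strip().lower() == "true"
    content_rules = android_attr("fullBackupContent")
    extraction_rules = android_attr("dataExtractionRules")

    if not enabled:
        finding = "backups disabled via android:allowBackup=\"false\""
    elif content_rules or extraction_rules:
        finding = ("backups enabled with exclusion rules declared; "
                   "review the rule files for sensitive paths")
    else:
        finding = ("backups enabled (explicitly or by default) with no "
                   "exclusion rules; review locally stored data for "
                   "sensitive content")

    return {
        "allowBackup_declared": raw,
        "backup_enabled": enabled,
        "fullBackupContent": content_rules,
        "dataExtractionRules": extraction_rules,
        "finding": finding,
    }


if __name__ == "__main__":
    for label, manifest in [("explicit true", MANIFEST_EXPLICIT_TRUE),
                            ("absent", MANIFEST_ABSENT),
                            ("disabled", MANIFEST_DISABLED),
                            ("with rules", MANIFEST_WITH_RULES)]:
        result = backup_settings(manifest)
        print(f"{label:14s} enabled={result['backup_enabled']} -> {result['finding']}")
```

The point of the absent-attribute branch is that a grep for allowBackup="true" reports nothing on the second manifest even though its data is backed up; the effective setting, not the literal string, is what the requirement is about.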

sushi2k commented 7 years ago

You are right. I will merge this. Makes no sense to have two separate test cases for this.

muellerberndt commented 7 years ago

Alright, so we only need the "backup" requirement then? So I'll remove this entirely from the MASVS.

sushi2k commented 7 years ago

Ok

sushi2k commented 7 years ago

Will update the MSTG test cases soon so they are aligned with MASVS. Will close this now.