OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

Android P update: Android protected confirmation #948

Open commjoen opened 5 years ago

commjoen commented 5 years ago

A new security feature, Android Protected Confirmation, has arrived in Android P. This can help with non-repudiation and the like. Time to start a write-up about it and see how we can best relate this to the (M)ASVS: https://developer.android.com/preview/features/security We can update local authentication and then see how we can formalize the reasoning for non-repudiation in both the MASVS and MSTG. Note: we will need an issue at the MASVS in which non-repudiation is covered for med/high risk transactions/actions (including privacy, financial, etc.).
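As an added illustration of the feature discussed in this thread (example code written for this page, not code from the MASTG/MASVS project or from the commenter), the block below shows the defender-side flow that gives the non-repudiation property: a Keystore key is generated with `setUserConfirmationRequired(true)`, so it can only sign data the user has seen and confirmed on the trusted UI, and `ConfirmationPrompt` is used to present the transaction. The class name `TransactionConfirmer`, the key alias, and the listener interface are assumptions; the `android.security.ConfirmationPrompt`, `ConfirmationCallback` and `KeyGenParameterSpec` APIs are the real Android 9 (API 28) ones.

```java
// Added example for this issue thread; not project code. Assumed names:
// TransactionConfirmer, KEY_ALIAS, SignedTransactionListener.
import android.content.Context;
import android.security.ConfirmationCallback;
import android.security.ConfirmationNotAvailableException;
import android.security.ConfirmationPrompt;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.concurrent.Executor;

public class TransactionConfirmer {
    // Hypothetical alias for the confirmation-bound signing key.
    private static final String KEY_ALIAS = "txn_confirm_key";

    /** One-time setup: the key refuses to sign anything the user did not confirm on the trusted UI. */
    public static void generateConfirmationBoundKey() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_SIGN)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setUserConfirmationRequired(true) // binds the key to Protected Confirmation
                .build());
        kpg.generateKeyPair();
    }

    /** Presents the transaction on the trusted UI; on confirmation, signs exactly the bytes shown. */
    public static void confirmAndSign(Context ctx, Executor executor, String promptText,
                                      byte[] extraData, SignedTransactionListener listener) {
        if (!ConfirmationPrompt.isSupported(ctx)) {
            // Older devices or devices without trusted UI: fall back to a server-side control.
            listener.onFailure("Protected Confirmation not available on this device");
            return;
        }
        ConfirmationPrompt prompt = new ConfirmationPrompt.Builder(ctx)
                .setPromptText(promptText) // human-readable transaction text rendered by the trusted UI
                .setExtraData(extraData)   // opaque bytes (e.g. a server nonce) bound into the confirmed data
                .build();
        try {
            prompt.presentPrompt(executor, new ConfirmationCallback() {
                @Override
                public void onConfirmed(byte[] dataThatWasConfirmed) {
                    try {
                        // dataThatWasConfirmed is the CBOR structure the trusted UI displayed;
                        // the confirmation-bound key will only sign this exact blob.
                        listener.onSigned(dataThatWasConfirmed, sign(dataThatWasConfirmed));
                    } catch (Exception e) {
                        listener.onFailure("signing failed: " + e.getMessage());
                    }
                }
                @Override public void onDismissed() { listener.onFailure("user declined"); }
                @Override public void onCanceled() { listener.onFailure("prompt canceled"); }
                @Override public void onError(Throwable t) { listener.onFailure("prompt error: " + t); }
            });
        } catch (ConfirmationNotAvailableException e) {
            listener.onFailure("Protected Confirmation unavailable: " + e.getMessage());
        }
    }

    private static byte[] sign(byte[] confirmedData) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(KEY_ALIAS, null);
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign(key);
        sig.update(confirmedData);
        return sig.sign();
    }

    /** App-defined callback (assumed) that forwards the confirmed data and signature to the remote endpoint. */
    public interface SignedTransactionListener {
        void onSigned(byte[] confirmedData, byte[] signature);
        void onFailure(String reason);
    }
}
```

The remote endpoint should verify the signature over `dataThatWasConfirmed` with the public key obtained at enrollment, check that the server nonce it issued is present in the extra data, and, via key attestation, confirm that the key is actually confirmation-bound; without that last check an attacker who controls the app process could substitute an ordinary key, and the client-side confirmation adds no evidentiary value.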

commjoen commented 4 years ago

Can be derived at `| **4.10** | MSTG‑AUTH‑10 | Sensitive transactions require step-up authentication. | | ✓ |`, but misses actual non-repudiation: see https://github.com/OWASP/owasp-masvs/issues/286

commjoen commented 4 years ago

As OWASP/owasp-masvs#286 is closed: let's have a look at protected confirmation to see if it makes sense to be part of something; otherwise close.

cpholguera commented 4 years ago

Actually maybe we can relate here to:

| **4.10** | MSTG‑AUTH‑10 | Sensitive transactions require step-up authentication. | | ✓ |

and change it to be:

| **4.10** | MSTG‑AUTH‑10 | Sensitive transactions are properly confirmed at the client side (using at least security features offered by the OS) and authenticated at the remote endpoint (step-up authentication). | | ✓ |

or shorter:

| **4.10** | MSTG‑AUTH‑10 | Sensitive transactions are properly secured between the client and the remote endpoint. | | ✓ |

In the MSTG explain: