OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

Explain how you need to protect the signing key for releasing an app #971

Closed commjoen closed 1 year ago

commjoen commented 6 years ago

Given the update in 1.1.1 of the MASVS (regarding control 7.1), we need to extend our coverage on the MSTG when it comes to securing the signing key.

Methods could include, but should not be limited to:

cldrn commented 5 years ago

Where would this section be? I think we should definitely mention the new App Signing method hosted/managed by Google (https://support.google.com/googleplay/android-developer/answer/7384423?hl=en-GB).

commjoen commented 5 years ago

We should! 0x5a and 0x6a

commjoen commented 5 years ago

@cldrn: do you have any updates on this?

cpholguera commented 4 years ago

Hola Paulino, any news on this one? :) Thanks!

cldrn commented 4 years ago

Hi guys,

Wrapping up Q4 on the 19th and then I will be free to work on this one, the one for disabling keyboard cache in Kotlin and updating the checklist in Spanish.

:)