OWASP / owasp-masvs

The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security.
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

rooted or jailbroken device requirement #104

Closed Sjord closed 7 years ago

Sjord commented 7 years ago

There are two requirements regarding jailbroken devices:

I think these are too similar. Should one of these be deleted? Which one?

sushi2k commented 7 years ago

You are right, they indeed sound the same.

I think the intention of splitting it originally was to have requirement 6.9 that is checking for "basic" root/jailbreak detection that is doing at least one check for it, like checking for the existence of /sbin/su or other files. 8.1 should have at least two checks or a more sophisticated root/jailbreak detection, like a mixture of file existence checks and checking of running processes (like ssh).

I think we should make this more clear in 8.1, like:

"The app detects, and responds to, the presence of a rooted or jailbroken device either by alerting the user or terminating the app through implementing at least two different detection mechanisms."
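
The "at least two different detection mechanisms" idea above, as an added example (not MASVS or MSTG code, and not from either commenter): one mechanism looks for well-known root artefacts on disk, the other walks procfs for the names of root-related daemons, and the result is the number of independent mechanisms that fired, so an attacker has to defeat both rather than patch one check. The paths, process names and the Linux/Android `/proc/<pid>/comm` layout are assumptions for illustration; the lists are deliberately short and not a complete catalogue.

```c
/*
 * Added example, not from the MASVS project: two independent
 * root/jailbreak indicators combined into one decision.
 * Assumes a Linux/Android-style filesystem and procfs.
 */
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Mechanism 1: root artefacts on disk (illustrative paths, not exhaustive). */
static const char *const ROOT_ARTEFACTS[] = {
    "/sbin/su",
    "/system/bin/su",
    "/system/xbin/su",
    "/data/local/tmp/su",
    "/system/app/Superuser.apk",
};
#define N_ROOT_ARTEFACTS (sizeof ROOT_ARTEFACTS / sizeof ROOT_ARTEFACTS[0])

/* Count how many of the given paths exist; 0 means no artefact found. */
size_t count_existing_paths(const char *const *paths, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (access(paths[i], F_OK) == 0)
            hits++;
    }
    return hits;
}

/* Mechanism 2: running processes. Walks proc_root (normally "/proc"),
 * reads each <pid>/comm and compares it with name. Returns 1 if found,
 * 0 if not found or if procfs is unavailable (the mechanism then yields nothing). */
int process_running(const char *proc_root, const char *name)
{
    DIR *d = opendir(proc_root);
    if (!d)
        return 0;
    struct dirent *e;
    int found = 0;
    while (!found && (e = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0]))
            continue;                       /* only numeric pid directories */
        char path[512];
        snprintf(path, sizeof path, "%s/%s/comm", proc_root, e->d_name);
        FILE *f = fopen(path, "r");
        if (!f)
            continue;                       /* process exited between readdir and fopen */
        char comm[64] = {0};
        if (fgets(comm, sizeof comm, f)) {
            comm[strcspn(comm, "\n")] = '\0';
            if (strcmp(comm, name) == 0)
                found = 1;
        }
        fclose(f);
    }
    closedir(d);
    return found;
}

/* Reads this process's own comm name; lets a caller confirm the scanner works. */
int self_process_name(char *buf, size_t n)
{
    FILE *f = fopen("/proc/self/comm", "r");
    if (!f)
        return 0;
    int ok = fgets(buf, (int)n, f) != NULL;
    fclose(f);
    if (ok)
        buf[strcspn(buf, "\n")] = '\0';
    return ok;
}

/* Returns how many of the two mechanisms fired (0, 1 or 2). The app decides
 * its response (alert the user, or terminate) from this value. */
int root_indicators(const char *const *paths, size_t n, const char *proc_root,
                    const char *const *procs, size_t m)
{
    int fired = 0;
    if (count_existing_paths(paths, n) > 0)
        fired++;
    for (size_t i = 0; i < m; i++) {
        if (process_running(proc_root, procs[i])) {
            fired++;
            break;                          /* one hit is enough for this mechanism */
        }
    }
    return fired;
}

int main(void)
{
    /* Assumed daemon names for illustration. */
    static const char *const procs[] = { "daemonsu", "sshd", "magiskd" };
    int fired = root_indicators(ROOT_ARTEFACTS, N_ROOT_ARTEFACTS, "/proc", procs, 3);
    printf("root indicators fired: %d of 2\n", fired);
    return 0;
}
```

Keeping the two mechanisms as separate functions whose results are only combined at the end is the point: a check that short-circuits on the first file hit, or a single boolean that both mechanisms write to, is one patch away from defeat, and, as the thread notes, none of this is watertight against an attacker who controls the device.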

Sjord commented 7 years ago

As far as I understand it, you don't want to run the app on a rooted device to prevent the owner of that device from tampering with your application. In that case I think it would best fit in chapter 8, under "Impede Dynamic Analysis and Tampering".

That would remove it from MASVS-L1 and leave it only in MASVS-R. I don't really understand what this means, but that could influence the decision.

I don't think it makes sense to have a basic check and an advanced check. The requirement is to detect this, and how well this is done is up to the implementation. Root detection can't be made watertight anyway.

sushi2k commented 7 years ago

I get your point, and it makes sense. In this case we should get rid of 6.9 and also merge the test cases in the MSTG, as there is now one root/jailbreak test case in "Testing Platform Interaction" and a much more detailed test case in "Testing-Resiliency-Against-Reverse-Engineering".

Otherwise it's really confusing to separate like this. @b-mueller: Are you ok with this, or what do you think?

sushi2k commented 7 years ago

done https://github.com/OWASP/owasp-masvs/commit/23fca822cbde6fddf9c1df42af9ff361b5b753a1