Closed sushi2k closed 5 years ago
I interpret 7.8 as being about native vulnerabilities like buffer overflows & double-frees, and not about data/information leakage ? This is not covered by 2.10 and 7.3.
I would say this is about sane memory management. It will require work in both platforms when coding in C(++)...
True, that makes sense. So also applicable for Android with the NDK. So the requiremenet should stay in.
Seeing that we all have slightly differing ideas on what this requirement is about : What exactly do we mean by "Unmanaged Code" in a mobile context? When I research online, most of what I find pertains to Microsoft technology, C#, .NET, Mono, .... That last one would be relevant in a Xamarin-based app, but I'm not sure if that's what was envisioned when writing this requirement?
Agree with Jeroen, "unmanaged code" should be defined as C/C++ code base, which can also be the NDK on Android. Maybe we change the requirement to this, to make it more clear:
In unmanaged code (C/C++), memory is allocated, freed and used securely.
And also agree with TheDauntless that in this context it is then about buffer overflow vulnerabilities etc.
It seems checking for these vulnerabilities is already described in the MSTG: https://github.com/OWASP/owasp-mstg/blob/1b27e5338a882a6887fc3cddd2907b90472ebd48/Document/0x04h-Testing-Code-Quality.md#memory-corruption-bugs
I believe objective-c has a wrapper to do the same thing, and in some apps the developer made jni wrappers to call those functions as well. So this might limit it again too much?
Op 24 jul. 2018, om 01:27 heeft Sven notifications@github.com het volgende geschreven:
Agree with Jeroen, "unmanaged code" should be defined as C/C++ code base, which can also be the NDK on Android. Maybe we change the requirement to this, to make it more clear:
In unmanaged code (C/C++), memory is allocated, freed and used securely.
And also agree with TheDauntless that in this context it is then about buffer overflow vulnerabilities etc.
It seems checking for these vulnerabilities is already described in the MSTG: https://github.com/OWASP/owasp-mstg/blob/1b27e5338a882a6887fc3cddd2907b90472ebd48/Document/0x04h-Testing-Code-Quality.md#memory-corruption-bugs
— You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.
Given this, we can close the issue right?
I just realised that we didn't describe MASVS 7.8 "In unmanaged code, memory is allocated, freed and used securely." in neither the Android nor iOS section of the MSTG.
I would propose to remove 7.8, as we also have the following 2 requirements that are covering it:
2.10 | The app does not hold sensitive data in memory longer than necessary, and memory is cleared explicitly after use. 7.3 | Debugging symbols have been removed from native binaries.
Any thoughts on this?