Add Location-related requirements

OWASP / owasp-masvs

The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security.

https://mas.owasp.org/

Creative Commons Attribution Share Alike 4.0 International

2.06k stars 437 forks source link

Add Location-related requirements #131

Closed commjoen closed 5 years ago

commjoen commented 6 years ago

The MASVS currently has the focus on securing the data of the user. Next would be to secure the context of a user. Part of that should include the location-related context. We need to:

reassure that, when the location is involved as a factor, it cannot easily be faked.
reassure that, when the location is involved, the location data is similarly protected as other data.

sushi2k commented 6 years ago

Is this really sth we are considering (or even reliable) on an app level? This might need to be tracked on the API endpoint and trigger alarms via Push Notification/Email if someone is trying to login/triggering functions from a country where the user definitely cannot be at the moment. But it's a good idea, I am just not sure in which category it would fit in best. Maybe "V4-Authentication_and_Session_Management_Requirements.md"?

sushi2k commented 6 years ago

Wouldn't this be part of 4.11? It doesn't clearly cover your suggestion, but maybe we adjust this requirement instead of creating a new one?

4.11	The app informs the user of all login activities with their account. Users are able view a list of devices used to access the account, and to block specific devices.

commjoen commented 6 years ago

Not so sure about it, i rather have it as a separate item. See for instance the pokemon games where users try to spoof their location to cheat the game (and there are quiet some similar games/ideas in there). Next, think about navigation apps which are cheated in order to steer a user to a wrong place.

commjoen commented 5 years ago

Meeting notes:

given the current complexities of location services (E.g. in terms of the threats" gps and their counterbeacons/jammers, network spoofers, Bluetooth beacon copies and their controls on a platform level basis) we are not able to have proper countermeasures on an application level basis. This needs resolution at the vendor/platform level and is out of our control.
further controsl about unrealistic movemvent of a user should be implemented in the backend. Note that this is already part of the MSTG (at 4.11 and a few other places).
we can close the issue.