OWASP / owasp-masvs

The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security.
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

Add other connectivity related requirements #132

commjoen closed 5 years ago

commjoen commented 6 years ago

The MASVS currently has the focus on securing the data of the user. Next would be to secure the context of a user. Part of that should include the secondary type of connections. We need to:

sushi2k commented 6 years ago

We could create two additional requirements that summarise: a) if data is handled securely when the app is using NFC or Bluetooth to send/exchange such data (this would be part of "V2: Data Storage and Privacy Requirements") b) if the connection itself via NFC and Bluetooth is established in a secure way (might best fit into "V6: Platform Interaction Requirements").

commjoen commented 6 years ago

This sounds like a plan 👍. I would say: let's start changing stuff after the 1.1.2 is done for the MASVS and the 1.1.0 is done for the MSTG.

commjoen commented 5 years ago

Meeting notes:

FOR NOW: move this to the MSTG issue list as well.

commjoen commented 5 years ago

Further taken care of at https://github.com/OWASP/owasp-mstg/issues/1493