OWASP / owasp-masvs

The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security.
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

Suggestions for Chapter 8 Resiliency Against RE #260

Closed HenryHoggard closed 5 years ago

HenryHoggard commented 5 years ago

A few suggestions for chapter 8.

| 8.10 | MSTG‑RESILIENCE‑10 | The app utilises, and responds to system APIs that report on harmful applications and tampering of the device. | ✓ |

Add requirements for iOS DeviceCheck and Android SafetyNet detection & reporting.

| 8.11 | MSTG‑RESILIENCE‑11 | Upon detection of tampering of the app or device, sensitive data is wiped from the app. | ✓ |

If sensitive data is not wiped from the application sandbox when the application detects tampering or a rooted device, it can still be stolen by attackers or malware.

| 8.12 | MSTG‑RESILIENCE‑12 | The app detects, and responds to, tampering of the system to weaken security. | ✓ |

This requirement is overkill for most apps so perhaps make it optional if you use it. Some example techniques that highly secure applications use within this category are as follows:

commjoen commented 5 years ago

Hi @henryhoggard, sorry for the slow response. As I have no laptop till Monday due to my holidays, my response is a little slower. We will get back to this at the beginning of next week.

commjoen commented 5 years ago

Hi @HenryHoggard, back again, now with a laptop ;-). Thank you for your suggestions! It's good to see caring people respond to the requirements within this project. As a general response to your feedback: the MASVS tries to be as technology independent as possible. Instead, the technology-dependent translation of these requirements is further detailed in the MSTG. Therefore most of your suggestions can best be filed at the MSTG. Maybe it is a good idea to check what is already in the MSTG, and then file issues for missing items? Let me know if that works for you.

As for the overkill item: we do not say that any of the Resilience items are mandatory: instead a party can select any of these requirements when they think that they matter based on their threat model. Therefore, we do not automatically recommend that everybody should incorporate it. We are thinking of making this more clear by adding a better intro and perhaps even better clustering, as payload encryption might be added as well (both with a lot of consequences).

commjoen commented 5 years ago

Does this answer your suggestions a bit?