OWASP / owasp-masvs

The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security.
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

Missing a requirement "Verify that no sensitive data is stored unencrypted." #31

Closed sushi2k closed 7 years ago

sushi2k commented 7 years ago

Hi,

I think we are missing a requirement in "V2: Data Storage and Privacy requirements", which is to not store sensitive data in cleartext. In the first requirement we are only talking about credentials and keys, but there might be a lot of other sensitive information that needs to be identified, and the applicable security controls need to be applied to it too.

So we should have another requirement like "Verify that no sensitive data is stored unencrypted.".

Or am I missing something and this is already covered somewhere else?

https://github.com/OWASP/owasp-masvs/blob/master/Document/0x07-V2-Data_Storage_and_Privacy_requirements.md

muellerberndt commented 7 years ago

Hi Sven,

V2.1 covers all forms of sensitive data.

“Verify that system credential storage facilities are used appropriately to store sensitive data, such as user credentials or cryptographic keys.”


sushi2k commented 7 years ago

Ok. Somehow I thought this test case really covers only credentials and keys. Can we change the wording of this requirement slightly, by deleting the "credential" so it's only system storage facilities? Then I think it's more clear that we are not only talking about things like the KeyChain and that it also includes all other storage facilities like an encrypted SQLite DB.

“Verify that system storage facilities are used appropriately to store sensitive data, such as user credentials or cryptographic keys.”

muellerberndt commented 7 years ago

"System storage facilities" is not enough though, because then you could use any system storage facility? If you're storing anything that's sensitive it must be stored in the Keychain or Keystore (which are meant for credential storage).

muellerberndt commented 7 years ago

E.g. if you'd save credit card data you'd have to use the credential storage facilities as well. And you'd be kind of abusing them of course.

sushi2k commented 7 years ago

Ok. Think I got it now. So we have requirement V2.1, with "credential storage facilities" which implies that all sensitive data is encrypted by using the KeyStore. Then this encrypted data can also be stored in SharedPreferences or a SQLite database which is not an issue anymore as it is encrypted with native methods. Correct?

What about encrypted SQLite databases, is this then also in the category of "credential storage facilities" as you need a password to decrypt the database?

commjoen commented 7 years ago

Hi @sushi2k, again V2.1 seems not to be really clear, same as in #44... @b-mueller: I think we have to reformulate this item. After all: I think you can only use the system-specific protection to store key materials. They then are a root of trust to store other materials encrypted with them. (Of course, the iOS keychain is an exception here.) But I would not trust the SQLite database (use SQLCipher instead! or an encrypted Realm database). I think that we should say that:

Would that make more sense?

Note that the last one gives some overhead. But I'd rather have overhead than somebody putting financial transactions unencrypted in my banking app ;-).

muellerberndt commented 7 years ago

-> Keying materials should always be stored in the credential storage facilities.
-> Sensitive information, if stored on the device, should be encrypted with the keying materials stored on either the server (l4) or on the credential storage facilities (l2-l3).

I think these two cover it perfectly.