Closed commjoen closed 7 years ago
Great idea. Would be an innovative thing to have in the standard. It would also be a great way to clarify the role of jailbreak detection in the lower levels, where users should be warned but not completely prevented from using the app. Shall we add this as a separate category? Maybe V9?
The MASVS has a central role in audit and requirements analysis. But in my opinion this is not a user-centered checklist. All other categories are not relevant for end-users. And this new category would not be relevant for the intended public of this document. Just my opinion.
I think you should always instruct the user, as it is part of the liability part of the app. If you do not instruct users to have a strong password, if you do not instruct them/teach them on where they should have gotten the app from, if you don't instruct them on lifecycle management, it becomes the liability of the app provider (unless stated otherwise in a legal term). In both cases, you should audit on this: either the app developer showed in a statement that he is not liable, or he educates the user, together with a liability-transferring statement.
I think this is one of the major differences between a web and mobile security standard: the fact that one doesn't have control over the environment in which the app is run. The configuration by the user does have a big impact, so I'm very much in favor of adding this. @commjoen can you come up with a draft? @stephenreda we can experiment with this on a second branch and have another discussion before we merge it.
Agreeing with both your arguments @commjoen @b-mueller. True about the control on the app device environment. As @b-mueller suggested, let's have some more discussions until we actually have some content.
That's a good idea @commjoen! Let me know if you need some help or review, sounds like interesting test cases.
Will add this soon (hope to have time during BruCON :))
All merged.
Another item for discussion: one thing that can often help for high-risk applications is to educate users not to keep the app on their phone if they don't need it and to make sure they always log out. Should we have these kinds of "educate-the-user" controls as part of the MASVS?