OWASP / owasp-masvs

The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security.
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

Platform specific? #5

Closed thec00n closed 7 years ago

thec00n commented 7 years ago

Guys, should the requirements be platform specific? IMHO it should not. For instance I would change the following requirement and make it generic.

9.2 On Android, verify that the release bytecode has been minified with ProGuard.
9.2 Verify that the release bytecode has been minified.

A generic MASVS should be applicable to any mobile platform. This will have advantages, especially on how often the guide needs to be updated and how easy it will be to consume.

muellerberndt commented 7 years ago

Theoretically yes, however the fact is that there are only 2 major mobile OSes and some of the requirements cannot easily be generalized, for example:

V6: 3.8 Verify that the app updates the Security Provider if needed (Android)

I think there's still some OS-specific stuff missing from V6 especially for Android. The question is how we deal with those?

ghost commented 7 years ago

I do agree that certain technologies are just platform specific, and we cannot be 'generic' about it. Talking about 'bytecode' doesn't make any sense for all other platforms, so why make it generic?

thec00n commented 7 years ago

@stephenreda @b-mueller : Yes they certainly are and that is the issue. My point is that we are talking about security requirements for mobile applications. They should be articulated in a way that is platform independent; note that the ASVS also does not talk about platform specifics. It merely states what design principles are necessary for secure web applications regardless of the platform. Test cases that are platform or technology specific should go into the OMTG, I think.

muellerberndt commented 7 years ago

I think generalizing the requirements makes sense, as long as nothing gets "lost" in the process. OS-specific test cases would be in the testing guide.

muellerberndt commented 7 years ago

I just went through the list again and there's a few more requirements I have a hard time generalizing. Examples:

2.8 Verify that sensitive data does not leak via application snapshots (iOS).
2.9 Verify that no sensitive data is exposed via intents (Android).

One problem I see is that if we generalize this too much, it won't be that viable anymore to generate security testing checklists out of the MASVS. As a tester, I'd like to have a checklist with the right amount of detail. If it says something very generic like "Verify that sensitive data is not exposed to the OS", the list isn't very useful by itself.

Also, if I generate a checklist for iOS, I only want it to contain requirements that are valid for iOS, so that information would have to be somewhere in the requirement.

What do you think?
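The transformation being debated in this thread (strip the "On Android, ..." prefix or "(iOS)" suffix, keep the generic wording in the standard, keep the platform as metadata so a per-OS checklist can still be generated) is mechanical enough to script. The following is an added example and not code from the MASVS project; the sample requirement lines are the ones quoted in this issue plus one constructed generic line, and the two platform-term substitutions (dropping "with ProGuard", turning "intents" into "IPC mechanisms") are assumptions chosen to match the generalizations proposed above, not an official mapping.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the pre-generalization requirement lines quoted in
# this thread, plus one made-up platform-neutral line (0.1 is not a MASVS ID).
SAMPLE_REQUIREMENTS = [
    "9.2 On Android, verify that the release bytecode has been minified with ProGuard.",
    "3.8 Verify that the app updates the Security Provider if needed (Android)",
    "2.8 Verify that sensitive data does not leak via application snapshots (iOS).",
    "2.9 Verify that no sensitive data is exposed via intents (Android).",
    "0.1 Verify that sensitive data is not written to application logs.",
]

# Assumed annotation styles seen in the thread: a leading "On <OS>, " or a
# trailing "(<OS>)" optionally followed by the sentence's final period.
ID_RE = re.compile(r"^(\d+\.\d+)\s+(.*)$")
PLATFORM_PREFIX = re.compile(r"^On (Android|iOS),\s*")
PLATFORM_SUFFIX = re.compile(r"\s*\((Android|iOS)\)(\.?)\s*$")

# Assumed term rewrites that turn tool- or API-specific wording into the
# generic form proposed in the discussion.
GENERIC_TERMS = [
    (re.compile(r"\s+with ProGuard\b"), ""),
    (re.compile(r"\bvia intents\b"), "via IPC mechanisms"),
]


@dataclass
class Requirement:
    req_id: str
    text: str                                  # generic wording for the standard
    platforms: set = field(default_factory=set)  # empty set = applies everywhere
    platform_wording: dict = field(default_factory=dict)  # OS -> original line


def parse_requirement(line: str) -> Requirement:
    """Split a MASVS-style line into ID, generic text and platform tags."""
    m = ID_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a requirement line: {line!r}")
    req_id, original = m.groups()
    text, platforms = original, set()

    m = PLATFORM_PREFIX.match(text)
    if m:
        platforms.add(m.group(1))
        text = text[m.end():]
        text = text[0].upper() + text[1:]      # "verify ..." -> "Verify ..."

    m = PLATFORM_SUFFIX.search(text)
    if m:
        platforms.add(m.group(1))
        text = PLATFORM_SUFFIX.sub(r"\2", text)  # keep the period if there was one
    if not text.endswith("."):
        text += "."

    for pattern, replacement in GENERIC_TERMS:
        text = pattern.sub(replacement, text)

    return Requirement(req_id, text, platforms,
                       {os_name: original for os_name in platforms})


def checklist(requirements, platform: str):
    """Requirements that apply to `platform`: generic ones plus those tagged with it."""
    return [r for r in requirements if not r.platforms or platform in r.platforms]


def checklist_ids(lines, platform: str):
    return [r.req_id for r in checklist([parse_requirement(l) for l in lines], platform)]


if __name__ == "__main__":
    reqs = [parse_requirement(l) for l in SAMPLE_REQUIREMENTS]
    for os_name in ("Android", "iOS"):
        print(f"== {os_name} checklist ==")
        for r in checklist(reqs, os_name):
            note = r.platform_wording.get(os_name)
            suffix = f"  [test detail: {note}]" if note else ""
            print(f"[ ] {r.req_id} {r.text}{suffix}")
```

The generic text is what would stay in the standard; the `platform_wording` map is the hook for the testing guide, which is where the thread agrees the OS-specific detail belongs. Note that the filter keeps a requirement with no platform tag on every checklist, so a generalized line such as 2.9 now applies to iOS as well, which is exactly the scope change that dropping "(Android)" implies.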

commjoen commented 7 years ago

We could generalize them both, but it would indeed make it harder to generate tests. Then again, 2.9 could be generalized to any IPC mechanism for instance, so that you can test for other (less advertised, not recommended) channels too.

muellerberndt commented 7 years ago

One thing I'm sure of is that having requirements that start with "On Android..." or end with (Android) or (iOS) is not a good thing. So let's agree to generalize the requirements and relegate the OS-specific details to the testing guide?

sushi2k commented 7 years ago

@b-mueller Agree. This is a consistent approach.

muellerberndt commented 7 years ago

Resolved by generalizing all requirements.