OWASP / owasp-masvs

The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security.
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

[V7: Code quality and build setting requirements] : Verify that the app is marked as a release build. #59

Closed bugwrangler closed 7 years ago

bugwrangler commented 7 years ago

Could you please elaborate on this requirement?

sushi2k commented 7 years ago

I guess the main point is that once you make a release build it is signed with the actual key of the developer/company, to verify the integrity of the creator of the app. If, for example, an APK were shipped as a debug build, the key used to sign the app would be the one coming from the IDE (Android Studio) that was used during development. Nevertheless, a debug build cannot be distributed via the Play Store, so creating a release build is of course mandatory if an app is to be published in an official app store. The developer/company needs to be aware of this requirement and think about how to maintain their keys, especially if they create more apps, as signing different apps with the same key also allows interaction between those apps. Using a release build in Android also enforces the ProGuard rules and optimises the APK.

See also: https://developer.android.com/studio/publish/preparing.html
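The two observable markers of what is described above (the manifest is not debuggable, and the signer is not the IDE's debug key) can be checked on a built APK. The script below is an added example, not part of the MASVS project; it assumes the Android SDK build-tools `aapt` and `apksigner` are on `PATH` when run against a real APK, and it assumes the default subject of the SDK-generated debug keystore (`CN=Android Debug, O=Android, C=US`). The helper functions only inspect the tools' text output, so they can be exercised without an APK.

```shell
#!/usr/bin/env bash
# Added example (not MASVS project code): does an APK look like a release build?
# Two checks: (1) `aapt dump badging` must not report application-debuggable,
# (2) `apksigner verify --print-certs` must not show the Android debug signer.
set -u

# Assumed default subject of ~/.android/debug.keystore generated by the SDK/IDE.
DEBUG_SIGNER_CN='CN=Android Debug'

# 0 if the `aapt dump badging` text marks the app as debuggable.
is_debuggable() {
  printf '%s\n' "$1" | grep -q '^application-debuggable'
}

# 0 if the `apksigner verify --print-certs` text shows the debug key's subject.
is_debug_signed() {
  printf '%s\n' "$1" | grep -qi "certificate DN: .*${DEBUG_SIGNER_CN}"
}

# Verdict from the two text outputs: prints "release" (exit 0) or "debug" (exit 1).
classify_build() {
  badging="$1"
  certs="$2"
  if is_debuggable "$badging" || is_debug_signed "$certs"; then
    echo debug
    return 1
  fi
  echo release
  return 0
}

# Run the two SDK tools against a real APK and classify it (exit 2 on tool error).
check_apk() {
  apk="$1"
  badging=$(aapt dump badging "$apk") || return 2
  certs=$(apksigner verify --print-certs "$apk") || return 2
  classify_build "$badging" "$certs"
}

# Usage: ./check_release.sh app.apk
if [ -n "${1:-}" ]; then
  check_apk "$1"
fi
```

A build that passes both checks is still only "release-shaped"; the thread's further points (which key signed it, and whether that key is the one the company intends to reuse across apps) need the printed certificate compared against the organisation's own release certificate, which the script deliberately does not hard-code.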

bugwrangler commented 7 years ago

I feel the technical term "release build" doesn't convey a factual meaning. Please look at my pull request. We should add one or two other requirements w.r.t. the release build concept, including the key used to sign the build, the user/enterprise certificate used for the release build, etc.

sushi2k commented 7 years ago

What do you think of this: https://github.com/OWASP/owasp-masvs/pull/61#discussion-diff-92522756R19

bugwrangler commented 7 years ago

Aligned, thanks!