OWASP / owasp-masvs

The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security.
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

Replace SafetyNet recommendations with up-to-date information #686

Closed cpholguera closed 4 months ago

cpholguera commented 1 year ago

Discussed in https://github.com/OWASP/owasp-masvs/discussions/676

Originally posted by **SirionRazzer** December 21, 2022

Since SafetyNet is deprecated (https://developer.android.com/training/safetynet/deprecation-timeline), I would like to update the relevant sections with up-to-date alternatives. This field seems to be coined as the app and device **attestation** or **integrity control**. Each major platform comes with a default solution, and there are alternative 3rd party solutions. While the features and functionality differ, the ultimate goal is to ensure that:

- Requests come from your genuine app
- Requests come from a genuine, untampered device

Attestation helps minimize fraud both on the client and backend sides. Hence, this topic can be mapped to related ASVS requirements as this topic extends to the ASVS domain.

### Parts for removal

- https://mas.owasp.org/MASTG/Android/0x05j-Testing-Resiliency-Against-Reverse-Engineering/#safetynet
- https://mas.owasp.org/MASTG/Android/0x05j-Testing-Resiliency-Against-Reverse-Engineering/#safetynet-attestation

### Related MASVS 2.0 IDs

- MASVS-RESILIENCE-1 - The app validates the integrity of the platform.
- MASVS-RESILIENCE-2 - The app validates its integrity.

### Upsides

- Protection from risky and fraudulent interactions
- Reduces attack surface
- Integrity verdicts can suggest the possible attack
- Enrollment protection

### Downsides

- It may be network dependent
- May have a dependency on the integrity provider's web service, which may introduce some networking latency
- May have usage quotas
- Vendor-dependent platform support
- Proprietary algorithms

### Providers

- Apple platform: DeviceCheck or App Attest
  - https://developer.apple.com/documentation/devicecheck
  - https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity
  - third-party providers
- Android platform:
  - Android with GMS: Play Integrity
    - https://developer.android.com/google/play/integrity/overview
    - Migration from SafetyNet: https://developer.android.com/google/play/integrity/migrate

    _There is an unofficial community discussion about the Play Integrity and its quirks and features: https://forum.xda-developers.com/t/discussion-play-integrity-api.4479337/ ._
  - Android with HMS: SafetyDetect
    - https://developer.huawei.com/consumer/en/doc/development/Security-Guides/dysintegritydevelopment-0000001050156331
  - third-party providers

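The two goals named in the issue (requests come from your genuine app, and from a genuine, untampered device) and the note that "integrity verdicts can suggest the possible attack" map onto a backend policy check over the attestation verdict. The following is an added example, not code from the issue or from the MASVS/MASTG project. It takes an already-decrypted Play Integrity verdict as a dict (field names follow the public Play Integrity API documentation; decrypting and verifying the token itself, via Google's server endpoint or locally, is assumed to have happened before this step) and evaluates it against server-side expectations: the nonce the server issued for this request, a freshness window, the expected package name and signing-certificate digests, and the device verdict labels. The sample payloads, package name, digests and nonce are constructed placeholders, and each failed check is tagged with the MASVS-RESILIENCE control it relates to so the result can be used for detection and triage rather than a bare accept/reject.

```python
import copy

# Constructed sample of a decrypted Play Integrity verdict (classic request).
# Field names follow the public API docs; every value here is made up.
SAMPLE_VERDICT = {
    "requestDetails": {
        "requestPackageName": "com.example.app",
        "nonce": "c2VydmVyLW5vbmNlLTAwMQ",          # placeholder server nonce
        "timestampMillis": "1700000000000",
    },
    "appIntegrity": {
        "appRecognitionVerdict": "PLAY_RECOGNIZED",
        "packageName": "com.example.app",
        "certificateSha256Digest": ["PLACEHOLDER_CERT_DIGEST_1"],
        "versionCode": "42",
    },
    "deviceIntegrity": {
        "deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"],
    },
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}

# Constructed variants: a device that only meets basic integrity, and a
# repackaged build that Play does not recognise and that carries a foreign digest.
ROOTED_VERDICT = copy.deepcopy(SAMPLE_VERDICT)
ROOTED_VERDICT["deviceIntegrity"]["deviceRecognitionVerdict"] = ["MEETS_BASIC_INTEGRITY"]

REPACKAGED_VERDICT = copy.deepcopy(SAMPLE_VERDICT)
REPACKAGED_VERDICT["appIntegrity"]["appRecognitionVerdict"] = "UNRECOGNIZED_VERSION"
REPACKAGED_VERDICT["appIntegrity"]["certificateSha256Digest"] = ["PLACEHOLDER_FOREIGN_DIGEST"]

# Server-side expectations (placeholders; in practice pinned in backend config).
EXPECTED_PACKAGE = "com.example.app"
ALLOWED_CERT_DIGESTS = {"PLACEHOLDER_CERT_DIGEST_1"}
MAX_AGE_MS = 5 * 60 * 1000  # verdicts older than five minutes are rejected


def evaluate_verdict(verdict, expected_nonce, now_ms,
                     expected_package=EXPECTED_PACKAGE,
                     allowed_digests=ALLOWED_CERT_DIGESTS,
                     require_strong=False):
    """Return (accepted, findings).

    findings is a list of human-readable failed checks, each tagged with the
    MASVS-RESILIENCE control it relates to, so a SOC can see *which* property
    failed instead of only that the request was refused.
    """
    findings = []
    req = verdict.get("requestDetails", {})
    app = verdict.get("appIntegrity", {})
    dev = verdict.get("deviceIntegrity", {})

    # Request binding: the nonce must be the one this server issued for exactly
    # this transaction, and the verdict must be fresh, or a captured token
    # could simply be replayed against a different request.
    if req.get("nonce") != expected_nonce:
        findings.append("nonce mismatch (possible replay or forged request)")
    try:
        age_ms = now_ms - int(req.get("timestampMillis", "0"))
    except ValueError:
        age_ms = None
    if age_ms is None or age_ms < 0 or age_ms > MAX_AGE_MS:
        findings.append("timestamp outside freshness window (possible replay)")
    if req.get("requestPackageName") != expected_package:
        findings.append("request package name mismatch")

    # MASVS-RESILIENCE-2: the app validates its integrity.
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        findings.append("app not recognized by Play (repackaged or sideloaded build) [MASVS-RESILIENCE-2]")
    if app.get("packageName") != expected_package:
        findings.append("app package name mismatch [MASVS-RESILIENCE-2]")
    digests = set(app.get("certificateSha256Digest", []))
    if not digests or not digests.issubset(allowed_digests):
        findings.append("signing certificate not in allow-list (re-signed app) [MASVS-RESILIENCE-2]")

    # MASVS-RESILIENCE-1: the app validates the integrity of the platform.
    labels = set(dev.get("deviceRecognitionVerdict", []))
    if "MEETS_DEVICE_INTEGRITY" not in labels:
        findings.append("device fails MEETS_DEVICE_INTEGRITY (rooted, emulated or modified platform likely) [MASVS-RESILIENCE-1]")
    if require_strong and "MEETS_STRONG_INTEGRITY" not in labels:
        findings.append("device lacks MEETS_STRONG_INTEGRITY required for this operation [MASVS-RESILIENCE-1]")

    return (not findings, findings)


if __name__ == "__main__":
    now = 1700000060000  # constructed "current time": 60 s after the verdict
    for name, v in (("genuine", SAMPLE_VERDICT), ("rooted", ROOTED_VERDICT),
                    ("repackaged", REPACKAGED_VERDICT)):
        ok, why = evaluate_verdict(v, "c2VydmVyLW5vbmNlLTAwMQ", now)
        print(name, "accepted" if ok else "rejected", why)
```

The policy is deliberately split into request binding, app integrity and device integrity so that the "downsides" listed in the issue can be handled per class: a quota or web-service outage surfaces as a missing verdict (reject or degrade according to the operation's risk), while a device-only failure on a low-risk endpoint can be logged as a signal instead of blocking the user.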
EdilsonGalvao commented 1 year ago

Mr. @cpholguera

I will update it as follows below:

  1. Explaining the SafetyNet deprecation and guiding the reader to use Google Play Integrity.
  2. Explaining a few exceptions that Google can't capture (in the default flow) and how we can use them to our benefit.

SirionRazzer commented 1 year ago

Please, go on! I'll help you to review it and then I'll add my points :)

  1. There is a migration guide somewhere
  2. This is interesting. Which exceptions do you mean?

EdilsonGalvao commented 1 year ago

Could you open an issue in the MASTG repository to remove this part?

- https://mas.owasp.org/MASTG/Android/0x05j-Testing-Resiliency-Against-Reverse-Engineering/#safetynet
- https://mas.owasp.org/MASTG/Android/0x05j-Testing-Resiliency-Against-Reverse-Engineering/#safetynet-attestation

cpholguera commented 1 year ago

Hi @EdilsonGalvao, that should be done within the same PR associated with this ticket. We don't need an additional ticket. Thank you!