OWASP / owasp-masvs

The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security.
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

V2.1 - Secure Storage of Sensitive Data #9

Closed muellerberndt closed 7 years ago

muellerberndt commented 7 years ago

"2.1 Verify that secure credential storage facilities are used to store sensitive data, such as user credentials or cryptographic keys."

This is supposed to cover ALL sensitive data. The question is, do we also allow the use of other encryption methods besides the standard iOS Keychain and Android KeyStore APIs? Wouldn't any symmetric crypto have to rely on hardcoded keys, which is forbidden by V3.1?

sushi2k commented 7 years ago

I would definitely say yes, that other encryption methods should be allowed besides keychain. There might still be cases where storing data in a SQLite database might be more feasible, therefore usage of a library like SQLCipher to encrypt the database can also be applicable. If something like SQLCipher is used the problem is of course where to store the key, that might be violating V3.1. But there can still be two solutions besides having a hardcoded key that would not violate V3.1:

· Store the key on the server and not locally and only retrieve the key when data needs to be decrypted. This has of course the downside that the App might not be usable when being offline.

· Ask the user for a PIN/Password that is part of the secret to decrypt the data. This might be prone to brute forcing if the PIN/Password is weak.

Besides that White Box cryptography controls can be applied for symmetric keys, which can be another requirement for cryptography that might be applicable to Level 3 or 4.

muellerberndt commented 7 years ago

Ok, that makes sense. I like the part with the PIN requirement, and we also need minimum requirements for the PIN. Using something “the user knows” is really the only way to do it.

From: Sven, Thursday, September 15, 2016 at 9:24 AM, Subject: Re: [OWASP/owasp-masvs] V2.1 - Secure Storage of Sensitive Data (#9)
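Sven's second option (a user PIN/password as part of the secret) and Bernhard's reply that the PIN then needs minimum requirements describe one scheme: derive the key from the PIN with a salted, slow KDF, never store the key, and police the PIN, because once the file is stolen the only defences left are the KDF cost per guess and the PIN's entropy. The Go program below is an added example written for this page; it is not MASVS or MSTG code and not SQLCipher's own key handling. It implements that scheme with PBKDF2-HMAC-SHA256 (spelled out over the standard library to stay self-contained; a memory-hard KDF such as scrypt or Argon2 is the better choice in a real app) and AES-256-GCM, adds a minimal PIN policy, and then plays the attacker, recovering a 4-digit PIN by offline brute force. The function names, the blob layout, the 4096-iteration cost (chosen so the demo finishes in about a second) and the sample plaintext are all this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math"
)

// kdfIterations is deliberately low so the demo finishes in about a second; a real app uses far more, or scrypt/Argon2.
const kdfIterations = 4096
const saltLen, nonceLen = 16, 12 // random KDF salt; standard 96-bit AES-GCM nonce

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018, section 5.2) for one 32-byte block, spelled out over the standard library.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian index of the first block
	t := prf.Sum(nil)             // U_1, which also starts the running XOR T_1
	for u, j := t, 1; j < iter; j++ { // u is U_j; derive U_{j+1} and XOR it into T_1
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for k := range t {
			t[k] ^= u[k]
		}
	}
	return t
}

// gcmForPIN derives the AES-256 key from PIN and salt and returns an AES-GCM AEAD.
func gcmForPIN(pin string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(pin), salt, kdfIterations))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a PIN-derived key. Blob layout: salt | nonce | ciphertext+tag.
func Seal(pin string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen) // fresh random salt and nonce; both are stored in the clear
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	gcm, err := gcmForPIN(pin, hdr[:saltLen])
	if err != nil {
		return nil, err
	}
	return gcm.Seal(append([]byte(nil), hdr...), hdr[saltLen:], plaintext, nil), nil
}

// Open reverses Seal. A wrong PIN derives a different key, so the GCM tag check fails.
func Open(pin string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 { // 16: GCM tag
		return nil, fmt.Errorf("blob too short")
	}
	gcm, err := gcmForPIN(pin, blob[:saltLen])
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:], nil)
}

// CheckPINPolicy is a minimum requirement for the user secret: six or more characters, no all-same or straight-run pattern.
func CheckPINPolicy(pin string) error {
	if len(pin) < 6 {
		return fmt.Errorf("PIN must have at least 6 characters")
	}
	same, run := true, true
	for i := 1; i < len(pin); i++ {
		same = same && pin[i] == pin[0]
		run = run && (pin[i] == pin[i-1]+1 || pin[i] == pin[i-1]-1)
	}
	if same || run {
		return fmt.Errorf("PIN is a trivial pattern such as 111111, 123456 or 654321")
	}
	return nil
}

// BruteForceDigits is the offline attack the thread warns about: with the blob in hand, try every numeric PIN; nothing rate-limits it.
func BruteForceDigits(blob []byte, digits int) (pin string, guesses int, found bool) {
	limit := int(math.Pow10(digits))
	for i := 0; i < limit; i++ {
		candidate := fmt.Sprintf("%0*d", digits, i)
		if _, err := Open(candidate, blob); err == nil {
			return candidate, i + 1, true
		}
	}
	return "", limit, false
}

func main() {
	blob, _ := Seal("0359", []byte("constructed sample: session token")) // a weak 4-digit PIN, as the thread warns
	fmt.Println(BruteForceDigits(blob, 4)) // 0359 360 true
}
```

`go run` prints `0359 360 true`: the 4-digit PIN is recovered after 360 guesses with nothing but the file, since the GCM tag check tells the attacker which guess was right. Two consequences for a V2.1/V3.1 design follow from the code rather than the prose: raising the KDF cost only scales the attacker's time linearly, and moving from 4 to 6 digits multiplies it by only 100, so the policy should permit and encourage alphanumeric passphrases; and the salt and nonce stored in the clear are fine because they need freshness, not secrecy. The stronger control, consistent with the Keychain/KeyStore baseline the thread starts from, is to also mix a keystore-bound secret into the key derivation so the stolen file alone cannot be attacked offline.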

muellerberndt commented 7 years ago

Closed together with issue #10.