Closed: zka-nord closed this 2 months ago
Hey @zka-nord, same comment as #38. For this requirement data stored in the app sandbox does not require additional encryption. In order to avoid versioning issues we link to v1.7 of the MASTG for Test Procedures, which was the latest available on github at the time this standard was being developed. Would swapping the link to the latest MASTG make this more clear as it now includes a note:
NOTE: For MASVS L1 compliance, it is sufficient to store data unencrypted in the application's internal storage directory (sandbox).
Hey @gagnonca. Yes, it would be more clear. Still, if I understand correctly, there is a correlation between L1/L2 of App Defense Alliance Mobile Application Specification (ADAMAS) and L1/L2 of MASTG. In this case, L1 is good (no required encryption for sandbox data), but L2 in ADAMAS does not cover sandbox data and L2 in MASTG still does. If this is done intentionally, I would recommend changing (narrowing down) the audit parameter to something like this: "1.1.1.1 The app shall securely store sensitive data in external storage".
Spec has been updated with the suggested language.
The audit part of 1.1.1.1 is defined as:
This is a broad statement about all the data that the app stores. However, the Evidence and Verification parts focus only on external storage, which is just a subset of the main audit item.
Verification
These sections need to be expanded to include local storage as well.