appdefensealliance / ASA-WG


Mobile App Profile 1.1.1.1: Too narrow verification procedure and evidence #33

Closed zka-nord closed 2 months ago

zka-nord commented 3 months ago

The audit part of 1.1.1.1 is defined as:

1.1.1.1 The app shall securely store sensitive data.

This is a broad statement about all the data that the app stores. However, the Evidence and Verification parts focus only on external storage, which is just a subset of the main audit item.

Evidence

L1: Attachment of the Android Manifest. If sensitive data is being written to external storage, provide the name and screenshot from a design document explaining how the data is encrypted.

Verification

L1

The Android Manifest does not declare the use of external storage. Or, if sensitive data is being written to external storage, confirm the crypto implementation meets the baseline crypto requirements by reviewing the relevant screenshot from the design document.

L2

Output of the analysis shows that the app does not write and store unencrypted and sensitive data in external storage. Or, if sensitive data is being written to external storage, verify that the crypto implementation meets the baseline crypto requirements.

These sections need to be expanded to include local storage as well.
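As an added example (not part of this issue thread, the ASA-WG spec or the MASTG), a small helper for the L1 verification step quoted above: it parses an AndroidManifest.xml and lists the declarations that indicate external-storage use, so a reviewer knows whether the encryption evidence needs to be requested at all. The permission names and the `requestLegacyExternalStorage` attribute are real Android identifiers; the sample manifest is constructed.

```python
# Added example, not from the ASA-WG spec or the MASTG: report the manifest
# declarations that imply external-storage use (the L1 verification check).
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that grant access to shared/external storage.
EXTERNAL_STORAGE_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}


def external_storage_declarations(manifest_xml: str) -> list[str]:
    """Return the manifest declarations that indicate external-storage use.

    An empty list means the manifest makes no such declaration, which is the
    case the L1 verification text accepts without further evidence.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(f"{{{ANDROID_NS}}}name", "")
        if name in EXTERNAL_STORAGE_PERMISSIONS:
            # maxSdkVersion limits the permission to older API levels; report it
            # so the reviewer can judge whether the declaration is still live.
            max_sdk = perm.get(f"{{{ANDROID_NS}}}maxSdkVersion")
            suffix = f" (maxSdkVersion={max_sdk})" if max_sdk else ""
            findings.append(f"uses-permission {name}{suffix}")
    app = root.find("application")
    if app is not None and app.get(f"{{{ANDROID_NS}}}requestLegacyExternalStorage") == "true":
        findings.append('application android:requestLegacyExternalStorage="true"')
    return findings


# Constructed sample manifest for illustration; not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
        android:maxSdkVersion="28" />
    <application android:requestLegacyExternalStorage="true" />
</manifest>
"""

if __name__ == "__main__":
    for line in external_storage_declarations(SAMPLE_MANIFEST) or ["no external-storage declarations"]:
        print(line)
```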

gagnonca commented 3 months ago

Hey @zka-nord, same comment as #38. For this requirement data stored in the app sandbox does not require additional encryption. In order to avoid versioning issues we link to v1.7 of the MASTG for Test Procedures, which was the latest available on github at the time this standard was being developed. Would swapping the link to the latest MASTG make this more clear as it now includes a note:

NOTE: For MASVS L1 compliance, it is sufficient to store data unencrypted in the application's internal storage directory (sandbox).

zka-nord commented 3 months ago

Hey @gagnonca. Yes, it would be more clear. Still, if I understand correctly, there is a correlation between L1/L2 of App Defense Alliance Mobile Application Specification (ADAMAS) and L1/L2 of MASTG. In this case, L1 is good (no required encryption for sandbox data), but L2 in ADAMAS does not cover sandbox data and L2 in MASTG still does. If this is done intentionally I would recommend changing (narrowing down) the audit parameter to something like this: 1.1.1.1 The app shall securely store sensitive data in external storage

brooked218 commented 2 months ago

Spec has been updated with suggested language.