appdefensealliance / ASA-WG


Mobile App Profile 2.1.1.1: Too narrow verification procedures #38

Open zka-nord opened 1 week ago

zka-nord commented 1 week ago

Very similar to https://github.com/appdefensealliance/ASA-WG/issues/33: the Verification procedures cover only external storage, when the testing procedure referenced in L2 covers local storage as well.

Test Procedure

L1: Review provided evidence for adherence with requirements.

L2: Follow the testing procedures outlined in MASTG-TEST-00052.

Verification

L1: The app does not use UIDocumentPickerViewController. If sensitive data is being written to external storage, confirm the crypto implementation meets the baseline crypto requirements by reviewing the relevant screenshot from the design document.

L2: Output of the analysis shows that the app does not write and store unencrypted and sensitive data in external storage. If sensitive data is being written to external storage, verify that the crypto implementation meets the baseline crypto requirements.

gagnonca commented 6 days ago

Hey @zka-nord, thank you for taking the time to review the Mobile Profile and provide feedback.

For this requirement, data stored in the app sandbox does not require additional encryption. In order to avoid versioning issues we link to v1.7 of the MASTG for Test Procedures, which was the latest available on GitHub at the time this standard was being developed. Would swapping the link to the latest MASTG for this and 1.1.1.1 (#33) help make this more clear, as it now includes a note:

NOTE: For MASVS L1 compliance, it is sufficient to store data unencrypted in the application's internal storage directory (sandbox).