appdefensealliance / ASA-WG


Mobile Profile 1.4.1: Difference in security expectations between L1 and L2 #74

Closed ifoundthetao closed 1 month ago

ifoundthetao commented 1 month ago

Assurance levels for L1 and L2 should uphold the same level of security expectations. The difference between the levels is in the level of rigor in testing adherence.

1.4.1.1 L1 allows for exceptions on unencrypted connections where a use-case is provided that is reasonable; however, this is lacking for L2. I suggest we bring this carveout to L2 as well.

https://github.com/appdefensealliance/ASA-WG/blob/main/Mobile%20App%20Profile/Mobile%20App%20Test%20Guide.md#verification-9

gagnonca commented 1 month ago

iOS is the same for 2.4.1.1

https://github.com/appdefensealliance/ASA-WG/blob/main/Mobile%20App%20Profile/Mobile%20App%20Test%20Guide.md#2411-network-connections-shall-be-encrypted

ifoundthetao commented 1 month ago

Pull request to remediate issue: https://github.com/appdefensealliance/ASA-WG/pull/75