Assurance levels for L1 and L2 should uphold the same level of security expectations. The difference between the levels is around the level of rigor in testing the adherence.
1.4.1.1 L1 allows for exceptions on unencrypted connections where a use-case is provided that is reasonable; however, this is lacking for L2. I suggest we bring this carveout to L2 as well.
https://github.com/appdefensealliance/ASA-WG/blob/main/Mobile%20App%20Profile/Mobile%20App%20Test%20Guide.md#verification-9