MASVS-NETWORK Refactoring (till 31.12.21) #559
Replies: 9 comments 6 replies
-
I would suggest dropping "/or as close as possible if the mobile
operating system does not support the recommended standards/" that's
kind of MEH for a standard. Don't give old crappy OS's a free pass! =)
- Jim
|
Beta Was this translation helpful? Give feedback.
-
Just wanted to share my thought about old 5.3: The app verifies the X.509 certificate of the remote endpoint when the secure channel is established. Only certificates signed by a trusted CA are accepted. new 5.4: The app verifies the X.509 certificate of the remote endpoint(s) when the secure channel is established. Only certificates signed by a trusted Certificate Authority (CA) that are part of the system storage (or "host platform"?) are accepted. New details look Android-specific. The current wording with fewer details allows abstracting from the platform. As I know, Apple deprecated and removed Objective-C methods that allowed customization of CA certificate checks several years ago. So, iOS is always good with this requirement just because of the system design. Additional details about certificates in the system storage may sound very confusing to iOS developers. Right now such details are mentioned in Android test cases and it seems to be more convenient. I'd suggest leaving 5.3 as-is and highlighting the part about certificates in system storage in Android test cases. |
Beta Was this translation helpful? Give feedback.
-
Consider: #576 tldr: keep it abstract and let the MSTG explain how to test (c.f. https://cwe.mitre.org/data/definitions/295.html) |
Beta Was this translation helpful? Give feedback.
-
Are we sure that we want remove this requirement? I totally understand that it duplicates ASVS 2.5.6, and the plan is to make MASVS more specific to mobile. But hear me out :) From my experience, many mobile applications don't have a solid backend, but rather a bunch of services working together instead (think Firebase and Twilio as SMS provider). Thus, developers never think about their backend as a proper backend -> never use ASVS. On the other hand, account enrollment (aka user registration) is very common feature, available in most in mobile apps. This requirements covers it perfectly and emphasizes on secure user registration (and other account operations). I suggest leaving this requirement without wording change as |
Beta Was this translation helpful? Give feedback.
-
After analyzing all the feedback and giving some more thought to it we are re-releasing the proposal for the new MASVS-NETWORK requirements. This time we include a better visualization as a diff spreadsheet including:
MASVS-NETWORK Refactoring Diff Thank you very much for all the feedback you sent over all different communication channels. Please keep that coming! |
Beta Was this translation helpful? Give feedback.
-
Current proposal (see all details and explanations in the Diff spreadsheed): |
Beta Was this translation helpful? Give feedback.
-
Just wanted to ask, will we have some time to update the translation after the OWASP team comes up with the final version? And also, I think the list of links should be revisited. I see https://cwe.mitre.org/data/definitions/308.html in it that relates to single-factor auth. Its relation to Network requirements may not be straightforward. It may be better to keep the most relevant links there. |
Beta Was this translation helpful? Give feedback.
-
Closed for comments. Thanks everyone for your feedback so far! |
Beta Was this translation helpful? Give feedback.
-
We might need to add a testcase about NOT implementing this yourself. This would be in line with AUTH, where there are different testcases for using a secure protocol and choosing an industry-standard implementation. Not sure under which control to put it yet, but the structure should be consistent between AUTH and NETWORKING (and maybe some others) |
Beta Was this translation helpful? Give feedback.
-
Hello everybody,
as part of the refactoring process we decided to publish our draft of every section of the MASVS that we (@cpholguera @TheDauntless and myself) worked on.
This is based on the MASVS category "V5: Network Communication Requirements" (MASVS Version 1.3) MASVS: https://github.com/OWASP/owasp-masvs/blob/v1.3/Document/0x10-V5-Network_communication_requirements.md
Please let us know your feedback and thoughts on the Network communication requirements. Below you can find the summary of the original version, the refactoring and the proposed new requirements.
Original version
Refactoring
Note:
- Test Case: (1) Setup MITM (2) Verify if HTTP is being used and (3)intercept HTTP(S)
Test Case: (1) Setup MITM (2) Verify if Non-TLS communication is being used and (3) intercept Non-HTTP traffic
- Test Case : Check TLS version, available cipher-suites etc and also (1) Check ATS - iOS (2) Check Network Security configuration - Android (3) Check that DNS over HTTP is activated, Certificate Transparency etc. https://developer.android.com/training/articles/security-config and https://developer.apple.com/documentation/security/preventing_insecure_network_connections;
- Test Case: Test case would be covering different scenarios for malicious CAs and certificates and how the app is handling and trusting them to execute a MITM attack (e.g. checks in TrustManager in Android might be overwritten)
MSTG-CODE-5
: All third party components used by the mobile app, such as libraries and frameworks, are identified, and checked for known vulnerabilities.Proposal
Note:
Mapping between MASVS v1.3 to MASVS v2.0:
Beta Was this translation helpful? Give feedback.
All reactions