MASVS v2.0.0 Release Candidate (RC) #679
Replies: 2 comments 1 reply
Hi @cpholguera, sorry for the late comment. But it seems it is the last available day for this ;) I have just realized that MSTG-STORAGE-12 has been removed completely. I understand that App Privacy (data sharing) aspect will be addressed. But what about IMHO, this topic deserves a dedicated category since the users' mistakes, or rather their exploits via phishing and social engineering, are the weakest chain in the app cybersecurity link today.
Closed for comments. Thanks everyone and if you have any questions please feel free to reach out anytime.
With the MASVS refactoring we set a couple of goals:
The new release candidate brings a lot of news for the MASVS. In this post we present the work we've done for the MASVS Release Candidate (MASVS v2.0.0 RC), what has changed in comparison to the MASVS Refactoring Beta Proposal (MASVS v2.0.0 beta), and the next steps of the MAS project.
About the MASVS Release Candidate
A lot has changed in the MASVS since we started with the refactoring back in July 2021 and finished collecting feedback in September 2022. To produce this new iteration of the MASVS refactoring we have done the following:
Apart from being extremely insightful, this exercise has allowed us to provide you with an even cleaner version of the MASVS, which is designed to remain a timeless baseline for mobile app security and leave the heavy lifting to the MASTG, which will become more dynamic and allow for more specific and flexible testing.
Check our latest talks in the MAS website for more details: https://mas.owasp.org/talks/
Why are there no levels in the new MASVS RC controls? Introducing Profiles:
The Levels you already know (L1, L2 and R) will be fully reviewed and backed up with a corrected and well-documented threat model.
Enter MAS Profiles: we move the levels to the MASTG tests so that for the same control we can evaluate different situations (e.g. in STORAGE-1 it's OK to use internal storage for L1, but L2 needs more). This might result in different tests according to the required profile.
Transition time: before releasing the final MASVS v2.0.0 we'll try to map all the newly proposed test cases to the new profiles (at least L1 and L2). That way, even if the MASTG refactoring is not complete, you will know what you should test for, and you'll be able to find most of the tests already in the MASTG (at least in its current format).
Changelog
These notes reflect the changes made to the MASVS Refactoring Beta Proposal (MASVS v2.0.0 beta) to turn it into the MASVS Release Candidate (MASVS v2.0.0 RC) after addressing all comments, requested changes and concerns.
MASVS-ARCH
No changes.
MASVS-STORAGE
MASVS-CRYPTO
MASVS-AUTH
No changes.
MASVS-NETWORK
MASVS-PLATFORM
MASVS-CODE
MASVS-RESILIENCE
MASVS-RESILIENCE will introduce four strategies on how to apply these controls:
Summary of MASVS v1.4.2 Removed Controls
MSTG-STORAGE-10
This should be part of the Architecture and Design phase of the app and is mitigated by following proper secure coding design.
In addition to that, it requires a rooted/jailbroken device, and if that's the case, the data can already be extracted from memory when/if it becomes available there.
MSTG-STORAGE-12
Removed since the assumption is that following the rest of the MASVS should be enough to cover all baseline privacy concerns. For more, please check the MASTG chapter on privacy.
MSTG-STORAGE-13
This should be part of the Architecture and Design phase of the app and is mitigated by following proper secure coding design.
The app developers might decide to:
A) Exclusively retrieve data from a remote endpoint and keep it only in the app's volatile memory.
B) Store sensitive data only locally, encrypted, and never in a remote endpoint.
C) Use a hybrid approach (most common).
Regardless of the option, MASVS-STORAGE protects local data at rest that is stored on the mobile device.
MSTG-STORAGE-15
Removed because it's considered covered by MASVS-STORAGE-1 (RC): we consider that properly encrypting data means that even if it's not deleted on uninstall or after excessive authentication failures, it will still be safe.
MSTG-AUTH-2
Removed because this is clearly a task to be fulfilled by the remote endpoint and cannot be properly tested from the app side (the remote endpoint must enforce it).
The app side could be considered covered by MASVS-AUTH-1 (RC).
MSTG-AUTH-5
Removed because this is clearly a task to be fulfilled by the remote endpoint and cannot be properly tested from the app side (the remote endpoint must enforce it).
The app side could be considered covered by MASVS-AUTH-1 (RC).
MSTG-AUTH-6
Removed because this is clearly a task to be fulfilled by the remote endpoint and cannot be properly tested from the app side (the remote endpoint must enforce it).
MSTG-AUTH-7
Removed because this is clearly a task to be fulfilled by the remote endpoint and cannot be properly tested from the app side (the remote endpoint must enforce it).
The app side could be considered covered by MASVS-AUTH-3 (RC).
MSTG-AUTH-11
Removed because this is clearly a task to be fulfilled by the remote endpoint and cannot be properly tested from the app side (the remote endpoint must enforce it).
MSTG-NETWORK-5
Removed because this is clearly a task to be fulfilled by the remote endpoint and cannot be properly tested from the app side (the remote endpoint must enforce it). It's covered in ASVS 2.5.6.
MSTG-CODE-6
This should be part of the Architecture and Design phase of the app and is mitigated by following proper secure coding design.
MSTG-CODE-7
This should be part of the Architecture and Design phase of the app and is mitigated by following proper secure coding design.
MSTG-RESILIENCE-7
This can be applied not only to techniques meant to detect dynamic analysis and tampering but also to those meant to impede comprehension. Therefore, it's covered now as a strategy that will be explained in the MASTG.
Next Steps
~ Carlos Holguera, Sven Schleier and Jeroen Beckers, the OWASP MAS Team ~