Comments (6)
sushi2k
commented on August 21, 2024
When I was adding this requirement to the MASVS I was only thinking about syncing data on the OS level, meaning backups to the Google/iOS cloud and I still think that this should be a test case on it's own.
We could simply add one work to the requirement to make it more clear:
2.3 No sensitive data is synced with platform cloud storage.
I would not extend this test case to all other kind of clouds, as they are needed by the App to work properly and it's also more secure to store sensitive data in the cloud as on the local device. Also checking the communication for sensitive data for 3rd parties, through usage of libraries is also covered in:
2.4 No sensitive data is sent to third parties.
If you guys agree, I would also not change the test case in the MSTG.
I will have a detailed look in Issue 75 latest next week. Thanks
from owasp-mastg.
muellerberndt
commented on August 21, 2024
As far as I can see in the test case this only pertains to backup to cloud storage (through platform mechanisms). Isn't this then already covered by 2.9 - "No sensitive data is included in backups"? The test case also appears to check only for the allowBackup="true" attribute?
from owasp-mastg.
sushi2k
commented on August 21, 2024
You are right. I will merge this. Makes no sense to have two separate test cases for this.
from owasp-mastg.
muellerberndt
commented on August 21, 2024
Alright, so we only need the "backup" requirement then? So I'll remove this entirely from the MASVS.
from owasp-mastg.
sushi2k
commented on August 21, 2024
Ok
from owasp-mastg.
sushi2k
commented on August 21, 2024
Will update the MSTG test cases soon so they are aligned with MASVS. Will close this now.
from owasp-mastg.
Related Issues (20)
- [TOOL] Corellium
- [TOOL] APKEnum HOT 1
- [TOOL] patch-apk HOT 2
- [TOOL] Android-CertKiller
- [TOOL] AndroBugs_Framework
- [TOOL] Quark
- [TOOL] reFlutter HOT 2
- [TOOL] Frida Codeshare HOT 1
- [TOOL] General cleanup HOT 2
- [TOOL] Checksec
- Add Android Demo APKs GitHub Action
- 💲🎉 New Donation
- Update MAS Adoption section for ADA
- [Tool] Add Binwalk
- Add missing reference to bytecode viewer and add missing tool files
- New Dart calling convention
- [TOOL] NoPE Proxy HOT 2
- News aren't displayed properly
- [MASTG-TOOL-0110] Add semgrep to tools
- Add Additional CWE mappings to MASWE HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from owasp-mastg.