Skip to content

Milestones

List view

  • - If the app provides users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. - If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials. - If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm. - The remote endpoint terminates the existing session when the user logs out. - A password policy exists and is enforced at the remote endpoint. - The remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times. - Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire.

    No due date
  • ## What are the requirements proposed? - [ ] Implement secure storage mechanisms (_e.g._ [KeyStore](https://developer.android.com/training/articles/keystore)) - [ ] No PII is stored outside of the application's container. - [ ] Sensitive data is not exposed to any external processes (logs, external storage, SD-card, IPC, etc.). [MSTG-Storage-3](https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05d-testing-data-storage#testing-logs-for-sensitive-data-mstg-storage-3), [4](https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05d-testing-data-storage#determining-whether-sensitive-data-is-sent-to-third-parties-mstg-storage-4), [6](https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05d-testing-data-storage#determining-whether-sensitive-stored-data-has-been-exposed-via-ipc-mechanisms-mstg-storage-6) - [ ] Keyboard Cache disabled for sensitive data. [MSTG-Storage-5](https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05d-testing-data-storage#determining-whether-the-keyboard-cache-is-disabled-for-text-input-fields-mstg-storage-5) - [ ] Sensitive data should not be exposed to the user without validation (CC, user profile, etc.). Passwords, pins, and tokens should in no way be present on the interface. [MSTG-Storage-7](https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05d-testing-data-storage#checking-for-sensitive-data-disclosure-through-the-user-interface-mstg-storage-7) ## What does threat does these requirements tackle? Exposure of sensitive data to malicious applications and actors that could have access to the phone. ## What are the references being used for these requirements? [MASVS V2: Data Storage and Privacy Requirements](https://github.com/OWASP/owasp-masvs/blob/master/Document/0x07-V2-Data_Storage_and_Privacy_requirements.md) General [Android Data Security](https://developer.android.com/topic/security/data) General [Data Storage Guidance](https://developer.android.com/training/data-storage) in classes.

    No due date