| A | B | C | D | E | F | G | H | I | K | L | M | N | O | P | ||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 |  | MASVS-PLATFORM +2 -9 ■■■■■■ | CLOSED FOR COMMENTS | Open Help | ||||||||||||
2 | # | MASVS-ID | Control | L1 | L2 | Status | Reasoning & New Focus | Test Cases | Related Standards | |||||||
3 | ||||||||||||||||
4 | 6.1 | MSTG-PLATFORM-1 | - | The app only requests the minimum set of permissions necessary. | x | x | Test | The goal of the refactor is to focus on vulnerabilities, and this is not one of them per-se. Especially with the current permission model where dangerous permissions have to be granted at runtime, the user can explicitly choose/deny what they want. The main idea is that, with many permissions, ad SDKs could abuse the obtained permissions to collect additional info. However, even without this requirement, the ad SDK would still do that. However, this might be part of a more complex attack, e.g. considering premission re-delegation. Therefore we'll keep the test cases but have them as part of the IPC control (MASVS-PLATFORM-1). | Current MSTG Test Cases: https://mobile-security.gitbook.io/mobile-security-testing-guide/?q=MSTG-PLATFORM-1 | |||||||
5 | The app only requests the minimum set of permissions necessary. | x | x | Test | 🎯 This requirement is about App Permissions. App permissions protect access to restricted data, resources and actions and must be responsibly configured. | Example Tests (non-exhaustive list): (moved to IPC) (and more, feel free to suggest ideas) | CWE: CWE-250, CWE-266, CWE-276, CWE-359 BSI: O.Plat_2, O.Plat_3, O.Plat_6 NIAP: FDP_DEC_EXT.1 ioXt: SD113 ASVS: N/A | |||||||||
6 | ||||||||||||||||
7 | ||||||||||||||||
8 | 6.2 | MSTG-PLATFORM-2 | - | All inputs from external sources and the user are validated and if necessary sanitized. This includes data received via the UI, IPC mechanisms such as intents, custom URLs, and network sources. | x | x | Moved | Covered by MASVS-PLATFORM-1 (IPC, URL schemes) and MASVS-PLATFORM-4 (UI). Since this is not an issue exclusive to PLATFORM or NETWORK. We'll probably include an MASVS-CODE control covering for validation of inputs from untrusted sources. | Current MSTG Test Cases: https://mobile-security.gitbook.io/mobile-security-testing-guide/?q=MSTG-PLATFORM-2 | |||||||
9 | Moved | |||||||||||||||
10 | ||||||||||||||||
11 | ||||||||||||||||
12 | 6.3 | MSTG-PLATFORM-3 | - | The app does not export sensitive functionality via custom URL schemes, unless these mechanisms are properly protected. | x | x | Moved | Covered now by MASVS-PLATFORM-1 | Current MSTG Test Cases: https://mobile-security.gitbook.io/mobile-security-testing-guide/?q=MSTG-PLATFORM-3 | |||||||
13 | Moved | |||||||||||||||
14 | ||||||||||||||||
15 | ||||||||||||||||
16 | 6.4 | MSTG-PLATFORM-4 MSTG-PLATFORM-3* MSTG-STORAGE-6* | - | The app does not export sensitive functionality through IPC facilities, unless these mechanisms are properly protected. | x | x | Reworded | This will be a test in MASVS-PLATFORM-4 (previously MSTG-PLATFORM-12), which is about data privacy. | Current MSTG Test Cases: https://mobile-security.gitbook.io/mobile-security-testing-guide/?q=MSTG-PLATFORM-4 | |||||||
17 | 6.1 | MASVS-PLATFORM-1 | + | No sensitive data is exposed via unprotected IPC mechanisms. The app exposes sensitive data and/or functionality via secure IPC mechanisms. | x | x | Reworded | 🎯 This requirement is about IPC. This covers all possible IPC methods (URL-to-app, app-to-app, in-app-groups, OS-to-app), including those which are not "official" IPC methods but are incorrectly used as IPC methods. | Example Tests (non-exhaustive list): - Check for OS version enforcement (guaranteeing minimum security) - Check for URL Custom Schemes - Check for Deep Links (AppLinks/Universal) - Check for URL handling (validation) - Check for URI/File Data Sharing (content URIs, File Coordinator) - Check for IPC bad practices vs authenticated platform IPC - Check for iOS Application Components (UIActivity, App Extensions, Watch) - Check for Android Application Components (Intents, Broadcasts, Services, Content Providers) - keywords: exported, intent filters, custom component permissions, explicit/implicit, pending intents, inputs from untrusted sources - Check App Permissions - Check for OS version enforcement (guaranteeing minimum security) - Check for minimum permissions - Check for permission re-delegation - Check for permissions being directly related to the core use case - Check for usage of privacy-friendly alternatives (File picker, coarse location, etc.) - Check if runtime permissions are only requested in context - when the functionality is requested, rather than upfront during app startup (Security/Privacy) Note: add more for the "outgoing" part of IPC (and more, feel free to suggest ideas) | CWE: CWE-20, CWE-200, CWE-749, CWE-925, CWE-926, CWE-927, CWE-939 BSI: O.Plat_5, O.Plat_7, O.Plat_8, O.Plat_9 NIAP: N/A ioXt: SI111 ASVS: N/A | ||||||
18 | ||||||||||||||||
19 | ||||||||||||||||
20 | 6.5 | MSTG-PLATFORM-5 MSTG-PLATFORM-6* MSTG-PLATFORM-7* MSTG-PLATFORM-10* | - | JavaScript is disabled in WebViews unless explicitly required. | x | x | Test | This is covered now by MASVS-PLATFORM-2. | Current MSTG Test Cases: https://mobile-security.gitbook.io/mobile-security-testing-guide/?q=MSTG-PLATFORM-5 https://mobile-security.gitbook.io/mobile-security-testing-guide/?q=MSTG-PLATFORM-6 https://mobile-security.gitbook.io/mobile-security-testing-guide/?q=MSTG-PLATFORM-7 https://mobile-security.gitbook.io/mobile-security-testing-guide/?q=MSTG-PLATFORM-10 | |||||||
21 | 6.2 | MASVS-PLATFORM-2 | + | WebViews are configured securely and prevent sensitive functionality exposure. WebViews are configured securely and prevent sensitive data and/or functionality exposure. | x | x | New | 🎯 This requirement is about WebViews. WebViews must be configured securely to prevent sensitive data leakage as well as sensitive functionality exposure (e.g. via JavaScript Bridges to native code). | Example Tests (non-exhaustive list): - Check for OS version enforcement (guaranteeing minimum security) - Check for JavaScript Enabled - Check for JavaScript Bridges - Check for insufficient URL validation - Check for JavaScript from untrusted sources (relates to MASVS-CODE-6) - Check for Loading Content from untrusted Sources (restrict navigation, use SafeBrowsing) - Check for Preventing access to local content / resources (restrict content access, handlers e.g. file:// vs content://) - Check for WebView Secure Communication (TLS, mixed content, insecure handlers) - Check for Clear / Wipe WebView Sensitive data (relates to MASVS-STORAGE-4) (and more, feel free to suggest ideas) | CWE: CWE-20, CWE-200, CWE-749 BSI: O.Plat_10, O.Plat_12, O.Plat_13, O.Plat_14 NIAP: N/A ioXt: N/A ASVS: N/A | ||||||
22 | ||||||||||||||||
23 | ||||||||||||||||
24 | 6.6 | MSTG-PLATFORM-6 | - | WebViews are configured to allow only the minimum set of protocol handlers required (ideally, only https is supported). Potentially dangerous handlers, such as file, tel and app-id, are disabled. | x | x | Test | This is covered now by MASVS-PLATFORM-2. | ||||||||
25 | ||||||||||||||||
26 | ||||||||||||||||
27 | ||||||||||||||||
28 | 6.7 | MSTG-PLATFORM-7 | - | If native methods of the app are exposed to a WebView, verify that the WebView only renders JavaScript contained within the app package. | x | x | Test | This is covered now by MASVS-PLATFORM-2. | ||||||||
29 | ||||||||||||||||
30 | ||||||||||||||||
31 | ||||||||||||||||
32 | 6.8 | MSTG-PLATFORM-8 | - | Object deserialization, if any, is implemented using safe serialization APIs. | x | Moved | This should be part of MASVS-CODE. | |||||||||
33 | ||||||||||||||||
34 | ||||||||||||||||
35 | ||||||||||||||||
36 | 6.9 | MSTG-PLATFORM-9 MSTG-PLATFORM-11* MSTG-STORAGE-5* MSTG-STORAGE-7* MSTG-STORAGE-9* | - | The app protects itself against screen overlay attacks. (Android only) | x | Test | This is covered now as a test in MASVS-PLATFORM-4. | Current MSTG Test Cases: https://mobile-security.gitbook.io/mobile-security-testing-guide/?q=MSTG-PLATFORM-9 | ||||||||
37 | 6.4 | MASVS-PLATFORM-4 | + | No sensitive data is unnecessarily exposed nor can be intercepted via the user interface. | x | x | 🎯 This requirement is about the User Interface. Addresses sensitive data interception/leakage via 3rd party keyboards, notifications, screenshots, clipboard, screen overlay attack, among others. Note: this control is very context dependent since many apps will display sensitive data by design. The MASTG will take care of explaining this and specifying different criteria for e.g. L1 and L2 apps. | Example Tests (non-exhaustive list): - Check for OS version enforcement (guaranteeing minimum security) - Check for secure Text Input handling (secureText, copy/paste disabled, auto-correct, etc.) - Check tapjacking/screen overlay - Check for third party keyboards being disabled - Check notifications - relates to MASVS-STORAGE-2, e.g. stealing pending intents from notifications via notificationlistenerservice or tapjacking wire transfer UI. Move to new STORAGE-2 (leakage): - Check screenshorts (prevention & delete when backgrounding) (and more, feel free to suggest ideas) | CWE: CWE-20, CWE-200, CWE-359 BSI: O.Data_13, O.Plat_4, O.Plat_11, O.Source_3, O.Data_9, O.Data_10, O.Data_12 NIAP: N/A ioXt: SD112 ASVS: N/A | |||||||
38 | ||||||||||||||||
39 | ||||||||||||||||
40 | 6.10 | MSTG-PLATFORM-10 | - | A WebView's cache, storage, and loaded resources (JavaScript, etc.) should be cleared before the WebView is destroyed. | x | Test | This is covered now by MASVS-PLATFORM-2. | Current MSTG Test Cases: https://mobile-security.gitbook.io/mobile-security-testing-guide/?q=MSTG-PLATFORM-10 | ||||||||
41 | Merged | |||||||||||||||
42 | ||||||||||||||||
43 | ||||||||||||||||
44 | 6.11 | MSTG-PLATFORM-11 | - | Verify that the app prevents usage of custom third-party keyboards whenever sensitive data is entered (iOS only). | x | Test | This is covered now as a test in MASVS-PLATFORM-4. | Current MSTG Test Cases: https://mobile-security.gitbook.io/mobile-security-testing-guide/?q=MSTG-PLATFORM-11 | ||||||||
45 | x | Test | ||||||||||||||
46 | ||||||||||||||||
47 | ||||||||||||||||
48 | 2.8 | MSTG-STORAGE-8 | - | No sensitive data is included in backups generated by the mobile operating system. | x | Moved Reworded | We're now using the term "platform" (referring to Android and iOS operating systems) consistently, therefore we changed here "backups generated by the mobile operating system" to "platform backups" | Current MSTG Test Cases: https://mobile-security.gitbook.io/mobile-security-testing-guide/?q=MSTG-STORAGE-8 | ||||||||
49 | 6.3 | MASVS-PLATFORM-3 | + | No sensitive data is included in platform backups. | x | Moved Reworded | 🎯 This requirement is about platform Backups. The app prevents sensitive data from ending up in a backup. Apps can also craft their own backups but that's covered by MASVS-STORAGE-1, there will be an specific test for that "Check for app-crafted backups" | Example Tests (non-exhaustive list): - Check for OS version enforcement (guaranteeing minimum security) - Check for backup prevention (android:allowBackup=false) - Check for exclusion rules - Check for backup device conditions (Android) - Check for custom backup agent (Android) - Check for sensitive data in final backups - Check for file operations that reset backup exclusion, don't rely on isExcludedFromBackup (iOS) (and more, feel free to suggest ideas) | CWE: CWE-359, CWE-530 (?) BSI: O.Arch_5 NIAP: N/A ioXt: N/A ASVS: N/A | |||||||
50 | ||||||||||||||||
51 | ||||||||||||||||
52 | ||||||||||||||||
53 | ||||||||||||||||
54 | ||||||||||||||||
55 | ||||||||||||||||
56 | ||||||||||||||||
57 | ||||||||||||||||
58 | ||||||||||||||||
59 | ||||||||||||||||
60 | ||||||||||||||||
61 | ||||||||||||||||
62 | ||||||||||||||||
63 | ||||||||||||||||
64 | ||||||||||||||||
65 | ||||||||||||||||
66 | ||||||||||||||||
67 | ||||||||||||||||
68 | ||||||||||||||||
69 | ||||||||||||||||
70 | ||||||||||||||||
71 | ||||||||||||||||
72 | ||||||||||||||||
73 | ||||||||||||||||
74 | ||||||||||||||||
75 | ||||||||||||||||
76 | ||||||||||||||||
77 | ||||||||||||||||
78 | ||||||||||||||||
79 | ||||||||||||||||
80 | ||||||||||||||||
81 | ||||||||||||||||
82 | ||||||||||||||||
83 | ||||||||||||||||
84 | ||||||||||||||||
85 | ||||||||||||||||
86 | ||||||||||||||||
87 | ||||||||||||||||
88 | ||||||||||||||||
89 | ||||||||||||||||
90 | ||||||||||||||||
91 | ||||||||||||||||
92 | ||||||||||||||||
93 | ||||||||||||||||
94 | ||||||||||||||||
95 | ||||||||||||||||
96 | ||||||||||||||||
97 | ||||||||||||||||
98 | ||||||||||||||||
99 | ||||||||||||||||
100 | ||||||||||||||||