MASVS-CRYPTO v2.0.0 RC

| MASVS-ID | Control | Description | MASVS v1.4.2 Coverage |
|---|---|---|---|
| MASVS-CRYPTO-1 | The app employs current strong cryptography and uses it according to industry best practices. | Cryptography plays an especially important role in securing the user's data, even more so in a mobile environment, where an attacker having physical access to the user's device is a likely scenario. This control covers general cryptography best practices, which are typically defined in external standards. | MSTG-CODE-1, MSTG-CRYPTO-1, MSTG-CRYPTO-2, MSTG-CRYPTO-3, MSTG-CRYPTO-4, MSTG-CRYPTO-6 |
| MASVS-CRYPTO-2 | The app performs key management according to industry best practices. | Even the strongest cryptography is compromised by poor key management. This control covers the management of cryptographic keys throughout their lifecycle, including key generation, storage and protection. | MSTG-CRYPTO-1, MSTG-CRYPTO-5, MSTG-RESILIENCE-10, MSTG-STORAGE-1 |

Proposed test cases for MASVS-CRYPTO-1 (subject to change, open for feedback):

- Check for weak or broken cryptography
- Check for algorithms that are widely considered deprecated
- Check for use of proprietary or non-standard cryptography (not recommended)
- Check for third-party crypto implementations
- Check for insecure use of a SecurityProvider
- Check for general industry bad crypto practices (key management specifically is covered in MASVS-CRYPTO-2)
- Check for insecure Random usage
- Check for hardcoded keys being used
- Check for platform-specific bad crypto practices
- Check if the app uses the latest available signing scheme

Proposed test cases for MASVS-CRYPTO-2 (subject to change, open for feedback):

- Check for weak key generation
- Check for weak key derivation
- Check for lack of key rotation
- Check for key reuse
- Check key usage (algorithm and purpose the key is used for)
- Check for key protection in transport
- Check for key protection at rest
- Check for hardcoded keys
- Check for keys in the platform keystore
- Check for older KeyStore implementations
- Check for keys encrypted with a key from the platform keystore
- Check for imported keys
- Check for exported keys
- Check key exclusion from backup
- Check key eligibility for restoration to a new device (device binding)
- Check for remote KMS usage
- Check whether keys are hardware-backed (TEE) or StrongBox/SE-backed
- Check for keys generated and kept in the iOS SE or Android TEE
- Check for key attestation
- Check if the key is accessible from a background process
- Check key availability relative to the lock state of the device and its temporal validity interval
- Check if the key demands user presence or an application-specific password
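Several of the MASVS-CRYPTO-1 and MASVS-CRYPTO-2 test cases above (broken or deprecated algorithms, ECB mode, insecure Random, hardcoded keys, weak key derivation, and the Android Keystore properties for user presence, lock state, StrongBox and attestation) can be triaged with a line-level static check before manual review. The following is an added example written for this page, not MASVS or MASTG tooling: the rule names, the PBKDF2 iteration threshold, and the two Android source snippets are constructed assumptions used to illustrate the checks, and the ruleset is deliberately small rather than exhaustive. The rule for bare `Cipher.getInstance("AES")` relies on the Android provider default resolving to AES/ECB/PKCS5Padding.

```python
"""Added example for the MASVS-CRYPTO-1 / -2 test cases above: a small static
check run over constructed Android (Java/Kotlin) source snippets.  Illustrative
code written for this page, not MASVS/MASTG tooling; rule ids, the iteration
threshold and the sample snippets are assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumed minimum: a PBKDF2 iteration count below this is reported as weak.
MIN_PBKDF2_ITERATIONS = 100_000


@dataclass(frozen=True)
class Finding:
    control: str  # MASVS control the check belongs to
    rule: str     # short rule id (names are this example's own)
    line: int     # 1-based line in the scanned snippet
    excerpt: str  # offending source line, stripped


# Line-level rules: (control, rule, regex, optional predicate on the match).
_LINE_RULES = [
    # MASVS-CRYPTO-1: broken or deprecated primitives requested by name
    ("MASVS-CRYPTO-1", "broken-or-deprecated-algorithm",
     re.compile(r'getInstance\(\s*"(?:DES|DESede|RC4|ARCFOUR|RC2|MD5|MD2|SHA-?1|SHA1with\w+|MD5with\w+)\b'),
     None),
    # MASVS-CRYPTO-1: explicit ECB, or bare "AES" (Android provider default is AES/ECB/PKCS5Padding)
    ("MASVS-CRYPTO-1", "ecb-mode",
     re.compile(r'getInstance\(\s*"(?:[A-Za-z0-9]+/ECB/|AES"\s*\))'), None),
    # MASVS-CRYPTO-1: non-cryptographic RNG where SecureRandom is expected
    ("MASVS-CRYPTO-1", "insecure-random",
     re.compile(r'\bnew\s+(?:java\.util\.)?Random\s*\(|\bMath\.random\s*\('), None),
    # MASVS-CRYPTO-2: key material embedded as a string or byte-array literal
    ("MASVS-CRYPTO-2", "hardcoded-key",
     re.compile(r'SecretKeySpec\(\s*(?:"[^"]*"\.(?:getBytes|toByteArray)|new\s+byte\s*\[\s*\]\s*\{)'), None),
    # MASVS-CRYPTO-2: PBKDF2 iteration count below the assumed minimum
    ("MASVS-CRYPTO-2", "weak-key-derivation",
     re.compile(r'PBEKeySpec\([^,]+,[^,]+,\s*(\d+)'),
     lambda m: int(m.group(1)) < MIN_PBKDF2_ITERATIONS),
]

# KeyGenParameterSpec.Builder setters that back the CRYPTO-2 checks for user
# presence, lock state, StrongBox backing and key attestation.
_KEYSTORE_SETTERS = {
    "setUserAuthenticationRequired": re.compile(r'setUserAuthenticationRequired\(\s*true\s*\)'),
    "setUnlockedDeviceRequired": re.compile(r'setUnlockedDeviceRequired\(\s*true\s*\)'),
    "setIsStrongBoxBacked": re.compile(r'setIsStrongBoxBacked\(\s*true\s*\)'),
    "setAttestationChallenge": re.compile(r'setAttestationChallenge\('),
}


def scan(src: str) -> list[Finding]:
    """Return findings for one source snippet, ordered by line then rule."""
    findings: list[Finding] = []
    lines = src.splitlines()
    for no, text in enumerate(lines, start=1):
        for control, rule, rx, pred in _LINE_RULES:
            m = rx.search(text)
            if m and (pred is None or pred(m)):
                findings.append(Finding(control, rule, no, text.strip()))
    # Builder-level check: report every hardening setter the builder chain never sets.
    builder = next((no for no, t in enumerate(lines, start=1)
                    if "KeyGenParameterSpec.Builder(" in t), None)
    if builder is not None:
        for name, rx in _KEYSTORE_SETTERS.items():
            if not rx.search(src):
                findings.append(Finding("MASVS-CRYPTO-2", f"keystore-missing-{name}",
                                        builder, lines[builder - 1].strip()))
    return sorted(findings, key=lambda f: (f.line, f.rule))


# Constructed sample: a "before" snippet carrying several of the listed problems.
VULNERABLE_SRC = """\
Cipher cipher = Cipher.getInstance("AES");
SecretKeySpec key = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
byte[] iv = new byte[16];
new Random().nextBytes(iv);
MessageDigest md = MessageDigest.getInstance("MD5");
PBEKeySpec spec = new PBEKeySpec(password, salt, 1000, 256);
KeyGenParameterSpec.Builder b = new KeyGenParameterSpec.Builder("k", KeyProperties.PURPOSE_ENCRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM);
"""

# Constructed sample: the same logic written so that every rule above passes.
HARDENED_SRC = """\
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
byte[] iv = new byte[12];
new SecureRandom().nextBytes(iv);
MessageDigest md = MessageDigest.getInstance("SHA-256");
PBEKeySpec spec = new PBEKeySpec(password, salt, 310000, 256);
KeyGenParameterSpec.Builder b = new KeyGenParameterSpec.Builder("k", KeyProperties.PURPOSE_ENCRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)
        .setUnlockedDeviceRequired(true)
        .setIsStrongBoxBacked(true)
        .setAttestationChallenge(challenge);
"""

if __name__ == "__main__":
    for f in scan(VULNERABLE_SRC):
        print(f"{f.control} {f.rule} (line {f.line}): {f.excerpt}")
    print("hardened findings:", scan(HARDENED_SRC))
```

A hit from this scanner is a lead for the manual test case, not a verdict: SHA-1 is flagged because the signature and certificate uses are deprecated even though HMAC-SHA1 is not broken, and a missing `setIsStrongBoxBacked(true)` is only a finding where the target device population actually ships StrongBox. The builder check also reports on the whole snippet, so a setter applied in another method would need a data-flow aware tool to see.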