Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

V2.5 - Verify that the clipboard is deactivated on text fields that may contain sensitive data. #106

Closed
fevertree opened this issue Jul 12, 2017 · 5 comments

Comments

@fevertree
Copy link

commented Jul 12, 2017

As long as applications allow users to authenticate via password, users should be allowed to paste in passwords from clipboard. Unique passwords for each and every service that a person uses is considered to be an industry standard recommendation. By not allowing a user to paste in their password, the MASVS goes against this practice.

@Sjord

This comment has been minimized.

Copy link
Contributor

commented Jul 12, 2017

The attack vector here is that all apps on the phone can read the clipboard (article, PoC). I think disallowing paste on passwords inputs is not a solution to this. Users only notice this when they try to paste, when they already have copied the password to the clipboard. Also, I think this could be a consideration for the user between convenience and security: whether he uses the same password for everything, uses a password manager with copy-paste, or memorizes 50 passwords of the top of his head.

@sushi2k

This comment has been minimized.

Copy link
Collaborator

commented Jul 12, 2017

Agree with both of you. Disallowing this in a password field will make the user not happy and when he copies a password, credit card number etc and finds out that he is not allowed to paste it in it's already to late.
As always it's a balance between security and convenience for the user.
Due to the fact that the clipboard is accessible systemwide on Android and iOS, it's definitely an attack vector, especially for malware on Android. The MASVS should not be seen as a list that you need to implement but a consistent and mature list that gives you requirements that might be applicable to your app. If you implement them or not is your decision and there might always be good reasons for both, it should just be documented and agreed by all involved parties (business, developers etc).

@fevertree

This comment has been minimized.

Copy link
Author

commented Jul 12, 2017

The attack vector of other applications being able to read the clipboard hadn't occurred to me, and is indeed a serious concern for the user. As a security tester one of my recommendations here would be to to at least supplement the password authentication some sort of MFA.

@sushi2k

This comment has been minimized.

Copy link
Collaborator

commented Jul 12, 2017

The requirement is addressing sensitive data in general. So can be of course the password, but also credit card data, username or other PII.

2FA is available in another requirement:

4.9 - A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced.

@fevertree

This comment has been minimized.

Copy link
Author

commented Jul 13, 2017

Sounds good. Closing the issue!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.