As long as applications allow users to authenticate via password, users should be allowed to paste in passwords from clipboard. Unique passwords for each and every service that a person uses is considered to be an industry standard recommendation. By not allowing a user to paste in their password, the MASVS goes against this practice.
The text was updated successfully, but these errors were encountered:
The attack vector here is that all apps on the phone can read the clipboard (article, PoC). I think disallowing paste on passwords inputs is not a solution to this. Users only notice this when they try to paste, when they already have copied the password to the clipboard. Also, I think this could be a consideration for the user between convenience and security: whether he uses the same password for everything, uses a password manager with copy-paste, or memorizes 50 passwords of the top of his head.
Agree with both of you. Disallowing this in a password field will make the user not happy and when he copies a password, credit card number etc and finds out that he is not allowed to paste it in it's already to late.
As always it's a balance between security and convenience for the user.
Due to the fact that the clipboard is accessible systemwide on Android and iOS, it's definitely an attack vector, especially for malware on Android. The MASVS should not be seen as a list that you need to implement but a consistent and mature list that gives you requirements that might be applicable to your app. If you implement them or not is your decision and there might always be good reasons for both, it should just be documented and agreed by all involved parties (business, developers etc).
The attack vector of other applications being able to read the clipboard hadn't occurred to me, and is indeed a serious concern for the user. As a security tester one of my recommendations here would be to to at least supplement the password authentication some sort of MFA.