Security classification

The Security classification section lists and describes the Netguru security levels, along with the assets assigned to them. These descriptions and assignments were prepared to categorize applications according to the risk related to the data they process and the way it is processed.

The purpose of the classification

Security classification is based on the risk analysis and risk assessment of the project. The main purpose of this process is to select the correct security level based on the risk resulting from the assets being used. The classification and the selected level are crucial in the security requirements selection process.

Levels

This section describes all security levels used by Netguru in Security classification. Each level consists of three parts:

  • General description
  • Questions
  • Example apps

The general description provides only basic information about a level, whereas the questions and popular examples may help the reviewer visualise its range.

Level 0

Level 0 describes only simple, offline applications that do not require any input related directly to users. Applications at this level very often perform only simple, closed tasks (clock, alarm), or interpret some values or present hardcoded values and behaviours (RxMarbles, libraries for developers).

Questions

  • Does the application work offline?
  • Does the application process only generic data (not related to user behavior)?
  • Does the application require any kind of authorization or other input data related to the user?

Example apps

Calculator, simple games like 2048, Clock, Alarm, RxMarbles, libraries for developers, etc.

Level 1

This level should be applied to all applications with only basic integrations and/or processing of data related or unrelated to users and their behavior. This level should also be applied to applications which are connected to any kind of public API or process publicly available data.

Questions

  • Does the application fulfill at least one condition from Level 1?
  • Does the application have access to an Internet connection (or have the INTERNET permission implemented on Android)?
  • Does the application handle user credentials using external tools like OAuth with WebView?
  • Does the application connect to any kind of public API?
  • Does the application contain keys for a public or dedicated API?
  • Does the application require user credentials like email, login, password?
  • Does the application gather any kind of sensitive data from device sensors such as GPS location, wireless network data, device configuration data?
  • Is the application responsible for managing any kind of private messages?

Example apps

AccuWeather, Wifi Analyzer, Speedtest, Open FM (online radio app), Flashlight (Android), Google Fit, Messenger, Slack, Gmail, YouTube, Calendar, etc.

Level 2

Level 2 classifies applications that are responsible for processing data directly related to the user and their identity, with the exception of sensitive user data like medical records or bank account credentials. This level also covers applications responsible for processing commercial data and applications related to shopping but with transactions handled by third-party providers (credentials related to transaction services like banks are handled outside the application).

Questions

  • Does the application fulfill at least one condition from Level 2?
  • Is the application responsible for any kind of commercial transactions, including the dedicated APIs, PayPal, in-app purchases, Stripe or any kind of third-party payment provider?
  • Is the application designed for user profiling?

Example apps

Gmail, Facebook, GitHub, Twitter, Snapchat, Uber, Groupon, eBay, Allegro

Level 3

Level 3 should be used to classify applications responsible for handling credentials for other systems, especially money-related services like banks or credit cards. This level also concerns all applications that are responsible for processing particularly sensitive data related to critical risk, like military data, national security data or internal company data. Disclosure of that data may affect not only a particular user, group of users, clients or systems but even the global population or a large number of users of multiple services.

Questions

  • Does the application fulfill at least one condition from Level 3?
  • Does the application have any kind of user behavior monitoring like analytics, activity data (e.g. from Google Fit API or Apple Health)?
  • Is the application responsible for storing credentials to other systems?
  • Is the application working as a password manager?
  • Is the application responsible for managing bank data?
  • Is the application handling any credit card credentials?
  • Is the application responsible for handling military data?
  • Is the application responsible for handling internal corporate data?
  • Is the application responsible for handling a database of many users locally?

Example apps

Internal applications of large corporations or institutions, banking apps, PayPal, 1Password, KeePass etc.

Security levels specification

This specification lists the levels with the assets associated with each one. This association is the key part of a level's definition. To better present the level definitions, this table also contains the overall risk associated with the security levels. Furthermore, each level also applies to any asset covered by the lower levels, and an application needs to have at least one asset from a given level to be classified with it.

Level 0, overall risk: Low

Data types
  • No data types
  • Only internal general data not related to any user (public data)

Communication types
  • No integrations or external communication

Access permissions
  • No used permissions, or:
  • Android: none
  • iOS: Music and the media library, Speech recognition

Components
  • Only SDK components or OS elements

Level 1, overall risk: Medium

Data types
  • Any data types from Level 0
  • User behavior information
  • Public API access data
  • Environment data
  • Social relation data

Communication types
  • Any communication types from Level 0
  • Open Internet communication (e.g. HTTP)
  • Encrypted Internet communication (e.g. HTTPS)
  • Bluetooth communication
  • Inter Process Communication
  • Communication using third party providers

Access permissions
  • Any permissions from Level 0
  • Android: INTERNET, ACCESS NETWORK STATE, ALARM, BATTERY STATE
  • iOS: Calendar, Health, HomeKit, Motion activity and fitness, Reminders

Components
  • Any components from Level 0
  • Analytics engines
  • External SDKs
  • External libraries
  • Android: Services, KeyChain, KeyStore
  • iOS: Data Protection, iCloud, Keychain

Level 2, overall risk: High

Data types
  • Any data types from Level 0 and 1
  • Personally identifiable information
  • Dedicated API access data
  • Geolocation data
  • Contact data
  • Communication data (messages)
  • Audiovisual data
  • E-commerce data
  • Transactions data
  • User access data

Communication types
  • Any communication types from Level 0 and 1
  • Direct communication between devices
  • Communication only in LAN (or through the VPN)

Access permissions
  • Any permissions from Level 0 and 1
  • Android: INTERNET, CONTACTS, ACCOUNTS, CAMERA, READ/WRITE EXTERNAL STORAGE, BLUETOOTH, VIDEO CAPTURE, MICROPHONE, PHONE STATE, ACCESS COARSE/FINE LOCATION, NOTIFICATION LISTENER SERVICE, BODY SENSORS
  • iOS: Bluetooth sharing, Camera, Contacts, Location Services, Microphone, Photos

Components
  • Any components from Level 0 and 1
  • Android: Intents, Content Providers, KeyChain, KeyStore, Broadcast receivers, Intent filters
  • iOS: none

Level 3, overall risk: Very high

Data types
  • User credentials
  • Bank/credit card and financial data
  • Money related data

Communication types
  • Any communication types from Level 0, 1 and 2
  • GSM communication
  • SMS communication
  • VPN communication
  • VLAN communication
  • Communication using third party providers

Access permissions
  • Any permissions from Level 0, 1 and 2
  • Android: Root access, NFC, SEND/RECEIVE SMS/MMS, PHONE CALL
  • iOS: Jailbreak

Components
  • Any components from Level 0, 1 and 2
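
The rule that a single asset from a level is enough to require that level can be applied mechanically to the Android permissions column. The sketch below is an added example, not part of the Netguru document: the function name `classify_manifest`, the mapping from the page's permission labels to manifest constants (a subset), and the sample manifest are assumptions. Because data types, communication types and components also count, the result is only a lower bound on the level.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Assumed mapping from the page's Android permission labels to manifest
# constants. INTERNET is listed under both Level 1 and Level 2 on the page;
# the lower listing is used here.
LEVEL_BY_PERMISSION = {
    "INTERNET": 1, "ACCESS_NETWORK_STATE": 1,
    "READ_CONTACTS": 2, "WRITE_CONTACTS": 2, "GET_ACCOUNTS": 2, "CAMERA": 2,
    "READ_EXTERNAL_STORAGE": 2, "WRITE_EXTERNAL_STORAGE": 2, "BLUETOOTH": 2,
    "RECORD_AUDIO": 2, "READ_PHONE_STATE": 2, "BODY_SENSORS": 2,
    "ACCESS_COARSE_LOCATION": 2, "ACCESS_FINE_LOCATION": 2,
    "NFC": 3, "SEND_SMS": 3, "RECEIVE_SMS": 3, "RECEIVE_MMS": 3, "CALL_PHONE": 3,
}
RISK = {0: "Low", 1: "Medium", 2: "High", 3: "Very high"}


def classify_manifest(manifest_xml):
    """Return the lowest security level allowed by the declared permissions."""
    root = ET.fromstring(manifest_xml)
    drivers, unmapped = {}, []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name", "")
            short = name[len(PREFIX):] if name.startswith(PREFIX) else None
            level = LEVEL_BY_PERMISSION.get(short)
            if level is None:
                unmapped.append(name)  # not in the table: classify by hand
            else:
                drivers.setdefault(level, []).append(short)
    # One asset from a level is enough to require it; no assets means Level 0.
    level = max(drivers, default=0)
    return {"level": level, "risk": RISK[level],
            "drivers": sorted(drivers.get(level, [])), "unmapped": unmapped}


# Constructed sample manifest, not taken from any real application.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="com.example.vendor.PUSH"/>
</manifest>"""

if __name__ == "__main__":
    print(classify_manifest(SAMPLE_MANIFEST))
```

Permissions that the table does not list are returned in `unmapped` rather than silently treated as Level 0, so a reviewer can place them manually.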