
CRYPTO: Export and import crypto regulations #1885

Merged
merged 4 commits into from
Jun 30, 2022

Conversation

julepka
Contributor

@julepka julepka commented Mar 26, 2021

Updated the CRYPTO section with information about export and import regulations for cryptography, describing why they matter for mobile apps. Added references to guidelines from Apple and Google and to governmental websites with the related information.

These changes were discussed with @sushi2k and @vixentael in a separate doc.

  • Your contribution is written in the 2nd person (e.g. you)
  • Your contribution is written in an active present form for as much as possible.
  • You have made sure that the reference section is up to date (e.g. please add sources you have used, make sure that the references to MITRE/MASVS/etc. are up to date)
  • Your contribution has proper formatted markdown and/or code
  • Any references to websites have been formatted as [TEXT](URL “NAME”)
  • You verified/tested the effectiveness of your contribution (e.g.: is the code really an effective remediation? Please verify it works!)

Collaborator

@cpholguera cpholguera left a comment

Thanks a lot for adding the new content. Please take a look at the comment. I hope you can help us close that issue. Let me gladly know if you have any questions ☺️

@@ -199,3 +199,15 @@ In larger organizations, or when high-risk applications are created, it can ofte
- MSTG-CRYPTO-2: "The app uses proven implementations of cryptographic primitives."
- MSTG-CRYPTO-3: "The app uses cryptographic primitives that are appropriate for the particular use-case, configured with parameters that adhere to industry best practices."
- MSTG-CRYPTO-4: "The app does not use cryptographic protocols or algorithms that are widely considered deprecated for security purposes."

## Cryptography Regulations
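Review bot: the hunk header `@@ -199,3 +199,15 @@` announces twelve added lines, but only the new `## Cryptography Regulations` heading is visible here, so the section body cannot be checked from this view against the PR checklist (second person, active voice, references in `[TEXT](URL "NAME")` form). The heading also lands directly after the MSTG-CRYPTO requirement list; since the thread concludes that no new requirement will be added and the section is a "reminder", consider an opening sentence that says so, and add the MSTG-ARCH-12 reference in the same style as the Cryptography References, as agreed in the discussion.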
Collaborator

Could you please make this a test case covering MSTG-ARCH-12?

Also please consider including the points within this issue: #1491

Contributor Author

@cpholguera I see that #1491 is more about user privacy, while this PR is for the CRYPTO section, which doesn't relate to private user data. I can add a reference to MSTG-ARCH-12 the same way it is done for Cryptography References above. I believe it will look consistent and nice.

Yeah, I don't think this is the proper place to cover the whole topic of MSTG-ARCH-12. In general, it seems to me that having a separate chapter for ARCH requirements can be very helpful. Some information from other chapters could be moved to ARCH, and that should simplify the MSTG structure in general.

Collaborator

I see the issue now, so actually we'd have to see if we need to add crypto to MSTG-ARCH-12 or to have a new MSTG-CRYPTO requirements for this. We'll discuss this and let you know ;)

Collaborator

Good news, we're considering a new MASVS-CRYPTO-5 covering this:

The app should comply with cryptography laws and regulations.

Collaborator

@julepka, for this we should see how we can actually test it.

  • On iOS we can check if the app includes ITSEncryptionExportCompliance, so we could verify that in the Info.plist. Maybe we can also verify in the AppStore?
  • What about Android? They don't provide many details. Could you help us find out how we could test this for Android apps?

Thank you!
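One way to automate the Info.plist check proposed above, as an added example that is not code from the PR, the MSTG, or its maintainers. It assumes the App Store Connect keys `ITSAppUsesNonExemptEncryption` (boolean) and `ITSEncryptionExportComplianceCode` (string) that Apple's export-compliance questionnaire can be answered with in the plist, and it runs only against constructed sample plists. The script classifies an app as undeclared (App Store Connect asks the question at upload time), exempt, or non-exempt with or without a compliance code; as the thread notes, an undeclared or inconsistent value is an operational finding for the publishing process, not a vulnerability.

```python
"""Check an iOS Info.plist for the App Store export-compliance declaration.

Added example, not code from the PR or the MSTG. It assumes the App Store
Connect keys `ITSAppUsesNonExemptEncryption` (bool) and
`ITSEncryptionExportComplianceCode` (string); every sample plist below is
constructed for this example and does not describe a real app.
"""
import plistlib
from typing import Any, Dict, Optional


def build_plist(entries: Dict[str, Any]) -> bytes:
    """Serialize a constructed Info.plist in XML format for testing."""
    info: Dict[str, Any] = {"CFBundleIdentifier": "com.example.sample"}  # constructed id
    info.update(entries)
    return plistlib.dumps(info, fmt=plistlib.FMT_XML)


def check_export_compliance(plist_bytes: bytes) -> Dict[str, Any]:
    """Classify how an Info.plist answers Apple's export-compliance question."""
    info = plistlib.loads(plist_bytes)
    uses_non_exempt: Optional[bool] = info.get("ITSAppUsesNonExemptEncryption")
    code: Optional[str] = info.get("ITSEncryptionExportComplianceCode")

    if uses_non_exempt is None:
        # Key absent: App Store Connect asks the question on every upload.
        status = "undeclared"
    elif uses_non_exempt is False:
        # App declares that any encryption it uses falls under Apple's exemptions.
        status = "exempt"
    elif code:
        # Declares non-exempt encryption and carries a compliance code.
        status = "non-exempt-with-code"
    else:
        # Declares non-exempt encryption but no compliance code is recorded.
        status = "non-exempt-missing-code"

    return {
        "declared": uses_non_exempt is not None,
        "uses_non_exempt_encryption": uses_non_exempt,
        "compliance_code": code,
        "status": status,
    }


# Constructed samples, one per outcome the checker distinguishes.
SAMPLES: Dict[str, bytes] = {
    "undeclared": build_plist({}),
    "exempt": build_plist({"ITSAppUsesNonExemptEncryption": False}),
    "missing_code": build_plist({"ITSAppUsesNonExemptEncryption": True}),
    "with_code": build_plist({
        "ITSAppUsesNonExemptEncryption": True,
        # Placeholder value; a real code is issued through App Store Connect.
        "ITSEncryptionExportComplianceCode": "EXAMPLE-CODE-PLACEHOLDER",
    }),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:13s} -> {check_export_compliance(blob)['status']}")
```

To run it against a real app, read the `Info.plist` out of the decrypted `.app` bundle and pass its bytes to `check_export_compliance`; `plistlib.loads` accepts both the XML and the binary plist formats, so no prior conversion is needed.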

Collaborator

Update: we already discussed this and we won't add a requirement. It's a purely operational thing, required as part of the publishing process, so there's no way around it. Even if an app does not comply with/declare this properly, that does not imply a vulnerability.

We still see this as a "reminder" in the MSTG, as you already nicely did in this PR (maybe we only need to relocate it, but you already put all needed info).

Once we publish MASVS-CRYPTO you still have the chance to comment on this if you want.

Thanks again @julepka!

@cpholguera
Collaborator

Short update: we're still on it, this needs some more discussion since it might add a new MASVS requirement :)

@cpholguera
Collaborator

Hi @julepka, just to let you know: we did not forget about this PR. We're taking it into account regarding the new big refactoring of the MASVS. Thanks for your patience!

- [Export compliance overview (Apple)](https://help.apple.com/app-store-connect/#/dev88f5c7bf9 "Export compliance overview")
- [Export compliance (Google)](https://support.google.com/googleplay/android-developer/answer/113770?hl=en "Export compliance")
- [Encryption and Export Administration Regulations (USA)](https://www.bis.doc.gov/index.php/policy-guidance/encryption "Encryption and Export Administration Regulations")
- [Encryption Control (France)](https://www.ssi.gouv.fr/en/regulation/cryptology/ "Encryption Control")
Collaborator

Co-authored-by: Jeroen Beckers <me.githbub@dauntless.be>
Collaborator

@cpholguera cpholguera left a comment

Sorry for the long wait @julepka! Thank you so much for this! We'll be happy to keep getting feedback from you for the MASVS refactoring and hope you'll want to get involved in the MSTG refactoring as well (expected beginning of next year) :)

@julepka
Contributor Author

julepka commented Jul 1, 2022

Oh, nice! Thanks @cpholguera
I hope the situation in my country, Ukraine, will get better soon and I will be able to participate in MASVS and MSTG much more. But I'm monitoring the refactoring progress and it looks great :)

@cpholguera
Collaborator

cpholguera commented Jul 1, 2022

Thank you so much @julepka we hope the same ❤️
