[MSTG-STORAGE-12] Add Privacy Labels and Rework Privacy Chapter #1988

cpholguera · 2021-11-24T11:40:17Z

Closes #1967 and:

I proposed a more adequate title, since the file was named 0x04i-Testing-user-interaction.md and the chapter titled “Testing User Education”. I think that “Testing User Privacy Protection” reflects better the topic addressed here, being user education part of it.

I also included a disclaimer, an overview where I tried to present the topic by parts and introduce some concepts as well as the new stuff (Google and Apple labels) and of course the Test Cases.

There’s one Test Case with 2 tests inside. I’m trying here to shape it to the new approach we’re taking with the requirement.

In the future, once we decided how we want to shape the MSTG we could maybe introduce test case IDs. There will be one file/folder per MASVS-ID containing several tests.

## Testing MASVS-STORAGE-XX
### [TC-1] Testing User Education on Data Privacy on the App Marketplace
### [TC-2] Testing User Education on Security Best Practices
...
### [TC-X] Testing User Education on Data Privacy via Data Auditing APIs
### [TC-X] Testing Developer Compliance for Data Privacy
### [TC-X] Testing Developer Compliance for Data Privacy Best Practices
...

This way we have concrete atomic tests that we can parse. (similar to the Test Case column in the new spreadsheets; that column could be generated automatically next time 😉 )

…esting

Document/0x04i-Testing-user-interaction.md

sushi2k · 2021-11-25T23:45:15Z

Document/0x04i-Testing-user-interaction.md

+- [Enable the App Privacy Report](https://developer.apple.com/documentation/network/privacy_management/inspecting_app_activity_data) from the iOS settings (iOS 15.2 and higher) to monitor app activity data. After using the app extensively, you can save the report as JSON file containing a collection of dictionaries of different types. Parse for the `type: "access"` to inspect all data access by category (camera, contacts, etc.) and the `type: "networkActivity"` to examine all network accesses.
+
+
+These are some examples of common violations that you should report:


How would this work in real-life for the user and for us during verification?
Would we verify that a one-time pop-up is explaining this (which will be anyway coming when accessing camera, contacts etc due to approving the permission), so the additional information is needed? Or would we simply verify the nutrition / data safety labels?
Where would it be defined that something is sensitive data, like An app that records a user’s screen and doesn't treat this data as personal or sensitive data subject to this policy. This is defined by the developer in the app? What would be the testing process, the tester would run app activity https://developer.apple.com/documentation/network/privacy_management/inspecting_app_activity_data and then we check it against the privacy policy?

I think it's quite a few options we are listing above, so we might want to clarify a bit further and give some more guidance, otherwise it might be a bit overwhelming what to do now exactly.

Since we're testing MSTG-STORAGE-12:

The app educates the user about the types of personally identifiable information processed, as well as security best practices the user should follow in using the app.

I think the testing strategy for now should be:

look at if and what the app declares it collects/shares (in the App Store iOS Privacy Details and in Google Play Safety Section).

check if the app is at least doing everything it could be doing to inform the user:

using prominent in-app disclosure of data access, collection, use, and sharing.

using the "App Tracking Transparency Framework" / "Data Access Auditing".

I'm going to reflect this on this sub-section (now there's more info than required). We should address that but as part of other test cases / requirements.

Co-authored-by: Sven <sven@bsddaemon.org>

…ction

…enhance-storage-2