Multi-User Application on Single User Device Platform #569
Unanswered
ncoblentzsps asked this question in Q&A
Replies: 0 comments
Hello,
I'm currently evaluating an application that allows multiple users to log in to a sensitive application, and it retains their account information and activity in a SQLite database on the device (Android and iOS). When users switch from one profile to another, the application prompts them for local authentication using a 4-digit PIN (unique to each user) or biometrics and then gives them access to their existing data as well as their authenticated session to interact with the server. Some of the issues I'm documenting include the fact that the database containing sensitive data exists on the device at all and is encrypted with a symmetric key that's located on the file system alongside the database, and I think all of this is covered well in MASVS.
What I'm not sure is covered is the developers facilitating a multi-user experience on a shared device that's designed only to support a single-user security model. Let me explain more. If biometrics is enabled for three different individuals to log in to this application through local authentication, all three users can access all three accounts because the application has no way of differentiating between one user's fingerprint versus another, or the KeyStore/KeyChain does not differentiate between one user's secret data and another's. If you can unlock the device, you can use whatever is in the KeyStore/KeyChain. I wonder if there should be an item in this standard that addresses trying to use this single-user operating system on a shared device with multiple users who all want to keep their data segmented from each other. What do you think?
Thanks,
Nick
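
Added example, not part of the original post and not code from the application under review: a Kotlin illustration of per-profile keys in the Android Keystore, showing why the authentication gate described in the question belongs to the device user rather than to an app profile. The `profile_key_` alias scheme and both function names are hypothetical.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyStore
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

private const val PROVIDER = "AndroidKeyStore"

// Hypothetical alias scheme. The alias is only a label chosen by the app;
// the Keystore does not associate it with a particular person.
private fun aliasFor(profileId: String) = "profile_key_$profileId"

// Creates one AES-256-GCM key per app profile.
fun createProfileKey(profileId: String): SecretKey {
    val spec = KeyGenParameterSpec.Builder(
        aliasFor(profileId),
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        // The key may be used only after the device user authenticates.
        // That gate is satisfied by any biometric enrolled on the device:
        // the platform reports success or failure, not which enrolled
        // fingerprint matched, so it cannot tie this key to one profile.
        .setUserAuthenticationRequired(true)
        .build()

    val generator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, PROVIDER)
    generator.init(spec)
    return generator.generateKey()
}

// Loads the key handle for a profile, or null if none exists.
// Nothing here checks who is holding the device: every alias the app
// created is visible to the app, and each key is released by the same
// device-level authentication.
fun loadProfileKey(profileId: String): SecretKey? {
    val keyStore = KeyStore.getInstance(PROVIDER).apply { load(null) }
    return keyStore.getKey(aliasFor(profileId), null) as? SecretKey
}
```

Separating the keys by alias therefore segments storage, not access: isolation between people sharing the device has to come from a secret that only the individual holds.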