
V2.5 - Verify that the clipboard is deactivated on text fields that may contain sensitive data. #106

Closed
fevertree opened this issue Jul 12, 2017 · 7 comments

Comments

@fevertree

As long as applications allow users to authenticate via password, users should be allowed to paste in passwords from the clipboard. Unique passwords for each and every service that a person uses are considered to be an industry standard recommendation. By not allowing a user to paste in their password, the MASVS goes against this practice.

@Sjord
Contributor

Sjord commented Jul 12, 2017

The attack vector here is that all apps on the phone can read the clipboard (article, PoC). I think disallowing paste on password inputs is not a solution to this. Users only notice this when they try to paste, when they have already copied the password to the clipboard. Also, I think this could be a consideration for the user between convenience and security: whether he uses the same password for everything, uses a password manager with copy-paste, or memorizes 50 passwords off the top of his head.

@sushi2k
Collaborator

sushi2k commented Jul 12, 2017

Agree with both of you. Disallowing this in a password field will make the user unhappy, and when he copies a password, credit card number etc. and finds out that he is not allowed to paste it in, it's already too late.
As always, it's a balance between security and convenience for the user.
Due to the fact that the clipboard is accessible system-wide on Android and iOS, it's definitely an attack vector, especially for malware on Android. The MASVS should not be seen as a list that you need to implement, but as a consistent and mature list that gives you requirements that might be applicable to your app. Whether you implement them or not is your decision, and there might always be good reasons for both; it should just be documented and agreed by all involved parties (business, developers etc.).
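A concrete way to implement the control under discussion on Android, added here as an example (not code from the MASVS or MASTG project): an EditText subclass that suppresses cut, copy and paste for a sensitive field, so its contents never reach the system-wide clipboard that any app can read. The class and method names are the example's own; the Android APIs it calls are the platform's.

```java
import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.view.ActionMode;
import android.view.Menu;
import android.view.MenuItem;
import android.widget.EditText;

/** EditText for sensitive data (passwords, card numbers, PII) that never touches the clipboard. */
public class NoClipboardEditText extends EditText {

    public NoClipboardEditText(Context context) { this(context, null); }
    public NoClipboardEditText(Context context, AttributeSet attrs) { super(context, attrs); init(); }
    public NoClipboardEditText(Context context, AttributeSet attrs, int defStyleAttr) {
        super(context, attrs, defStyleAttr); init();
    }

    private void init() {
        // Suppress the floating selection/insertion toolbar so the user is never offered Copy/Paste.
        ActionMode.Callback noToolbar = new ActionMode.Callback() {
            @Override public boolean onCreateActionMode(ActionMode mode, Menu menu) { return false; }
            @Override public boolean onPrepareActionMode(ActionMode mode, Menu menu) { return false; }
            @Override public boolean onActionItemClicked(ActionMode mode, MenuItem item) { return false; }
            @Override public void onDestroyActionMode(ActionMode mode) { }
        };
        setCustomSelectionActionModeCallback(noToolbar);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            setCustomInsertionActionModeCallback(noToolbar); // insertion-point toolbar exists from API 23
        }
        setLongClickable(false); // no long-press selection handles either
    }

    /** Every clipboard path (toolbar, hardware-keyboard shortcuts, IME paste keys) ends up here. */
    @Override
    public boolean onTextContextMenuItem(int id) {
        if (id == android.R.id.cut || id == android.R.id.copy
                || id == android.R.id.paste || id == android.R.id.pasteAsPlainText
                || id == android.R.id.shareText) {
            return true; // consume the action without reading from or writing to the clipboard
        }
        return super.onTextContextMenuItem(id);
    }
}
```

Reference the class by name in the layout XML for the fields the threat model marks as sensitive; as the thread notes, applying it to a password field trades away password-manager convenience, so that choice should be documented.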

@fevertree
Author

The attack vector of other applications being able to read the clipboard hadn't occurred to me, and is indeed a serious concern for the user. As a security tester, one of my recommendations here would be to at least supplement the password authentication with some sort of MFA.

@sushi2k
Collaborator

sushi2k commented Jul 12, 2017

The requirement is addressing sensitive data in general. So it can of course be the password, but also credit card data, username or other PII.

2FA is available in another requirement:

4.9 - A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced.

@fevertree
Author

Sounds good. Closing the issue!

@konanpen

konanpen commented Dec 2, 2022

The requirement "4.9 - A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced" covers only the password or authentication of the user. What about other PII data which may be stored in the clipboard? I believe the clipboard requirement should be included in the new verification standard.

@cpholguera
Collaborator

Hi @konanpen, the next version of the MASVS has a PLATFORM control addressing this situation:

"The app uses the user interface securely."

The MASTG will contain all the specifics in the form of a collection of tests. One of them will cover this specific topic. It will be up to you to apply it to an app or not. That would depend on the threat model of the app.
