CRYPTO: Export and import crypto regulations #1885
Thanks a lot for adding the new content. Please take a look at the comment. I hope you can help us close that issue. Let me gladly know if you have any questions.
@@ -199,3 +199,15 @@ In larger organizations, or when high-risk applications are created, it can ofte | |||
- MSTG-CRYPTO-2: "The app uses proven implementations of cryptographic primitives." | |||
- MSTG-CRYPTO-3: "The app uses cryptographic primitives that are appropriate for the particular use-case, configured with parameters that adhere to industry best practices." | |||
- MSTG-CRYPTO-4: "The app does not use cryptographic protocols or algorithms that are widely considered deprecated for security purposes." | |||
|
|||
## Cryptography Regulations |
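Review bot: the `## Cryptography Regulations` heading is added directly below the MSTG-CRYPTO-2 to MSTG-CRYPTO-4 requirement list, so the new section sits after the requirements it would be read against and is not tied to any of them. Consider moving it above that list, or stating in its first sentence which requirement it supports or that it is informational only.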
Could you please make this a test case covering MSTG-ARCH-12?
Also please consider including the points within this issue: #1491
@cpholguera I see that #1491 is more about user privacy, while this PR is for the CRYPTO section, which doesn't relate to private user data. I can add a reference to MSTG-ARCH-12 the same way it is done for Cryptography References above. I believe it will look consistent and nice.
Yeah, I don't think it is a proper place to cover the whole topic of MSTG-ARCH-12. In general, it seems to me that having a separate chapter for ARCH requirements can be very helpful. Some information from other chapters can be moved to ARCH and that should simplify the MSTG structure in general.
I see the issue now, so actually we'd have to see if we need to add crypto to MSTG-ARCH-12 or to have a new MSTG-CRYPTO requirement for this. We'll discuss this and let you know ;)
Good news, we're considering a new MASVS-CRYPTO-5 covering this:
The app should comply with cryptography laws and regulations.
@julepka, for this we should see how we can actually test it.
- On iOS we can check if the app includes `ITSEncryptionExportCompliance`, so we could verify that in the Info.plist. Maybe we can also verify in the AppStore?
- What about Android? They don't provide many details. Could you help us find out how we could test this for Android apps?

Thank you!
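The iOS check raised in the comment above, as an added example that is not part of the PR or the MSTG: it reads the main `Info.plist` out of an IPA and classifies the export-compliance declaration. It assumes the keys meant are Apple's documented `ITSAppUsesNonExemptEncryption` and `ITSEncryptionExportComplianceCode`; the function names, status labels and sample bundle are constructed for illustration.

```python
import io
import plistlib
import re
import zipfile

# Apple's documented export-compliance keys (assumed to be what the comment means).
USES_KEY = "ITSAppUsesNonExemptEncryption"
CODE_KEY = "ITSEncryptionExportComplianceCode"
# Main app bundle only; plists of embedded frameworks or extensions are skipped.
MAIN_PLIST = re.compile(r"^Payload/[^/]+\.app/Info\.plist$")


def export_compliance_status(ipa):
    """Classify the export-compliance declaration of an IPA (path or file object)."""
    with zipfile.ZipFile(ipa) as zf:
        names = [n for n in zf.namelist() if MAIN_PLIST.match(n)]
        if len(names) != 1:
            return ("error", "expected exactly one Payload/*.app/Info.plist")
        try:
            # plistlib auto-detects XML and binary plists.
            info = plistlib.loads(zf.read(names[0]))
        except Exception as exc:
            return ("error", f"unreadable Info.plist: {exc}")
    if not isinstance(info, dict):
        return ("error", "Info.plist root is not a dictionary")
    if USES_KEY not in info:
        return ("undeclared", f"{USES_KEY} is absent")
    value = info[USES_KEY]
    if value is False:
        return ("declared-exempt", "no non-exempt encryption declared")
    if value is True:
        code = info.get(CODE_KEY)
        if code:
            return ("declared-with-code", code)
        return ("declared-no-code", f"{CODE_KEY} is absent")
    return ("error", f"{USES_KEY} is not a boolean")


def make_sample_ipa(info, fmt=plistlib.FMT_XML):
    """Build a constructed in-memory IPA holding only an Info.plist."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(info, fmt=fmt))
    buf.seek(0)
    return buf
```
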
Update: we already discussed this and we won't add a requirement. It's a purely operational thing, required as part of the publishing process so there's no way around it. Even if an app would not comply/declare this properly, that does not imply a vulnerability.
We still see this as a "reminder" in the MSTG, as you already nicely did in this PR (maybe we only need to relocate it, but you already put all needed info).
Once we publish MASVS-CRYPTO you still have the chance to comment on this if you want.
Thanks again @julepka!
Short update: we're still on it, this needs some more discussion since it might add a new MASVS requirement :)
Hi @julepka, just to let you know: we did not forget about this PR. We're taking it into account regarding the new big refactoring of the MASVS. Thanks for your patience!
- [Export compliance overview (Apple)](https://help.apple.com/app-store-connect/#/dev88f5c7bf9 "Export compliance overview") | ||
- [Export compliance (Google)](https://support.google.com/googleplay/android-developer/answer/113770?hl=en "Export compliance") | ||
- [Encryption and Export Administration Regulations (USA)](https://www.bis.doc.gov/index.php/policy-guidance/encryption "Encryption and Export Administration Regulations") | ||
- [Encryption Control (France)](https://www.ssi.gouv.fr/en/regulation/cryptology/ "Encryption Control") |
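Review bot: the Google link on the second added line pins the help page to English with `?hl=en`; dropping the parameter lets the page follow the reader's locale. The national entries visible here cover only the USA and France, so a short sentence saying the list is not exhaustive would keep readers from treating it as complete.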
Co-authored-by: Jeroen Beckers <me.githbub@dauntless.be>
Sorry for the long wait @julepka! Thank you so much for this! We'll be happy to keep getting feedback from you for the MASVS refactoring and hope you'll want to get involved in the MSTG refactoring as well (expected beginning of next year) :)
Oh, nice! Thanks @cpholguera
Thank you so much @julepka we hope the same ❤️
Updated CRYPTO section with information about export and import regulations for cryptography, describing why it matters for mobile apps. Added references to guidelines from Apple and Google and to governmental websites with the related information.
These changes were discussed with @sushi2k and @vixentael in a separate doc.