Proofreading fixes 0x04e #2278
Merged
Proofreading fixes 0x04e #2278
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Laancelot
commented
Oct 12, 2022
Document/0x04e-Testing-Authentication-and-Session-Management.md
Outdated
Show resolved
Hide resolved
Laancelot
commented
Oct 12, 2022
Document/0x04e-Testing-Authentication-and-Session-Management.md
Outdated
Show resolved
Hide resolved
cpholguera
changed the title
cpholguera
requested changes
Oct 15, 2022
There was a problem hiding this comment.
Hi @Laancelot, could you please take a look at my suggestions? We can fix this section by removing a lot of content. Thank you!
Document/0x04e-Testing-Authentication-and-Session-Management.md
Outdated
Show resolved
Hide resolved
Document/0x04e-Testing-Authentication-and-Session-Management.md
Outdated
Show resolved
Hide resolved
Document/0x04e-Testing-Authentication-and-Session-Management.md
Outdated
Show resolved
Hide resolved
Document/0x04e-Testing-Authentication-and-Session-Management.md
Outdated
Show resolved
Hide resolved
Document/0x04e-Testing-Authentication-and-Session-Management.md
Outdated
Show resolved
Hide resolved
Commit suggestion Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
Commit suggestion Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
Commit suggestion Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
Commit suggestion Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
Laancelot
commented
Oct 16, 2022
|
|
||
| In Android, the developer can use `Settings.Secure.ANDROID_ID` till Android 8.0 (API level 26) to identify an application instance. Note that starting at Android 8.0 (API level 26), `ANDROID_ID` is no longer a device unique ID. Instead, it becomes scoped by the combination of app signing key, user and device. So validating `ANDROID_ID` for device blocking could be tricky for these Android versions. Because if an app changes its signing key, the `ANDROID_ID` will change and it won't be able to recognize old users devices. Therefore, it's better to store the `ANDROID_ID` encrypted and privately in a private a shared preferences file using a randomly generated key from the `AndroidKeyStore` and preferably AES_GCM encryption. The moment the app signature changes, the application can check for a delta and register the new `ANDROID_ID`. The moment this new ID changes without a new application signing key, it should indicate that something else is wrong. | ||
| Next, the device binding can be extended by signing requests with a key stored in the `Keychain` for iOS and in the `KeyStore` in Android can reassure strong device binding. | ||
| You should also test if using different IPs, different locations and/or different time-slots will trigger the right type of information in all scenarios. | ||
|
|
||
| Lastly, the blocking of the devices should be tested, by blocking a registered instance of the app and see if it is then no longer allowed to authenticate. | ||
| Note: in case of an application which requires L2 protection, it can be a good idea to warn a user even before the first authentication on a new device. Instead: warn the user already when a second instance of the app is registered. |
There was a problem hiding this comment.
I still find that sentence unclear? Sorry
There was a problem hiding this comment.
This one "Note: in case of an application which requires L2 protection, it can be a good idea to warn a user even before the first authentication on a new device. Instead: warn the user already when a second instance of the app is registered."
There was a problem hiding this comment.
Me too, let's just remove them as I suggested in https://github.com/OWASP/owasp-mastg/pull/2278/files#r996281939. Line 561 is now taking care of this.
Removing one extra line
cpholguera
reviewed
Oct 17, 2022
Document/0x04e-Testing-Authentication-and-Session-Management.md
Outdated
Show resolved
Hide resolved
cpholguera
reviewed
Oct 17, 2022
Document/0x04e-Testing-Authentication-and-Session-Management.md
Outdated
Show resolved
Hide resolved
cpholguera
approved these changes
Oct 17, 2022
cpholguera
reviewed
Oct 17, 2022
|
With this we can merge, please take a look at the last 2 changes I've made to remove those lines. |
cpholguera
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
typos, links
Thank you for submitting a Pull Request to the OWASP MASTG. Please make sure that:
If your PR is related to an issue. Please end your PR test with the following line:
This PR closes #< insert number here >.