行動應用 App 基本資安規範 - mas.org.tw · 交易資源控管安全 ... 人之資料，包括但不限於自然人之姓名、出生年月日、國民身分證統一

App

V1.2

107 05

App

App

104 4 App V1.0

105 10 App V1.1

107 5 App V1.2

i

1. .......................................................................................................................... 1

2. .................................................................................................................. 2

3. .............................................................................................................. 3

3.1. Mobile Application ........................................................ 3

3.2. Application Store .................................................. 3

3.3. Personal Data ......................................................................... 3

3.4. Secure Sensitive Data ................................................ 3

3.5. Password .................................................................................... 3

3.6. Transaction Resource ............................................................ 4

3.7. Session Identification, Session ID .................................... 4

3.8. Server Certificate............................................................... 4

3.9. Certificate Authority .............................................................. 4

3.10. Malicious Code ............................................................... 4

3.11. Vulnerability ................................................................ 4

3.12. Library ..................................................................................... 4

3.13. Code Injection ..................................................................... 5

3.14. Mobile Operating System ........................................... 5

3.15. Mobile Resource ......................................................... 5

3.16. In-App Update ............................................. 5

3.17. Common Vulnerabilities and Exposures ................. 5

3.18. Weak Cryptographic Algorithm .............................. 5

3.19. Known Vulnerabilities ............................................ 5

3.20. Authentication ..................................................................... 5

3.21. Advanced Encryption Standard .............................. 5

3.22. Triple Data Encryption Standard .................... 6

3.23. Elliptic Curve Cryptography ................................... 6

ii

3.24. Certificate Pinning .............................................................. 6

3.25. Hash ............................................................................................. 6

3.26. Obfuscation ................................................................................. 6

3.27. Using Secure Sensitive Data ......................... 6

3.28. Log File ............................................................................. 6

3.29. Device Identifier ............................................................ 6

3.30. (Cache Files or Temporary Files) .............................................. 7

3.31. Configuration File ................................................................... 7

3.32. Encode ......................................................................................... 7

3.33. Decode ......................................................................................... 7

3.34. Payload ........................................................................................ 7

3.35. Collecting Secure Sensitive Data .................... 7

3.36. Storing Secure Sensitive Data ......................... 7

3.37. Common Vulnerability Scoring System ............. 8

3.38. (Secure Random Number Generator) ....................... 8

3.39. (Secure Domain) ....................................................................... 8

3.40. (Secure Encryption Function) ........................................... 8

4. .................................................................................................................. 9

4.1. ....................................................... 9

4.1.1. .................................................................... 9

4.1.2. ........................................................................ 9

4.1.3. .......................................................................... 11

4.1.4. .............. 11

4.1.5. ...................................................................... 12

4.2. ............................................................. 12

5. ................................................................................................ 14

6. ................................................................................................................ 15

Open Web Application Security Project (OWASP) ............................................ 15

iii

Cloud Security Alliance (CSA) ........................................................................... 15

..................................................................................................................... 15

..................................................................................................................... 15

..................................................................................................................... 15

..................................................................................................................... 16

............................................................................................................. 16

............................................................................................................. 16

............................................................. 17

......................................................................... 23

1

1.

Mobile Application, App

App

103 6 24

26 App

App 107 5

V1.2

App

App App

App App

App

2

2.

1 2

1

2

3

3.

3.1. Mobile Application

3.2. Application Store

3.3. Personal Data

International Mobile Equipment Identity, IMEI

International Mobile Subscriber Identity, IMSI

3.4. Secure Sensitive Data

3.3

3.5. Password

4

3.6. Transaction Resource

App

QRcode App

App

App

App App

3.7. Session Identification, Session ID

3.8. Server Certificate

3.9. Certificate Authority

3.10. Malicious Code

3.11. Vulnerability

3.12. Library

Function

ObjectBinary code

5

3.13. Code Injection

Command InjectionSQL Injection

3.14. Mobile Operating System

3.15. Mobile Resource

3.16. In-App Update

3.17. Common Vulnerabilities and Exposures

CVE

3.18. Weak Cryptographic Algorithm

CVE

3.19. Known Vulnerabilities

CVE

3.20. Authentication

3.21. Advanced Encryption Standard

National Institute of Standards and Technology, NIST 2001 AESAdvanced Encryption Standard FIPS PUB 197 2002

6

AES 128 Data Block 128192 256 Key SizeAES Round Number

3.22. Triple Data Encryption Standard

Triple Data Encryption Standard 64

3.23. Elliptic Curve Cryptography

1985 Neal Koblitz Victor Miller

3.24. Certificate Pinning

3.25. Hash

3.26. Obfuscation

3.27. Using Secure Sensitive Data

3.28. Log File

3.29. Device Identifier

7

International Mobile Equipment Identity, IMEIMobile Equipment Identifier, MEIDInternational Mobile Subscriber Identity, IMSIIntegrated Circuit Card Identifier, ICCIDMedia Access Control Address, MAC addressAndroid Identifier, Android IDAndroid Advertising ID, AIDiOS IFAIDIdentifier for Advertisers Identifier, IFAIDWindows Phone Device ID

3.30. (Cache Files or Temporary Files)

3.31. Configuration File

3.32. Encode

3.33. Decode

3.34. Payload

3.35. Collecting Secure Sensitive Data

3.36. Storing Secure Sensitive Data

8

3.37. Common Vulnerability Scoring System

CVSS IT National Infrastructure Advisory Council, NIACForum of Incident Response and Security Teams, FIRST 3

3.38. (Secure Random Number Generator)

ANSI X9.17

3.39. (Secure Domain)

FacebookGoogle Twitter OAuth 2.0

3.40. (Secure Encryption Function)

FIPS 140-2 Annex A

9

4.

4.1.

4.1.1.

4.1.1.1.

4.1.1.2.

4.1.1.3.

4.1.2.

4.1.2.1.

10

4.1.2.2.

4.1.2.3.

4.1.2.4.

4.1.2.5.

11

4.1.2.6.

4.1.3.

4.1.3.1.

4.1.3.2.

4.1.4.

4.1.4.1.

4.1.4.2.

12

4.1.5.

4.1.5.1.

4.1.5.2.

4.1.5.3.

4.1.1.

4.1.5.4.

4.2.

4.2.1.

4.2.2.

13

Web Service

4.2.2.1. Webview

Webview

Webview

14

5.

15

6.

Open Web Application Security Project (OWASP)

[1] Mobile App Security Checklist 0.9.3

https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide,

2017

Cloud Security Alliance (CSA)

[2] Mobile Application Security Testing Initiative,

https://www.csaapac.org/mast.html, 2016

[3] Vetting the Security of Mobile ApplicationsApp, NIST Special Publication

800-163, http://dx.doi.org/10.6028/NIST.SP.800-163, 2015

[4] Cryptographic Algorithm Validation Program (CAVP),

http://csrc.nist.gov/groups/STM/cavp/, NIST

[5] Cryptographic Module Validation Program (CMVP),

http://csrc.nist.gov/groups/STM/cmvp/, NIST

[6] Government Mobile and Wireless Security Baseline, Federal CIO Council,

https://cio.gov/wp-content/uploads/downloads/2013/05/Federal-Mobile-Security-

Baseline.pdf, 2013

[7] Smartphone Secure Development Guidelines,

https://www.enisa.europa.eu/publications/smartphone-secure-development-guidel

ines-2016, ENISA, 2017

16

[8] , YD/T 2407-2013, 2013

[9] , YD/T 2408-2013, 2013

[10] Security Guideline for using Smartphones and Tablets - Advantages for work

style innovation - [Version 1],

https://www.jssec.org/dl/guidelines2012Enew_v1.0.pdf, JSSEC, 2011

[11] ISO/IEC 27001:2013 (Information security management)

[12] ISO/IEC 20000:2011 (Information technology - Service management)

[13] ISO/IEC 19790:2012 (Information technology - Security techniques - Security

requirements for cryptographic modules)

[14] ISO/IEC 15408:2009 (Information technology - Security techniques - Evaluation

criteria for IT security)

[15] ISO/IEC 14598:2001 (Information technology - Software product evaluation)

[16] ISO/IEC TR 9126-4:2004 (Software engineering - Product quality)

[17] 104 12 30

[18] 105 3 2

17

OWASP NIST [ 1] ENISA [ 2] YD/T 2407-2013

[ 3] 4.1.1.1.

N/A Executive Summary 9. Secure software distribution

5.5.2

4.1.1.2.


5.5.4

4.1.1.3.


5.5.4

4.1.2.1.

N/A 4. Mobile App Evaluation - Privacy and Personally Identifiable Information

1. Identify and protect sensitive data

5.5.4

4.1.2.2.

V2.1: Verify that system credential storage facilities are used appropriately to store sensitive data, such as user credentials or cryptographic keys

4. Mobile App Evaluation - Privacy and Personally Identifiable Information

1. Identify and protect sensitive data

5.5.4 5.6.2

18

OWASP NIST [ 1] ENISA [ 2] YD/T 2407-2013 [ 3]

4.1.2.3.


4. Mobile App Evaluation - Protect Sensitive Data

1. Identify and protect sensitive data on the mobile device

5.6.3

4.1.2.4.

V2.6: Verify that no sensitive data is exposed via IPC mechanisms

4. Mobile App Evaluation - Protect Sensitive Data

4. Ensure sensitive data protection in transit

5.5.4 5.6.2

4.1.2.5.

V2.3: Verify that no sensitive data is shared with third parties unless it is a necessary part of the architecture

4. Mobile App Evaluation - Preserve Privacy

1. Identify and protect sensitive data on the mobile device

5.6.2

4.1.2.6.


N/A 1. Identify and protect sensitive data on the mobile device

5.6.4

19


4.1.3.1. V4.9: Verify that step-up authentication is required to enable actions that deal with sensitive data or transactions

N/A 8. Protect paid resources 5.5.4

4.1.3.2. V4.9: Verify that step-up authentication is required to enable actions that deal with sensitive data or transactions

N/A 8. Protect paid resources 5.5.4

4.1.4.1.

V4.1 : Verify that if the app provides users with access to a remote service, an acceptable form of authentication such as username/password authentication is performed at the remote endpoint

4. Mobile App Evaluation - Privacy and Personally Identifiable Information

3. Handle authentication and authorization factors securely on the device correctly

5.6.2

4.1.4.2. V5.4: Verify that the 4. Mobile App 2. User authentication, 5.5.4

20


app either uses its own certificate store, or pins the endpoint certificate or public key, and subsequently does not establish connections with endpoints that offer a different certificate or key, even if signed by a trusted CA

Evaluation Network Events

authorization and session management

4.1.5.1.

V1.7: Verify that a threat model for the mobile app and the associated remote services, which identifies potential threats and countermeasures, has been produced

4. Mobile App Evaluation: Malicious Functionality Malware Detection Communication with Known Disreputable Sites Libraries Loaded

6. Secure data integration with third party code 10. Handle runtime code interpretation

5.5.4

4.1.5.2.

V7.2: Verify that the app has been built in release mode, with

4. Mobile App Evaluation Classes Loaded

N/A 5.5.4

21


settings appropriate for a release build (e.g. non-debuggable)

4.1.5.3.

V1.2: Verify all third party components used by the mobile app, such as libraries and frameworks, are identified, and checked for known vulnerabilities

4. Mobile App Evaluation: Native Methods Libraries Loaded

6. Secure data integration with third party code

5.5.4

4.1.5.4.

V6.2: Verify that all inputs from external sources and the user are validated and if necessary sanitized. This includes data received via the UI, IPC mechanisms such as intents, custom URLs, and network sources

4. Mobile App Evaluation Input Validation

10. Handle runtime code interpretation

5.5.4

4.2.2.1. Webview N/A N/A N/A N/A

22


[ 1] Vetting the Security of Mobile ApplicationsApp, NIST Special Publication 800-163, http://dx.doi.org/10.6028/NIST.SP.800-163, 2015 [ 2] Smartphone Secure Development Guidelines, https://www.enisa.europa.eu/publications/smartphone-secure-development-guidelines-2016, ENISA, 2017 [ 3] , YD/T 2407-2013, 2013

23

4.1.1.1. 1 2

4.1.1.2. 3

4 4.1.1.3. 5

6 4.1.2.1. 7

4.1.2.2. 8

9

10

4.1.2.3. 11

12 13

24

14

15

16

17 18

4.1.2.4. 19

4.1.2.5. 20

21

4.1.2.6. 22

4.1.3.1. 23

4.1.3.2. 24 25

4.1.4.1. 26

25

4.1.4.2. 27 28 29

30

4.1.5.1.

31 32

4.1.5.2. 33

4.1.5.3. 34 4.1.1.

4.1.5.4. 35

4.2.2.1. Webview 36 Webview 37 Webview

1. 2. 3. 3.1. Mobile Application3.2. Application Store3.3. Personal Data3.4. Secure Sensitive Data3.5. Password3.6. Transaction Resource3.7. Session Identification, Session ID3.8. Server Certificate3.9. Certificate Authority3.10. Malicious Code3.11. Vulnerability3.12. Library3.13. Code Injection3.14. Mobile Operating System3.15. Mobile Resource3.16. In-App Update3.17. Common Vulnerabilities and Exposures3.18. Weak Cryptographic Algorithm3.19. Known Vulnerabilities3.20. Authentication3.21. Advanced Encryption Standard3.22. Triple Data Encryption Standard3.23. Elliptic Curve Cryptography3.24. Certificate Pinning3.25. Hash3.26. Obfuscation3.27. Using Secure Sensitive Data3.28. Log File3.29. Device Identifier3.30. (Cache Files or Temporary Files)3.31. Configuration File3.32. Encode3.33. Decode3.34. Payload3.35. Collecting Secure Sensitive Data3.36. Storing Secure Sensitive Data3.37. Common Vulnerability Scoring System3.38. (Secure Random Number Generator)3.39. (Secure Domain)3.40. (Secure Encryption Function)

4. 4.1. 4.1.1. 4.1.1.1. 4.1.1.2. 4.1.1.3.

4.1.2. 4.1.2.1. 4.1.2.2. 4.1.2.3. 4.1.2.4. 4.1.2.5. 4.1.2.6.

4.1.3. 4.1.3.1. 4.1.3.2.

4.1.4. 4.1.4.1. 4.1.4.2.

4.1.5. 4.1.5.1. 4.1.5.2. 4.1.5.3. 4.1.5.4.

4.2.

5. 6. Open Web Application Security Project (OWASP)Cloud Security Alliance (CSA)

Documents

行動應用 App 基本資安規範 - mas.org.tw · 交易資源控管安全 ... 人之資料，包括但不限於自然人之姓名、出生年月日、國民身分證統一