Difference between revisions of "Native App Security"
From MgmtWiki
(→Organizational Support) |
|||
Line 24: | Line 24: | ||
* Joint use [[Native App]]s are provide to some industries for all to use. It makes the trust decision by the user much more difficult. | * Joint use [[Native App]]s are provide to some industries for all to use. It makes the trust decision by the user much more difficult. | ||
===Organizational Support=== | ===Organizational Support=== | ||
− | * Rules for apps installed on Apple devices | + | * Rules for apps installed on Apple devices (not clear) |
* Rules for apps installed on Android devices <ref name='android'></ref> | * Rules for apps installed on Android devices <ref name='android'></ref> | ||
* Rules for apps installed on Windows devices are of two types, but it is not clear how the user could possibly distinguish, so the concept has not been helpful. | * Rules for apps installed on Windows devices are of two types, but it is not clear how the user could possibly distinguish, so the concept has not been helpful. | ||
+ | |||
==References== | ==References== | ||
<references /> | <references /> |
Revision as of 11:51, 21 September 2018
Contents
Full Title and Meme
An application that is installed on a user's computing device with full power to act as the user.
Context
- The day when a personal computer was for running application for the user is long gone, never to return.
- Today a personal computer depends on cloud based service for nearly all of its functionality.
- Some of those sites are willing to use a trusted User Agent, typically a web browser from a well-known and trusted vendor for rendering its content.
- The first of the Laws of Security tell us that when an attacker gets to run their code on your computer, it is not longer just your computer any longer.
- For the case where the user is not forced to allow an application to run on their personal device, see the page Web Site Security.
- Android App list of Data Categories that require User Consent. https://support.google.com/googleplay/answer/6270602?hl=en
- Apple iPhone App Requesting Permission: https://developer.apple.com/design/human-interface-guidelines/ios/app-architecture/requesting-permission/
- Apple iPhone app Requesting Authorization to use System Features: https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy
- Apple CKContainer manages all attempts to access user data on the device or in iCloud. https://developer.apple.com/documentation/cloudkit/ckcontainer
- Windows (UWP) settings are on all Windows 10 computer, but do not seem to be shown anywhere on the web. Just navigate start -> settings -> privacy -> app settings.
Problems
- One of the worst case scenarios for Native App security is that of payments made directly to a user's bank account.
- In Open Banking it is proposed that a payment initiator and a bank can both have Native Apps running where the payment initiator app asks the banking app on the same device for permission to remove money from the user's account.
Solutions
- The Native App exposes its name and the web site that backs it in a manner that allows the user to make a meaningful trust decision.
- Joint use Native Apps are provide to some industries for all to use. It makes the trust decision by the user much more difficult.
Organizational Support
- Rules for apps installed on Apple devices (not clear)
- Rules for apps installed on Android devices [1]
- Rules for apps installed on Windows devices are of two types, but it is not clear how the user could possibly distinguish, so the concept has not been helpful.
References
- ↑ 1.0 1.1 Handling Android App Links. https://developer.android.com/training/app-links/
Other References
- The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of web site software.
- ISACs are member-driven organizations, delivering all-hazards threat and mitigation information to asset owners and operators.
- Native App
- Native App Privacy