Difference between revisions of "Native App Security"
From MgmtWiki
(→Organizational Support) |
(→Solutions) |
||
Line 23: | Line 23: | ||
** Apple has not released any plans to improve app naming security as of 2018-09-21. | ** Apple has not released any plans to improve app naming security as of 2018-09-21. | ||
* Joint use [[Native App]]s are provide to some industries for all to use. It makes the trust decision by the user much more difficult. | * Joint use [[Native App]]s are provide to some industries for all to use. It makes the trust decision by the user much more difficult. | ||
+ | * Same Site was designed to help, but [https://outlook.live.com/mail/inbox/id/AQQkADAwATExAGMzNy1iY2JmLWIwYmYtMDACLTAwCgAQAHD5YNrixl9FqyVrfekhw50%3D as of (2018-09-21) it not consistently applied]. | ||
===Organizational Support=== | ===Organizational Support=== | ||
* Rules for apps installed on Apple devices (not clear) | * Rules for apps installed on Apple devices (not clear) |
Revision as of 11:54, 21 September 2018
Contents
Full Title and Meme
An application that is installed on a user's computing device with full power to act as the user.
Context
- The day when a personal computer was for running application for the user is long gone, never to return.
- Today a personal computer depends on cloud based service for nearly all of its functionality.
- Some of those sites are willing to use a trusted User Agent, typically a web browser from a well-known and trusted vendor for rendering its content.
- The first of the Laws of Security tell us that when an attacker gets to run their code on your computer, it is not longer just your computer any longer.
- For the case where the user is not forced to allow an application to run on their personal device, see the page Web Site Security.
- Android App list of Data Categories that require User Consent. https://support.google.com/googleplay/answer/6270602?hl=en
- Apple iPhone App Requesting Permission: https://developer.apple.com/design/human-interface-guidelines/ios/app-architecture/requesting-permission/
- Apple iPhone app Requesting Authorization to use System Features: https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy
- Apple CKContainer manages all attempts to access user data on the device or in iCloud. https://developer.apple.com/documentation/cloudkit/ckcontainer
- Windows (UWP) settings are on all Windows 10 computer, but do not seem to be shown anywhere on the web. Just navigate start -> settings -> privacy -> app settings.
Problems
- One of the worst case scenarios for Native App security is that of payments made directly to a user's bank account.
- In Open Banking it is proposed that a payment initiator and a bank can both have Native Apps running where the payment initiator app asks the banking app on the same device for permission to remove money from the user's account.
Solutions
- The Native App exposes its name and the web site that backs it in a manner that allows the user to make a meaningful trust decision.
- Joint use Native Apps are provide to some industries for all to use. It makes the trust decision by the user much more difficult.
- Same Site was designed to help, but as of (2018-09-21) it not consistently applied.
Organizational Support
- Rules for apps installed on Apple devices (not clear)
- Rules for apps installed on Android devices [1]
- Rules for apps installed on Windows devices are of two types, but it is not clear how the user could possibly distinguish, so the concept has not been helpful.
References
- ↑ 1.0 1.1 Handling Android App Links. https://developer.android.com/training/app-links/
Other References
- The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of web site software.
- ISACs are member-driven organizations, delivering all-hazards threat and mitigation information to asset owners and operators.
- Native App
- Native App Privacy