Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CRYPTO: Export and import crypto regulations #1885

Merged
merged 4 commits into from
Jun 30, 2022
Merged

CRYPTO: Export and import crypto regulations #1885

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
f9d1cea
add info about crypto regulations
julepka Mar 26, 2021
7fec466
removed trailing space
julepka Mar 26, 2021
8faf540
add reference to MSTG-ARCH-12
julepka Mar 30, 2021
55e3f29
Update Document/0x04g-Testing-Cryptography.md
cpholguera Jun 30, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions Document/0x04g-Testing-Cryptography.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -199,3 +199,17 @@ In larger organizations, or when high-risk applications are created, it can ofte
- MSTG-CRYPTO-2: "The app uses proven implementations of cryptographic primitives."
- MSTG-CRYPTO-3: "The app uses cryptographic primitives that are appropriate for the particular use-case, configured with parameters that adhere to industry best practices."
- MSTG-CRYPTO-4: "The app does not use cryptographic protocols or algorithms that are widely considered deprecated for security purposes."

## Cryptography Regulations
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please make this a test case covering MSTG-ARCH-12?

Also please consider including the points within this issue: #1491

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cpholguera I see that #1491 is more about user privacy while this PR is for CRYPTO section that doesn't relate to private user data. I can add a reference to the MSTG-ARCH-12 the same way it is done for Cryptography References above. I believe it will look consistent and nice.

Yeah, I don't think it is a proper place to cover the whole topic of MSTG-ARCH-12. In general, it seems to me that having a separate chapter for ARCH requirements can be very helpful. Some information from other chapters can be moved to ARCH and that should simplify the MSTG structure in general.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see the issue now, so actually we'd have to see if we need to add crypto to MSTG-ARCH-12 or to have a new MSTG-CRYPTO requirements for this. We'll discuss this and let you know ;)

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good news, we're considering a new MASVS-CRYPTO-5 covering this:

The app should comply with cryptography laws and regulations.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@julepka, for this we should see how we can actually test it.

  • On iOS we can check if the app includes ITSEncryptionExportCompliance, so we could verify that in the Info.plist. Maybe we can also verify in the AppStore?
  • What about Android? They don't provide many details. Could you help us finding out how we could test this for Android apps?

Thank you!

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update: we already discussed this and we won't add a requirement. It's a purely operational thing, required as part of the publishing process so there's no way around it. Even if an app would not comply/declare this properly, that does not imply a vulnerability.

We still see this as a "reminder" in the MSTG, as you already nicely did in this PR (maybe we only need to relocate it, but you already put all needed info).

Once we publish MASVS-CRYPTO you still have the chance to comment on this if you want.

Thanks again @julepka!


When you upload the app to the App Store or Google Play, your application is typically stored on a US server. If your app contains cryptography and is distributed to any other country, it is considered a cryptography export. It means that you need to follow US export regulations for cryptography. Also, some countries have import regulations for cryptography.

### References

- MSTG-ARCH-12: "The app should comply with privacy laws and regulations."
- [Complying with Encryption Export Regulations (Apple)](https://developer.apple.com/documentation/security/complying_with_encryption_export_regulations "Complying with Encryption Export Regulations")
- [Export compliance overview (Apple)](https://help.apple.com/app-store-connect/#/dev88f5c7bf9 "Export compliance overview")
- [Export compliance (Google)](https://support.google.com/googleplay/android-developer/answer/113770?hl=en "Export compliance")
- [Encryption and Export Administration Regulations (USA)](https://www.bis.doc.gov/index.php/policy-guidance/encryption "Encryption and Export Administration Regulations")
- [Encryption Control (France)](https://www.ssi.gouv.fr/en/regulation/cryptology/ "Encryption Control")
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cpholguera marked this conversation as resolved.
Show resolved Hide resolved
- [World map of encryption laws and policies](https://www.gp-digital.org/WORLD-MAP-OF-ENCRYPTION/)