Conversation
@Abhi1366-create that is a really funny scenario. I like it! But.... What you are describing is web app authentication bypass, not mobile application bypass. You should read the following pages: https://mas.owasp.org/MASTG/tests/android/MASVS-CODE/MASTG-TEST-0034/ These describe how the instrumentation can allow a user access to a mobile device where sensitive information is stored on the device (not in the cloud). Which is the scenario we are looking at here. Besides that, your example is quite good.
Thanks for the clarification — that makes sense. I've updated the scenario to focus on mobile object persistence and local tampering, aligned with the MASTG guidance you shared. Let me know if this better reflects the intended threat model.
What can go wrong?

You forgot to format this into an h3 headline. See the text you removed.
Make sure you don’t remove the headlines. Add them back where appropriate please.
d50240c to e84af43
e84af43 to c20202f
@Abhi1366-create one of your commits is unverified. Please make sure they all have a verified signature.
| @@ -1,11 +1,104 @@ | |||
| ## Scenario: Abdullah can bypass authentication by altering the usual process sequence or flow, or by undertaking the process in incorrect order, or by manipulating date and time values used by the app, or by using valid features for unintended purposes | |||
| \### Scenario | |||
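Review bot: the added line `\### Scenario` starts with a backslash, which escapes the `#` so Markdown renders it as the literal text "### Scenario" instead of an h3 heading; remove the backslash and write `### Scenario`. Of the visible lines, the removed `## Scenario: Abdullah can bypass authentication ...` line also carried the scenario title at h2, while the added line has no title at all, so confirm the title is still present as a heading in the new text.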
There is a strange backward slash before all the headlines? Is there a purpose behind this?
This PR adds a playful scenario, STRIDE classification, and mitigation guidance for the MobileApp AA7 card.
Follows the tone and structure of AA2 and AA3.