Safe App Standard
Product Information
Details
- Product name: CSA's Safe App Standard
- Version: 1.0
- Release date: 10 January 2024
About the Standard
The CSA's Safe App Standard is a set of guidelines and best practices for implementing authentication security controls in mobile applications. It aims to ensure secure authentication methods and to protect sensitive data from unauthorised access. The standard was developed in consultation with various organisations and experts in the cybersecurity field.
Purpose, Scope, and Intended Audience
The purpose of the CSA's Safe App Standard is to provide developers with recommendations and best practices for implementing secure authentication controls in mobile applications. The standard applies to developers and organisations involved in developing mobile applications that require authentication. It is designed to strengthen the overall security of the authentication process and to protect users' privacy.
Developer's Notice and Guidance
The CSA's Safe App Standard provides guidance to developers on implementing authentication security controls. It emphasises the importance of following industry best practices and of implementing authentication methods securely. Developers should refer to the standard for full guidance on implementing the recommended security controls.
Document Definitions and Normative References
The CSA's Safe App Standard includes document definitions and normative references that define the terms used and point to other industry standards and guidelines. Developers should refer to these definitions and references for a better understanding of the standard.
Product Usage Instructions
Authentication
Authentication is a critical component of many mobile applications. It verifies the identity of users, clients, devices, and applications before granting access to specific resources or permitting certain actions. The CSA's Safe App Standard provides recommendations and best practices for implementing secure authentication controls.
Security Controls
The CSA's Safe App Standard includes the following authentication security controls:

ID | Control
---|---
AUTHN-BP01 | The app uses Multi-Factor Authentication (MFA) to verify high-risk transactions.
AUTHN-BP02 | The app uses context-based factors for authentication.
AUTHN-BP03 | The app uses secure session management.
AUTHN-BP04 | The app implements secure session termination upon logout, inactivity, or app shutdown.
AUTHN-BP05 | The app implements brute-force protection for authentication.
AUTHN-BP06 | The app implements a transaction integrity verification mechanism.
AUTHN-BP01 – Multi-Factor Authentication (MFA)
In a typical single-factor authentication scheme, users usually only need to enter Something-You-Know (such as usernames and passwords). MFA adds layers of identity verification by requiring additional factors such as Something-You-Have and Something-You-Are. This makes it considerably harder for malicious actors to compromise accounts and strengthens the overall security of the authentication process.
Implementation Guidance
Developers should implement step-up MFA, which requires an additional level of verification for high-risk transactions. The CSA's Safe App Standard ranks combinations of the following MFA factors in order of preference:
- Something-You-Know
- Something-You-Have
- Something-You-Are
Frequently Asked Questions (FAQ)
Q: What is the purpose of the CSA's Safe App Standard?
A: The purpose of the CSA's Safe App Standard is to provide developers with recommendations and best practices for implementing secure authentication controls in mobile applications.
Q: Who is the intended audience for the CSA's Safe App Standard?
A: The CSA's Safe App Standard is intended for developers and organisations involved in developing mobile applications that require authentication.
Q: What are the benefits of implementing Multi-Factor Authentication (MFA)?
A: Implementing MFA adds layers of identity verification, making it harder for malicious actors to compromise accounts and strengthening the overall security of the authentication process.
CSA's Safe App Standard Version 1.0, released on 10 January 2024
In Consultation with:
- The Association of Banks in Singapore, Standing Committee on Cyber Security
- Deloitte Southeast Asia Risk Advisory
- Ernst & Young Advisory Pte. Ltd.
- KPMG in Singapore
- Lazada
- Microsoft Singapore
- PricewaterhouseCoopers Risk Services Pte. Ltd.
Disclaimer:
These organisations were consulted on the Standard for their views and feedback on the security controls, the description of the security controls, and the technical implementation guidance. To the extent permitted under law, CSA and the external consultants shall not be liable for any errors, mistakes and/or omissions contained herein, or for any loss or damage of any kind (including any loss of profit, business, goodwill or reputation, and/or any special, incidental or consequential damages) arising from any use of or reliance on this Standard. Organisations developing mobile applications, service providers and developers are advised to consider how the Standard may apply to their specific circumstances and to obtain their own legal and/or technical advice on the content and/or implementation of the recommendations in the Standard. Organisations developing mobile applications, service providers and developers should exercise professional judgement when applying the recommendations in the Standard, and consider whether additional measures are required in their specific circumstances.
Contents
In Consultation with
About the Standard
Purpose, Scope, and Intended Audience
Document Definitions and Normative References
1. Authentication
   AUTHN-BP01, AUTHN-BP01a, AUTHN-BP01b, AUTHN-BP01c, AUTHN-BP02, AUTHN-BP03, AUTHN-BP03a, AUTHN-BP03b, AUTHN-BP04, AUTHN-BP05, AUTHN-BP06
2. Authorization
   AUTHOR-BP01, AUTHOR-BP02, AUTHOR-BP03, AUTHOR-BP04
3. Data Storage (Data-at-Rest)
   STORAGE-BP01, STORAGE-BP02, STORAGE-BP02a, STORAGE-BP02b, STORAGE-BP03
4. Anti-Tampering & Anti-Reversing
   RESILIENCE-BP01, RESILIENCE-BP02, RESILIENCE-BP03, RESILIENCE-BP04, RESILIENCE-BP05, RESILIENCE-BP06, RESILIENCE-BP07
References
About the Standard
Introduction
The Safe App Standard is a recommended standard for mobile applications (apps), developed by the Cyber Security Agency of Singapore (CSA) in consultation with industry partners from financial institutions, technology organisations, consultancy firms and government agencies.
Overview
The purpose of the Standard is to provide a recommended set of security control principles for mobile app developers and service providers to follow. This will ensure that all local apps adhere to a common security control baseline for mobile applications, thereby raising the security posture of apps used and built in Singapore.
Purpose, Scope, and Intended Audience
This document is intended to provide recommendations and suggestions to developers to help them implement security features in their apps. Such recommendations are intended to help developers mitigate common cybersecurity threats and protect their apps against current mobile scams and malware. The content herein is non-binding, is provided on an as-is basis and is intended to be informational in nature; it is not intended to identify all possible cybersecurity threats or to fully describe the actions or practices developers should take to address or prevent such threats. Version 1 of the Safe App Standard guidelines and security controls focuses mainly on providing security guidance to developers of high-risk apps to counter the current malware and scams seen in Singapore's threat landscape. These security controls can, however, also benefit and be implemented by other apps, and all developers are encouraged to implement these measures for improved mobile app security. While this Standard has its current focus, future revisions will expand to address security best practices and guidelines for the full mobile app stack.
Developer's Notice and Guidance
This is a living document that will be subject to periodic review and updates. Like many other established standards, the Safe App Standard will be updated regularly to keep pace with the current and evolving threat landscape and new attack vectors. Please check the CSA website to stay updated on the latest version of the Safe App Standard and adjust security measures and controls accordingly. This Standard should be read together with, and does not replace, vary or supersede, the legal, regulatory or other obligations and duties of developers and service providers, including those under the Cybersecurity Act 2018 and any subsidiary legislation, codes of practice, standards of performance or written directions issued thereunder. Use of this document and implementation of the recommendations herein also do not release or discharge the developer and service provider from such obligations or duties. The contents of this document are not intended to be a statement having legal effect or to substitute for legal or other professional advice.
Developer guidance on the security framework of the Safe App Standard
For ease of use, developers should note that Version 1 of the Safe App Standard focuses on the following key areas, and the document itself is divided into the following sections:
- Authentication
- Authorization
- Data Storage (Data-at-Rest)
- Anti-Tamper & Anti-Reversing
These key areas are included to secure the mobile app's security posture against common attack vectors used by malicious actors in our local environment. The Safe App Standard provides a clear and concise set of security controls, guidelines and best practices for strengthening the security of mobile applications that provide or permit high-risk transactions.
Document Definitions and Normative References
Document Definitions
The following are some of the definitions that developers and readers should keep in mind when using this document:
Sensitive information: User information such as Personally Identifiable Information (PII), and authentication information such as tokens, encryption keys, one-time passwords, biometric data, security tokens, certificates, etc.
High-risk transactions are those that include:
- Changes to financial functions; some examples include, but are not limited to, third-party payee registration, increases to fund transfer limits, etc.
- Initiation of financial transactions; some examples include, but are not limited to, high-value financial transactions, high-value fund transfers, online card transactions, direct debits, wallet functions and top-ups, etc.
- Changes to app security settings; some examples include, but are not limited to, disabling authentication methods, updating digital tokens or credentials, etc.
Security controls: Procedural or technical measures recommended in this document that should be implemented to manage, monitor and mitigate potential vulnerabilities or security incidents. These security controls carry IDs of the form AUTHN-BP01, AUTHOR-BP01, STORAGE-BP01, RESILIENCE-BP01.
Normative References
The Safe App Standard references industry standards from the Open Web Application Security Project (OWASP), the European Union Agency for Network and Information Security (ENISA) and the Payment Card Industry Data Security Standard (PCI DSS). The list of references is as follows:
- OWASP's MASVS (Mobile Application Security Verification Standard)
- OWASP's MASTG (Mobile Application Security Testing Guide)
- ENISA's Secure Development Guidelines (SSDG)
- PCI DSS' Mobile Payment Acceptance Guidelines for Developers
1. Authentication
Introduction
Authentication is a critical component of many mobile applications. These apps often use various forms of authentication, including biometrics, PINs, or multi-factor authentication code generators. Ensuring that the authentication mechanism is secure and implemented according to industry best practices is essential to verifying the user's identity.
By implementing strong security controls for authentication, developers can ensure that only authenticated users, clients, applications and devices can access specific resources or perform specific actions. With secure authentication controls, developers can also reduce the risk of unauthorised data access, maintain the integrity of sensitive data, preserve user privacy and protect the processing of high-risk transactions.
The controls in this section recommend the authentication controls an app should use to protect sensitive data and prevent unauthorised access. They also give developers best practices for implementing these security controls.
Security Controls

ID | Control
---|---
AUTHN-BP01 | Use Multi-Factor Authentication to verify high-risk transactions.
AUTHN-BP01a | Use Something-You-Know authentication as one of the MFA factors.
AUTHN-BP01b | Use Something-You-Have authentication as one of the MFA factors.
AUTHN-BP01c | Use Something-You-Are authentication as one of the MFA factors.
AUTHN-BP02 | Use context-based factors for authentication.
AUTHN-BP03 | Implement secure session management.
AUTHN-BP03a | Implement secure stateful authentication.
AUTHN-BP03b | Implement secure stateless authentication.
AUTHN-BP04 | Implement secure session termination upon logout, inactivity, or app shutdown.
AUTHN-BP05 | Implement brute-force protection for authentication.
AUTHN-BP06 | Implement a transaction integrity verification mechanism.
AUTHN-BP01
Control
The app uses Multi-Factor Authentication (MFA) to verify high-risk transactions.
Description
In a typical single-factor authentication scheme, users only need to enter Something-You-Know¹, such as usernames and passwords. If this single factor fails or is compromised, however, the entire authentication process is exposed.
MFA is an authentication process that adds layers of identity verification, requiring not only Something-You-Know but also Something-You-Have² and Something-You-Are³. Implementing MFA makes it considerably harder for malicious actors to compromise accounts and strengthens the overall security of the authentication process.
Implementation Guidance
Developers should implement step-up MFA. This is a specific form of MFA in which the app enforces an authentication policy that requires an additional level of verification, particularly when a high-risk transaction is attempted.
Developers should prioritise the following MFA combinations in the order 1, 2, 3 and 4, with option 1 being the most secure.

Factors / Option | Something-You-Know | Something-You-Have (software token, hardware token, SMS OTP) | Something-You-Are
---|---|---|---
1 | | |
2 | | |
3 | | |
4 | | |

[The per-option factor selections in this table are not recoverable from the extracted text.]

¹ Something-You-Know refers to information the user knows, such as a PIN (Personal Identification Number), password, or pattern, etc.
² Something-You-Have requires users to authenticate with a physical device, app, or token that generates authentication credentials, which may include One-Time Passwords (OTPs). Examples of such tokens include software tokens, hardware tokens, and SMS OTP.
³ Something-You-Are refers to biometric identifiers, where the user's unique physical characteristics are used to authenticate, such as fingerprints, retina scans, facial recognition, or voice recognition.
Developers are strongly advised not to rely on SMS and email OTP as the authentication channel for high-risk transactions. Where this is unavoidable, a biometric factor or an additional authentication factor must be implemented alongside the SMS OTP or email OTP.
Things to take note of
- It is strongly recommended to opt for off-platform (out-of-band) solutions where possible.
- Developers should ensure that at least one MFA factor is verified on the client side, and all others are verified on the server side. Where verification is done on the client side, especially on Android, use code based on the Trusted Execution Environment (TEE).
- This security control is described in other standards. Please refer to the document(s) provided at:
  - OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), pg. 21.
  - OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 51, 56.
  - MAS Technology Risk Management Guidelines (2021), pg. 34, 50.
  - ENISA Smartphone Secure Development Guidelines (2016), pg. 11.
AUTHN-BP01a
Control
The app uses Something-You-Know authentication as one of the MFA factors.
Description
Something-You-Know is the fundamental component of identity verification: information known only to the user, such as a PIN (Personal Identification Number), password, pattern, etc. Implementing Something-You-Know as one of the MFA factors establishes a baseline level of identity verification by requiring users to provide unique credentials tied to their accounts. It is a key element of the "Something-You-Know, Something-You-Have and Something-You-Are" principle, contributing to a comprehensive and effective multi-layered security strategy.
Implementation Guidance
Developers should follow these guidelines for creating strong and secure passwords:
- Ensure a minimum password length of 12 characters or more.
- Include a mix of uppercase and lowercase letters, numbers, and special characters limited to ~`!@#$%^&*()_-+=:;,.?
Developers should also be aware of and avoid common pitfalls in password creation:
- Avoid dictionary words, phrases, or combinations of them.
- Avoid including personal information.
- Avoid sequential characters (e.g., "123456") or repeated characters (e.g., "aaaaa").
Things to take note of
- Developers must implement credential rotation for organisation-owned assets only, or where no MFA is implemented at the user's end, e.g., rotated annually or at an appropriate interval.
- This security control is described in other standards. Please refer to the document(s) provided at:
  - MAS Technology Risk Management Guidelines (2021), pg. 34.
  - ENISA Smartphone Secure Development Guidelines (2016), pg. 10.
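The password guidance above, turned into a server-side policy check. This is an added example, not code from the Standard or from CSA; the `COMMON_WORDS` denylist is a constructed stand-in for a real dictionary or breached-password list, and the run length of four characters used to flag "sequential" and "repeated" patterns is an assumption (the Standard gives only the examples "123456" and "aaaaa").

```python
"""Password policy checker for the AUTHN-BP01a guidance (added example, not CSA code)."""
from __future__ import annotations

import re

MIN_LENGTH = 12
PERMITTED_SPECIALS = set("~`!@#$%^&*()_-+=:;,.?")   # the character set named in the guidance
RUN_LENGTH = 4                                      # assumption: 4+ sequential/repeated chars is a run

# Constructed mini-denylist standing in for a real dictionary / breached-password list.
COMMON_WORDS = frozenset({"password", "qwerty", "welcome", "letmein", "singapore"})


def has_sequential_run(pw: str, run: int = RUN_LENGTH) -> bool:
    """True if `run` consecutive characters step by exactly +1 or -1 (e.g. "1234", "dcba")."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_repeated_run(pw: str, run: int = RUN_LENGTH) -> bool:
    """True if one character appears `run` or more times in a row (e.g. "aaaa")."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def check_password(pw: str, personal_info: tuple[str, ...] = ()) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.

    personal_info: attributes already known about the user (name, username, birth year, ...)
    so that passwords embedding them can be rejected.
    """
    problems: list[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in PERMITTED_SPECIALS for c in pw):
        problems.append("no special character from the permitted set")
    if any(not ((c.isascii() and c.isalnum()) or c in PERMITTED_SPECIALS) for c in pw):
        problems.append("contains a character outside the permitted set")
    if has_sequential_run(pw):
        problems.append("contains sequential characters")
    if has_repeated_run(pw):
        problems.append("contains repeated characters")
    lowered = pw.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if any(len(item) >= 3 and item.lower() in lowered for item in personal_info):
        problems.append("contains personal information")
    return problems
```

The check returns every violation rather than the first one so the app can show the user the complete list; the denylist and personal-information checks are substring matches on the lowercased password, which is what catches "Password2024!" or a surname with a suffix.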
AUTHN-BP01b
Control
The app uses Something-You-Have authentication as one of the MFA factors.
Description
Something-You-Have requires users to authenticate with a physical device, app, or token that generates authentication credentials, which may include One-Time Passwords (OTPs). Examples of such tokens include software tokens, hardware tokens, and SMS OTP. Implementing Something-You-Have as one of the MFA factors adds complexity to the authentication process by requiring possession of a tangible item, significantly reducing the likelihood of unauthorised access. It is a key element of the "Something-You-Know, Something-You-Have and Something-You-Are" principle, contributing to a comprehensive and effective multi-layered security strategy.
Implementation Guidance
Developers should use time-based OTPs for software tokens, hardware tokens and SMS OTP. The following guidelines should be followed:
- The OTP should be valid for no more than 30 seconds.
- An OTP entered incorrectly 3 times should expire, and the user's session must be cleared or denied.
Things to take note of
- This security control is described in other standards. Please refer to the document(s) provided at:
  - OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 56-57.
  - MAS Technology Risk Management Guidelines (2021), pg. 50, 51.
  - ENISA Smartphone Secure Development Guidelines (2016), pg. 10.
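Server-side verification of a time-based OTP with the 30-second validity and 3-attempt limit from the guidance above. This is an added example, not code from the Standard; HOTP and TOTP are computed as specified in RFC 4226 and RFC 6238 (HMAC-SHA1, 6 digits), and the `OtpVerifier` class, its outcome strings and the per-session bookkeeping are this example's own design.

```python
"""Server-side OTP verification for the AUTHN-BP01b guidance (added example, not CSA code).
HOTP/TOTP follow RFC 4226 / RFC 6238; the 30-second validity and the 3-attempt limit come
from the guidance."""
from __future__ import annotations

import hashlib
import hmac
import struct

STEP_SECONDS = 30      # an OTP is valid for at most one 30-second time step
MAX_ATTEMPTS = 3       # the third wrong entry burns the OTP and locks the session


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, unix_time // step)


class OtpVerifier:
    """Tracks OTP attempts per session.

    Outcomes: "ok"; "retry" (wrong, attempts remain); "denied" (locked: the caller must
    clear the session and restart authentication from the first factor).
    """

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.failures: dict[str, int] = {}
        self.locked: set[str] = set()
        self.consumed: set[tuple[str, int]] = set()   # (session, step) pairs already redeemed

    def verify(self, session_id: str, submitted: str, unix_time: int) -> str:
        if session_id in self.locked:
            return "denied"
        step = unix_time // STEP_SECONDS
        # Only the current step is accepted, so a code older than 30 s is simply wrong.
        well_formed = submitted.isascii() and submitted.isdigit()
        fresh = (session_id, step) not in self.consumed
        if well_formed and fresh and hmac.compare_digest(totp(self.secret, unix_time), submitted):
            self.consumed.add((session_id, step))      # blocks replay within the same step
            self.failures.pop(session_id, None)
            return "ok"
        attempts = self.failures.get(session_id, 0) + 1
        self.failures[session_id] = attempts
        if attempts >= MAX_ATTEMPTS:
            self.locked.add(session_id)
            return "denied"
        return "retry"
```

Accepting only the current step is the strict reading of "valid for no more than 30 seconds"; it also means no tolerance for clock drift between the token and the server, so deployments with hardware tokens usually need a resynchronisation path rather than a wider window. A correct code submitted a second time in the same step is treated as a failed attempt, since a genuine user has no reason to resend it.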
AUTHN-BP01c
Control
The app uses Something-You-Are authentication as one of the MFA factors.
Description
Something-You-Are requires users to authenticate with biometric identifiers such as fingerprints, retina scans, or facial recognition. Implementing Something-You-Are as one of the MFA factors adds a highly personal and hard-to-replicate authentication factor. It provides a stronger means of verifying the user's identity than Something-You-Know and Something-You-Have factors, reducing the risk of unauthorised access. It is a key element of the "Something-You-Know, Something-You-Have and Something-You-Are" principle, contributing to a comprehensive and effective multi-layered security strategy.
Implementation Guidance
Developers must implement server-side biometric authentication using a trusted biometric identity platform such as Singpass. Where this is not possible, developers should implement client-side biometric authentication through the device's Trusted Execution Environment (TEE) mechanisms, such as CryptoObject and Android Protected Confirmation for Android apps, or Keychain for iOS.
Things to take note of
- Developers must restrict app functionality on devices without a hardware Trusted Execution Environment (TEE) or biometrics. For example, Android devices lacking a TEE can be detected using the "isInsideSecureHardware" Android API (deprecated since Android 12 / API level 31 in favour of KeyInfo.getSecurityLevel()).
- Developers must invalidate biometric authentication if the biometric enrolment changes, such as when a new fingerprint is enrolled on the device. Both the iOS and Android platforms support configuring the app's crypto key to be invalidated on such changes.
- This security control is described in other standards. Please refer to the document(s) provided at:
  - OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 227-233, 422-426.
  - MAS Technology Risk Management Guidelines (2021), pg. 51.
  - ENISA Smartphone Secure Development Guidelines (2016), pg. 11, 26.
AUTHN-BP02
Control
The app uses context-based factors for authentication.
Description
Context-based factors introduce dynamic elements such as the user's location and device characteristics. While MFA provides strong protection by requiring multiple authentication factors, adding context-based factors creates a comprehensive and adaptive authentication process that offers additional protection against the evolving risk of unauthorised access. Context-based factors reduce reliance on static factors, making unauthorised access attempts harder for malicious actors.
Implementation Guidance
Developers must consider the following factors when verifying the user's identity:
- Geolocation: permit login based on the device's real-world location, using GPS, Wi-Fi, or IP address geolocation.
- Device type: permit access based on device characteristics; for example, screen size can indicate whether the device is a smartphone or a tablet.
Things to take note of
This security control is described in other standards. Please refer to the document(s) provided at:
- OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 56, 58.
- ENISA Smartphone Secure Development Guidelines (2016), pg. 11.
AUTHN-BP03
Control
The app uses secure session management.
Description
Secure session management ensures robust handling of sessions for both stateful⁴ and stateless⁵ authentication. Poorly managed sessions, regardless of whether the app follows stateful or stateless authentication, can lead to security risks such as unauthorised access, session hijacking, or data breaches. For stateful sessions, secure session management uses secure session identifiers, encrypted communication and proper timeouts to prevent unauthorised access. For stateless authentication, it ensures that tokens are tamper-resistant, preserving the integrity of authentication without relying on server-side storage.
Implementation Guidance
Developers must implement secure session management by following the best practices below for stateful (AUTHN-BP03a) and stateless (AUTHN-BP03b) session authentication methods.
Things to take note of
This security control is described in other standards. Please refer to the document(s) provided at:
- OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 51-55.
- MAS Technology Risk Management Guidelines (2021), pg. 51.
- ENISA Smartphone Secure Development Guidelines (2016), pg. 10.

⁴ Stateful authentication refers to managing session state on the server side, typically requiring the use of session identifiers.
⁵ Stateless authentication refers to managing sessions without storing user-specific session data on the server side.
AUTHN-BP03a
Control
The app uses secure stateful authentication.
Description
Secure stateful authentication involves protecting and managing persistent sessions. While stateful authentication provides a seamless user experience across sessions, it can be exposed to threats such as malicious actors attempting to steal session identifiers. Implementing secure stateful authentication protects user accounts from unauthorised access and from the risks associated with session management, without upsetting the balance between usability and security.
Implementation Guidance
Developers should be aware of server-side endpoints that expose sensitive information or functions. Developers must also follow these session management best practices:
- Reject requests with missing or invalid session IDs or tokens.
- Generate session IDs randomly on the server side, and never embed them in URLs.
- Give session IDs adequate length and entropy so that they are hard to guess.
- Exchange session IDs only over secure HTTPS connections.
- Avoid storing session IDs in persistent storage.
- Verify session IDs before granting the user access to privileged app components.
- Terminate sessions on the server side, clearing session information on timeout or logout.
Things to take note of
- If in doubt, consider using trusted authentication frameworks and protocols.
- This security control is described in other standards. Please refer to the document(s) provided at:
  - OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 52.
AUTHN-BP03b
Control
The app uses secure stateless authentication.
Description
Secure stateless authentication relies on secure token-based mechanisms for efficient and scalable authentication. While stateless authentication offers advantages, it is exposed to threats such as user impersonation if tokens are not generated, transmitted and stored securely. Implementing secure stateless authentication ensures that every authentication token is handled securely while retaining the efficiency and scalability benefits, reducing the risk of unauthorised access.
Implementation Guidance
Developers must follow these session management best practices:
- Generate tokens on the server side, and never embed them in URLs.
- Give tokens adequate length and entropy so that they are hard to guess.
- Exchange tokens only over secure HTTPS connections.
- Ensure no sensitive data, such as PII, is embedded in tokens.
- Avoid storing tokens in persistent storage.
- Verify tokens before granting the user access to privileged app components.
- Terminate tokens on the server side, clearing session information on timeout or logout.
- Cryptographically sign tokens using a secure algorithm, avoiding deprecated algorithms.
Things to take note of
- If in doubt, consider using trusted authentication frameworks and protocols.
- This security control is described in other standards. Please refer to the document(s) provided at:
  - OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 52-53.
19
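The token practices listed above, as an added example in Python (not code from the CSA Safe App Standard): tokens are signed server side with HMAC-SHA256 under a fixed algorithm, carry an opaque account id rather than PII, expire, and can be terminated on the server through a revocation set. The signing key, claim names and the in-memory revocation set are assumptions of this example.

```python
"""Signed stateless token with server-side revocation.

Added example, not code from the CSA Safe App Standard. Assumptions (mine):
HMAC-SHA256 with a server-held key, an opaque account id as the subject
(never PII), and a per-token random id ("jti") recorded in a revocation set
so that logout/termination can be enforced on the server side.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example: 256-bit key from the OS CSPRNG. In production it
# lives in a secrets manager or HSM, never inside the mobile app binary.
SIGNING_KEY = secrets.token_bytes(32)

# Server-side record of terminated tokens (by "jti"), checked on every request.
REVOKED_JTIS: set[str] = set()

# Claims that must never be embedded in a token (examples of PII).
FORBIDDEN_CLAIMS = {"email", "phone", "name", "nric", "address"}


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload_b64: str, key: bytes) -> bytes:
    # The algorithm is fixed on the server; the token carries no "alg" field
    # that a client could downgrade to "none" or to a weak algorithm.
    return hmac.new(key, payload_b64.encode("ascii"), hashlib.sha256).digest()


def issue_token(subject: str, ttl_seconds: int, scopes: list[str],
                extra_claims: dict | None = None, now: float | None = None,
                key: bytes = SIGNING_KEY) -> str:
    """Issue "<payload>.<signature>" for an opaque account id with a short TTL."""
    if extra_claims and FORBIDDEN_CLAIMS & extra_claims.keys():
        raise ValueError("PII must not be embedded in tokens")
    now = time.time() if now is None else now
    payload = dict(extra_claims or {})
    payload.update({
        "sub": subject,                    # opaque id, not an email or NRIC
        "scp": sorted(scopes),             # app features this token may reach
        "iat": int(now),
        "exp": int(now) + ttl_seconds,
        "jti": secrets.token_urlsafe(16),  # 128-bit random id for revocation
    })
    payload_b64 = _b64u(json.dumps(payload, separators=(",", ":")).encode())
    return f"{payload_b64}.{_b64u(_sign(payload_b64, key))}"


def _verified_payload(token: str, key: bytes) -> dict | None:
    """Payload of a token whose signature checks out, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        if not hmac.compare_digest(_sign(payload_b64, key), _unb64u(sig_b64)):
            return None                     # signature mismatch: tampered/forged
        payload = json.loads(_unb64u(payload_b64))
    except ValueError:                      # malformed structure, base64 or JSON
        return None
    return payload if isinstance(payload, dict) else None


def verify_token(token: str, required_scope: str, now: float | None = None,
                 key: bytes = SIGNING_KEY) -> dict | None:
    """Return the payload if the token is genuine, unexpired, unrevoked and
    carries the required scope; otherwise None (the request is rejected)."""
    now = time.time() if now is None else now
    payload = _verified_payload(token, key)
    if payload is None:
        return None
    if payload.get("exp", 0) <= now:
        return None                         # expired
    if payload.get("jti") in REVOKED_JTIS:
        return None                         # terminated on the server side
    if required_scope not in payload.get("scp", []):
        return None                         # genuine, but not for this feature
    return payload


def revoke_token(token: str, key: bytes = SIGNING_KEY) -> bool:
    """Terminate a token (logout): only genuine tokens enter the revocation set."""
    payload = _verified_payload(token, key)
    if payload is None or "jti" not in payload:
        return False
    REVOKED_JTIS.add(payload["jti"])
    return True
```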
AUTHN-BP04
Control
The application applies secure session termination on logout, inactivity or app closure.
Description
Secure termination ensures that user sessions are closed properly. In scenarios such as logout, inactivity or device closure, malicious actors could exploit any lingering access if sessions are not managed properly. Implementing secure session termination on logout, inactivity or app closure can significantly reduce the risk of unauthorised access by ending user sessions and keeping information from reaching unauthorised parties.
Implementation guidance
Developers must re-authenticate users after logout, app inactivity, idle timeout, absolute timeout, or an unexpected/forced closure. Developers should also generate new session identifiers on the server whenever users step up to a new authentication level, to prevent session fixation.
Things to note
· Developers must ensure that session termination includes deleting or revoking locally stored tokens or session identifiers.
· Developers should evaluate the idle timeout value according to the risk and type of financial services.
· This security control is described in other standards. Please refer to the document(s) provided at:
o OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 55-56, 58.
o MAS Technology Risk Management Guidelines (2021), pg. 51.
o ENISA Smartphone Secure Development Guidelines (2016), pg. 11.
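Server-side session handling covering AUTHN-BP03a and AUTHN-BP04 together, as an added example in Python (not code from the CSA Safe App Standard): random server-generated identifiers, idle and absolute timeouts, identifier rotation on step-up, and termination that drops the record. The in-memory store and the 5-minute / 12-hour timeout values are assumptions of this example.

```python
"""Server-side session store with secure termination.

Added example, not code from the CSA Safe App Standard. Assumptions (mine):
an in-memory dict stands in for the session database, and the 5-minute idle
and 12-hour absolute timeouts are illustrative values to be set from the
organisation's own risk assessment of its financial services.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 5 * 60            # seconds without activity before re-authentication
ABSOLUTE_TIMEOUT = 12 * 60 * 60  # hard lifetime regardless of activity


@dataclass
class Session:
    user_id: str        # opaque account id, not PII
    auth_level: int     # 1 = password only, 2 = password + MFA (illustrative)
    created_at: float
    last_seen: float


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def _insert(self, session: Session) -> str:
        # 256-bit identifier from the OS CSPRNG, generated on the server and
        # returned in a header/body, never in a URL.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = session
        return sid

    def create(self, user_id: str, auth_level: int = 1,
               now: float | None = None) -> str:
        now = time.time() if now is None else now
        return self._insert(Session(user_id, auth_level, now, now))

    def validate(self, sid: str, now: float | None = None) -> Session | None:
        """Return the live session or None; expired sessions are terminated
        on the spot so their data does not linger on the server."""
        now = time.time() if now is None else now
        session = self._sessions.get(sid)
        if session is None:
            return None
        if (now - session.last_seen > IDLE_TIMEOUT
                or now - session.created_at > ABSOLUTE_TIMEOUT):
            self.terminate(sid)
            return None
        session.last_seen = now
        return session

    def step_up(self, sid: str, new_level: int,
                now: float | None = None) -> str | None:
        """Rotate the identifier when the user reaches a higher authentication
        level; the old id dies, which defeats session fixation."""
        now = time.time() if now is None else now
        session = self.validate(sid, now)
        if session is None or new_level <= session.auth_level:
            return None
        self.terminate(sid)
        # Keep created_at so the absolute timeout is not extended by stepping up.
        return self._insert(Session(session.user_id, new_level,
                                    session.created_at, now))

    def terminate(self, sid: str) -> bool:
        """Logout / app closure / timeout: drop the record entirely."""
        return self._sessions.pop(sid, None) is not None

    def active_count(self) -> int:
        return len(self._sessions)
```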
AUTHN-BP05
Control
The application applies brute-force protection for authentication.
Description
Brute-force attacks involve manual and automated attempts to guess user credentials, for example by trying different combinations of usernames and passwords to gain unauthorised access. Brute-force protection limits the number of login attempts within a given period. Applying brute-force protection for authentication can significantly reduce the risk of unauthorised access, protecting user accounts and preserving the integrity of the authentication process.
Implementation guidance
Developers must implement the following best practices:
· Implement anti-automation checks.
‣ Rate-limit login attempts. Include a progressive time delay (e.g., 30 seconds, 1 minute, 2 minutes) between login attempts.
· Avoid account lockouts.
Things to note
· Developers should be aware that all MFA methods are susceptible to brute-force attacks.
· Developers must provide the reason for an account lockout and offer accessible means for users to re-authenticate and remove the lockout. Examples include calling a helpline or using biometric authentication.
· This security control is described in other standards. Please refer to the document(s) provided at:
o ENISA Smartphone Secure Development Guidelines (2016), pg. 10, 16.
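The rate limiting with progressive delays described above, as an added example in Python (not code from the CSA Safe App Standard). The ladder 30 s, 1 min, 2 min follows the standard's illustration; the 5-minute ceiling, the three free attempts, the 15-minute reset window, the account-plus-source keying and the `password_ok` stand-in for the real credential check are assumptions of this example.

```python
"""Login throttling with progressive delays and no hard lockout.

Added example, not code from the CSA Safe App Standard. The 30 s / 1 min /
2 min ladder follows the standard's illustration; the 5-minute ceiling, the
three free attempts, the 15-minute reset window and the account+source keying
are my assumptions. `password_ok` stands in for the real credential check.
"""
from __future__ import annotations

import time

# Delay (seconds) imposed after the Nth consecutive failure; index = failures.
DELAY_LADDER = (0, 0, 0, 30, 60, 120, 300)
RESET_AFTER = 15 * 60  # failures older than this are forgotten


class LoginThrottle:
    def __init__(self, ladder=DELAY_LADDER, reset_after: int = RESET_AFTER) -> None:
        self._ladder = ladder
        self._reset_after = reset_after
        # key -> (consecutive failures, time of last failure, earliest next attempt)
        self._state: dict[str, tuple[int, float, float]] = {}

    def wait_seconds(self, keys: tuple[str, ...], now: float) -> float:
        """Seconds the caller must still wait; 0 means the attempt may proceed."""
        wait = 0.0
        for key in keys:
            entry = self._state.get(key)
            if entry is None:
                continue
            _failures, last_failure, next_allowed = entry
            if now - last_failure > self._reset_after:
                del self._state[key]        # stale: counter resets, no lockout
                continue
            wait = max(wait, next_allowed - now)
        return max(wait, 0.0)

    def record_failure(self, keys: tuple[str, ...], now: float) -> None:
        for key in keys:
            failures = self._state.get(key, (0, now, now))[0] + 1
            delay = self._ladder[min(failures, len(self._ladder) - 1)]
            self._state[key] = (failures, now, now + delay)

    def record_success(self, keys: tuple[str, ...]) -> None:
        for key in keys:
            self._state.pop(key, None)


def attempt_login(throttle: LoginThrottle, username: str, client_ip: str,
                  password_ok: bool, now: float | None = None) -> str:
    """Returns 'ok', 'failed' or 'throttled:<seconds>'.

    Throttling is keyed both per account (slows guessing against one user)
    and per source address (slows automation spraying many accounts)."""
    now = time.time() if now is None else now
    keys = (f"acct:{username.lower()}", f"ip:{client_ip}")
    wait = throttle.wait_seconds(keys, now)
    if wait > 0:
        # Generic response: does not reveal whether the account exists.
        return f"throttled:{int(wait)}"
    if password_ok:
        throttle.record_success(keys)
        return "ok"
    throttle.record_failure(keys, now)
    return "failed"
```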
AUTHN-BP06
Control
The application applies a transaction integrity verification mechanism.
Description
Although authentication verifies a user's identity, it does not eliminate the possibility of fraudulent actions during a transaction. Transaction integrity verification mechanisms are supporting security functions that give users the time and the tools to deal with potential fraud. Implementing a transaction integrity verification mechanism ensures that each transaction is thoroughly checked for authenticity and integrity.
Implementation guidance
Developers may implement the following recommended mechanisms:
· Initiate a verification/confirmation call.
· Provide a real-time transaction history.
· Implement a cooling-off period of 12 to 24 hours.
· Block overseas transactions (optional); enable them only via MFA.
Things to note
This security control is described in other standards. Please refer to the document(s) provided at:
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 57-58.
2. Authorisation
Introduction
Authorisation security works hand in hand with authentication security. Authorisation security in mobile applications is an essential security mechanism because it defines who can access resources within the application. It establishes structured policies and validates users' access rights within the application.
Developers can ensure that only authorised users, clients, applications and devices can access particular resources or perform particular actions by implementing strong authorisation controls and permission configurations. Through authorisation controls, developers can also reduce the risk of unauthorised data access, preserve the integrity of sensitive data, protect user privacy and safeguard the integrity of high-risk functions. Although these mechanisms must be implemented on the back end, it is equally important that the client-side application follows proper practices to ensure secure use of the relevant authorisation protocols.
The controls in this category provide the authorisation security controls that the application should apply to protect sensitive data and prevent unauthorised access. They also give developers relevant best practices on how to implement these security controls.
Security controls
ID           Control
AUTHOR-BP01  Implement server-side authorisation.
AUTHOR-BP02  Implement client-side authorisation via device binding.
AUTHOR-BP03  Inform users of all required permissions before they start using the application.
AUTHOR-BP04  Inform users of all authorised and completed high-risk transactions.
AUTHOR-BP01
Control
The application applies server-side authorisation.
Description
Server-side authorisation refers to validating and granting permissions to users or applications through a server or an authorisation server. This ensures that access control decisions and permissions are managed and enforced on the server side rather than on the client. By implementing server-side authorisation, developers reduce the opportunity for malicious attackers to tamper with or bypass security measures on the device in order to gain unauthorised access to sensitive data (i.e., PII and authentication credentials).
Implementation guidance
Developers must implement server-side authorisation after successful authentication, before granting access. Developers must ensure that users are granted access based on the following factors:
· Role-based permissions: ensure that users can only perform functions related to their responsibilities.
· Contextual factors: dynamic access conditions such as time of access and behavioural analysis.
Things to note
This security control is described in other standards. Please refer to the document(s) provided at:
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 50-55, 58.
· PCI Mobile Payment Acceptance Security Guidelines v2.0.0 (2017), pg. 10.
· ENISA Smartphone Secure Development Guidelines (2016), pg. 10-11.
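A server-side authorisation decision combining role-based permissions with a contextual factor (time of access), as an added example in Python (not code from the CSA Safe App Standard). The roles, actions, the 07:00-21:59 "usual hours" window and the rule that a high-risk action outside those hours requires an MFA-level session are assumptions of this example; `when` is taken to be in the organisation's local time.

```python
"""Server-side authorisation with role permissions and a contextual factor.

Added example, not code from the CSA Safe App Standard. The roles, actions,
the 07:00-21:59 "usual hours" window, and the rule that a high-risk action
outside those hours needs an MFA-level session are my assumptions. `when`
is assumed to be in the organisation's local time.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Which actions each role may perform; held on the server only.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "viewer": frozenset({"view_balance", "view_history"}),
    "customer": frozenset({"view_balance", "view_history", "transfer_own"}),
    "ops_admin": frozenset({"view_history", "manage_users"}),
}
HIGH_RISK_ACTIONS = frozenset({"transfer_own", "manage_users"})
USUAL_HOURS = range(7, 22)  # hour-of-day window for the contextual rule


@dataclass(frozen=True)
class Principal:
    """What the server itself established at authentication time."""
    account_id: str
    roles: frozenset[str]
    auth_level: int  # 1 = password only, 2 = password + MFA


def authorize(principal: Principal, action: str, when: datetime,
              client_claims: dict | None = None) -> tuple[bool, str]:
    """Decide on the server. `client_claims` is whatever the app asserted
    about itself (e.g. {"role": "ops_admin"}); it is deliberately ignored,
    since anything the client sends can be tampered with."""
    permitted = frozenset().union(
        *(ROLE_PERMISSIONS.get(role, frozenset()) for role in principal.roles))
    if action not in permitted:
        return False, "no_permission"
    if (action in HIGH_RISK_ACTIONS and when.hour not in USUAL_HOURS
            and principal.auth_level < 2):
        return False, "step_up_required"  # contextual factor: time of access
    return True, "ok"


def demo_decisions() -> dict[str, tuple[bool, str]]:
    """Constructed scenarios showing each outcome of authorize()."""
    customer = Principal("acct-1", frozenset({"customer"}), 1)
    customer_mfa = Principal("acct-1", frozenset({"customer"}), 2)
    nobody = Principal("acct-9", frozenset(), 2)
    day = datetime(2024, 1, 10, 14, 0)     # 14:00, inside usual hours
    night = datetime(2024, 1, 10, 2, 30)   # 02:30, outside usual hours
    return {
        "view_day": authorize(customer, "view_balance", day),
        "transfer_day": authorize(customer, "transfer_own", day),
        "transfer_night": authorize(customer, "transfer_own", night),
        "transfer_night_mfa": authorize(customer_mfa, "transfer_own", night),
        "claimed_admin": authorize(customer, "manage_users", day,
                                   client_claims={"role": "ops_admin"}),
        "no_roles": authorize(nobody, "view_balance", day),
    }
```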
AUTHOR-BP02
Control
The application applies client-side authorisation via device binding.
Description
Client-side authorisation is a way of managing access permissions within the mobile application. This is risky, as relying on the client side can expose applications to risks such as unauthorised access and potential fraud.
If the app's business functions (e.g., software tokens) require authorisation from the client, device binding (a security mechanism that ties access permissions to a specific device) is recommended. By implementing device binding, applications can verify the device's identity and establish trust. This reduces the risks associated with unauthorised access and maintains a secure, trusted channel between devices, applications and servers.
Implementation guidance
Developers must establish a binding between the application and the device when user credentials are used for the first time on an unregistered mobile device.
Developers must also ensure that applications:
· Check for changes to the device since the last operation.
· Check for changes to the device's identifying attributes.
· Check that the device running the application is in a secure state (e.g., not jailbroken or rooted).
The above are only some examples of best practices used by the industry. As the mobile device ecosystem evolves, these practices may become outdated. Developers must therefore stay aware of the latest industry practices for verifying device binding.
Things to note
To verify devices on Android, developers may:
· Obtain unique identifiers such as the IMEI or Android ID.
· Obtain build details.
· Leverage native OS API features, such as Google's SafetyNet.
To verify devices on iOS, developers may:
· Leverage native OS services, such as Apple's device ID via UIDevice.
This security control is described in other standards. Please refer to the document(s) provided at:
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 316-317, 516.
· MAS Technology Risk Management Guidelines (2021), pg. 51, 56.
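The server-side half of device binding, as an added example in Python (not code from the CSA Safe App Standard): bind on first use, detect changed identifiers, refuse devices that fail the secure-state check, and rebind only after re-authentication. The attribute names, the boolean integrity result and keeping only a keyed hash of the attributes (rather than the raw IMEI/Android ID) are assumptions of this example.

```python
"""Server-side device binding registry.

Added example, not code from the CSA Safe App Standard. Assumptions (mine):
the app reports a small set of device attributes (the attribute names below
are illustrative; on Android this might be the Android ID and build details,
on iOS an identifier obtained via UIDevice), the platform integrity check
arrives as a boolean, and the server keeps only a keyed hash of the
attributes per account rather than the raw identifiers.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets


class DeviceBindingRegistry:
    def __init__(self, pepper: bytes | None = None) -> None:
        # Server-side secret; constructed here, held in a secrets manager in practice.
        self._pepper = pepper or secrets.token_bytes(32)
        self._bindings: dict[str, str] = {}   # account id -> device fingerprint

    def fingerprint(self, attrs: dict[str, str]) -> str:
        """Keyed hash over a canonical encoding of the attributes, so the
        stored value cannot be turned back into an IMEI or Android ID."""
        canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._pepper, canonical, hashlib.sha256).hexdigest()

    def evaluate(self, account: str, attrs: dict[str, str], device_secure: bool) -> str:
        """'insecure' - rooted/jailbroken or failed attestation: do not proceed
           'bound'    - first use of credentials on this device: binding created
           'match'    - same device as before
           'changed'  - identifiers differ: require re-authentication, then rebind()"""
        if not device_secure:
            return "insecure"
        current = self.fingerprint(attrs)
        bound = self._bindings.get(account)
        if bound is None:
            self._bindings[account] = current
            return "bound"
        if hmac.compare_digest(bound, current):
            return "match"
        return "changed"

    def rebind(self, account: str, attrs: dict[str, str]) -> None:
        """Called only after the user has re-authenticated on the new device."""
        self._bindings[account] = self.fingerprint(attrs)

    def unbind(self, account: str) -> bool:
        return self._bindings.pop(account, None) is not None
```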
AUTHOR-BP03
Control
The application informs users of all required permissions before they start using the application.
Description
Required permissions are the specific rights and capabilities that the application requests on the mobile device. These permissions define which resources or functions the application can access on users' devices. Some examples include, but are not limited to, the camera, microphone, location, etc. By implementing proper notifications that inform users of how permissions are requested, developers can prevent users from unknowingly granting excessive permissions, which could allow malicious actors to exploit weaknesses and steal sensitive data (i.e., PII and authentication credentials). Such notifications will also allow users to make informed decisions about the applications they install.
Implementation guidance
Developers should use In-App notifications to request user permissions. Developers must also ensure that notifications/alerts do not disclose sensitive data.
Things to note
Developers must request only the permissions necessary for the application's operation.
This security control is described in other standards. Please refer to the document(s) provided at:
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 56, 58.
· ENISA Smartphone Secure Development Guidelines (2016), pg. 8, 18, 28.
· Apple Developer Guide on Privacy, https://developer.apple.com/design/human-interface-guidelines/privacy (Jan 2024).
· Android Developer Guide on Privacy, https://developer.android.com/quality/privacy-and-security (Jan 2024).
AUTHOR-BP04
Control
The application informs users of all authorised and completed high-risk transactions.
Description
If the application has high-risk transaction functionality, users should be notified immediately once a transaction has been authorised and completed. By implementing this control, developers can ensure that users are alerted promptly when high-risk transactions have been authorised and completed, so that they can identify potentially fraudulent transactions as quickly as possible.
Implementation guidance
Developers should use the following methods to notify users:
· In-App notifications.
· Email notifications.
· Short Message Service (SMS) notifications.
Developers must also ensure that notifications/alerts do not disclose sensitive data.
The above are only some examples of notification practices used by the industry. As the mobile device ecosystem evolves, these practices may become outdated. Developers should therefore stay aware of the latest industry best practices for notifying users of authorised and completed high-risk transactions.
Things to note
Developers must request only the permissions necessary for the application's operation.
This security control is described in other standards. Please refer to the document(s) provided at:
· MAS Technology Risk Management Guidelines (2021), pg. 52.
· PCI Mobile Payment Acceptance Security Guidelines v2.0.0 (2017), pg. 10.
· ENISA Smartphone Secure Development Guidelines (2016), pg. 8.
· Apple Developer Guide on Privacy, https://developer.apple.com/design/human-interface-guidelines/privacy (Jan 2024).
· Android Developer Guide on Privacy, https://developer.android.com/quality/privacy-and-security (Jan 2024).
3. Data Storage (Data-at-Rest)
Introduction
Data-at-rest storage security concerns protecting the integrity and confidentiality of sensitive data (i.e., PII and authentication data) stored locally on the client-side device and remotely on the app server while it is neither in use nor being transmitted. This encompasses the best practices, security measures and encryption methods used to safeguard data held in databases, files, caches, memory and the Trusted Execution Environment (TEE) of mobile devices, and in the equivalent locations on app servers.
Developers can ensure that user data is stored and protected by implementing strong data-at-rest security controls. Proper data-at-rest controls also ensure that the application can reduce the risks of unauthorised access, device compromise, potential data breaches and data leakage, and strengthen the application's security.
The following controls ensure that any data intentionally stored by the application is adequately protected, regardless of its target location. They also cover unintentional leakage due to improper use of APIs or system capabilities.
Security controls
ID             Control
STORAGE-BP01   Store only the sensitive data necessary for the transaction.
STORAGE-BP02   Implement secure storage of sensitive data.
STORAGE-BP02a  Store sensitive data securely on the server side.
STORAGE-BP02b  Store sensitive data securely on the client side in the Trusted Execution Environment (TEE).
STORAGE-BP03   Delete sensitive data when it is no longer needed.
STORAGE-BP01
Control
The application stores only the sensitive data necessary for the transaction.
Description
Sensitive data is defined as user data (PII) and authentication data (e.g., email addresses, encryption keys, etc.). Developers must store only the sensitive data required for the app's business functions. Collecting unnecessary data increases the consequences of potential security breaches, making the application an attractive target for malicious actors. By implementing this security control, developers can ensure that exposure is limited to the data needed for specific business functions, reducing the impact in the event of unauthorised access or a breach.
Implementation guidance
Developers should classify the data used by the application according to the organisation's sensitivity levels and in line with regulatory requirements. Developers must follow the guidance below for storing data classified as sensitive:
1. Implement a secure storage solution, on the client side or server side, based on the data's sensitivity.
2. Apply data protection measures (e.g., tokenisation, hashing with salt, encryption).
3. Delete sensitive data when it is no longer needed.
Things to note
This security control is described in other standards. Please refer to the document(s) provided at:
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 190, 398.
· MAS Technology Risk Management Guidelines (2021), pg. 9-10, 36, 38.
· ENISA Smartphone Secure Development Guidelines (2016), pg. 6.
STORAGE-BP02
Control
The application implements secure storage of sensitive data.
Description
Secure storage for mobile applications refers to implementing mechanisms and practices that protect sensitive data stored on mobile devices and servers from unauthorised access, theft or tampering. This includes best practices such as encryption, hashing, tokenisation and proper access control. By implementing secure storage, developers can mitigate unauthorised access, device compromise, potential data breaches and data leakage.
Implementation guidance
Developers should implement a secure storage solution that corresponds to the data's sensitivity. Developers should also follow the order of priority below for the secure storage solution (from the most sensitive data to the least sensitive):
1. Server side (all sensitive data should be stored on the server side).
2. Client side within the Trusted Execution Environment (where server-side storage is not feasible, store all sensitive data in the client-side TEE).
Things to note
This security control is described in other standards. Please refer to the document(s) provided at:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), pg. 17-18.
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 190-203, 398-406.
· ENISA Smartphone Secure Development Guidelines (2016), pg. 06-07.
STORAGE-BP02a
Control
The application stores sensitive data securely on the server side.
Description
Storing sensitive data on the server side means keeping the data on remote servers or databases. Such an approach creates a better environment for protecting data from unauthorised access or breaches, enabling more secure access control, options to implement stronger security measures such as complex encryption, and provisions for rapid security updates.
By storing sensitive data on the server side, developers can mitigate the inherent risks of client-side data storage, since client-side storage is vulnerable to the data-storage exploitation techniques commonly used by malicious actors and mobile scammers.
Implementation guidance
Developers must apply at least one of the following data protection measures:
1. For passwords only, developers may use hashing with salt [6]. Instead of storing the actual passwords, unique salts are generated and combined with the passwords, producing salted hashes.
2. Developers may encrypt [7] sensitive data with encryption standards such as AES-128.
3. Developers may implement tokenisation [8] via in-house tokenisation or a tokenisation service, replacing sensitive data with tokens wherever possible. Developers should also ensure that the tokenisation is of sufficient length and complexity (backed by secure cryptography) for the data's sensitivity and the business requirements.
The above are only some examples of best practices used by the industry. As the mobile device ecosystem evolves, these best practices may become outdated. Developers must therefore follow the latest industry best practices for storing sensitive data securely on the server side.
Things to note
This security control is described in other standards. Please refer to the document(s) provided at:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), pg. 19-20.
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 71-77, 219-227, 416-421.
· MAS Technology Risk Management Guidelines (2021), pg. 30, 36-37, 39.
· PCI Mobile Payment Acceptance Security Guidelines v2.0.0 (2017), pg. 9.
· ENISA Smartphone Secure Development Guidelines (2016), pg. 6-9.
[6] Hashing with salt is used to increase security by making it harder for attackers to derive the original sensitive data. In the context of password storage or key derivation, developers should use one-way functions or slow hashing methods, such as PBKDF2, bcrypt or scrypt.
[7] Encryption is used to transform data into an unreadable form, ensuring that even if it is accessed without authorisation, sensitive data remains confidential.
[8] Tokenisation is used to replace sensitive data with tokens in order to reduce the risk of exposing sensitive data.
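Two of the server-side measures above, salted slow hashing for passwords and tokenisation of other sensitive values, as an added example in Python (not code from the CSA Safe App Standard). PBKDF2-HMAC-SHA256 is one of the functions the footnote names; its 600,000-iteration default, the in-memory vault and the sample card number are assumptions of this example.

```python
"""Server-side protection of sensitive data at rest: salted password hashing
and tokenisation.

Added example, not code from the CSA Safe App Standard. Assumptions (mine):
PBKDF2-HMAC-SHA256 as the slow salted hash (one of the functions the
standard's footnote names; the 600,000-iteration default is my choice),
an in-memory dict standing in for the tokenisation vault, and a sample
card number constructed for the demonstration.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store this string instead of the password: algorithm, work factor,
    per-password random salt and the derived hash, all needed to verify."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations; constant-time comparison."""
    try:
        algorithm, iterations_str, salt_b64, digest_b64 = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        iterations = int(iterations_str)
    except ValueError:
        return False
    if iterations < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


class TokenVault:
    """Replaces a sensitive value (e.g. a card number) with a random token.

    The token has no mathematical relationship to the value; only the vault,
    kept server side under its own access controls, can map it back."""

    def __init__(self) -> None:
        self._value_by_token: dict[str, str] = {}
        self._token_by_value: dict[str, str] = {}

    def tokenise(self, value: str) -> str:
        token = self._token_by_value.get(value)
        if token is None:
            token = secrets.token_urlsafe(24)   # 192 bits from the OS CSPRNG
            self._value_by_token[token] = value
            self._token_by_value[value] = token
        return token

    def detokenise(self, token: str) -> str | None:
        return self._value_by_token.get(token)


def mask_pan(pan: str) -> str:
    """Display form that the app may hold locally: last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]
```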
STORAGE-BP02b
Control
The application stores sensitive data securely on the client side in the Trusted Execution Environment (TEE).
Description
The Trusted Execution Environment (TEE) is an isolated area within a mobile device's hardware or processor architecture that provides a highly secure environment for storing sensitive data and performing sensitive or critical operations. It is designed to protect sensitive data, cryptographic keys and critical operations from unauthorised access or tampering. If the app's business functions require sensitive data to be stored on the client side, storing it in the device's TEE is recommended.
By storing sensitive data properly in the client-side TEE, developers can mitigate threats originating from within a compromised device and from external malicious actors. Such storage can also reduce unauthorised access to the app's sensitive user data and prevent any encryption keys from being stolen.
Implementation guidance
Developers should store sensitive data securely on the client side in a Trusted Execution Environment (TEE) such as ARM TrustZone on Android or Apple's Secure Enclave.
Developers must also store the following sensitive data in the TEE:
· Biometric credentials.
· Authentication tokens.
· Cryptographic keys, within a secure key management system such as the Android Keystore or the iOS Keychain.
The above are only some examples of data that developers should store in the TEE. As the mobile device ecosystem evolves, developers should use their discretion to store in the TEE any data that they consider necessary.
Things to note
For devices without a hardware TEE, developers may consider using the TEE alternatives that are available.
Alternatively, developers may consider disabling the application or disabling the app's high-risk functions, as the device is considered insecure for high-risk transactions.
This security control is described in other standards. Please refer to the document(s) provided at:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), pg. 19-20.
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 75, 93, 194-200.
· MAS Technology Risk Management Guidelines (2021), pg. 51.
· PCI Mobile Payment Acceptance Security Guidelines v2.0.0 (2017), pg. 07-09, 14.
· ENISA Smartphone Secure Development Guidelines (2016), pg. 10.
STORAGE-BP03
Control
The application deletes sensitive data when it is no longer needed.
Description
Deleting sensitive data refers to the process of permanently removing or erasing confidential, private or sensitive information from storage devices, servers or databases. This process ensures that sensitive data is removed irreversibly and cannot be retrieved, recovered, accidentally exposed or restored by unauthorised parties or through data recovery techniques.
By implementing this control, developers can reduce the window in which attackers can exploit weaknesses to steal sensitive data.
Implementation guidance
Developers must apply the following persistent-storage security practices:
· Delete stored cookies when the application is terminated, or use in-memory cookie storage.
· Remove all sensitive data upon uninstallation of the app.
· Remove all cached and temporary files containing sensitive data (e.g., iOS WebView caches) from the file system when the related business functions cease to exist.
The above are only some examples of best practices used by the industry. As the mobile device ecosystem evolves, these practices may become outdated. Developers should therefore follow the latest industry best practices for deleting sensitive data when it is no longer needed.
Things to note
Developers must take care to comply with widely accepted standards and the relevant data retention regulations, including but not limited to:
· Personal Data Protection Act (PDPA)
· General Data Protection Regulation (GDPR)
· Payment Card Industry Data Security Standard (PCI DSS)
This security control is described in other standards. Please refer to the document(s) provided at:
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 199, 206-214, 403-414.
· MAS Technology Risk Management Guidelines (2021), pg. 39.
· ENISA Smartphone Secure Development Guidelines (2016), pg. 07, 09-10.
4. Anti-Tampering & Anti-Reversing
Introduction
Anti-Tampering and Anti-Reversing security controls are additional measures that developers can apply to counter attacks that attempt to tamper with or reverse engineer applications. By implementing both sets of features, developers add multiple layers of protection to applications, making it even harder for malicious actors to successfully tamper with or reverse engineer apps, which could result in:
· Theft or compromise of valuable business assets such as algorithms, trade secrets or sensitive data,
· Financial losses for users who use the application for high-risk transactions,
· Financial losses for organisations due to loss of revenue or legal action,
· Reputational damage due to negative publicity or customer dissatisfaction.
The controls ensure that applications run on trusted platforms, prevent tampering at runtime and ensure the integrity of the applications' intended functionality. Furthermore, the controls impede comprehension by making it harder for attackers to work out how applications function.
Security controls
ID               Control
RESILIENCE-BP01  Sign with a certificate from official app stores.
RESILIENCE-BP02  Implement jailbreak/root detection.
RESILIENCE-BP03  Implement emulator detection.
RESILIENCE-BP04  Implement malware detection.
RESILIENCE-BP05  Implement anti-hooking mechanisms.
RESILIENCE-BP06  Implement overlay, remote viewing and screenshot countermeasures.
RESILIENCE-BP07  Implement anti-keystroke or anti-keylogger measures against third-party keyboards.
MAMELLO-BP01
Taolo
Sesebelisoa ke khoutu e saenneng ka litifikeiti tse tsoang mabenkeleng a molao a lisebelisoa.
Tlhaloso
Applications are often tampered with by malicious actors and distributed through poorly controlled channels. Signing an app with certificates issued by legitimate app stores assures the mobile OS and users that the mobile application comes from a verified source.
Implementing code signing helps operating systems decide whether to allow software to run or be installed, based on the signatures or certificates used to sign the code. This helps prevent the installation and use of potentially malicious applications. Furthermore, code signing also supports integrity verification, since the signature will change if the application has been tampered with.
Implementation guidance
Developers must sign their applications with certificates. This section provides some examples of how to do this on the two most popular platforms, iOS and Android.
For the Apple App Store, this can be done by enrolling in the Apple Developer Program and creating a signing certificate request on the developer portal. Developers can enrol in the Apple Developer Program and refer to the developer guide on code signing listed under Things to note.
For Android, there are various app stores. For the Google Play Store, this can be done by configuring Play App Signing, which is a requirement for distribution through the Google Play Store. For more information on how to do so, developers can visit the Android developer guide listed under Things to note.
For other legitimate stores, refer to their respective guidelines on code signing for application distribution.
Things to note
This security control is also important for publishing applications on legitimate app stores; hence the recommendation is that your application is signed with a certificate from the legitimate app store(s). This security control is described in other standards. Please refer to the document(s) provided at:
· Apple Developer Programme Guide for Code Signing, https://developer.apple.com/support/code-signing (Jan 2024).
· Android Developer Guide on Privacy, https://developer.android.com/quality/privacy-and-security (Jan 2024).
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 325-326, 522-523.
· ENISA Smartphone Secure Development Guidelines (2016), pg. 21.
RESILIENCE-BP02
Control
The application implements jailbreak or root detection.
Description
Rooted and jailbroken devices are generally considered insecure. Rooted or jailbroken devices allow users to obtain elevated privileges, which make it possible to bypass the security and restrictions of the OS. Such elevated privileges can be unsafe for applications, since they allow malicious actors to exploit vulnerabilities, steal data, control users' devices and perform fraudulent transactions.
By implementing jailbreak or root detection, developers can prevent the actions described above, protect the app's intellectual property, ensure application stability and prevent in-app controls from being bypassed.
Implementation guidance
Developers should implement jailbreak or root detection by implementing the following checks in their application for Android devices:
1. Check for the superuser or SU binary.
2. Detect root file system modifications.
3. Check for root-related applications.
4. Check for a custom recovery.
5. Check for insecure API usage.
Developers should implement jailbreak or root detection by implementing the following checks in their application for iOS devices:
1. Detect the use of restricted APIs.
2. Look for jailbreak tweaks such as mods.
3. Look for unauthorised app stores, e.g. check for Cydia App Store signatures.
4. Look for kernel modifications.
5. Check the integrity of critical file systems.
6. Use third-party libraries designed to detect device tampering.
The above are just some examples of best-practice checks used by industry. As the mobile device ecosystem continues to evolve, these checks may become outdated. Hence, developers should follow the latest industry best practices when implementing jailbreak or root detection.
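Three of the Android checks above (the SU binary, the build signing tags and a root file-system modification) in native C, as an added example that is not part of the CSA standard. The su paths, the "test-keys" build-tag test and the /proc/mounts parsing are assumptions about where root artefacts commonly show up; the values passed in main are constructed, and the JNI or property-reading plumbing that would feed live values on a device is omitted.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Indicator bits; the caller decides the response policy (e.g. warn, restrict or exit). */
enum { ROOT_SU_BINARY = 1, ROOT_TEST_KEYS = 2, ROOT_SYSTEM_RW = 4 };
/* Locations where the su binary is commonly found on rooted devices (illustrative list). */
static const char *const SU_PATHS[] = {
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su", "/data/local/bin/su", NULL
};
/* Check 1: does any known su binary path exist? access(2) needs no JNI and is cheap. */
int su_binary_present(const char *const *paths) {
    for (; *paths; ++paths)
        if (access(*paths, F_OK) == 0) return 1;
    return 0;
}
/* Check 2: custom and rooted ROMs are usually signed with "test-keys" (ro.build.tags). */
int build_tags_are_test_keys(const char *build_tags) {
    return build_tags != NULL && strstr(build_tags, "test-keys") != NULL;
}
/* Check 3: a read-write /system is a root file-system modification indicator. Parses text
   in /proc/mounts format: "<device> <mountpoint> <fstype> <options> <dump> <pass>". */
int system_mounted_rw(const char *mounts) {
    char line[512], dev[128], mnt[128], fs[64], opts[256];
    while (*mounts) {
        size_t n = strcspn(mounts, "\n");
        size_t copy = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, mounts, copy); line[copy] = '\0';
        mounts += n + (mounts[n] == '\n');
        if (sscanf(line, "%127s %127s %63s %255s", dev, mnt, fs, opts) != 4) continue;
        if (strcmp(mnt, "/system") != 0) continue;
        /* mount options are comma separated; "rw" must match a whole token */
        for (char *tok = strtok(opts, ","); tok; tok = strtok(NULL, ","))
            if (strcmp(tok, "rw") == 0) return 1;
    }
    return 0;
}

/* Combine the checks into a bitmask so the app can log which indicators fired. */
int root_indicators(const char *const *su_paths, const char *build_tags, const char *mounts) {
    int r = 0;
    if (su_binary_present(su_paths)) r |= ROOT_SU_BINARY;
    if (build_tags_are_test_keys(build_tags)) r |= ROOT_TEST_KEYS;
    if (system_mounted_rw(mounts)) r |= ROOT_SYSTEM_RW;
    return r;
}

int main(void) {
    /* Constructed sample standing in for the live /proc/mounts and ro.build.tags values. */
    const char *mounts = "/dev/block/sda1 /system ext4 rw,seclabel 0 0\n";
    int r = root_indicators(SU_PATHS, "release-keys", mounts);
    printf("indicators=%d (su=%d test-keys=%d system-rw=%d)\n", r, !!(r & 1), !!(r & 2), !!(r & 4));
    return 0;
}
```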
Things to note
This security control is described in other standards. Please refer to the document(s) provided at:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), pg. 31.
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 319-320, 5069, 518-519.
· MAS Technology Risk Management Guidelines (2021), pg. 50.
· ENISA Smartphone Secure Development Guidelines (2016), pg. 11, 23.
9 https://github.com/crazykid95/Backup-Mobile-Security-Report/blob/master/Jailbreak-Root-DetectionEvasion-Study-on-iOS-and-Android.pdf
RESILIENCE-BP03
Control
The application implements emulator detection.
Description
Emulators are tools used to test mobile applications by allowing the user to test the mobile application on various types of mobile devices and simulated devices. While useful for testing, applications should not allow themselves to be installed on emulators outside the development environment.
By implementing emulation detection, developers can prevent malicious actors from performing dynamic analysis, decompilation, debugging, instrumentation, hooking and fuzz testing of the application on a simulated device under their control. In doing so, developers can prevent malicious actors from discovering vulnerabilities within the application for exploitation.
Implementation guidance
Developers should use the following detection strategy to identify the characteristics of commonly used emulation solutions. Some suggestions of items to check are:
· Check battery usage.
· Check timestamps and clocks.
· Check multi-touch support.
· Check memory and performance analysis.
· Perform network checks.
· Check whether the device is hardware-based.
· Check what the OS is built on.
· Check device fingerprints.
· Check build configurations.
· Check for emulator services and processes.
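A scoring approach to the build-configuration, fingerprint and emulator-artefact items in the list above, as an added example that is not part of the CSA standard. The property fragments ("generic", "goldfish", "ranchu", "google_sdk" and so on) and the QEMU device-node paths are assumptions drawn from common emulator images; the property values in main are constructed, and reading the real values from android.os.Build or the property system is left to the caller.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Snapshot of the Android build properties an emulator check inspects. On a device they come
   from android.os.Build or __system_property_get(); here they are passed in for testing. */
typedef struct {
    const char *fingerprint, *model, *manufacturer, *brand, *device, *product, *hardware;
} build_props;

static int contains(const char *s, const char *needle) { return s && strstr(s, needle) != NULL; }
static int starts_with(const char *s, const char *p) { return s && strncmp(s, p, strlen(p)) == 0; }

/* Each heuristic that fires adds one point. Emulator images typically trip several at once
   while real hardware rarely trips any, so the caller applies a threshold instead of relying
   on one property that a customised image could spoof. */
int emulator_score(const build_props *b) {
    int score = 0;
    score += starts_with(b->fingerprint, "generic") || contains(b->fingerprint, "unknown");
    score += contains(b->model, "google_sdk") || contains(b->model, "Emulator")
          || contains(b->model, "Android SDK built for");
    score += contains(b->manufacturer, "Genymotion");
    score += starts_with(b->brand, "generic") && starts_with(b->device, "generic");
    score += contains(b->product, "sdk") || contains(b->product, "vbox86p");
    score += contains(b->hardware, "goldfish") || contains(b->hardware, "ranchu");
    return score;
}

/* QEMU-based emulators expose device nodes that real phones do not have. */
static const char *const QEMU_PATHS[] = { "/dev/socket/qemud", "/dev/qemu_pipe", NULL };
int qemu_artifacts_present(const char *const *paths) {
    for (; *paths; ++paths)
        if (access(*paths, F_OK) == 0) return 1;
    return 0;
}

/* Final decision: enough property heuristics fired, or an emulator-only artefact exists. */
int likely_emulator(const build_props *b, const char *const *qemu_paths, int threshold) {
    return emulator_score(b) >= threshold || qemu_artifacts_present(qemu_paths);
}

int main(void) {
    /* Constructed property set resembling a stock Android SDK emulator image. */
    build_props avd = { "generic/sdk_phone_x86/generic_x86:11/RSR1/1234:userdebug/test-keys",
                        "Android SDK built for x86", "unknown", "generic", "generic_x86",
                        "sdk_phone_x86", "ranchu" };
    printf("score=%d likely_emulator=%d\n", emulator_score(&avd),
           likely_emulator(&avd, QEMU_PATHS, 2));
    return 0;
}
```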
The above are just some examples of best-practice checks used by industry. As the mobile device ecosystem continues to evolve, these checks may become outdated. Hence, developers must follow the latest industry best practices when implementing emulator detection.
Things to note
This security control is described in other standards. Please refer to the document(s) provided at:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), pg. 31-32.
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 325, 521.
RESILIENCE-BP04
Control
The application implements anti-malware detection.
Description
Malware applications are increasingly used by malicious actors as a vector to compromise users' mobile devices, since such devices give users the access they need to perform day-to-day tasks. Malware applications mainly exploit sideloading features as a channel to get users to install malware on their devices.
By implementing anti-malware detection capabilities in the app at runtime, developers can prevent users from being exploited by malware and exposed to OS compromise, data theft, device control and fraudulent transactions.
Implementation guidance
Developers should implement anti-malware detection capabilities in their applications. This can be done in various ways, including but not limited to:
· Include a Runtime Application Self-Protection (RASP) Software Development Kit (SDK) in their applications.
· Use RASP SDKs to monitor for and detect malware applications in real time.
· Detect and block overlays.
· Prevent tapjacking.
· Prevent hooking into the app's memory.
The above are just some examples of best-practice checks used by industry. As the mobile device ecosystem continues to evolve, these checks may become outdated. Hence, developers must follow the latest industry best practices when implementing anti-malware functionality.
Things to note
If any form of malicious application is detected, developers should shut down the application and provide the user with the necessary details on why the application was terminated, and encourage the user to remove the malicious app(s) from their device.
Alternatively, developers should alert the user and disable high-risk functions in the application until the user remediates the malicious applications. This security control is described in other standards. Please refer to the document(s) provided at:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), pg. 31.
· MAS Technology Risk Management Guidelines (2021), pg. 40, 49.
· ENISA Smartphone Secure Development Guidelines (2016), pg. 23.
RESILIENCE-BP05
Control
The application implements anti-hooking techniques.
Description
Hooking refers to a technique used by attackers to intercept or modify the behaviour of a mobile application at runtime. This involves injecting into or attaching to the application's runtime process to monitor its functions, alter its behaviour, inject malicious code or modify existing code paths in order to exploit vulnerabilities.
By implementing anti-hooking techniques in apps, developers can prevent the above attacks from happening and prevent unauthorised access, protect sensitive application functionality, detect and prevent tampering and debugging attempts, preserve intellectual property and maintain the integrity of the app.
Implementation guidance
Developers should implement the following example techniques to mitigate hooking attacks:
· Implement protection to prevent code injection.
· Implement protection to prevent the hooking process by preventing modifications to the application's source code (both on the client and the server).
· Implement protection to prevent the execution of modified code in your application.
· Implement protection to prevent memory access to and memory manipulation of your application.
· Implement tamper-resistant algorithms or anti-tampering SDKs (commonly known as Runtime Application Self-Protection SDKs).
· Check for insecure parameters such as APIs and invalid parameters.
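Two runtime checks that support the techniques above (spotting an instrumentation library mapped into the process, and a ptrace tracer attached to it), as an added example that is not part of the CSA standard. The library-name markers are assumptions about what common hooking frameworks leave behind, the /proc/self/maps and /proc/self/status formats are the Linux ones Android inherits, and the inputs in main are constructed samples rather than live kernel files.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Library-name fragments that common runtime-instrumentation frameworks leave in a
   process's memory map (illustrative, not exhaustive; a renamed library defeats a name
   check, so this is one signal among several rather than the only one). */
static const char *const HOOK_MARKERS[] = {
    "frida-agent", "frida-gadget", "libfrida", "XposedBridge", "libsubstrate", "libdobby", NULL
};

/* Scan text in /proc/self/maps format, one mapping per line with the backing file path as
   the last field. Returns the first matching marker, or NULL if none is mapped. */
const char *maps_hooking_marker(const char *maps) {
    char line[1024];
    while (*maps) {
        size_t n = strcspn(maps, "\n");
        size_t copy = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, maps, copy); line[copy] = '\0';
        maps += n + (maps[n] == '\n');
        /* anonymous mappings and [stack]/[vdso] entries carry no file path, so skip them */
        const char *sp = strrchr(line, ' ');
        const char *path = sp ? sp + 1 : line;
        if (path[0] != '/') continue;
        for (const char *const *m = HOOK_MARKERS; *m; ++m)
            if (strstr(path, *m) != NULL) return *m;
    }
    return NULL;
}

/* Parse the TracerPid field of /proc/self/status text. A non-zero value means another
   process has attached with ptrace (a debugger or injector); -1 if the field is missing. */
int tracer_pid(const char *status) {
    const char *p = strstr(status, "TracerPid:");
    return p ? atoi(p + strlen("TracerPid:")) : -1;
}

/* Either indicator is enough to treat the runtime as instrumented. */
int hooking_detected(const char *maps, const char *status) {
    return maps_hooking_marker(maps) != NULL || tracer_pid(status) > 0;
}

int main(void) {
    /* Constructed samples in /proc/self/maps and /proc/self/status format. */
    const char *maps =
        "7f2e1000-7f2f3000 r-xp 00000000 fd:00 1234      /system/lib64/libc.so\n"
        "7f300000-7f4a0000 r-xp 00000000 fd:00 5678      /data/local/tmp/frida-agent-64.so\n"
        "7ffd0000-7ffe0000 rw-p 00000000 00:00 0         [stack]\n";
    const char *status = "Name:\tcom.example.app\nPid:\t4242\nTracerPid:\t0\n";
    const char *m = maps_hooking_marker(maps);
    printf("marker=%s tracer_pid=%d detected=%d\n", m ? m : "none",
           tracer_pid(status), hooking_detected(maps, status));
    return 0;
}
```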
The above are just some examples of best-practice checks used by industry. As the mobile device ecosystem continues to evolve, these checks may become outdated. Hence, developers must follow the latest industry best practices when implementing anti-hooking techniques.
Things to note
This security control is described in other standards. Please refer to the document(s) provided at:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), pg. 31.
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 135-140, 189, 318-319, 339-340, 390, 520.
· MAS Technology Risk Management Guidelines (2021), pg. 56.
· ENISA Smartphone Secure Development Guidelines (2016), pg. 23, 26.
RESILIENCE-BP06
Control
The application implements overlay, remote viewing and screenshot countermeasures.
Description
Sensitive data can be captured or recorded without the user's explicit consent when the application's screen is recorded, viewed remotely or overlaid. For example:
· Overlay attacks deceive users by creating a fake layer that mimics legitimate applications, with the aim of stealing sensitive data.
· Remote viewing attacks involve unauthorised access to the device's screen, allowing attackers to harvest sensitive data remotely.
· Screenshot attacks occur when malicious actors capture the application's screen without the user's consent, extracting sensitive data.
Implementing overlay, remote viewing and screenshot countermeasures can ensure that sensitive data remains protected, user privacy is preserved and sensitive data is protected against loss or misuse.
Implementation guidance
Developers should implement anti-tampering and anti-malware checks through RASP SDKs to prevent malicious applications from performing overlay and remote viewing actions.
For screenshots, developers can use the FLAG_SECURE flag for Android applications and equivalent flags for iOS to disable all screenshot capabilities while the application is in use. However, suppose business functions require screenshot capability (e.g. taking a screenshot of a completed PayNow transaction). In such cases, the recommendation is to disable screenshot capability for the screens or pages that contain sensitive data (PII and authentication data).
Developers may also consider masking sensitive data and sensitive screens when the app is in the background.
Things to note
Some examples of where these screenshot capabilities can be disabled include but are not limited to: login pages, multi-factor authentication pages, security details and PII editing pages, etc.
This security control is described in other standards. Please refer to the document(s) provided at:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), pg. 31.
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 166-168, 257, 259, 265-267, 366, 480-481.
· MAS Technology Risk Management Guidelines (2021), pg. 56.
· ENISA Smartphone Secure Development Guidelines (2016), pg. 8.
RESILIENCE-BP07
Control
The application implements anti-keystroke capturing or anti-keylogger measures against third-party keyboards.
Description
Keystroke capturing and keylogging are techniques used by malicious actors to monitor, record and log the keys pressed on a keyboard without the user's knowledge and consent. This allows the logging and capture of potentially sensitive data (i.e. PII and authentication credentials).
By implementing keystroke-capturing and keylogging countermeasures, developers can prevent unnecessary leakage of sensitive data. This control focuses in particular on Android devices, since the native keyboard on Android devices can be replaced. Such changes can expose applications to security weaknesses, as the trusted path between the keyboard and the application then has untrusted parties in between.
Implementation guidance
Developers should not allow insecure third-party keyboards to be used for input fields that may contain sensitive data. A secure in-app keyboard is preferred for such inputs.
By implementing an in-app keyboard, developers can control where the keystroke data goes, and reduce the risk of insecure third-party keyboards acting as keyloggers that capture keystrokes.
Together with using in-app keyboards, developers should implement the following suggestions for inputs that require sensitive information (i.e. PII and authentication credentials): disable autocorrect, autofill, suggestions, cut, copy and paste for functions and/or applications containing sensitive information.
Things to note
Some examples of where in-app keyboards should be used include but are not limited to login, OTP entry or other authentication details, etc.
This security control and best practice focuses mainly on Android devices. The main objective is to ensure the security of the trusted path. Since Android does not provide a way to enforce the use of the native/trusted keyboards, app developers must implement a keyboard to ensure that insecure third-party keyboards do not capture input.
Implementing a secure in-app keyboard does not mitigate the risks associated with a compromised device.
This security control is described in other standards. Please refer to the document(s) provided at:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), pg. 31.
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 203, 214-215, 257, 259, 400, 414-415.
· MAS Technology Risk Management Guidelines (2021), pg. 56.
· ENISA Smartphone Secure Development Guidelines (2016), pg. 8, 23.
References
S/N  Document                                                                 Source    Published
1    OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0   OWASP     2023
2    OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0           OWASP     2023
3    MAS Technology Risk Management Guidelines                                MAS       2021
4    PCI Mobile Payment Acceptance Security Guidelines v2.0.0                 PCI-DSS   2017
5    ENISA Smartphone Secure Development Guidelines                           ENISA     2016
6    Android Developers                                                       Android   2024
7    Apple Developer Documentation                                            Apple     2024