owasp-mastg
iOS and Android: improve platform interaction on notifications
One thing we might want to add to the MSTG is that we should, optionally, try to limit the information shared through notifications when they have a high confidentiality.
https://developer.apple.com/notifications/
@sushi2k: I guess we can do the same for Android, right?
Definitely worth mentioning it and describing how to test for it. I also just thought 0x05h and 0x06h are the best places for it, but which MASVS requirement does it touch? Nothing in V6: Platform Interaction Requirements actually covers it: https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md. Need to think about which requirement it is related to.
Maybe this might be best?
> **2.7**: No sensitive data, such as passwords or pins, is exposed through the user interface.
I guess so :), that sounds like a good requirement to base it on :)
And do the same for Android in this ticket :).
Some refs:
- https://www.securitynewspaper.com/2019/08/28/wamr-app-lets-you-recover-whatsapp-deleted-messages-but-you-lose-your-privacy/
- https://developer.android.com/reference/android/service/notification/NotificationListenerService
- https://play.google.com/store/apps/details?id=com.drilens.wamr&hl=en_US
Will be assigned to @0x10f2c (still has to be invited)
Hi all, so this got solved on the Android side; I guess the discussion now is whether this should be done for the iOS side or not.
On the iOS side each notification is treated as private to the originating app. I guess we could still mention that sensitive information shouldn't be in notifications anyway as someone could see it on the lock screen assuming notifications are not hidden?
Happy to hear some thoughts and action this.
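As an added illustration of the mitigation discussed in this thread (not code from the MASTG or from any commenter), the Kotlin snippet below shows how an Android app can keep the confidential part of a notification off the lock screen: the real notification is marked `VISIBILITY_PRIVATE` and carries a redacted `publicVersion` that the system shows while the device is locked. It uses AndroidX `NotificationCompat`; the channel id, strings and icon are placeholders chosen for the example.

```kotlin
import android.app.Notification
import android.app.NotificationChannel
import android.app.NotificationManager
import android.content.Context
import android.os.Build
import androidx.core.app.NotificationCompat
import androidx.core.app.NotificationManagerCompat

// Hypothetical channel id for this example; any stable string works.
const val CHANNEL_ID = "secure_messages"

/**
 * Creates the notification channel (required on Android 8+) with its lock-screen
 * visibility restricted to PRIVATE, so the user's channel default also hides content.
 */
fun ensureChannel(context: Context) {
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
        val channel = NotificationChannel(
            CHANNEL_ID, "Messages", NotificationManager.IMPORTANCE_DEFAULT
        ).apply {
            // Hide the body on a secure lock screen; only a public version is shown there.
            lockscreenVisibility = Notification.VISIBILITY_PRIVATE
        }
        context.getSystemService(NotificationManager::class.java)
            .createNotificationChannel(channel)
    }
}

/**
 * Posts a message notification whose sender and body are only shown once the device
 * is unlocked. On a secure lock screen the system displays the redacted public version.
 * Assumes the POST_NOTIFICATIONS runtime permission is already granted on Android 13+.
 */
fun postMessageNotification(context: Context, id: Int, sender: String, body: String) {
    ensureChannel(context)

    // Redacted variant for the lock screen: reveals neither sender nor message text.
    val publicVersion = NotificationCompat.Builder(context, CHANNEL_ID)
        .setSmallIcon(android.R.drawable.ic_dialog_email)
        .setContentTitle("New message")
        .setContentText("Unlock to view")
        .setVisibility(NotificationCompat.VISIBILITY_PUBLIC)
        .build()

    // Full notification: PRIVATE means the sensitive content is shown only after unlock.
    // Use VISIBILITY_SECRET instead if the notification should not appear on the lock
    // screen at all.
    val notification = NotificationCompat.Builder(context, CHANNEL_ID)
        .setSmallIcon(android.R.drawable.ic_dialog_email)
        .setContentTitle(sender)
        .setContentText(body)
        .setVisibility(NotificationCompat.VISIBILITY_PRIVATE)
        .setPublicVersion(publicVersion)
        .build()

    NotificationManagerCompat.from(context).notify(id, notification)
}
```

Two caveats worth stating in the test case: the visibility flags only govern the lock screen, so an app the user has granted notification access to (a `NotificationListenerService`, as in the WAMR reference above) still receives the full content; and the simplest way to confirm what an app actually posted during a test is to inspect the live notifications on the device, for example with `adb shell dumpsys notification --noredact` on recent Android versions, and check that the body does not contain the sensitive data.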