
[Security] Threat model

Open • realeroberto opened this issue 4 years ago • 1 comment

Is a formal threat model under development? Immuni being a de facto strategic asset for Italy, it would be great if the development team or, even better, a third party could provide one.

@eutopian-eu

realeroberto, Jun 04 '20 22:06

As of now, in these repos the only formal discussion of threat modeling is in the context of data integrity and protection of data in-flight (and mitigations against Repudiation, or otherwise analysis of data by a third party via side channels or traffic analysis), as outlined by their Application Security Description and measures for traffic analysis mitigation.

I concur that a proper formalization of the threat model would be interesting to look at, especially because of the sensitive nature of the application, and the peculiarities of the Exposure Notification framework's threat model.

PastNullInfinity, Jun 05 '20 08:06