
The MASVS states in section "V6: Platform Interaction Requirements" MSTG-PLATFORM-11:

Verify that the app prevents usage of custom third-party keyboards whenever sensitive data is entered.

There are no references for test cases or similar, and when I think of Android it seems impossible to force this behaviour. In my understanding, no third-party keyboards should be permitted when entering something like a password. That means that when you have a third-party keyboard installed under Android (Google Keyboard, SwiftKey, ...), every app fails this test.

How do you deal with this test case? When does an app pass or fail this test?

schroeder
rumpel

Comment: Plus, not allowing a third-party keyboard could be a big accessibility issue (e.g. assume the user is blind but interacts with the system through a custom keyboard) – Ángel Aug 27 '20 at 17:14

1 Answer

So this is an L2 requirement that is only relevant if your threat model asks for it (see the MASVS introduction), for instance when eavesdropping on keystrokes or forwarding the information you enter would cause a real problem. In its current form/shape it seems only applicable to iOS.

It could be passed on Android as well by just creating your own keypad for a PIN, for instance (which was the original V9.1 requirement in an older version of the MASVS). In that case you should be able to resolve accessibility issues as well by means of a proper custom keypad with assistance implemented into it.

Jeroen