
android_app_security_checklist's Introduction

Android App Security Checklist

A checklist with security considerations for designing, testing, and releasing secure Android apps. It is based on the OWASP Mobile Application Security Verification Standard, Mobile Application Security Testing Guide and others. Follow the links on each checklist item for detailed instructions and recommendations.


Data Storage

Platform Interaction

Cryptography

Authentication

WebViews

Network

Code Quality

Defense-in-Depth

android_app_security_checklist's People

Contributors

bagipro, muellerberndt, yog3shsharma


android_app_security_checklist's Issues

Don't disable the clipboard on sensitive data

The clipboard is deactivated on text fields that may contain sensitive data.

No, please don't. That prevents many password managers from working (not all of them support Android 8's new APIs). So if the result is that users use 12345 as a password (with the result that everyone can log in) instead of a good password copied and saved from their password manager (with the potential that other apps may access it), then you've done more harm than good.

Project phase 6: Security recommendations

Security recommendations for Passlock, A mobile password manager application

No sensitive data should be included in backups:

Security Recommendation: It is important to avoid including sensitive data in backups to prevent unauthorized access if the backup files are compromised. I chose this recommendation because backing up sensitive data poses a security risk, especially if the backup is stored in an insecure location or if the backup process itself is vulnerable.

Beneficiary: This recommendation primarily benefits end-users, as it ensures that their sensitive data, such as passwords stored in the password manager, is not exposed in case of a backup compromise.

Source: This recommendation is derived from common security best practices for handling sensitive data and is not explicitly mentioned in the provided checklist. It aligns with general data security principles.

Implementation Timeframe: This recommendation should be implemented from the initial development stages and continuously maintained throughout the application's lifecycle. Regular audits and reviews should be conducted to ensure that sensitive data is not inadvertently included in backups.

Project Justification: In a password manager application, user credentials are highly sensitive. If included in backups, there's a risk of unauthorized access to the stored passwords. Implementing this recommendation helps safeguard user data and maintains the confidentiality and integrity of the information stored in the password manager.

Application: My team needs to ensure that sensitive data, particularly user credentials, are explicitly excluded from the backup process. This can be achieved by implementing a backup strategy that identifies and excludes sensitive data from the backup set. Regular testing and reviews of backup processes should be conducted to validate the effectiveness of the implementation.

Sensitive data should be removed from views when they're moved to the background:

Security Recommendation: This recommendation is vital to protect sensitive information from being accessed when the application is in the background. It prevents unauthorized users or malicious applications from capturing sensitive data from the application's views.

Beneficiary: This recommendation primarily benefits end-users, ensuring that their sensitive data is not exposed when the password manager application is in the background.

Source: This recommendation aligns with mobile application security best practices, and while not explicitly stated in the provided checklist, it is a common requirement for securing mobile applications.

Implementation Timeframe: This recommendation should be implemented during the development phase of the application. It is critical to the overall security posture of the password manager and should be continuously validated through testing and code reviews.

Project Justification: In a password manager application, sensitive data such as passwords should be visible only when the application is actively being used. Implementing this recommendation prevents the exposure of sensitive information if the application is minimized or running in the background.

Application: My team can implement this recommendation by ensuring that sensitive views are appropriately cleared or obscured when the application is moved to the background. This may involve implementing lifecycle event handlers to trigger the removal or obfuscation of sensitive data in the user interface when the application transitions to the background. Regular testing and code reviews are essential to verify the effectiveness of the implementation.

The app should be using proven implementations of cryptographic primitives:

Relevance of Recommendation: This recommendation is highly relevant to the project as it directly addresses the security of the password manager application by ensuring the use of reliable and secure cryptographic implementations.

Beneficiary: Both developers and end-users benefit. Developers gain from using established and secure cryptographic libraries, while end-users benefit from the overall security of the application.

Sources: This recommendation aligns with cryptography best practices and industry standards, ensuring that the cryptographic components employed in the application are widely recognized for their security.

Implementation Timeframe: This recommendation should be implemented from the initial development stages and continuously maintained through regular security assessments. The selection of cryptographic primitives should be revisited as technology evolves and security landscapes change.

Project Justification: Employing proven cryptographic primitives is essential to ensure the security of user data. It guards against potential vulnerabilities and exploits that may arise from using outdated or insecure cryptographic algorithms.

Application: To implement this recommendation, I would need to thoroughly research and select well-established cryptographic libraries and algorithms. Regular security assessments, audits, and updates should be conducted to ensure the ongoing reliability and security of the chosen cryptographic primitives.
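
An added example, not part of the issue text above or of the checklist project, for the recommendation that sensitive data be removed from views when they are moved to the background: a Kotlin Activity that marks its window secure and clears a secret field once it is no longer visible. The class name `SecretDetailActivity` and the field name `secretField` are assumptions made for this sketch.

```kotlin
import android.app.Activity
import android.os.Bundle
import android.text.InputType
import android.view.WindowManager
import android.widget.EditText

// Hypothetical detail screen of a password manager (names are assumptions).
class SecretDetailActivity : Activity() {

    private lateinit var secretField: EditText

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // Set FLAG_SECURE before the content view is attached. The window is
        // then treated as secure: it is blanked in the recent-apps thumbnail
        // and excluded from screenshots and screen recordings.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )

        secretField = EditText(this).apply {
            inputType = InputType.TYPE_CLASS_TEXT or
                InputType.TYPE_TEXT_VARIATION_PASSWORD
            // Keep the field's text out of the saved instance state bundle,
            // so the secret is not persisted when the activity is destroyed.
            isSaveEnabled = false
        }
        setContentView(secretField)
    }

    override fun onStop() {
        // onStop runs when the activity is no longer visible (home button,
        // task switch). Clearing here removes the plaintext from the view
        // hierarchy; the screen has to reload the value from the vault when
        // the user returns and re-authenticates.
        secretField.text.clear()
        super.onStop()
    }
}
```

`FLAG_SECURE` handles the system-generated snapshot, while the `onStop` handler covers the copy held by the view itself; a review should check both on every screen that displays a secret.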

Project Phase 6: Security Recommendations

Security Recommendation: Implement Secure Data Storage.

a. What is your security recommendation? Why did you choose it?

  • My security recommendation is to implement secure data storage practices in the Chord Chase Music Mobile Application. I chose this recommendation because it is crucial to protect sensitive user data, such as login credentials and personal information, from unauthorized access or data breaches.

b. Who does the recommendation benefit (end-user, developer, etc.)?

  • This recommendation primarily benefits the end-users of the Chord Chase Music Mobile Application. By securely storing their data, we ensure that their personal information and login credentials are protected, enhancing their trust in the app. It also benefits developers by preventing data security issues and potential legal liabilities.

c. If the recommendation was found somewhere other than the provided checklist, include a link to it.

  • The recommendation was obtained from the provided checklist.

d. When would the recommendation have to be implemented (based on how serious the security risk is)?

  • This recommendation should be implemented as a top priority, ideally at the beginning of the project. Data security is a serious concern, and any delay in implementing secure data storage practices could expose the application to serious security risks and potential data breaches.

e. Why do you think your project needs your recommendation?

  • Our project, the Chord Chase Music Mobile Application, involves handling user data and potentially sensitive information. Without proper data security measures, user data may be at risk of exposure, leading to potential privacy violations and trust issues. Implementing secure data storage is essential to safeguard user information.

f. How do you think your recommendation could be applied?
To apply the recommendation for Secure Data Storage, we can:
- Implement strong encryption algorithms to protect sensitive data, such as user credentials and personal information.
- Utilize secure key management practices to safeguard encryption keys.
- Apply access controls to restrict data access to authorized personnel only.
- Regularly audit and review data storage mechanisms to identify and address security vulnerabilities.

i. How feasible would the implementation be?

  • Implementing secure data storage practices is feasible but requires careful planning and attention to detail. It may involve integrating encryption libraries, implementing access controls, and following best practices for secure data handling.

Project Phase 6: Security Recommendations

Security Recommendations

What is your security recommendation? Why did you choose it?

For our security recommendation, I feel like focusing on implementing a better level of Data Storage would be the strongest addition to our application to improve the users’ experience, and ensure our application has appropriate storage to ensure our customers’ safety. The main reasons this would be the way to go are that there would be no sensitive data shared with third parties unless explicitly being asked and giving the user the choice of what to share and what not to share, and having no sensitive data ever written to application logs ensures the safety of the information if there was any type of breach. With our application being tied to the user’s account to load data, having no sensitive data exposed through the user interface, like signing in with a password or adding a payment method if needed, would add a strong layer of defense. If the user resets or purchases a new phone and wants to use a backup of previous data, our application will not save sensitive information, so the user will have to manually input everything again, and with it being a mobile app, having sensitive data removed when the app is running in the background will give our users ease of mind with their data.

Who does the recommendation benefit (end-user, developer, etc.)?

This recommendation benefits both the user and the developer. The users’ top priority will most likely be the security and safety of their information when downloading an application, and creating an account that uses a password that stores an email address, full name, and possibly payment information and address, having this security feature would be a strong influence on whether the user downloads our application. I also personally feel that this recommendation benefits the developer as well. When creating an application, there are morals and pressure in play to make sure all of the people willing to download and try a new application are satisfied and safe. A strong and secure app will ease the developer’s mind knowing there are layers of defense in play to make sure people are safe and not having their information stolen and having to deal with bad reviews and emails from users asking why their information has been exposed.

When would the recommendation have to be implemented (based on how serious the security risk is)?

This recommendation should be implemented during development and ideally in the planning phase of the app. Having any type of personal information saved or used in an application is a strong security risk and needs to be implemented and tested vigorously before the app goes live.

Why do you think your project needs your recommendation?

Our project needs this recommendation because we have implemented an account that displays the name and email address currently of the user. Having any type of information saved in an account and having preferences and playlists saved should be looked at as a security risk right away and currently, we don’t have any measures in place to defend against any type of breach.

How do you think your recommendation could be applied? / How feasible would the implementation be?

We could incorporate secure data encryption and local storage, SQLite for example could be a good choice to look at as it incorporates local lightweight storage for mobile apps and has features like database encryption for 256-bit AES encryption of files. Ensuring that sensitive data is not stored or displayed without the users’ permission and giving them a clear option to set on the interface. Feasibility would require a lot of time and effort spent in research and expertise in making sure all measures are coded correctly and have been constantly tested with every change, and continued testing up until the app goes live. Doing this ensures that our users will have trust in our application and help with the success and sustainability of the app.
