Add playful description for MobileApp AA4 card#2113
Hi @sydseter 👋
Remember to keep it real. Have a look at the STRIDE example for AA2 and AA3 I just released. Let's keep it consistent.
Have a look at the MASTG mapping references. They should give a good idea what to write under “What are we going to do about it?”
This update revises the AA4 Mobile App card description to better align with the STRIDE examples used in AA2 and AA3. The previous version was adjusted to reduce playful language and focus on realistic attacker behavior, specifically request interception and tampering due to missing server-side validation and authorization. The goal is consistency in tone, structure, and STRIDE interpretation across the Mobile App Authentication & Authorization cards.
This update refines the Mobile App AA4 card description to align with the recently released STRIDE examples for AA2 and AA3. The original version was adjusted to reduce playful language and focus on a realistic attack scenario involving request interception and tampering. A new “What are we going to do about it?” section was added, guided by the OWASP Mobile Application Security Testing Guide (MASTG), to provide clear, high-level mitigation guidance. The goal of these changes is to ensure consistency in tone, structure, and STRIDE interpretation across the Mobile App Authentication & Authorization cards on the Cornucopia website.
Thanks for the guidance @sydseter 👍
This change updates the AA4 Mobile App card to follow the STRIDE-first structure used in Cornucopia. Previously, the description started with an attacker scenario. It now explicitly states that the issue falls under the Tampering category in the STRIDE threat modeling framework, matching the structure of the referenced STRIDE example cards. Earlier updates added realistic attack context and a “What are we going to do about it?” section based on MASTG guidance. These changes were made to keep AA4 consistent with the AA2 and AA3 card format and the Adam Shostack threat modeling approach.
Thanks for the clarification. I’ve updated AA4 to use a STRIDE-first structure, aligned with the example cards you referenced, and kept the rest consistent with AA2 and AA3. Please let me know if this looks correct now.
…n” vs “could”), and clarified client-side authentication and keystore misuse scenarios in line with the referenced MASTG guidance.
I’ve updated AA4 to fully align with the STRIDE-first structure, corrected “can” vs “could”, and clarified the mobile-specific trust boundaries. The text now explicitly covers client-side authentication scenarios (hardware-backed keystores/keychains, CryptoObject misuse, exception handling) and backend authorization where applicable, in line with the referenced MASTG guidance. Please let me know if this now meets the expected framing.
Sir, done. Please have a check and let me know if there is anything else you want to edit.
This looks great now! Remember to add yourself to the contributor list!
This pull request adds a playful, scenario-based description for the Mobile App Edition AA4 card on the Cornucopia website.
Card: AA4 – Authentication & Authorization
STRIDE category: Tampering
Content is aligned with MASVS / MASTG and the physical Cornucopia cards
Tone and structure follow the existing AA2 / AA3 card descriptions
Website description added via explanation.md (no technical notes modified)
Fixes #2109