From 707f046d637fb78f69c46598207f1c4888f465e2 Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Thu, 18 Jan 2024 11:32:04 +0100 Subject: [PATCH] add privacy controls --- controls/MASVS-PRIVACY-1.md | 13 +++++++++++++ controls/MASVS-PRIVACY-2.md | 11 +++++++++++ controls/MASVS-PRIVACY-3.md | 9 +++++++++ controls/MASVS-PRIVACY-4.md | 9 +++++++++ 4 files changed, 42 insertions(+) create mode 100644 controls/MASVS-PRIVACY-1.md create mode 100644 controls/MASVS-PRIVACY-2.md create mode 100644 controls/MASVS-PRIVACY-3.md create mode 100644 controls/MASVS-PRIVACY-4.md diff --git a/controls/MASVS-PRIVACY-1.md b/controls/MASVS-PRIVACY-1.md new file mode 100644 index 000000000..8f13f0688 --- /dev/null +++ b/controls/MASVS-PRIVACY-1.md @@ -0,0 +1,13 @@ +# MASVS-PRIVACY-1 + +## Control + +The app minimizes access to sensitive data and resources. + +## Description + +Apps should only request access to the data they absolutely need for their functionality and always with informed consent from the user. This control ensures that apps practice data minimization and restricts access control, reducing the potential impact of data breaches or leaks. + +Furthermore, apps should share data with third parties only when necessary, and this should include enforcing that third-party SDKs operate based on user consent, not by default or without it. Apps should prevent third-party SDKs from ignoring consent signals or from collecting data before consent is confirmed. + +Additionally, apps should be aware of the 'supply chain' of SDKs they incorporate, ensuring that no data is unnecessarily passed down their chain of dependencies. This end-to-end responsibility for data aligns with recent SBOM regulatory requirements, making apps more accountable for their data practices. diff --git a/controls/MASVS-PRIVACY-2.md b/controls/MASVS-PRIVACY-2.md new file mode 100644 index 000000000..b01d587c0 --- /dev/null +++ b/controls/MASVS-PRIVACY-2.md @@ -0,0 +1,11 @@ +# MASVS-PRIVACY-2 + +## Control + +The app prevents identification of the user. + +## Description + +Protecting user identity is crucial. This control emphasizes the use of unlinkability techniques like data abstraction, anonymization and pseudonymization to prevent user identification and tracking. + +Another key aspect addressed by this control is to establish technical barriers when employing complex 'fingerprint-like' signals (e.g. device IDs, IP addresses, behavioral patterns) for specific purposes. For instance, a fingerprint used for fraud detection should be isolated and not repurposed for audience measurement in an analytics SDK. This ensures that each data stream serves its intended function without risking user privacy. diff --git a/controls/MASVS-PRIVACY-3.md b/controls/MASVS-PRIVACY-3.md new file mode 100644 index 000000000..a7608be07 --- /dev/null +++ b/controls/MASVS-PRIVACY-3.md @@ -0,0 +1,9 @@ +# MASVS-PRIVACY-3 + +## Control + +The app is transparent about data collection and usage. + +## Description + +Users have the right to know how their data is being used. This control ensures that apps provide clear information about data collection, storage, and sharing practices, including any behavior a user wouldn't reasonably expect, such as background data collection. Apps should also adhere to platform guidelines on data declarations. diff --git a/controls/MASVS-PRIVACY-4.md b/controls/MASVS-PRIVACY-4.md new file mode 100644 index 000000000..45bc96662 --- /dev/null +++ b/controls/MASVS-PRIVACY-4.md @@ -0,0 +1,9 @@ +# MASVS-PRIVACY-4 + +## Control + +The app offers user control over their data. + +## Description + +Users should have control over their data. This control ensures that apps provide mechanisms for users to manage, delete, and modify their data, and change privacy settings as needed (e.g. to revoke consent). Additionally, apps should re-prompt for consent and update their transparency disclosures when they require more data than initially specified.