V2.5 - Verify that the clipboard is deactivated on text fields that may contain sensitive data.

[fevertree]

As long as applications allow users to authenticate via password, users should be allowed to paste in passwords from clipboard. Unique passwords for each and every service that a person uses is considered to be an industry standard recommendation. By not allowing a user to paste in their password, the MASVS goes against this practice.

[Sjord]

The attack vector here is that all apps on the phone can read the clipboard (article, PoC). I think disallowing paste on passwords inputs is not a solution to this. Users only notice this when they try to paste, when they already have copied the password to the clipboard. Also, I think this could be a consideration for the user between convenience and security: whether he uses the same password for everything, uses a password manager with copy-paste, or memorizes 50 passwords of the top of his head.

[sushi2k]

Agree with both of you. Disallowing this in a password field will make the user not happy and when he copies a password, credit card number etc and finds out that he is not allowed to paste it in it's already to late.
As always it's a balance between security and convenience for the user.
Due to the fact that the clipboard is accessible systemwide on Android and iOS, it's definitely an attack vector, especially for malware on Android. The MASVS should not be seen as a list that you need to implement but a consistent and mature list that gives you requirements that might be applicable to your app. If you implement them or not is your decision and there might always be good reasons for both, it should just be documented and agreed by all involved parties (business, developers etc).

[fevertree]

The attack vector of other applications being able to read the clipboard hadn't occurred to me, and is indeed a serious concern for the user. As a security tester one of my recommendations here would be to to at least supplement the password authentication some sort of MFA.

[sushi2k]

The requirement is addressing sensitive data in general. So can be of course the password, but also credit card data, username or other PII.

2FA is available in another requirement:

4.9 - A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced.

[fevertree]

Sounds good. Closing the issue!

[konanpen]

The 4.9 - A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced covers only the password or authentication of the user. What about other PII data which may be stored in the clipboard. I believe the clipboard requirement should be included in the new verification standard.

[cpholguera]

Hi @konanpen, the next version of the MASVS has a PLATFORM control addressing this situation:

"The app uses the user interface securely."

The MASTG will contain all the specifics in the form of a collection of tests. One of them will cover this specific topic. It will be up to you to apply it to an app or not. That would depend on the threat model of the app.