Apply suggestions from code review

Co-authored-by: Carlos Holguera <[email protected]>
OWASP · Nov 7, 2024 · 6bc39aa · 6bc39aa
1 parent a5636b0
commit 6bc39aa
Showing 1 changed file with 7 additions and 5 deletions.
diff --git a/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md b/tests-beta/android/MASVS-RESILIENCE/MASTG-TEST-0x38.md
@@ -9,9 +9,11 @@ weakness: MASWE-0104
 
 ## Overview
 
-Applications need to be properly signed to safeguard their integrity and protect them from tampering. Android has evolved its signing schemes over time to enhance security, with newer versions offering more robust mechanisms. Check [APK Signing Schemes](../../../Document/0x05a-Platform-Overview.md#signing-process) for more details.
+Not using newer APK signing schemes means that the app lacks the enhanced security provided by more robust, updated mechanisms.
 
-This test checks if the insecure v1 signature scheme is enabled for applications targeting Android 7.0 (API level 24) and above.
+This test checks if the outdated v1 signature scheme is enabled. The v1 scheme is vulnerable to certain attacks, such as the "Janus" vulnerability ([CVE-2017-13156](https://nvd.nist.gov/vuln/detail/CVE-2017-13156)), because it does not cover all parts of the APK file, allowing malicious actors to potentially **modify parts of the APK without invalidating the signature**. Relying solely on v1 signing therefore increases the risk of tampering and compromises app security.
+
+To learn more about APK Signing Schemes, see [this document](../../../Document/0x05a-Platform-Overview.md#signing-process).
 
 ## Steps
 
@@ -24,7 +26,9 @@ The output should contain the value of the `minSdkVersion` attribute and the use
 
 ## Evaluation
 
-The test case fails if the app targets Android 7.0 (API level 24) and above, and only the v1 signature scheme is enabled.
+The test case fails if the app has a `minSdkVersion` attribute of 24 and above, and only the v1 signature scheme is enabled.
+
+To mitigate this issue, ensure that the app is signed with at least the v2 or v3 APK signing scheme, as these provide comprehensive integrity checks and protect the entire APK from tampering. For optimal security and compatibility, consider using v3, which also supports key rotation. Optionally, you can add v4 signing to enable faster [incremental updates](https://developer.android.com/about/versions/11/features#incremental) in Android 11 and above, but v4 alone does not provide security protections and should be used alongside v2 or v3.
 
 The signing configuration can be managed through Android Studio or the `signingConfigs` section in `build.gradle` or `build.gradle.kts`. To activate both the v3 and v4 schemes, the following values must be set:
 
@@ -41,5 +45,3 @@ android {
   }
 }
 ```
-
-Note that APK v4 signing is optional and the lack of it does not represent a vulnerability. It is meant to allow developers to quickly deploy large APKs using the [ADB Incremental APK installation](https://developer.android.com/about/versions/11/features#incremental) in Android 11 and above.