Merge pull request #270 from Ostorlab/feature/add-device-identifier-kb

feature: add device identifier kb

Author: Oussama-Bakri

MOBILE_CLIENT/ANDROID/_LOW/INTENT_SPOOFING/meta.json

@@ -2,7 +2,7 @@
   "risk_rating": "medium",
   "short_description": "The application is vulnerable to intent spoofing which may lead to inappropriate access like data modification, information disclosure and data injection.",
   "references": {
-    "Do not act on malicious intent (CERT Secure Coding)": "https://www.securecoding.cert.org/confluence/display/android/DRD06.+Do+not+act+on+malicious+intents",
+    "DRD06. Verify the caller of intents before acting on them": "https://wiki.sei.cmu.edu/confluence/display/android/DRD06.+Verify+the+caller+of+intents+before+acting+on+them",
     "Improper Access Control (CWE-284)": "https://cwe.mitre.org/data/definitions/284.html",
     "Intent Spoof (CAPEC-502)": "https://capec.mitre.org/data/definitions/502.html",
     "Analyzing Inter-Application Communication in Android": "https://people.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf"

MOBILE_CLIENT/COMMON/_LOW/COLLECTION_DEVICE_IDENTIFIER/description.md

@@ -0,0 +1,50 @@
+# Collection of Device Identifiers
+
+A **device identifier** is any value—hardware-based, platform-provided, or application-generated—that remains stable over time and can be used to uniquely identify a device or user across sessions. These identifiers enable device recognition and long-term correlation of activity, but also introduce significant privacy considerations.
+
+There are typically three families:
+
+## Hardware-Based Identifiers
+
+Hardware identifiers come from the device’s physical components or firmware and usually remain constant for the lifetime of the device.
+
+* **IMEI / MEID**: Unique modem identifiers historically used to identify mobile devices. Access is highly restricted on modern operating systems.
+* **Serial Number**: A unique hardware identifier assigned by the manufacturer. Generally not accessible to normal applications.
+
+## Platform-Provided Identifiers
+
+Operating systems expose identifiers with limited scope or permissions.
+
+* **Android ID**: A stable, app-scoped identifier that persists across reinstalls for the same app and signing key on modern Android versions.
+* **IDFV (Identifier for Vendor)**: An iOS identifier shared across apps belonging to the same vendor, reset only if all of the vendor’s apps are uninstalled.
+* **IDFA (Advertising Identifier)**: A user-resettable identifier used for advertising and analytics, available only with user consent under modern privacy frameworks.
+
+## Application-Generated Identifiers
+
+Applications may generate their own identifiers and store them persistently.
+
+* **Custom UUIDs**: Random identifiers stored in local storage or secure system keychains, potentially surviving app reinstalls.
+* **Derived or hashed identifiers**: Values created by combining device attributes.
+
+These identifiers function as device identifiers if they can be used to correlate user activity over time.
+
+## Privacy & Regulatory Considerations
+
+Under major privacy regulations such as **GDPR**, **CCPA**, and similar frameworks, persistent device identifiers are classified as **personal data** because they allow the identification or tracking of a user or device. Improper handling may violate:
+
+* **Data minimization**
+* **Purpose limitation**
+* **Transparency requirements**
+* **Consent obligations**
+
+Platform policies (e.g., Apple App Store, Google Play) further restrict the use of persistent identifiers for analytics, advertising, or cross-app tracking without explicit user authorization.
+
+## Security & Compliance Implications
+
+Persistent identifiers can be misused for:
+
+* Device fingerprinting  
+* Cross-app or cross-service tracking  
+* Behavioral profiling  
+
+Because of this, they require careful handling and justification for collection.

MOBILE_CLIENT/COMMON/_LOW/COLLECTION_DEVICE_IDENTIFIER/meta.json

@@ -0,0 +1,14 @@
+{
+  "risk_rating": "low",
+  "short_description": "The application collects a device identifier that can be used to track users across sessions and applications.",
+  "references": {
+    "Android Developers - Identifiers": "https://developer.android.com/training/articles/user-data-ids",
+    "Android Developers - App Set ID": "https://developer.android.com/training/articles/app-set-id",
+    "Apple Developer - Identifier for Vendor (IDFV)": "https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor"
+  },
+  "title": "Collection of Device Identifier",
+  "cvss_v3_vector": "",
+  "privacy_issue": true,
+  "security_issue": false,
+  "categories": {}
+}

MOBILE_CLIENT/COMMON/_LOW/COLLECTION_DEVICE_IDENTIFIER/recommendation.md

@@ -0,0 +1,14 @@
+## Recommendation
+
+For secure and privacy-respecting handling of persistent device identifiers, it is crucial to follow best practices that minimize tracking risks and comply with privacy regulations. Two general strategies are recommended:
+
+* **Limit Collection and Prefer Safer Identifiers**: Only collect persistent device identifiers when strictly necessary for core application functionality. Avoid hardware-based identifiers like IMEI or serial numbers unless there is a compelling operational need. When collection is required, prefer safer alternatives such as platform-approved app-scoped identifiers (e.g., Android’s App Set ID, iOS’s IDFV) or ephemeral/custom-generated UUIDs stored securely for the duration of the app lifecycle.
+
+
+* **Transparency and Consent**: Clearly document the purpose of collecting any persistent identifier. Disclose collection practices in the privacy policy and obtain user consent where legally required.
+
+* **Secure Storage**: Store any persistent identifiers securely using platform-provided secure storage mechanisms (e.g., Android Keystore, iOS Keychain). Avoid storing identifiers in plain text or in locations accessible to other apps.
+
+* **Avoid Cross-App Tracking**: Do not use persistent identifiers for advertising, analytics, or tracking across multiple apps unless explicitly allowed by platform policies and user consent.
+
+By following these best practices, applications can reduce privacy risks, comply with regulatory requirements, and maintain user trust.

MOBILE_CLIENT/COMMON/_MEDIUM/INSECURE_PASSWORD_STORAGE/meta.json

@@ -4,7 +4,7 @@
   "risk_rating": "medium",
   "references": {
     "OWASP Insecure Cryptographic Storage": "https://www.owasp.org/index.php/Top_10_2010-A7-Insecure_Cryptographic_Storage",
-    "OWASP Insecure Storage": "https://www.owasp.org/index.php/Insecure_Storage",
+    "OWASP Insecure Data Storage": "https://owasp.org/www-project-mobile-top-10/2023-risks/m9-insecure-data-storage",
     "CWE-522 Insufficiently Protected Credentials": "https://cwe.mitre.org/data/definitions/522.html",
     "CWE-312 Cleartext Storage of Sensitive Information": "https://cwe.mitre.org/data/definitions/312.html",
     "CWE-256 Plaintext Storage of a Password": "https://cwe.mitre.org/data/definitions/256.html"