From e5307b919d0481decf4fb701d217868a216ad004 Mon Sep 17 00:00:00 2001 From: Margaret Fero Date: Wed, 22 May 2024 09:34:50 -0700 Subject: [PATCH 1/3] Adding initial draft of forthcoming security doc --- docs/how-to/security-tips.rst | 62 +++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 docs/how-to/security-tips.rst diff --git a/docs/how-to/security-tips.rst b/docs/how-to/security-tips.rst new file mode 100644 index 000000000..fa61c2436 --- /dev/null +++ b/docs/how-to/security-tips.rst 
@@ -0,0 +1,62 @@ +=== +Security Tips +=== + +This guide will walk you through some key security considerations for publishing your +first app. +.. admonition: This is a draft. + + This documentation is currently an incomplete draft, and should not be relied on + for completeness, grammar, or accuracy.. + +* Keeping Your Personal Information Private +* Protecting Your Signing Keys +* +* +* +* +* +* +* +* + +Keeping Your Personal Information Private +===================== +.. admonition: This is a draft. + + This admonition will be removed when content has been drafted and reviewed. +* The information you provide about yourself in your `pyproject.toml` file will be visible +to your users and the general public. +* Don’t use an important email for publishing +* The name you publish under will be public, and you may or may not be able to +fully remove/change it later +* Something about judicious use of path names wrt “The packages (and other various source code + and data-defining attributes) in setup.py have been replaced with a single sources key. The + paths specified in sources will be copied in their entirety into the packaged application.” +* You may wish to open the Android bundle file with an unarchiving program, open the `resources.pb`` file, +and confirm that the name appearing in the first line is the one you intend to make public. If it's not, you +can update it in `pyproject.toml`. + +Protecting Your Signing Keys +============================ + +.. admonition: This is a draft. + + This admonition will be removed when content has been drafted and reviewed. 
+ +* Add your keystore (as generated in https://briefcase.readthedocs.io/en/stable/how-to/code-signing/android.html) + to your gitignore before generating the signing key, so you don’t accidentally disclose +* It is more important to protect the file than to change the password, but you should still change the password + * Some jurisdictions have compliance requirements wrt use of default passwords that you may run afoul of + * Post-SHAttered this is very iumportant tbh. +* Signing Certificates are intended to be used for multiple applications. However, keep in mind that users may be +able to associate your apps with each other using the signing key. This is totally fine for almost everyone, but +may be worth considering if you work on any apps of sensitive nature. + + +Section 3 +====================== + +.. admonition: This is a draft. + + This admonition will be removed when content has been drafted and reviewed. \ No newline at end of file From 690a2eaeb3665c8f0c544f1efd412cd31d4f8c8e Mon Sep 17 00:00:00 2001 From: Margaret Fero Date: Wed, 22 May 2024 11:21:39 -0700 Subject: [PATCH 2/3] Add section on protecting credentials --- docs/how-to/security-tips.rst | 47 +++++++++++++++++++---------------- 1 file changed, 26 insertions(+), 21 deletions(-) diff --git a/docs/how-to/security-tips.rst b/docs/how-to/security-tips.rst index fa61c2436..d37202dc4 100644 --- a/docs/how-to/security-tips.rst +++ b/docs/how-to/security-tips.rst @@ -1,8 +1,8 @@ === -Security Tips +Security Tips === -This guide will walk you through some key security considerations for publishing your +This guide will walk you through some key security considerations for publishing your first app. .. admonition: This is a draft. 
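Review bot: the RST in this new file will not build cleanly, and the most damaging problem is that every `.. admonition: This is a draft.` uses a single colon, so docutils parses it as a comment and the draft warning silently disappears from the rendered page; the directive syntax is `.. admonition:: This is a draft.`, and it also needs a blank line before it (it currently follows `first app.` directly, which makes it part of that paragraph). The title overline/underline `===` is shorter than `Security Tips`, and `=====================` is shorter than `Keeping Your Personal Information Private`; docutils reports both as "Title overline too short" / "Title underline too short", since the line must be at least as long as the heading text. Continuation lines of bullet items (`to your users and the general public.`, `fully remove/change it later`, `and confirm that the name appearing in the first line ...`) are unindented, which ends the list early and triggers "Bullet list ends without a blank line; unexpected unindent", and the bullet list that directly follows the admonition body needs a blank line before it for the same reason. Inline code should use double backticks (``pyproject.toml``); the single-backtick form renders as a title reference, and `resources.pb`` has mismatched backticks. On content: `so you don't accidentally disclose` is missing its object (commit it? publish it?), `accuracy..` has a doubled period, `iumportant` is a typo, and the SHAttered reference should either explain how a SHA-1 collision bears on keystore password strength or be dropped, because the connection is not obvious to someone publishing a first app.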
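Review bot: the `@@ -1,8 +1,8 @@` hunk only strips trailing whitespace from `Security Tips` and `for publishing your`, so it is worth squashing into the patch that created the file rather than carrying a whitespace-only change in the history; an editor setting or a pre-commit trailing-whitespace hook would also catch this before it reaches review.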
@@ -11,52 +11,57 @@ first app. * Keeping Your Personal Information Private * Protecting Your Signing Keys -* -* -* -* -* -* -* -* +* Protecting Your Credentials +* +* +* +* +* +* +* Keeping Your Personal Information Private ===================== .. admonition: This is a draft. - This admonition will be removed when content has been drafted and reviewed. + This admonition will be removed when content has been drafted and reviewed. * The information you provide about yourself in your `pyproject.toml` file will be visible to your users and the general public. * Don’t use an important email for publishing -* The name you publish under will be public, and you may or may not be able to +* The name you publish under will be public, and you may or may not be able to fully remove/change it later -* Something about judicious use of path names wrt “The packages (and other various source code - and data-defining attributes) in setup.py have been replaced with a single sources key. The +* Something about judicious use of path names wrt “The packages (and other various source code + and data-defining attributes) in setup.py have been replaced with a single sources key. The paths specified in sources will be copied in their entirety into the packaged application.” * You may wish to open the Android bundle file with an unarchiving program, open the `resources.pb`` file, -and confirm that the name appearing in the first line is the one you intend to make public. If it's not, you -can update it in `pyproject.toml`. +and confirm that the bundle name appearing in the first line is the one you intend to make public. If it's not, you +can update the bundle name in `pyproject.toml`. Protecting Your Signing Keys ============================ .. admonition: This is a draft. - This admonition will be removed when content has been drafted and reviewed. + This admonition will be removed when content has been drafted and reviewed. 
* Add your keystore (as generated in https://briefcase.readthedocs.io/en/stable/how-to/code-signing/android.html) to your gitignore before generating the signing key, so you don’t accidentally disclose * It is more important to protect the file than to change the password, but you should still change the password * Some jurisdictions have compliance requirements wrt use of default passwords that you may run afoul of * Post-SHAttered this is very iumportant tbh. -* Signing Certificates are intended to be used for multiple applications. However, keep in mind that users may be -able to associate your apps with each other using the signing key. This is totally fine for almost everyone, but +* Signing Certificates are intended to be used for multiple applications. However, keep in mind that users may be +able to associate your apps with each other using the signing key. This is totally fine for almost everyone, but may be worth considering if you work on any apps of sensitive nature. -Section 3 +Protecting Your Credentials ====================== .. admonition: This is a draft. - This admonition will be removed when content has been drafted and reviewed. \ No newline at end of file + This admonition will be removed when content has been drafted and reviewed. + + * iOS publishing requires a set of credentials for your app if your app requires login; these should be unique + credentials to an account used only for this purpose, and it's especially important to use a randomly-generated + password and/or unpredictable username for this account because everyone familiar with app store policies will + know there is one, and you won't be logging into it regularly which makes it especially vulnerable to ATO. From 7b70ee3ebafd279dd8567a675a59725d5e2f5b80 Mon Sep 17 00:00:00 2001 
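Review bot: the new iOS credentials bullet is indented under the admonition body (`+    * iOS publishing requires a set of credentials ...`), so it will render inside the "This is a draft" admonition instead of as a section bullet; dedent it to column 0 and put a blank line after the admonition. The new heading `Protecting Your Credentials` is longer than its `======================` underline, and `ATO` should be spelled out (account takeover) on first use given the first-time-publisher audience. The advice itself is sound; consider adding that this review account should hold no real user data and only the permissions the store's review process needs, since a long-lived, rarely used account is exactly the one whose takeover goes unnoticed. The remaining empty `+* ` placeholders in the table of contents are still there; `.. contents:: :local:` would generate this list from the section headings and remove the need to maintain it by hand.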
From: Margaret Fero Date: Fri, 24 May 2024 13:20:41 -0700 Subject: [PATCH 3/3] Update after IA review with @freakboy3742 and @phildini --- docs/how-to/security-tips.rst | 85 ++++++++++++++++++++--------------- 1 file changed, 49 insertions(+), 36 deletions(-) diff --git a/docs/how-to/security-tips.rst b/docs/how-to/security-tips.rst index d37202dc4..0524f2f9e 100644 --- a/docs/how-to/security-tips.rst +++ b/docs/how-to/security-tips.rst 
@@ -9,59 +9,72 @@ first app. This documentation is currently an incomplete draft, and should not be relied on for completeness, grammar, or accuracy.. +* Protecting Your Signing Certificates +* Publishing Process Tips +* Choosing Your Publishing Information * Keeping Your Personal Information Private -* Protecting Your Signing Keys -* Protecting Your Credentials -* -* -* -* -* -* -* +* General App Development Considerations + +Protecting Your Signing Certificates +============================ -Keeping Your Personal Information Private -===================== .. admonition: This is a draft. This admonition will be removed when content has been drafted and reviewed. -* The information you provide about yourself in your `pyproject.toml` file will be visible -to your users and the general public. -* Don’t use an important email for publishing -* The name you publish under will be public, and you may or may not be able to -fully remove/change it later -* Something about judicious use of path names wrt “The packages (and other various source code - and data-defining attributes) in setup.py have been replaced with a single sources key. The - paths specified in sources will be copied in their entirety into the packaged application.” -* You may wish to open the Android bundle file with an unarchiving program, open the `resources.pb`` file, -and confirm that the bundle name appearing in the first line is the one you intend to make public. If it's not, you -can update the bundle name in `pyproject.toml`. -Protecting Your Signing Keys +* Signing Certificates are intended to be used for multiple applications. However, keep in mind that users may be +able to associate your apps with each other using the signing key. This is totally fine for almost everyone, but +may be worth considering if you work on any apps of sensitive nature. 
+* It is more important to protect the file than to change the password, but you should still change the password + * Some jurisdictions have compliance requirements wrt use of default passwords that you may run afoul of + * Post-SHAttered this is very iumportant tbh. +* Add your keystore (as generated in https://briefcase.readthedocs.io/en/stable/how-to/code-signing/android.html) + to your gitignore before generating the signing key, so you don’t accidentally disclose + +Publishing Process Tips ============================ +.. admonition: This is a draft. + + This admonition will be removed when content has been drafted and reviewed. +* iOS publishing requires a set of credentials for your app if your app requires login; these should be unique + credentials to an account used only for this purpose, and it's especially important to use a randomly-generated + password and/or unpredictable username for this account because everyone familiar with app store policies will + know there is one, and you won't be logging into it regularly which makes it especially vulnerable to ATO. + +Choosing Your Publishing Information +====================== .. admonition: This is a draft. This admonition will be removed when content has been drafted and reviewed. -* Add your keystore (as generated in https://briefcase.readthedocs.io/en/stable/how-to/code-signing/android.html) - to your gitignore before generating the signing key, so you don’t accidentally disclose -* It is more important to protect the file than to change the password, but you should still change the password - * Some jurisdictions have compliance requirements wrt use of default passwords that you may run afoul of - * Post-SHAttered this is very iumportant tbh. -* Signing Certificates are intended to be used for multiple applications. However, keep in mind that users may be -able to associate your apps with each other using the signing key. 
This is totally fine for almost everyone, but -may be worth considering if you work on any apps of sensitive nature. +* The information you provide about yourself in your `pyproject.toml` file will be visible +to your users and the general public. + * You may wish to open the Android bundle file with an unarchiving program, open the + `resources.pb`` file,and confirm that the bundle name appearing in the first line is the one + you intend to make public. If it's not, you can update the bundle name in `pyproject.toml`. + +Keeping Your Personal Information Private +===================== +.. admonition: This is a draft. + This admonition will be removed when content has been drafted and reviewed. -Protecting Your Credentials +* Don’t use an important email for publishing +* The name you publish under will be public, and you may or may not be able to +fully remove/change it later +* Something about judicious use of path names wrt “The packages (and other various source code + and data-defining attributes) in setup.py have been replaced with a single sources key. The + paths specified in sources will be copied in their entirety into the packaged application.” and also + https://briefcase.readthedocs.io/en/stable/reference/environment.html#briefcase-home + + +General App Development Considerations ====================== .. admonition: This is a draft. This admonition will be removed when content has been drafted and reviewed. - * iOS publishing requires a set of credentials for your app if your app requires login; these should be unique - credentials to an account used only for this purpose, and it's especially important to use a randomly-generated - password and/or unpredictable username for this account because everyone familiar with app store policies will - know there is one, and you won't be logging into it regularly which makes it especially vulnerable to ATO. 
+* OWASP Top 10 reference with highlights about ones especially likely to matter here +* OWASP Mobile Top 10 reference with specific callouts to elemenmts likely to matter here \ No newline at end of file
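Review bot: the reorganisation carries the earlier markup problems into the new headings: `Protecting Your Signing Certificates`, `Choosing Your Publishing Information`, `Keeping Your Personal Information Private` and `General App Development Considerations` are all longer than their `=` underlines, every `.. admonition:` still has a single colon, and in the `Keeping Your Personal Information Private` section the blank line between `.. admonition: This is a draft.` and `This admonition will be removed ...` was dropped, so once the directive is corrected that body line would be read as a continuation of the title. The nested `resources.pb` item is now indented under the `pyproject.toml` bullet without a blank line before it, and the parent's continuation line (`to your users and the general public.`) is still unindented, so docutils will not parse it as a sub-list; `resources.pb`` also keeps its stray backtick. The `sources` placeholder bullet is the most security-relevant item on the page and deserves a real sentence: because the paths in `sources` are copied in their entirety, anything sitting inside them (local config, `.env` files, the keystore from the signing section) ships to every user, and `.gitignore` only keeps such files out of git, not out of the bundle, so it is worth cross-referencing from the keystore bullet. `so you don't accidentally disclose` is still missing its object, `iumportant` and `elemenmts` are typos, and the two OWASP placeholders can link https://owasp.org/www-project-top-ten/ and https://owasp.org/www-project-mobile-top-10/.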