[guardian-dev] Blackphone's Privacy AppStore

Nathan of Guardian nathan at guardianproject.info
Tue Mar 3 18:43:06 EST 2015


Information on how to submit your app to Blackphone's app store, and
pasted in below, the full text from their PDF
(https://blog.blackphone.ch/wp-content/uploads/2015/02/Silent-Store_Process-Requirements-Agreement-Document.pdf)
on the whole process.

You have to sign an NDA and Confidential Agreement in order to
participate.

****
https://blog.blackphone.ch/2015/02/13/silentstoreparticipation/

Dear Privacy Enthusiast,

We are delighted to welcome app developers to our privacy-first Silent
Store. We are confident this will become a premier venue for discovery
and distribution of privacy-conscious apps to enterprise and individual
customers around the world.

Our goal is to ensure that every app in Silent Store is transparent
about what it does, takes no liberties with private information already
on the device, and uses reasonable security-minded coding and
implementation practices. We want Silent Store to become the premier
destination for those apps which don’t take the easy way out. No sketchy
built-in advertising trackers. No duplicitous functions concealed from
the user. No sloppy inconsistencies between what you say your app does
vs. what it actually does when we put it under a microscope.

Silent Store will be going online soon, and we want to invite you to
submit your apps for inclusion. There are a few things we need to share
with you:

– At the outset, there is no payment option for Silent Store, so your
apps must be free to download and use. We will add payment mechanisms in
the future.
– All apps will be subjected to a vetting process, the details of which
are outlined in the document linked below.
– You must review and sign an agreement between yourself and us before
your app can be included in Silent Store.
– At launch, Silent Store will only be available to devices running
PrivatOS. In general your Android-compatible apps should work provided
they have no hard dependencies on Google Play services.
– Not all apps submitted will be accepted.

So please, download this file, read it, and when you’re ready to move to
the next step, send us an email to appstore-submissions at blackphone.ch
with the information listed below. We will review your submission per
the Process Requirements Agreement document and contact you accordingly.

– Phone Number & Time Zone
– Email Address (with PGP key if possible)
– Website
– App name and a full description of the app

Thanks very much for your interest, we look forward to building a great
community with you!

Yours in private communications,

Toby Weir-Jones

CEO Blackphone

***

NOT FOR EXECUTION!

MUTUAL NONDISCLOSURE AND CONFIDENTIALITY AGREEMENT

This Mutual Nondisclosure and Confidentiality Agreement (the “Agreement”) is effective as of the ________________________ 2015 (the “Effective Date”) between SGP Technologies, SA, a Switzerland Société Anonyme and ____________________________________________________________________________ __________________________________________.

WHEREAS, in connection with discussions about, and the evaluation and negotiation of, a potential business relationship or transaction between the parties to this Agreement, each party is prepared to furnish the other party with certain confidential and proprietary information on the terms set forth in this Agreement;

NOW THEREFORE, in consideration of the mutual agreements and covenants set forth herein, the parties agree as follows:

1. Definitions. The following terms shall have the meanings set forth opposite such terms:

1.1 “Affiliate” shall mean any partnership, joint venture, corporation or other form of enterprise, domestic or foreign, including but not limited to subsidiaries, that directly or indirectly, control, are controlled by, or are under common control with a party to this Agreement.

1.2 “Confidential Information” means information and related materials (whether disclosed in writing, or orally and reduced to writing promptly thereafter) of one of the parties to this Agreement or its Affiliates (the “Disclosing Party”) and disclosed by the Disclosing Party or its representative to the other party hereto (the “Receiving Party”) that is (a) not generally known to the public and (b) identified as confidential (or, to a reasonable person, would be expected to be confidential) including, but not limited to: financial information or projections; business trends; lists of and information about suppliers, dealers, potential customers, and associated statistical and financial information; designs, specifications and uses of products and services; information about clients that does not contain personally identifiable information; industry research; technologies and related documentation; marketing; trade secrets; business and strategic plans; price and cost structures; and other significant and valuable business information. “Confidential Information” also includes the terms of this Agreement.

1.3 “Disclosing Party” means a party or its Affiliate or authorized representative that provides Confidential Information to the other party to this Agreement. “Receiving Party” means a party to this Agreement that receives such Confidential Information from the Disclosing Party.
2. Confidentiality Obligations.

2.1 Receiving Party shall:

(a) protect the confidentiality of the Confidential Information (using in any case, not less than the efforts such party uses to protect its own confidential information and no less than a reasonable degree of care), and prevent any access to or reproduction, disclosure or use of any of the Confidential Information other than by Receiving Party in pursuance of Receiving Party's business relationship or proposed business relationship with Disclosing Party and then only in strict compliance with the provisions hereof and subject to any applicable laws;

(b) disclose the Confidential Information only to those officers, directors, shareholders, partners, agents, attorneys, Affiliates and employees of Receiving Party who have a legitimate need to know such information in pursuance of Receiving Party's business relationship with Disclosing Party (such persons are hereinafter collectively referred to as “Recipients”) and, in the event the employment of any such person is terminated, use reasonable efforts to recover any Confidential Information in such person's custody or control;

(c) advise its Recipients of the confidential and proprietary nature of the Confidential Information and of the obligations in this Agreement and take appropriate action by written agreement with its Recipients to bind the Recipients to the confidentiality obligations under this Agreement;

(d) promptly notify Disclosing Party in writing of any unauthorized use or disclosure of the Confidential Information of which it has knowledge, including a detailed description of the circumstances of the disclosure and the parties involved and cooperate with the Disclosing Party to obtain the return of such Confidential Information; and

(e) advise its affiliates, officers, employees and agents that receive or have access to the Confidential Information that federal and state securities laws prohibit any person who has material non-public information concerning the Disclosing Party from purchasing or selling securities of the Disclosing Party or from communicating such information to any other person.

2.2 Notwithstanding the provisions of Section 2.1 above, information and materials provided by Disclosing Party shall not be considered Confidential Information to the extent that: (a) such information was known by Receiving Party prior to its disclosure by Disclosing Party; (b) such information came into the possession of Receiving Party, directly or indirectly, from persons who were not under any obligation to maintain the confidentiality of such information; (c) such information has become part of the public domain through no act or fault on the part of Receiving Party in breach of this Agreement; or (d) such information was independently developed by or for Receiving Party without the use of Confidential Information and the Receiving Party can verify the development of such information by written documentation.
Additionally, Receiving Party may disclose: (i) Confidential Information where required pursuant to legal process (e.g., subpoena, interrogatories or similar legal process) or by law, provided that in such instance the Receiving Party shall use best efforts to provide advance written notice of such event to Disclosing Party and to reasonably cooperate with Disclosing Party so that the Disclosing Party may seek an appropriate protective order or waive compliance by the Receiving Party with the provisions of this Agreement, or both. If, absent the entry of a protective order or receipt of a waiver, the Receiving Party is, in the opinion of its legal counsel, legally compelled to disclose such Confidential Information, the Receiving Party may disclose such Confidential Information to the person and to the extent required without liability under this Agreement provided that Receiving Party uses its best efforts to obtain confidential treatment for any Confidential Information so disclosed; and (ii) the existence and summary of this Agreement in regulatory filings as required by law, regulation or standard accounting rules (e.g. FASB).

2.3 Nothing herein is intended to limit or abridge the protection of trade secrets under applicable trade secrets law, and the protection of trade secrets by the Receiving Party shall be maintained as such until they otherwise fall into the public domain.

3. Term. Receiving Party’s obligations hereunder with respect to Confidential Information shall terminate three (3) years after the date of disclosure for such Confidential Information, subject to the exceptions in Section 2.2. Any provision which by its terms is intended to survive termination of this Agreement, including, but not limited to, the provisions of Sections 1, 4, 5, 6, 7, 8 and 9 shall survive any termination or expiration of this Agreement.

4. No Definitive Agreement. The parties understand and agree that nothing herein (i) requires the disclosure of any Confidential Information by either party, which shall be disclosed if at all solely at the option of either such party, or (ii) requires either party to proceed with any proposed transaction, business relationship or joint venture, other than pursuant to a separate written agreement between the parties.

5. Return of Confidential Information. If either party decides not to proceed with a proposed business relationship or transaction, it will promptly inform the other party of that decision. In addition, the Disclosing Party may elect at any time by notice to the Receiving Party to terminate further access to and such party’s review of the Confidential Information. In any such case, or upon any other termination of this Agreement, the Receiving Party will immediately return all Confidential Information disclosed to it or will destroy all Confidential Information in its possession or control, without retaining any copy thereof. The Receiving Party shall, upon request of the Disclosing Party, certify in a sworn writing signed by a principal or officer of the Receiving Party compliance with this paragraph.

6. Equitable Relief. Receiving Party agrees that any unauthorized use of the Confidential Information by Receiving Party may cause Disclosing Party irreparable harm for which remedies at law may be inadequate. Therefore, in addition to any other rights it may have at law, Disclosing Party shall be entitled to seek equitable relief.
7. Proprietary Rights and Ownership. All right, title and interest in and to the Confidential Information shall be and remain vested in Disclosing Party. Nothing in this Agreement shall grant Receiving Party any license or right of any kind with respect to the Confidential Information, other than to review, evaluate and use such information solely in pursuance of Receiving Party's business relationship or proposed business relationship with Disclosing Party. Receiving Party shall not modify or create any derivative works from the Confidential Information.

8. Acknowledgement. Both Parties acknowledge that the other party and its Affiliates either presently or may in the future compete in the markets served by either party. The Parties further acknowledge that the other Party and its Affiliates will continue to compete with each other without restriction if a business relationship or transaction is not consummated, except with respect to use of the Confidential Information as contemplated by this Agreement.

9. General. This Agreement constitutes the entire agreement and understanding between the parties with respect to the use and disclosure of the Confidential Information in connection with discussions about, and the evaluation and negotiation of, a potential business relationship or transaction between the parties, and supersedes all prior and contemporaneous negotiations, discussions and understandings of the parties, whether written or oral, with respect to such subject matter. This Agreement shall inure to the benefit of, and may be specifically enforced by, the Affiliates of either party. No waiver or modification of any of the provisions of this Agreement shall be valid unless in writing and signed by both parties. Receiving Party's rights and obligations under this Agreement cannot be assigned, subcontracted or delegated to any third party without Disclosing Party's prior written consent and any attempted or purported assignment, subcontract or delegation of this Agreement without such consent shall be void. This Agreement does not create any agency or partnership relationship. This Agreement shall in all respects be governed by and construed in accordance with Swiss law. This Agreement may be executed in one or more counterparts via facsimile or otherwise, all of which taken together shall constitute one instrument. Should any provision of this Agreement be determined to be void, invalid or otherwise unenforceable, then such determination shall not affect the remaining provisions hereof which shall remain in full force and effect. Both parties shall adhere to all applicable laws, regulations, and rules relating to the export of technical data.

INTENDING TO BE LEGALLY BOUND, the parties have executed this Mutual Nondisclosure and Confidentiality Agreement as of the Effective Date.

SGP Technologies, SA
SIGNED: ______________________________________________________
BY: _______________________________________________________
SGP Technologies, SA

Recipient
SIGNED: ______________________________________
BY: __________________________________________

Silent Store
Process, Requirements and Agreement Document
This PDF is indicative and not for execution.
Table of Contents

Introduction
Purpose
App Submission Process
Why a Two-Tier System
Tier One – “Approved”
Tier Two – “Certified”
Rejection Process and Resubmission
Requirements for Approval for 2015
  Tier One Requirements - “Approved”
    BP-KV (Known Vulnerabilities)
    BP-NSP (Network Security Protocols)
    BP-TLP (Transport Layer Protection)
    BP-DL (Data Leakage)
    BP-AA (Authentication and Authorization)
    BP-DAR (Data-at-Rest Encryption)
    BP-PC (Permission Checks)
    BP-PP (Privacy Policy)
    BP-EH (Error Handling)
  Tier Two Requirements – “Certified”
    BP-BB (Bug Bounty)
    BP-VR (Vulnerability Remediation)
    BP-SC (Source Code Review)
    BP-CA (Code Analysis)
    BP-AA (Authentication and Authorization)
    BP-DL (Data Leakage)
    BP-SH (Session Handling)
    BP-TLP (Transport Layer Protection)
    BP-PP (Privacy Policy)
    BP-EH (Error Handling)
Recommended Sources/Tools for App Developers
Examples of App Submissions and Qualifications
Appendix A. Submissions Checklist
Appendix B. Developer Agreement
  Definitions
  Term and Termination
  Submission by Developer
  Validation by SGP and Developer
  Distribution by SGP
  Developer will provide all support for Products
  Representations and Warranties
  Intellectual Property
  License grant
  Reservation of rights
  Indemnification
  Disclaimer and Limitation of Liability
  Miscellaneous
Introduction

Consumers and enterprises that choose to use smartphones and public app stores commonly find themselves having to choose convenience over privacy and security. For this reason Silent Circle and Geeksphone created the entity known as Blackphone. The Blackphone mission is to enable enterprises and consumers to take control of their security and privacy when using smart devices and public app stores. Blackphone’s BP1 was the first step in creating the security and privacy ecosystem, with a local app repository, called the Silent Store, being part of our natural progression. Apps located in the Silent Store share common themes of transparency, control, security, and privacy.
Purpose

The purpose of the Silent Store is to be the source for Apps that embody transparency, security, and privacy. App developers will have a platform to distribute useful Apps, which in turn advance Blackphone’s security and privacy mission. As a result, enterprises and consumers are assured that a member of the Blackphone security staff has tested the App to validate its claims and alignment with the Blackphone project’s goals.
App Submission Process

In general, Apps will be admitted to the Silent Store provided they are not found to be inconsistent with the Blackphone project. Blackphone will retain sole discretion over the decision but will share its reasoning with the authors of any app that has been rejected.

App developers must provide the following information to be considered for the Silent Store:

• Valid Contact Information
  o Phone Number
  o Mailing Address
  o Email Address (w/PGP key [1])
  o Website
  o Link to Github or Public Repo if available
• Full Description of App
• Desired designation (either “Approved” or “Certified”, details below)
• List of all permissions used by App and justification for usage
• Test credentials, where applicable, to enable application testing
• Privacy Policy
• EULA

[1] PGP key encryption is requested to protect all e-mail communication between Blackphone and the developer. To learn more and generate your own keys please visit https://www.gnupg.org/download/.

[Note: Please see Appendix A for a full list of assets that must be provided for an approved app to be made available for download in the Blackphone Silent Store.]
Internally, a dedicated Appraisal Team, with skills in Product Management, Engineering, and Marketing, will perform the initial assessment of submissions. If the Appraisal Team deems the App appropriate then the App will be forwarded to the Technical Inspection team for final approval. Other teams within the company, such as Sales or Security, may consult on initial acceptance activities and offer opinions, but will not make the final decision in the preliminary stage.

If the Appraisal Team approves the “need” for the app, the security vetting will commence. An internal Technical Inspection team oversees the security assessment process and must confirm the technical eligibility of the app in question before it can proceed to the Appraisal Team’s final review. Criteria for technical eligibility appear in the section titled, “Requirements for Approval 2015.”

Figure 1 - Silent Store Submission Process
Why a Two-Tier System

While the Silent Store features all Apps that make it through the full Appraisal process, Blackphone determined that apps displaying an exceptional commitment to quality and security, both in concept and coding practices, deserve recognition for the Developer’s attention to detail. The following two categories exist to establish this dichotomy.
Tier One – “Approved”

Apps that pass the threshold for acceptance to the Silent Store will then be considered Approved for download and use, and will appear in the Silent Store. The primary focus of the Approved category is to fill the Silent Store with useful Apps that are transparent with regards to user privacy and are secure when it comes to protecting customer data.

Tier Two – “Certified”

A Certified App must meet all of the requirements listed for an app to be Approved, with the addition of several requirements that scrutinize the App’s source code and performance quality. The App must comply with the Certification process specified by the Blackphone Technical Inspection team.

Technical details for meeting the requirements of either Approved or Certified can be found in subsequent sections of this document.
Rejection Process and Resubmission

In the event that an App is rejected for the Silent Store the Developer will be contacted via PGP encrypted email. The Technical Inspection team will provide a general email response that gives the category in which the App failed, along with public guidance as to where the App Developer may gain insight to correct the issue.

Example:

App EX1 did not pass the Blackphone Security Inspection. Reason for Rejection: Insufficient Transport Layer Protection. Please Review OWASP M3 (https://www.owasp.org/index.php/Mobile_Top_10_2014-M3). Once the issue is resolved we would like to invite you to resubmit the App, along with change documentation, to the following URL (TBD).

There is no limit to the number of times a developer may resubmit an App to be Approved. Upon resubmission, however, the App Developer must provide an explanation as to how the problem was resolved before the security team will inspect the App again. Please Note: The App will be inspected in the order it was received and will not receive any expedited review.

Apps that do not meet the “Certified” app requirements may be resubmitted one additional time in a twelve-month period without incurring any additional costs. The App Developer will receive a full report on the App detailing the reasons the App was rejected. During the resubmission process a Blackphone security engineer will provide up to two consultation sessions, not to exceed 30 minutes each, to assist the developer in passing the resubmission process. Consultation sessions are scheduled as time permits. Prior to scheduling a session, the developer must complete and submit the questions found at https://silentstore.blackphone.ch/developers. Please allow at least three business days after submitting to the site before scheduling.

In the event that the App fails the second submission and the developer would like to appeal the results they must do so in writing within three calendar days of the notification email. The App Developer must provide a written explanation as to why they believe they have been successful in adhering to the Certified App requirements. Within one month an Appeals Team will meet to review the appeal. The Appeals Team consists of the following:

• Chief Security Officer (Blackphone)
• Chief Architect (Blackphone)
• 3rd Party Consultant (Selected from one of the pen testing companies {TBD})

Results of the appeal will be provided via registered mail and delivered to the address provided on the Silent Store Application.
Requirements for Approval for 2015

The requirements below will be the standard for the calendar year 2015. Our intent is to increase the level of difficulty for each calendar year. Requirements for the upcoming year will be posted on the Silent Store page by November 1st.

The Silent Store web page will note the year in which each App was Approved and whether it was Certified (passed additional tests). If the App is Certified the date of certification as well as its expiration will be listed. If the certification lapses, then the App will be placed into the Approved category for three calendar months. During these three months, the App developer must notify Blackphone, in writing, of their intentions to re-Certify the app, or remain in the Approved category moving forward.

Please Note: Each time an App, or an update to the App, is submitted, the following requirements must be met in their entirety.
Tier One Requirements - “Approved”

BP-KV (Known Vulnerabilities)

Apps will be tested to ensure that they are not susceptible to known publicly disclosed vulnerabilities. For example:

o Heartbleed
o POODLE
o MasterKey
o Common Path Traversal attacks
o Common SQL Injection attacks

Please Note: New publicly disclosed vulnerabilities at a rating of major or higher must be remediated within 21 calendar days and all major vulnerabilities disclosed through the Blackphone Bug Bounty program must be remediated within 60 calendar days.
BP-NSP (Network Security Protocols)

The purpose of this category is to ensure that all apps are using Blackphone preferred network security protocols.

All Apps that require transmission of data from the App to a system that does not exist on the device must use, at a minimum, TLS 1.1. However, Blackphone would prefer the usage of TLS 1.2. Apps must not use algorithms for cryptographic purposes that are considered obsolete or outdated, e.g. MD5, SHA1, RC4, DES, or any encryption algorithm that is weaker than AES128.

Source: OWASP M3, M4, M6, CWE 311, 319, 757
BP-TLP (Transport Layer Protection)

The purpose of this category is to ensure that Apps are using proper SSL certificates with valid key lengths and sufficient hashing algorithms. The following requirements must be met:

o All network communication should be encrypted
o SSL Certs must not be expired
o SSL Certs with 2048-bit keys must not be valid for longer than 2 years from submission date
o SSL Certs with 4096-bit keys must not be valid for longer than 16 years from submission date
o SSL Certs must use at a minimum:
  - RSA Key must be a min of 2048 or Elliptic Curve min of 384
  - SHA256
  - Preferred that it is issued by trusted CA provider
  - Certs must be complete
  - Certs must not be marked as a CA
o Must properly validate certificates
o Reject certificates that are not in the trust chain
  - Exception: App has enabled proper SSL Pinning
o Not vulnerable to SSL Strip

Source: OWASP M1, M3, M4, M6, CWE 311, 319, 326, 757
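As an added illustration of the BP-NSP and BP-TLP requirements above (example code, not Blackphone's own tooling): the client context enforces the TLS 1.2 floor and excludes the algorithms the requirements name as obsolete, and cert_violations() applies the listed certificate rules relative to the submission date. The CertFacts record, its field names, and the treatment of RSA key sizes between 2048 and 4096 bits are assumptions.

```python
"""Policy checks modelled on the Silent Store BP-NSP / BP-TLP requirements.

Added example, not Blackphone's code. Thresholds (TLS 1.2, 2048/4096-bit RSA,
384-bit EC, SHA256, 2- and 16-year validity caps) come from the requirements text;
the CertFacts layout and the handling of other RSA sizes are assumptions.
"""
import ssl
from dataclasses import dataclass
from datetime import date
from typing import List

# Algorithms BP-NSP names as obsolete, as they appear in OpenSSL cipher names,
# plus the NULL/EXPORT suites that fall under "weaker than AES128".
FORBIDDEN_TOKENS = ("MD5", "SHA1", "RC4", "DES", "NULL", "EXPORT")


def make_client_context() -> ssl.SSLContext:
    """TLS client context meeting BP-NSP: TLS 1.2 floor, AES-GCM suites only."""
    ctx = ssl.create_default_context()             # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # the page prefers 1.2 over 1.1
    # Forward-secret AES-GCM suites; the '!' entries exclude what BP-NSP bans.
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES:!SHA1")
    return ctx


def offending_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Enabled suites that use a banned algorithm or offer fewer than 128 bits."""
    bad = []
    for c in ctx.get_ciphers():
        name = c["name"].upper()
        if c["strength_bits"] < 128 or any(tok in name for tok in FORBIDDEN_TOKENS):
            bad.append(c["name"])
    return bad


@dataclass
class CertFacts:
    """What a reviewer reads off the server's leaf certificate (constructed input)."""
    key_type: str         # "RSA" or "EC"
    key_bits: int
    sig_hash: str         # e.g. "sha256"
    not_after: str        # ISO date of expiry, e.g. "2016-12-31"
    is_ca: bool           # basicConstraints CA flag
    chain_complete: bool  # server sends every intermediate needed to reach a root


def _years_after(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:    # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def cert_violations(cert: CertFacts, submitted_iso: str) -> List[str]:
    """Return the BP-TLP rules the certificate breaks, relative to the submission date."""
    submitted = date.fromisoformat(submitted_iso)
    not_after = date.fromisoformat(cert.not_after)
    found = []
    if not_after < submitted:
        found.append("certificate expired")
    if cert.key_type == "RSA":
        if cert.key_bits < 2048:
            found.append("RSA key shorter than 2048 bits")
        # 2048-bit keys get the 2-year cap, 4096-bit keys the 16-year cap. The page
        # says nothing about sizes in between, so the stricter cap is applied (assumption).
        cap = 16 if cert.key_bits >= 4096 else 2
        if not_after > _years_after(submitted, cap):
            found.append("validity exceeds %d years from submission" % cap)
    elif cert.key_type == "EC":
        if cert.key_bits < 384:
            found.append("EC key shorter than 384 bits")
    else:
        found.append("unsupported key type %s" % cert.key_type)
    if cert.sig_hash.lower() not in ("sha256", "sha384", "sha512"):
        found.append("signature hash weaker than SHA256")
    if cert.is_ca:
        found.append("leaf certificate marked as a CA")
    if not cert.chain_complete:
        found.append("certificate chain incomplete")
    return found
```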
BP-DL (Data Leakage)

The purpose of this category is to ensure that all customer data is protected commensurate with the purpose of the App. The following requirements must be met:

o No storage of sensitive data outside of application sandbox
o Files should not be created with MODE_WORLD_READABLE or MODE_WORLD_WRITABLE
o Copy & Paste will be evaluated on a case by case basis
o App logs should not contain sensitive information

Source: OWASP M2, M4, M8, CWE 215, 312, 313, 522
BP-AA (Authentication and Authorization)

The purpose of this category is to ensure that authentication credentials are protected and that unauthorized access attempts are properly handled. The following requirements must be met:

o Validate that authentication credentials are not stored on the device
o Must use an approved password-based key derivation function, e.g. PBKDF2
  - Preferred: scrypt

Source: OWASP M4, M5, CWE 200, 308, 316
BP-DAR (Data-at-Rest Encryption)

The purpose of this category is to ensure that proper data-at-rest encryption is used to protect the end-user’s confidential data. The following requirements must be met:

o Must use at a minimum AES128 with modes CCM or GCM
o Should not store the encryption key on the file system

Source: OWASP M2, M4, CWE 215, 312, 313, 522
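To show the BP-AA and BP-DAR points together (added example, not Blackphone's code): the data-encryption key is derived from the user's passphrase with scrypt (the preferred KDF), falling back to PBKDF2 (the approved one) on builds without scrypt; only the salt, KDF parameters and a verifier are written to disk, so neither the credential nor the key is stored. The record layout, the verifier label and the cost parameters are assumptions.

```python
"""Passphrase-derived data key, after the BP-AA / BP-DAR requirements.

Added example, not Blackphone's code. The passphrase is never persisted, and the
derived key lives only in memory; the on-disk record holds salt, KDF parameters
and a verifier. Parameter values and the record layout are assumptions.
"""
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

KEY_LEN = 32                       # 256-bit key for AES-GCM/CCM (BP-DAR: AES128 minimum)
VERIFIER_LABEL = b"silent-store-example-verifier"   # constructed label, not a secret


def default_params() -> dict:
    """Prefer scrypt; fall back to PBKDF2 where the OpenSSL build lacks scrypt."""
    if hasattr(hashlib, "scrypt"):
        return {"kdf": "scrypt", "n": 2 ** 14, "r": 8, "p": 1}   # ~16 MiB, interactive use
    return {"kdf": "pbkdf2-sha256", "iterations": 600_000}


def derive_key(passphrase: str, salt: bytes, params: dict) -> bytes:
    """Stretch the passphrase into a fixed-length key with the recorded KDF."""
    pw = passphrase.encode("utf-8")
    if params["kdf"] == "scrypt":
        return hashlib.scrypt(pw, salt=salt, n=params["n"], r=params["r"],
                              p=params["p"], dklen=KEY_LEN)
    return hashlib.pbkdf2_hmac("sha256", pw, salt, params["iterations"], KEY_LEN)


def _verifier(key: bytes) -> str:
    # One-way tag of the key: lets a wrong passphrase be detected without
    # storing the passphrase or the key itself.
    return hmac.new(key, VERIFIER_LABEL, "sha256").hexdigest()


def enrol(passphrase: str) -> Tuple[dict, bytes]:
    """Create the persistable record and return it with the in-memory key."""
    salt = os.urandom(16)
    params = default_params()
    key = derive_key(passphrase, salt, params)
    record = {"salt": salt.hex(), "params": params, "verifier": _verifier(key)}
    return record, key


def unlock(record: dict, passphrase: str) -> Optional[bytes]:
    """Re-derive the key from the stored record; None if the passphrase is wrong."""
    key = derive_key(passphrase, bytes.fromhex(record["salt"]), record["params"])
    if not hmac.compare_digest(_verifier(key), record["verifier"]):
        return None
    return key


def record_is_safe_to_persist(record: dict, key: bytes, passphrase: str) -> bool:
    """BP-AA/BP-DAR check: the file must contain neither the key nor the credential."""
    blob = json.dumps(record)
    return key.hex() not in blob and passphrase not in blob
```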
BP-PC (Permission Checks)

The purpose of this category is to ensure that Apps provide graceful error handling. The following requirements must be met:

o The App must function with all permissions disabled
o Apps must not hard crash if a permission is disabled
o Apps should ask users to enable permissions that are disabled if needed to function properly and explain why the permission is necessary

Source: OWASP M2, CWE 280
BP-PP (Privacy Policy)
The purpose of this category is to ensure that App developers are being
transparent with Blackphone customers. The following requirements must
be met:
- Apps must have a privacy policy that details how customer data is
  used, stored, shared, etc.
- Apps must be configured with the customer opted out by default
- App logs should not contain PII
Source: BP Legal, OWASP M4, M8, CWE 79, 89, 120, 200
BP-EH (Error Handling)
The purpose of this category is to ensure that sensitive data cannot be
captured via logging and debugging data. The following requirements must
be met:
- Apps should follow best practices for error handling and logging
Source: OWASP M2, M4, CWE 200, 312, 313, 522
Tier Two Requirements – “Certified”
In order to be accepted to the Silent Store as a Certified App, the app
must meet all of the requirements of an “Approved” app, as well as the
following additional categories.
BP-BB (Bug Bounty)
The purpose of this category is to ensure that Blackphone is not
handling the submission of researcher-disclosed vulnerabilities. While
Blackphone does not require that monetary or non-monetary rewards be
provided, Blackphone believes in transparency and recognizing the
researcher community. The following requirements must be met:
- Should have at a minimum a hall of fame and a submission process;
  ideally some type of reward. There are several that offer free
  programs if there is no monetary reward, i.e. Bugcrowd
Source: BP Legal Doc
BP-VR (Vulnerability Remediation)
The purpose of this category is to ensure that all major, and higher,
vulnerabilities are remediated within reasonable time periods. The
following requirements must be met:
- All publicly reported major vulnerabilities must be remediated
  within seven calendar days
- All major vulnerabilities disclosed through the Blackphone Bug
  Bounty program must be remediated within 30 calendar days
Source: BP Legal Doc
BP-SC (Source Code Review)
The purpose of this category is to ensure proper vetting of the App
code. In many instances App developers may not have the resources to
utilize many of the commercial tools that would be capable of finding
flaws within the software. Blackphone will be providing this service as
part of the fee associated with certification. The following
requirements must be met:
- Should submit source code for review; in lieu of submission of
  source code we may accept a source code review from a recognized
  third-party code audit if the review was performed in the last 90
  calendar days
Source: BP Legal Doc
BP-CA (Code Analysis)
The purpose of this category is to protect against vulnerabilities found
within the App that may cause malicious intent. The following
requirements must be met:
- Static code analysis will be performed and all major vulnerabilities
  must be remediated
- Dynamic code analysis will be performed and all major
  vulnerabilities must be remediated
- Must not have debugging enabled
Source: OWASP M8, M10, CWE 215, 285, 927
BP-AA (Authentication and Authorization)
The purpose of this category is to ensure that authentication
credentials are protected and that unauthorized access attempts are
properly handled. The following requirements must be met:
- Must use scrypt or PBKDF2 as the password-based key derivation
  function
- Must implement enhanced authentication techniques
  - E.g. OAuth 2.0
Source: OWASP M4, M5, CWE 200, 308, 316
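Both BP-AA categories (the "Approved" one, which names PBKDF2 with scrypt preferred, and this "Certified" one, which requires one of the two) come down to the same routine. The following is an added example, not the document's or Blackphone's code: it derives a verifier from a password with either KDF from Python's standard `hashlib`, stores only the KDF name, its parameters, the salt and the derived key, and verifies in constant time. The work factors are assumptions to be tuned to the device's CPU budget; the verifier string is what a server or keystore holds, which keeps the credential itself off the device as the first BP-AA rule requires.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factors; raise them as the target hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
PBKDF2_ITERATIONS = 310_000
SALT_LEN = 16
KEY_LEN = 32


def _derive(kdf: str, params, password: bytes, salt: bytes) -> bytes:
    """Run the named KDF with the given parameters; unknown names or a
    wrong parameter count raise ValueError."""
    if kdf == "scrypt":
        n, r, p = (int(x) for x in params)
        return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=KEY_LEN)
    if kdf == "pbkdf2":
        (iterations,) = (int(x) for x in params)
        return hashlib.pbkdf2_hmac("sha256", password, salt, iterations,
                                   dklen=KEY_LEN)
    raise ValueError(f"unsupported kdf {kdf!r}")


def hash_password(password: str, kdf: str = "scrypt") -> str:
    """Return a self-describing verifier, kdf$param...$salt$key, holding
    everything needed to re-derive the key except the password itself."""
    salt = os.urandom(SALT_LEN)
    params = ((SCRYPT_N, SCRYPT_R, SCRYPT_P) if kdf == "scrypt"
              else (PBKDF2_ITERATIONS,))
    key = _derive(kdf, params, password.encode("utf-8"), salt)
    fields = [kdf, *map(str, params),
              base64.b64encode(salt).decode("ascii"),
              base64.b64encode(key).decode("ascii")]
    return "$".join(fields)


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time.
    A malformed or unknown verifier is a failed login, not an exception,
    so bad stored data cannot crash the caller."""
    try:
        kdf, *params, salt_b64, key_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        actual = _derive(kdf, params, password.encode("utf-8"), salt)
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)
```

Keeping the parameters inside the verifier is what makes a later increase of the work factor painless: old entries keep verifying with their recorded cost and can be re-hashed on the next successful login.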
BP-DL (Data Leakage)
The purpose of this category is to ensure that all customer data is
protected commensurate with the purpose of the App. The following
requirements must be met:
- Implementation of anti-tampering techniques
- Sensitive data stored in memory should be nullified after use
  - Apps must not store sensitive data in immutable objects
- Secure deletion of data
  - Apps should make attempts to securely delete confidential data
- Sanitize and validate all SQL queries
- Secure data storage
  - https://source.android.com/devices/storage/
- Protection of application settings; settings which affect the
  security of the application must not be stored in shared preferences
  XML files or SQLite database
- Apps should not store/cache confidential data insecurely
- Files must not use modes 0666, 0777, or 0664 with the chmod library
  or syscalls accepting a file mode.
- Intents must be set to private
- Activities will be vetted to ensure proper implementation
Source: OWASP M2, M4, M7, M8, M10, CWE 215, 285, 312, 313, 522, 926
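Two of the BP-DL rules, here and in the "Approved" tier (no MODE_WORLD_READABLE / MODE_WORLD_WRITABLE files; no 0666, 0777 or 0664 modes; sanitized SQL), can be demonstrated on any POSIX system. The following is an added example, not the document's or Blackphone's code: it creates a file the way MODE_PRIVATE would, audits a directory for the forbidden modes, and shows the string-spliced SQL the review rejects beside the parameterized query it expects. The temporary directory, file names and in-memory SQLite table are constructed here; 0600 is used as the POSIX analogue of MODE_PRIVATE, which is an assumption about intent rather than an Android API.

```python
import os
import sqlite3
import stat
import tempfile
from typing import List, Tuple

# Modes the document names; the audit also flags any other mode that
# grants "other" users access, which is what MODE_WORLD_* amounts to.
FORBIDDEN_MODES = {0o666, 0o777, 0o664}


def write_private(path: str, data: bytes) -> None:
    """Create a file readable and writable by its owner only (0600).
    O_EXCL makes the call fail rather than follow a pre-existing file
    or symlink at that path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)


def audit_modes(root: str) -> List[str]:
    """Relative paths under root whose mode is forbidden or world-accessible."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode in FORBIDDEN_MODES or mode & stat.S_IRWXO:
                flagged.append(os.path.relpath(full, root))
    return sorted(flagged)


def demo_file_modes() -> List[str]:
    """Constructed sandbox: one private file and one chmod'ed to 0666."""
    with tempfile.TemporaryDirectory() as root:
        write_private(os.path.join(root, "session.db"), b"constructed")
        leaky = os.path.join(root, "cache.json")
        with open(leaky, "wb") as handle:
            handle.write(b"constructed")
        os.chmod(leaky, 0o666)          # the pattern the review rejects
        return audit_modes(root)        # -> ['cache.json']


def lookup_unsafe(conn: sqlite3.Connection, username: str):
    """Rejected pattern: input is spliced into the SQL text, so any quote
    in it becomes part of the statement's grammar."""
    return conn.execute(
        f"SELECT id FROM users WHERE name = '{username}'").fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str):
    """Parameter binding: the driver passes the value separately from the
    statement, so it is only ever compared, never parsed."""
    return conn.execute(
        "SELECT id FROM users WHERE name = ?", (username,)).fetchall()


def demo_sql() -> Tuple[str, int]:
    """Constructed in-memory table. An ordinary name with an apostrophe
    breaks the spliced query (a hard crash in the BP-PC sense) and is
    handled correctly by the bound one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("O'Brien",)])
    try:
        lookup_unsafe(conn, "O'Brien")
        unsafe = "ok"
    except sqlite3.OperationalError:
        unsafe = "syntax error"
    safe_hits = len(lookup_safe(conn, "O'Brien"))
    conn.close()
    return unsafe, safe_hits            # -> ('syntax error', 1)
```

The audit walks with `lstat` so a symlink planted in the app's directory is reported on its own bits rather than on the target's; run it against the app's data directory on a test device after exercising every feature, since files created lazily are the ones most often missed.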
BP-SH (Session Handling)
The purpose of this category is to ensure that secure settings have been
enabled to minimize the potential impact for data manipulation and
interception. The following requirements must be met:
- If cookies are required then they must be set to the secure setting
- Local session timeouts must be implemented; once timeout has
  occurred memory must be wiped of all data pertinent to the user.
- Input validation must be implemented
Source: OWASP M8, M9, CWE 79, 89, 120, 614
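The three BP-SH rules, together with the BP-DL rule that secrets must not live in immutable objects, fit in one small session store. The following is an added example, not the document's or Blackphone's code: an idle-timeout store that zeroes the user's in-memory secret on expiry, a session cookie carrying the Secure flag, and an allow-list input check. The 300-second timeout, the username grammar and the injectable clock (so the timeout can be exercised without waiting) are assumptions of this example.

```python
import http.cookies
import re
import secrets
import time
from typing import Callable, Dict, Optional

SESSION_IDLE_SECONDS = 300                        # assumed idle timeout
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")  # assumed grammar


class Session:
    def __init__(self, user: str, secret: bytes, now: float):
        self.user = user
        # A bytearray can be overwritten in place; bytes and str cannot,
        # which is why the document forbids keeping secrets in immutable
        # objects: the old copy would stay in memory until collected.
        self.secret = bytearray(secret)
        self.last_seen = now

    def wipe(self) -> None:
        for i in range(len(self.secret)):
            self.secret[i] = 0
        self.user = ""


class SessionStore:
    """Idle-timeout store; `clock` is injectable for testing."""

    def __init__(self, idle_seconds: float = SESSION_IDLE_SECONDS,
                 clock: Callable[[], float] = time.monotonic):
        self.idle_seconds = idle_seconds
        self.clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, secret: bytes) -> str:
        token = secrets.token_urlsafe(32)      # 256 bits from the CSPRNG
        self._sessions[token] = Session(user, secret, self.clock())
        return token

    def get(self, token: str) -> Optional[Session]:
        session = self._sessions.get(token)
        if session is None:
            return None
        if self.clock() - session.last_seen > self.idle_seconds:
            self.expire(token)
            return None
        session.last_seen = self.clock()
        return session

    def expire(self, token: str) -> None:
        session = self._sessions.pop(token, None)
        if session is not None:
            session.wipe()

    def sweep(self) -> int:
        """Expire every idle session; run periodically, not only on access,
        so an abandoned session does not keep its data until next use."""
        stale = [t for t, s in self._sessions.items()
                 if self.clock() - s.last_seen > self.idle_seconds]
        for token in stale:
            self.expire(token)
        return len(stale)


def session_cookie(token: str) -> str:
    """Set-Cookie value with the Secure flag the document requires, plus
    HttpOnly and SameSite, which narrow how the token can be read."""
    jar = http.cookies.SimpleCookie()
    jar["session"] = token
    jar["session"]["secure"] = True
    jar["session"]["httponly"] = True
    jar["session"]["samesite"] = "Strict"
    jar["session"]["max-age"] = SESSION_IDLE_SECONDS
    return jar["session"].OutputString()


def valid_username(value: str) -> bool:
    """Allow-list validation: reject anything outside the expected shape
    before it reaches storage, a log line or a query."""
    return USERNAME_RE.fullmatch(value) is not None
```

Wiping on expiry only helps if nothing else holds a copy: a `str` built from the secret, a log record, or a cached HTTP header defeats it, which is the practical reason the document's wording is "all data pertinent to the user" rather than just the token.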
BP-TLP (Transport Layer Protection)
The purpose of this category is to ensure that Apps are using proper SSL
certificates with valid key lengths and sufficient hashing algorithms.
The following requirements must be met:
- Apps must implement certificate pinning wherever possible
Source: OWASP M1, M3, M4, M6, CWE 311, 319, 326, 757
BP-PP (Privacy Policy)
The purpose of this category is to ensure that App developers are being
transparent with Blackphone customers. The following requirements must
be met:
- Apps must generate a unique identifier that cannot tie the user to
  the device
  - Unique identifiers should be based on randomly generated values
- Apps cannot use or collect the device-unique identifiers (IMEI, MAC
  address or serial number collection prohibited)
Source: BP Legal, OWASP M4, M8, CWE 79, 89, 120, 200, 312, 313
BP-EH (Error Handling)
The purpose of this category is to ensure that sensitive data cannot be
captured via data collected by either logging or debugging. The
following requirements must be met:
- Debugging logs are not recommended in production Apps.
- Developers are strongly encouraged to include a means for the user
  to enable/disable debug logging
- When debug logging is disabled old logs should be securely erased
- Logs should be scrubbed for personally identifiable data wherever
  possible
- The user must be explicitly warned when personal data may be
  contained in debug logs
Source: OWASP M2, M4, CWE 200, 312, 313, 522
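The scrubbing and erase rules of both BP-EH categories (and the "no PII / no sensitive data in logs" lines under BP-DL and BP-PP) are easiest to enforce at one choke point. The following is an added example, not the document's or Blackphone's code: a `logging.Filter` that redacts named secret fields and a few identifier shapes before any handler sees the record, a user-facing debug switch, and a best-effort secure erase of old debug logs when that switch is turned off. The regular expressions, field names, `.debug.log` naming and the logger name are assumptions; the sample messages and the temporary log directory are constructed here.

```python
import logging
import os
import re
import tempfile
from typing import List, Tuple

# Assumed patterns; extend with the app's own identifiers. The IMEI rule
# runs first so a 15-digit number is not mis-labelled as a phone number.
PII_PATTERNS = [
    (re.compile(r"(?<!\d)\d{15}(?!\d)"), "<imei>"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "<email>"),
    (re.compile(r"(?<!\d)\+?\d{1,3}[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"),
     "<phone>"),
]
SENSITIVE_FIELDS = ("password", "token", "secret", "authorization")
FIELD_RE = re.compile(r"(?i)\b(" + "|".join(SENSITIVE_FIELDS)
                      + r")\s*[=:]\s*[^,;\n]*")


def scrub(text: str) -> str:
    """Replace secret fields and common identifiers with fixed markers."""
    text = FIELD_RE.sub(lambda m: f"{m.group(1)}=<redacted>", text)
    for pattern, marker in PII_PATTERNS:
        text = pattern.sub(marker, text)
    return text


class PiiFilter(logging.Filter):
    """Rewrites each record before any handler formats or stores it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Keeps formatted lines in memory; stands in for a file handler."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def capture(message: str, *args) -> str:
    """Log one message through the filter and return what a handler saw."""
    logger = logging.getLogger("silentstore.example")
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.handlers.clear()
    logger.filters.clear()
    handler = ListHandler()
    logger.addHandler(handler)
    logger.addFilter(PiiFilter())
    logger.info(message, *args)
    return handler.lines[0]


def secure_erase(path: str) -> None:
    """Overwrite, then unlink. Best effort only: flash wear-levelling can
    leave old copies behind, so pair this with encryption at rest."""
    size = os.path.getsize(path)
    with open(path, "r+b") as handle:
        handle.write(os.urandom(size))
        handle.flush()
        os.fsync(handle.fileno())
    os.remove(path)


def set_debug_logging(logger: logging.Logger, enabled: bool,
                      log_dir: str) -> List[str]:
    """User-facing switch. Enabling should follow the warning the document
    requires; disabling erases old debug logs and returns their names."""
    logger.setLevel(logging.DEBUG if enabled else logging.INFO)
    erased = []
    if not enabled:
        for name in sorted(os.listdir(log_dir)):
            if name.endswith(".debug.log"):
                secure_erase(os.path.join(log_dir, name))
                erased.append(name)
    return erased


def demo_disable_debug() -> Tuple[List[str], List[str]]:
    """Constructed log directory: two debug logs and one normal log."""
    with tempfile.TemporaryDirectory() as log_dir:
        for name in ("a.debug.log", "b.debug.log", "app.log"):
            with open(os.path.join(log_dir, name), "wb") as handle:
                handle.write(b"constructed log content\n")
        erased = set_debug_logging(logging.getLogger("silentstore.example"),
                                   False, log_dir)
        return erased, sorted(os.listdir(log_dir))
```

Attaching the filter to the logger rather than to a handler means a handler added later (a crash reporter, a remote sink) still receives scrubbed records; the trade-off is that the original text is gone for everyone, which is the intended outcome here.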
Recommended Sources/Tools for App Developers
There are open source tool suites that can be used quite extensively to
test and validate for all of the principles contained within this
document.
• Santoku Linux (https://santoku-linux.com)
• NowSecure App Testing Suite – Community Edition
  (https://www.nowsecure.com/apptesting/community/)
• MobiSec (http://mobisec.professionallyevil.com)
In addition, some app developers might find the following tools useful
in testing their apps:
• Apktool
• Dex2jar
• IDA Pro
• Hopper
• Baksmali
• Mobile Substrate
App developers are strongly encouraged to use static code analysis tools
prior to submission. An example of a limited-use tool is provided by
Coverity (https://scan.coverity.com).
Lastly, it is highly recommended that App developers familiarize
themselves with the OWASP Mobile Security Project, MITRE Common Weakness
Enumeration, and NowSecure Mobile Development Best Practices.
Examples of App Submissions and Qualifications
Example #1: Facebook (Qualifies for Entry)
The Facebook App utilizes many techniques to secure user content, but is
at the same time susceptible to a proxy-based attack. A proxy attack
could be executed by any enterprise using a Secure Gateway (Websense,
Bluecoat, Cisco, McAfee). This requires the user to accept the
certificate or it could be pushed through MDM.
Example #2: Flashlight App (Qualifies for Entry)
This is probably one of the more useful Apps in any App repository.
However, in our Blackphone Silent Store a Flashlight App will not have
access to any permissions that are not necessary for a Flashlight App to
function.
Example #3: Anti-Virus Apps (Disqualified)
There have been many articles as well as internal studies that question
the value of Anti-Virus on Mobile Devices. Apps that provide a false
sense of security or require elevated privileges will not be considered
for the Silent Store.
Example #4: Poorly Written Apps (Disqualified)
Our Silent Store allows our customers to individually select which App
permissions they are most comfortable with permitting. All Apps must
have graceful error handling. For instance, a navigation App will
require geo-location in order to be useful, and in the event that the
customer disabled the location permission the App should request the
user to enable the permission instead of crashing.
Appendix A. Submissions Checklist
Listed below is the checklist of assets you will need to send to
appstore-submissions at blackphone.ch in order to get your app published
in the Silent Store. We suggest combining these into a zip file no
larger than 50MB. Please also send a separate checksum of the file for
verification.
1. Vendor name – Text string of 255 maximum characters
2. App Name – Text string of 30 maximum characters
3. App Description – Minimum of 200, maximum of 2000 characters
4. Application Package APK – Digitally signed in release mode with the
   developer certificates. More info in
   http://developer.android.com/tools/publishing/app-signing.html
5. Package Name – Maximum of 255 characters. This will uniquely
   identify the app on the store and device. Once it is named it cannot
   be changed in further updates.
6. App icon – JPG or PNG format, 512 by 512 pixels
7. App Screen Captures – JPG or PNG format, 24 bit (no alpha), minimum
   size 320 pixels. Minimum of 2, maximum of 8 captures.
8. Promotion Banner – JPG or PNG format, 1024x300 pixels. This banner
   will appear in the app detail page and will be used to promote the
   application in the store.
9. Keywords – text strings, OPTIONAL words that will trigger if a user
   were to search for them. Examples are “Games”, “Text Editor”, “SSH”,
   “Communications”, etc.
10. Security Page URL – Maximum of 500 characters. A URL to a webpage
    with the company’s security statement.
11. Privacy Page URL – Maximum of 500 characters. A URL to a webpage
    with the company’s privacy statement.
Appendix B. Developer Agreement
This Developer Distribution Agreement (“DDA” or “Agreement”), is made
effective as of the date of the last signature of the parties indicated
on the signature page below, between you, the party whose name and
address are indicated on the signature page of this Agreement,
(“Developer” or “You”), and SGP Technologies, SA, a Swiss corporation
with its headquarters at Route François-Peyrot, 12, CH-1218 Le
Grand-Saconnex/GE, Switzerland (“SGP”). The parties hereby agree as
follows:
Definitions
“Affiliates” shall mean a direct or indirect parent company,
wholly-owned subsidiary, or entity under common control with a Party.
“Silent Store” shall mean the Silent Store application and marketplace,
developed and provided by SGP, and containing Products.
“Customers” shall mean persons that access Developer Products through
the Silent Store.
“Product” or “Products” shall mean software application(s) provided to
SGP by Developer for distribution under the Agreement.
“Third Party” shall mean any person except Developer and SGP.
The Store is a publicly available site where Approved Developers can
distribute Products for Devices. In order to distribute Products on the
Store, you must acquire and maintain a valid Developer Account.
This Agreement forms a legally binding contract between you and SGP in
relation to your use of the Store to distribute Products. You
acknowledge that SGP will, solely on your behalf, and not on SGP’s
behalf, display and make Products available for download by users.
Term and Termination
This Agreement is effective until terminated. SGP reserves the right to
terminate this Agreement at any time, and for any reason or no reason at
all. Developer may terminate this Agreement on fourteen (14) days’
notice. On termination, SGP will remove Products from the Silent Store.
SGP is not able, and shall in no event be required to remove Products
that have been installed on Customer devices.
Submission by Developer
Developer will provide SGP with final copies of the Products in
accordance with the Silent Store Submission Process and Requirements.
SGP reserves the right to amend the Silent Store Submission Process and
Requirements at any time in its sole discretion with or without notice
to Developer.
Validation by SGP and Developer
After receipt of Products from Developer, SGP will undertake Validation
efforts as described in Silent Store Processes and Requirements.
Whether Validation has been completed successfully shall be determined
by SGP in its sole discretion.
Distribution by SGP
On the successful completion of Validation of a Product, SGP will
include such Product as an offering advertised as available through the
Silent Store. All Products offered in the Silent Store are currently
offered for download at zero cost.
SGP reserves the right to delist a Product at any time and for any
reason or no reason at all. Developer may request that SGP remove a
Product from the Silent Store at any time. SGP will remove such product
from the Silent Store within five (5) days.
SGP may use Third Parties in connection with the performance of
obligations and exercise of rights under this agreement, provided that
such Third Parties must be subject to the same obligations as SGP.
Developer will provide all support for Products
As a condition of this Agreement, Developer, and not SGP, will be
responsible for any support required by Customers. SGP will have no
responsibility to Developer for the maintenance or support of Products.
SGP may inform Customers to contact Developer for questions or support
needs related to Products. Developer must supply and maintain contact
information for legal notice, and support inquiries. Submissions without
contact information for support inquiries will be rejected. Products
whose Developers are not responsive to support inquiries may be removed
from the Blackphone App Store at any time.
Representations and Warranties
Developer represents and warrants that:
1. Developer has the right and authority to enter into this Agreement,
   and without limitation, to distribute Products and all constituent
   elements of Products.
2. Developer has obtained any import or export license or permission
   that may be required by any jurisdiction to distribute Products as
   contemplated in this Agreement.
3. Developer has all intellectual property rights, including all
   necessary patent, trademark, trade secret, copyright or other
   proprietary rights, in and to Products.
4. Distribution of Products as contemplated in this Agreement will not,
   taken together with Distributor’s other activities, constitute a
   violation of applicable law.
Intellectual Property
License grant
Developer grants to SGP a worldwide, royalty-free license to use any
name, logo, trademark, trade dress, associated with the Products for the
purposes of:
1. Identifying Products in the context of distributing such Products,
2. Publicizing the availability of Products,
3. As otherwise reasonably necessary to fulfill the purpose of this
   Agreement.
Developer grants to SGP a non-exclusive, worldwide, royalty-free license
to distribute Products through the Silent Store.
SGP grants to Developer a worldwide, royalty-free license to use the
name Silent Store, and associated logos and trademarks, for the
exclusive purpose of publicizing the availability of the Products on
Silent Store. Developer’s license is conditioned on complying with SGP
and Silent Circle branding guidelines. SGP does not represent or warrant
that the use of Silent Store logos and trademarks will not infringe on
the intellectual property of third parties in all jurisdictions.
By virtue of this section of the Agreement, neither Party shall acquire
any right, title or interest in the other Party’s intellectual property
beyond what is expressly stated in the Agreement. All rights granted by
this Agreement shall terminate entirely with this Agreement.
Reservation of rights
Except for the license granted in the preceding section, SGP obtains no
right, title or interest from Developer (or its licensors) under this
Agreement, or to any Products.
Indemnification
Developer shall defend, to the maximum extent permitted by law,
indemnify, and hold harmless SGP, its affiliates, directors, officers,
employees and agents against any third-party claims, actions, suits or
proceedings, as well as all losses, liabilities, damages, costs and
expenses (including reasonable attorneys’ fees) arising out of or
accruing from:
1. Developer’s use of the Silent Store.
2. Products that infringe on an intellectual property right of a Third
   Party.
3. Products that violate the legal or regulatory requirements of any
   jurisdiction.
4. Developer’s failure to comply with the terms of this Agreement,
   including but not limited to the representations and warranties
   contained in the Agreement.
Disclaimer and Limitation of Liability
YOU EXPRESSLY UNDERSTAND AND AGREE THAT YOUR USE OF THE SILENT
STORE IS AT YOUR SOLE RISK AND THAT THE STORE IS PROVIDED “AS IS”
AND “AS AVAILABLE” WITHOUT WARRANTY OF ANY KIND.
YOUR USE OF THE SILENT STORE AND ANY MATERIAL DOWNLOADED OR
OTHERWISE OBTAINED THROUGH THE USE OF THE STORE IS AT YOUR OWN
DISCRETION AND RISK AND YOU ARE SOLELY RESPONSIBLE FOR ANY
DAMAGE TO YOUR EQUIPMENT OR LOSS OF DATA THAT RESULTS FROM
SUCH USE.
SGP FURTHER EXPRESSLY DISCLAIMS ALL WARRANTIES AND CONDITIONS
OF ANY KIND, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES
AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR PARTICULAR
PURPOSE AND NON-INFRINGEMENT.
DEVELOPER AGREES THAT SGP, ITS SUBSIDIARIES, AFFILIATES, AND
LICENSORS, SHALL HAVE NO LIABILITY TO DEVELOPER IN CONNECTION
WITH THIS AGREEMENT. SGP IS NOT LIABLE TO DEVELOPER FOR ANY
DAMAGES OF ANY KIND, INCLUDING CONSEQUENTIAL, PUNITIVE,
EXEMPLARY OR INDIRECT DAMAGES THAT MAY BE INCURRED BY
DEVELOPER, INCLUDING LOSS OF DATA, WHETHER FORESEEABLE OR
UNFORESEEABLE.
Miscellaneous
Failure by SGP to exercise or enforce a right under this Agreement does
not constitute formal waiver of such right.
SGP may fulfill its responsibilities under this Agreement through the
actions of an Affiliate.
SGP may assign this Agreement in full to an Affiliate so long as such
Affiliate is reasonably able to bear SGP’s responsibilities under the
Agreement.
If any portion of this Agreement is held to be invalid in a legal
proceeding, such holding will not be construed to invalidate any other
portion of the Agreement.
This Agreement is the whole agreement between SGP and Developer. Any
discussions or promises made outside this Agreement shall not be binding
against SGP or Developer, unless contained in another executed document.
Any disputes arising from or related to this Agreement will be judged
under the laws of Switzerland and the Canton of Geneva. Any such
disputes will be finally resolved by binding arbitration, to take place
in English, in Geneva, Switzerland.
The obligations arising in the sections titled Representations and
Warranties (as they relate to the Term of the Agreement),
Indemnification, Disclaimer and Limitation of Liability, and
Miscellaneous, shall survive the termination of this Agreement.
IN WITNESS WHEREOF, the Parties have caused this Agreement to be
executed in their respective corporate names.
Developer:                          SGP:
Representative:                     Representative:
Signature:                          Signature:
Title:                              Title:
Date:                               Date:

-- 
  Nathan of Guardian
  nathan at guardianproject.info

