Information on how to submit your app to Blackphone's app store, and pasted in below, the full text from their PDF (https://blog.blackphone.ch/wp-content/uploads/2015/02/Silent-Store_Process-Requirements-Agreement-Document.pdf) on the whole process.
You have to sign an NDA and Confidential Agreement in order to participate.

****

https://blog.blackphone.ch/2015/02/13/silentstoreparticipation/

Dear Privacy Enthusiast,

We are delighted to welcome app developers to our privacy-first Silent Store. We are confident this will become a premier venue for discovery and distribution of privacy-conscious apps to enterprise and individual customers around the world.

Our goal is to ensure that every app in Silent Store is transparent about what it does, takes no liberties with private information already on the device, and uses reasonable security-minded coding and implementation practices. We want Silent Store to become the premier destination for those apps which don’t take the easy way out. No sketchy built-in advertising trackers. No duplicitous functions concealed from the user. No sloppy inconsistencies between what you say your app does vs. what it actually does when we put it under a microscope.

Silent Store will be going online soon, and we want to invite you to submit your apps for inclusion. There are a few things we need to share with you:

– At the outset, there is no payment option for Silent Store, so your apps must be free to download and use. We will add payment mechanisms in the future.
– All apps will be subjected to a vetting process, the details of which are outlined in the document linked below.
– You must review and sign an agreement between yourself and us before your app can be included in Silent Store.
– At launch, Silent Store will only be available to devices running PrivatOS. In general your Android-compatible apps should work provided they have no hard dependencies on Google Play services.
– Not all apps submitted will be accepted.

So please, download this file, read it, and when you’re ready to move to the next step, send us an email to [email protected] with the information listed below. We will review your submission per the Process Requirements Agreement document and contact you accordingly.
– Phone Number & Time Zone
– Email Address (with PGP key if possible)
– Website
– App name and a full description of the app

Thanks very much for your interest, we look forward to building a great community with you!

Yours in private communications,
Toby Weir-Jones
CEO
Blackphone

***

NOT FOR EXECUTION!

MUTUAL NONDISCLOSURE AND CONFIDENTIALITY AGREEMENT

This Mutual Nondisclosure and Confidentiality Agreement (the “Agreement”) is effective as of the ________________________ 2015 (the “Effective Date”) between SGP Technologies, SA, a Switzerland Société Anonyme and ______________________________________________________________________________________________________________________.

WHEREAS, in connection with discussions about, and the evaluation and negotiation of, a potential business relationship or transaction between the parties to this Agreement, each party is prepared to furnish the other party with certain confidential and proprietary information on the terms set forth in this Agreement;

NOW THEREFORE, in consideration of the mutual agreements and covenants set forth herein, the parties agree as follows:

1. Definitions. The following terms shall have the meanings set forth opposite such terms:

1.1 “Affiliate” shall mean any partnership, joint venture, corporation or other form of enterprise, domestic or foreign, including but not limited to subsidiaries, that directly or indirectly, control, are controlled by, or are under common control with a party to this Agreement.

1.2 “Confidential Information” means information and related materials (whether disclosed in writing, or orally and reduced to writing promptly thereafter) of one of the parties to this Agreement or its Affiliates (the “Disclosing Party”) and disclosed by the Disclosing Party or its representative to the other party hereto (the “Receiving Party”) that is (a) not generally known to the public and (b) identified as confidential (or, to a reasonable person, would be expected to be confidential) including, but not limited to: financial information or projections; business trends; lists of and information about suppliers, dealers, potential customers, and associated statistical and financial information; designs, specifications and uses of products and services; information about clients that does not contain personally identifiable information; industry research; technologies and related documentation; marketing; trade secrets; business and strategic plans; price and cost structures; and other significant and valuable business information. “Confidential Information” also includes the terms of this Agreement.

1.3 “Disclosing Party” means a party or its Affiliate or authorized representative that provides Confidential Information to the other party to this Agreement. “Receiving Party” means a party to this Agreement that receives such Confidential Information from the Disclosing Party.

2. Confidentiality Obligations.

2.1 Receiving Party shall:

(a) protect the confidentiality of the Confidential Information (using in any case, not less than the efforts such party uses to protect its own confidential information and no less than a reasonable degree of care), and prevent any access to or reproduction, disclosure or use of any of the Confidential Information other than by Receiving Party in pursuance of Receiving Party's business relationship or proposed business relationship with Disclosing Party and then only in strict compliance with the provisions hereof and subject to any applicable laws;

(b) disclose the Confidential Information only to those officers, directors, shareholders, partners, agents, attorneys, Affiliates and employees of Receiving Party who have a legitimate need to know such information in pursuance of Receiving Party's business relationship with Disclosing Party (such persons are hereinafter collectively referred to as “Recipients”) and, in the event the employment of any such person is terminated, use reasonable efforts to recover any Confidential Information in such person's custody or control;

(c) advise its Recipients of the confidential and proprietary nature of the Confidential Information and of the obligations in this Agreement and take appropriate action by written agreement with its Recipients to bind the Recipients to the confidentiality obligations under this Agreement;

(d) promptly notify Disclosing Party in writing of any unauthorized use or disclosure of the Confidential Information of which it has knowledge, including a detailed description of the circumstances of the disclosure and the parties involved and cooperate with the Disclosing Party to obtain the return of such Confidential Information; and

(e) advise its affiliates, officers, employees and agents that receive or have access to the Confidential Information that federal and state securities laws prohibit any person who has material non-public information concerning the Disclosing Party from purchasing or selling securities of the Disclosing Party or from communicating such information to any other person.

2.2 Notwithstanding the provisions of Section 2.1 above, information and materials provided by Disclosing Party shall not be considered Confidential Information to the extent that:

(a) such information was known by Receiving Party prior to its disclosure by Disclosing Party;

(b) such information came into the possession of Receiving Party, directly or indirectly, from persons who were not under any obligation to maintain the confidentiality of such information;

(c) such information has become part of the public domain through no act or fault on the part of Receiving Party in breach of this Agreement; or

(d) such information was independently developed by or for Receiving Party without the use of Confidential Information and the Receiving Party can verify the development of such information by written documentation.

Additionally, Receiving Party may disclose:

(i) Confidential Information where required pursuant to legal process (e.g., subpoena, interrogatories or similar legal process) or by law, provided that in such instance the Receiving Party shall use best efforts to provide advance written notice of such event to Disclosing Party and to reasonably cooperate with Disclosing Party so that the Disclosing Party may seek an appropriate protective order or waive compliance by the Receiving Party with the provisions of this Agreement, or both. If, absent the entry of a protective order or receipt of a waiver, the Receiving Party is, in the opinion of its legal counsel, legally compelled to disclose such Confidential Information, the Receiving Party may disclose such Confidential Information to the person and to the extent required without liability under this Agreement provided that Receiving Party uses its best efforts to obtain confidential treatment for any Confidential Information so disclosed; and

(ii) the existence and summary of this Agreement in regulatory filings as required by law, regulation or standard accounting rules (e.g. FASB).

2.3 Nothing herein is intended to limit or abridge the protection of trade secrets under applicable trade secrets law, and the protection of trade secrets by the Receiving Party shall be maintained as such until they otherwise fall into the public domain.

3. Term. Receiving Party’s obligations hereunder with respect to Confidential Information shall terminate three (3) years after the date of disclosure for such Confidential Information, subject to the exceptions in Section 2.2. Any provision which by its terms is intended to survive termination of this Agreement, including, but not limited to, the provisions of Sections 1, 4, 5, 6, 7, 8 and 9 shall survive any termination or expiration of this Agreement.

4. No Definitive Agreement. The parties understand and agree that nothing herein (i) requires the disclosure of any Confidential Information by either party, which shall be disclosed if at all solely at the option of either such party, or (ii) requires either party to proceed with any proposed transaction, business relationship or joint venture, other than pursuant to a separate written agreement between the parties.

5. Return of Confidential Information. If either party decides not to proceed with a proposed business relationship or transaction, it will promptly inform the other party of that decision. In addition, the Disclosing Party may elect at any time by notice to the Receiving Party to terminate further access to and such party’s review of the Confidential Information. In any such case, or upon any other termination of this Agreement, the Receiving Party will immediately return all Confidential Information disclosed to it or will destroy all Confidential Information in its possession or control, without retaining any copy thereof. The Receiving Party shall, upon request of the Disclosing Party, certify in a sworn writing signed by a principal or officer of the Receiving Party compliance with this paragraph.

6. Equitable Relief. Receiving Party agrees that any unauthorized use of the Confidential Information by Receiving Party may cause Disclosing Party irreparable harm for which remedies at law may be inadequate. Therefore, in addition to any other rights it may have at law, Disclosing Party shall be entitled to seek equitable relief.

7. Proprietary Rights and Ownership. All right, title and interest in and to the Confidential Information shall be and remain vested in Disclosing Party. Nothing in this Agreement shall grant Receiving Party any license or right of any kind with respect to the Confidential Information, other than to review, evaluate and use such information solely in pursuance of Receiving Party's business relationship or proposed business relationship with Disclosing Party. Receiving Party shall not modify or create any derivative works from the Confidential Information.

8. Acknowledgement. Both Parties acknowledge that the other party and its Affiliates either presently or may in the future compete in the markets served by either party. The Parties further acknowledge that the other Party and its Affiliates will continue to compete with each other without restriction if a business relationship or transaction is not consummated, except with respect to use of the Confidential Information as contemplated by this Agreement.

9. General. This Agreement constitutes the entire agreement and understanding between the parties with respect to the use and disclosure of the Confidential Information in connection with discussions about, and the evaluation and negotiation of, a potential business relationship or transaction between the parties, and supersedes all prior and contemporaneous negotiations, discussions and understandings of the parties, whether written or oral, with respect to such subject matter. This Agreement shall inure to the benefit of, and may be specifically enforced by, the Affiliates of either party. No waiver or modification of any of the provisions of this Agreement shall be valid unless in writing and signed by both parties. Receiving Party's rights and obligations under this Agreement cannot be assigned, subcontracted or delegated to any third party without Disclosing Party's prior written consent and any attempted or purported assignment, subcontract or delegation of this Agreement without such consent shall be void. This Agreement does not create any agency or partnership relationship. This Agreement shall in all respects be governed by and construed in accordance with Swiss law. This Agreement may be executed in one or more counterparts via facsimile or otherwise, all of which taken together shall constitute one instrument. Should any provision of this Agreement be determined to be void, invalid or otherwise unenforceable, then such determination shall not affect the remaining provisions hereof which shall remain in full force and effect. Both parties shall adhere to all applicable laws, regulations, and rules relating to the export of technical data.
INTENDING TO BE LEGALLY BOUND, the parties have executed this Mutual Nondisclosure and Confidentiality Agreement as of the Effective Date.

SGP Technologies, SA
SIGNED: ______________________________________________________
BY: _______________________________________________________
SGP Technologies, SA

Recipient
SIGNED: ______________________________________
BY: __________________________________________

Silent Store Process, Requirements and Agreement Document

This PDF is indicative and not for execution.

Table of Contents

Introduction
Purpose
App Submission Process
  Why a Two-Tier System
  Tier One – “Approved”
  Tier Two – “Certified”
  Rejection Process and Resubmission
Requirements for Approval for 2015
  Tier One Requirements - “Approved”
    BP-KV (Known Vulnerabilities)
    BP-NSP (Network Security Protocols)
    BP-TLP (Transport Layer Protection)
    BP-DL (Data Leakage)
    BP-AA (Authentication and Authorization)
    BP-DAR (Data-at-Rest Encryption)
    BP-PC (Permission Checks)
    BP-PP (Privacy Policy)
    BP-EH (Error Handling)
  Tier Two Requirements – “Certified”
    BP-BB (Bug Bounty)
    BP-VR (Vulnerability Remediation)
    BP-SC (Source Code Review)
    BP-CA (Code Analysis)
    BP-AA (Authentication and Authorization)
    BP-DL (Data Leakage)
    BP-SH (Session Handling)
    BP-TLP (Transport Layer Protection)
    BP-PP (Privacy Policy)
    BP-EH (Error Handling)
Recommended Sources/Tools for App Developers
Examples of App Submissions and Qualifications
Appendix A. Submissions Checklist
Appendix B. Developer Agreement
  Definitions
  Term and Termination
  Submission by Developer
  Validation by SGP and Developer
  Distribution by SGP
    Developer will provide all support for Products
  Representations and Warranties
  Intellectual Property
    License grant
    Reservation of rights
    Indemnification
  Disclaimer and Limitation of Liability
  Miscellaneous

Introduction

Consumers and enterprises that choose to use smartphones and public app stores commonly find themselves having to choose convenience over privacy and security. For this reason Silent Circle and Geeksphone created the entity known as Blackphone. The Blackphone mission is to enable enterprises and consumers to take control of their security and privacy when using smartdevices and public app stores. Blackphone’s BP1 was the first step in creating the security and privacy ecosystem, with a local app repository, called the Silent Store, being part of our natural progression. Apps located in the Silent Store share common themes of transparency, control, security, and privacy.

Purpose

The purpose of the Silent Store is to be the source for Apps that embody transparency, security, and privacy. App developers will have a platform to distribute useful Apps, which in turn advance Blackphone’s security and privacy mission. As a result, enterprises and consumers are assured that a member of the Blackphone security staff has tested the App to validate its claims and alignment with the Blackphone project’s goals.

App Submission Process

In general, Apps will be admitted to the Silent Store provided they are not found to be inconsistent with the Blackphone project. Blackphone will retain sole discretion over the decision but will share its reasoning with the authors of any app that has been rejected.
App developers must provide the following information to be considered for the Silent Store:

• Valid Contact Information
  o Phone Number
  o Mailing Address
  o Email Address (w/PGP key [1])
  o Website
  o Link to Github or Public Repo if available
• Full Description of App
• Desired designation (either “Approved” or “Certified”, details below)
• List of all permissions used by App and justification for usage
• Test credentials, where applicable, to enable application testing
• Privacy Policy
• EULA

[1] PGP key encryption is requested to protect all e-mail communication between Blackphone and the developer. To learn more and generate your own keys please visit https://www.gnupg.org/download/.

[Note: Please see Appendix A for a full list of assets that must be provided for an approved app to be made available for download in the Blackphone Silent Store.]

Internally, a dedicated Appraisal Team consisting of skills related to Product Management, Engineering, and Marketing will perform the initial assessment of submissions. If the Appraisal Team deems the App appropriate then the App will be forwarded to the Technical Inspection team for final approval. Other teams within the company, such as Sales or Security, may consult on initial acceptance activities and offer opinions, but will not make the final decision in the preliminary stage.

If the Appraisal Team approves the “need” for the app, the security vetting will commence. An internal Technical Inspection team oversees the security assessment process and must confirm the technical eligibility of the app in question before it can proceed to the Appraisal Team’s final review. Criteria for technical eligibility appear in the section titled, “Requirements for Approval 2015.”

Figure 1 - Silent Store Submission Process

Why a Two-Tier System

While the Silent Store features all Apps that make it through the full Appraisal process, Blackphone determined that apps displaying an exceptional commitment to quality and security, both in concept and coding practices, deserve recognition for the Developer’s attention to detail. The following two categories exist to establish this dichotomy.

Tier One – “Approved”

Apps that pass the threshold for acceptance to the Silent Store will then be considered Approved for download and use, and will appear in the Silent Store. The primary focus of the Approved category is to fill the Silent Store with useful Apps that are transparent with regards to user privacy and are secure when it comes to protecting customer data.

Tier Two – “Certified”

A Certified App must meet all of the requirements listed for an app to be Approved, with the addition of several requirements that scrutinize the App’s source code and performance quality. The App must comply with the Certification process specified by the Blackphone Technical Inspection team. Technical details for meeting the requirements of either Approved or Certified can be found in subsequent sections of this document.

Rejection Process and Resubmission

In the event that an App is rejected for the Silent Store the Developer will be contacted via PGP encrypted email. The Technical Inspection team will provide a general email response that provides the category for which the App failed along with public guidance as to where the App Developer may gain insight to correct the issue.

Example: App EX1 did not pass the Blackphone Security Inspection. Reason for Rejection: Insufficient Transport Layer Protection. Please Review OWASP M3 (https://www.owasp.org/index.php/Mobile_Top_10_2014-M3). Once the issue is resolved we would like to invite you to resubmit the App, along with change documentation, to the following URL (TBD).

There is no limit to the number of times a developer may resubmit an App to be Approved. Upon resubmission, however, the App Developer must provide an explanation as to how the problem was resolved before the security team will inspect the App again.

Please Note: The App will be inspected in the order it was received and will not receive any expedited review.

Apps that do not meet the “Certified” app requirements may be resubmitted one additional time in a twelve-month period without incurring any additional costs. The App Developer will receive a full report on the App detailing the reasons the App was rejected. During the resubmission process a Blackphone security engineer will provide up to two consultation sessions, not to exceed 30 minutes each, to assist the developer in passing the resubmission process. Consultation sessions are scheduled as time permits. Prior to scheduling a session, the developer must complete and submit the questions found at this URL: https://silentstore.blackphone.ch/developers. Please allow at least three business days before scheduling after submitting to the site.

In the event that the App fails the second submission and the developer would like to appeal the results they must do so in writing within three calendar days of the notification email. The App Developer must provide a written explanation as to why they believe they have been successful in adhering to the Certified App requirements. Within one month an Appeals Team will meet to review the appeal. The Appeals Team consists of the following:

• Chief Security Officer (Blackphone)
• Chief Architect (Blackphone)
• 3rd Party Consultant (Selected from one of the pen testing companies {TBD})

Results of the appeal will be provided via registered mail and delivered to the address provided on the Silent Store Application.
Requirements for Approval for 2015 The requirements below will be the standard for the calendar year 2015. Our intent is to increase the level of difficulty for each calendar year. Requirements for the upcoming year will be posted on the Silent Store page by November 1 st . The Silent Store web page will note the year in which each App was Approved and whether it was Certified (passed additional tests). If the App is Certified the date of certification as well as its expiration will be listed. If the certification lapses, then the App will be placed into the Approved category for three calendar months. During these three months, the App developer must notify Blackphone, in writing, of their intentions to re-Certify the app, or remain in the Approved category moving forward. Please Note: Each time an App is submitted, or an update to the App, the following requirements must be met in their entirety. 7 | Silent StoreNOT FOR EXECUTION Tier One Requirements - “Approved” BP-KV (Known Vulnerabilities) Apps will be tested to ensure that they are not susceptible to known publicly disclosed vulnerabilities. For example: ! Heartbleed ! Poodle ! MasterKey ! Common Path Traversal attacks ! Common SQL Injection attacks Please Note: New publicly disclosed vulnerabilities at a rating of major or higher must be remediated within 21 calendar days and all major vulnerabilities disclosed through the Blackphone Bug Bounty program must be remediated within 60 calendar days. BP-NSP (Network Security Protocols) The purpose of this category is to ensure that all apps are using Blackphone preferred network security protocols. All Apps that require transmission of data from the App to a system that does not exist on the device must use, at a minimum, TLS1.1 standards. However, Blackphone would prefer the usage of TLS1.2. Apps must not use algorithms for cryptographic purposes that are considered obsolete or outdated i.e. 
MD5, SHA1, RC4, DES, or any encryption algorithm that is weaker than AES128. Source: OWASP M3, M4, M6, CWE 311,319, 757 BP-TLP (Transport Layer Protection) The purpose of this category is to ensure that Apps are using proper SSL certificates with valid key lengths and sufficient hashing algorithms. The following requirements must be met: o All network communication should be encrypted o SSL Certs must not be expired o SSL key lengths of 2048 must not be valid for longer than 2 years from submission date o SSL Key lengths of 4096 must not be greater than 16 years from submission date o SSL Certs must use at a minimum: ! RSA Key must be a min of 2048 or Elliptical Curve min of 384 ! SHA256 ! Preferred that it is issued by trusted CA provider ! Certs must be complete ! Certs must not be marked as a CA 8 | Silent StoreNOT FOR EXECUTION o Must properly validate certificates o Reject certificates that are not in the trust chain ! Exception: App has enabled proper SSL Pinning o Not vulnerable to SSL Strip Source: OWASP M1, M3, M4, M6, CWE 311, 319, 326, 757 BP-DL (Data Leakage) The purpose of this category is to ensure that all customer data is protected commensurate with the purpose of the App. The following requirements must be met: o No storage of sensitive data outside of application sandbox o Files should not be created with MODE_WORLD_READABLE or MODE_WORLD_WRITABLE o Copy & Paste will be evaluated on a case by case basis o App logs should not contain sensitive information Source: OWASP M2, M4, M8, CWE 215, 312, 313, 522 BP-AA (Authentication and Authorization) The purpose of this category is to ensure that authentication credentials are protected and that unauthorized access attempts are properly handled. The following requirements must be met: o Validate that authentication credentials are not stored on the device o Must use an approved password-based key derivation function i.e. PBKDF2 ! 
Preferred scrypt Source: OWASP M4, M5, CWE 200, 308, 316 BP-DAR (Data-at-Rest Encryption) The purpose of this category is to ensure that proper data-at-rest encryption is used to protect the end-user’s confidential data. The following requirements must be met: o Must use at a minimum AES128 with modes CCM or GCM o Should not store the encryption key on the file system Source: OWASP M2, M4, CWE 215, 312, 313, 522 9 | Silent StoreNOT FOR EXECUTION BP-PC (Permission Checks) The purpose of this category is to ensure that Apps provide graceful error handling. The following requirements must be met: o The App must function with all permissions disabled o Apps must not hard crash if a permission is disabled o Apps should ask users to enable permissions that are disabled if needed to function properly and explain why the permission is necessary Source: OWASP M2, CWE 280 BP- PP (Privacy Policy) The purpose of this category is to ensure that App developers are being transparent with Blackphone customers. The following requirements must be met: o Apps must have a privacy policy that details how customer data is used, stored, shared, etc... o Apps must be configured with the customer opted out by default o App logs should not contain PII Source: BP Legal, OWASP M4, M8, CWE 79, 89, 120, 200 BP-EH (Error Handling) The purpose of this category is to ensure that sensitive data cannot be captured via logging and debugging data. The following requirements must be met: o Apps should follow best-practices for error handling and logging Source: OWASP M2, M4, CWE 200, 312, 313, 522 Tier Two Requirements – “Certified” In order to be accepted to the Silent Store as a Certified App, the app must meet all of the requirements of an “Approved” app, as well as the following additional categories. BP-BB (Bug Bounty) The purpose of this category is to ensure that Blackphone is not handling the submission of researcher disclosed vulnerabilities. 
While Blackphone does not require that monetary or non-monetary rewards be provided, Blackphone believes in transparency and recognizing the researcher community. The following requirements must be met:

o Should have at a minimum a hall of fame and a submission process; ideally some type of reward. There are several that offer free programs if there is no monetary reward i.e. Bugcrowd

Source: BP Legal Doc

BP-VR (Vulnerability Remediation)

The purpose of this category is to ensure that all major, and higher, vulnerabilities are remediated within reasonable time periods. The following requirements must be met:

o All publicly reported major vulnerabilities must be remediated within seven calendar days
o All major vulnerabilities disclosed through the Blackphone Bug Bounty program must be remediated within 30 calendar days

Source: BP Legal Doc

BP-SC (Source Code Review)

The purpose of this category is to ensure proper vetting of the App Code. In many instances App Developers may not have the resources to utilize many of the commercial tools that would be capable of finding flaws within the software. Blackphone will be providing this service as part of the fee associated with certification. The following requirements must be met:

o Should submit source code for review; in lieu of submission of source code we may accept a source code review from a recognized third-party code audit if the review was performed in the last 90 calendar days

Source: BP Legal Doc

BP-CA (Code Analysis)

The purpose of this category is to protect against vulnerabilities found within the App that may cause malicious intent. The following requirements must be met:

o Static code analysis will be performed and all major vulnerabilities must be remediated
o Dynamic code analysis will be performed and all major vulnerabilities must be remediated
o Must not have debugging enabled

Source: OWASP M8, M10, CWE 215, 285, 927

BP-AA (Authentication and Authorization)

The purpose of this category is to ensure that authentication credentials are protected and that unauthorized access attempts are properly handled. The following requirements must be met:

o Must use scrypt or PBKDF2 as the password based key derivation function
o Must implement enhanced authentication techniques
   - E.g. OAuth 2.0

Source: OWASP M4, M5, CWE 200, 308, 316

BP-DL (Data Leakage)

The purpose of this category is to ensure that all customer data is protected commensurate with the purpose of App. The following requirements must be met:

o Implementation of Anti-Tampering techniques
o Storing sensitive data in memory should be nullified after use
   - Apps must not store sensitive data in immutable objects
o Secure Deletion of Data
   - Apps should make attempts to securely delete confidential data
o Sanitize and Validate all SQL queries
o Secure Data Storage
   - https://source.android.com/devices/storage/
o Protection of Application settings; settings which affect the security of the application must not be stored in shared preferences XML files or SQLite database
o Apps should not store/cache confidential data insecurely
o Files must not use modes 0666, 0777, or 0664 with the chmod library or syscalls accepting a file mode.
o Intents must be set to private
o Activities will be vetted to ensure proper implementation

Source: OWASP M2, M4, M7, M8, M10, CWE 215, 285, 312, 313, 522, 926

BP-SH (Session Handling)

The purpose of this category is to ensure that secure settings have been enabled to minimize the potential impact for data manipulation and interception. The following requirements must be met:

o If cookies are required then they must be set to the secure setting
o Local session timeouts must be implemented; once timeout has occurred memory must be wiped of all data pertinent to the user.
o Input Validation must be implemented

Source: OWASP M8, M9, CWE 79, 89, 120, 614

BP-TLP (Transport Layer Protection)

The purpose of this category is to ensure that Apps are using proper SSL certificates with valid key lengths and sufficient hashing algorithms. The following requirements must be met:

o Apps must implement certificate pinning wherever possible

Source: OWASP M1, M3, M4, M6, CWE 311, 319, 326, 757

BP-PP (Privacy Policy)

The purpose of this category is to ensure that App developers are being transparent with Blackphone customers. The following requirements must be met:

o Apps must generate a unique identifier that cannot tie the user to the device
   - Unique identifiers should be based on randomly generated values
o Apps cannot use or collect the device-unique identifiers (IMEI, MAC Address or Serial Number collection prohibited)

Source: BP Legal, OWASP M4, M8, CWE 79, 89, 120, 200, 312, 313

BP-EH (Error Handling)

The purpose of this category is to ensure that sensitive data cannot be captured via data collected by either logging or debugging. The following requirements must be met:

o Debugging Logs are not recommended in production Apps.
o Developers are strongly encouraged to include a means for the user to enable/disable debug logging
o When debug logging is disabled old logs should be securely erased
o Logs should be scrubbed for personally identifiable data wherever possible
o The user must be explicitly warned when personal data may be contained in debug logs

Source: OWASP M2, M4, CWE 200, 312, 313, 522

Recommended Sources/Tools for App Developers

There are open source tool suites that can be used quite extensively to test and validate for all of the principles contained within this document.

• Santoku Linux (https://santoku-linux.com)
• NowSecure App Testing Suite – Community Edition (https://www.nowsecure.com/apptesting/community/)
• MobiSec (http://mobisec.professionallyevil.com)

In addition, some app developers might find the following tools useful in testing their apps:

• Apktool
• Dex2jar
• IDA Pro
• Hopper
• Baksmali
• Mobile Substrate

App developers are strongly encouraged to use static code analysis tools prior to submission. An example of a limited use tool is provided by Coverity (https://scan.coverity.com).

Lastly, it is highly recommended that App developers familiarize themselves with OWASP Mobile Security Project, MITRE Common Weakness Enumeration, and NowSecure Mobile Development Best Practices.

Examples of App Submissions and Qualifications

Example #1: Facebook (Qualifies for Entry)

The Facebook App utilizes many techniques to secure user content, but is at the same time susceptible to a proxy-based attack. A proxy attack could be executed by any enterprise using a Secure Gateway (Websense, Bluecoat, Cisco, McAfee). This requires the user to accept the certificate or it could be pushed through MDM.

Example #2: Flashlight App (Qualifies for Entry)

This is probably one of the more useful Apps in any App repository. However, in our Blackphone Silent Store a Flashlight App will not have access to any permissions that are not necessary for a Flashlight App to function.

Example #3: Anti-Virus Apps (Disqualified)

There have been many articles as well as internal studies that question the value of Anti-Virus on Mobile Devices. Apps that provide false sense of security or require elevated privileges will not be considered for the Silent Store.

Example #4: Poorly Written Apps (Disqualified)

Our app Silent Store allows our customers to individually select which App permissions they are most comfortable with permitting. All Apps must have graceful error handling.
For instance, a navigation App will require geo-location in order to be useful, and in the event that the customer disabled the location permission the App should request the user to enable the permission instead of crashing.

Appendix A. Submissions Checklist

Listed below is the checklist of assets you will need to send to appstore- [email protected] in order to get your app published in the Silent Store. We suggest combining these into a zip file no larger than 50MB. Please also send a separate checksum of the file for verification.

1. Vendor name – Text string of 255 maximum characters
2. App Name – Text string of 30 maximum characters
3. App Description – Minimum of 200, maximum of 2000 characters
4. Application Package APK - Digitally signed in release mode with the developer certificates. More info in http://developer.android.com/tools/publishing/app-signing.html
5. Package Name – Maximum of 255 characters. This will uniquely identify the app on the store and device. Once it is named it cannot be changed in further updates.
6. App icon – JPG or PNG format, 512 by 512 pixels
7. App Screen Captures - JPG or PNG format, 24 bit (no alpha), minimum size 320 pixels. Minimum of 2, maximum of 8 captures.
8. Promotion Banner – JPG or PNG format 1024x300 pixels. This banner will appear in the app detail page and will be used to promote the application in the store.
9. Keywords – text strings, OPTIONAL words that will trigger if a user were to search for them. Examples are “Games”, “Text Editor”, “SSH”, “Communications”, etc.
10. Security Page URL – Maximum of 500 characters. A URL to a webpage with the company’s security statement.
11. Privacy Page URL - Maximum of 500 characters. A URL to a webpage with the company’s privacy statement.

Appendix B. Developer Agreement

This Developer Distribution Agreement (“DDA” or “Agreement”), is made effective as of the date of the last signature of the parties indicated on the signature page below, between you, the party whose name and address are indicated on the signature page of this Agreement, (“Developer” or “You”), and SGP Technologies, SA, a Swiss corporation with its headquarters at Route François-Peyrot, 12, CH-1218 Le Grand-Saconnex/GE, Switzerland (“SGP”). The parties hereby agree as follows:

Definitions

“Affiliates” shall mean a direct or indirect parent company, wholly-owned subsidiary, or entity under common control with a Party.

“Silent Store” shall mean the Silent Store application and marketplace, developed and provided by SGP, and containing Products.

“Customers” shall mean persons that access Developer Products through the Silent Store.

“Product” or “Products” shall mean software application(s) provided to SGP by Developer for distribution under the Agreement.

“Third Party” shall mean any person except Developer and SGP.

The Store is a publicly available site where Approved Developers can distribute Products for Devices. In order to distribute Products on the Store, you must acquire and maintain a valid Developer Account. This Agreement forms a legally binding contract between you and SGP in relation to your use of the Store to distribute Products. You acknowledge that SGP will, solely on your behalf, and not on SGP’s behalf, display and make Products available for download by users.

Term and Termination

This Agreement is effective until terminated. SGP reserves the right to terminate this Agreement at any time, and for any reason or no reason at all. Developer may terminate this Agreement on fourteen (14) days’ notice.

On termination, SGP will remove Products from the Silent Store.
SGP is not able, and shall in no event be required to remove Products that have been installed on Customer devices.

Submission by Developer

Developer will provide SGP with final copies of the Products in accordance with the Silent Store Submission Process and Requirements. SGP reserves the right to amend the Silent Store Submission Process and Requirements at any time in its sole discretion with or without notice to Developer.

Validation by SGP and Developer

After receipt of Products from Developer, SGP will undertake Validation efforts as described in Silent Store Processes and Requirements. Whether Validation has been completed successfully shall be determined by SGP in its sole discretion.

Distribution by SGP

On the successful completion of Validation of a Product, SGP will include such Product as an offering advertised as available through the Silent Store. All Products offered in the Silent Store are currently offered for download at zero cost. SGP reserves the right to delist a Product at any time and for any reason or no reason at all. Developer may request that SGP remove a Product from the Silent Store at any time. SGP will remove such product from the Silent Store within five (5) days. SGP may use Third Parties in connection with the performance of obligations and exercise of rights under this agreement, provided that such Third Parties must be subject to the same obligations as SGP.

Developer will provide all support for Products

As a condition of this Agreement, Developer, and not SGP, will be responsible for any support required by Customers. SGP will have no responsibility to Developer for the maintenance or support of Products. SGP may inform Customers to contact Developer for questions or support needs related to Products. Developer must supply and maintain contact information for legal notice, and support inquiries. Submissions without contact information for support inquiries will be rejected.
Products whose Developers are not responsive to support inquiries may be removed from the Blackphone App Store at any time.

Representations and Warranties

Developer represents and warrants that:

1. Developer has the right and authority to enter into this Agreement, and without limitation, to distribute Products and all constituent elements of Products.
2. Developer has obtained any import or export license or permission that may be required by any jurisdiction to distribute Products as contemplated in this Agreement.
3. Developer has all intellectual property rights, including all necessary patent, trademark, trade secret, copyright or other proprietary rights, in and to Products.
4. Distribution of Products as contemplated in this Agreement will not, taken together with Distributor’s other activities, constitute a violation of applicable law.

Intellectual Property

License grant

Developer grants to SGP a worldwide, royalty-free license to use any name, logo, trademark, trade dress, associated with the Products for the purposes of:

1. Identifying Products in the context of distributing such Products,
2. Publicizing the availability of Products,
3. As otherwise reasonably necessary to fulfill the purpose of this Agreement.

Developer grants to SGP a non-exclusive, worldwide, royalty-free license to distribute Products through the Silent Store.

SGP grants to Developer a worldwide, royalty-free license to use the name Silent Store, and associated logos and trademarks, for the exclusive purpose of publicizing the availability of the Products on Silent Store. Developer’s license is conditioned on complying with SGP and Silent Circle branding guidelines. SGP does not represent or warrant that the use of Silent Store logos and trademarks will not infringe on the intellectual property of third parties in all jurisdictions.

By virtue of this section of the Agreement, neither Party shall acquire any right title or interest in the other Party’s intellectual property beyond what is expressly stated in the Agreement. All rights granted by this Agreement shall terminate entirely with this Agreement.

Reservation of rights

Except for the license granted in the preceding section, SGP obtains no right, title or interest from Developer (or its licensors) under this Agreement, or to any Products.

Indemnification

Developer shall defend, to the maximum extent permitted by law, indemnify, and hold harmless SGP, its affiliates, directors, officers, employees and agents against any third-party claims, actions, suits or proceedings, as well as all losses, liabilities, damages, costs and expenses (including reasonable attorneys fees) arising out of or accruing from:

1. Developer’s use of the Silent Store.
2. Products that infringe on an intellectual property right of a Third Party.
3. Products that violate the legal or regulatory requirements of any jurisdiction.
4. Developer’s failure to comply with the terms of this Agreement, including but not limited to the representations and warranties contained in the Agreement.

Disclaimer and Limitation of Liability

YOU EXPRESSLY UNDERSTAND AND AGREE THAT YOUR USE OF THE SILENT STORE IS AT YOUR SOLE RISK AND THAT THE STORE IS PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTY OF ANY KIND.

YOUR USE OF THE SILENT STORE AND ANY MATERIAL DOWNLOADED OR OTHERWISE OBTAINED THROUGH THE USE OF THE STORE IS AT YOUR OWN DISCRETION AND RISK AND YOU ARE SOLELY RESPONSIBLE FOR ANY DAMAGE TO YOUR EQUIPMENT OR LOSS OF DATA THAT RESULTS FROM SUCH USE.

SGP FURTHER EXPRESSLY DISCLAIMS ALL WARRANTIES AND CONDITIONS OF ANY KIND, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY FITNESS FOR PARTICULAR PURPOSE AND NON-INFRINGEMENT.

DEVELOPER AGREES THAT SGP, ITS SUBSIDIARIES, AFFILIATES, AND LICENSORS, SHALL HAVE NO LIABILITY TO DEVELOPER IN CONNECTION WITH THIS AGREEMENT. SGP IS NOT LIABLE TO DEVELOPER TO ANY DAMAGES OF ANY KIND, INCLUDING CONSEQUENTIAL, PUNITIVE, EXEMPLARY OR INDIRECT DAMAGES THAT MAY BE INCURRED BY DEVELOPER, INCLUDING LOSS OF DATA, WHETHER FORESEEABLE OR UNFORESEEABLE.

Miscellaneous

Failure by SGP to exercise or enforce a right under this Agreement does not constitute formal waiver of such right.

SGP may fulfill its responsibilities under this Agreement through the actions of an Affiliate. SGP may assign this Agreement in full to an Affiliate so long as such Affiliate is reasonably able to bear SGP’s responsibilities under the Agreement.

If any portion of this Agreement is held to be invalid in a legal proceeding, such holding will not be construed to invalidate any other portion of the Agreement.

This Agreement is the whole agreement between SGP and Developer. Any discussions or promises made outside this Agreement shall not be binding against SGP or Developer, unless contained in another executed document.

Any disputes arising from or related to this Agreement will be judged under the laws of Switzerland and the Canton of Geneva. Any such disputes will be finally resolved by binding arbitration, to take place in English, in Geneva, Switzerland.

The obligations arising in the sections titled Representations and Warranties (as they relate to the Term of the Agreement), Indemnification, Disclaimer and Limitation of Liability, Miscellaneous, shall survive the termination of this Agreement.

IN WITNESS WHEREOF, the Parties have caused this Agreement to be executed in their respective corporate names.

Developer:                      SGP:
Representative:                 Representative:
Signature:                      Signature:
Title:                          Title:
Date                            Date

--
Nathan of Guardian
[email protected]

List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
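
One way to meet the BP-AA and BP-DAR rules quoted above (PBKDF2 key derivation, AES with GCM, no key on the file system) together with the Tier Two BP-DL rule on wiping sensitive data from memory, as an added example that is not part of the Blackphone document or the original post. The class name, iteration count, key size and blob layout are assumptions.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;

public class SealedRecord {
    static final int ITERATIONS = 600_000, KEY_BITS = 256; // assumed values; the document only sets minimums
    static final int SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128;
    static final SecureRandom RNG = new SecureRandom();

    // The key is re-derived from the passphrase on each use, so it never has to be stored on the file system.
    static byte[] deriveKey(char[] passphrase, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the spec's internal copy of the passphrase
        }
    }

    // Output layout (assumed): salt || iv || ciphertext || GCM tag. The salt is bound in as associated data.
    static byte[] seal(char[] passphrase, byte[] plaintext) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv); // fresh random IV for every message
        byte[] key = deriveKey(passphrase, salt);
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
            c.updateAAD(salt);
            byte[] ct = c.doFinal(plaintext);
            byte[] out = Arrays.copyOf(salt, SALT_LEN + IV_LEN + ct.length);
            System.arraycopy(iv, 0, out, SALT_LEN, IV_LEN);
            System.arraycopy(ct, 0, out, SALT_LEN + IV_LEN, ct.length);
            return out;
        } finally {
            Arrays.fill(key, (byte) 0); // byte[] is mutable, so it can be zeroed (SecretKeySpec keeps a copy until GC)
        }
    }

    static byte[] open(char[] passphrase, byte[] blob) throws GeneralSecurityException {
        if (blob.length < SALT_LEN + IV_LEN + TAG_BITS / 8) throw new GeneralSecurityException("blob too short");
        byte[] salt = Arrays.copyOf(blob, SALT_LEN);
        byte[] key = deriveKey(passphrase, salt);
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, blob, SALT_LEN, IV_LEN));
            c.updateAAD(salt);
            return c.doFinal(blob, SALT_LEN + IV_LEN, blob.length - SALT_LEN - IV_LEN); // throws if the tag check fails
        } finally {
            Arrays.fill(key, (byte) 0);
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "constructed-passphrase".toCharArray(); // constructed; an app would read a char[] from the input field
        byte[] record = "constructed sample record".getBytes(StandardCharsets.UTF_8); // constructed sample data
        byte[] blob = seal(pass, record);
        System.out.println("round trip ok: " + Arrays.equals(record, open(pass, blob)));
        blob[blob.length - 1] ^= 1; // flip one bit of the GCM tag
        try { open(pass, blob); } catch (GeneralSecurityException e) { System.out.println("tampering rejected"); }
        Arrays.fill(pass, '\0'); // a String passphrase could not be wiped like this
    }
}
```

On Android, `PBKDF2WithHmacSHA256` is only available from `SecretKeyFactory` on newer API levels, so check the provider list for the minimum SDK the app targets.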
