New Release – Mobile Application Security Verification Standard (MASVS) v1.0
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. The project's goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.
The project recently published the OWASP Mobile Application Security Verification Standard (MASVS) version 1.0. In this blog post we will give you an introduction to the new standard.
What is the OWASP Mobile Application Security Verification Standard (MASVS)?
The standard defines two strict security verification levels (L1 and L2), as well as a set of reverse engineering resiliency requirements (MASVS-R) that is flexible, i.e. adaptable to an app-specific threat model.
MASVS-L1 and MASVS-L2 contain generic security requirements and are recommended for all mobile apps (L1) and apps that handle highly sensitive data (L2). MASVS-R covers additional protective controls that can be applied if preventing client-side threats is a design goal.
What are the OWASP MASVS Objectives?
The requirements were developed with the following objectives in mind:
Use as a metric – To provide a security standard against which existing mobile apps can be compared by developers and application owners.
Use as guidance – To provide guidance during all phases of mobile app development and testing.
Use during procurement – To provide a baseline for mobile app security verification.
OWASP MASVS Verification Levels in Detail
MASVS-L1: Standard Security
A mobile app that achieves MASVS-L1 adheres to mobile application security best practices. It fulfills basic requirements in terms of code quality, handling of sensitive data, and interaction with the mobile environment. A testing process must be in place to verify the security controls. This level is appropriate for all mobile applications.
MASVS-L2: Defense-in-Depth
MASVS-L2 introduces advanced security controls that go beyond the standard requirements. To fulfill L2, a threat model must exist, and security must be an integral part of the app’s architecture and design. This level is appropriate for applications that handle sensitive data, such as mobile banking.
MASVS-R: Resiliency Against Reverse Engineering and Tampering
The app has state-of-the-art security, and is also resilient against specific, clearly defined client-side attacks, such as tampering, modding, or reverse engineering to extract sensitive code or data. Such an app either leverages hardware security features or sufficiently strong and verifiable software protection techniques. MASVS-R is applicable to apps that handle highly sensitive data and may serve as a means of protecting intellectual property or tamper-proofing an app.
The Role of Automated Security Testing Tools
The use of source code scanners and black-box testing tools is encouraged in order to increase efficiency whenever possible. It is, however, not possible to complete MASVS verification using automated tools alone. Every mobile app is different, and understanding the overall architecture, business logic, and technical pitfalls of the specific technologies and frameworks being used is a mandatory requirement for verifying the security of the app.