OWASP, Application Security Verification Standard, ASVS, 3.0, OWASP ASVS

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, their goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

The project recently published the OWASP Mobile Application Security Verification Standard (MASVS) version 1.0. In this blog post we will give you an introduction to the new standard.


What is the OWASP Mobile Application Security Verification Standard (MASVS)?

The OWASP Mobile Application Security Verification Standard (MASVS) is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results.

The standard defines two strict security verification levels (L1 and L2), as well as a set of reverse engineering resiliency requirements (MASVS-R) that is flexible, i.e. adaptable to an app-specifc threat model.

MASVS-L1 and MASVS-L2 contain generic security requirements and are recommended for all mobile apps (L1) and apps that handle highly sensitive data (L2). MASVS-R covers additional protective controls that can be applied if preventing client-side threats is a design goal.

What are the OWASP MASVS Objectives?

The requirements were developed with the following objectives in mind:

  • Use as a metric – To provide a security standard against which existing mobile apps can be compared by developers and application owners.
  • Use as guidance – To provide guidance during all phases of mobile app development and testing.
  • Use during procurement – To provide a baseline for mobile app security verification.

OWASP MASVS Verification Levels in Detail

MASVS-L1: Standard Security
A mobile app that achieves MASVS-L1 adheres to mobile application security best practices. It fulfills basic requirements in terms of code quality, handling of sensitive data, and interaction with the mobile environment. A testing process must be in place to verify the security controls. This level is appropriate for all mobile applications.

MASVS-L2: Defense-in-Depth
MASVS-L2 introduces advanced security controls that go beyond the standard requirements. To fulfill L2, a threat model must exist, and security must be an integral part of the app’s architecture and design. This level is appropriate for applications that handle sensitive data, such as mobile banking.

MASVS-R: Resiliency Against Reverse Engineering and Tampering
The app has state-of-the-art security, and is also resilient against specific, clearly defined client-side attacks, such as tampering, modding, or reverse engineering to extract sensitive code or data. Such an app either leverages hardware security features or sufficiently strong and verifiable software protection techniques. MASVS-R is applicable to apps that handle highly sensitive data and may serve as a means of protecting intellectual property or tamper-proofing an app.

The Role of Automated Security Testing Tools

The use of source code scanners and black-box testing tools is encouraged in order to increase efficiency whenever possible. It is however not possible to complete MASVS verification using automated tools alone. Every mobile app is different, and understanding the overall architecture, business logic, and technical pitfalls of the specific technologies and frameworks being used, is a mandatory requirement to verify security of the app.

Want to learn more?

Read more about the OWASP Mobile Application Security Verification Standard (MASVS).

This blog post is based on contents provided by OWASP, and it follows a Creative Commons Attribution-ShareAlike 3.0 license.