OWASP Mobile Application Security Verification Standard (MASVS)

With the rapid growth in smartphone users in the past decade, mobile app usage is witnessing an upward trend. Applications have radically changed the way we communicate, interact and conduct business. While mobile applications have made our lives easier, there are still some security concerns that are yet to be addressed. From simply gaining unauthorized access to deleting app data, cyber attacks can bring a series of repercussions for the enterprise. Unsurprisingly, most of the attacks these days are financially motivated. Comprehensive security solutions are thus the need of the hour to maintain data privacy and integrity. 

MASVS (Mobile Application Security Verification Standard) is one of OWASP’s projects that stresses on mobile application security. Since application security can be compromised due to a variety of reasons including insecure mobile devices and device theft, the need for data protection has become even more apparent. MASVS provides a common security standard for different applications exposed to a variety of threat scenarios. This article will walk you through the significance of MASVS for mobile app security. 


OWASP Mobile Application Security Verification Standard (MASVS) is an open standard that provides a baseline for application security. It has several verification levels designed to ensure security of applications exposed to varying levels of risks. MASVS aims to standardize the requirements for a diverse range of applications by taking into account the current threat landscape. MASVS is developed to fulfill the following objectives:

  1. To be used as a metric: The security requirements stated in MASVS provide a standard for app developers to compare their existing applications
  2. To be used as guidance: It can be used as a guiding tool by developers and testers during all phases of mobile app development and testing
  3. To be used during procurement: MASVS provides a basis for verification of mobile app security. 

OWASP MASVS categories

Here is a look at the detailed MASVS security requirements which are grouped into 8 categories from V1 to V8. 

V1: Architecture, Design and Threat Modeling Requirements

This category deals with the architecture and design of the app.Mobile applications serving as clients to remote services must ensure security standards are applied to such remote services as well. It requires the applications to have adequate processes in place to address the security concerns right from planning the architecture of the app. 

V2: Data storage and Privacy

This category of MASV covers security verification requirements for protection of sensitive data in apps. Sensitive data includes personally identifiable information (PII) such as bank account numbers, credit card numbers and health information. It also includes contractual information and compliance-protected data. These controls address everything from preventing unintentionally exposing sensitive data to other apps to accidentally leaking information to backups, cloud storage, and keyboard cache. 

V3: Cryptography verification 

Security controls listed under this section aim to guide app developers with best practices to use cryptography. The chapter is focused on encouraging proven cryptographic libraries, random number generators and configuration of cryptographic primitives.  

V4: Authentication and session management requirements

Login to a remote service is a vital part of the mobile app architecture and MASVS V4 thus states basic requirements for managing user accounts and sessions. Verification of these requirements don’t require access to service endpoint source code. 

V5: Network Communication Requirements

This chapter stresses the importance of protecting the integrity and confidentiality of information transmitted between mobile app and remote service endpoints. It is important for the mobile app to have an encrypted channel with TLS protocol for network communication. Defense-in-depth measures like SSL pinning are recommended for level 2 and above. 

V6: Environmental Interaction Requirements

This section deals with standard components and platform APIs used by the application as well as security standards to be applied for inter-process communication. 

V7: Code Quality and Build Setting Requirements

Security controls covered under this section deal with security coding practices to be implemented during application development. It also highlights the need to activate security features from the compiler. This section encompasses everything from ensuring the app is signed with a valid certificate to emphasizing the need for an error handling logic that denies access by default.

V8: Resiliency against Reverse Engineering Requirements

The last section is about implementing adequate protection measures that make it difficult for hackers to reverse engineer the application. The controls stated under this section need to be applied after assessing the security requirements of the application in question as the degree of risk due to reverse engineering will vary from application to application. The purpose of these controls is to strengthen the security of application. By not implementing these controls, the application does not develop any vulnerabilities. 

Final Thoughts

OWASP MASVS offers an industry standard and contains recommendations on security levels appropriate for different threat scenarios. MASVS is immensely beneficial for security testers to ensure consistency in test results. MASVS contains two security verification levels along with reverse engineering resiliency requirements. While Level 1 ensures protection against common vulnerabilities, level 2 addresses more advanced security issues with measures such as SSL pinning among others. Level 2 of MASVS is recommended for applications that deal in highly sensitive data. Level 1 is termed standard security whereas Level 2 is termed defense-in-depth that goes beyond the standard security requirements.

MASVS-R, on the other hand, can be applied according to the app-specific threat model. It contains a set of requirements that address client-side threats such as modding, tampering and reverse engineering. MASVS level 1 or level 2 can be combined with MASVS-R after assessing the risk factors. Risk assessment is imperative to understand which security verification levels can be applied to the application in focus. MASVS can also act as a replacement for off-the-shelf secure coding lists and a guide for automated unit and integration tests. 


Post a Comment

Mới hơn Cũ hơn