OWASP Mobile Application Security Verification Standard (MASVS)
v2.0.0 released April 1, 2023
Release Notes: https://github.com/OWASP/owasp-masvs/releases/tag/v2.0.0
The OWASP MASVS, available online at https://mas.owasp.org/MASVS, is part of the OWASP Mobile Application Security (MAS) Project, which also provides the OWASP Mobile Application Security Testing Guide (MASTG) v1.5.0.
Technological revolutions can happen quickly. Less than a decade ago, smartphones were clunky devices with little keyboards – expensive playthings for tech-savvy business users. Today, smartphones are an essential part of our lives. We’ve come to rely on them for information, navigation and communication, and they are ubiquitous both in business and in our social lives.
Every new technology introduces new security risks, and keeping up with those changes is one of the main challenges the security industry faces. The defensive side is always a few steps behind. For example, the default reflex for many was to apply old ways of doing things: Smartphones are like small computers, and mobile apps are just like classic software, so surely the security requirements are similar? But it doesn’t work like that. Smartphone operating systems are different from desktop operating systems, and mobile apps are different from web apps. For example, the classical method of signature-based virus scanning doesn’t make sense in modern mobile OS environments: Not only is it incompatible with the mobile app distribution model, it’s also technically impossible due to sandboxing restrictions. Also, some vulnerability classes, such as buffer overflows and XSS issues, are less relevant in the context of run-of-the-mill mobile apps than in, say, desktop apps and web applications (exceptions apply).
Over time, our industry has gotten a better grip on the mobile threat landscape. As it turns out, mobile security is all about data protection: Apps store our personal information, pictures, recordings, notes, account data, business information, location and much more. They act as clients that connect us to services we use on a daily basis, and as communications hubs that process each and every message we exchange with others. Compromise a person’s smartphone and you get unfiltered access to that person’s life. When we consider that mobile devices are more readily lost or stolen and mobile malware is on the rise, the need for data protection becomes even more apparent.
A security standard for mobile apps must therefore focus on how mobile apps handle, store and protect sensitive information. Even though modern mobile operating systems like iOS and Android offer mature APIs for secure data storage and communication, those have to be implemented and used correctly in order to be effective. Data storage, inter-app communication, proper usage of cryptographic APIs and secure network communication are only some of the aspects that require careful consideration.
An important question in need of industry consensus is how far exactly one should go in protecting the confidentiality and integrity of data. For example, most of us would agree that a mobile app should verify the server certificate in a TLS exchange. But what about certificate or public key pinning? Does not doing it result in a vulnerability? Should this be a requirement if an app handles sensitive data, or is it maybe even counter-productive? Do we need to encrypt data stored in SQLite databases, even though the OS sandboxes the app? What is appropriate for one app might be unrealistic for another. The MASVS is an attempt to standardize these requirements using profiles that fit different threat scenarios.
Furthermore, the appearance of root malware and remote administration tools has created awareness of the fact that mobile operating systems themselves have exploitable flaws, so containerization strategies are increasingly used to afford additional protection to sensitive data and prevent client-side tampering. This is where things get complicated. Hardware-backed security features and OS-level containerization solutions, such as Android Enterprise and Samsung Knox, do exist, but they aren’t consistently available across different devices. As a band-aid, it is possible to implement software-based protection measures – but unfortunately, there are no standards or testing processes for verifying these kinds of protections.
As a result, mobile app security testing reports are all over the place: For example, some testers report a lack of obfuscation or root detection in an Android app as a “security flaw”. On the other hand, measures like string encryption, debugger detection or control flow obfuscation aren’t considered mandatory. However, this binary way of looking at things doesn’t make sense because resilience is not a binary proposition: It depends on the particular client-side threats one aims to defend against. Software protections are not useless, but they can ultimately be bypassed, so they must never be used as a replacement for security controls.
The overall goal of the MASVS is to offer a baseline for mobile application security, while also allowing for the inclusion of defense-in-depth measures and protections against client-side threats. The MASVS is meant to achieve the following:
• Provide requirements for software architects and developers seeking to develop secure mobile applications;
• Offer an industry standard that can be tested against in mobile app security reviews;
• Clarify the role of software protection mechanisms in mobile security and provide requirements to verify their effectiveness;
• Provide specific recommendations as to what level of security is recommended for different use-cases.
We are aware that 100% industry consensus is impossible to achieve. Nevertheless, we hope that the MASVS is useful in providing guidance throughout all phases of mobile app development and testing. As an open source standard, the MASVS will evolve over time, and we welcome any contributions and suggestions.
By Bernhard Mueller
About the Standard
The OWASP Mobile Application Security Verification Standard (MASVS) is the industry standard for mobile application security. It provides a comprehensive set of security controls that can be used to assess the security of mobile apps across various platforms (e.g., Android, iOS) and deployment scenarios (e.g., consumer, enterprise). The standard covers the key components of the mobile app attack surface including storage, cryptography, authentication and authorization, network communication, interaction with the mobile platform, code quality and resilience against reverse engineering and tampering.
The OWASP MASVS is the result of years of community effort and industry feedback. We thank all the contributors who have helped shape this standard. We welcome your feedback on the OWASP MASVS at any time, especially as you apply it to your own organization and mobile app development projects. Input from a variety of mobile app developers will help us improve and update the standard, which is revised periodically based on your input and feedback.
You can provide feedback using GitHub Discussions in the OWASP MASVS repo https://github.com/OWASP/owasp-masvs/discussions, or contact the project leads directly https://mas.owasp.org/contact/.
The OWASP MASVS and MASTG are trusted by the following platform providers and standardization, governmental and educational institutions.