Mobile Application Security Verification Standard (MASVS)

Author: Rosa Tiara

Overview

When you build a mobile app, how do you know if it's actually secure? Well, of course you could just trust your intuition or Google things as issues pop up, but neither approach really gives you the full picture. By using OWASP's MAS and MASVS, you'll have a clear checklist of what to check and how to make your app actually secure.

In this post, I'll break down what MAS and MASVS are, how they fit together, and why you should care about them.


What is OWASP MAS?

OWASP is a nonprofit organization that creates free security tools and guides for developers.

MAS (Mobile Application Security) is an OWASP project that gives developers and security testers a complete guide for building and checking mobile app security.

I also wrote about OWASP Mobile; you can read it here!

MAS currently consists of 3 main components that work together:

  • MASVS -> security requirements that a mobile app should meet.
  • MASWE -> identifies specific weaknesses and how they map to those requirements.
  • MASTG -> provides the detailed testing techniques and test cases to verify whether the requirements are actually met.

Each component plays a different role but they are all designed to be used together.

For this blog post, we will only focus on MASVS.


What is MASVS?

MASVS stands for Mobile Application Security Verification Standard. It is the foundation of the MAS project because it defines what a secure mobile application is supposed to look like.

In short, MASVS is a list of security requirements that your mobile app should satisfy. These requirements apply to both Android and iOS!

The key thing to remember about MASVS is that it only tells you what to achieve; it does not tell you how to test it. That job belongs to MASTG, which provides the actual test cases.


First question, why? Why does MASVS exist?

Without a standard like MASVS, every developer, every security team, and every company would define "secure" differently. A penetration tester hired by one company might check 10 things, while a tester hired by another company might check 250 completely different things.

MASVS aims to bring consistency to mobile app security.

It solves this by giving everyone a shared definition of what a secure mobile app looks like, so that developers can use it as a guide while building, security testers can use it to make sure they are not missing anything, and companies can use it to set clear security expectations.


What does MASVS actually cover?

MASVS is organized into control groups, where each group addresses a specific area of mobile app security. Let's take a look at each one!

Control group 1: storage

This group is about how the app handles sensitive data that gets saved on the device. For example, if a user logs in and the app saves their session token, this group asks:

Is that token stored in a safe location, or can another app on the same device read it?

Control group 2: cryptography

This group is about the app's use of encryption. If the app encrypts any data, this group asks:

Is the encryption implemented correctly, or did the developer use a weak algorithm or a hardcoded key that anyone can find by decompiling the app?

Control group 3: authentication and authorization

Authentication is basically showing who you are, while authorization is checking what you're allowed to do.

This control group focuses on how the app verifies who the user is and what they are allowed to do. It looks at the connection between the app and the backend service it talks to, and measures whether login and session management are handled securely.

Btw, if you want to learn more, I wrote a whole post about it :p

Control group 4: network communication

This group focuses on the data travelling between the app and any server. The objective here is to make sure that all of the app's communication is properly encrypted.

Control group 5: platform interaction

This group is about how the app interacts with the operating system and other apps on the device, and both Android and iOS have their own ways of doing this.

Android

On Android, apps communicate with each other using a mechanism called intents.

An intent is a message that one app sends to tell another app to do something, like opening a file or sharing a photo.

If an app is not careful about how it sends or receives these intents, a malicious app sitting on the same device could intercept that message and either steal the data inside it or respond to it pretending to be the legitimate app.
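As an added Android example (not code from the post or from the OWASP project), this shows the implicit intent pattern the paragraph above warns about next to the explicit and package-restricted forms, plus a receiving activity that treats incoming extras as untrusted input. All class, action and package names are constructed for this example.

```kotlin
import android.app.Activity
import android.content.Intent
import android.os.Bundle

// All names here are constructed for this example; the partner package is hypothetical.
private const val ACTION_SHOW_ACCOUNT = "com.example.ACTION_SHOW_ACCOUNT"
private const val PARTNER_PKG = "com.example.partner"
private val ALLOWED_PAGES = setOf("overview", "transactions")

class HomeActivity : Activity() {

    // Weak: an implicit intent names only an action, so whichever app declares a
    // matching <intent-filter> may be chosen to receive it, extras included.
    fun showAccountImplicit(token: String) {
        startActivity(Intent(ACTION_SHOW_ACCOUNT).putExtra("session_token", token))
    }

    // Hardened (same app): an explicit intent names the component, so the system
    // delivers it only there; no other app's filter can match.
    fun showAccountExplicit(page: String) {
        startActivity(Intent(this, AccountActivity::class.java).putExtra("page", page))
        // The token itself stays in the app's own storage; the target reads it from
        // there instead of having it passed around in extras.
    }

    // Hardened (another app): setPackage() restricts resolution to one package.
    fun sendToPartner(payload: String) {
        val i = Intent(ACTION_SHOW_ACCOUNT).setPackage(PARTNER_PKG).putExtra("payload", payload)
        if (i.resolveActivity(packageManager) != null) startActivity(i)
    }
}

// Receiving side. If this activity is exported (android:exported="true" in the
// manifest) any app can start it, so every extra is untrusted input: validate it
// against an allow-list and refuse anything else. Components that only need to be
// reached from inside the app should be declared android:exported="false".
class AccountActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val page = intent.getStringExtra("page")
        if (page == null || page !in ALLOWED_PAGES) {
            finish()
            return
        }
        render(page)
    }

    private fun render(page: String) { /* show the requested screen */ }
}
```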

iOS

On iOS, a similar mechanism exists through URL schemes and Universal Links.

A URL scheme is a custom address that an app registers so that other apps or websites can open it directly, like how tapping a link in your email can open your bank app straight to a specific screen.

If that URL scheme isn't handled carefully, a malicious app could register the same scheme and intercept the request. Universal Links are Apple's more secure alternative, because they tie the link to a verified domain rather than just a name that any app can claim.

Control group 6: code quality

This group is about the overall quality of the code from a security perspective. It includes things like whether the app properly validates all input it receives, whether it avoids keeping sensitive information in memory longer than needed, and whether its dependencies are kept up to date.

Control group 7: resilience

This one is about how well the app holds up against someone who is actively trying to get into it, by whatever means. It covers techniques like obfuscation, anti-debugging, and tamper detection.

This group is more situational than the others because not every app needs that level of resilience; it depends on how sensitive the data the app handles is.

Control group 8: privacy

This is the newest addition to MASVS. It focuses on how the app handles personal data from a privacy perspective, asking whether the app collects only the data it actually needs, whether users are informed about what is being collected, and whether that data is handled in a way that respects the user's rights.


Are there any verification levels for MASVS?

There were.

MASVS used to have L1 and L2 levels. L1 was for basic apps, and L2 was for sensitive apps like banking or healthcare.

But as of MASVS v2.0.0, these levels were removed from MASVS and moved to MASTG instead. Why? Because MASVS should only list what to check, not decide which apps need which checks.


Conclusion

MASVS is a standard that defines the requirements every secure mobile app should meet, organized into 8 control groups that cover the most important areas of the mobile attack surface.

If you want to go deep into more detail about it, you can read its official documentation.

Good luck and happy learning!
