The document discusses the Mobile Application Security Verification Standard (MASVS) project from OWASP. It provides an overview of the MASVS levels and describes the eight verification requirements areas: 1) Architecture, Design and Threat Modeling; 2) Data Storage and Privacy; 3) Cryptography; 4) Authentication and Session Management; 5) Network Communication; 6) Platform Interaction; 7) Code Quality and Build Setting; and 8) Resilience. Each verification requirement area includes example requirements and references related information. The goal of MASVS is to provide a standard way to verify the security of mobile apps and help developers build more secure apps.
1. Prathan Phongthiproek
Mobile Security Team, OWASP Jump-Start the MASVS presentation at MiSSxTalks Special Aug 25, 2018
Content is available under Creative Commons Attribution-ShareAlike unless otherwise noted.
9. The MASVS Levels
R
L2
L1
Standard Security
• Follows security best practices
• Appropriate for all mobile apps
Defense-in-Depth
• Well-defined security model and added controls
• Appropriate for apps that handle sensitive data
Resiliency Against Reverse Engineering and Tampering
• Adds client side protection (e.g. Tampering, Reverse engineering)
• Optional protective layer for Intellectual property and data
10. Health-Care Industry : Mobile apps that store personally identifiable information that can be
used for identity theft or a variety of fraud schemes.
Financial Industry : Apps that enable access to highly sensitive information like credit card
Game Industry : Games with an essential need to prevent modding and cheating, such as
competitive online games.
Financial Industry: Online banking apps that allow the user to move funds, where techniques
code injection and instrumentation on compromised devices pose a risk.
All mobile apps. MASVS-L1 lists security best practices that can be followed with a reasonable
impact on development cost and user experience.
The MASVS Verification Type
L2
L1
L1+R
L2+R
11. The Verification Requirements
V1: Architecture, Design and Threat Modeling
V2: Data Storage and Privacy V3: Cryptography
V4: Authentication and
Session Management
V5: Network Communication V6: Platform Interaction
V7: Code Quality and Build
Setting
V8: Resilience
14. Related Information
o OWASP Mobile Top 10: M10 - Extraneous Functionality
o OWASP Security Architecture Cheat Sheet
o OWASP Threat Modeling
o OWASP Secure SDLC Cheat Sheet
o Microsoft SDL
o NIST SP 800-57
17. Example 2.1: System credential storage facilities are used appropriately to
store sensitive data, such as PII, user credentials or cryptographic keys
18. Example 2.7: No sensitive data, such as passwords or pins, is
exposed through the user interface
19. Example 2.8: No sensitive data is included in backups
generated by the mobile operating system
20. Example 2.9: The app removes sensitive data from views
when backgrounded
21. Related Information
o OWASP Mobile Top 10: M2 - Insecure Data Storage
o OWASP Mobile Security Testing Guide for Android and iOS - Testing Data
Storage
30. Example 4.1: If the app provides users access to a remote service, some form of
authentication, such as username/password authentication, is performed at the
remote endpoint
31. Example 4.1: If the app provides users access to a remote service, some form of
authentication, such as username/password authentication, is performed at the
remote endpoint
DEMO
32. Example 4.4: The remote endpoint terminates the existing
session when the user logs out
33. Example 4.7: Biometric authentication, if any, is not event-bound (i.e. using an
API that simply returns "true" or "false"). Instead, it is based on unlocking the
keychain/keystore.
DEMO
35. Related Information
o OWASP Mobile Top 10: M4 - Insecure Authentication
o OWASP Mobile Top 10: M6 - Insecure Authorization
o OWASP Mobile Security Testing Guide for Android and iOS - Testing
Authentication and Session Management
o OWASP Authentication Cheat Sheet
o OWASP Session Management Cheat Sheet
o OWASP Transaction Authorization Cheat Sheet
o OWASP Access Control Cheat Sheet
38. Example 5.3: The app verifies the X.509 certificate of the remote endpoint when
the secure channel is established. Only certificates signed by a trusted CA are
accepted
SSL/TLS
39. Example 5.4: The app either uses its own certificate store, or pins the endpoint
certificate or public key, and subsequently does not establish connections with
endpoints that offer a different certificate or key, even if signed by a trusted CA
SSL/TLS
40. Related Information
o OWASP Mobile Top 10: M3 - Insecure Communication
o OWASP Mobile Security Testing Guide for Android and iOS - Testing
Network Communication
o OWASP Transport Layer Protection Cheat Sheet
o OWASP Certificate Pinning Cheat Sheet
48. Related Information
o OWASP Mobile Top 10: M1 - Improper Platform Usage
o OWASP Mobile Security Testing Guide for Android and iOS - Testing
Platform Interaction
51. Example 7.2: The app has been built in release mode, with
settings appropriate for a release build (e.g. non-debuggable)
52. Example 7.4: Debugging code has been removed, and the app
does not log verbose errors or debugging messages
DEMO
53. Related Information
o OWASP Mobile Top 10: M7 - Client Code Quality
o OWASP Mobile Security Testing Guide for Android and iOS - Testing Code
Quality and Build Settings
57. Related Information
o OWASP Mobile Top 10: M8 - Code Tampering
o OWASP Mobile Top 10: M9 - Reverse Engineering
o OWASP Mobile Security Testing Guide for Android and iOS - Testing
Resiliency Against Reverse Engineering
o OWASP Reverse Engineering Threats
o OWASP Reverse Engineering and Code Modification Prevention
58. • OWASP Securing the SDLC (Jim Manico)
• OWASP Geneva-Chapter Meeting (Jeremy Matos)
• OWASP Mobile Top 10 Deep-Dive (Prathan Phongthiproek)
• https://github.com/OWASP/owasp-masvs
References