Mobile Application Checklist
4.3 Mobile application checklist
The OWASP Mobile Application Security (MAS) flagship project has the mission statement: “Define the industry standard for mobile application security”.
The MAS project covers the processes, techniques, and tools used for security testing a mobile application, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results. The OWASP MAS project provides the Mobile Application Security Verification Standard (MASVS) for mobile applications and a comprehensive Mobile Application Security Testing Guide (MASTG).
The Mobile Application Security Checklist contains links to the MASTG test cases for each MASVS control.
What is MAS Checklist?
The MAS Checklist provides a checklist that keeps track of the MASTG test cases for each MASVS control, and the checklist is split out into categories that match the MASVS categories:
- MASVS-STORAGE sensitive data storage
- MASVS-CRYPTO cryptography best practices
- MASVS-AUTH authentication and authorization mechanisms
- MASVS-NETWORK network communications
- MASVS-PLATFORM interactions with the mobile platform
- MASVS-CODE platform and data entry points along with third-party software
- MASVS-RESILIENCE integrity and running on a trusted platform
In addition to the web links there is a downloadable spreadsheet.
Why use it?
If the MASTG is being applied to a mobile application then the MAS Checklist is a handy reference that can also be used for compliance purposes.
How to use it
The online version is useful to list the MASVS controls and which MASTG tests apply. Follow the links to access the individual controls and tests.
The spreadsheet download allows the status of each test to be recorded, with a separate sheet for each MASVS category. This record of test results can be used as evidence for compliance purposes.
The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.
\newpage