OWASP Developer Guide


3.6 Mobile Application Security

The OWASP Mobile Application Security (MAS) flagship project provides industry standards for mobile application security.

The MAS project covers the processes, techniques and tools used when security testing mobile applications, and it provides a set of test cases that enables testers to deliver consistent and complete results. The OWASP MAS project provides both the Mobile Application Security Verification Standard (MASVS), which defines the security controls for mobile applications, and the Mobile Application Security Testing Guide (MASTG), which describes how to test for them.

What is MASVS?

The OWASP MASVS is used by mobile software architects and developers to build secure mobile applications, and by security testers to ensure completeness and consistency of test results. The MAS project has several uses; when it comes to defining requirements, the MASVS provides the list of security controls that a mobile application should satisfy.

The security controls are split into several categories:

MASVS-STORAGE: secure storage of sensitive data on the device (data at rest)
MASVS-CRYPTO: cryptographic functionality used to protect sensitive data
MASVS-AUTH: authentication and authorization mechanisms used by the app
MASVS-NETWORK: secure network communication between the app and remote endpoints (data in transit)
MASVS-PLATFORM: secure interaction with the underlying mobile platform and other installed apps
MASVS-CODE: security best practices for data processing and for keeping the app up to date
MASVS-RESILIENCE: resilience to reverse engineering and tampering attempts
MASVS-PRIVACY: privacy controls to protect user privacy

The last category, MASVS-PRIVACY, is being reworked and so is subject to change.

Why use MASVS?

The OWASP MASVS is the industry standard for mobile application security, and it is expected that any given set of security requirements for a mobile application will satisfy the MASVS. When defining security requirements for mobile applications, each security control in the MASVS should be considered.

How to use MASVS

The MASVS can be accessed online, with links to the detailed guidance for each security control. It can also be downloaded as a PDF which can, for example, be used for evidence or compliance purposes. Inspect each control within the MASVS and regard it as a potential security requirement for the application being built or tested.

The OWASP Cheat Sheets have been indexed specifically for each category of the MASVS; this index can be used as a guide when deciding whether a category should be included in the test scheme.

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.
