Mobile Application Security
3.6 Mobile Application Security
The OWASP Mobile Application Security (MAS) flagship project provides industry standards for mobile application security.
The MAS project covers the processes, techniques, and tools used for security testing mobile applications. It provides a set of test cases that enables testers to deliver consistent and complete results. The OWASP MAS project provides both the Mobile Application Security Verification Standard (MASVS) for mobile applications and the Mobile Application Security Testing Guide (MASTG).
What is MASVS?
The OWASP MASVS is used by mobile software architects and developers to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The MAS project has several uses; when it comes to defining requirements then the MASVS contains a list of security controls for mobile applications.
The security controls are split into several categories:
- MASVS-STORAGE / Cheat Sheets
- MASVS-CRYPTO / Cheat Sheets
- MASVS-AUTH / Cheat Sheets
- MASVS-NETWORK / Cheat Sheets
- MASVS-PLATFORM / Cheat Sheets
- MASVS-CODE / Cheat Sheets
- MASVS-RESILIENCE / Cheat Sheets
- MASVS-PRIVACY / Cheat Sheets
The last category, MASVS-PRIVACY, is being reworked so is subject to change.
Why use MASVS?
The OWASP MASVS is the industry standard for mobile application security and it is expected that any given set of security requirements will satisfy the MASVS. When defining security requirements for mobile applications then each security control in the MASVS should be considered.
How to use MASVS
MASVS can be accessed online and the links followed for each security control. In addition MASVS can be downloaded as a PDF which can, for example, be used for evidence or compliance purposes. Inspect each control within MASVS and regard it as a potential security requirement.
The OWASP Cheat Sheets have been indexed specifically for each category of the MASVS, which can be used as a guide to decide if the category should to be included in the test scheme.
References
- OWASP Mobile Application Security (MAS)
- MAS project
- MAS Checklist
- MAS Verification Standard (MASVS)
- OWASP Mobile Application Security cheat sheet
The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.
\newpage