OWASP Developer Guide

MAS Weakness Enumeration


5.4 Mobile application weakness enumeration

The OWASP Mobile Application Security (MAS) flagship project provides industry standards for mobile application security.

The OWASP MASWE project is one of the tools provided by MAS, and provides a list of weaknesses that have been found in various mobile applications.

What is the MASWE?

The MAS Weakness Enumeration (MASWE) lists weaknesses, and therefore potential vulnerabilities, that have been found in mobile applications over time. A weakness is a pattern in design or code that can lead to a vulnerability; whether it is actually exploitable in a given application depends on context.

The MASWE is split out into weakness categories that correspond to the MASVS verification categories:

  • MASVS-STORAGE
  • MASVS-CRYPTO
  • MASVS-AUTH
  • MASVS-NETWORK
  • MASVS-PLATFORM
  • MASVS-CODE
  • MASVS-RESILIENCE
  • MASVS-PRIVACY

Each MASWE entry sits under one of these categories, so a weakness found during testing can be traced back to the MASVS control group and the MASTG tests that exercise it.

Why use it?

Although the MASWE is a relatively new project from 2024, it already provides a common language when discussing and categorizing weaknesses found in mobile applications. It also provides a list of potential vulnerabilities that should be considered during the design lifecycle and when creating or revising security requirements for mobile applications.

The MASWE is a valuable catalogue of what can go wrong in mobile applications and of the weaknesses that malicious actors look for when attacking them.

How to use it

The Common Weakness Enumeration (CWE), published by Mitre, is used by security architects to become aware of the weaknesses and potential vulnerabilities that could be present in an application. Development teams use the CWE as a reference for these weaknesses and to help them understand the relevant mitigations. These are just two examples of how the CWE is widely used.

In a similar way the MASWE can be used in the development of mobile applications:

  • to inform development teams of specific weaknesses to avoid
  • to identify security requirements for the application
  • as a training aid for developers and testers
  • to categorize weaknesses found during reviews and tests, using the MASVS categories as a common vocabulary

This list is just a starting point; there are many uses for the MASWE.

References

  • Mobile Application Security (MAS) project
  • MAS Weakness Enumeration (MASWE)
  • Mitre Common Weakness Enumeration (CWE)
  • MAS Verification Standard (MASVS)
  • MAS Checklist
  • MAS Testing Guide (MASTG)

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.