OWASP MASVS

Summary

The OWASP Mobile Application Security Verification Standard (OWASP MASVS) is a standard for mobile app security. It is used by mobile software architects and developers seeking to develop secure mobile applications, as well as by security testers to ensure completeness and consistency of test results. The version used in this section is OWASP MASVS v1.4.2.

Definitions

| Definition | Requirements |
|---|---|
| V1_2. Architecture, design and threat modeling requirements | 320. Avoid client-side control enforcement |
| V1_3. Architecture, design and threat modeling requirements | 062. Define standard configurations |
| V1_8. Architecture, design and threat modeling requirements | 147. Use pre-existent mechanisms; 224. Use secure cryptographic mechanisms |
| V1_10. Architecture, design and threat modeling requirements | 062. Define standard configurations; 266. Disable insecure functionalities |
| V1_12. Architecture, design and threat modeling requirements | 331. Guarantee legal compliance |
| V2_1. Security verification requirements | 143. Unique access credentials; 229. Request access credentials |
| V2_2. Security verification requirements | 375. Remove sensitive data from client-side applications |
| V2_3. Security verification requirements | 083. Avoid logging sensitive data |
| V2_4. Security verification requirements | 315. Provide processed data information |
| V2_7. Security verification requirements | 235. Define credential interface |
| V2_10. Security verification requirements | 360. Remove unnecessary sensitive information |
| V2_11. Security verification requirements | 205. Configure PIN |
| V2_13. Security verification requirements | 329. Keep client-side storage without sensitive data |
| V2_14. Security verification requirements | 185. Encrypt sensitive information |
| V2_15. Security verification requirements | 210. Delete information from mobile devices |
| V3_1. Cryptography requirements | 148. Set minimum size of asymmetric encryption; 149. Set minimum size of symmetric encryption |
| V3_4. Cryptography requirements | 224. Use secure cryptographic mechanisms |
| V3_5. Cryptography requirements | 351. Assign unique keys to each device |
| V3_6. Cryptography requirements | 223. Uniform distribution in random numbers |
| V4_1. Authentication and session management requirements | 229. Request access credentials; 264. Request authentication |
| V4_2. Authentication and session management requirements | 024. Transfer information using session objects; 030. Avoid object reutilization |
| V4_3. Authentication and session management requirements | 357. Use stateless session tokens |
| V4_4. Authentication and session management requirements | 023. Terminate inactive user sessions |
| V4_5. Authentication and session management requirements - Password policy | 127. Store hashed passwords; 129. Validate previous passwords; 130. Limit password lifespan; 131. Deny multiple password changing attempts; 133. Passwords with at least 20 characters; 134. Store passwords with salt; 135. Passwords with random salt; 136. Force temporary password change; 137. Change temporary passwords of third parties; 138. Define lifespan for temporary passwords; 209. Manage passwords in cache; 332. Prevent the use of breached passwords |
| V4_6. Authentication and session management requirements | 327. Set a rate limit |
| V4_7. Authentication and session management requirements | 023. Terminate inactive user sessions; 335. Define out of band token lifespan |
| V4_8. Authentication and session management requirements | 231. Implement a biometric verification component |
| V4_10. Authentication and session management requirements | 153. Out of band transactions; 264. Request authentication |
| V5_1. Network communication requirements | 336. Disable insecure TLS versions |
| V5_2. Network communication requirements | 062. Define standard configurations |
| V5_4. Network communication requirements | 091. Use internally signed certificates; 092. Use externally signed certificates |
| V5_5. Network communication requirements | 153. Out of band transactions; 181. Transmit data using secure protocols |
| V6_2. Platform interaction requirements | 032. Avoid session ID leakages; 173. Discard unsafe inputs |
| V6_3. Platform interaction requirements | 349. Include HTTP security headers |
| V6_5. Platform interaction requirements | 266. Disable insecure functionalities |
| V6_7. Platform interaction requirements | 266. Disable insecure functionalities |
| V6_8. Platform interaction requirements | 321. Avoid deserializing untrusted data |
| V7_1. Code quality and build setting requirements | 090. Use valid certificates |
| V7_2. Code quality and build setting requirements | 078. Disable debugging events |
| V7_5. Code quality and build setting requirements | 262. Verify third-party components |
| V7_6. Code quality and build setting requirements | 161. Define secure default options; 266. Disable insecure functionalities; 359. Avoid using generic exceptions |
| V7_8. Code quality and build setting requirements | 158. Use a secure programming language; 164. Use optimized structures |
| V8_1. Resilience requirements - Impede dynamic analysis and tampering | 327. Set a rate limit |
| V8_2. Resilience requirements - Impede dynamic analysis and tampering | 078. Disable debugging events |
| V8_9. Resilience requirements - Impede dynamic analysis and tampering | 159. Obfuscate code |
| V8_10. Resilience requirements - Device binding | 122. Validate credential ownership; 178. Use digital signatures; 185. Encrypt sensitive information; 320. Avoid client-side control enforcement |
| V8_11. Resilience requirements - Impede comprehension | 026. Encrypt client-side session information; 329. Keep client-side storage without sensitive data; 375. Remove sensitive data from client-side applications |