
OWASP MASVS


Summary

The OWASP Mobile Application Security Verification Standard (OWASP MASVS) is a standard for mobile app security. It is used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The version used in this section is OWASP MASVS v2.0.

Definitions

| Definition | Requirements |
|---|---|
| STORAGE-1. The app securely stores sensitive data | 178. Use digital signatures; 185. Encrypt sensitive information; 300. Mask sensitive data |
| STORAGE-2. The app prevents leakage of sensitive data | 178. Use digital signatures; 185. Encrypt sensitive information; 300. Mask sensitive data |
| CRYPTO-1. The app employs current strong cryptography and uses it according to industry best practices | 148. Set minimum size of asymmetric encryption; 149. Set minimum size of symmetric encryption; 185. Encrypt sensitive information; 224. Use secure cryptographic mechanisms |
| CRYPTO-2. The app performs key management according to industry best practices | 145. Protect system cryptographic keys; 146. Remove cryptographic keys from RAM; 151. Separate keys for encryption and signatures; 351. Assign unique keys to each device; 361. Replace cryptographic keys |
| AUTH-1. The app uses secure authentication and authorization protocols and follows the relevant best practices | 033. Restrict administrative access; 034. Manage user accounts; 122. Validate credential ownership; 225. Proper authentication responses; 226. Avoid account lockouts; 227. Display access notification; 228. Authenticate using standard protocols; 229. Request access credentials; 231. Implement a biometric verification component; 235. Define credential interface; 236. Establish authentication time |
| AUTH-2. The app performs local authentication securely according to the platform best practices | 231. Implement a biometric verification component |
| AUTH-3. The app secures sensitive operations with additional authentication | 231. Implement a biometric verification component; 362. Assign MFA mechanisms to a single account |
| NETWORK-1. The app secures all network traffic according to the current best practices | 181. Transmit data using secure protocols; 224. Use secure cryptographic mechanisms; 336. Disable insecure TLS versions |
| NETWORK-2. The app performs identity pinning for all remote endpoints under the developer's control | 093. Use consistent certificates; 373. Use certificate pinning |
| PLATFORM-1. The app uses IPC mechanisms securely | 266. Disable insecure functionalities |
| PLATFORM-2. The app uses WebViews securely | 266. Disable insecure functionalities |
| PLATFORM-3. The app uses the user interface securely | 266. Disable insecure functionalities |
| CODE-1. The app requires an up-to-date platform version | 262. Verify third-party components |
| CODE-2. The app has a mechanism for enforcing app updates | 262. Verify third-party components |
| CODE-3. The app only uses software components without known vulnerabilities | 155. Application free of malicious code; 262. Verify third-party components |
| CODE-4. The app validates and sanitizes all untrusted inputs | 169. Use parameterized queries; 173. Discard unsafe inputs; 324. Control redirects; 342. Validate request parameters; 344. Avoid dynamic code execution |
| RESILIENCE-1. The app validates the integrity of the platform | 046. Manage the integrity of critical files; 262. Verify third-party components |
| RESILIENCE-2. The app implements anti-tampering mechanisms | 262. Verify third-party components |
| PRIVACY-1. The app minimizes access to sensitive data and resources | 176. Restrict system objects; 181. Transmit data using secure protocols; 261. Avoid exposing sensitive information; 311. Demonstrate user consent |
| PRIVACY-2. The app prevents identification of the user | 300. Mask sensitive data |
| PRIVACY-3. The app is transparent about data collection and usage | 189. Specify the purpose of data collection; 310. Request user consent; 315. Provide processed data information |
| PRIVACY-4. The app offers user control over their data | 310. Request user consent; 312. Allow user consent revocation; 315. Provide processed data information |

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.