OWASP MASVS

Summary

The OWASP Mobile Application Security Verification Standard (OWASP MASVS) is a standard for mobile app security. It is used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The version used in this section is OWASP MASVS v1.5.0.

Definitions

Definition	Requirements
V1_2. Architecture, design and threat modeling requirements	320. Avoid client-side control enforcement
V1_3. Architecture, design and threat modeling requirements	062. Define standard configurations
V1_8. Architecture, design and threat modeling requirements	147. Use pre-existent mechanisms 224. Use secure cryptographic mechanisms
V1_10. Architecture, design and threat modeling requirements	062. Define standard configurations 266. Disable insecure functionalities
V1_12. Architecture, design and threat modeling requirements	331. Guarantee legal compliance
V2_1. Security verification requirements	143. Unique access credentials 229. Request access credentials
V2_2. Security verification requirements	375. Remove sensitive data from client-side applications
V2_3. Security verification requirements	083. Avoid logging sensitive data
V2_4. Security verification requirements	315. Provide processed data information
V2_5. Security verification requirements	117. Do not interpret HTML code
V2_7. Security verification requirements	235. Define credential interface
V2_10. Security verification requirements	360. Remove unnecessary sensitive information
V2_11. Security verification requirements	205. Configure PIN
V2_13. Security verification requirements	329. Keep client-side storage without sensitive data
V2_14. Security verification requirements	185. Encrypt sensitive information
V2_15. Security verification requirements	210. Delete information from mobile devices
V3_1. Cryptography requirements	148. Set minimum size of asymmetric encryption 149. Set minimum size of symmetric encryption
V3_4. Cryptography requirements	224. Use secure cryptographic mechanisms
V3_5. Cryptography requirements	351. Assign unique keys to each device
V3_6. Cryptography requirements	223. Uniform distribution in random numbers
V4_1. Authentication and session management requirements	229. Request access credentials 264. Request authentication
V4_2. Authentication and session management requirements	024. Transfer information using session objects 030. Avoid object reutilization
V4_3. Authentication and session management requirements	357. Use stateless session tokens
V4_4. Authentication and session management requirements	023. Terminate inactive user sessions
V4_5. Authentication and session management requirements - Password policy	127. Store hashed passwords 129. Validate previous passwords 130. Limit password lifespan 131. Deny multiple password changing attempts 133. Passwords with at least 20 characters 134. Store passwords with salt 135. Passwords with random salt 136. Force temporary password change 137. Change temporary passwords of third parties 138. Define lifespan for temporary passwords 209. Manage passwords in cache 332. Prevent the use of breached passwords
V4_6. Authentication and session management requirements	327. Set a rate limit
V4_7. Authentication and session management requirements	023. Terminate inactive user sessions 335. Define out of band token lifespan
V4_8. Authentication and session management requirements	231. Implement a biometric verification component
V4_9. Authentication and session management requirements	153. Out of band transactions
V4_10. Authentication and session management requirements	153. Out of band transactions 264. Request authentication
V5_1. Network communication requirements	336. Disable insecure TLS versions
V5_2. Network communication requirements	062. Define standard configurations
V5_4. Network communication requirements	091. Use internally signed certificates 092. Use externally signed certificates
V5_5. Network communication requirements	153. Out of band transactions 181. Transmit data using secure protocols
V6_1. Platform interaction requirements	186. Use the principle of least privilege
V6_2. Platform interaction requirements	032. Avoid session ID leakages 173. Discard unsafe inputs
V6_3. Platform interaction requirements	349. Include HTTP security headers
V6_5. Platform interaction requirements	266. Disable insecure functionalities
V6_7. Platform interaction requirements	266. Disable insecure functionalities
V6_8. Platform interaction requirements	321. Avoid deserializing untrusted data
V6_10. Platform interaction requirements	031. Discard user session data
V7_1. Code quality and build setting requirements	090. Use valid certificates
V7_2. Code quality and build setting requirements	078. Disable debugging events
V7_5. Code quality and build setting requirements	262. Verify third-party components
V7_6. Code quality and build setting requirements	161. Define secure default options 266. Disable insecure functionalities 359. Avoid using generic exceptions
V7_7. Code quality and build setting requirements	341. Use the principle of deny by default
V7_8. Code quality and build setting requirements	158. Use a secure programming language 164. Use optimized structures
V7_9. Code quality and build setting requirements	161. Define secure default options 266. Disable insecure functionalities
V8_1. Resilience requirements - Impede dynamic analysis and tampering	327. Set a rate limit
V8_2. Resilience requirements - Impede dynamic analysis and tampering	078. Disable debugging events
V8_5. Resilience requirements - Impede dynamic analysis and tampering	062. Define standard configurations 266. Disable insecure functionalities 273. Define a fixed security suite
V8_6. Resilience requirements - Impede dynamic analysis and tampering	350. Enable memory protection mechanisms
V8_7. Resilience requirements - Impede dynamic analysis and tampering	350. Enable memory protection mechanisms 352. Enable trusted execution
V8_9. Resilience requirements - Impede dynamic analysis and tampering	159. Obfuscate code
V8_10. Resilience requirements - Device binding	122. Validate credential ownership 178. Use digital signatures 185. Encrypt sensitive information 320. Avoid client-side control enforcement
V8_11. Resilience requirements - Impede comprehension	026. Encrypt client-side session information 329. Keep client-side storage without sensitive data 375. Remove sensitive data from client-side applications
V8_12. Resilience requirements - Impede comprehension	184. Obfuscate application data

free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.