OWASP MASVS

Summary

The OWASP Mobile Application Security Verification Standard (OWASP MASVS) is a standard for mobile app security. It is used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The version used in this section is OWASP MASVS v1.5.0.

Definitions

Definition | Requirements

V1_2. Architecture, design and threat modeling requirements
  320. Avoid client-side control enforcement
V1_3. Architecture, design and threat modeling requirements
  062. Define standard configurations
V1_8. Architecture, design and threat modeling requirements
  147. Use pre-existent mechanisms
  224. Use secure cryptographic mechanisms
V1_10. Architecture, design and threat modeling requirements
  062. Define standard configurations
  266. Disable insecure functionalities
V1_12. Architecture, design and threat modeling requirements
  331. Guarantee legal compliance
V2_1. Security verification requirements
  143. Unique access credentials
  229. Request access credentials
V2_2. Security verification requirements
  375. Remove sensitive data from client-side applications
V2_3. Security verification requirements
  083. Avoid logging sensitive data
V2_4. Security verification requirements
  315. Provide processed data information
V2_5. Security verification requirements
  117. Do not interpret HTML code
V2_7. Security verification requirements
  235. Define credential interface
V2_10. Security verification requirements
  360. Remove unnecessary sensitive information
V2_11. Security verification requirements
  205. Configure PIN
V2_13. Security verification requirements
  329. Keep client-side storage without sensitive data
V2_14. Security verification requirements
  185. Encrypt sensitive information
V2_15. Security verification requirements
  210. Delete information from mobile devices
V3_1. Cryptography requirements
  148. Set minimum size of asymmetric encryption
  149. Set minimum size of symmetric encryption
V3_4. Cryptography requirements
  224. Use secure cryptographic mechanisms
V3_5. Cryptography requirements
  351. Assign unique keys to each device
V3_6. Cryptography requirements
  223. Uniform distribution in random numbers
V4_1. Authentication and session management requirements
  229. Request access credentials
  264. Request authentication
V4_2. Authentication and session management requirements
  024. Transfer information using session objects
  030. Avoid object reutilization
V4_3. Authentication and session management requirements
  357. Use stateless session tokens
V4_4. Authentication and session management requirements
  023. Terminate inactive user sessions
V4_5. Authentication and session management requirements - Password policy
  127. Store hashed passwords
  129. Validate previous passwords
  130. Limit password lifespan
  131. Deny multiple password changing attempts
  133. Passwords with at least 20 characters
  134. Store passwords with salt
  135. Passwords with random salt
  136. Force temporary password change
  137. Change temporary passwords of third parties
  138. Define lifespan for temporary passwords
  209. Manage passwords in cache
  332. Prevent the use of breached passwords
V4_6. Authentication and session management requirements
  327. Set a rate limit
V4_7. Authentication and session management requirements
  023. Terminate inactive user sessions
  335. Define out of band token lifespan
V4_8. Authentication and session management requirements
  231. Implement a biometric verification component
V4_9. Authentication and session management requirements
  153. Out of band transactions
V4_10. Authentication and session management requirements
  153. Out of band transactions
  264. Request authentication
V5_1. Network communication requirements
  336. Disable insecure TLS versions
V5_2. Network communication requirements
  062. Define standard configurations
V5_4. Network communication requirements
  091. Use internally signed certificates
  092. Use externally signed certificates
V5_5. Network communication requirements
  153. Out of band transactions
  181. Transmit data using secure protocols
V6_1. Platform interaction requirements
  186. Use the principle of least privilege
V6_2. Platform interaction requirements
  032. Avoid session ID leakages
  173. Discard unsafe inputs
V6_3. Platform interaction requirements
  349. Include HTTP security headers
V6_5. Platform interaction requirements
  266. Disable insecure functionalities
V6_7. Platform interaction requirements
  266. Disable insecure functionalities
V6_8. Platform interaction requirements
  321. Avoid deserializing untrusted data
V6_10. Platform interaction requirements
  031. Discard user session data
V7_1. Code quality and build setting requirements
  090. Use valid certificates
V7_2. Code quality and build setting requirements
  078. Disable debugging events
V7_5. Code quality and build setting requirements
  262. Verify third-party components
V7_6. Code quality and build setting requirements
  161. Define secure default options
  266. Disable insecure functionalities
  359. Avoid using generic exceptions
V7_7. Code quality and build setting requirements
  341. Use the principle of deny by default
V7_8. Code quality and build setting requirements
  158. Use a secure programming language
  164. Use optimized structures
V7_9. Code quality and build setting requirements
  161. Define secure default options
  266. Disable insecure functionalities
V8_1. Resilience requirements - Impede dynamic analysis and tampering
  327. Set a rate limit
V8_2. Resilience requirements - Impede dynamic analysis and tampering
  078. Disable debugging events
V8_5. Resilience requirements - Impede dynamic analysis and tampering
  062. Define standard configurations
  266. Disable insecure functionalities
  273. Define a fixed security suite
V8_6. Resilience requirements - Impede dynamic analysis and tampering
  350. Enable memory protection mechanisms
V8_7. Resilience requirements - Impede dynamic analysis and tampering
  350. Enable memory protection mechanisms
  352. Enable trusted execution
V8_9. Resilience requirements - Impede dynamic analysis and tampering
  159. Obfuscate code
V8_10. Resilience requirements - Device binding
  122. Validate credential ownership
  178. Use digital signatures
  185. Encrypt sensitive information
  320. Avoid client-side control enforcement
V8_11. Resilience requirements - Impede comprehension
  026. Encrypt client-side session information
  329. Keep client-side storage without sensitive data
  375. Remove sensitive data from client-side applications
V8_12. Resilience requirements - Impede comprehension
  184. Obfuscate application data