Introduction
When thinking about mobile app security, the topic may feel more complicated than the actual process of creating an app. Why? Development teams are often overcommitted and understaffed, so security feels like just one more thing to add to an already long list of responsibilities. There’s also pressure to get an app to market quickly, which pushes security even further down the list. But mobile app security doesn’t have to be complicated, and it definitely shouldn’t be consigned to the bottom of your development “to-do” list. Let’s talk about “shifting left.”
“Shifting left”, or incorporating security requirements earlier in the development process, is the easiest, most effective way for developers to approach mobile app security. Choosing to delay the implementation of security requirements can lead to vulnerable code, components, and dependencies in your app. If left unchecked, these may cause additional work later in the development process and possibly even delay the app’s release.
If you’re looking to shift left, the process begins with developing an understanding of the current threat landscape. Then, it’s important to consider the business case for implementing security measures earlier in the development process and deciding which security standards to adopt.
Developers considering security standards for their mobile app should look no further than the Open Worldwide Application Security Project (OWASP). OWASP is a nonprofit foundation and online community of experts who have been informing the conversation around web and mobile application security standards for years. Through the OWASP Mobile Application Security (MAS) project, the organization provides great resources that enable developers around the world to improve the security of their software and mobile apps. These resources include a variety of guides and checklists like the OWASP Mobile Application Security Verification Standard (MASVS), which presents a comprehensive list of security requirements for your application, and the Mobile Top Ten list, which outlines the top security risks mobile applications face.
In this report, we cover the myths surrounding mobile app security, the current state of the threat landscape, and the security standards recommended by OWASP MAS to protect your mobile application. After reading, you and your development team should have a better understanding of how to apply the necessary security standards to protect your mobile application. After all, you’ve spent hundreds (possibly thousands) of hours developing your application — shouldn’t you protect your investment?
Common myths surrounding mobile app security
Few developers would debate the need for mobile application security. There is uncertainty, however, about when and how to include it. For example, many believe the Android and iOS operating systems offer sufficient security to protect a mobile app. While both operating systems offer some protection against security concerns like hacking and monitoring, the baseline protection offered is not enough to thwart sophisticated threat actors with multiple tools at their disposal.
Other common misconceptions include: the belief that iOS is more secure than Android, that security is only needed server-side, and that mobile app security is only for applications in regulated industries (e.g., banking and healthcare). These misconceptions point to the necessity of understanding the security threats most pertinent to your app and how industry standards like OWASP can help.
Vulnerabilities in mobile applications
The need for security standards is also evident in the significant number of mobile applications with serious vulnerabilities. In a recent study by Symantec’s Threat Hunter Team, researchers sampled a number of apps and found 1,800 publicly available applications in the sample that contained easily exploited, hard-coded AWS credentials. These credentials could have enabled threat actors to access cloud resources and file directories to steal user data. In a separate study by Intertrust, a data orchestration platform, researchers discovered that 81% of finance apps leak data. These research results point to the potential negative business implications of not having sufficient security in mobile applications.
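As an added illustration of the hard-coded-credential finding above (example code written for this page, not Symantec’s or Guardsquare’s tooling), here is a small static check that flags the documented AWS access key and secret key formats in app sources and resources. The sample files are constructed, and the key pair in them is AWS’s own published example pair, not a live credential.

```python
"""Flag hard-coded AWS credentials in Android sources and resources (added example, not Guardsquare's or OWASP's code)."""
import re
from typing import Dict, List, Tuple

# Long-term IAM access key IDs are "AKIA" + 16 upper-case alphanumerics (documented AWS format).
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# A secret access key is 40 base64-style characters; to limit noise from other
# 40-character tokens, one is flagged only when the same line mentions "secret".
SECRET_HINT_RE = re.compile(r"secret", re.IGNORECASE)
SECRET_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

Finding = Tuple[str, int, str, str]  # (path, line number, kind, redacted value)


def redact(secret: str) -> str:
    """Keep the first and last four characters so the finding is locatable without reprinting it."""
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_line(path: str, lineno: int, line: str) -> List[Finding]:
    hits: List[Finding] = []
    for m in ACCESS_KEY_RE.finditer(line):
        hits.append((path, lineno, "aws_access_key_id", redact(m.group(1))))
    if SECRET_HINT_RE.search(line):
        for m in SECRET_TOKEN_RE.finditer(line):
            hits.append((path, lineno, "aws_secret_access_key", redact(m.group(1))))
    return hits


def scan_sources(files: Dict[str, str]) -> List[Finding]:
    """files maps a path to its text; findings come back in path/line order."""
    findings: List[Finding] = []
    for path in sorted(files):
        for lineno, line in enumerate(files[path].splitlines(), start=1):
            findings.extend(scan_line(path, lineno, line))
    return findings


# Constructed sample project. The key pair is AWS's documented example pair, not
# a live credential; the Kotlin file only names a bucket and says "secret" in a comment.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        "<resources>\n"
        '    <string name="app_name">ExpenseTracker</string>\n'
        '    <string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>\n'
        '    <string name="aws_secret">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>\n'
        "</resources>\n"
    ),
    "app/src/main/java/com/example/Upload.kt": (
        "class Upload {\n"
        '    private val bucket = "expense-receipts"  // no secret here\n'
        "    fun upload(body: ByteArray) = s3.putObject(bucket, key, body)\n"
        "}\n"
    ),
}

if __name__ == "__main__":
    for path, lineno, kind, value in scan_sources(SAMPLE_FILES):
        print(f"{path}:{lineno}: hard-coded {kind} {value}")
```

A check like this belongs in CI alongside the build, so the finding surfaces before the credential ever ships in a release APK.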
Mobile application market growth, and security problems
There are currently 3.5 million mobile applications available, and the market continues to grow rapidly as industry research points to a growing user preference for mobile applications. Where there’s explosive market growth, there’s usually a concurrent rise in risk, and unfortunately, the mobile application industry is no different. Recently, researchers found that brand abuse attacks across Android and iOS apps increased by 274% in 2021. This figure includes threat actors impersonating an authentic brand’s mobile app. From the same report, we also know 68% of digital banking fraud originates from mobile channels. As the threat landscape grows, we see that the methods threat actors employ to steal data and reverse engineer mobile applications are becoming more sophisticated.
Developers looking to lessen the impact of mobile application attacks need to build a strong mobile application security strategy. Let’s look at how OWASP MAS and its resources can help.
OWASP MAS Project
The OWASP MAS project was created with the goal of defining the industry standard for mobile application security. There are three main resources in this flagship project: the OWASP Mobile Application Security Verification Standard (MASVS), the OWASP Mobile Application Security Testing Guide (MASTG), and the OWASP MAS Checklist.
OWASP Mobile Application Security Verification Standard
OWASP MASVS was created to be the industry standard for mobile app security. It provides a framework and a layered model for how development teams can approach security in various areas, as well as a strategy for implementing the requirements. The report is an excellent resource to enable security and development professionals to leverage the skills and resources of security experts around the world.
OWASP Mobile Application Security Testing Guide
OWASP MASTG is a companion resource to MASVS. Developers can use this manual for mobile app security testing. The manual approaches testing in two contexts. First, the MASTG recommends testing the finished, or nearly finished, app in a classic method that identifies security issues and creates a report. The second context is focused on shifting left and recommending automated security testing that can be performed at the beginning of the development lifecycle and throughout each subsequent step.
Chapters on reverse engineering and tampering are also included. They provide developers with the basic skills necessary to perform black-box testing, enhance static analysis (specifically in black-box testing), and assess resilience against the protective measures recommended in MASVS’s controls.
OWASP MAS Checklist
The OWASP MAS Checklist links the test cases outlined in the MASTG to their corresponding MASVS requirement. This is a handy guide to ensure developers are able to cover the standard security recommendations and practice their mobile security skills.
As a starting point, we will cover the eight categories in MASVS and how to interpret the manual’s security recommendations. We also recommend using the MASTG for security testing recommendations and the OWASP MAS checklist when you’re looking for a recommendation on a specific security concern or would like to learn more about testing in a particular area.
How to improve your mobile app security strategy using OWASP MASVS
At the beginning of the manual, OWASP MASVS states that the requirements were developed with three objectives in mind.
- To be used as a metric: In other words, MASVS is the security standard apps should be held up against to determine if their security level is adequate.
- To be used as guidance: MASVS is a recommended reference guide for developers and application owners to use during every step of the development and testing process.
- To be used during procurement: App developers can use MASVS as a baseline when they’re looking to establish security verification requirements in contracts.
MASVS’s Mobile AppSec Model
Before looking at the security recommendations MASVS lays out, it’s important to review their three layer model.
- MASVS-L1: Generic security requirements recommended for all mobile apps. Developers who follow the recommendations of MASVS-L1 only will have a mobile app free from common vulnerabilities like insecure data storage.
- MASVS-L2: Security requirements for apps that store, send, or collect highly sensitive data. This level of security results in an app that’s resilient against more sophisticated attacks with controls for things like SSL pinning.
- MASVS-R: Security requirements providing resiliency against reverse engineering and tampering. Following the recommendations of this security level produces an app with protective controls that can be applied to prevent client-side threats.
The level of security you choose for your app depends on the function of the app you’re creating. For example, a financial app that doesn’t move funds (e.g., an expense tracking app that does not provide direct access to user data) or an mHealth app would choose Level 2. These are apps that store PII, which can be used for identity theft or fraud. Both of these apps also have strict compliance requirements in their respective industries that they need to meet and maintain. Mobile apps can also add resiliency-level recommendations to their baseline security level. This could look like:
- Gaming apps: These apps are perfect for a MASVS-L1+R security strategy. While they don’t necessarily deal with the sensitive information a Level 2 app might, protecting intellectual property is a business goal. In this case, the addition of resiliency-level recommendations would help block threat actors from accessing the app’s source code.
- Banking apps: OWASP recommends these apps pursue a MASVS-L2+R security strategy. Not only does the app store sensitive data, but the user also has the option of moving funds. Threats like code injection could pose a risk, and the resiliency security recommendations will help protect against tampering attempts by threat actors.
What are the 8 OWASP MASVS categories?
Once you’ve selected your app’s preferred level of security, you’ll proceed through the eight categories in the MASVS manual:
- Architecture, Design and Threat Modeling Requirements: The goal of this category is to help the developer address security concerns in the earliest development phase. The category’s requirements don’t link to technical test cases in the OWASP MASTG, but instead link to effective threat models developers can use as a reference when building their own.
- Data Storage and Privacy Requirements: This category deals with the protection of sensitive data, defined by MASVS as PII, data that could lead to reputational harm or financial loss, and any data that must be protected by law or for compliance. MASVS is mobile app-centric, so these are not device-level requirements.
- Cryptography Requirements: When followed correctly, this category ensures developers use cryptography according to the current best practices. The requirements cover cryptographic libraries, choice and configuration of cryptographic primitives, and the proper use of random number generators, when required.
- Authentication and Session Management Requirements: Remote service logins are an integral part of a mobile application’s architecture. MASVS provides basic security requirements to help developers manage user accounts and sessions.
- Network Communication Requirements: The requirements in this category help ensure the confidentiality and integrity of information exchanged between the mobile app and remote service endpoints. For Level 1 apps, this would include using the TLS protocol with appropriate settings, while Level 2 apps need additional requirements like SSL pinning.
- Platform Interaction Requirements: In this category, developers will find recommendations for how to use platform APIs and standard components in a secure manner. Requirements will also address secure communication between apps.
- Code Quality and Build Setting Requirements: The requirements in this category speak to basic security coding practices developers should follow, as well as recommendations on the “free” security features offered by the compiler that one should activate.
- Resilience Requirements: Unlike all of the other categories, these requirements are meant to be used in addition to Level 1 or Level 2 security requirements. Also, it’s important to note that apps without these features are not considered inherently vulnerable by OWASP. Instead, these recommendations are meant to protect an app against reverse engineering and specific client-side attacks.
How to read the MASVS categories
Each of the eight categories contains a list of security requirements under the umbrella of the category’s theme. For example, the first category, “Architecture, Design and Threat Modeling Requirements,” lists security requirements dealing with the overall build of the app and how components relate to threat modeling.
The category includes requirements like MSTG-ARCH-7, “All security controls have a centralized implementation.” You’ll notice each requirement has one or two X’s marked next to it. These tell you which requirements to follow based upon the level of security you’ve chosen for your app.
How to automate the process
Even though the MASVS is separated into just eight categories, each category contains at least five requirements. OWASP is aware that developers are balancing end-user experience needs and the push to get their app to market quickly with these security recommendations. Consequently, they encourage the use of automated security testing tools whenever possible. This doesn’t eclipse the manual portion of the verification process, such as understanding your app’s overall architecture, considerations around business logic, and the background needed to avoid technical pitfalls. It does, however, show the importance of bringing automation into the verification process to help your team meet the MASVS requirements quickly and efficiently.
Build vs. buy
When you and your team decide to add security tools to your development process, you’ll need to consider whether you’d like to build or buy the tools you need. Often, developers find the biggest barriers to building security tools are resources (both staffing and money), and technical expertise. For more background on how to think about this, you can review our tips in the piece, “Build vs. Buy: Which Should You Choose for Mobile App Security?”
What to look for when buying a mobile app security solution
When you have decided to buy mobile app security tools, you’ll want to find solutions that will help you meet the MASVS requirements for your app’s preferred level of security, as well as integrate into your technology stack. We recommend tools that meet the following criteria:
- Your tool/solution should test: Just as you thoroughly test your mobile app’s functionality, you need tools to assist you in testing your app’s security during the development process and after. This includes pentesting tools to locate security vulnerabilities in your app as well as solutions with high-confidence tests to find and fix security issues and dependencies.
- Your tool/solution should protect: Once your app is implemented, you’ll need tools to help defend against threat actors looking to reverse engineer your app. These tools should employ code hardening techniques and runtime application self-protection (RASP) to protect against tampering.
- Your tool/solution should monitor: Post-release, developers need tools to help them monitor their apps’ usage and track the threat landscape in real time. Why? It’s important to stay abreast of new and evolving threats that may potentially affect your app. For example, in the highly regulated mHealth app space, publishers are often asked to provide continuous surveillance. This helps security teams react promptly to any new, incoming cyber attacks.
How Guardsquare can help
When looking for mobile app security solutions that help you protect, test, and monitor your app, Guardsquare offers the tools you need for your iOS and Android apps.
- Protect your app with iXGuard and DexGuard: These products offer comprehensive mobile app security for iOS and Android apps, respectively, including the latest code-hardening techniques, code obfuscation, and mobile runtime application self-protection (RASP). The solutions’ multi-layered protection strategy will help protect against tampering and reverse engineering.
- Test your app with AppSweep: App developers can test their application for free using AppSweep, our tool that provides industry-leading mobile app security testing based on Guardsquare’s open-source ProGuard® technology. AppSweep will find security issues in your app and provide actionable recommendations to fix them.
- Monitor your app with ThreatCast: ThreatCast offers real-time visibility for both iOS and Android apps. The result is proactive threat monitoring that puts you in the driver’s seat with intuitive dashboards and custom alerts that will help you find, analyze, and neutralize threats faster and more effectively.
Each of these tools answers the crucial security requirements outlined in OWASP MASVS’s manual. Most importantly, they are useful at every step of the development process and integrate easily with your existing DevOps toolchain.
Final thoughts: OWASP MASVS and more
When thinking about mobile app security, it’s easy to get lost in the myths or even underestimate the growth and sophistication of the threat landscape and the threat actors who inhabit it. Mobile app security doesn’t have to be overwhelming, but it does have to be multi-layered and thorough. Using the OWASP MASVS manual as a framework to inform your mobile app’s security posture will ensure your app has the proactive, protective security stance it needs to secure your finances, your brand’s reputation, and everything in between.
OWASP encourages automation in the verification process, and choosing the right security tools can make implementing the OWASP framework easier. Guardsquare’s testing, protection, and monitoring solutions offer developers the streamlined support they need at every step of the development lifecycle.
Guardsquare offers the most complete approach to mobile application security on the market. Built on the open source ProGuard® technology, Guardsquare’s software integrates seamlessly across the development cycle. From app security testing to code hardening to real-time visibility into the threat landscape, Guardsquare solutions provide enhanced mobile application security from early in the development process through publication.
More than 900 customers worldwide across all major industries rely on Guardsquare to help them identify security risks and protect their mobile applications against reverse engineering and tampering.