OWASP MASVS

Summary

The OWASP Mobile Application Security Verification Standard (OWASP MASVS) is a standard for mobile app security. It is used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The version used in this section is OWASP MASVS v2.0.

Definitions

Definition	Requirements
OWASPMASVS-STORAGE-1. The app securely stores sensitive data	178. Use digital signatures 185. Encrypt sensitive information 300. Mask sensitive data
OWASPMASVS-STORAGE-2. The app prevents leakage of sensitive data	178. Use digital signatures 185. Encrypt sensitive information 300. Mask sensitive data
OWASPMASVS-CRYPTO-1. The app employs current strong cryptography and uses it according to industry best practices	148. Set minimum size of asymmetric encryption 149. Set minimum size of symmetric encryption 185. Encrypt sensitive information 224. Use secure cryptographic mechanisms
OWASPMASVS-CRYPTO-2. The app performs key management according to industry best practices	145. Protect system cryptographic keys 146. Remove cryptographic keys from RAM 151. Separate keys for encryption and signatures 351. Assign unique keys to each device 361. Replace cryptographic keys
OWASPMASVS-AUTH-1. The app uses secure authentication and authorization protocols and follows the relevant best practices	122. Validate credential ownership 225. Proper authentication responses 226. Avoid account lockouts 227. Display access notification 228. Authenticate using standard protocols 229. Request access credentials 231. Implement a biometric verification component 235. Define credential interface 236. Establish authentication time 033. Restrict administrative access 034. Manage user accounts
OWASPMASVS-AUTH-2. The app performs local authentication securely according to the platform best practices	231. Implement a biometric verification component
OWASPMASVS-AUTH-3. The app secures sensitive operations with additional authentication	231. Implement a biometric verification component 362. Assign MFA mechanisms to a single account
OWASPMASVS-NETWORK-1. The app secures all network traffic according to the current best practices	181. Transmit data using secure protocols 224. Use secure cryptographic mechanisms 336. Disable insecure TLS versions
OWASPMASVS-NETWORK-2. The app performs identity pinning for all remote endpoints under the developer's control	373. Use certificate pinning 093. Use consistent certificates
OWASPMASVS-PLATFORM-1. The app uses IPC mechanisms securely	266. Disable insecure functionalities
OWASPMASVS-PLATFORM-2. The app uses WebViews securely	266. Disable insecure functionalities
OWASPMASVS-PLATFORM-3. The app uses the user interface securely	266. Disable insecure functionalities
OWASPMASVS-CODE-1. The app requires an up-to-date platform version	262. Verify third-party components
OWASPMASVS-CODE-2. The app has a mechanism for enforcing app updates	262. Verify third-party components
OWASPMASVS-CODE-3. The app only uses software components without known vulnerabilities	155. Application free of malicious code 262. Verify third-party components
OWASPMASVS-CODE-4. The app validates and sanitizes all untrusted inputs	169. Use parameterized queries 173. Discard unsafe inputs 324. Control redirects 342. Validate request parameters 344. Avoid dynamic code execution
OWASPMASVS-RESILIENCE-1. Cryptography requirementsThe app validates the integrity of the platform	262. Verify third-party components 046. Manage the integrity of critical files
OWASPMASVS-RESILIENCE-2. The app implements anti-tampering mechanisms	262. Verify third-party components
OWASPMASVS-PRIVACY-1. The app minimizes access to sensitive data and resources	176. Restrict system objects 181. Transmit data using secure protocols 261. Avoid exposing sensitive information 311. Demonstrate user consent
OWASPMASVS-PRIVACY-2. The app prevents identification of the user	300. Mask sensitive data
OWASPMASVS-PRIVACY-3. The app is transparent about data collection and usage	189. Specify the purpose of data collection 310. Request user consent 315. Provide processed data information
OWASPMASVS-PRIVACY-4. The app offers user control over their data	310. Request user consent 312. Allow user consent revocation 315. Provide processed data information

Last updated

2024/01/18