Fluid Attacks Database

OWASP MASVS

Last updated: 2024/01/18

The OWASP Mobile Application Security Verification Standard (OWASP MASVS) is a standard for mobile app security. It is used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The version used in this section is OWASP MASVS v2.0.

Control-Requirement Mapping

Definition	Requirements
STORAGE-1. The app securely stores sensitive data	178. Use digital signatures 185. Encrypt sensitive information 300. Mask sensitive data
STORAGE-2. The app prevents leakage of sensitive data	178. Use digital signatures 185. Encrypt sensitive information 300. Mask sensitive data
CRYPTO-1. The app employs current strong cryptography and uses it according to industry best practices	148. Set minimum size of asymmetric encryption 149. Set minimum size of symmetric encryption 185. Encrypt sensitive information 224. Use secure cryptographic mechanisms
CRYPTO-2. The app performs key management according to industry best practices	145. Protect system cryptographic keys 146. Remove cryptographic keys from RAM 151. Separate keys for encryption and signatures 351. Assign unique keys to each device 361. Replace cryptographic keys
AUTH-1. The app uses secure authentication and authorization protocols and follows the relevant best practices	122. Validate credential ownership 225. Proper authentication responses 226. Avoid account lockouts 227. Display access notification 228. Authenticate using standard protocols 229. Request access credentials 231. Implement a biometric verification component 235. Define credential interface 236. Establish authentication time 033. Restrict administrative access 034. Manage user accounts
AUTH-2. The app performs local authentication securely according to the platform best practices	231. Implement a biometric verification component
AUTH-3. The app secures sensitive operations with additional authentication	231. Implement a biometric verification component 362. Assign MFA mechanisms to a single account
NETWORK-1. The app secures all network traffic according to the current best practices	181. Transmit data using secure protocols 224. Use secure cryptographic mechanisms 336. Disable insecure TLS versions
NETWORK-2. The app performs identity pinning for all remote endpoints under the developer's control	373. Use certificate pinning 093. Use consistent certificates
PLATFORM-1. The app uses IPC mechanisms securely	266. Disable insecure functionalities
PLATFORM-2. The app uses WebViews securely	266. Disable insecure functionalities
PLATFORM-3. The app uses the user interface securely	266. Disable insecure functionalities
CODE-1. The app requires an up-to-date platform version	262. Verify third-party components
CODE-2. The app has a mechanism for enforcing app updates	262. Verify third-party components
CODE-3. The app only uses software components without known vulnerabilities	155. Application free of malicious code 262. Verify third-party components
CODE-4. The app validates and sanitizes all untrusted inputs	169. Use parameterized queries 173. Discard unsafe inputs 324. Control redirects 342. Validate request parameters 344. Avoid dynamic code execution
RESILIENCE-1. Cryptography requirementsThe app validates the integrity of the platform	262. Verify third-party components 046. Manage the integrity of critical files
RESILIENCE-2. The app implements anti-tampering mechanisms	262. Verify third-party components
PRIVACY-1. The app minimizes access to sensitive data and resources	176. Restrict system objects 181. Transmit data using secure protocols 261. Avoid exposing sensitive information 311. Demonstrate user consent
PRIVACY-2. The app prevents identification of the user	300. Mask sensitive data
PRIVACY-3. The app is transparent about data collection and usage	189. Specify the purpose of data collection 310. Request user consent 315. Provide processed data information
PRIVACY-4. The app offers user control over their data	310. Request user consent 312. Allow user consent revocation 315. Provide processed data information

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.