Long gone are the days when mobile devices were the leading edge of modern technology. Nowadays, the convenience of mobile applications makes them practically required for seamless productivity in everyday tasks, both professional and personal. We have applications for sending emails, messaging, voice/video calls, workplace collaboration, sharing files, purchasing products and services, global positioning navigation, banking; the list goes on. These are all incredibly sensitive operations, and users put a great amount of trust into the applications that record, store, and transmit their personal data.
Securing mobile applications is primarily about assessing how the applications protect this sensitive data. Mobile applications are a distinct beast of their own; standards and methodologies that work wonders for testing web or desktop applications usually will not apply to mobile applications. To truly gauge the security of your mobile application, you will need a standard tailored for this specific class of software.
Setting the Standard
The OWASP Mobile Application Security Verification Standard (MASVS) is a framework of security controls that act as a standardized basis for outlining how mobile applications should be designed, developed, and tested. With 84 controls directly tied to an actionable requirement, the OWASP MASVS is widely understood to be the top standard for assessing mobile application security.
Two+ Levels of Depth
The OWASP MASVS model is broken down into two main levels of depth – Level 1 and Level 2. A MASVS Level 1 assessment consists of assessing all controls marked as L1, and a Level 2 assessment assesses all controls marked L1 and L2. The MASVS offers an additional ‘level’ that can be added to either Level 1 or 2 for the benefit of assessing application resiliency.
Level 1 – The controls that comprise this level fulfill what is considered to be “best practice” when it comes to mobile application security. Level 1 is the recommended MASVS level for most mobile applications.
Level 2 – This level establishes defence-in-depth by including advanced security controls. Level 2 is the recommended MASVS level for mobile applications that perform highly sensitive functions, such as banking applications.
Level R – This level contains an additional set of controls that assess the application’s resilience against specific threats such as reverse engineering or tampering. This level should not be assessed on its own and is instead added onto either Level 1 or 2 for the deepest, most thorough assessments this standard has to offer.
For quick reference, the OWASP MASVS offers four distinct levels of verification: Level 1, Level 2, Level 1 + R, and Level 2 + R.
Not sure which MASVS Level is best suited for your application? Connect with one of our security experts today to discuss!
Eight Domains of Security
The controls in the OWASP MASVS span eight chapters, with each chapter covering a different domain in mobile application security. The eight chapters alongside a brief description of each are as follows:
I. Architecture, Design, and Threat Modeling – Assess the design and overall security architecture of the mobile application.
II. Data Storage and Privacy – Verify the application properly handles sensitive data.
III. Cryptography – Ensure cryptographic modules, random number generation and key management all meet modern security standards.
IV. Authentication and Session Management – Verify the mobile application’s authentication mechanisms are secure, and sessions are established with security controls that prevent sessions from being compromised.
V. Network Communication – Verify that all communication between the mobile application and remote services is performed over secure channels.
VI. Platform Interaction – Assess how the application interacts with the underlying Android/iOS mobile platform.
VII. Code Quality and Build Settings – Verify developers follow secure coding practices when developing the application.
VIII. Resilience – A set of controls for assessing the mobile application’s resilience against reverse engineering and tampering. All of the controls under this chapter fall under MASVS Level R, and as such, are only assessed when Level R is deemed applicable to the application in question.
One of the most common instances in which you might want an OWASP MASVS assessment is when you are developing a commercial mobile application. The results of a MASVS assessment can be used to show potential users and auditors how your application stacks up against a universally accepted standard.
Another instance in which you might want a MASVS assessment is during third-party mobile application procurement. Oftentimes, organizations who are purchasing an ‘off-the-shelf’ application from a vendor wish to have third-party risk assessments performed against it before deciding whether to have it installed on their users’ smartphones. Performing a MASVS assessment is a great way to avoid unknown risks and receive a benchmark for the security of the mobile application.
The resulting outcome of an OWASP MASVS assessment is a detailed report outlining whether your mobile app passed or failed each control in the standard. Alongside this report is a spreadsheet for a quick overview showing the results of each control from a bird’s eye view. If required, a letter of attestation can be written to provide a high-level summary of the assessment for parties external to your organization.
Do you have a mobile application you wish to assess according to the Mobile Application Security Verification Standard? Reach out to connect with one of Mariner’s security experts today!
Mariner Security Solutions Team