Open Web Application Security Project Mobile AppSec Verification Standard 1.1.4

Status: Final Published

Date: July 2019

Region: Global

Document: Link

Background

The OWASP Mobile Application Security Verification Standard (MASVS) has been developed by the Open Web Application Security Project to standardize development practices and requirements to ensure the secure correct handling, storage, and protection of sensitive data in smartphones. The development of this standard was motivated by two factors:

• Distinction between Desktop and Smartphone OS: While software security practices for desktop devices are mature, they are not always relevant to the typical smartphone OS or to smartphone applications, which differ both in their design and in their dissemination.
• Smartphone Hardware Heterogeneity: Smartphones vary in their hardware configurations,
  and thus in their level of hardware-backed security features.

Therefore, MASVS sets out software development requirements, common testing standards, verification methods, and use case-specific recommendations for three different levels of applications security:

• MASVS-L1: Provides a “base-line” standard for application security of mobile devices. Therefore, this standard applies to all mobile applications, providing standards for handling sensitive data and secure interfaces.
• MASVS-L2: Builds upon MASVS-L1 to include methods for defense-in-depth, intended for use in the development for security-specific applications created with reference to a pre-defined threat model. This standard is relevant for applications that handle sensitive data, such as payment and online banking or healthcare applications.
• MASVS-R: Protects against threats originating from the client side, preventing reverse engineering and IP theft.
  MASVS is directly applicable to a number of automotive use cases, notably for the development of navigation systems, engine management diagnostics and tools, ride-hailing applications, in-car communications and entertainment system, and OEM app centers among other applications.

Summary

MASVS sets out development practices for eight different security requirements, including architecture design and threat modeling, data storage and privacy, cryptography, authentication, network communication, platform interaction, code quality, and resilience. For each security requirement, a number of basic practices set out the base-line standard consisting of the MASVS-L1, with additional requirements given for MASVS-L2 and MASVS-R relevant applications.

V1 Architecture, Design, and Threat Modeling
Best practices are set out to ensure that security concerns are considered throughout the architecture design and threat modeling phase. This includes considerations governing the interaction between the mobile app and any remote services. Six additional requirements for L2 applications are given, most notably a requirement relating to the development of a threat model that identifies potential threats and related countermeasures.

V2 Data Storage and Privacy
Seven requirements are set out to ensure that sensitive and personally-identifiable data are not accidentally leaked. This includes controls preventing the sharing of data with unauthorized third parties and the saving of sensitive data outside of the app container. L2 implementations carry five additional requirements, including prevention of sensitive data back-up, limits on how long sensitive data can be stored in the memory, and user education via the app on security best practices.

V3 Cryptography
Cryptography requirements are identical for both MASVS-L1 and MASVS-L2 implementations, and include preventions on the use of symmetric cryptography and hardcode keys, prevention on the use of depreciated algorithms/protocols, preventions on the re-use of keys for more than one purpose, and mandates for the use of proven cryptographic measures and random number generators.

V4 Authentication and Session Management Requirements
Requires the developments and enforcement of a password policy, and the termination of a session once the end user logs out. MASVS-L 2 implementations require second-factor authentication.

V5 Network Communication
These requirements mandate the use of TLS protocols to encrypt network communications. MASVS-L2 implementations must be used on email or Short Messaging Services (SMS) for password recovery or app enrollment.

V6 Platform Interaction
These requirements are intended to enforce the proper use of platform Application Programming Interfaces (APIs), and are identical for both MASVS-L 1 and MASVS-L 2 implementations.

V7 Code Quality and Build Setting Requirements
These requirements enforce elementary coding practices and ensure that all standard security features are activated.

V8 Resilience
These objectives are intended to make applications robust to reverse engineering and unauthorized code modification. Methods are given to impede dynamic analysis, tampering, and comprehension, and to ensure device binding.