OWASP Mobile Application Security Verification Standard

A standard for Mobile App Security

The OWASP Mobile Application Security Verification Standard (MASVS) defines security requirements that serve as guidelines for building secure mobile apps. The protection requirements of the app must be defined at the outset. The standard provides the levels MASVS-L1 and MASVS-L2, as well as the additional MASVS-R “Resiliency” requirements, which can be added on top of either level.

MASVS Layer (cc) OWASP

MASVS-L1 “Standard Security” defines a baseline of security requirements, e.g. that network traffic is completely protected by TLS and that only a defined set of X.509 certificates of the endpoint is accepted. MASVS-L2 builds on this baseline and defines additional requirements, for example two-factor authentication (2FA) or a renewed direct authentication before accessing sensitive data. Both levels can additionally be extended by MASVS-R “Resiliency Against Reverse Engineering and Tampering”. As the name suggests, the focus here is on protecting the app itself against modification and unauthorized access. Requirements from this level are, for example, that the app detects and reacts when it is started in an emulator, or that it identifies and reacts to changes to code and data in its own memory area.
This results in the following levels according to OWASP MASVS:

  • MASVS-L1
  • MASVS-L1+R
  • MASVS-L2
  • MASVS-L2+R

The correct level is determined by the protection requirements of the app in question. For example, a games manufacturer may prefer MASVS-L1+R for its apps, since the standard security level is sufficient in this context, but resiliency is important to prevent changes to the app (e.g. cheating) or at least make them more difficult.
The requirements for the levels MASVS-L1 and MASVS-L2 are divided into 7 categories from “Architecture, Design and Threat Modeling Requirements” to “Code Quality and Build Settings Requirements”. In each case, a base of requirements is defined according to MASVS-L1 and further requirements beyond that are specified according to MASVS-L2. In an eighth category, the resilience requirements are defined.
OWASP provides the Mobile Security Testing Guide (MSTG) for checking apps against the OWASP Mobile Application Security Verification Standard. This guide specifies test cases for each requirement.