Mobile Application Security

The OWASP Mobile Application Security (MAS) flagship project has the mission statement: “Define the industry standard for mobile application security”.

The MAS project covers the processes, techniques, and tools used for security testing a mobile application, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results. The OWASP MAS project provides the Mobile Application Security Verification Standard (MASVS) for mobile applications that can be used as a guide for security gap analysis.

What is MASVS?

The OWASP MASVS is the industry standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results.

The MAS project has several uses; when it comes to security gap analysis then the MASVS contains a list of security controls for mobile applications that are expected to be present / implemented.

The security controls are split into several categories:

Why use MASVS?

The OWASP MASVS provides a list of industry-standard security controls for secure mobile applications. If the application does not implement any of the controls then this could become a compliance issue, given that MASVS is the industry standard for mobile applications, so any omissions need to be justified.

How to use MASVS

The MASVS provides a list of expected security controls for mobile applications, and this can be used to identify missing or inadequate controls during the gap analysis. These controls can then be tested using the MAS Testing Guide.

MASVS can be accessed online and the links followed for the security controls; the mobile application can then be inspected for compliance with each control. This provides a starting point for a security gap evaluation for any existing controls.

References

• OWASP Mobile Application Security (MAS)
• MAS project
• MAS Testing Guide (MASTG)
• MAS Verification Standard (MASVS)
• OWASP Mobile Application Security cheat sheet

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.

The OWASP ® Foundation works to improve the security of software through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences.

Developer Guide

• 1. Introduction
• 2. Foundations
• 2.1 Security fundamentals
• 2.2 Secure development and integration
• 2.3 Principles of security
• 2.4 Principles of cryptography
• 2.5 OWASP Top 10
• 3. Requirements
• 3.1 Requirements in practice
• 3.2 Risk profile
• 3.3 OpenCRE and Integration Standards
• 3.4 SecurityRAT
• 3.5 Application Security Verification Standard
• 3.6 Mobile Application Security
• 3.7 Security Knowledge Framework
• 4. Design
• 4.1 Threat modeling
• 4.1.1 Threat modeling in practice
• 4.1.2 pytm
• 4.1.3 Threat Dragon
• 4.1.4 Cornucopia
• 4.1.5 LINDDUN GO
• 4.1.6 Threat Modeling toolkit
• 4.2 Web application checklist
• 4.2.1 Checklist: Define Security Requirements
• 4.2.2 Checklist: Leverage Security Frameworks and Libraries
• 4.2.3 Checklist: Secure Database Access
• 4.2.4 Checklist: Encode and Escape Data
• 4.2.5 Checklist: Validate All Inputs
• 4.2.6 Checklist: Implement Digital Identity
• 4.2.7 Checklist: Enforce Access Controls
• 4.2.8 Checklist: Protect Data Everywhere
• 4.2.9 Checklist: Implement Security Logging and Monitoring
• 4.2.10 Checklist: Handle all Errors and Exceptions
• 4.3 Mobile application checklist
• 5. Implementation
• 5.1 Documentation
• 5.1.1 Top 10 Proactive Controls
• 5.1.2 Go Secure Coding Practices
• 5.1.3 Cheatsheet Series
• 5.2 Dependencies
• 5.2.1 Dependency_Check
• 5.2.2 Dependency_Track
• 5.2.3 CycloneDX
• 5.3 Secure Libraries
• 5.3.1 Enterprise Security API library
• 5.3.2 CSRFGuard library
• 5.3.3 OWASP Secure Headers Project
• 5.4 Implementation Do's and Don'ts
• 5.4.1 Container security
• 5.4.2 Secure coding
• 5.4.3 Cryptographic practices
• 5.4.4 Application spoofing
• 5.4.5 Content Security Policy (CSP)
• 5.4.6 Exception and error handling
• 5.4.7 File management
• 5.4.8 Memory management
• 6. Verification
• 6.1 Guides
• 6.1.1 Web Security Testing Guide
• 6.1.2 MAS Testing Guide
• 6.1.3 Application Security Verification Standard
• 6.2 Tools
• 6.2.1 Zed Attack Proxy
• 6.2.2 Amass
• 6.2.3 Offensive Web Testing Framework
• 6.2.4 Nettacker
• 6.2.5 OWASP Secure Headers Project
• 6.3 Frameworks
• 6.3.1 secureCodeBox
• 6.4 Vulnerability management
• 6.4.1 DefectDojo
• 6.5 Verification Do's and Don'ts
• 6.5.1 Secure environment
• 6.5.2 System hardening
• 6.5.3 Open Source software
• 7. Training and Education
• 7.1 Vulnerable Applications
• 7.1.1 Juice Shop
• 7.1.2 WebGoat
• 7.1.3 PyGoat
• 7.1.4 Security Shepherd
• 7.2 Secure Coding Dojo
• 7.3 Security Knowledge Framework
• 7.4 SamuraiWTF
• 7.5 OWASP Top 10 project
• 7.6 Mobile Top 10
• 7.7 API Top 10
• 7.8 WrongSecrets
• 7.9 OWASP Snakes and Ladders
• 8. Culture building and Process maturing
• 8.1 Security Culture
• 8.2 Security Champions
• 8.2.1 Security champions program
• 8.2.2 Security Champions Guide
• 8.2.3 Security Champions Playbook
• 8.3 Software Assurance Maturity Model
• 8.4 Application Security Verification Standard
• 8.5 Mobile Application Security
• 9. Operations
• 9.1 DevSecOps Guideline
• 9.2 Coraza Web Application Firewall
• 9.3 ModSecurity Web Application Firewall
• 9.4 OWASP CRS
• 10. Metrics
• 11. Security gap analysis
• 11.1 Guides
• 11.1.1 Software Assurance Maturity Model
• 11.1.2 Application Security Verification Standard
• 11.1.3 Mobile Application Security
• 11.2 Bug Logging Tool

Upcoming OWASP Global Events

Corporate Supporters

OWASP, the OWASP logo, and Global AppSec are registered trademarks and AppSec Days, AppSec California, AppSec Cali, SnowFROC, and LASCON are trademarks of the OWASP Foundation, Inc. Unless otherwise specified, all content on the site is Creative Commons Attribution-ShareAlike v4.0 and provided without warranty of service or accuracy. For more information, please refer to our General Disclaimer. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. Copyright 2024, OWASP Foundation, Inc.