What is the OWASP MASVS?
The OWASP Mobile Security Project is an open-source initiative aimed at improving the security of mobile applications. Its output is designed to provide information and guidelines for mobile application developers and security professionals. The Mobile Application Security Verification Standard (MASVS) provides a comprehensive set of security requirements for mobile applications and was first released in January 2018. The Mobile Application Security Testing Guide (MASTG), which provides guidance on how to test mobile applications for security vulnerabilities, was released alongside the standard to give practical guidance on how to adequately test the specific requirements.
The Mobile Application Security Verification Standard (MASVS) has just released its latest Release Candidate (MASVS v2.0.0 RC) and it’s shaping up to be a big update. The new version of MASVS, MASVS v2.0, is expected to be released in early 2023 and will bring several key changes to the project. Here’s a rundown of what’s new and improved in the latest version of this important standard.
Changes to the MASVS standard include:
- Expanded scope: MASVS v2.0.0 RC covers a broader range of mobile platforms, including wearable devices and Internet of Things (IoT) devices.
- Increased specificity: The standard now includes more specific details about the types of security testing that should be performed on mobile applications. For example, it outlines the different types of penetration testing that should be performed for specific test cases depending on the application and level of assurance required.
- Condensing and simplification of categories: The latest version of the MASVS standard condenses MASVS-STORAGE and moves the relevant requirements to MASVS-PLATFORM, simplifies MASVS-CRYPTO and aligns it with the NIST standards NIST.SP.800-175B and NIST.SP.800-57p1, and separates client-side and server-side authentication in MASVS-AUTH, relying on the OWASP Application Security Verification Standard (ASVS) for the server side.
- Improved guidance: The standard has been updated to provide more guidance on how to perform mobile application security testing, including best practices for security testing and common pitfalls to avoid.
- Changes to the existing MASVS levels: The existing levels (L1, L2, and R) will be thoroughly reviewed and supported with a corrected and well-documented threat model.
- Introduction of MAS Profiles: The levels have been shifted to the MASTG tests to evaluate different scenarios for the same control. For example, in the case of STORAGE-1, the use of internal storage is acceptable for L1, but L2 requires a more secure storage solution. This may result in different tests based on the required profile.
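As an added illustration of the STORAGE-1 example above (constructed example code, not from this post or from the OWASP project), here is the same "remember the session token" feature written to the two storage choices the post describes. The mapping of Keystore-backed EncryptedSharedPreferences to the L2 profile is an assumption on my part, since the final MASTG tests are still in draft.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

// Constructed example: one feature, two storage choices. Which variant a
// MASTG STORAGE-1 test accepts depends on the profile the app is assessed against.

// L1-style storage (as described in the post): app-private internal storage.
// The file is protected only by the platform sandbox, so the token sits in
// plaintext under /data/data/<package>/shared_prefs/ and is readable from a
// rooted device or an extracted backup. A test for the L2 profile would flag it.
fun saveTokenPlain(context: Context, token: String) {
    val prefs: SharedPreferences =
        context.getSharedPreferences("session", Context.MODE_PRIVATE)
    prefs.edit().putString("token", token).apply()
}

// Assumed L2-style storage: keys and values are encrypted with a master key
// that lives in the Android Keystore (hardware-backed where the device supports
// it). The file still exists on disk, but its contents are ciphertext.
private fun securePrefs(context: Context): SharedPreferences {
    val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()
    return EncryptedSharedPreferences.create(
        context,
        "session_secure",
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )
}

fun saveTokenEncrypted(context: Context, token: String) {
    securePrefs(context).edit().putString("token", token).apply()
}

fun readTokenEncrypted(context: Context): String? =
    securePrefs(context).getString("token", null)
```

A practical check for the L2 profile is to pull the app's shared_prefs XML from a test device and confirm the token value no longer appears in cleartext; the plain variant fails that check, the encrypted one passes it.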
This was just a brief and general overview of the changes expected in the final version of the MASVS. I suggest you take a closer look at the feedback and rationale behind many of the changes, as it will give you a deeper understanding of the standard and the reasoning behind each category point.
Check out the below links to read more:
This might be your first encounter with the OWASP MASVS and mobile security testing. You may wonder why it is important and how it affects you.
As mobile device usage increases so does the threat of security breaches and data theft. Hackers continually find new ways to exploit vulnerabilities in mobile apps, making it crucial for organizations to test their app's security before release.
Mobile app security testing detects and reduces potential security risks, ensuring sensitive data is protected and the app operates as intended. It also improves the overall app quality, lowering the risk of bugs and other issues that affect the user experience.
Mobile app security testing is a vital aspect of the development process and should be integrated into the development workflow as early as possible. This way, organisations can guarantee their mobile apps are secure and their customers' data is protected.
Improve the security of your mobile application and protect your customers' sensitive data by reaching out to Cyberis. With our expertise in mobile security testing, we can help you assess the risks and vulnerabilities in your product, protecting it and preserving customer trust in your brand. Don't wait: take the first step to secure your mobile product and contact Cyberis today.