The Case for Standards in Mobile App Security

OWASP Foundation - Jul 31 - Dev Community

by Carlos Holguera and Sven Schleier

In cyber security, staying ahead of potential threats and vulnerabilities is key, and adherence to industry standards is not just a best practice; it's a necessity. In this article, we will explore why it's crucial to follow an industry standard like the OWASP Mobile Application Security Verification Standard (MASVS), both from the perspective of those developing tools and services to assess mobile apps and from that of those seeking compliance.

The Benefits of Industry Standards

Thanks to industry standards like the OWASP MASVS, which provide comprehensive coverage of the attack surface, testing remains consistent and reliable over time, instilling trust in the quality of vendor services.

Standards like the OWASP MASVS are backed by a large community of security professionals who ensure that new threats and best practices are quickly integrated into the standard, keeping it relevant and effective. Established standards also promote transparency in the testing process, allowing customers to clearly understand the scope and coverage and preventing hidden gaps in security assessments.

Vendors adhering to recognized industry standards demonstrate professionalism, build trust, and simplify compliance efforts for organizations, ensuring credibility in delivering high-quality services. When comparing different vendors, having a known standard as a reference point makes it easier to evaluate the quality and scope of their services. It provides a common benchmark to assess their capabilities.

Additionally, by testing mobile apps against recognized standards, organizations can proactively manage and identify vulnerabilities early in the development lifecycle, minimizing the risk of costly post-release fixes.

The OWASP MAS Project and its Standards

The OWASP Mobile Application Security (MAS) flagship project provides a robust security standard for mobile apps, known as the OWASP MASVS, along with a comprehensive testing guide (OWASP MASTG). These resources cover the processes, techniques, and tools used during a mobile app security test, ensuring consistent and complete results.

[Image: MASVS - Mobile Application Security Verification Standard; MASTG - Mobile Application Security Testing Guide]

The OWASP MASVS standard is divided into various groups of security controls, representing critical areas of the mobile attack surface, including:

  • MASVS-STORAGE: Secure storage of sensitive data on a device (data-at-rest).
  • MASVS-CRYPTO: Cryptographic functionality used to protect sensitive data.
  • MASVS-AUTH: Authentication and authorization mechanisms used by the mobile app.
  • MASVS-NETWORK: Secure network communication between the mobile app and remote endpoints (data-in-transit).
  • MASVS-PLATFORM: Secure interaction with the underlying mobile platform and other installed apps.
  • MASVS-CODE: Security best practices for data processing and app maintenance.
  • MASVS-RESILIENCE: Resilience to reverse engineering and tampering attempts.
  • MASVS-PRIVACY: Privacy controls to protect user privacy.

A Standard Backed by Standards

To complement the MASVS, the OWASP MAS project also provides the OWASP Mobile Application Security Testing Guide (MASTG) and the OWASP MAS Checklist. Together, these resources are the perfect companion for verifying the controls listed in the OWASP MASVS and demonstrating compliance.

The Mobile Application Security Verification Standard (MASVS) is intertwined with various industry standards, underpinning its robustness and effectiveness. MASVS-CRYPTO relies on NIST.SP.800-175B and NIST.SP.800-57, which provide established cryptographic guidelines and assurance, ensuring that sensitive data within mobile apps remains secure.

While MASVS-AUTH comprehensively covers app-side authentication and authorization, it recognizes the importance of validating security on the remote endpoint, referencing industry standards like the OWASP Application Security Verification Standard (ASVS).

MASVS-CODE encourages developers to follow best practices from OWASP Software Assurance Maturity Model (SAMM) and NIST.SP.800-218 Secure Software Development Framework (SSDF) to prevent vulnerabilities during development.

MASVS-PRIVACY draws inspiration from essential privacy regulations like GDPR, COPPA, CCPA, and ENISA, providing a foundation for privacy considerations.

Conclusion

The importance of following industry standards like the OWASP MASVS in mobile app security cannot be overstated. It ensures consistency, comprehensiveness, and up-to-date protection against evolving threats. For vendors and customers alike, adherence to these standards is not just a matter of trust; it's a strategic choice that enhances security, credibility, and long-term cost-effectiveness in an increasingly mobile-centric world. So, choose your mobile app security provider wisely, and together, let's build a more secure mobile future.

OWASP Mobile Application Security - https://mas.owasp.org/
OWASP MASVS - https://mas.owasp.org/MASVS/
OWASP MASTG - https://mas.owasp.org/MASTG/
OWASP MAS Checklist - https://mas.owasp.org/checklists/

--

OWASP is a non-profit foundation that envisions a world with no more insecure software. Our mission is to be the global open community that powers secure software through education, tools, and collaboration. We maintain hundreds of open source projects, run industry-leading educational and training conferences, and meet through over 250 chapters worldwide.