[ISM] Mobile Application Security (OWASP):

The Open Worldwide Application Security Project (OWASP) Mobile Application Security Verification Standard (MASVS) is used in the development of mobile applications. MASVS groups its requirements into control groups (STORAGE, CRYPTO, AUTH, NETWORK, PLATFORM, CODE, RESILIENCE and PRIVACY); the sections below map each group to this catalogue's SSS control identifiers and operations.

[OWASP] Encrypt sensitive data-at-rest effectively (SSS-02-04-01)

Ensure sensitive data stored on the device, such as user credentials or personal information, is protected using strong encryption and secure storage mechanisms. Implement data-at-rest encryption standards to prevent unauthorized access if the device is lost or compromised.

[OWASP] Ensure secure and leak-proof sensitive data storage in apps (SSS-02-04-01-01)

Secure storage of sensitive data. The app must securely store sensitive data from every source: users, backend systems and system services. Storage locations vary from private internal app storage to public locations such as the downloads folder, which the user and other apps can read. Regardless of location, all sensitive data must be appropriately encrypted and protected against unauthorized access or tampering.

Prevention of data leakage. Sensitive data must not be unintentionally stored in, or exposed through, publicly accessible locations. Such leaks typically come from APIs, system capabilities (for example backups, logs, crash reports or the clipboard) or developer oversight. Developers should identify these paths and mitigate them with controls such as encryption and appropriate data-handling practices, so that sensitive information stays confined to secure environments.

Operations

ID | Operation | Description | Phase | Agent
SSS-02-04-01-01-01 | Implement secure storage mechanisms for sensitive data | Use platform-backed secure storage (the iOS Keychain and Secure Enclave, the Android Keystore, or encrypted internal app storage) for sensitive data such as user credentials or tokens. Never write such data to external or shared storage. | Development | Development teams, Security team
SSS-02-04-01-01-02 | Prevent unintentional data leakage | Configure app logs, backups, and public storage APIs so they cannot expose sensitive data (for example, exclude sensitive files from backups and redact secrets before they reach a log sink). Ensure debug and crash logs do not include sensitive information. | Development | Development teams, QA team
SSS-02-04-01-01-03 | Perform regular security audits and tests | Conduct security audits and static code analysis to identify unintentional data storage in public locations or potential data leaks caused by misconfigurations. | Development | Security team, QA team
SSS-02-04-01-01-04 | Use encryption for data-at-rest | Encrypt all sensitive data stored on the device, whether in private or public locations, using strong authenticated encryption such as AES-256-GCM. Keep encryption keys in the platform keystore, never alongside the data or hard-coded in the app. | Development | Development teams, Security team
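Operation SSS-02-04-01-01-02 asks that logs never carry sensitive data. The most reliable place to enforce that is the log sink itself rather than every call site. The following is an added example written for this page (it is not code from the page, OWASP or the ISM): a Go logger that redacts bearer tokens, credential fields, e-mail addresses and Luhn-valid card numbers before a line is written. Go is used because its standard library covers everything needed and the logic is platform-neutral; the same filter can be expressed as a custom Timber tree on Android or an OSLog wrapper on iOS. The sample log lines, the patterns and the SafeLogger name are constructed for the example.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"regexp"
)

// Redaction rules applied to every line before it reaches a log sink.
// The patterns and sample lines in this file are constructed for the example.
var redactors = []struct {
	re   *regexp.Regexp
	repl string
}{
	// Authorization headers: keep the scheme, drop the credential.
	{regexp.MustCompile(`(?i)(authorization:\s*bearer\s+)[A-Za-z0-9\-._~+/]+=*`), "${1}[REDACTED]"},
	// key=value or "key": "value" credentials in query strings, JSON and k=v logs.
	{regexp.MustCompile(`(?i)("?(?:password|passwd|token|secret|api[_-]?key)"?\s*[=:]\s*"?)[^"\s,&]+`), "${1}[REDACTED]"},
	// E-mail addresses are personal data; keep only the domain for debugging.
	{regexp.MustCompile(`\b[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b`), "[EMAIL]@${1}"},
}

// Runs of 13-19 digits (spaces or dashes allowed) are card-number candidates;
// only those passing the Luhn check are redacted, so order numbers and
// timestamps survive.
var panRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

func luhnValid(s string) bool {
	sum, double, digits := 0, false, 0
	for i := len(s) - 1; i >= 0; i-- {
		c := s[i]
		if c < '0' || c > '9' {
			continue
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
		digits++
	}
	return digits >= 13 && sum%10 == 0
}

// Redact returns the line with secrets and personal data replaced.
func Redact(line string) string {
	for _, r := range redactors {
		line = r.re.ReplaceAllString(line, r.repl)
	}
	return panRe.ReplaceAllStringFunc(line, func(m string) string {
		if luhnValid(m) {
			return "[PAN-REDACTED]"
		}
		return m
	})
}

// SafeLogger redacts at the sink, so no call site can forget to do it.
type SafeLogger struct{ w io.Writer }

func (l SafeLogger) Printf(format string, args ...interface{}) {
	fmt.Fprintln(l.w, Redact(fmt.Sprintf(format, args...)))
}

func main() {
	log := SafeLogger{w: os.Stdout}
	log.Printf("POST /login Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abc.def")
	log.Printf("login ok user=alice@example.com password=hunter2 card=4111 1111 1111 1111")
	log.Printf("2024-05-01 12:00:00 order 1234567890123 shipped")
}
```

The third sample line is the false-positive check: a 13-digit order number that fails Luhn is left intact, while the test card number 4111 1111 1111 1111 is removed. Redaction at the sink is a safety net, not a substitute for not logging secrets in the first place.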

References

Industry framework Academic work Real-world case
Information Security Manual (ISM-1922)
The Open Worldwide Application Security Project (MASVS-STORAGE)

[OWASP] Use secure cryptography for data protection (SSS-02-04-02)

Use robust cryptographic algorithms and secure key management practices to protect sensitive data within the mobile app. This includes using approved encryption methods to prevent unauthorized access or decryption of sensitive data stored on the device.

[OWASP] Ensure robust cryptographic protection and secure key management (SSS-02-04-02-01)

Implement strong cryptographic standards. The application must use strong, industry-approved cryptographic algorithms and modes to protect sensitive data, following best practices to counter threats such as physical attacks or unauthorized data access. Cryptographic choices must be reviewed and updated as standards evolve, retiring deprecated algorithms, modes and key sizes.

Secure key management practices. Cryptographic keys must be managed securely throughout their lifecycle: generation, storage, usage, rotation and destruction. Poor key management nullifies strong encryption, so key rotation, hardware-backed storage and access restrictions must be enforced to mitigate risks and maintain data integrity. Keys must never be hard-coded in the app binary, where anyone who unpacks the app can read them.

Operations

ID | Operation | Description | Phase | Agent
SSS-02-04-02-01-01 | Implement strong cryptography for sensitive data | Use current, industry-approved cryptographic algorithms and modes (for example AES-GCM for symmetric encryption, SHA-256 or stronger for hashing) to protect sensitive data stored on the device or transmitted over networks; do not implement custom cryptography. | Development | Development teams, Security team
SSS-02-04-02-01-02 | Follow secure key management practices | Generate, store, and protect cryptographic keys using secure methods, such as hardware-backed keystores or secure enclaves, and manage the full key lifecycle (generation, rotation, retirement). Version ciphertexts so that data can be re-encrypted after a key rotation. | Development | Development teams, Security team
SSS-02-04-02-01-03 | Regularly audit cryptographic implementations | Periodically review the app's cryptographic functionality and key management processes to ensure compliance with industry standards and detect weaknesses such as deprecated algorithms, static IVs, or keys in source code. | Development | Security team, QA team
SSS-02-04-02-01-04 | Enforce proper cryptographic error handling | Handle cryptographic failures fail-closed: a failed encryption, decryption, or integrity check must never result in plaintext being stored or sent, or in unauthenticated data being accepted, and error details must not be written to logs an attacker can read. | Deployment | Security team, IT operations
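Operations SSS-02-04-01-01-04 and SSS-02-04-02-01-02 call for AES-256 data-at-rest encryption with managed, rotatable keys, and SSS-02-04-02-01-04 for fail-closed error handling. The example below is added for this page and is not code from OWASP, the ISM or any app: a Go keyring that encrypts with AES-256-GCM, prefixes each record with a key version and a random nonce, binds the record to a caller-supplied context through the associated data, refuses to release plaintext on any failure, and re-wraps old records after a rotation. Keys are held in memory only so the example runs stand-alone; in an app they would be generated in and released by the Android Keystore or the iOS Keychain. The Keyring, Seal, Open and Rewrap names are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

const (
	headerLen = 4 + 12 // key version (4 bytes) + GCM nonce (12 bytes)
	tagLen    = 16
)

// Keyring holds 256-bit data-encryption keys by version. In a production app
// the keys live in the platform keystore; here they are in memory only.
type Keyring struct {
	current uint32
	keys    map[uint32][]byte
}

func NewKeyring() (*Keyring, error) {
	k := &Keyring{keys: map[uint32][]byte{}}
	return k, k.Rotate()
}

// Rotate installs a fresh key as current. Older keys remain for decryption
// only, so existing records stay readable until they are rewrapped.
func (k *Keyring) Rotate() error {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return err
	}
	k.current++
	k.keys[k.current] = key
	return nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns version || nonce || ciphertext || tag. The header and the
// caller's context (e.g. the record field name) are authenticated as
// associated data, so a ciphertext cannot be moved to another field.
func (k *Keyring) Seal(plaintext, context []byte) ([]byte, error) {
	aead, err := gcmFor(k.keys[k.current])
	if err != nil {
		return nil, err
	}
	header := make([]byte, headerLen)
	binary.BigEndian.PutUint32(header[:4], k.current)
	if _, err := io.ReadFull(rand.Reader, header[4:]); err != nil {
		return nil, err
	}
	aad := append(append([]byte{}, header...), context...)
	return append(header, aead.Seal(nil, header[4:], plaintext, aad)...), nil
}

// Open fails closed: unknown key version, tampering or a context mismatch
// all yield an error and no plaintext. Callers must treat the error as a
// hard failure, never as a cue to read the blob as plaintext instead.
func (k *Keyring) Open(blob, context []byte) ([]byte, error) {
	if len(blob) < headerLen+tagLen {
		return nil, errors.New("ciphertext too short")
	}
	header := blob[:headerLen]
	version := binary.BigEndian.Uint32(header[:4])
	key, ok := k.keys[version]
	if !ok {
		return nil, fmt.Errorf("unknown key version %d", version)
	}
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	aad := append(append([]byte{}, header...), context...)
	pt, err := aead.Open(nil, header[4:], blob[headerLen:], aad)
	if err != nil {
		return nil, errors.New("authentication failed: data rejected")
	}
	return pt, nil
}

// NeedsRewrap reports whether a blob is still under an old key.
func (k *Keyring) NeedsRewrap(blob []byte) bool {
	return len(blob) < 4 || binary.BigEndian.Uint32(blob[:4]) != k.current
}

// Rewrap re-encrypts a blob under the current key (run after Rotate).
func (k *Keyring) Rewrap(blob, context []byte) ([]byte, error) {
	pt, err := k.Open(blob, context)
	if err != nil {
		return nil, err
	}
	return k.Seal(pt, context)
}

func main() {
	kr, _ := NewKeyring()
	ct, _ := kr.Seal([]byte("refresh-token-123"), []byte("session.refresh"))
	fmt.Printf("stored %d bytes under key v%d\n", len(ct), kr.current)
	_ = kr.Rotate()
	fmt.Println("needs rewrap after rotation:", kr.NeedsRewrap(ct))
}
```

The version prefix is what makes rotation safe: the app can keep the old key in the keystore until a background pass has rewrapped every record, then retire it. Note that Open returns a single generic error for a failed tag check rather than echoing the library's message, so nothing about the failure mode reaches a log.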

References

Industry framework Academic work Real-world case
Information Security Manual (ISM-1922)
The Open Worldwide Application Security Project (MASVS-CRYPTO)

[OWASP] Implement robust authentication mechanisms securely (SSS-02-04-03)

Implement secure authentication and authorization mechanisms to verify user identity and control access to app resources. This includes multi-factor authentication, secure token storage, and proper session management to prevent unauthorized access.

[OWASP] Implement robust authentication and authorization mechanisms (SSS-02-04-03-01)

Adopt secure authentication and authorization protocols. The app must implement secure authentication and authorization protocols, following industry best practices. All remote connections must enforce proper authentication and authorization and adhere to secure protocol standards to prevent unauthorized access. Authorization decisions must be made and enforced on the server, since any check performed only inside the app can be bypassed by a modified client.

Enforce secure local authentication practices. For apps that rely on local authentication (such as biometric or PIN verification), secure implementation following platform-specific best practices is essential. These mechanisms must be properly configured to safeguard user data, especially where remote authentication is not used.

Consider additional authentication for sensitive operations. Sensitive actions within the app should trigger an additional layer of authentication (for example multi-factor authentication, biometrics or a PIN). These step-up methods must be securely implemented so that only authorized users can perform critical tasks.

Operations

ID | Operation | Description | Phase | Agent
SSS-02-04-03-01-01 | Implement secure remote authentication | Use standard authentication protocols (e.g., OAuth 2.0 with PKCE, OpenID Connect) to connect to remote endpoints. Store tokens in platform secure storage, keep them short-lived, and never embed client secrets in the app. | Development | Development teams, Security team
SSS-02-04-03-01-02 | Follow local authentication best practices | For apps using local authentication (e.g., biometrics, PINs), follow platform-specific guidelines: tie the check to a keystore key that is only released after successful authentication, rather than relying on a boolean result that a tampered app can skip. | Development | Development teams, Platform specialists
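Operation SSS-02-04-03-01-01 names OAuth 2.0 for remote authentication. A mobile app is a public client that cannot keep a secret, so its authorization code flow must be protected with PKCE (RFC 7636): the app commits to a hash of a random verifier when it requests the code and reveals the verifier only when redeeming it, so an intercepted code is useless on its own. The example below is added for this page and is not OWASP or ISM code; it implements both sides in Go, with a toy in-memory AuthServer (an assumption of the example) standing in for the authorization server so the exchange runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// RFC 7636 code_verifier: 43..128 characters from the unreserved set.
var verifierRe = regexp.MustCompile(`^[A-Za-z0-9\-._~]{43,128}$`)

func randomURLSafe(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// NewCodeVerifier returns a fresh 256-bit verifier (43 base64url characters).
func NewCodeVerifier() (string, error) { return randomURLSafe(32) }

// S256Challenge computes code_challenge = BASE64URL(SHA256(code_verifier)).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyPKCE is the token-endpoint check: the verifier sent with the
// authorization code must hash to the challenge bound to that code. Only
// S256 is accepted; "plain" would let anyone holding a leaked code redeem it.
func VerifyPKCE(storedChallenge, storedMethod, verifier string) error {
	if storedMethod != "S256" {
		return errors.New("unsupported code_challenge_method")
	}
	if !verifierRe.MatchString(verifier) {
		return errors.New("malformed code_verifier")
	}
	if subtle.ConstantTimeCompare([]byte(S256Challenge(verifier)), []byte(storedChallenge)) != 1 {
		return errors.New("code_verifier does not match code_challenge")
	}
	return nil
}

// AuthServer is a minimal in-memory authorization server (constructed for
// this example) that shows the full exchange; codes are single-use and bound
// to the challenge presented at /authorize.
type AuthServer struct {
	pending map[string]pkceRecord
}

type pkceRecord struct{ challenge, method string }

func NewAuthServer() *AuthServer { return &AuthServer{pending: map[string]pkceRecord{}} }

// Authorize simulates the /authorize redirect: it issues an authorization
// code bound to the client's challenge.
func (s *AuthServer) Authorize(challenge, method string) (string, error) {
	code, err := randomURLSafe(16)
	if err != nil {
		return "", err
	}
	s.pending[code] = pkceRecord{challenge, method}
	return code, nil
}

// Token simulates /token: the code is consumed even when the check fails,
// so an attacker cannot keep guessing verifiers against the same code.
func (s *AuthServer) Token(code, verifier string) (string, error) {
	rec, ok := s.pending[code]
	if !ok {
		return "", errors.New("invalid or already used authorization code")
	}
	delete(s.pending, code)
	if err := VerifyPKCE(rec.challenge, rec.method, verifier); err != nil {
		return "", err
	}
	return "access-token-" + code[:8], nil
}

func main() {
	// Mobile client: generate the verifier, send only its S256 challenge.
	verifier, _ := NewCodeVerifier()
	srv := NewAuthServer()
	code, _ := srv.Authorize(S256Challenge(verifier), "S256")
	// Redeem the code together with the verifier, which never left the device.
	tok, err := srv.Token(code, verifier)
	fmt.Println(tok, err)
}
```

On the device the verifier should live only for the duration of the flow; the tokens that come back belong in the platform secure storage named in operation SSS-02-04-03-01-01, not in preferences or a plain file.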

References

Industry framework Academic work Real-world case
Information Security Manual (ISM-1922)
The Open Worldwide Application Security Project (MASVS-AUTH)

[OWASP] Encrypt and secure data-in-transit (SSS-02-04-04)

Protect data in transit by implementing secure communication protocols, such as TLS, to encrypt data exchanged between the mobile app and remote servers. This helps prevent man-in-the-middle (MITM) attacks and ensures data integrity and confidentiality during transmission.

[OWASP] Ensure secure data transmission and endpoint validation (SSS-02-04-04-01)

Secure network traffic with best practices. The app must encrypt all data transmitted over the network using secure communication protocols, such as TLS, following current industry best practices. This includes authenticating the remote endpoint (certificate chain and hostname validation) to protect against MITM attacks. Developers must keep the secure defaults provided by the platform and not bypass them with low-level APIs, custom trust managers that accept any certificate, or unsupported libraries.

Implement identity pinning for endpoint verification. To strengthen endpoint security, the app should use certificate pinning or public key pinning to validate remote endpoints under the developer's control. Only specific, trusted Certificate Authorities (CAs) or keys are then accepted, reducing the risk that an attacker holding a rogue or compromised CA certificate can intercept or modify data in transit. Pins must be deployed with backup pins and a rotation plan, since a mismatched pin leaves the app unable to connect.

Operations

ID | Operation | Description | Phase | Agent
SSS-02-04-04-01-01 | Implement secure network communication using TLS | Ensure all network communication between the app and remote endpoints uses TLS 1.2 or later (preferably TLS 1.3), with secure cipher suites and proper server certificate and hostname validation. | Development | Development teams, Security team
SSS-02-04-04-01-02 | Enforce certificate or public key pinning | Pin the public keys (or certificates) of endpoints under the developer's control to defeat man-in-the-middle (MITM) attacks mounted with any otherwise-trusted root CA. Ship backup pins and a rotation plan so a key change does not break the app. | Development | Development teams, Security team
SSS-02-04-04-01-03 | Disable insecure protocols and APIs | Block cleartext protocols (e.g., HTTP) and prevent the use of outdated or insecure libraries for network communication. Keep the platform's secure defaults (Android network security configuration with cleartext traffic disabled, iOS App Transport Security) rather than bypassing them. | Development | Development teams, QA team
SSS-02-04-04-01-04 | Monitor and audit network security | Use automated tools to regularly test and monitor for any deviations from secure network communication practices, such as weak cipher usage, expired certificates, or a pinning check that has been disabled. | Post-deployment | Security team, Risk management team
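Operation SSS-02-04-04-01-02 asks for certificate or public key pinning. The example below is added for this page (it is not code from OWASP, the ISM or any SDK): it computes the SHA-256 pin over a certificate's SubjectPublicKeyInfo, the same form used by OkHttp's CertificatePinner and HTTP Public Key Pinning, checks a presented chain against a per-host pin set that includes a backup pin, and wires the check into a TLS client configuration as an extra step after normal chain validation. The certificates are generated in-process so the example runs offline; the PinSet and selfSignedCert names and the api.example.com host are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin returns "sha256/<base64>" over the certificate's SubjectPublicKeyInfo.
// Pinning the key rather than the certificate survives certificate renewal
// as long as the key pair is reused.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// PinSet maps a hostname to its accepted pins. Always include a backup pin
// for a key held offline, so a key rotation does not lock users out.
type PinSet map[string][]string

// Verify accepts the chain if any certificate in it carries a pinned key.
// The chain must already have passed ordinary X.509 validation; pinning
// narrows trust, it does not replace validation.
func (p PinSet) Verify(host string, chain ...*x509.Certificate) error {
	pins, ok := p[host]
	if !ok {
		return fmt.Errorf("no pins configured for %s", host)
	}
	for _, cert := range chain {
		got := SPKIPin(cert)
		for _, want := range pins {
			if got == want {
				return nil
			}
		}
	}
	return errors.New("no certificate in the chain matches a pinned key")
}

// TLSConfig runs the pin check after Go's standard verification; use it as
// the TLSClientConfig of an http.Transport.
func (p PinSet) TLSConfig(host string) *tls.Config {
	return &tls.Config{
		ServerName: host,
		MinVersion: tls.VersionTLS12,
		VerifyConnection: func(cs tls.ConnectionState) error {
			for _, chain := range cs.VerifiedChains { // filled in after chain validation
				if p.Verify(host, chain...) == nil {
					return nil
				}
			}
			return errors.New("pin validation failed")
		},
	}
}

// selfSignedCert creates a throwaway certificate so the example runs offline;
// production pins are computed from the real server keys at build time.
func selfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	active, _ := selfSignedCert("api.example.com")
	backup, _ := selfSignedCert("api.example.com") // key pair kept offline
	rogue, _ := selfSignedCert("api.example.com")  // e.g. issued by a compromised CA
	pins := PinSet{"api.example.com": {SPKIPin(active), SPKIPin(backup)}}
	fmt.Println("active :", pins.Verify("api.example.com", active))
	fmt.Println("rogue  :", pins.Verify("api.example.com", rogue))
	_ = pins.TLSConfig("api.example.com")
}
```

Two practical points follow from the code. Verify accepts a match anywhere in the chain, so a pin set can name an intermediate CA key instead of the leaf when the operator does not control the leaf key lifetime. And because VerifyConnection only runs after the standard verifier has built VerifiedChains, disabling that verifier (InsecureSkipVerify) would silently turn the pin check into the only protection, which is exactly the bypass operation SSS-02-04-04-01-04 should be watching for.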

References

Industry framework Academic work Real-world case
Information Security Manual (ISM-1922)
The Open Worldwide Application Security Project (MASVS-NETWORK)

[OWASP] Follow best practices for platform interactions (SSS-02-04-05)

Follow best practices for secure interaction with the mobile platform’s APIs and resources, as well as with other installed apps. Limit permissions to those necessary for the app's functionality, and prevent data leakage or unauthorized interactions with other apps.

[OWASP] Secure interactions with platform APIs and app resources (SSS-02-04-05-01)

Implement secure IPC mechanisms. All interactions using Inter-Process Communication (IPC) mechanisms must be securely configured: expose only the data and functionality essential for the app's operation, and verify that interactions with other installed apps are intended and authenticated. Input arriving through IPC (intents, deep links, URL schemes, content providers) is untrusted.

Secure WebView configurations. Configure WebViews securely to prevent data leakage or unauthorized access. Disable unnecessary functionality such as JavaScript and JavaScript-to-native bridges unless required, restrict the content a WebView may load to trusted origins, and prevent access to local files. A JavaScript bridge reachable from attacker-controlled content is a direct path into the app's native code.

Protect sensitive data in the user interface. Implement safeguards so that sensitive data displayed in the user interface (e.g., passwords, credit card information, OTP codes) is not unintentionally exposed. Address risks such as automatically generated screenshots (task-switcher previews), shoulder surfing and accidental disclosure through notifications, using measures such as masking data, secure overlays and suppressing unnecessary notifications.

Operations

ID | Operation | Description | Phase | Agent
SSS-02-04-05-01-01 | Secure inter-process communication (IPC) | Use platform-provided IPC mechanisms securely: export only the components that must be reachable by other apps, validate every deep link, intent or URL-scheme parameter, and require callers to hold the appropriate permission. | Development | Development teams, Security team
SSS-02-04-05-01-02 | Configure WebViews securely | Disable JavaScript and file access unless required, expose no JavaScript bridge beyond what is needed, and restrict navigation to an allowlist of trusted origins. | Development | Development teams, Security team
SSS-02-04-05-01-03 | Protect sensitive data in the user interface | Mask sensitive data displayed in the UI and prevent platform mechanisms such as screenshots and the task-switcher preview from capturing sensitive screens. | Development | Development teams, QA team
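Operations SSS-02-04-05-01-01 and SSS-02-04-05-01-02 both come down to one decision: is this URL, arriving from a deep link, an intent or a WebView navigation, one the app may load? The example below is added for this page (not OWASP or ISM code) and shows a Go allowlist check together with the cases that commonly slip past naive string matching: a javascript: or file: scheme, a host that merely ends in the trusted domain, userinfo in front of the real host, a non-default port, an IP literal, and a path that escapes its prefix with dot segments. The NavigationPolicy name and the example.com hosts are assumptions; in an app the same check sits in shouldOverrideUrlLoading on Android or in the WKNavigationDelegate decision handler on iOS.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"path"
	"strings"
)

// NavigationPolicy is the allowlist a WebView's navigation callback or a
// deep-link handler consults before loading a URL. Hosts match exactly, or
// as subdomains of an entry written with a leading dot (the apex must be
// listed separately); the scheme is fixed to https so javascript:, file:,
// intent: and http: never load.
type NavigationPolicy struct {
	AllowedHosts []string // e.g. "app.example.com", ".cdn.example.com"
	AllowedPaths []string // path prefixes, e.g. "/pay/"; empty = any path
}

func (p NavigationPolicy) hostAllowed(host string) bool {
	host = strings.ToLower(host)
	for _, a := range p.AllowedHosts {
		a = strings.ToLower(a)
		if strings.HasPrefix(a, ".") && strings.HasSuffix(host, a) {
			return true
		}
		if host == a {
			return true
		}
	}
	return false
}

func (p NavigationPolicy) pathAllowed(raw string) bool {
	if len(p.AllowedPaths) == 0 {
		return true
	}
	clean := path.Clean("/" + raw) // collapses "..", so /pay/../admin -> /admin
	for _, pre := range p.AllowedPaths {
		if strings.HasPrefix(clean+"/", pre) {
			return true
		}
	}
	return false
}

// Check returns the parsed URL if it may be loaded, otherwise an error
// naming the first rule that failed.
func (p NavigationPolicy) Check(raw string) (*url.URL, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return nil, fmt.Errorf("unparseable url: %w", err)
	}
	if u.Scheme != "https" { // url.Parse lower-cases the scheme
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil { // https://app.example.com@evil.com
		return nil, errors.New("userinfo not allowed")
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("empty host")
	}
	if net.ParseIP(host) != nil {
		return nil, errors.New("ip-literal host not allowed")
	}
	if !p.hostAllowed(host) { // blocks app.example.com.evil.com
		return nil, fmt.Errorf("host %q not in allowlist", host)
	}
	if port := u.Port(); port != "" && port != "443" {
		return nil, fmt.Errorf("port %s not allowed", port)
	}
	if !p.pathAllowed(u.Path) {
		return nil, fmt.Errorf("path %q not allowed", u.Path)
	}
	return u, nil
}

func main() {
	policy := NavigationPolicy{
		AllowedHosts: []string{"app.example.com", ".cdn.example.com"},
		AllowedPaths: []string{"/pay/", "/help"},
	}
	for _, raw := range []string{
		"https://app.example.com/pay/123",
		"https://app.example.com.evil.com/pay/",
		"https://app.example.com@evil.com/pay/",
		"https://app.example.com/pay/../admin",
		"javascript:alert(1)",
	} {
		_, err := policy.Check(raw)
		fmt.Printf("%-42s -> %v\n", raw, err)
	}
}
```

The allowlist is deliberately exact-match: suffix matching on "example.com" without the leading dot would accept "notexample.com", and matching the trusted host as a prefix accepts "app.example.com.evil.com". Anything the check rejects should be handed to the system browser or dropped, never loaded in the app's WebView.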

References

Industry framework Academic work Real-world case
Information Security Manual (ISM-1922)
The Open Worldwide Application Security Project (MASVS-PLATFORM)

[OWASP] Process data securely with updated practices (SSS-02-04-06)

Follow secure coding practices to process data safely and prevent vulnerabilities, such as input validation flaws or insecure data handling. Regularly update the app to address security patches, incorporate new security features, and keep up with evolving security standards.

[OWASP] Maintain secure code and update practices for safe data handling (SSS-02-04-06-01)

Ensure an up-to-date platform version. Require that the app runs only on platform versions that still receive security patches, by setting a minimum supported OS version and raising it over time. Older platform versions expose users to known vulnerabilities; this control ensures the app benefits from the platform's current security features.

Implement mandatory update mechanisms. Include mechanisms to enforce critical app updates for all users, so that vulnerabilities discovered post-deployment are mitigated promptly and users cannot continue on outdated, insecure versions.

Rely only on software components without known vulnerabilities. Use only libraries and components verified as free from known vulnerabilities. Maintain an inventory of dependencies, scan it regularly, and avoid unsupported or unmaintained third-party components.

Validate and sanitize all untrusted inputs. Secure every entry point in the app, including user input, IPC channels, the file system and network traffic, by validating and sanitizing data to eliminate injection attacks (e.g., SQL injection, XSS inside WebViews) and insecure deserialization. Treat all incoming data as untrusted and verify it before use.

Operations

ID | Operation | Description | Phase | Agent
SSS-02-04-06-01-01 | Require up-to-date platform versions | Set the app's minimum OS version (minSdkVersion on Android, the minimum deployment target on iOS) to a release that still receives security patches, so users on platforms with known vulnerabilities cannot run the app. | Development | Development teams, Security team
SSS-02-04-06-01-02 | Enforce app update mechanism | Implement a mechanism to require users to update to the latest app version when critical vulnerabilities are fixed (for example, a minimum-version check against the backend that blocks older builds). | Deployment | DevOps team, Security team
SSS-02-04-06-01-03 | Use secure and vulnerability-free components | Maintain a software bill of materials (SBOM), regularly scan all dependencies and third-party libraries for known vulnerabilities, and replace outdated or unmaintained components with secure alternatives. | Development | Development teams, QA team
SSS-02-04-06-01-04 | Validate and sanitize all untrusted inputs | Validate and sanitize all inputs from UI, IPC, network, and file system sources to prevent injection attacks or bypasses of security checks. | Development | Development teams, Security team
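Operation SSS-02-04-06-01-03 requires regular scanning of dependencies for known vulnerabilities. The example below is added for this page (not OWASP or ISM code) and shows the core of such a scan in Go: it reads the components of a CycloneDX-style SBOM, compares each pinned version against advisories expressed as introduced/fixed ranges, and flags components that ship without a version at all. The SBOM, component names and advisories are constructed for the example and deliberately fictional; a real pipeline would pull advisories from a vulnerability database and use a full semantic-version comparison.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Component is the subset of a CycloneDX component record used here.
type Component struct {
	Group   string `json:"group"`
	Name    string `json:"name"`
	Version string `json:"version"`
}

type sbom struct {
	Components []Component `json:"components"`
}

// Advisory describes a vulnerable version range [Introduced, Fixed).
// An empty Fixed means no fixed release exists yet.
type Advisory struct {
	ID, Component, Introduced, Fixed, Severity string
}

type Finding struct {
	Component, Version, AdvisoryID, Reason string
}

// compareVersions orders dotted numeric versions; missing or non-numeric
// segments count as 0, so "2.0" == "2.0.0".
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

func (a Advisory) affects(c Component) bool {
	if c.Group+"/"+c.Name != a.Component {
		return false
	}
	if compareVersions(c.Version, a.Introduced) < 0 {
		return false
	}
	return a.Fixed == "" || compareVersions(c.Version, a.Fixed) < 0
}

// Audit parses an SBOM and reports components affected by an advisory or
// shipped without a pinned version (which cannot be audited at all).
func Audit(sbomJSON []byte, advisories []Advisory) ([]Finding, error) {
	var doc sbom
	if err := json.Unmarshal(sbomJSON, &doc); err != nil {
		return nil, err
	}
	var findings []Finding
	for _, c := range doc.Components {
		id := c.Group + "/" + c.Name
		if c.Version == "" {
			findings = append(findings, Finding{id, "", "", "unpinned version"})
			continue
		}
		for _, adv := range advisories {
			if adv.affects(c) {
				reason := fmt.Sprintf("%s severity, fixed in %s", adv.Severity, adv.Fixed)
				if adv.Fixed == "" {
					reason = adv.Severity + " severity, no fix available: replace component"
				}
				findings = append(findings, Finding{id, c.Version, adv.ID, reason})
			}
		}
	}
	return findings, nil
}

// Constructed inputs: fictional components and advisories for the example.
const sampleSBOM = `{"bomFormat":"CycloneDX","components":[
  {"group":"org.example","name":"netkit","version":"1.2.3"},
  {"group":"org.example","name":"imageparse","version":"3.0.1"},
  {"group":"org.example","name":"jsonlite","version":"0.9"},
  {"group":"org.example","name":"cryptoshim","version":""}]}`

var sampleAdvisories = []Advisory{
	{"ADV-EXAMPLE-001", "org.example/netkit", "1.0.0", "1.4.2", "high"},
	{"ADV-EXAMPLE-002", "org.example/imageparse", "2.0.0", "3.0.1", "critical"},
	{"ADV-EXAMPLE-003", "org.example/jsonlite", "0", "", "medium"},
}

func main() {
	findings, err := Audit([]byte(sampleSBOM), sampleAdvisories)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s %s: %s\n", f.Component, f.Version, f.AdvisoryID, f.Reason)
	}
}
```

Note the boundary case: imageparse 3.0.1 is exactly the fixed version of ADV-EXAMPLE-002 and is correctly not reported, while jsonlite is reported under an advisory with no fix, which is the "unmaintained component, replace it" outcome the operation describes.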

References

Industry framework Academic work Real-world case
Information Security Manual (ISM-1922)
The Open Worldwide Application Security Project (MASVS-CODE)

[OWASP] Implement strong anti-tampering mechanisms (SSS-02-04-07)

Implement protections against reverse engineering and tampering, such as code obfuscation, integrity checks, and anti-tampering mechanisms. This helps protect intellectual property, sensitive code, and data from unauthorized modification or extraction by attackers.

[OWASP] Enhance app security against reverse engineering and tampering (SSS-02-04-07-01)

Validate platform integrity. The app should verify the integrity of the platform it runs on. A compromised (rooted or jailbroken) platform may disable critical security features and expose app data; this control has the app check that essential features (e.g., secure storage, biometrics, sandboxing) can still be trusted, and respond according to its risk policy.

Implement anti-tampering mechanisms. Protect the app from being modified or redistributed in unauthorized ways (e.g., enabling premium features for free or uploading trojanized versions to third-party stores). Anti-tampering controls verify that the app's code and resources retain their original integrity and refuse to run modified versions.

Employ anti-static-analysis measures. Obfuscate and protect the app's code so that static analysis tools reveal as little as possible about its inner workings. These measures raise the effort required to reverse engineer the app and protect its intellectual property and security features.

Utilize anti-dynamic-analysis techniques. Deploy runtime protections that hinder observation and manipulation of the app during execution, such as debugger and instrumentation detection, so that attackers cannot easily extract sensitive data or modify behavior at runtime.

These measures are defense in depth: each can eventually be bypassed by a determined attacker, and together they raise the cost of tampering and reverse engineering rather than making it impossible.

Operations

ID | Operation | Description | Phase | Agent
SSS-02-04-07-01-01 | Validate platform integrity | Check whether the app is running on a secure, untampered platform (root/jailbreak indicators, platform attestation services such as Play Integrity or App Attest) so that essential security features like sandboxing and secure storage can be trusted. | Development | Development teams, Security team
SSS-02-04-07-01-02 | Implement anti-tampering mechanisms | Protect the app against modification by validating its code and resource integrity at runtime (for example, verifying the app signature and a signed manifest of bundled assets) and refusing to run modified versions. | Development | Security team, DevOps team
SSS-02-04-07-01-03 | Obfuscate code and use anti-static analysis mechanisms | Make reverse engineering of the app more challenging by obfuscating code, stripping symbols and adding layers of protection against static analysis tools. | Development | Development teams, Security team
SSS-02-04-07-01-04 | Implement anti-dynamic analysis protections | Detect and respond to dynamic analysis attempts using techniques such as anti-debugging, instrumentation-framework detection and runtime behavior validation. | Development | Security team, QA team
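Operation SSS-02-04-07-01-02 asks the app to validate the integrity of its code and resources at runtime. One building block is a signed manifest of asset hashes: the release pipeline hashes each bundled file, signs the manifest with a private key that never ships, and the app verifies the manifest and the files at start-up. The example below is added for this page (not OWASP or ISM code) and implements that in Go with Ed25519; the assets, paths and function names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// Manifest maps each protected asset path to its hex SHA-256. It is built in
// the release pipeline and signed with a key that never ships in the app;
// only the public key is embedded.
type Manifest map[string]string

// NewSigningKey is the build-time key pair (kept in the release system).
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func BuildManifest(assets map[string][]byte) Manifest {
	m := Manifest{}
	for p, data := range assets {
		sum := sha256.Sum256(data)
		m[p] = hex.EncodeToString(sum[:])
	}
	return m
}

// canonical serializes the manifest deterministically (sorted paths) so the
// signature does not depend on map iteration order or JSON formatting.
func (m Manifest) canonical() []byte {
	paths := make([]string, 0, len(m))
	for p := range m {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var out []byte
	for _, p := range paths {
		out = append(out, p...)
		out = append(out, 0)
		out = append(out, m[p]...)
		out = append(out, '\n')
	}
	return out
}

// SignManifest runs at build time.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

// VerifyAssets runs at app start: signature, completeness and per-file
// hashes must all check out, and no unlisted asset may have been added.
func VerifyAssets(pub ed25519.PublicKey, m Manifest, sig []byte, assets map[string][]byte) error {
	if !ed25519.Verify(pub, m.canonical(), sig) {
		return errors.New("manifest signature invalid")
	}
	if len(assets) != len(m) {
		return errors.New("asset set differs from manifest")
	}
	for p, want := range m {
		data, ok := assets[p]
		if !ok {
			return fmt.Errorf("missing asset %s", p)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("asset %s modified", p)
		}
	}
	return nil
}

// Constructed sample assets standing in for files bundled with the app.
var sampleAssets = map[string][]byte{
	"config/endpoints.json": []byte(`{"api":"https://api.example.com"}`),
	"js/pricing.js":         []byte("function price(tier){return tier==='pro'?9.99:0;}"),
}

func main() {
	pub, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	m := BuildManifest(sampleAssets)
	sig := SignManifest(priv, m)
	fmt.Println("pristine:", VerifyAssets(pub, m, sig, sampleAssets))
	patched := map[string][]byte{
		"config/endpoints.json": sampleAssets["config/endpoints.json"],
		"js/pricing.js":         []byte("function price(tier){return 0;}"),
	}
	fmt.Println("patched :", VerifyAssets(pub, m, sig, patched))
}
```

The check defeats an attacker who edits assets inside the package, but someone who repackages the whole app can also swap the embedded public key and re-sign. That is why this control is paired with the app-signature check and, where available, platform attestation from operation SSS-02-04-07-01-01, which let the backend tell a repackaged build from the genuine one.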

References

Industry framework Academic work Real-world case
Information Security Manual (ISM-1922)
The Open Worldwide Application Security Project (MASVS-RESILIENCE)

[OWASP] Include user privacy and control measures (SSS-02-04-08)

Include privacy controls to protect user data and ensure compliance with privacy regulations. Limit data collection to what is necessary for the app's functionality, provide clear data usage disclosures, and allow users to control their privacy settings.

[OWASP] Strengthen privacy controls for user data (SSS-02-04-08-01)

Minimize data access. Limit app access to sensitive data strictly to what is essential for its functionality, and make all access contingent on explicit, informed user consent. Ensure third-party SDKs respect consent signals and do not collect data prematurely or unnecessarily. Maintain accountability across the SDK supply chain, for example by keeping a Software Bill of Materials (SBOM) and verifying each SDK's compliance with data minimization and applicable regulatory requirements.

Prevent user identification. Apply privacy-preserving techniques such as data abstraction, anonymization and pseudonymization to protect user identities. Restrict device-specific identifiers (e.g., device IDs, IP addresses) to their stated purposes, such as fraud detection, and prevent repurposing for unrelated analytics or tracking.

Ensure transparency. Clearly disclose data collection, usage and sharing practices to users. Highlight unexpected behaviors such as background data collection, and comply with platform-specific data declaration requirements. Provide users with accessible and understandable information about how their data is handled.

Empower user control. Give users tools to manage their data, including the ability to view, delete or modify stored data and adjust privacy preferences. Re-prompt for consent whenever new data types are required, in line with evolving transparency policies and user expectations.

Together these controls align the app with privacy best practice, sustain user trust and reduce exposure to privacy violations.

Operations

ID | Operation | Description | Phase | Agent
SSS-02-04-08-01-01 | Minimize access to sensitive data | Request access only to the data and resources required for app functionality. Restrict third-party SDKs from collecting data before user consent and ensure SDKs respect user preferences. | Development | Development teams, Product teams
SSS-02-04-08-01-02 | Ensure anonymization and data isolation | Implement unlinkability techniques such as data abstraction, anonymization or pseudonymization to prevent user identification. Isolate fingerprint-like data streams per purpose, so identifiers collected for one purpose (e.g., fraud detection) cannot be joined with those of another (e.g., analytics). | Development | Security team, Privacy compliance team
SSS-02-04-08-01-03 | Enhance data transparency | Include a privacy policy link in the app's settings explaining how user data (for example, location data) is collected, stored, shared and used. | Deployment | Legal team, Product teams
SSS-02-04-08-01-04 | Offer comprehensive user controls | Add a "Privacy Settings" section where users can revoke consent (for example, for location sharing) or delete their account and associated data. | Post-deployment | Development teams, Support teams
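Operation SSS-02-04-08-01-02 calls for pseudonymization and for isolating fingerprint-like data streams per purpose. The example below is added for this page (not OWASP or ISM code) and shows one way to do that in Go: identifiers are keyed HMAC-SHA256 pseudonyms computed under a per-purpose key derived from a master secret, purposes must be declared up front, and regenerating the master key unlinks everything issued before it. The purpose names, the device ID and the Pseudonymizer type are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Pseudonymizer issues purpose-bound identifiers. Each declared purpose gets
// its own key derived from a master secret, so the fraud stream and the
// analytics stream cannot be joined on the identifier, and the raw user or
// device ID never leaves the app.
type Pseudonymizer struct {
	master   []byte
	purposes map[string]bool
}

// NewMasterKey generates the 256-bit secret. A real app keeps it in the
// platform keystore; generating a new one unlinks all earlier pseudonyms,
// which is the "forget me" operation.
func NewMasterKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func NewPseudonymizer(master []byte, declaredPurposes ...string) (*Pseudonymizer, error) {
	if len(master) < 32 {
		return nil, errors.New("master key must be at least 32 bytes")
	}
	p := &Pseudonymizer{master: master, purposes: map[string]bool{}}
	for _, d := range declaredPurposes {
		p.purposes[d] = true
	}
	return p, nil
}

func mac(key, data []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(data)
	return h.Sum(nil)
}

// Pseudonym returns a stable identifier for rawID within one purpose, or an
// error if the purpose was never declared: a new data use cannot be wired in
// silently without updating the declared list (and the privacy notice).
func (p *Pseudonymizer) Pseudonym(purpose, rawID string) (string, error) {
	if !p.purposes[purpose] {
		return "", fmt.Errorf("purpose %q not declared", purpose)
	}
	purposeKey := mac(p.master, []byte("purpose-key:"+purpose))
	id := mac(purposeKey, []byte(rawID))
	return base64.RawURLEncoding.EncodeToString(id[:16]), nil
}

func main() {
	master, _ := NewMasterKey()
	p, _ := NewPseudonymizer(master, "fraud-detection", "analytics")
	fraud, _ := p.Pseudonym("fraud-detection", "device-7f3a")
	analytics, _ := p.Pseudonym("analytics", "device-7f3a")
	_, err := p.Pseudonym("ad-tracking", "device-7f3a")
	fmt.Println(fraud, analytics, err)
}
```

Because the pseudonym is keyed, a party holding only the exported identifiers cannot recompute them from a device ID, which a plain hash would allow. Keeping the master key on the device (not on the backend) is what makes the identifiers pseudonymous from the server's point of view as well.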

References

Industry framework Academic work Real-world case
Information Security Manual (ISM-1922)
The Open Worldwide Application Security Project (MASVS-PRIVACY)