The Open Worldwide Application Security Project (OWASP) Mobile Application Security Verification Standard (MASVS) defines the security requirements that a mobile application is verified against during development; its MASVS-CRYPTO control group covers how the app uses cryptography and manages keys.
Use robust cryptographic algorithms and secure key management practices to protect sensitive data within the mobile app. This means using approved, current algorithms and modes so that sensitive data stored on the device cannot be read or decrypted by an unauthorized party, even one with physical access to the device.
Implement strong cryptographic standards. The application must use strong, industry-approved cryptographic algorithms to protect sensitive data, following current best practice to counter threats such as physical attacks on the device or unauthorized data access. Cryptographic choices must be revisited as standards evolve, so that deprecated algorithms and modes are retired rather than carried forward.
Follow secure key management practices. Cryptographic keys must be managed securely throughout their lifecycle: generation, storage, use, rotation and destruction. Poor key management nullifies strong encryption, so key rotation, hardware-backed storage and access restrictions must be enforced to keep protected data confidential and intact.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-04-02-01-01 | Implement strong cryptography for sensitive data | Use current, industry-approved cryptographic algorithms to encrypt sensitive data stored on the device or transmitted over networks. | Development | Development teams, Security team |
SSS-02-04-02-01-02 | Follow secure key management practices | Generate, store, and protect cryptographic keys using secure methods, such as hardware-backed storage or secure enclaves, and ensure proper key lifecycle management. | Development | Development teams, Security team |
SSS-02-04-02-01-03 | Regularly audit cryptographic implementations | Periodically review the app’s cryptographic functionality and key management processes to ensure compliance with industry standards and detect weaknesses. | Development | Security team, QA team |
SSS-02-04-02-01-04 | Enforce proper cryptographic error handling | Implement error-handling mechanisms for cryptographic operations to avoid unintended behavior, such as plaintext exposure when encryption fails. | Deployment | Security team, IT operations |
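The following Android example ties the four operations above together. It is an added illustration written for this page, not code from OWASP, the MASVS, or any referenced framework. The class name `SensitiveDataVault`, the exception type `VaultException`, the key alias `vault-key-v1` and the storage layout are assumptions chosen for the example; the Android Keystore, `KeyGenParameterSpec` and `javax.crypto` APIs it calls are the platform's own. The key is generated inside the Android Keystore so the app never holds key bytes (SSS-02-04-02-01-02), data is protected with AES-256-GCM (SSS-02-04-02-01-01), a helper reports whether the key is held in secure hardware for audit purposes (SSS-02-04-02-01-03), and a failed integrity check is surfaced as an exception instead of returning partial or empty data (SSS-02-04-02-01-04).

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import java.security.KeyStore
import javax.crypto.AEADBadTagException
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.GCMParameterSpec

// Hypothetical wrapper for sensitive data at rest (example code, not from the page).
// The key lives in the Android Keystore, so the app only ever holds a key handle.
// The alias carries a version suffix: rotation means generating "vault-key-v2" and
// re-encrypting records that were written under "v1".
class SensitiveDataVault(private val keyAlias: String = "vault-key-v1") {

    private companion object {
        const val PROVIDER = "AndroidKeyStore"
        const val TRANSFORMATION = "AES/GCM/NoPadding"  // AEAD: confidentiality and integrity
        const val TAG_BITS = 128
        const val IV_BYTES = 12
    }

    private val keyStore: KeyStore = KeyStore.getInstance(PROVIDER).apply { load(null) }

    /** Returns the existing key or generates a non-exportable AES-256 key in the Keystore. */
    private fun getOrCreateKey(): SecretKey {
        (keyStore.getKey(keyAlias, null) as? SecretKey)?.let { return it }
        val spec = KeyGenParameterSpec.Builder(
            keyAlias,
            KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            // Keystore generates a fresh IV per encryption; a caller-supplied IV is rejected.
            .setRandomizedEncryptionRequired(true)
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, PROVIDER)
            .apply { init(spec) }
            .generateKey()
    }

    /** Audit check: true only if the key material is held in secure hardware (TEE or StrongBox). */
    @Suppress("DEPRECATION") // securityLevel supersedes isInsideSecureHardware on API 31+
    fun keyIsHardwareBacked(): Boolean {
        val key = getOrCreateKey()
        val info = SecretKeyFactory.getInstance(key.algorithm, PROVIDER)
            .getKeySpec(key, KeyInfo::class.java) as KeyInfo
        return info.isInsideSecureHardware
    }

    /** Output layout: IV (12 bytes) || ciphertext || GCM tag (16 bytes). AAD binds the record to its key version. */
    fun encrypt(plaintext: ByteArray): ByteArray {
        val cipher = Cipher.getInstance(TRANSFORMATION)
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey())
        cipher.updateAAD(keyAlias.toByteArray())
        val iv = cipher.iv  // chosen by the Keystore, never reused for this key
        check(iv.size == IV_BYTES) { "unexpected GCM IV length ${iv.size}" }
        return iv + cipher.doFinal(plaintext)
    }

    /**
     * Fails closed: a tampered, truncated or wrong-key blob raises VaultException.
     * The caller never receives partial plaintext or an empty array it could mistake for "no data".
     */
    fun decrypt(blob: ByteArray): ByteArray {
        if (blob.size < IV_BYTES + TAG_BITS / 8) throw VaultException("ciphertext too short")
        val iv = blob.copyOfRange(0, IV_BYTES)
        val body = blob.copyOfRange(IV_BYTES, blob.size)
        val cipher = Cipher.getInstance(TRANSFORMATION)
        cipher.init(Cipher.DECRYPT_MODE, getOrCreateKey(), GCMParameterSpec(TAG_BITS, iv))
        cipher.updateAAD(keyAlias.toByteArray())
        return try {
            cipher.doFinal(body)
        } catch (e: AEADBadTagException) {
            // No fallback key, no retry without AAD, and never log the blob or return it as-is.
            throw VaultException("integrity check failed", e)
        }
    }
}

class VaultException(message: String, cause: Throwable? = null) : Exception(message, cause)
```

This code only runs on an Android device or emulator, since the `AndroidKeyStore` provider does not exist on a desktop JVM. Two points worth checking during the periodic review in SSS-02-04-02-01-03: `keyIsHardwareBacked()` returning false means the key is software-backed on that device model, which should be recorded as a finding rather than silently accepted, and the AAD check means a record encrypted under `vault-key-v1` cannot be decrypted under `vault-key-v2`, so rotation must re-encrypt existing records before the old alias is deleted.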
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1922); The Open Worldwide Application Security Project (MASVS-CRYPTO) | | |