The Open Worldwide Application Security Project (OWASP) Mobile Application Security Verification Standard (MASVS) is the standard applied during the development of mobile applications.
Implement secure authentication and authorization mechanisms to verify user identity and control access to app resources. This includes multi-factor authentication, secure token storage, and proper session management to prevent unauthorized access.
Adopt secure authentication and authorization protocols. The app must implement secure authentication and authorization protocols, following industry best practices. This includes ensuring that all remote connections enforce proper authentication and authorization, as well as adhering to secure protocol standards to prevent unauthorized access.

Enforce secure local authentication practices. For apps that rely on local authentication (such as biometric or PIN code verification), secure implementation following platform-specific best practices is essential. The app must ensure that these authentication mechanisms are properly configured to safeguard user data, especially in cases where remote authentication is not used.

Consider additional authentication for sensitive operations. Sensitive actions within the app should trigger additional layers of authentication (e.g., multi-factor authentication, biometrics, or a PIN). These additional methods must be securely implemented to ensure that only authorized users can perform critical tasks within the app.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-04-03-01-01 | Implement secure remote authentication | Use secure authentication protocols (e.g., OAuth 2.0, OpenID Connect) to connect to remote endpoints. Ensure tokens are securely managed and stored to prevent misuse. | Development | Development teams, Security team |
SSS-02-04-03-01-02 | Follow local authentication best practices | For apps using local authentication (e.g., biometrics, PINs), follow platform-specific guidelines to securely implement and store authentication credentials. | Development | Development teams, Platform specialists |
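The three requirements above (secure remote sessions, platform-appropriate local factors, and step-up authentication for sensitive actions) and the two operations in the table all come together on the server that the app talks to. The following is an added example, not code from OWASP MASVS or from this standard, showing the server-side policy as a practitioner would typically write it: session tokens are stored only as a hash, sessions expire on both idle time and absolute lifetime, and each operation carries a minimum authentication level and a freshness window, so a session that only has a password is told to step up before a funds transfer. The operation names, timeouts, and policy table are hypothetical values chosen for illustration.

```python
"""Step-up authentication policy for sensitive operations (constructed example).

Models the server side of the guidance above: every request carries a bearer
token, sessions expire (idle and absolute), and sensitive operations demand a
stronger and more recent authentication than ordinary ones.
"""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum


class AuthLevel(IntEnum):
    NONE = 0
    PASSWORD = 1      # single factor
    MFA = 2           # password plus a second factor (TOTP, biometric, PIN, ...)


@dataclass
class Session:
    user_id: str
    token_hash: str                  # only the hash of the bearer token is stored
    auth_level: AuthLevel
    authenticated_at: datetime       # when the current auth_level was established
    created_at: datetime
    last_seen: datetime


@dataclass(frozen=True)
class Requirement:
    level: AuthLevel
    max_age: timedelta               # how fresh the authentication must be


# Hypothetical policy table: operation name -> minimum auth level and freshness.
POLICY = {
    "view_balance":   Requirement(AuthLevel.PASSWORD, timedelta(hours=12)),
    "change_email":   Requirement(AuthLevel.MFA, timedelta(minutes=15)),
    "transfer_funds": Requirement(AuthLevel.MFA, timedelta(minutes=5)),
}

IDLE_TIMEOUT = timedelta(minutes=30)        # assumed values, not from the standard
ABSOLUTE_LIFETIME = timedelta(hours=24)


def hash_token(token: str) -> str:
    """Store only a digest so a leaked session table does not yield usable tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


def new_session(user_id: str, level: AuthLevel, now: datetime) -> tuple[str, Session]:
    """Issue a fresh random bearer token; the caller keeps the token, the store keeps the hash."""
    token = secrets.token_urlsafe(32)
    return token, Session(user_id, hash_token(token), level, now, now, now)


def session_is_valid(s: Session, now: datetime) -> bool:
    return now - s.last_seen <= IDLE_TIMEOUT and now - s.created_at <= ABSOLUTE_LIFETIME


def authorize(store: dict[str, Session], token: str, operation: str, now: datetime) -> str:
    """Return 'allow', 'deny', or 'step_up' for the given bearer token and operation."""
    s = store.get(hash_token(token))
    if s is None or not session_is_valid(s, now):
        return "deny"              # unknown or expired session: re-authenticate from scratch
    req = POLICY.get(operation)
    if req is None:
        return "deny"              # unknown operations are denied by default
    s.last_seen = now
    if s.auth_level < req.level or now - s.authenticated_at > req.max_age:
        return "step_up"           # caller must present an additional factor first
    return "allow"


def step_up(store: dict[str, Session], token: str, now: datetime) -> bool:
    """Record a successfully verified second factor on an existing, still-valid session."""
    s = store.get(hash_token(token))
    if s is None or not session_is_valid(s, now):
        return False
    s.auth_level = AuthLevel.MFA
    s.authenticated_at = now
    return True


def demo() -> list[str]:
    """Walk one session through the policy; returns the decision for each request."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    store: dict[str, Session] = {}
    token, s = new_session("alice", AuthLevel.PASSWORD, t0)
    store[s.token_hash] = s
    results = [
        authorize(store, token, "view_balance", t0 + timedelta(minutes=1)),    # allow
        authorize(store, token, "transfer_funds", t0 + timedelta(minutes=2)),  # step_up (password only)
    ]
    step_up(store, token, t0 + timedelta(minutes=3))                           # second factor verified
    results.append(authorize(store, token, "transfer_funds", t0 + timedelta(minutes=4)))   # allow
    results.append(authorize(store, token, "transfer_funds", t0 + timedelta(minutes=10)))  # step_up (MFA older than 5 min)
    results.append(authorize(store, token, "view_balance", t0 + timedelta(minutes=50)))    # deny (idle > 30 min)
    return results


if __name__ == "__main__":
    print(demo())
```

The decisive design choice is that a step-up is a property of the session, not of the request: the app may attach a fresh biometric or PIN result, but the server records the elevated level with its own timestamp and re-evaluates the freshness window on every sensitive call, so a stale elevation lapses back to step-up without the client having to do anything. A real deployment would also bind the session to the OAuth 2.0 or OpenID Connect token it was issued from and revoke it on logout.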
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1922); The Open Worldwide Application Security Project (MASVS-AUTH) | | |