The Open Worldwide Application Security Project (OWASP) Mobile Application Security Verification Standard is used in the development of mobile applications.
Protect data in transit by implementing secure communication protocols, such as TLS, to encrypt data exchanged between the mobile app and remote servers. This helps prevent man-in-the-middle (MITM) attacks and ensures data integrity and confidentiality during transmission.
Secure network traffic with best practices. The app must encrypt all data transmitted over the network using secure communication protocols, such as TLS, following current industry best practices. This includes ensuring that the remote endpoint is authenticated to protect against MITM attacks. Developers must ensure that the secure defaults provided by the platform are maintained and not bypassed through low-level APIs or unsupported libraries.

Implement identity pinning for endpoint verification. To strengthen endpoint security, the app should use certificate pinning or public key pinning to validate remote endpoints under the developer's control. This approach ensures that only specific, trusted Certificate Authorities (CAs) or keys are accepted, reducing the risk of unauthorized entities intercepting or modifying data during transmission.
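The following is an added example that is not part of the OWASP MASVS or ISM text. It shows, in Python, the two controls just described on the client side: a TLS context that keeps the platform's secure defaults (certificate validation and hostname checking on, TLS 1.2 as the floor) and a public key pin computed as the SHA-256 digest of the certificate's SubjectPublicKeyInfo, the form used by HTTP Public Key Pinning and by Android's network security configuration. The function names, the tiny DER helpers and the sample certificate (an unsigned, syntactically minimal X.509 structure built only so the pin extraction can be exercised offline) are assumptions of this example, not real certificates or keys.

```python
"""Added example: hardened TLS client context plus SPKI public-key pinning.
Not code from the OWASP MASVS or the ISM; helper names are this example's own."""
import base64
import hashlib
import socket
import ssl


def _der(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _der_tlv(buf: bytes, pos: int):
    """Decode the TLV starting at buf[pos]; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der_children(seq_value: bytes):
    """Yield (tag, raw_tlv_bytes) for every element inside a SEQUENCE body."""
    pos = 0
    while pos < len(seq_value):
        tag, _, end = _der_tlv(seq_value, pos)
        yield tag, seq_value[pos:end]
        pos = end


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.
    TBSCertificate = [0] version (optional), serial, sigAlg, issuer, validity, subject, spki, ..."""
    _, cert_body, _ = _der_tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    _, tbs_body, _ = _der_tlv(cert_body, 0)        # first child: TBSCertificate SEQUENCE
    fields = [raw for tag, raw in _der_children(tbs_body) if tag != 0xA0]  # drop [0] version
    return fields[5]                               # 0 serial, 1 sigAlg, 2 issuer, 3 validity, 4 subject, 5 spki


def spki_pin(cert_der: bytes) -> str:
    """Base64(SHA-256(SubjectPublicKeyInfo)), the pin format used by HPKP and Android."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pin_matches(cert_der: bytes, pins) -> bool:
    """True when the presented certificate's key pin is in the allow-list (a backup pin belongs here too)."""
    return spki_pin(cert_der) in set(pins)


def make_client_context() -> ssl.SSLContext:
    """Platform defaults kept: CA validation, hostname check, TLS 1.2 minimum (1.3 negotiated when available)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Self-check that none of the secure defaults has been switched off."""
    return (ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def connect_pinned(host: str, port: int, pins, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it, before any application data is sent,
    unless the server's leaf key matches one of the pins."""
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = make_client_context().wrap_socket(raw, server_hostname=host)  # chain + hostname verified here
    try:
        if not pin_matches(tls.getpeercert(binary_form=True), pins):
            raise ssl.SSLError(f"public key pin mismatch for {host}")
    except Exception:
        tls.close()
        raise
    return tls


# Constructed sample key material (NOT a real key): Ed25519 OID 1.3.101.112 with a dummy 32-byte value.
SAMPLE_SPKI_DER = _der(0x30, _der(0x30, _der(0x06, b"\x2b\x65\x70")) + _der(0x03, b"\x00" + bytes(range(32))))


def sample_certificate() -> bytes:
    """Constructed, unsigned, syntactically minimal certificate used only to exercise extract_spki()."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, b"example"))))
    alg = _der(0x30, _der(0x06, b"\x2b\x65\x70"))
    validity = _der(0x30, _der(0x17, b"240101000000Z") * 2)
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + alg + name + validity + name + SAMPLE_SPKI_DER)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + bytes(64)))
```

Pinning the key rather than the whole certificate lets the operator rotate certificates without an app update as long as the key is reused, and shipping a second pin for a backup key avoids locking users out if the primary key is lost. Note that the pin check runs after the normal chain and hostname validation, so it narrows the set of accepted endpoints rather than replacing CA validation.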
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-04-04-01-01 | Implement secure network communication using TLS | Ensure all network communication between the app and remote endpoints uses the latest version of TLS (e.g., TLS 1.3), with secure ciphers and proper server authentication. | Development | Development teams, Security team |
SSS-02-04-04-01-02 | Enforce certificate or public key pinning | Pin certificates or public keys for endpoints under the developer’s control to prevent man-in-the-middle (MITM) attacks and restrict trusted root CAs. | Development | Development teams, Security team |
SSS-02-04-04-01-03 | Disable insecure protocols and APIs | Block insecure protocols (e.g., HTTP) and prevent the use of outdated or insecure libraries for network communication. | Development | Development teams, QA team |
SSS-02-04-04-01-04 | Monitor and audit network security | Use automated tools to regularly test and monitor for any deviations from secure network communication practices, such as weak cipher usage or expired certificates. | Post-deployment | Security team, Risk management team |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1922) | The Open Worldwide Application Security Project (MASVS-NETWORK) | The Open Worldwide Application Security Project (MASVS-NETWORK) |