[ISM] Mobile Application Security (OWASP):

The Open Worldwide Application Security Project (OWASP) Mobile Application Security Verification Standard is used in the development of mobile applications.

[OWASP] Follow best practices for platform interactions (SSS-02-04-05)

Follow best practices for secure interaction with the mobile platform’s APIs and resources, as well as with other installed apps. Limit permissions to those necessary for the app's functionality, and prevent data leakage or unauthorized interactions with other apps.

[OWASP] Secure interactions with platform APIs and app resources (SSS-02-04-05-01)

Secure IPC mechanisms. Ensure that every interaction that uses Inter-Process Communication (IPC) is securely configured: expose only the data and functionality essential for the app's operation, and verify that interactions between the app and other installed apps are both secure and intentional.

Secure WebView configurations. Configure WebViews to prevent vulnerabilities such as data leakage or unauthorized access. Disable functionality that is not needed (for example JavaScript bridges) unless it is required, and apply security headers to mitigate risks associated with sensitive operations involving the user interface.

Protect sensitive data in the user interface. Implement safeguards so that sensitive data displayed in the user interface (e.g., passwords, credit card information, OTP codes) is not unintentionally exposed. Address risks such as auto-generated screenshots, shoulder surfing, and accidental disclosure through measures such as masking data, secure overlays, and disabling unnecessary notifications.

Operations

| ID | Operation | Description | Phase | Agent |
|----|-----------|-------------|-------|-------|
| SSS-02-04-05-01-01 | Secure inter-process communication (IPC) | Use platform-provided IPC mechanisms securely to prevent unauthorized access or unintended data sharing between apps. | Development | Development teams, Security team |
| SSS-02-04-05-01-02 | Configure WebViews securely | Ensure WebViews are configured securely by disabling JavaScript if not required and restricting navigation to trusted domains only. | Development | Development teams, Security team |
| SSS-02-04-05-01-03 | Protect sensitive data in the user interface | Mask sensitive data displayed in the UI and prevent platform mechanisms like auto-generated screenshots from capturing sensitive screens. | Development | Development teams, QA team |
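The three operations above, shown together in one Android screen as an added example (Kotlin). This code is not from OWASP, the ISM or any project the page describes; the package name, activity names, the allow-listed host and the receipt extra are assumptions made for the illustration.

```kotlin
// Added example: one Android Activity applying SSS-02-04-05-01-01..03.
// Package, class names and the allow-listed host are assumed values.
package com.example.securebank

import android.content.Intent
import android.net.Uri
import android.os.Bundle
import android.view.WindowManager
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient
import androidx.appcompat.app.AppCompatActivity

class SecurePaymentActivity : AppCompatActivity() {

    // Only this host may be loaded or navigated to inside the WebView (assumed value).
    private val allowedHost = "payments.example.com"

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // SSS-02-04-05-01-03: FLAG_SECURE blocks screenshots, screen recording and
        // the recent-apps thumbnail for this screen, which shows card data.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )

        val webView = WebView(this)
        setContentView(webView)
        configureWebView(webView)
        webView.loadUrl("https://$allowedHost/checkout")
    }

    // SSS-02-04-05-01-02: keep the WebView surface minimal. JavaScript stays off,
    // local file/content access is disabled, and every navigation is checked
    // against the allow-list before the WebView follows it.
    private fun configureWebView(webView: WebView) {
        with(webView.settings) {
            javaScriptEnabled = false
            allowFileAccess = false
            allowContentAccess = false
            setGeolocationEnabled(false)
            javaScriptCanOpenWindowsAutomatically = false
        }
        WebView.setWebContentsDebuggingEnabled(false)
        webView.webViewClient = object : WebViewClient() {
            override fun shouldOverrideUrlLoading(
                view: WebView,
                request: WebResourceRequest
            ): Boolean {
                // Returning true cancels the navigation; anything off the
                // allow-list (other hosts, http://, custom schemes) is dropped.
                return !isAllowed(request.url)
            }
        }
    }

    private fun isAllowed(url: Uri): Boolean =
        url.scheme == "https" && url.host.equals(allowedHost, ignoreCase = true)

    // SSS-02-04-05-01-03: mask the PAN before it is rendered; only the last four
    // digits reach the screen, so shoulder surfing or a leaked view yields little.
    fun maskCardNumber(pan: String): String {
        val digits = pan.filter { it.isDigit() }
        return if (digits.length <= 4) digits else "**** **** **** " + digits.takeLast(4)
    }

    // SSS-02-04-05-01-01: hand the receipt to our own component with an explicit
    // Intent (target class named, not an action string), so no other installed
    // app can register an intent-filter and receive the extra.
    private fun shareReceipt(receiptId: String) {
        val intent = Intent(this, ReceiptActivity::class.java)
            .putExtra(EXTRA_RECEIPT_ID, receiptId)
        startActivity(intent)
    }

    companion object {
        const val EXTRA_RECEIPT_ID = "com.example.securebank.extra.RECEIPT_ID"
    }
}

// Hypothetical receiving component; declare it with android:exported="false"
// in the manifest so it is reachable only from this app.
class ReceiptActivity : AppCompatActivity()
```

The explicit Intent is what makes the IPC step hold: an implicit Intent carrying the same extra could be claimed by any app whose intent-filter matches the action, whereas naming the component pins delivery to this package. The WebView checks complement, rather than replace, server-side controls; they only bound what the embedded browser will load and execute on the device.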

References

| Industry framework | Academic work | Real-world case |
|--------------------|---------------|-----------------|
| Information Security Manual (ISM-1922) | | |
| The Open Worldwide Application Security Project (MASVS-PLATFORM) | | |