The Open Worldwide Application Security Project (OWASP) Mobile Application Security Verification Standard (MASVS) is used in the development of mobile applications.
Follow secure coding practices to process data safely and prevent vulnerabilities, such as input validation flaws or insecure data handling. Regularly update the app to address security patches, incorporate new security features, and keep up with evolving security standards.
Ensure an up-to-date platform version. Require that the app operates only on the latest platform versions so that it benefits from current security patches and features. Older platform versions expose users to known vulnerabilities; this control ensures the app runs with the highest level of platform security available.

Implement mandatory update mechanisms. Include mechanisms that enforce critical app updates for all users, so that vulnerabilities discovered after deployment are mitigated promptly and users cannot continue running outdated, insecure versions of the app.

Rely only on software components without known vulnerabilities. Adopt a strict policy of using only software libraries and components verified as free from known vulnerabilities. Perform regular vulnerability scans on all dependencies, and avoid unsupported or unmaintained third-party components, to mitigate common and exploitable risks.

Validate and sanitize all untrusted inputs. Secure every entry point into the app (user input, IPC channels, the file system and network traffic) by validating and sanitizing the data it receives, eliminating the risk of injection attacks (for example SQL injection and XSS) and insecure deserialization. Treat all incoming data as untrusted and apply stringent verification before using it.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-04-06-01-01 | Require up-to-date platform versions | Ensure the app requires a minimum OS version that includes critical security patches and features to protect against known vulnerabilities. | Development | Development teams, Security team |
SSS-02-04-06-01-02 | Enforce app updates mechanism | Implement mechanisms to require users to update to the latest app version when critical vulnerabilities are fixed. | Deployment | DevOps team, Security team |
SSS-02-04-06-01-03 | Use secure and vulnerability-free components | Regularly scan all software dependencies and third-party libraries for known vulnerabilities and replace outdated components with secure alternatives. | Development | Development teams, QA team |
SSS-02-04-06-01-04 | Validate and sanitize all untrusted inputs | Validate and sanitize all inputs from UI, IPC, network, and file system sources to prevent injection attacks or bypasses of security checks. | Development | Development teams, Security team |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1922); The Open Worldwide Application Security Project (MASVS-CODE) | | |