The Open Worldwide Application Security Project (OWASP) Mobile Application Security Verification Standard is used in the development of mobile applications.
Implement protections against reverse engineering and tampering, such as code obfuscation, integrity checks, and anti-tampering mechanisms. This helps protect intellectual property, sensitive code, and data from unauthorized modification or extraction by attackers.
Validate platform integrity. Ensure the app verifies the integrity of the operating platform it runs on. Compromised platforms may disable critical security features, exposing app data to risks. This control ensures the app trusts its environment by validating that essential security features (e.g., secure storage, biometrics, sandboxing) remain uncompromised.

Implement anti-tampering mechanisms. Protect the app from being modified or redistributed in unauthorized ways (e.g., enabling premium features for free or uploading malicious versions to third-party stores). Anti-tampering controls ensure the app's code and resources maintain their original integrity, preventing unauthorized modifications.

Employ anti-static analysis measures. Obfuscate and protect the app's code to make it difficult for attackers to analyze and understand its inner workings using static analysis tools. These measures increase the effort required to reverse engineer the app, safeguarding its intellectual property and security features.

Utilize anti-dynamic analysis techniques. Deploy runtime protections to hinder dynamic analysis techniques, such as observing and manipulating the app's behavior during execution. Prevent dynamic instrumentation and runtime modifications that attackers could use to extract sensitive data or modify app behavior.

By combining these measures, the app achieves a higher level of security, protecting its functionality, data, and intellectual property against tampering and reverse engineering threats.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-04-07-01-01 | Validate platform integrity | Check whether the app is running on a secure and untampered platform, ensuring that essential security features like sandboxing and secure storage can be trusted. | Development | Development teams, Security team |
SSS-02-04-07-01-02 | Implement anti-tampering mechanisms | Protect the app against modifications by validating its code and resource integrity at runtime and preventing execution of modified versions. | Development | Security team, DevOps team |
SSS-02-04-07-01-03 | Obfuscate code and use anti-static analysis mechanisms | Make reverse engineering of the app more challenging by obfuscating code and adding layers of protection against static analysis tools. | Development | Development teams, Security team |
SSS-02-04-07-01-04 | Implement anti-dynamic analysis protections | Detect and prevent dynamic analysis attempts by using techniques such as anti-debugging and runtime behavior validation. | Development | Security team, QA team |
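The runtime integrity check of SSS-02-04-07-01-02 and the anti-debugging check of SSS-02-04-07-01-04 are easier to reason about with a concrete implementation. The following is an added example written for this page; it is not code from OWASP MASVS or from any mobile project. It is platform-neutral Python: the resource names, their contents, and the two `/proc/self/status` dumps are constructed here, and the manifest is built in-process for the demonstration. In a shipped app the expected digests would be produced at build time and anchored where a tamperer cannot rewrite them alongside the resources (covered by the platform package signature or a detached signature verified with an embedded public key); a manifest the app can update itself protects nothing.

```python
"""Added example (not part of the MASVS text): a fail-closed resource
integrity check plus a ptrace-attach (TracerPid) check, two of the runtime
resilience controls the table above lists. All inputs are constructed."""

import hashlib
import hmac
from typing import Dict, List, Mapping

# Constructed "bundled resources" as shipped: path -> bytes.
SHIPPED_RESOURCES: Dict[str, bytes] = {
    "config/features.json": b'{"premium": false}',
    "assets/strings.txt": b"Welcome",
}


def build_manifest(resources: Mapping[str, bytes]) -> Dict[str, str]:
    """Build-time step: one SHA-256 hex digest per resource.

    Real pipelines anchor this manifest outside the attacker's reach
    (package signature, detached signature); here it is built in-process
    only so the example runs stand-alone."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in resources.items()}


def verify_resources(manifest: Mapping[str, str], present: Mapping[str, bytes]) -> List[str]:
    """Runtime step: return every problem found; an empty list means intact.

    Fails closed: a missing file, a modified file and an unexpected extra
    file are all reported rather than silently tolerated."""
    problems: List[str] = []
    for name, expected in manifest.items():
        data = present.get(name)
        if data is None:
            problems.append(f"missing: {name}")
            continue
        actual = hashlib.sha256(data).hexdigest()
        # Constant-time compare so timing does not reveal how many leading
        # digest characters matched.
        if not hmac.compare_digest(actual, expected):
            problems.append(f"modified: {name}")
    for name in present:
        if name not in manifest:
            problems.append(f"unexpected: {name}")
    return problems


def tracer_pid(proc_status_text: str) -> int:
    """Parse the TracerPid field of a Linux/Android /proc/self/status dump.

    A non-zero value means some process is ptrace-attached to us (debugger
    or instrumentation); 0 means nobody is attached."""
    for line in proc_status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    raise ValueError("TracerPid field not found")


def resilience_report(manifest: Mapping[str, str], present: Mapping[str, bytes],
                      proc_status_text: str) -> Dict[str, object]:
    """Combine both checks into one decision record the app can act on
    (e.g. refuse to start, or degrade to a non-sensitive mode)."""
    problems = verify_resources(manifest, present)
    pid = tracer_pid(proc_status_text)
    return {
        "resources_intact": not problems,
        "problems": problems,
        "debugger_attached": pid != 0,
        "tracer_pid": pid,
    }


# Constructed /proc/self/status excerpts: one untraced, one with a tracer.
STATUS_CLEAN = "Name:\tapp\nState:\tS (sleeping)\nTracerPid:\t0\nUid:\t10123\n"
STATUS_TRACED = "Name:\tapp\nState:\tt (tracing stop)\nTracerPid:\t4242\nUid:\t10123\n"

if __name__ == "__main__":
    manifest = build_manifest(SHIPPED_RESOURCES)
    tampered = dict(SHIPPED_RESOURCES)
    tampered["config/features.json"] = b'{"premium": true}'  # the "free premium" case
    print(resilience_report(manifest, SHIPPED_RESOURCES, STATUS_CLEAN))
    print(resilience_report(manifest, tampered, STATUS_TRACED))
```

The tampered run reports `modified: config/features.json` and `debugger_attached: True`, while the clean run reports neither. On a real device the status text comes from reading `/proc/self/status`, and the response to a failed check is a product decision (refuse to run, disable sensitive features, or report to the backend); the checks themselves only produce the signal.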
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1922); The Open Worldwide Application Security Project (MASVS-RESILIENCE) | | |