MASVS Notes
Last updated
Was this helpful?
Last updated
Was this helpful?
🔗
🔗
MASVS (Mobile Application Security Verification Standard)
Security Standard - focus on how mobile apps handle, store, protect sensitive information and Standardize the security requirements with a baseline for mobile app security, allowing defense-in-depth measures and protection against client-side threats.
MASVS only covers the security of the client-side mobile app.
Mobile Attack Surface
Storage
Cryptography
Authentication & Authorization
Network communication
Platform interaction
Code quality
Resilience against reverse engineering & tampering
Each control group is labeled with MASVS-XXXXX and each individual control with MASVS-XXXXX-Y.
Security Testing Profiles
before 2023: 3 verification levels (L1, L2, R)
2023: alighend with NIST OSCAL
Native apps written in Java/Kotlin for Android or Objective-C/Swift for iOS.
Apps based on cross-platform (Flutter, React Native, Xamarin, Ionic, etc.) and hybrid (Cordova, PhoneGap, Framework7, Onsen UI, etc.) frameworks - susceptible to platform-specific vulnerabilities.
Secure storage of sensitive data on a device (data-at-rest).
PII (Personally identifiable information)
Cryptographic material
Secrets, Credentials
API keys
Any sensitive data intentially stored by the app must be properly protected, regardless of the target (internal storage) location. If possible, use hardware-backed security features for apps development.
The app securely stores sensitive data.
Intentional storage location may be:
app's internal (private) storage
public (accessible by user/other apps)
Ensure any sensitive data is properly protected
The app prevents leakage of sensitive data.
Unintentional (public) storage location
using certain APIs, backup, logs
Ensure prevention of unintentional leaks
Cryptographic functionality used to protect sensitive data.
Ensure that the app uses cryptography and keys management (generation, storage, protection, encryption) according to industry best practices
Avoid physical access to sensitive data
The app employs current strong cryptography and uses it according to industry best practices.
External cryptography standards for securing the user's data
The app performs key management according to industry best practices.
Manage cryptographic keys lifecycle (generation, storage, protection)
Authentication and authorization mechanisms used by the mobile app.
Implement correct user identity validation with Biometrics, Pin, multi-factor authenticatin code generators, to prevent unauthorized access.
Remote/local app secure auth
The app uses secure authentication and authorization protocols and follows relevant best practices.
Apps must use secure protocols to authenticate to a remote endpoint
The app performs local authentication securely according to the platform best practices.
Correctly implement local & remote authentication (biometrics, local PIN code)
The app secures sensitive operations with additional authentication.
Securely implement additional authentication methods for sensitive actions inside the app (biometric, pin, MFA, email, deep links, etc)
Secure network communication between the mobile app and remote endpoints (data-in-transit).
Ensure exchanged data confidentiality and integrity
Apps must set up a secure, encrypted network communicatino channel using the TLS protocol.
Trust only specific Certificate Authorities
The app secures all network traffic according to the current best practices.
Ensure in-transit Data privacy & integrity, using TLS protocol, in any situation, avoiding security bypass/disabling
The app performs identity pinning for all remote endpoints under the developer's control.
Only very specific CAs are trusted = certificate/public key pinning
Secure interaction with the underlying mobile platform and other installed apps.
Mobile platform app's interactions must occur securely, using secure platform-provided IPC mechanisms & WebView configurations
IPC (inter-process communication)
Prevent sensitive data leakage
Secure display sensitive data in app's user interface (passwords, credit card details, one-time pwds notifications)
The app uses IPC mechanisms securely.
Ensure secure interactions (through IPC mechanisms) between user and installed apps
The app uses WebViews securely.
Secure WebViews configuration, preventing data leakage & sensitive functionality exposure (e.g. JavaScript to native code)
The app uses the user interface securely.
Avoid data unintentionally leakage due to platform mechanism (screenshots, UI data displaying)
Security best practices for data processing and keeping the app up-to-date.
Data entry points: UI, IPC, Network, File System
Treat data as untrusted input, verify and sanitize it before use - prevention of injection attacks (SQL, XSS, insecure deserialization) and bypass of security checks
The app requires an up-to-date platform version.
Ensure users have the latest security protections (OS patches)
The app has a mechanism for enforcing app updates.
Force app updates
The app only uses software components without known vulnerabilities.
Conver "low-hanging fruits" by scanning libraries for known vulnerabilities
The app validates and sanitizes all untrusted inputs
Data inputs sanitized before usage: UI, IPC, network, file system, etc
Resilience to reverse engineering and tampering attempts.
Defense-in-depth measures (code obfuscation, anti-debugging, anti-tampering, etc)
App run on trusted platform, prevent runtime tampering, integrity of app's inteded functionality
Quanto l'app è in grado di resistere ad un attacco mirato?
e.g. Se l'app B2C root check, antiroot, saperlo e bloccarsi
The app validates the integrity of the platform.
Validates the OS is not tampered/compromised and its security features can be trusted.
The app implements anti-tampering mechanisms.
Ensure app's integrity, preventing original code and resources modifications
The app implements anti-static analysis mechanisms.
Impede comprehension of the app's functioning with static analysis.
The app implements anti-dynamic analysis techniques.
Prevent dynamic analysis/instrumentation of the app, avoiding code modification at runtime