Slide 1

6.53 MOBILE APPLICATION SECURITY
OWASP MASVS

Slide 2

WHAT IS IT?

The official GitHub repository of the OWASP Mobile Application Security Verification Standard (MASVS), available as:
- PDF
- Web page
- Excel file
- YAML

Slide 3

USE CASE SCENARIOS

- METRIC: to provide a security standard against which existing mobile apps can be compared by developers and application owners.
- PROCUREMENT: to provide a baseline for mobile app security verification.
- GUIDANCE: to provide guidance during all phases of mobile app development and testing.

Slide 4

GUIDANCE FOR CERTIFYING MOBILE APPS

In an “open book” review, testers are granted access to key resources such as the architects and developers of the app, project documentation, source code, and authenticated access to endpoints, including at least one user account for each role.

7/1/20XX Pitch deck title 4

Slide 5

HOW NOT TO

Slide 6

HOW TO

Slide 7

VERIFICATION LEVELS

Slide 8

VERIFICATION LEVELS IN DETAIL

- MASVS-L1: Standard Security. The app fulfills basic requirements in terms of code quality, handling of sensitive data, and interaction with the mobile environment.
- MASVS-L2: Defense-in-Depth. For apps that handle highly sensitive data.
- MASVS-R: Resiliency Against Reverse Engineering and Tampering. The app has state-of-the-art security and is also resilient against specific, clearly defined client-side attacks, such as tampering, modding, or reverse engineering to extract sensitive code or data.

Slide 9

RECOMMENDED USE

- MASVS-L1: all mobile apps.
- MASVS-L2: healthcare, financial industry.
- MASVS-L1+R:
  - Mobile apps where Intellectual Property (IP) protection is a business goal
  - Gaming industry
- MASVS-L2+R:
  - Financial industry: online banking apps that allow the user to move funds
  - All mobile apps that, by design, need to store sensitive data on the mobile device and at the same time must support a wide range of devices and operating system versions
  - Apps with in-app purchases if there is no server-side protection

Slide 10

THE CLASSICAL TRADE-OFF

[Diagram: axes EXPENSIVE / AFFORDABLE and GOOD UX / BAD UX, with the “Equilibrium” point marked]

Slide 11

CONTROLS

- Architecture, Design and Threat Modeling Requirements
- Cryptography Requirements
- Data Storage and Privacy Requirements
- Authentication and Session Management Requirements
- Platform Interaction Requirements
- Network Communication Requirements
- Resiliency Against Reverse Engineering Requirements
- Code Quality and Build Setting Requirements

Slide 12

LET'S SEE THE CHECKLIST

Slide 13

V1: ARCHITECTURE, DESIGN AND THREAT MODELING REQUIREMENTS

The category “V1” lists requirements pertaining to the architecture and design of the app. As such, this is the only category that does not map to technical test cases in the OWASP Mobile Testing Guide.

Slide 14

V2: DATA STORAGE AND PRIVACY REQUIREMENTS

The protection of sensitive data, such as user credentials and private information, is a key focus in mobile security:
- Personally identifiable information
- Highly sensitive data
- Any data that must be protected by law or for compliance reasons

Slide 15

V3: CRYPTOGRAPHY REQUIREMENTS

The purpose of this category is to ensure that the verified application uses cryptography according to industry best practices, including:
- Use of proven cryptographic libraries
- Proper choice and configuration of cryptographic primitives
- A suitable random number generator wherever randomness is required
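As an added example (not from the deck, the MASVS or the OWASP Mobile Testing Guide), this Java snippet puts the kind of finding the V3 requirements are written to catch next to a compliant version: a hard-coded key passed to Cipher.getInstance("AES"), which with no mode named resolves to ECB, versus a generated key, explicit AES/GCM with a fresh SecureRandom nonce per message, and authenticated decryption. It assumes a plain JDK; keeping the key in the Android Keystore rather than in app memory is outside what it shows, and the key value is a constructed placeholder.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class MasvsCryptoExample {
    // WEAK (what a V3 review flags): hard-coded key (constructed placeholder), and "AES" with no
    // mode resolves to AES/ECB/PKCS5Padding: equal plaintext blocks give equal ciphertext, no integrity.
    private static final byte[] HARDCODED_KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    public static byte[] weakEncrypt(byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(HARDCODED_KEY, "AES"));
        return cipher.doFinal(plaintext);
    }

    // COMPLIANT: explicit AES/GCM/NoPadding, SecureRandom-backed 256-bit key, fresh 12-byte nonce per message (prepended to the output), 128-bit tag.
    private static final int NONCE_BYTES = 12, TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();
    public static SecretKey generateKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, RNG);
        return kg.generateKey();
    }
    public static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce); // a nonce must never repeat under the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = Arrays.copyOf(nonce, NONCE_BYTES + ct.length);
        System.arraycopy(ct, 0, out, NONCE_BYTES, ct.length);
        return out;
    }
    public static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, NONCE_BYTES));
        return cipher.doFinal(blob, NONCE_BYTES, blob.length - NONCE_BYTES); // AEADBadTagException if tampered
    }
    public static void main(String[] args) throws Exception {
        byte[] msg = "ABCDEFGHIJKLMNOPABCDEFGHIJKLMNOP".getBytes(StandardCharsets.US_ASCII); // two equal 16-byte blocks
        byte[] weak = weakEncrypt(msg);
        System.out.println("ECB leaks structure: " + Arrays.equals(Arrays.copyOfRange(weak, 0, 16), Arrays.copyOfRange(weak, 16, 32)));
        SecretKey key = generateKey();
        System.out.println("GCM round trip: " + Arrays.equals(decrypt(key, encrypt(key, msg)), msg));
    }
}
```

The first line of output is true because ECB encrypts each block independently, which is exactly the structure leak a reviewer looks for; the second confirms the authenticated round trip.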

Slide 16

V4: AUTHENTICATION AND SESSION MANAGEMENT REQUIREMENTS

This category defines basic requirements regarding how user accounts and sessions are to be managed.

Slide 17

V5: NETWORK COMMUNICATION REQUIREMENTS

The purpose of these controls is to ensure the confidentiality and integrity of information exchanged between the mobile app and remote service endpoints.

Slide 18

V6: PLATFORM INTERACTION REQUIREMENTS

These controls ensure that the app uses platform APIs and standard components in a secure manner.

Slide 19

V7: CODE QUALITY AND BUILD SETTING REQUIREMENTS

The goal of this category is to ensure that basic security coding practices are followed in developing the app, and that the “free” security features offered by the compiler are activated.

Slide 20

V8: RESILIENCE REQUIREMENTS

This section covers defense-in-depth measures recommended for apps that process, or give access to, sensitive data or functionality.

Slide 21

THANK YOU