| Version | Date | Descirption |
|---|---|---|
| 1.0 | 11/15/2021 | Initial version based on OWASP MASVS version 1.3 and MASTG Version 1.2 |
| 1.1 | 1/11/2022 | No change to ADA specifications. OWASP MASVS updated to version 1.4 and MASTG updated to version 1.3 |
| 1.4-1.4 | 2/8/2022 | No change to ADA specifications. No change to OWASP MASVS. MASTG updated to version 1.4 |
| 1.5 | 7/13/2022 | Removed v1 from ADA specifications. No change to OWASP MASVS version 1.4 or MASTG version 1.4 |
| ID | MSTG-ID | Description | Test Procedures |
|---|---|---|---|
| 2.1 | MSTG-STORAGE-1 | System credential storage facilities need to be used to store sensitive data, such as PII, user credentials or cryptographic keys. | Testing Local Storage for Sensitive Data Testing Key Management |
| 2.2 | MSTG-STORAGE-2 | No sensitive data should be stored outside of the app container or system credential storage facilities. | Testing Local Storage for Sensitive Data |
| 2.3 | MSTG-STORAGE-3 | No sensitive data is written to application logs. | Testing Logs for Sensitive Data |
| 2.5 | MSTG-STORAGE-5 | The keyboard cache is disabled on text inputs that process sensitive data. | Determining Whether the Keyboard Cache Is Disabled for Text Input Fields |
| 2.7 | MSTG-STORAGE-7 | No sensitive data, such as passwords or pins, is exposed through the user interface. | Checking for Sensitive Data Disclosure Through the User Interface |
| 2.12 | MSTG-STORAGE-12 | The app educates the user about the types of personally identifiable information processed, as well as security best practices the user should follow in using the app. | Testing User Education |
| ID | MSTG-ID | Description | Test Procedures |
|---|---|---|---|
| 3.1 | MSTG-CRYPTO-1 | The app does not rely on symmetric cryptography with hardcoded keys as a sole method of encryption. | Testing Key Management |
| 3.2 | MSTG-CRYPTO-2 | The app uses proven implementations of cryptographic primitives. | Common Configuration Issues Testing the Configuration of Cryptographic Standard Algorithms |
| 3.3 | MSTG-CRYPTO-3 | The app uses cryptographic primitives that are appropriate for the particular use-case, configured with parameters that adhere to industry best practices. | Testing the Configuration of Cryptographic Standard Algorithms Common Configuration Issues |
| 3.4 | MSTG-CRYPTO-4 | The app does not use cryptographic protocols or algorithms that are widely considered deprecated for security purposes. | Identifying Insecure and/or Deprecated Cryptographic Algorithms Testing the Configuration of Cryptographic Standard Algorithms |
| 3.5 | MSTG-CRYPTO-5 | The app does not re-use the same cryptographic key for multiple purposes. | Testing Key Management |
| 3.6 | MSTG-CRYPTO-6 | All random values are generated using a sufficiently secure random number generator. | Testing Random Number Generation |
| ID | MSTG-ID | Description | Test Procedures |
|---|---|---|---|
| 4.1 | MSTG-AUTH-1 | If the app provides users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. | Testing Confirm Credentials Verifying that Appropriate Authentication is in Place Testing OAuth 2.0 Flows |
| 4.2 | MSTG-AUTH-2 | If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the users credentials. | Testing Stateful Session Management |
| 4.3 | MSTG-AUTH-3 | If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm. | Testing Stateless (Token-Based) Authentication Testing OAuth 2.0 Flows |
| 4.4 | MSTG-AUTH-4 | The remote endpoint terminates the existing session when the user logs out. | Testing User Logout |
| 4.5 | MSTG-AUTH-5 | A password policy exists and is enforced at the remote endpoint. | Testing Best Practices for Passwords |
| 4.6 | MSTG-AUTH-6 | The remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times. | Testing Best Practices for Passwords Dynamic Testing |
| 4.7 | MSTG-AUTH-7 | Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire. | Testing Session Timeout |
| ID | MSTG-ID | Description | Test Procedures |
|---|---|---|---|
| 5.1 | MSTG-NETWORK-1 | Data is encrypted on the network using TLS. The secure channel is used consistently throughout the app. | Verifying Data Encryption on the Network |
| 5.2 | MSTG-NETWORK-2 | The TLS settings are in line with current best practices, or as close as possible if the mobile operating system does not support the recommended standards. | Verifying Data Encryption on the Network |
| 5.3 | MSTG-NETWORK-3 | The app verifies the X.509 certificate of the remote endpoint when the secure channel is established. Only certificates signed by a trusted CA are accepted. | Testing Endpoint Identify Verification |
| ID | MSTG-ID | Description | Test Procedures |
|---|---|---|---|
| 6.1 | MSTG-PLATFORM-1 | The app only requests the minimum set of permissions necessary. | Testing App Permissions |
| 6.2 | MSTG-PLATFORM-2 | All inputs from external sources and the user are validated and if necessary sanitized. This includes data received via the UI, IPC mechanisms such as intents, custom URLs, and network sources. | Injection Flaws Cross-Site Scripting Flaws |
| 6.3 | MSTG-PLATFORM-3 | The app does not export sensitive functionality via custom URL schemes, unless these mechanisms are properly protected. | Testing Custom URL Schemes |
| 6.4 | MSTG-PLATFORM-4 | The app does not export sensitive functionality through IPC facilities, unless these mechanisms are properly protected. | Testing for Sensitive Functionality Exposure Through IPC |
| ID | MSTG-ID | Description | Test Procedures |
|---|---|---|---|
| 7.1 | MSTG-CODE-1 | The app is signed and provisioned with a valid certificate, of which the private key is properly protected. | Making Sure That the App is Properly Signed |
| 7.2 | MSTG-CODE-2 | The app has been built in release mode, with settings appropriate for a release build (e.g. non-debuggable). | Testing Whether the App is Debuggable |
| 7.3 | MSTG-CODE-3 | Debugging symbols have been removed from native binaries. | Testing for Debugging Symbols |
| 7.4 | MSTG-CODE-4 | Debugging code and developer assistance code (e.g. test code, backdoors, hidden settings) have been removed. The app does not log verbose errors or debugging messages. | Testing for Debugging Code and Verbose Error Logging |
| 7.5 | MSTG-CODE-5 | All third party components used by the mobile app, such as libraries and frameworks, are identified, and checked for known vulnerabilities. | Checking for Weaknesses in Third Party Libraries |
| 7.9 | MSTG-CODE-9 | Free security features offered by the toolchain, such as byte-code minification, stack protection, PIE support and automatic reference counting, are activated. | Make Sure That Free Security Features Are Activated |