Mobile Application Security C

MASVS-STORAGE: Storage
OWASP MASTG v1.7.0 (commit: 7172dfa) OWASP MASVS v2.0.0 (commit: f2e668b)

MASVS-ID Platform

MASVS-STORAGE-1

android

android

ios

MASVS-STORAGE-2

android

android

android
android

android

android

ios

ios

ios

ios

ios
obile Application Security Checklist
ASVS-STORAGE: Storage
SP MASTG v1.7.0 (commit: 7172dfa) OWASP MASVS v2.0.0 (commit: f2e668b)

Description L1 L2

The app securely stores sensitive data.

Testing Local Storage for Sensitive Data

Testing the Device-Access-Security Policy

Testing Local Data Storage

The app prevents leakage of sensitive data.

Determining Whether Sensitive Data Is Shared with Third Parties via Embedded Services

Determining Whether Sensitive Data Is Shared with Third Parties via Notifications

Testing Backups for Sensitive Data

Testing Memory for Sensitive Data

Determining Whether the Keyboard Cache Is Disabled for Text Input Fields

Testing Logs for Sensitive Data

Checking Logs for Sensitive Data

Testing Memory for Sensitive Data

Testing Backups for Sensitive Data

Finding Sensitive Data in the Keyboard Cache

Determining Whether Sensitive Data Is Shared with Third Parties

R Status
 Mobile Application Security C
MASVS-CRYPTO: Cryptography
OWASP MASTG v1.7.0 (commit: 7172dfa) OWASP MASVS v2.0.0 (commit: f2e668b)

MASVS-ID Platform

MASVS-CRYPTO-1

android

android

android

ios

ios

MASVS-CRYPTO-2

android
ios
obile Application Security Checklist
ASVS-CRYPTO: Cryptography
SP MASTG v1.7.0 (commit: 7172dfa) OWASP MASVS v2.0.0 (commit: f2e668b)

Description L1 L2

The app employs current strong cryptography and uses it according to industry best
practices.

Testing Symmetric Cryptography

Testing the Configuration of Cryptographic Standard Algorithms

Testing Random Number Generation

Verifying the Configuration of Cryptographic Standard Algorithms

Testing Random Number Generation

The app performs key management according to industry best practices.

Testing the Purposes of Keys

Testing Key Management
R Status
 Mobile Application Security C
MASVS-AUTH: Authentication and Auth
OWASP MASTG v1.7.0 (commit: 7172dfa) OWASP MASVS v2.0.0 (commit: f2e668b)

MASVS-ID Platform

MASVS-AUTH-1

MASVS-AUTH-2

android

android

ios

MASVS-AUTH-3
obile Application Security Checklist
ASVS-AUTH: Authentication and Authorization
SP MASTG v1.7.0 (commit: 7172dfa) OWASP MASVS v2.0.0 (commit: f2e668b)

Description L1 L2

The app uses secure authentication and authorization protocols and follows the relevant best
practices.

The app performs local authentication securely according to the platform best practices.

Testing Biometric Authentication

Testing Confirm Credentials

Testing Local Authentication

The app secures sensitive operations with additional authentication.

R Status
 Mobile Application Security C
MASVS-NETWORK: Network Commun
OWASP MASTG v1.7.0 (commit: 7172dfa) OWASP MASVS v2.0.0 (commit: f2e668b)

MASVS-ID Platform

MASVS-NETWORK-1

android

android

android

android

ios

ios

ios

MASVS-NETWORK-2
android

ios
obile Application Security Checklist
ASVS-NETWORK: Network Communication
SP MASTG v1.7.0 (commit: 7172dfa) OWASP MASVS v2.0.0 (commit: f2e668b)

Description L1 L2

The app secures all network traffic according to the current best practices.

Testing Endpoint Identify Verification

Testing the Security Provider

Testing Data Encryption on the Network

Testing the TLS Settings

Testing the TLS Settings

Testing Endpoint Identity Verification

Testing Data Encryption on the Network

The app performs identity pinning for all remote endpoints under the developer's control.
Testing Custom Certificate Stores and Certificate Pinning

Testing Custom Certificate Stores and Certificate Pinning

R Status
 Mobile Application Security C
MASVS-PLATFORM: Platform Interacti
OWASP MASTG v1.7.0 (commit: 7172dfa) OWASP MASVS v2.0.0 (commit: f2e668b)

MASVS-ID Platform

MASVS-PLATFORM-1

android

android

android

android

android

ios

ios
 ios

ios

ios

ios

ios

ios

MASVS-PLATFORM-2

android

android

android

android

ios
 ios

ios

MASVS-PLATFORM-3

android

android

android

ios

ios
obile Application Security Checklist
ASVS-PLATFORM: Platform Interaction
SP MASTG v1.7.0 (commit: 7172dfa) OWASP MASVS v2.0.0 (commit: f2e668b)

Description L1 L2

The app uses IPC mechanisms securely.

Testing for App Permissions

Testing for Vulnerable Implementation of PendingIntent

Testing for Sensitive Functionality Exposure Through IPC

Determining Whether Sensitive Stored Data Has Been Exposed via IPC Mechanisms

Testing Deep Links

Testing App Extensions

Testing Custom URL Schemes

Testing App Permissions

Determining Whether Sensitive Data Is Exposed via IPC Mechanisms

Testing UIPasteboard

Testing for Sensitive Functionality Exposure Through IPC

Testing UIActivity Sharing

Testing Universal Links

The app uses WebViews securely.

Testing WebView Protocol Handlers

Testing WebViews Cleanup

Testing JavaScript Execution in WebViews

Testing for Java Objects Exposed Through WebViews

Testing WebView Protocol Handlers

Testing iOS WebViews

Determining Whether Native Methods Are Exposed Through WebViews

The app uses the user interface securely.

Testing for Overlay Attacks

Checking for Sensitive Data Disclosure Through the User Interface

Finding Sensitive Information in Auto-Generated Screenshots

Checking for Sensitive Data Disclosed Through the User Interface

Testing Auto-Generated Screenshots for Sensitive Information

R Status
 Mobile Application Security C
MASVS-CODE: Code Quality
OWASP MASTG v1.7.0 (commit: 7172dfa) OWASP MASVS v2.0.0 (commit: f2e668b)

MASVS-ID Platform

MASVS-CODE-1

MASVS-CODE-2

android

ios

MASVS-CODE-3

android

ios

MASVS-CODE-4

android
android

android

android

android

android

android

ios

ios

ios
obile Application Security Checklist
ASVS-CODE: Code Quality
SP MASTG v1.7.0 (commit: 7172dfa) OWASP MASVS v2.0.0 (commit: f2e668b)

Description L1 L2

The app requires an up-to-date platform version.

The app has a mechanism for enforcing app updates.

Testing Enforced Updating

Testing Enforced Updating

The app only uses software components without known vulnerabilities.

Checking for Weaknesses in Third Party Libraries

Checking for Weaknesses in Third Party Libraries

The app validates and sanitizes all untrusted inputs.

Make Sure That Free Security Features Are Activated

Testing for Injection Flaws

Testing Local Storage for Input Validation

Memory Corruption Bugs

Testing Object Persistence

Testing Implicit Intents

Testing for URL Loading in WebViews

Testing Object Persistence

Memory Corruption Bugs

Make Sure That Free Security Features Are Activated

R Status
 Mobile Application Security C
MASVS-RESILIENCE: Resilience Again
Engineering and Tampering
OWASP MASTG v1.7.0 (commit: 7172dfa) OWASP MASVS v2.0.0 (commit: f2e668b)

MASVS-ID Platform

MASVS-RESILIENCE-1

android

android

ios

ios

MASVS-RESILIENCE-2

android

android
 android

ios

ios

MASVS-RESILIENCE-3

android

android

android

ios

ios

ios

MASVS-RESILIENCE-4

android
android

android

ios

ios

ios
obile Application Security Checklist
ASVS-RESILIENCE: Resilience Against Reverse
gineering and Tampering
SP MASTG v1.7.0 (commit: 7172dfa) OWASP MASVS v2.0.0 (commit: f2e668b)

Description L1 L2

The app validates the integrity of the platform.

Testing Root Detection

Testing Emulator Detection

Testing Jailbreak Detection

Testing Emulator Detection

The app implements anti-tampering mechanisms.

Testing File Integrity Checks

Testing Runtime Integrity Checks

Making Sure that the App is Properly Signed

Testing File Integrity Checks

Making Sure that the App Is Properly Signed

The app implements anti-static analysis mechanisms.

Testing for Debugging Symbols

Testing for Debugging Code and Verbose Error Logging

Testing Obfuscation

Testing for Debugging Code and Verbose Error Logging

Testing Obfuscation

Testing for Debugging Symbols

The app implements anti-dynamic analysis techniques.

Testing whether the App is Debuggable

Testing Reverse Engineering Tools Detection

Testing Anti-Debugging Detection

Testing Anti-Debugging Detection

Testing whether the App is Debuggable

Testing Reverse Engineering Tools Detection

R Status
 Mobile Application Security C
About
OWASP MASTG v1.7.0 (commit: 7172dfa) OWASP MASVS v2.0.0 (commit: f2e668b)

About the Project

The OWASP Mobile Application Security (MAS) flagship project led by Carlos Holguera and Sven Schleier
defines the industry standard for mobile application security.

https://mas.owasp.org/

The OWASP MASVS (Mobile Application Security Verification Standard) is a standard that establishes the
security requirements for mobile app security.

https://mas.owasp.org/MASVS/

The OWASP MASTG (Mobile Application Security Testing Guide) is a comprehensive manual for mobile app se
and reverse engineering. It describes technical processes for verifying the controls listed in the MASVS.

https://mas.owasp.org/MASTG/

Feedback

If you have any comments or suggestions, please post them on our GitHub Discussions.

https://github.com/OWASP/owasp-mastg/discussions/categories/ideas

Licence
Copyright © 2023 The OWASP Foundation. This work is licensed under a Creative Commons Attribution-ShareA
For any reuse or distribution, you must make clear to others the license terms of this work.

https://github.com/OWASP/owasp-mastg/blob/master/License.md
 obile Application Security Checklist
out
SP MASTG v1.7.0 (commit: 7172dfa) OWASP MASVS v2.0.0 (commit: f2e668b)

urity (MAS) flagship project led by Carlos Holguera and Sven Schleier
ile application security.

cation Security Verification Standard) is a standard that establishes the

security.

OWASP MASVS v2.0.0 (commit: f2e668b)

cation Security Testing Guide) is a comprehensive manual for mobile app security testing
technical processes for verifying the controls listed in the MASVS.

OWASP MASTG v1.7.0 (commit: 7172dfa)

ions, please post them on our GitHub Discussions.

mastg/discussions/categories/ideas

ndation. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
st make clear to others the license terms of this work.

mastg/blob/master/License.md