The mobile profile outlines a baseline set of security requirements and an associated test guide for mobile applications. This framework applies to developers who build apps that run on Android, Meta Quest, or Apple iOS.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
This program leverages the internationally recognized OWASP Mobile Application Security Verification Standard (MASVS) as its core. The OWASP MASVS offers a comprehensive set of security assessment requirements and guidelines covering the entire mobile application development lifecycle. Building upon this base, the App Defense Alliance (ADA) focused on testable requirements with clear acceptance criteria. Further, the ADA approach emphasizes the use of automation where possible.
1.1 Storage
1.1.1 The app securely stores sensitive data in external storage
1.1.2 The app prevents leakage of sensitive data
1.2 Cryptography
1.2.1 The app employs current strong cryptography and uses it according to industry best practices
1.2.2 The app performs key management according to industry best practices
1.3 Authentication and Authorization
1.3.1 The app uses secure authentication and authorization protocols and follows the relevant best practices
1.4 Network
1.4.1 The app secures all network traffic according to the current best practices
1.5 Platform
1.5.1 The app uses IPC mechanisms securely
1.5.2 The app uses WebViews securely
1.5.3 The app uses the user interface securely
1.6 Code
1.6.1 The app requires an up-to-date platform version
1.6.2 The app only uses software components without known vulnerabilities
1.6.3 The app validates and sanitizes all untrusted inputs
1.7 Resilience
1.7.1 The app implements anti-tampering mechanisms
1.7.2 The app implements anti-static analysis mechanisms
1.7.3 The app implements anti-dynamic analysis mechanisms
1.8 Privacy
1.8.1 The app minimizes access to sensitive data and resources
1.8.2 The app is transparent about data collection and usage
1.8.3 The app offers user control over their data
2.1 Storage
2.1.1 The app securely stores sensitive data in external storage
2.1.2 The app prevents leakage of sensitive data
2.2 Cryptography
2.2.1 The app employs current strong cryptography and uses it according to industry best practices
2.2.2 The app performs key management according to industry best practices
2.3 Authentication and Authorization
2.3.1 The app uses secure authentication and authorization protocols and follows the relevant best practices
2.4 Network
2.4.1 The app secures all network traffic according to the current best practices
2.5 Platform
2.5.1 The app uses IPC mechanisms securely
2.5.2 The app uses WebViews securely
2.5.3 The app uses the user interface securely
2.6 Code
2.6.1 The app requires an up-to-date platform version
2.6.2 The app only uses software components without known vulnerabilities
2.6.3 The app validates and sanitizes all untrusted inputs
2.7 Resilience
2.7.1 The app implements anti-tampering mechanisms
2.7.2 The app implements anti-static analysis mechanisms
2.7.3 The app implements anti-dynamic analysis techniques
2.8 Privacy
2.8.1 The app minimizes access to sensitive data and resources
2.8.2 The app is transparent about data collection and usage
2.8.3 The app offers user control over their data
See GitHub for full details