OWASP Foundation for OWASP® Foundation

The Case for Standards in Mobile App Security

by Carlos Holguera and Sven Schleier

In cyber security, staying ahead of potential threats and vulnerabilities is key, and adherence to industry standards is not just a best practice; it's a necessity. In this article, we will explore why it's crucial to follow an industry standard like the OWASP Mobile Application Security Verification Standard (MASVS), both from the perspective of those developing tools and services to assess mobile apps and from the perspective of those seeking compliance.

The Benefits of Industry Standards

Because industry standards like the OWASP MASVS provide comprehensive coverage of the mobile attack surface, testing performed against them remains consistent and reliable over time, which builds trust in the quality of a vendor's services.

Standards like the OWASP MASVS are backed by a large community of security professionals who ensure that new threats and best practices are quickly integrated into the standard, keeping it relevant and effective. Established standards also promote transparency in the testing process, allowing customers to clearly understand the scope and coverage of an assessment and preventing hidden gaps in security coverage.

Vendors adhering to recognized industry standards demonstrate professionalism, build trust, and simplify compliance efforts for organizations, ensuring credibility in delivering high-quality services. When comparing different vendors, having a known standard as a reference point makes it easier to evaluate the quality and scope of their services. It provides a common benchmark to assess their capabilities.

Additionally, by testing mobile apps against recognized standards, organizations can proactively manage and identify vulnerabilities early in the development lifecycle, minimizing the risk of costly post-release fixes.

The OWASP MAS Project and its Standards

The OWASP Mobile Application Security (MAS) flagship project provides a robust security standard for mobile apps, known as the OWASP MASVS, along with a comprehensive testing guide (OWASP MASTG). These resources cover the processes, techniques, and tools used during a mobile app security test, ensuring consistent and complete results.

[Image: two cards side by side, MASVS - Mobile Application Security Verification Standard and MASTG - Mobile Application Security Testing Guide]

The OWASP MASVS standard is divided into various groups of security controls, representing critical areas of the mobile attack surface, including:

  • MASVS-STORAGE: Secure storage of sensitive data on a device (data-at-rest).
  • MASVS-CRYPTO: Cryptographic functionality used to protect sensitive data.
  • MASVS-AUTH: Authentication and authorization mechanisms used by the mobile app.
  • MASVS-NETWORK: Secure network communication between the mobile app and remote endpoints (data-in-transit).
  • MASVS-PLATFORM: Secure interaction with the underlying mobile platform and other installed apps.
  • MASVS-CODE: Security best practices for data processing and app maintenance.
  • MASVS-RESILIENCE: Resilience to reverse engineering and tampering attempts.
  • MASVS-PRIVACY: Privacy controls to protect user privacy.

A Standard Backed by Standards

To complement the MASVS, the OWASP MAS project also provides the OWASP Mobile Application Security Testing Guide (MASTG) and the OWASP MAS Checklist. Together, these resources are the ideal companions for verifying the controls listed in the OWASP MASVS and for demonstrating compliance.

The Mobile Application Security Verification Standard (MASVS) is intertwined with various industry standards, underpinning its robustness and effectiveness. MASVS-CRYPTO relies on NIST.SP.800-175B and NIST.SP.800-57, which provide established cryptographic guidelines and assurance, ensuring that sensitive data within mobile apps remains secure.

While MASVS-AUTH comprehensively covers app-side authentication and authorization, it recognizes the importance of validating security on the remote endpoint, referencing industry standards like the OWASP Application Security Verification Standard (ASVS).

MASVS-CODE encourages developers to follow best practices from OWASP Software Assurance Maturity Model (SAMM) and NIST.SP.800-218 Secure Software Development Framework (SSDF) to prevent vulnerabilities during development.

MASVS-PRIVACY draws inspiration from essential privacy regulations like GDPR, COPPA, CCPA, and ENISA, providing a foundation for privacy considerations.

Conclusion

The importance of following industry standards like the OWASP MASVS in mobile app security cannot be overstated. It ensures consistency, comprehensiveness, and up-to-date protection against evolving threats. For vendors and customers alike, adherence to these standards is not just a matter of trust; it's a strategic choice that enhances security, credibility, and long-term cost-effectiveness in an increasingly mobile-centric world. So, choose your mobile app security provider wisely, and together, let's build a more secure mobile future.

OWASP Mobile Application Security - https://mas.owasp.org/
OWASP MASVS - https://mas.owasp.org/MASVS/
OWASP MASTG - https://mas.owasp.org/MASTG/
OWASP MAS Checklist - https://mas.owasp.org/checklists/

--

OWASP is a non-profit foundation that envisions a world with no more insecure software. Our mission is to be the global open community that powers secure software through education, tools, and collaboration. We maintain hundreds of open source projects, run industry-leading educational and training conferences, and meet through over 250 chapters worldwide.


Comments (1)

daniel shugrue:

Thank you, Carlos! I'm particularly interested in the "Resilience" group... are there particular industries where adherence to that group is most important?
