4 |
5 | The OWASP Mobile Application Security Verification Standard (MASVS) is the industry standard for mobile application security. It provides a comprehensive set of security controls that can be used to assess the security of mobile apps across various platforms (e.g., Android, iOS) and deployment scenarios (e.g., consumer, enterprise). The standard covers the key components of the mobile app attack surface including storage, cryptography, authentication and authorization, network communication, interaction with the mobile platform, code quality and resilience against reverse engineering and tampering.
6 |
7 | The OWASP MASVS is the result of years of community effort and industry feedback. We thank all the contributors who have helped shape this standard. We welcome your feedback on the OWASP MASVS at any time, especially as you apply it to your own organization and mobile app development projects. Getting inputs from a variety of mobile app developers will help us improve and update the standard which is revised periodically based on your inputs and feedback.
8 |
9 | You can provide feedback using GitHub Discussions in the OWASP MASVS repo 
15 |
16 |
17 |
18 |
19 | ## Authors
20 |
21 | ### Sven Schleier
22 |
23 | Sven is specialised in penetration testing and application security and has guided numerous projects to build security in from the start. He strongly believes in knowledge sharing and is speaking worldwide at meetups and conferences, is an adjunct professor and is conducting hands-on workshops about mobile app security to penetration testers, developers and students.
24 |
25 | ### Carlos Holguera
26 |
27 | Carlos is a mobile security research engineer with many years of hands-on experience in security testing for mobile apps and embedded systems such as automotive control units and IoT devices. He is passionate about reverse engineering and dynamic instrumentation of mobile apps and is continuously learning and sharing his knowledge.
28 |
29 | ### Jeroen Beckers
30 |
31 | Jeroen is a mobile security lead responsible for quality assurance on mobile security projects and for R&D on all things mobile. Ever since his master's thesis on Android security, Jeroen has been interested in mobile devices and their (in)security. He loves sharing his knowledge with other people, as is demonstrated by his many talks & trainings at colleges, universities, clients and conferences.
32 |
33 | ### Bernhard Mueller
34 |
35 | Bernhard is a cyber security specialist with a talent for hacking systems of all kinds. During more than a decade in the industry, he has published many zero-day exploits for software. BlackHat USA commended his pioneering work in mobile security with a Pwnie Award for Best Research.
36 |
37 | ### Jeroen Willemsen
38 |
39 | Jeroen is a principal security architect with a passion for mobile security and risk management. He has supported companies as a security coach, a security engineer and as a full-stack developer. He loves explaining technical subjects: from security issues to programming challenges.
40 |
41 |
42 |
43 | ## Contributors
44 |
45 | All of our contributors are listed in the Contributing section of the OWASP MAS website:
46 |
47 | 
54 |
55 |
56 |
57 | ## Changelog
58 |
59 | All our Changelogs are available online at the OWASP MASVS GitHub repository, see the Releases page:
60 |
61 | 
68 |
--------------------------------------------------------------------------------
/Document/03-Using_the_MASVS.md:
--------------------------------------------------------------------------------
1 | # The Mobile Application Security Verification Standard
2 |
3 | The Mobile Application Security Verification Standard (MASVS) is a comprehensive security standard developed by the Open Worldwide Application Security Project (OWASP). This framework provides a clear and concise set of guidelines and best practices for assessing and enhancing the security of mobile applications. The MASVS is designed to be used as a metric, guidance, and baseline for mobile app security verification, serving as a valuable resource for developers, application owners, and security professionals.
4 |
5 | The objective of the MASVS is to establish a high level of confidence in the security of mobile apps by providing a set of controls that address the most common mobile application security issues. These controls were developed with a focus on providing guidance during all phases of mobile app development and testing, and to be used as a baseline for mobile app security verification during procurement.
6 |
7 | By adhering to the controls outlined in the OWASP MASVS, organizations can ensure that their mobile applications are built with security in mind, reducing the risk of security breaches and protecting sensitive user data. Whether used as a metric, guidance, or baseline, the OWASP MASVS is an invaluable tool for enhancing the security of mobile applications.
8 |
9 | The OWASP MASVS is a living document and is regularly updated to reflect the changing threat landscape and new attack vectors. As such, it's important to [stay up-to-date](https://mas.owasp.org/MASVS/) with the latest version of the standard and adapt security measures accordingly.
10 |
11 | ## Mobile Application Security Model
12 |
13 | The standard is divided into various groups that represent the most critical areas of the mobile attack surface. These control groups, labeled **MASVS-XXXXX**, provide guidance and standards for the following areas:
14 |
15 | - **MASVS-STORAGE:** Secure storage of sensitive data on a device (data-at-rest).
16 | - **MASVS-CRYPTO:** Cryptographic functionality used to protect sensitive data.
17 | - **MASVS-AUTH:** Authentication and authorization mechanisms used by the mobile app.
18 | - **MASVS-NETWORK:** Secure network communication between the mobile app and remote endpoints (data-in-transit).
19 | - **MASVS-PLATFORM:** Secure interaction with the underlying mobile platform and other installed apps.
20 | - **MASVS-CODE:** Security best practices for data processing and keeping the app up-to-date.
21 | - **MASVS-RESILIENCE:** Resilience to reverse engineering and tampering attempts.
22 | - **MASVS-PRIVACY:** Privacy controls to protect user privacy.
23 |
24 | Each of these control groups contains individual controls labeled **MASVS-XXXXX-Y**, which provide specific guidance on the particular security measures that need to be implemented to meet the standard.
25 |
26 | ## MAS Testing Profiles
27 |
28 | The MAS project has traditionally provided three verification levels (L1, L2 and R), which were revisited during the MASVS refactoring in 2023, and have been reworked as ["MAS Testing Profiles"](https://docs.google.com/document/d/1paz7dxKXHzAC9MN7Mnln1JiZwBNyg7Gs364AJ6KudEs/edit?usp=sharing) and moved over to the OWASP MASTG. These profiles are now aligned with the [NIST OSCAL (Open Security Controls Assessment Language)](https://pages.nist.gov/OSCAL/) standard, which is a comprehensive catalog of security controls that can be used to secure information systems.
29 |
30 | By aligning with OSCAL, the MASVS provides a more flexible and comprehensive approach to security testing. OSCAL provides a standard format for security control information, which allows for easier sharing and reuse of security controls across different systems and organizations. This allows for a more efficient use of resources and a more targeted approach to mobile app security testing.
31 |
32 | However, it is important to note that implementing these profiles fully or partially should be a risk-based decision made in consultation with business owners. The profiles should be tailored to the specific security risks and requirements of the mobile application being developed, and any deviations from the recommended controls should be carefully justified and documented.
33 |
34 | ## Assumptions
35 |
36 | When using the MASVS, it's important to keep in mind the following assumptions:
37 |
38 | - The MASVS is not a substitute for following secure development best practices, such as secure coding or secure SDLC. These practices should be followed holistically in your development process and the MASVS complements them specifically for mobile apps.
39 | - The MASVS assumes that you've followed the relevant standards of your industry and country for all elements of your app's ecosystem, such as backend servers, IoT, and other companion devices.
40 | - The MASVS is designed to evaluate the security of mobile apps that can be analyzed statically by obtaining the app package, dynamically by running it on a potentially compromised device, and also considers any network-based attacks such as MITM.
41 |
42 | While the OWASP MASVS is an invaluable tool for enhancing the security of mobile applications, it cannot guarantee absolute security. It should be used as a baseline for security requirements, but additional security measures should also be implemented as appropriate to address specific risks and threats to the mobile app.
43 |
44 | ### Security Architecture, Design and Threat Modeling for Mobile Apps
45 |
46 | > The OWASP MASVS assumes that best practices for secure architecture, design, and threat modeling have been followed as a foundation.
47 |
48 | Security must be a top priority throughout all stages of mobile app development, from the initial planning and design phase to deployment and ongoing maintenance. Developers need to follow secure development best practices and ensure that security measures are prioritized to protect sensitive data, comply with policies and regulations, and identify and address security issues that can be targeted by attackers.
49 |
50 | While the MASVS and MASTG focuses on controls and technical test cases for app security assessments, non-technical aspects such as following best practices laid out by [OWASP Software Assurance Maturity Model (SAMM)](https://owaspsamm.org/model/) or [NIST.SP.800-218 Secure Software Development Framework (SSDF)](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf) for secure architecture, design, and threat modeling are still important. The MASVS can also be used as reference and input for a threat model to raise awareness of potential attacks.
51 |
52 | To ensure that these practices are followed, developers can provide documentation or evidence of adherence to these standards, such as design documents, threat models, and security architecture diagrams. Additionally, interviews can be conducted to collect information on adherence to these practices and provide an understanding of the level of compliance with these standards.
53 |
54 | ### Secure App Ecosystem
55 |
56 | > The OWASP MASVS assumes other relevant security standards are also leveraged to ensure that all systems involved in the app's operation meet their applicable requirements.
57 |
58 | Mobile apps often interact with multiple systems, including backend servers, third-party APIs, Bluetooth devices, cars, IoT devices, and more. Each of these systems may introduce their own security risks that must be considered as part of the mobile app's security design and threat modeling. For example, when interacting with a backend server, the [OWASP Application Security Verification Standard (ASVS)](https://owasp.org/www-project-application-security-verification-standard/) should be used to ensure that the server is secure and meets the required security standards. In the case of Bluetooth devices, the app should be designed to prevent unauthorized access, while for cars, the app should be designed to protect the user's data and ensure that there are no safety issues with the car's operation.
59 |
60 | ### Security Knowledge and Expertise
61 |
62 | > The OWASP MASVS assumes a certain level of security knowledge and expertise among developers and security professionals using the standard. It's important to have a good understanding of mobile app security concepts, as well as the relevant tools and techniques used for mobile app security testing and assessment. To support this, the OWASP MAS project also provides the [OWASP Mobile Application Security Testing Guide (MASTG)](https://mas.owasp.org/MASTG/), which provides in-depth guidance on mobile app security testing and assessment.
63 |
64 | Mobile app development is a rapidly evolving field, with new technologies, programming languages, and frameworks constantly emerging. It's essential for developers and security professionals to stay current with these developments, as well as to have a solid foundation in fundamental security principles.
65 |
66 | OWASP SAMM provides a dedicated ["Education & Guidance"](https://owaspsamm.org/model/governance/education-and-guidance/) domain which aims to ensure that all stakeholders involved in the software development lifecycle are aware of the software security risks and are equipped with the knowledge and skills to mitigate these risks. This includes developers, testers, architects, project managers, executives, and other personnel involved in software development and deployment.
67 |
68 | ## Applicability of the MASVS
69 |
70 | By adhering to the MASVS, businesses and developers can ensure that their mobile app are secure and meet industry-standard security requirements, regardless of the development approach used. This is the case for downloadable apps, as the project was traditionally focused on, but the MAS resources and guidelines are also applicable to other areas of the business such as preloaded applications and SDKs.
71 |
72 | ### Native Apps
73 |
74 | Native apps are written in platform-specific languages, such as Java/Kotlin for Android or Objective-C/Swift for iOS.
75 |
76 | ### Cross-Platform and Hybrid Apps
77 |
78 | Apps based on cross-platform (Flutter, React Native, Xamarin, Ionic, etc.) and hybrid (Cordova, PhoneGap, Framework7, Onsen UI, etc.) frameworks may be susceptible to platform-specific vulnerabilities that don't exist in native apps. For example, some JavaScript frameworks may introduce new security issues that don't exist in other programming languages. It is therefore essential to follow the security best practices of the used frameworks.
79 |
80 | The MASVS is agnostic to the type of mobile application being developed. This means that the guidelines and best practices outlined in the MASVS can be applied to all types of mobile apps, including cross-platform and hybrid apps.
81 |
82 | ### Preloads
83 |
84 | Preloaded apps are apps that are installed on a user's device at factory time and may have elevated privileges that leave users vulnerable to exploitative business practices. Given the large number of preloaded apps on an average user's device, it's important to measure their risk in a quantifiable way.
85 |
86 | There are hundreds of preloads that may ship on a device, and as a result, automation is critical. A subset of MAS criteria that is automation-friendly may be a good basis.
87 |
88 | ### SDKs
89 |
90 | SDKs play a vital role in the mobile app value chain, supplying code developers need to build faster, smarter, and more profitably. Developers rely on them heavily, with the average mobile app using 30 SDKs, and 90% of code sourced from third parties. While this widespread use delivers significant benefits to developers, it also propagates safety and security issues.
91 |
92 | SDKs offer a variety of functionality, and should be regarded as an individual project. You should evaluate how the MASVS applies to the used SDKs to ensure the highest possible security testing coverage.
93 |
--------------------------------------------------------------------------------
/Document/04-Assessment_and_Certification.md:
--------------------------------------------------------------------------------
1 | # Assessment and Certification
2 |
3 | ## OWASP's Stance on MASVS Certifications and Trust Marks
4 |
5 | OWASP, as a vendor-neutral not-for-profit organization, does not certify any vendors, verifiers or software.
6 |
7 | All such assurance assertions, trust marks, or certifications are not officially vetted, registered, or certified by OWASP, so an organization relying upon such a view needs to be cautious of the trust placed in any third party or trust mark claiming (M)ASVS certification.
8 |
9 | This should not inhibit organizations from offering such assurance services, as long as they do not claim official OWASP certification.
10 |
11 | ## Guidance for Certifying Mobile Apps
12 |
13 | The recommended way of verifying compliance of a mobile app with the MASVS is by performing an "open book" review, meaning that the testers are granted access to key resources such as architects and developers of the app, project documentation, source code, and authenticated access to endpoints, including access to at least one user account for each role.
14 |
15 | It is important to note that the MASVS only covers the security of the mobile app (client-side). It does not contain specific controls for the remote endpoints (e.g. web services) associated with the app and they should be verified against appropriate standards, such as the [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/).
16 |
17 | A certifying organization must include in any report the scope of the verification (particularly if a key component is out of scope), a summary of verification findings, including passed and failed tests, with clear indications of how to resolve the failed tests. Keeping detailed work papers, screenshots or recording, scripts to reliably and repeatedly exploit an issue, and electronic records of testing, such as intercepting proxy logs and associated notes such as a cleanup list, is considered standard industry practice. It is not sufficient to simply run a tool and report on the failures; this does not provide sufficient evidence that all issues at a certifying level have been tested and tested thoroughly. In case of dispute, there should be sufficient supportive evidence to demonstrate that every verified control has indeed been tested.
18 |
19 | ### Using the OWASP Mobile Application Security Testing Guide (MASTG)
20 |
21 | The [OWASP MASTG](https://mas.owasp.org/MASTG/) is a manual for testing the security of mobile apps. It describes the technical processes for verifying the controls listed in the MASVS. The MASTG includes a list of test cases, each of which map to a control in the MASVS. While the MASVS controls are high-level and generic, the MASTG provides in-depth recommendations and testing procedures on a per-mobile-OS basis.
22 |
23 | Testing the app's remote endpoints is not covered in the MASTG. For example:
24 |
25 | - **Remote Endpoints**: The [OWASP Web Security Testing Guide (WSTG)](https://owasp.org/www-project-web-security-testing-guide/) is a comprehensive guide with detailed technical explanation and guidance for testing the security of web applications and web services holistically and can be used in addition to other relevant resources to complement the mobile app security testing exercise.
26 | - **Internet of Things (IoT)**: The [OWASP IoT Security Testing Guide (ISTG)](https://owasp.org/owasp-istg/) provides a comprehensive methodology for penetration tests in the IoT field offering flexibility to adapt innovations and developments on the IoT market while still ensuring comparability of test results. The guide provides an understanding of communication between manufacturers and operators of IoT devices as well as penetration testing teams that's facilitated by establishing a common terminology.
27 |
28 | ### The Role of Automated Security Testing Tools
29 |
30 | The use of source code scanners and black-box testing tools is encouraged in order to increase efficiency whenever possible. It is however not possible to complete MASVS verification using automated tools alone, since every mobile app is different. In order to fully verify the security of the app it is essential to understand the overall architecture, business logic, and technical pitfalls of the specific technologies and frameworks being used.
31 |
32 | ## Other Uses
33 |
34 | ### As Detailed Security Architecture Guidance
35 |
36 | One of the more common uses for the Mobile Application Security Verification Standard is as a resource for security architects. The two major security architecture frameworks, SABSA or TOGAF, are missing a great deal of information that is necessary to complete mobile application security architecture reviews. MASVS can be used to fill in those gaps by allowing security architects to choose better controls for issues common to mobile apps.
37 |
38 | ### As a Replacement for Off-the-shelf Secure Coding Checklists
39 |
40 | Many organizations can benefit from adopting the MASVS, by choosing one of the two levels, or by forking MASVS and changing what is required for each application's risk level in a domain-specific way. We encourage this type of forking as long as traceability is maintained, so that if an app has passed control 4.1, this means the same thing for forked copies as the standard evolves.
41 |
42 | ### As a Basis for Security Testing Methodologies
43 |
44 | A good mobile app security testing methodology should cover all controls listed in the MASVS. The OWASP Mobile Application Security Testing Guide (MASTG) describes black-box and white-box test cases for each verification control.
45 |
46 | ### As a Guide for Automated Unit and Integration Tests
47 |
48 | The MASVS is designed to be highly testable, with the sole exception of architectural controls. Automated unit, integration and acceptance testing based on the MASVS controls can be integrated in the continuous development lifecycle. This not only increases developer security awareness, but also improves the overall quality of the resulting apps, and reduces the amount of findings during security testing in the pre-release phase.
49 |
50 | ### For Secure Development Training
51 |
52 | MASVS can also be used to define characteristics of secure mobile apps. Many "secure coding" courses are simply ethical hacking courses with a light smear of coding tips. This does not help developers. Instead, secure development courses can use the MASVS, with a strong focus on the proactive controls documented in the MASVS, rather than e.g. the Top 10 code security issues.
53 |
--------------------------------------------------------------------------------
/Document/05-MASVS-STORAGE.md:
--------------------------------------------------------------------------------
1 | # MASVS-STORAGE: Storage
2 |
3 | Mobile applications handle a wide variety of sensitive data, such as personally identifiable information (PII), cryptographic material, secrets, and API keys, that often need to be stored locally. This sensitive data may be stored in private locations, such as the app's internal storage, or in public folders that are accessible by the user or other apps installed on the device. However, sensitive data can also be unintentionally stored or exposed to publicly accessible locations, typically as a side-effect of using certain APIs or system capabilities such as backups or logs.
4 |
5 | This category is designed to help developers ensure that any sensitive data intentionally stored by the app is properly protected, regardless of the target location. It also covers unintentional leaks that can occur due to improper use of APIs or system capabilities.
6 |
--------------------------------------------------------------------------------
/Document/06-MASVS-CRYPTO.md:
--------------------------------------------------------------------------------
1 | # MASVS-CRYPTO: Cryptography
2 |
3 | Cryptography is essential for mobile apps because mobile devices are highly portable and can be easily lost or stolen. This means that an attacker who gains physical access to a device can potentially access all the sensitive data stored on it, including passwords, financial information, and personally identifiable information. Cryptography provides a means of protecting this sensitive data by encrypting it so that it cannot be easily read or accessed by an unauthorized user.
4 |
5 | The purpose of the controls in this category is to ensure that the verified app uses cryptography according to industry best practices, which are typically defined in external standards such as [NIST.SP.800-175B](https://csrc.nist.gov/publications/detail/sp/800-175b/rev-1/final) and [NIST.SP.800-57](https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final). This category also focuses on the management of cryptographic keys throughout their lifecycle, including key generation, storage, and protection. Poor key management can compromise even the strongest cryptography, so it is crucial for developers to follow the recommended best practices to ensure the security of their users' sensitive data.
6 |
--------------------------------------------------------------------------------
/Document/07-MASVS-AUTH.md:
--------------------------------------------------------------------------------
1 | # MASVS-AUTH: Authentication and Authorization
2 |
3 | Authentication and authorization are essential components of most mobile apps, especially those that connect to a remote service. These mechanisms provide an added layer of security and help prevent unauthorized access to sensitive user data. Although the enforcement of these mechanisms must be on the remote endpoint, it is equally important for the app to follow relevant best practices to ensure the secure use of the involved protocols.
4 |
5 | Mobile apps often use different forms of authentication, such as biometrics, PIN, or multi-factor authentication code generators, to validate user identity. These mechanisms must be implemented correctly to ensure their effectiveness in preventing unauthorized access. Additionally, some apps may rely solely on local app authentication and may not have a remote endpoint. In such cases, it is critical to ensure that local authentication mechanisms are secure and implemented following industry best practices.
6 |
7 | The controls in this category aim to ensure that the app implements authentication and authorization mechanisms securely, protecting sensitive user information and preventing unauthorized access. It is important to note that the security of the remote endpoint should also be validated using industry standards such as the [OWASP Application Security Verification Standard (ASVS)](https://owasp.org/www-project-application-security-verification-standard/).
8 |
--------------------------------------------------------------------------------
/Document/08-MASVS-NETWORK.md:
--------------------------------------------------------------------------------
1 | # MASVS-NETWORK: Network Communication
2 |
3 | Secure networking is a critical aspect of mobile app security, particularly for apps that communicate over the network. In order to ensure the confidentiality and integrity of data in transit, developers typically rely on encryption and authentication of the remote endpoint, such as through the use of TLS. However, there are numerous ways in which a developer may accidentally disable the platform secure defaults or bypass them entirely by utilizing low-level APIs or third-party libraries.
4 |
5 | This category is designed to ensure that the mobile app sets up secure connections under any circumstances. Specifically, it focuses on verifying that the app establishes a secure, encrypted channel for network communication. Additionally, this category covers situations where a developer may choose to trust only specific Certificate Authorities (CAs), which is commonly referred to as certificate pinning or public key pinning.
6 |
--------------------------------------------------------------------------------
/Document/09-MASVS-PLATFORM.md:
--------------------------------------------------------------------------------
1 | # MASVS-PLATFORM: Platform Interaction
2 |
3 | The security of mobile apps heavily depends on their interaction with the mobile platform, which often involves exposing data or functionality intentionally through the use of platform-provided inter-process communication (IPC) mechanisms and WebViews to enhance the user experience. However, these mechanisms can also be exploited by attackers or other installed apps, potentially compromising the app's security.
4 |
5 | Furthermore, sensitive data, such as passwords, credit card details, and one-time passwords in notifications, is often displayed in the app's user interface. It is essential to ensure that this data is not unintentionally leaked through platform mechanisms such as auto-generated screenshots or accidental disclosure through shoulder surfing or device sharing.
6 |
7 | This category comprises controls that ensure the app's interactions with the mobile platform occur securely. These controls cover the secure use of platform-provided IPC mechanisms, WebView configurations to prevent sensitive data leakage and functionality exposure, and secure display of sensitive data in the app's user interface. By implementing these controls, mobile app developers can safeguard sensitive user information and prevent unauthorized access by attackers.
8 |
--------------------------------------------------------------------------------
/Document/10-MASVS-CODE.md:
--------------------------------------------------------------------------------
1 | # MASVS-CODE: Code Quality
2 |
3 | Mobile apps have many data entry points, including the UI, IPC, network, and file system, which might receive data that has been inadvertently modified by untrusted actors. By treating this data as untrusted input and properly verifying and sanitizing it before use, developers can prevent classical injection attacks, such as SQL injection, XSS, or insecure deserialization. However, other common coding vulnerabilities, such as memory corruption flaws, are hard to detect in penetration testing but easy to prevent with secure architecture and coding practices. Developers should follow best practices such as the [OWASP Software Assurance Maturity Model (SAMM)](https://owaspsamm.org/model/) and [NIST.SP.800-218 Secure Software Development Framework (SSDF)](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf) to avoid introducing these flaws in the first place.
4 |
5 | This category covers coding vulnerabilities that arise from external sources such as app data entry points, the OS, and third-party software components. Developers should verify and sanitize all incoming data to prevent injection attacks and bypass of security checks. They should also enforce app updates and ensure that the app runs up-to-date platforms to protect users from known vulnerabilities.
6 |
--------------------------------------------------------------------------------
/Document/11-MASVS-RESILIENCE.md:
--------------------------------------------------------------------------------
1 | # MASVS-RESILIENCE: Resilience Against Reverse Engineering and Tampering
2 |
3 | Defense-in-depth measures such as code obfuscation, anti-debugging, anti-tampering, etc. are important to increase app resilience against reverse engineering and specific client-side attacks. They add multiple layers of security controls to the app, making it more difficult for attackers to successfully reverse engineer and extract valuable intellectual property or sensitive data from it, which could result in:
4 |
5 | - The theft or compromise of valuable business assets such as proprietary algorithms, trade secrets, or customer data
6 | - Significant financial losses due to loss of revenue or legal action
7 | - Legal and reputational damage due to breach of contracts or regulations
8 | - Damage to brand reputation due to negative publicity or customer dissatisfaction
9 |
10 | The controls in this category aim to ensure that the app is running on a trusted platform, prevent tampering at runtime and ensure the integrity of the app's intended functionality. Additionally, the controls impede comprehension by making it difficult to figure out how the app works using static analysis and prevent dynamic analysis and instrumentation that could allow an attacker to modify the code at runtime.
11 |
12 | Note, however, that **the absence of any of these measures does not necessarily cause vulnerabilities** - instead, they provide additional threat-specific protection. **All apps must also fulfill the rest of the OWASP MASVS** security controls according to their specific threat models.
13 |
--------------------------------------------------------------------------------
/Document/12-MASVS-PRIVACY.md:
--------------------------------------------------------------------------------
1 | # MASVS-PRIVACY: Privacy
2 |
3 | The main goal of MASVS-PRIVACY is to provide a **baseline for user privacy**. It is not intended to cover all aspects of user privacy, especially when other standards and regulations such as ENISA or the GDPR already do that. We focus on the app itself, looking at what can be tested using information that's publicly available or found within the app through methods like static or dynamic analysis.
4 |
5 | While some associated tests can be automated, others necessitate manual intervention due to the nuanced nature of privacy. For example, if an app collects data that it didn't mention in the app store or its privacy policy, it takes careful manual checking to spot this.
6 |
7 | > **Note on "Data Collection and Sharing"**:For the MASTG tests, we treat "Collect" and "Share" in a unified manner. This means that whether the app is sending data to another server or transferring it to another app on the device, we view it as data that's potentially leaving the user's control. Validating what happens to the data on remote endpoints is challenging and often not feasible due to access restrictions and the dynamic nature of server-side operations. Therefore, this issue is outside of the scope of the MASVS.
8 |
9 | **IMPORTANT DISCLAIMER**:
10 |
11 | MASVS-PRIVACY is not intended to serve as an exhaustive or exclusive reference. While it provides valuable guidance on app-centric privacy considerations, it should never replace comprehensive assessments, such as a Data Protection Impact Assessment (DPIA) mandated by the General Data Protection Regulation (GDPR) or other pertinent legal and regulatory frameworks. Stakeholders are strongly advised to undertake a holistic approach to privacy, integrating MASVS-PRIVACY insights with broader assessments to ensure comprehensive data protection compliance. Given the specialized nature of privacy regulations and the complexity of data protection, these assessments are best conducted by privacy experts rather than security experts.
12 |
--------------------------------------------------------------------------------
/Document/CHANGELOG.md:
--------------------------------------------------------------------------------
1 | # Changelog
2 |
3 | ## V1.3.1 and newer
4 |
5 | All our Changelogs are available online at the OWASP MASVS GitHub repository, see the [Releases page](https://github.com/OWASP/owasp-masvs/releases).
6 |
7 | ## V1.3 - 13 May 2021
8 |
9 | We are proud to announce the introduction of a new document build pipeline, which is a major milestone for our project. The build pipeline is based on [Pandocker](https://github.com/dalibo/pandocker) and [Github Actions](https://github.com/OWASP/owasp-masvs/tree/master/.github/workflows).
10 | This significantly reduces the time spent on creating new releases and will also be the foundation for the OWASP MSTG and will be made available for the OWASP ASVS project.
11 |
12 | ### Changes
13 |
14 | - 4 more translations are available, which are Hindi, Farsi, Portuguese and Brazilian Portuguese
15 | - Added requirement MSTG-PLATFORM-11
16 |
17 | ### Special Thanks
18 |
19 | - Jeroen Willemsen for kick-starting this initiative last year!
20 | - Damien Clochard and Dalibo for supporting and professionalizing the build pipeline.
21 | - All our Hindi, Farsi, Portuguese and Brazilian Portuguese collaborators for the excellent translation work.
22 |
23 | ## V1.2 - 7 March 2020 - International Release
24 |
25 | The following changes are part of release 1.2:
26 |
27 | - Translation in simplified Chinese of the MASVS available.
28 | - Change of title in MASVS book cover.
29 | - Removed Mobile Top 10 and CWE from MSTG and merged to existing references in MASVS.
30 |
31 | ## V1.2-RC - 5 October 2019 - Pre-release (English only)
32 |
33 | The following changes are part of pre-release 1.2:
34 |
35 | - Promoted to flagship status.
36 | - Requirement changed: MSTG-STORAGE-1 "need to be used".
37 | - Requirements MSTG-STORAGE-13, MSTG-STORAGE-14, and MSTG-STORAGE-15 are added with a focus on data protection.
38 | - Requirement MSTG-AUTH-11 is updated to preserve contextual information.
39 | - Requirement MSTG-CODE-4 is updated to cover more than just debugging.
40 | - Requirement MSTG-PLATFORM-10 added to further secure usage of WebViews.
41 | - Requirement MSTG-AUTH-12 added to remind developers of having authorizations implemented, especially in case of multi-user apps.
42 | - Added a little more description on how the MASVS should be used given a risk assessment.
43 | - Added a little more description on paid content.
44 | - Requirement MSTG-ARCH-11 added to include a Responsible Disclosure policy for L2 applications.
45 | - Requirement MSTG-ARCH-12 added to show application developers that relevant international privacy laws should be followed.
46 | - Created a consistent style for all references in the English version.
47 | - Requirement MSTG-PLATFORM-11 added to counter spying via third party keyboards.
48 | - Requirement MSTG-MSTG-RESILIENCE-13 added to impede eavesdropping at an application.
49 |
50 | ## V1.1.4 - 4 July 2019 - Summit edition
51 |
52 | The following changes are part of release 1.1.4:
53 |
54 | - Fix all markdown issues.
55 | - Updates in the French and Spanish translations.
56 | - Translated the changelog to Chinese (ZHTW) and Japanese.
57 | - Automated verification of the the markdown syntax and reachability of the URLs.
58 | - Added identification codes to the requirements, which will be included in the future version of the MSTG in order to find the recommendations and testcases easily.
59 | - Reduced the repo size and added Generated to the .gitignore.
60 | - Added a Code of Conduct & Contributing guidelines.
61 | - Added a Pull-Request template.
62 | - Updated the sync with the repo in use for hosting the Gitbook website.
63 | - Updated the scripts to generate XML/JSON/CSV for all the translations.
64 | - Translated the Foreword to Chinese (ZHTW).
65 |
66 | ## V1.1.3 - 9 January 2019 - Small fixes
67 |
68 | - Fix translation issue of requirement 7.1 in the Spanish version
69 | - New setup of translators in acknowledgements
70 |
71 | ## V1.1.2 - 3 January 2019 - Sponsorship and internationalization
72 |
73 | The following changes are part of release 1.1.2:
74 |
75 | - Added thank you note for buyers of the e-book.
76 | - Added missing authentication link & updated broken authentication link in V4.
77 | - Fixed swap of 4.7 and 4.8 in English.
78 | - First international release!
79 | - Fixes in Spanish translation. Translation is now in sync with English (1.1.2).
80 | - Fixes in Russian translation. Translation is now in sync with English (1.1.2).
81 | - Added first release of Chinese (ZHTW) French, German, and Japanese!
82 | - Simplified document for ease of translation.
83 | - Added instructions for automated releases.
84 |
85 | ## V1.1.0 - 14 July 2018
86 |
87 | The following changes are part of release 1.1:
88 |
89 | - Requirement 2.6 "The clipboard is deactivated on text fields that may contain sensitive data." was removed.
90 | - Requirement 2.2 "No sensitive data should be stored outside of the app container or system credential storage facilities." was added.
91 | - Requirement 2.1 was reworded to "System credential storage facilities are used appropriately to store sensitive data, such as PII, user credentials or cryptographic keys.".
92 |
93 | ## V1.0 12 - January 2018
94 |
95 | The following changes are part of release 1.0:
96 |
97 | - Delete 8.9 as the same as 8.12
98 | - Made 4.6 more generic
99 | - Minor fixes (typos etc.)
100 |
--------------------------------------------------------------------------------
/Document/book.json:
--------------------------------------------------------------------------------
1 | {
2 | "root" : ".",
3 |
4 | "structure": {
5 | "readme": "0x01-Foreword.md"
6 | },
7 |
8 | "language": "en"
9 | }
10 |
--------------------------------------------------------------------------------
/Document/images/CC-license.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/owasp-masvs/30a85aa928c16a2e0e58864a845ca8d9a528eaa9/Document/images/CC-license.png
--------------------------------------------------------------------------------
/Document/images/donators.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/owasp-masvs/30a85aa928c16a2e0e58864a845ca8d9a528eaa9/Document/images/donators.png
--------------------------------------------------------------------------------
/Document/images/masvs-levels-new.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/owasp-masvs/30a85aa928c16a2e0e58864a845ca8d9a528eaa9/Document/images/masvs-levels-new.jpg
--------------------------------------------------------------------------------
/Document/images/open_website.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/owasp-masvs/30a85aa928c16a2e0e58864a845ca8d9a528eaa9/Document/images/open_website.png
--------------------------------------------------------------------------------
/Document/images/owasp_mas_header.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/owasp-masvs/30a85aa928c16a2e0e58864a845ca8d9a528eaa9/Document/images/owasp_mas_header.png
--------------------------------------------------------------------------------
/Document/images/trusted-by-logos.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/owasp-masvs/30a85aa928c16a2e0e58864a845ca8d9a528eaa9/Document/images/trusted-by-logos.png
--------------------------------------------------------------------------------
/Document/metadata.md:
--------------------------------------------------------------------------------
1 | ---
2 | # This is the main metadata file.
3 | # Variables below can be overwritten by the local metadata
4 | # file (e.g. Document-fr/metadata.md)
5 |
6 | # Custom Template variables (cover, first page, etc.)
7 | version: 'SNAPSHOT' # this will overridden at build time
8 | languagetext: ''
9 |
10 | mainfont: 'DejaVu Sans'
11 | sansfont: 'DejaVu Sans'
12 | monofont: 'DejaVu Sans Mono'
13 |
14 | # General variables
15 | toc: true
16 | toc-depth: 2
17 | # numbersections: true
18 | # secnumdepth: 2
19 | linkcolor: blue
20 |
21 | # Language variables
22 | lang: 'en'
23 |
24 | # Latex variables
25 |
26 | # Eisvogel Latex variables
27 | # https://github.com/Wandmalfarbe/pandoc-latex-template#custom-template-variables
28 | code-block-font-size: '\tiny'
29 |
30 | table-use-row-colors: true
31 | geometry: "top=1cm,left=1cm,right=2cm,bottom=4cm"
32 | ---
33 |
--------------------------------------------------------------------------------
/License.md:
--------------------------------------------------------------------------------
1 | // SPDX-License-Identifier: CC-BY-SA-4.0
2 |
3 | # Attribution-ShareAlike 4.0 International
4 |
5 | Creative Commons Corporation (“Creative Commons”) is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an “as-is” basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible.
6 |
7 | ## Using Creative Commons Public Licenses
8 |
9 | Creative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses.
10 |
11 | - **Considerations for licensors:** Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. [More considerations for licensors](http://wiki.creativecommons.org/Considerations_for_licensors_and_licensees#Considerations_for_licensors).
12 |
13 | - **Considerations for the public:** By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensor’s permission is not necessary for any reason–for example, because of any applicable exception or limitation to copyright–then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described. Although not required by our licenses, you are encouraged to respect those requests where reasonable. [More considerations for the public](http://wiki.creativecommons.org/Considerations_for_licensors_and_licensees#Considerations_for_licensees).
14 |
15 | ## Creative Commons Attribution-ShareAlike 4.0 International Public License
16 |
17 | By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-ShareAlike 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.
18 |
19 | ### Section 1 – Definitions
20 |
21 | a. **Adapted Material** means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image.
22 |
23 | b. **Adapter's License** means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License.
24 |
25 | c. **BY-SA Compatible License** means a license listed at [creativecommons.org/compatiblelicenses](http://creativecommons.org/compatiblelicenses), approved by Creative Commons as essentially the equivalent of this Public License.
26 |
27 | d. **Copyright and Similar Rights** means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.
28 |
29 | e. **Effective Technological Measures** means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.
30 |
31 | f. **Exceptions and Limitations** means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material.
32 |
33 | g. **License Elements** means the license attributes listed in the name of a Creative Commons Public License. The License Elements of this Public License are Attribution and ShareAlike.
34 |
35 | h. **Licensed Material** means the artistic or literary work, database, or other material to which the Licensor applied this Public License.
36 |
37 | i. **Licensed Rights** means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license.
38 |
39 | j. **Licensor** means the individual(s) or entity(ies) granting rights under this Public License.
40 |
41 | k. **Share** means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them.
42 |
43 | l. **Sui Generis Database Rights** means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.
44 |
45 | m. **You** means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.
46 |
47 | ### Section 2 – Scope
48 |
49 | a. _**License grant.**_
50 |
51 | 1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:
52 |
53 | A. reproduce and Share the Licensed Material, in whole or in part; and
54 |
55 | B. produce, reproduce, and Share Adapted Material.
56 |
57 | 2. **Exceptions and Limitations.** For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.
58 |
59 | 3. **Term.** The term of this Public License is specified in Section 6(a).
60 |
61 | 4. **Media and formats; technical modifications allowed.** The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.
62 |
63 | 5. **Downstream recipients.**
64 |
65 | A. **Offer from the Licensor – Licensed Material.** Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.
66 |
67 | B. **Additional offer from the Licensor – Adapted Material.** Every recipient of Adapted Material from You automatically receives an offer from the Licensor to exercise the Licensed Rights in the Adapted Material under the conditions of the Adapter’s License You apply.
68 |
69 | C. **No downstream restrictions.** You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.
70 |
71 | 6. **No endorsement.** Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).
72 |
73 | b. _**Other rights.**_
74 |
75 | 1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.
76 |
77 | 2. Patent and trademark rights are not licensed under this Public License.
78 |
79 | 3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties.
80 |
81 | ### Section 3 – License Conditions
82 |
83 | Your exercise of the Licensed Rights is expressly made subject to the following conditions.
84 |
85 | a. _**Attribution.**_
86 |
87 | 1. If You Share the Licensed Material (including in modified form), You must:
88 |
89 | A. retain the following if it is supplied by the Licensor with the Licensed Material:
90 |
91 | i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);
92 |
93 | ii. a copyright notice;
94 |
95 | iii. a notice that refers to this Public License;
96 |
97 | iv. a notice that refers to the disclaimer of warranties;
98 |
99 | v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;
100 |
101 | B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and
102 |
103 | C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.
104 |
105 | 2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.
106 |
107 | 3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.
108 |
109 | b. _**ShareAlike.**_
110 |
111 | In addition to the conditions in Section 3(a), if You Share Adapted Material You produce, the following conditions also apply.
112 |
113 | 1. The Adapter’s License You apply must be a Creative Commons license with the same License Elements, this version or later, or a BY-SA Compatible License.
114 |
115 | 2. You must include the text of, or the URI or hyperlink to, the Adapter's License You apply. You may satisfy this condition in any reasonable manner based on the medium, means, and context in which You Share Adapted Material.
116 |
117 | 3. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, Adapted Material that restrict exercise of the rights granted under the Adapter's License You apply.
118 |
119 | ### Section 4 – Sui Generis Database Rights
120 |
121 | Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:
122 |
123 | a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database;
124 |
125 | b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material, including for purposes of Section 3(b); and
126 |
127 | c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.
128 |
129 | For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.
130 |
131 | ### Section 5 – Disclaimer of Warranties and Limitation of Liability
132 |
133 | a. **Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.**
134 |
135 | b. **To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.**
136 |
137 | c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.
138 |
139 | ### Section 6 – Term and Termination
140 |
141 | a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.
142 |
143 | b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:
144 |
145 | 1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or
146 |
147 | 2. upon express reinstatement by the Licensor.
148 |
149 | For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.
150 |
151 | c. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.
152 |
153 | d. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.
154 |
155 | ### Section 7 – Other Terms and Conditions
156 |
157 | a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.
158 |
159 | b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.
160 |
161 | ### Section 8 – Interpretation
162 |
163 | a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.
164 |
165 | b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.
166 |
167 | c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.
168 |
169 | d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.
170 |
171 | > Creative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” The text of the Creative Commons public licenses is dedicated to the public domain under the [CC0 Public Domain Dedication](https://creativecommons.org/publicdomain/zero/1.0/legalcode). Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at [creativecommons.org/policies](http://creativecommons.org/policies), Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.
172 | >
173 | > Creative Commons may be contacted at creativecommons.org.
174 |
--------------------------------------------------------------------------------
/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
1 | This PR covers issue #< insert number here >.
2 |
3 | ---
4 |
5 | > Note: Thank you for submitting a Pull Request to the OWASP MASVS repo! By opening a PR you're agreeing with our [contribution guidelines](https://github.com/OWASP/owasp-masvs/blob/master/CONTRIBUTING.md "Contribution guidelines").
6 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | 
2 |
3 | # OWASP Mobile Application Security Verification Standard (MASVS)
4 |
5 | [](https://owasp.org/projects/)
6 | [](https://creativecommons.org/licenses/by-sa/4.0/ "CC BY-SA 4.0")
7 |
8 | [](https://github.com/OWASP/owasp-masvs/actions/workflows/docgenerator.yml)
9 | [](https://github.com/OWASP/owasp-masvs/actions/workflows/markdown-linter.yml)
10 | [](https://github.com/OWASP/owasp-masvs/actions/workflows/url-checker.yml)
11 |
12 | This is the official Github Repository of the OWASP Mobile Application Security Verification Standard (MASVS). The MASVS establishes baseline security requirements for mobile apps that are useful in many scenarios. You can use it:
13 |
14 | - As a metric - To provide a security standard against which existing mobile apps can be compared by developers and application owners.
15 | - As guidance - To provide guidance during all phases of mobile app development and testing.
16 | - During procurement - To provide a baseline for mobile app security verification.
17 |
18 | The MASVS is a sister project of the [OWASP Mobile Application Security Testing Guide](https://github.com/OWASP/owasp-mastg "OWASP Mobile Application Security Testing Guide").
19 |
20 | 21 | 22 |
25 |
26 | 29 | 30 | - 🌐 [Access the MASVS Web](https://mas.owasp.org/MASVS/) 31 | - ⬇️ [Download the latest PDF](https://github.com/OWASP/owasp-masvs/releases/latest) 32 | - ✅ [Get the latest Mobile App Security Checklists](https://github.com/OWASP/owasp-mastg/releases/latest) 33 | - ⚡ [Contribute!](#how-to-contribute) 34 | - 💥 [Play with our Crackmes](https://mas.owasp.org/crackmes) 35 | 36 | ## Trusted by ... 37 | 38 | The OWASP MASVS and MASTG are trusted by the following platform providers and standardization, governmental and educational institutions. [Learn more](https://mas.owasp.org/MASTG/0x02b-MASVS-MASTG-Adoption/). 39 | 40 | 41 |
42 |
43 |
44 | ## 🥇 MAS Advocates
45 |
46 | MAS Advocates are industry adopters of the OWASP MASVS and MASTG who have invested a significant and consistent amount of resources to push the project forward by providing consistent high-impact contributions and continuously spreading the word. [Learn more](https://mas.owasp.org/MASTG/0x02c-Acknowledgements).
47 |
48 | 49 | 50 | 51 |
52 | 
53 |
54 |
55 | 56 | 57 | ## Connect with Us 58 | 59 | 60 | 61 | ## How to Contribute 62 | 63 | The MASVS is an open source effort and we welcome all kinds of contributions and feedback. 64 | 65 | **Help us improve & join our community:** 66 | 67 | - 🐞 [Report an error (typos, grammar)](https://github.com/OWASP/owasp-masvs/issues) or [fix it on a Pull Request](https://github.com/OWASP/owasp-masvs/pulls). 68 | - 💬 [Give feedback](https://github.com/OWASP/owasp-masvs/discussions/categories/general). 69 | - 🙏 [Ask questions](https://github.com/OWASP/owasp-masvs/discussions/categories/q-a) 70 | 71 | **Contribute with content:** 72 | 73 | - 💡 [Propose ideas or suggest improvements](https://github.com/OWASP/owasp-masvs/discussions/categories/ideas) (if it qualifies we'll promote it to an [Issue](https://github.com/OWASP/owasp-masvs/issues "Github issues")) 74 | - 📄 [Create a Pull Request](https://github.com/OWASP/owasp-masvs/pulls) for concrete fixes (e.g. grammar/typos) or content already approved by the core team. 75 | 76 | Before you start contributing, please check our [contribution guide](https://mas.owasp.org/contributing/) which should get you started. If you have any doubts [please contact us](#connect-with-us). 77 | -------------------------------------------------------------------------------- /book.json: -------------------------------------------------------------------------------- 1 | { 2 | "root" : ".", 3 | "plugins" : [ "anchors" ], 4 | 5 | "structure": { 6 | "readme": "0x01-Foreword.md" 7 | }, 8 | 9 | "title" : "OWASP Mobile Application Security Verification Standard", 10 | "description": "The MASVS is The MASVS is a framework of security requirements needed to design, develop and test secure mobile apps.", 11 | "pdf":{ 12 | "fontFamily":"Cambria, calibri", 13 | "font-size":11 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /controls/MASVS-AUTH-1.md: -------------------------------------------------------------------------------- 1 | # MASVS-AUTH-1 2 | 3 | ## Control 4 | 5 | The app uses secure authentication and authorization protocols and follows the relevant best practices. 6 | 7 | ## Description 8 | 9 | Most apps connecting to a remote endpoint require user authentication and also enforce some kind of authorization. While the enforcement of these mechanisms must be on the remote endpoint, the apps also have to ensure that it follows all the relevant best practices to ensure a secure use of the involved protocols. 10 | -------------------------------------------------------------------------------- /controls/MASVS-AUTH-2.md: -------------------------------------------------------------------------------- 1 | # MASVS-AUTH-2 2 | 3 | ## Control 4 | 5 | The app performs local authentication securely according to the platform best practices. 6 | 7 | ## Description 8 | 9 | Many apps allow users to authenticate via biometrics or a local PIN code. These authentication mechanisms need to be correctly implemented. Additionally, some apps might not have a remote endpoint, and rely fully on local app authentication. 10 | -------------------------------------------------------------------------------- /controls/MASVS-AUTH-3.md: -------------------------------------------------------------------------------- 1 | # MASVS-AUTH-3 2 | 3 | ## Control 4 | 5 | The app secures sensitive operations with additional authentication. 6 | 7 | ## Description 8 | 9 | Some additional form of authentication is often desirable for sensitive actions inside the app. This can be done in different ways (biometric, pin, MFA code generator, email, deep links, etc) and they all need to be implemented securely. 10 | -------------------------------------------------------------------------------- /controls/MASVS-CODE-1.md: -------------------------------------------------------------------------------- 1 | # MASVS-CODE-1 2 | 3 | ## Control 4 | 5 | The app requires an up-to-date platform version. 6 | 7 | ## Description 8 | 9 | Every release of the mobile OS includes security patches and new security features. By supporting older versions, apps stay vulnerable to well-known threats. This control ensures that the app is running on an up-to-date platform version so that users have the latest security protections. 10 | -------------------------------------------------------------------------------- /controls/MASVS-CODE-2.md: -------------------------------------------------------------------------------- 1 | # MASVS-CODE-2 2 | 3 | ## Control 4 | 5 | The app has a mechanism for enforcing app updates. 6 | 7 | ## Description 8 | 9 | Sometimes critical vulnerabilities are discovered in the app when it is already in production. This control ensures that there is a mechanism to force the users to update the app before they can continue using it. 10 | -------------------------------------------------------------------------------- /controls/MASVS-CODE-3.md: -------------------------------------------------------------------------------- 1 | # MASVS-CODE-3 2 | 3 | ## Control 4 | 5 | The app only uses software components without known vulnerabilities. 6 | 7 | ## Description 8 | 9 | To be truly secure, a full whitebox assessment should have been performed on all app components. However, as it usually happens with e.g. for third-party components this is not always feasible and not typically part of a penetration test. This control covers "low-hanging fruit" cases, such as those that can be detected just by scanning libraries for known vulnerabilities. 10 | -------------------------------------------------------------------------------- /controls/MASVS-CODE-4.md: -------------------------------------------------------------------------------- 1 | # MASVS-CODE-4 2 | 3 | ## Control 4 | 5 | The app validates and sanitizes all untrusted inputs. 6 | 7 | ## Description 8 | 9 | Apps have many data entry points including the UI, IPC, the network, the file system, etc. This incoming data might have been inadvertently modified by untrusted actors and may lead to bypass of critical security checks as well as classical injection attacks such as SQL injection, XSS or insecure deserialization. This control ensures that this data is treated as untrusted input and is properly verified and sanitized before it's used. 10 | -------------------------------------------------------------------------------- /controls/MASVS-CRYPTO-1.md: -------------------------------------------------------------------------------- 1 | # MASVS-CRYPTO-1 2 | 3 | ## Control 4 | 5 | The app employs current strong cryptography and uses it according to industry best practices. 6 | 7 | ## Description 8 | 9 | Cryptography plays an especially important role in securing the user's data - even more so in a mobile environment, where attackers having physical access to the user's device is a likely scenario. This control covers general cryptography best practices, which are typically defined in external standards. 10 | -------------------------------------------------------------------------------- /controls/MASVS-CRYPTO-2.md: -------------------------------------------------------------------------------- 1 | # MASVS-CRYPTO-2 2 | 3 | ## Control 4 | 5 | The app performs key management according to industry best practices. 6 | 7 | ## Description 8 | 9 | Even the strongest cryptography would be compromised by poor key management. This control covers the management of cryptographic keys throughout their lifecycle, including key generation, storage and protection. 10 | -------------------------------------------------------------------------------- /controls/MASVS-NETWORK-1.md: -------------------------------------------------------------------------------- 1 | # MASVS-NETWORK-1 2 | 3 | ## Control 4 | 5 | The app secures all network traffic according to the current best practices. 6 | 7 | ## Description 8 | 9 | Ensuring data privacy and integrity of any data in transit is critical for any app that communicates over the network. This is typically done by encrypting data and authenticating the remote endpoint, as TLS does. However, there are many ways for a developer to disable the platform secure defaults, or bypass them completely by using low-level APIs or third-party libraries. This control ensures that the app is in fact setting up secure connections in any situation. 10 | -------------------------------------------------------------------------------- /controls/MASVS-NETWORK-2.md: -------------------------------------------------------------------------------- 1 | # MASVS-NETWORK-2 2 | 3 | ## Control 4 | 5 | The app performs identity pinning for all remote endpoints under the developer's control. 6 | 7 | ## Description 8 | 9 | Instead of trusting all the default root CAs of the framework or device, this control will make sure that only very specific CAs are trusted. This practice is typically called certificate pinning or public key pinning. 10 | -------------------------------------------------------------------------------- /controls/MASVS-PLATFORM-1.md: -------------------------------------------------------------------------------- 1 | # MASVS-PLATFORM-1 2 | 3 | ## Control 4 | 5 | The app uses IPC mechanisms securely. 6 | 7 | ## Description 8 | 9 | Apps typically use platform provided IPC mechanisms to intentionally expose data or functionality. Both installed apps and the user are able to interact with the app in many different ways. This control ensures that all interactions involving IPC mechanisms happen securely. 10 | -------------------------------------------------------------------------------- /controls/MASVS-PLATFORM-2.md: -------------------------------------------------------------------------------- 1 | # MASVS-PLATFORM-2 2 | 3 | ## Control 4 | 5 | The app uses WebViews securely. 6 | 7 | ## Description 8 | 9 | WebViews are typically used by apps that have a need for increased control over the UI. This control ensures that WebViews are configured securely to prevent sensitive data leakage as well as sensitive functionality exposure (e.g. via JavaScript bridges to native code). 10 | -------------------------------------------------------------------------------- /controls/MASVS-PLATFORM-3.md: -------------------------------------------------------------------------------- 1 | # MASVS-PLATFORM-3 2 | 3 | ## Control 4 | 5 | The app uses the user interface securely. 6 | 7 | ## Description 8 | 9 | Sensitive data has to be displayed in the UI in many situations (e.g. passwords, credit card details, OTP codes in notifications). This control ensures that this data doesn't end up being unintentionally leaked due to platform mechanisms such as auto-generated screenshots or accidentally disclosed via e.g. shoulder surfing or sharing the device with another person. 10 | -------------------------------------------------------------------------------- /controls/MASVS-PRIVACY-1.md: -------------------------------------------------------------------------------- 1 | # MASVS-PRIVACY-1 2 | 3 | ## Control 4 | 5 | The app minimizes access to sensitive data and resources. 6 | 7 | ## Description 8 | 9 | Apps should only request access to the data they absolutely need for their functionality and always with informed consent from the user. This control ensures that apps practice data minimization and restricts access control, reducing the potential impact of data breaches or leaks. 10 | 11 | Furthermore, apps should share data with third parties only when necessary, and this should include enforcing that third-party SDKs operate based on user consent, not by default or without it. Apps should prevent third-party SDKs from ignoring consent signals or from collecting data before consent is confirmed. 12 | 13 | Additionally, apps should be aware of the 'supply chain' of SDKs they incorporate, ensuring that no data is unnecessarily passed down their chain of dependencies. This end-to-end responsibility for data aligns with recent SBOM regulatory requirements, making apps more accountable for their data practices. 14 | -------------------------------------------------------------------------------- /controls/MASVS-PRIVACY-2.md: -------------------------------------------------------------------------------- 1 | # MASVS-PRIVACY-2 2 | 3 | ## Control 4 | 5 | The app prevents identification of the user. 6 | 7 | ## Description 8 | 9 | Protecting user identity is crucial. This control emphasizes the use of unlinkability techniques like data abstraction, anonymization and pseudonymization to prevent user identification and tracking. 10 | 11 | Another key aspect addressed by this control is to establish technical barriers when employing complex 'fingerprint-like' signals (e.g. device IDs, IP addresses, behavioral patterns) for specific purposes. For instance, a fingerprint used for fraud detection should be isolated and not repurposed for audience measurement in an analytics SDK. This ensures that each data stream serves its intended function without risking user privacy. 12 | -------------------------------------------------------------------------------- /controls/MASVS-PRIVACY-3.md: -------------------------------------------------------------------------------- 1 | # MASVS-PRIVACY-3 2 | 3 | ## Control 4 | 5 | The app is transparent about data collection and usage. 6 | 7 | ## Description 8 | 9 | Users have the right to know how their data is being used. This control ensures that apps provide clear information about data collection, storage, and sharing practices, including any behavior a user wouldn't reasonably expect, such as background data collection. Apps should also adhere to platform guidelines on data declarations. 10 | -------------------------------------------------------------------------------- /controls/MASVS-PRIVACY-4.md: -------------------------------------------------------------------------------- 1 | # MASVS-PRIVACY-4 2 | 3 | ## Control 4 | 5 | The app offers user control over their data. 6 | 7 | ## Description 8 | 9 | Users should have control over their data. This control ensures that apps provide mechanisms for users to manage, delete, and modify their data, and change privacy settings as needed (e.g. to revoke consent). Additionally, apps should re-prompt for consent and update their transparency disclosures when they require more data than initially specified. 10 | -------------------------------------------------------------------------------- /controls/MASVS-RESILIENCE-1.md: -------------------------------------------------------------------------------- 1 | # MASVS-RESILIENCE-1 2 | 3 | ## Control 4 | 5 | The app validates the integrity of the platform. 6 | 7 | ## Description 8 | 9 | Running on a platform that has been tampered with can be very dangerous for apps, as this may disable certain security features, putting the data of the app at risk. Trusting the platform is essential for many of the MASVS controls relying on the platform being secure (e.g. secure storage, biometrics, sandboxing, etc.). This control tries to validate that the OS has not been compromised and its security features can thus be trusted. 10 | -------------------------------------------------------------------------------- /controls/MASVS-RESILIENCE-2.md: -------------------------------------------------------------------------------- 1 | # MASVS-RESILIENCE-2 2 | 3 | ## Control 4 | 5 | The app implements anti-tampering mechanisms. 6 | 7 | ## Description 8 | 9 | Apps run on a user-controlled device, and without proper protections it's relatively easy to run a modified version locally (e.g. to cheat in a game, or enable premium features without paying), or upload a backdoored version of it to third-party app stores. This control tries to ensure the integrity of the app's intended functionality by preventing modifications to the original code and resources. 10 | -------------------------------------------------------------------------------- /controls/MASVS-RESILIENCE-3.md: -------------------------------------------------------------------------------- 1 | # MASVS-RESILIENCE-3 2 | 3 | ## Control 4 | 5 | The app implements anti-static analysis mechanisms. 6 | 7 | ## Description 8 | 9 | Understanding the internals of an app is typically the first step towards tampering with it (either dynamically, or statically). This control tries to impede comprehension by making it as difficult as possible to figure out how an app works using static analysis. 10 | -------------------------------------------------------------------------------- /controls/MASVS-RESILIENCE-4.md: -------------------------------------------------------------------------------- 1 | # MASVS-RESILIENCE-4 2 | 3 | ## Control 4 | 5 | The app implements anti-dynamic analysis techniques. 6 | 7 | ## Description 8 | 9 | Sometimes pure static analysis is very difficult and time consuming so it typically goes hand in hand with dynamic analysis. Observing and manipulating an app during runtime makes it much easier to decipher its behavior. This control aims to make it as difficult as possible to perform dynamic analysis, as well as prevent dynamic instrumentation which could allow an attacker to modify the code at runtime. 10 | -------------------------------------------------------------------------------- /controls/MASVS-STORAGE-1.md: -------------------------------------------------------------------------------- 1 | # MASVS-STORAGE-1 2 | 3 | ## Control 4 | 5 | The app securely stores sensitive data. 6 | 7 | ## Description 8 | 9 | Apps handle sensitive data coming from many sources such as the user, the backend, system services or other apps on the device and usually need to store it locally. The storage locations may be private to the app (e.g. its internal storage) or be public and therefore accessible by the user or other installed apps (e.g. public folders such as Downloads). This control ensures that any sensitive data that is intentionally stored by the app is properly protected independently of the target location. 10 | -------------------------------------------------------------------------------- /controls/MASVS-STORAGE-2.md: -------------------------------------------------------------------------------- 1 | # MASVS-STORAGE-2 2 | 3 | ## Control 4 | 5 | The app prevents leakage of sensitive data. 6 | 7 | ## Description 8 | 9 | There are cases when sensitive data is unintentionally stored or exposed to publicly accessible locations; typically as a side-effect of using certain APIs, system capabilities such as backups or logs. This control covers this kind of unintentional leaks where the developer actually has a way to prevent it. 10 | -------------------------------------------------------------------------------- /cover.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/owasp-masvs/30a85aa928c16a2e0e58864a845ca8d9a528eaa9/cover.pdf -------------------------------------------------------------------------------- /cover.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/owasp-masvs/30a85aa928c16a2e0e58864a845ca8d9a528eaa9/cover.png -------------------------------------------------------------------------------- /tools/docker/README.md: -------------------------------------------------------------------------------- 1 | # MASVS PDFs Generation with Docker 2 | 3 | The MASVS document generation is based on pandocker: [https://github.com/dalibo/pandocker/blob/latest/LICENSE](https://github.com/dalibo/pandocker/blob/latest/LICENSE). 4 | 5 | ## On your Machine 6 | 7 | - Install Docker 8 | - `cd` to the MASVS root folder `owasp-masvs/` 9 | - Run the `pandoc_makedocs.sh` script with the language folder and an optional version number (**do not `cd` into `tools/docker` to run it**): 10 | 11 | ```sh 12 | $ ./tools/docker/pandoc_makedocs.sh Document 1.3 13 | ``` 14 | 15 | - You can set `VERBOSE=1` for a more detailed output 16 | 17 | - For non-european languages (Hindi, Persion, CJK, etc.) you need to use the `stable-full` 18 | version of the docker image. Define the `TAG` variable like this : 19 | 20 | ```sh 21 | $ TAG=stable-full ./tools/docker/pandoc_makedocs.sh Document-ja 22 | ``` 23 | 24 | > __NOTE:__ The size `stable-full` docker image is approx. 800MB whereas the 25 | > regular `stable` version is 330MB. 26 | 27 | 28 | ## On GitHub 29 | 30 | Each time you push to GitHub the workflows in the [MASVS GitHub Actions](https://github.com/OWASP/owasp-masvs/actions "MASVS GitHub Actions") will be triggered. You can check what will be executed inside the folder `owasp-masvs/.github/workflows`, where `docgenerator.yml` takes care of building the Docker image and running the generation script once per language inside the container. 31 | 32 | See the results in: