├── .gitbook.yaml ├── .github ├── FUNDING.yml ├── release.yml └── workflows │ ├── codeql-analysis.yml │ ├── config │ └── url-checker-config.json │ ├── docgenerator.yml │ ├── markdown-linter.yml │ ├── spell-checker.yml │ ├── url-checker-pr.yml │ └── url-checker.yml ├── .gitignore ├── .markdownlint.jsonc ├── .vscode ├── extensions.json └── settings.json ├── CHANGELOG.md ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── Document ├── 01-Foreword.md ├── 02-Frontispiece.md ├── 03-Using_the_MASVS.md ├── 04-Assessment_and_Certification.md ├── 05-MASVS-STORAGE.md ├── 06-MASVS-CRYPTO.md ├── 07-MASVS-AUTH.md ├── 08-MASVS-NETWORK.md ├── 09-MASVS-PLATFORM.md ├── 10-MASVS-CODE.md ├── 11-MASVS-RESILIENCE.md ├── 12-MASVS-PRIVACY.md ├── CHANGELOG.md ├── book.json ├── images │ ├── CC-license.png │ ├── donators.png │ ├── masvs-levels-new.jpg │ ├── open_website.png │ ├── owasp_mas_header.png │ └── trusted-by-logos.png └── metadata.md ├── License.md ├── PULL_REQUEST_TEMPLATE.md ├── README.md ├── book.json ├── controls ├── MASVS-AUTH-1.md ├── MASVS-AUTH-2.md ├── MASVS-AUTH-3.md ├── MASVS-CODE-1.md ├── MASVS-CODE-2.md ├── MASVS-CODE-3.md ├── MASVS-CODE-4.md ├── MASVS-CRYPTO-1.md ├── MASVS-CRYPTO-2.md ├── MASVS-NETWORK-1.md ├── MASVS-NETWORK-2.md ├── MASVS-PLATFORM-1.md ├── MASVS-PLATFORM-2.md ├── MASVS-PLATFORM-3.md ├── MASVS-PRIVACY-1.md ├── MASVS-PRIVACY-2.md ├── MASVS-PRIVACY-3.md ├── MASVS-PRIVACY-4.md ├── MASVS-RESILIENCE-1.md ├── MASVS-RESILIENCE-2.md ├── MASVS-RESILIENCE-3.md ├── MASVS-RESILIENCE-4.md ├── MASVS-STORAGE-1.md └── MASVS-STORAGE-2.md ├── cover.pdf ├── cover.png └── tools ├── docker ├── README.md ├── SourceSansPro-It.otf ├── cover.tex ├── custom.css ├── first_page.tex ├── imagereplace.sed ├── latex-header.tex └── pandoc_makedocs.sh ├── generate_masvs_cyclonedx.py ├── generate_masvs_sarif.py ├── generate_masvs_yaml.py └── populate_masvs_categories_md.py /.gitbook.yaml: -------------------------------------------------------------------------------- 1 | root : ./Document 2 | 3 | structure: 4 | readme: README.md 5 | summary: SUMMARY.md 6 | -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | custom: https://www.icrc.org/en/donate/ukraine 2 | -------------------------------------------------------------------------------- /.github/release.yml: -------------------------------------------------------------------------------- 1 | changelog: 2 | exclude: 3 | labels: 4 | - "ignore-for-release" 5 | categories: 6 | - title: Changes in MASVS Requirements 7 | labels: 8 | - "change-masvs" 9 | - title: Other Changes 10 | labels: 11 | - "*" -------------------------------------------------------------------------------- /.github/workflows/codeql-analysis.yml: -------------------------------------------------------------------------------- 1 | # For most projects, this workflow file will not need changing; you simply need 2 | # to commit it to your repository. 3 | # 4 | # You may wish to alter this file to override the set of languages analyzed, 5 | # or to provide custom queries or build logic. 6 | # 7 | # ******** NOTE ******** 8 | # We have attempted to detect the languages in your repository. Please check 9 | # the `language` matrix defined below to confirm you have the correct set of 10 | # supported CodeQL languages. 11 | # 12 | name: "CodeQL Security Scan" 13 | 14 | on: 15 | push: 16 | branches: [ master ] 17 | pull_request: 18 | # The branches below must be a subset of the branches above 19 | branches: [ master ] 20 | schedule: 21 | - cron: '34 11 * * 1' 22 | 23 | jobs: 24 | analyze: 25 | name: Analyze 26 | runs-on: ubuntu-latest 27 | permissions: 28 | actions: read 29 | contents: read 30 | security-events: write 31 | 32 | strategy: 33 | fail-fast: false 34 | matrix: 35 | language: [ 'python' ] 36 | # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] 37 | # Learn more about CodeQL language support at https://git.io/codeql-language-support 38 | 39 | steps: 40 | - name: Checkout repository 41 | uses: actions/checkout@v4 42 | 43 | # Initializes the CodeQL tools for scanning. 44 | - name: Initialize CodeQL 45 | uses: github/codeql-action/init@v2 46 | with: 47 | languages: ${{ matrix.language }} 48 | # If you wish to specify custom queries, you can do so here or in a config file. 49 | # By default, queries listed here will override any specified in a config file. 50 | # Prefix the list here with "+" to use these queries and those in the config file. 51 | # queries: ./path/to/local/query, your-org/your-repo/queries@main 52 | 53 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 54 | # If this step fails, then you should remove it and run the build manually (see below) 55 | - name: Autobuild 56 | uses: github/codeql-action/autobuild@v2 57 | 58 | # ℹ️ Command-line programs to run using the OS shell. 59 | # 📚 https://git.io/JvXDl 60 | 61 | # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines 62 | # and modify them (or add more) to build your code if your project 63 | # uses a compiled language 64 | 65 | #- run: | 66 | # make bootstrap 67 | # make release 68 | 69 | - name: Perform CodeQL Analysis 70 | uses: github/codeql-action/analyze@v2 71 | -------------------------------------------------------------------------------- /.github/workflows/config/url-checker-config.json: -------------------------------------------------------------------------------- 1 | { 2 | "ignorePatterns": [ 3 | { 4 | "pattern": "changelog" 5 | } 6 | ], 7 | "httpHeaders": [ 8 | { 9 | "urls": [ 10 | "https://", 11 | "http://" 12 | ], 13 | "headers": { 14 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0" 15 | } 16 | } 17 | ], 18 | "retryOn429": true, 19 | "fallbackRetryDelay": "30s", 20 | "see": "https://github.com/tcort/markdown-link-check#config-file-format" 21 | } -------------------------------------------------------------------------------- /.github/workflows/docgenerator.yml: -------------------------------------------------------------------------------- 1 | name: MASVS Build 2 | 3 | on: [push, workflow_dispatch] 4 | 5 | jobs: 6 | Generate-MASVS-Documents: 7 | runs-on: ubuntu-latest 8 | steps: 9 | - uses: actions/checkout@v4 10 | with: 11 | fetch-depth: 1 12 | 13 | - name: Set MASVS_VERSION to env 14 | run: echo "MASVS_VERSION=$(curl -s https://api.github.com/repos/OWASP/owasp-masvs/tags | jq '.[0].name' | sed 's/\"//g')" >> $GITHUB_ENV 15 | 16 | - name: Set DEV MASVS_VERSION if it's not a tag 17 | if: ${{ !startsWith(github.ref, 'refs/tags/') }} 18 | run: echo "MASVS_VERSION=${{env.MASVS_VERSION}}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV 19 | 20 | - name: Get Latest MASTG Release Tag 21 | run: echo "MASTG_VERSION=$(curl -s https://api.github.com/repos/OWASP/owasp-mastg/releases/latest | jq '.tag_name' | sed 's/\"//g')" >> $GITHUB_ENV 22 | 23 | 24 | 25 | - name: Generate MASVS yaml 26 | run: python3 ./tools/generate_masvs_yaml.py -v ${{ env.MASVS_VERSION }} 27 | 28 | - name: Populate MASVS Categories Markdown Files 29 | run: python3 ./tools/populate_masvs_categories_md.py 30 | 31 | - name: Generate PDF and ePub 32 | run: ./tools/docker/pandoc_makedocs.sh Document ${{ env.MASVS_VERSION }} ${{ env.MASTG_VERSION }} 33 | 34 | - name: Generate CycloneDX JSON 35 | run: python3 ./tools/generate_masvs_cyclonedx.py 36 | 37 | - name: Generate SARIF 38 | run: python3 ./tools/generate_masvs_sarif.py 39 | 40 | - name: Upload Artifacts 41 | uses: actions/upload-artifact@v4 42 | with: 43 | name: OWASP_MASVS 44 | path: OWASP_MASVS* 45 | 46 | release: 47 | runs-on: ubuntu-latest 48 | needs: [Generate-MASVS-Documents] 49 | if: startsWith(github.ref, 'refs/tags/') && (github.actor == 'cpholguera' || github.actor == 'sushi2k') 50 | steps: 51 | - uses: actions/download-artifact@v4 52 | - name: Move all files to the root folder 53 | run: mv OWASP_MASVS*/* . 54 | 55 | - name: Release 56 | uses: softprops/action-gh-release@v1 57 | with: 58 | prerelease: false 59 | draft: true 60 | generate_release_notes: true 61 | discussion_category_name: Announcements 62 | files: | 63 | OWASP_MASVS.pdf 64 | OWASP_MASVS.epub 65 | OWASP_MASVS.yaml 66 | OWASP_MASVS.cdx.json 67 | OWASP_MASVS.sarif 68 | env: 69 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 70 | -------------------------------------------------------------------------------- /.github/workflows/markdown-linter.yml: -------------------------------------------------------------------------------- 1 | name: Markdown Linter 2 | 3 | on: [push, pull_request] 4 | 5 | jobs: 6 | markdown-lint-check: 7 | runs-on: ubuntu-latest 8 | steps: 9 | - name: Checkout 10 | uses: actions/checkout@v4 11 | with: 12 | fetch-depth: 1 13 | - name: markdownlint-cli 14 | uses: nosborn/github-action-markdown-cli@v2.0.0 15 | with: 16 | files: './Document*' 17 | config_file: ".markdownlint.jsonc" 18 | ignore_files: "tools, node_modules" 19 | -------------------------------------------------------------------------------- /.github/workflows/spell-checker.yml: -------------------------------------------------------------------------------- 1 | name: Spell Checker 2 | on: [pull_request, push] 3 | jobs: 4 | spell-check: 5 | runs-on: ubuntu-latest 6 | steps: 7 | - uses: actions/checkout@v4 8 | - uses: codespell-project/actions-codespell@master 9 | with: 10 | path: ./Document 11 | ignore_words_list: OWASP,MASVS,MASTG 12 | -------------------------------------------------------------------------------- /.github/workflows/url-checker-pr.yml: -------------------------------------------------------------------------------- 1 | name: URL Checker (PR) 2 | 3 | on: 4 | pull_request: 5 | 6 | jobs: 7 | markdown-link-check: 8 | runs-on: ubuntu-latest 9 | steps: 10 | - name: Checkout 11 | uses: actions/checkout@v4 12 | with: 13 | fetch-depth: 1 14 | - name: link-check 15 | uses: gaurav-nelson/github-action-markdown-link-check@v1 16 | with: 17 | use-quiet-mode: 'yes' 18 | use-verbose-mode: 'yes' 19 | config-file: '.github/workflows/config/url-checker-config.json' 20 | folder-path: '.' 21 | check-modified-files-only: 'yes' 22 | -------------------------------------------------------------------------------- /.github/workflows/url-checker.yml: -------------------------------------------------------------------------------- 1 | name: URL Checker 2 | 3 | on: 4 | workflow_dispatch: 5 | push: 6 | branches: 7 | - master 8 | 9 | jobs: 10 | markdown-link-check: 11 | runs-on: ubuntu-latest 12 | steps: 13 | - name: Checkout 14 | uses: actions/checkout@v4 15 | with: 16 | fetch-depth: 1 17 | - name: link-check 18 | uses: gaurav-nelson/github-action-markdown-link-check@v1 19 | with: 20 | use-quiet-mode: 'yes' 21 | use-verbose-mode: 'yes' 22 | config-file: '.github/workflows/config/url-checker-config.json' 23 | folder-path: '.' 24 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | *.pyc 3 | node_modules 4 | *.out 5 | .idea 6 | Generated/ 7 | *.pdf 8 | *.epub 9 | tmp_*.tex 10 | OWASP_MASVS-SNAPSHOT*.docx 11 | *.mobi 12 | *.docx -------------------------------------------------------------------------------- /.markdownlint.jsonc: -------------------------------------------------------------------------------- 1 | { 2 | // https://github.com/DavidAnson/markdownlint/blob/main/doc/Rules.md 3 | 4 | "MD004": {"style": "dash"}, // ul-style 5 | "MD013": false, // line-length 6 | "MD024": {"allow_different_nesting": true}, // no-duplicate-header 7 | "MD026": {"punctuation": ".,;:"}, // no-trailing-punctuation (allows !?) 8 | "MD033": false, // no-inline-html 9 | "MD035": {"style": "---"}, // hr-style 10 | "MD036": {"punctuation": ".,;:!。"}, // no-emphasis-as-header 11 | "MD041": false, // first-line-h1 12 | "MD046": {"style": "fenced"} , // code-block-style 13 | "MD049": {"style": "underscore"}, // emphasis-style 14 | "MD050": {"style": "asterisk"} // strong-style 15 | 16 | } -------------------------------------------------------------------------------- /.vscode/extensions.json: -------------------------------------------------------------------------------- 1 | { 2 | "recommendations": ["davidanson.vscode-markdownlint", "streetsidesoftware.code-spell-checker"] 3 | } -------------------------------------------------------------------------------- /.vscode/settings.json: -------------------------------------------------------------------------------- 1 | { 2 | "workbench.colorCustomizations": { 3 | "activityBar.activeBackground": "#65c89b", 4 | "activityBar.activeBorder": "#945bc4", 5 | "activityBar.background": "#65c89b", 6 | "activityBar.foreground": "#15202b", 7 | "activityBar.inactiveForeground": "#15202b99", 8 | "activityBarBadge.background": "#945bc4", 9 | "activityBarBadge.foreground": "#e7e7e7", 10 | "sash.hoverBorder": "#65c89b", 11 | "statusBar.background": "#42b883", 12 | "statusBar.foreground": "#15202b", 13 | "statusBarItem.hoverBackground": "#359268", 14 | "statusBarItem.remoteBackground": "#42b883", 15 | "statusBarItem.remoteForeground": "#15202b", 16 | "titleBar.activeBackground": "#42b883", 17 | "titleBar.activeForeground": "#15202b", 18 | "titleBar.inactiveBackground": "#42b88399", 19 | "titleBar.inactiveForeground": "#15202b99" 20 | }, 21 | "peacock.color": "#42b883" 22 | } -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | ## V1.3.1 and newer 4 | 5 | All our Changelogs are available online at the OWASP MASVS GitHub repository, see the [Releases page](https://github.com/OWASP/owasp-masvs/releases). 6 | 7 | ## V1.3 - 13 May 2021 8 | 9 | We are proud to announce the introduction of a new document build pipeline, which is a major milestone for our project. The build pipeline is based on [Pandocker](https://github.com/dalibo/pandocker) and [Github Actions](https://github.com/OWASP/owasp-masvs/tree/master/.github/workflows). 10 | This significantly reduces the time spent on creating new releases and will also be the foundation for the OWASP MSTG and will be made available for the OWASP ASVS project. 11 | 12 | ### Changes 13 | 14 | - 4 more translations are available, which are Hindi, Farsi, Portuguese and Brazilian Portuguese 15 | - Added requirement MSTG-PLATFORM-11 16 | 17 | ### Special Thanks 18 | 19 | - Jeroen Willemsen for kick-starting this initiative last year! 20 | - Damien Clochard and Dalibo for supporting and professionalizing the build pipeline. 21 | - All our Hindi, Farsi, Portuguese and Brazilian Portuguese collaborators for the excellent translation work. 22 | 23 | ## V1.2 - 7 March 2020 - International Release 24 | 25 | The following changes are part of release 1.2: 26 | 27 | - Translation in simplified Chinese of the MASVS available. 28 | - Change of title in MASVS book cover. 29 | - Removed Mobile Top 10 and CWE from MSTG and merged to existing references in MASVS. 30 | 31 | ## V1.2-RC - 5 October 2019 - Pre-release (English only) 32 | 33 | The following changes are part of pre-release 1.2: 34 | 35 | - Promoted to flagship status. 36 | - Requirement changed: MSTG-STORAGE-1 "need to be used". 37 | - Requirements MSTG-STORAGE-13, MSTG-STORAGE-14, and MSTG-STORAGE-15 are added with a focus on data protection. 38 | - Requirement MSTG-AUTH-11 is updated to preserve contextual information. 39 | - Requirement MSTG-CODE-4 is updated to cover more than just debugging. 40 | - Requirement MSTG-PLATFORM-10 added to further secure usage of WebViews. 41 | - Requirement MSTG-AUTH-12 added to remind developers of having authorizations implemented, especially in case of multi-user apps. 42 | - Added a little more description on how the MASVS should be used given a risk assessment. 43 | - Added a little more description on paid content. 44 | - Requirement MSTG-ARCH-11 added to include a Responsible Disclosure policy for L2 applications. 45 | - Requirement MSTG-ARCH-12 added to show application developers that relevant international privacy laws should be followed. 46 | - Created a consistent style for all references in the English version. 47 | - Requirement MSTG-PLATFORM-11 added to counter spying via third party keyboards. 48 | - Requirement MSTG-MSTG-RESILIENCE-13 added to impede eavesdropping at an application. 49 | 50 | ## V1.1.4 - 4 July 2019 - Summit edition 51 | 52 | The following changes are part of release 1.1.4: 53 | 54 | - Fix all markdown issues. 55 | - Updates in the French and Spanish translations. 56 | - Translated the changelog to Chinese (ZHTW) and Japanese. 57 | - Automated verification of the the markdown syntax and reachability of the URLs. 58 | - Added identification codes to the requirements, which will be included in the future version of the MSTG in order to find the recommendations and testcases easily. 59 | - Reduced the repo size and added Generated to the .gitignore. 60 | - Added a Code of Conduct & Contributing guidelines. 61 | - Added a Pull-Request template. 62 | - Updated the sync with the repo in use for hosting the Gitbook website. 63 | - Updated the scripts to generate XML/JSON/CSV for all the translations. 64 | - Translated the Foreword to Chinese (ZHTW). 65 | 66 | ## V1.1.3 - 9 January 2019 - Small fixes 67 | 68 | - Fix translation issue of requirement 7.1 in the Spanish version 69 | - New setup of translators in acknowledgements 70 | 71 | ## V1.1.2 - 3 January 2019 - Sponsorship and internationalization 72 | 73 | The following changes are part of release 1.1.2: 74 | 75 | - Added thank you note for buyers of the e-book. 76 | - Added missing authentication link & updated broken authentication link in V4. 77 | - Fixed swap of 4.7 and 4.8 in English. 78 | - First international release! 79 | - Fixes in Spanish translation. Translation is now in sync with English (1.1.2). 80 | - Fixes in Russian translation. Translation is now in sync with English (1.1.2). 81 | - Added first release of Chinese (ZHTW) French, German, and Japanese! 82 | - Simplified document for ease of translation. 83 | - Added instructions for automated releases. 84 | 85 | ## V1.1.0 - 14 July 2018 86 | 87 | The following changes are part of release 1.1: 88 | 89 | - Requirement 2.6 "The clipboard is deactivated on text fields that may contain sensitive data." was removed. 90 | - Requirement 2.2 "No sensitive data should be stored outside of the app container or system credential storage facilities." was added. 91 | - Requirement 2.1 was reworded to "System credential storage facilities are used appropriately to store sensitive data, such as PII, user credentials or cryptographic keys.". 92 | 93 | ## V1.0 12 - January 2018 94 | 95 | The following changes are part of release 1.0: 96 | 97 | - Delete 8.9 as the same as 8.12 98 | - Made 4.6 more generic 99 | - Minor fixes (typos etc.) 100 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation. 6 | 7 | ## Our Standards 8 | 9 | Examples of behavior that contributes to creating a positive environment include: 10 | 11 | - Using welcoming and inclusive language 12 | - Being respectful of differing viewpoints and experiences 13 | - Gracefully accepting constructive criticism 14 | - Focusing on what is best for the community 15 | - Showing empathy towards other community members 16 | 17 | Examples of unacceptable behavior by participants include: 18 | 19 | - The use of sexualized language or imagery and unwelcome sexual attention or advances 20 | - Trolling, insulting/derogatory comments, and personal or political attacks 21 | - Public or private harassment 22 | - Publishing others' private information, such as a physical or electronic address, without explicit permission 23 | - Misusing the context of the Mobile Application Security Verification Standard (MASVS) project for commercial goals (e.g. adding sales pitches to the guide or to communication channels used by the project, such as Slack). 24 | - Other conduct which could reasonably be considered inappropriate in a professional setting 25 | 26 | ## Our Responsibilities 27 | 28 | Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior. 29 | 30 | Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful. 31 | 32 | ## Scope 33 | 34 | This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community includes using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers. 35 | 36 | ## Enforcement 37 | 38 | Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at sven.schleier@owasp.org and carlos.holguera@owasp.org. 39 | 40 | All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately. 41 | 42 | Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership. 43 | 44 | ## Attribution 45 | 46 | This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org "Contributor Covenant homepage"), [version 1.4](https://www.contributor-covenant.org/version/1/4/code-of-conduct.html "Code of Conduct version 1.4"). 47 | 48 | For answers to common questions about this code of conduct, see [the Contributor Covenant FAQ](https://www.contributor-covenant.org/faq) 49 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | Learn how you can contribute to the OWASP Mobile Application Security project [here](https://mas.owasp.org/contributing/). 4 | -------------------------------------------------------------------------------- /Document/01-Foreword.md: -------------------------------------------------------------------------------- 1 | # Foreword 2 | 3 | Technological revolutions can happen quickly. Less than a decade ago, smartphones were clunky devices with little keyboards - expensive playthings for tech-savvy business users. Today, smartphones are an essential part of our lives. We've come to rely on them for information, navigation and communication, and they are ubiquitous both in business and in our social lives. 4 | 5 | Every new technology introduces new security risks, and keeping up with those changes is one of the main challenges the security industry faces. The defensive side is always a few steps behind. For example, the default reflex for many was to apply old ways of doing things: Smartphones are like small computers, and mobile apps are just like classic software, so surely the security requirements are similar? But it doesn't work like that. Smartphone operating systems are different from desktop operating systems, and mobile apps are different from web apps. For example, the classical method of signature-based virus scanning doesn't make sense in modern mobile OS environments: Not only is it incompatible with the mobile app distribution model, it's also technically impossible due to sandboxing restrictions. Also, some vulnerability classes, such as buffer overflows and XSS issues, are less relevant in the context of run-of-the-mill mobile apps than in, say, desktop apps and web applications (exceptions apply). 6 | 7 | Over time, our industry has gotten a better grip on the mobile threat landscape. As it turns out, mobile security is all about data protection: Apps store our personal information, pictures, recordings, notes, account data, business information, location and much more. They act as clients that connect us to services we use on a daily basis, and as communications hubs that processes each and every message we exchange with others. Compromise a person's smartphone and you get unfiltered access to that person's life. When we consider that mobile devices are more readily lost or stolen and mobile malware is on the rise, the need for data protection becomes even more apparent. 8 | 9 | A security standard for mobile apps must therefore focus on how mobile apps handle, store and protect sensitive information. Even though modern mobile operating systems like iOS and Android offer mature APIs for secure data storage and communication, those have to be implemented and used correctly in order to be effective. Data storage, inter-app communication, proper usage of cryptographic APIs and secure network communication are only some of the aspects that require careful consideration. 10 | 11 | An important question in need of industry consensus is how far exactly one should go in protecting the confidentiality and integrity of data. For example, most of us would agree that a mobile app should verify the server certificate in a TLS exchange. But what about certificate or public key pinning? Does not doing it result in a vulnerability? Should this be a requirement if an app handles sensitive data, or is it maybe even counter-productive? Do we need to encrypt data stored in SQLite databases, even though the OS sandboxes the app? What is appropriate for one app might be unrealistic for another. The MASVS is an attempt to standardize these requirements using profiles that fit different threat scenarios. 12 | 13 | Furthermore, the appearance of root malware and remote administration tools has created awareness of the fact that mobile operating systems themselves have exploitable flaws, so containerization strategies are increasingly used to afford additional protection to sensitive data and prevent client-side tampering. This is where things get complicated. Hardware- backed security features and OS-level containerization solutions, such as Android Enterprise and Samsung Knox, do exist, but they aren't consistently available across different devices. As a band aid, it is possible to implement software-based protection measures - but unfortunately, there are no standards or testing processes for verifying these kinds of protections. 14 | 15 | As a result, mobile app security testing reports are all over the place: For example, some testers report a lack of obfuscation or root detection in an Android app as “security flaw”. On the other hand, measures like string encryption, debugger detection or control flow obfuscation aren't considered mandatory. However, this binary way of looking at things doesn't make sense because resilience is not a binary proposition: It depends on the particular client-side threats one aims to defend against. Software protections are not useless, but they can ultimately be bypassed, so they must never be used as a replacement for security controls. 16 | 17 | The overall goal of the MASVS is to offer a baseline for mobile application security, while also allowing for the inclusion of defense-in-depth measures and protections against client-side threats. The MASVS is meant to achieve the following: 18 | 19 | - Provide requirements for software architects and developers seeking to develop secure mobile applications; 20 | - Offer an industry standard that can be tested against in mobile app security reviews; 21 | - Clarify the role of software protection mechanisms in mobile security and provide requirements to verify their effectiveness; 22 | - Provide specific recommendations as to what level of security is recommended for different use-cases. 23 | 24 | We are aware that 100% industry consensus is impossible to achieve. Nevertheless, we hope that the MASVS is useful in providing guidance throughout all phases of mobile app development and testing. As an open source standard, the MASVS will evolve over time, and we welcome any contributions and suggestions. 25 | 26 | By Bernhard Mueller 27 | -------------------------------------------------------------------------------- /Document/02-Frontispiece.md: -------------------------------------------------------------------------------- 1 | # About the Standard 2 | 3 | 4 | 5 | The OWASP Mobile Application Security Verification Standard (MASVS) is the industry standard for mobile application security. It provides a comprehensive set of security controls that can be used to assess the security of mobile apps across various platforms (e.g., Android, iOS) and deployment scenarios (e.g., consumer, enterprise). The standard covers the key components of the mobile app attack surface including storage, cryptography, authentication and authorization, network communication, interaction with the mobile platform, code quality and resilience against reverse engineering and tampering. 6 | 7 | The OWASP MASVS is the result of years of community effort and industry feedback. We thank all the contributors who have helped shape this standard. We welcome your feedback on the OWASP MASVS at any time, especially as you apply it to your own organization and mobile app development projects. Getting inputs from a variety of mobile app developers will help us improve and update the standard which is revised periodically based on your inputs and feedback. 8 | 9 | You can provide feedback using GitHub Discussions in the OWASP MASVS repo , or contact the project leads directly . 10 | 11 | The OWASP MASVS and MASTG are trusted by the following platform providers and standardization, governmental and educational institutions. [Learn more](https://mas.owasp.org/MASTG/Intro/0x02b-MASVS-MASTG-Adoption/). 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | ## Authors 20 | 21 | ### Sven Schleier 22 | 23 | Sven is specialised in penetration testing and application security and has guided numerous projects to build security in from the start. He strongly believes in knowledge sharing and is speaking worldwide at meetups and conferences, is an adjunct professor and is conducting hands-on workshops about mobile app security to penetration testers, developers and students. 24 | 25 | ### Carlos Holguera 26 | 27 | Carlos is a mobile security research engineer with many years of hands-on experience in security testing for mobile apps and embedded systems such as automotive control units and IoT devices. He is passionate about reverse engineering and dynamic instrumentation of mobile apps and is continuously learning and sharing his knowledge. 28 | 29 | ### Jeroen Beckers 30 | 31 | Jeroen is a mobile security lead responsible for quality assurance on mobile security projects and for R&D on all things mobile. Ever since his master's thesis on Android security, Jeroen has been interested in mobile devices and their (in)security. He loves sharing his knowledge with other people, as is demonstrated by his many talks & trainings at colleges, universities, clients and conferences. 32 | 33 | ### Bernhard Mueller 34 | 35 | Bernhard is a cyber security specialist with a talent for hacking systems of all kinds. During more than a decade in the industry, he has published many zero-day exploits for software. BlackHat USA commended his pioneering work in mobile security with a Pwnie Award for Best Research. 36 | 37 | ### Jeroen Willemsen 38 | 39 | Jeroen is a principal security architect with a passion for mobile security and risk management. He has supported companies as a security coach, a security engineer and as a full-stack developer. He loves explaining technical subjects: from security issues to programming challenges. 40 | 41 | 42 | 43 | ## Contributors 44 | 45 | All of our contributors are listed in the Contributing section of the OWASP MAS website: 46 | 47 | 48 | 49 | ## Donators 50 | 51 | While both the MASVS and the MASTG are created and maintained by the community on a voluntary basis, sometimes outside help is required. We therefore thank our donators for providing the funds to be able to hire technical editors. Note that their donation does not influence the content of the MASVS or MASTG in any way. The Donation Packages are described on the [OWASP MAS Website](https://mas.owasp.org/donate/packages/). 52 | 53 | 54 | 55 | 56 | 57 | ## Changelog 58 | 59 | All our Changelogs are available online at the OWASP MASVS GitHub repository, see the Releases page: 60 | 61 | 62 | 63 | ## Copyright and License 64 | 65 | Copyright © The OWASP Foundation. This work is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License](https://creativecommons.org/licenses/by-sa/4.0/ "Creative Commons Attribution-ShareAlike 4.0 International License"). For any reuse or distribution, you must make clear to others the license terms of this work. 66 | 67 | 68 | -------------------------------------------------------------------------------- /Document/03-Using_the_MASVS.md: -------------------------------------------------------------------------------- 1 | # The Mobile Application Security Verification Standard 2 | 3 | The Mobile Application Security Verification Standard (MASVS) is a comprehensive security standard developed by the Open Worldwide Application Security Project (OWASP). This framework provides a clear and concise set of guidelines and best practices for assessing and enhancing the security of mobile applications. The MASVS is designed to be used as a metric, guidance, and baseline for mobile app security verification, serving as a valuable resource for developers, application owners, and security professionals. 4 | 5 | The objective of the MASVS is to establish a high level of confidence in the security of mobile apps by providing a set of controls that address the most common mobile application security issues. These controls were developed with a focus on providing guidance during all phases of mobile app development and testing, and to be used as a baseline for mobile app security verification during procurement. 6 | 7 | By adhering to the controls outlined in the OWASP MASVS, organizations can ensure that their mobile applications are built with security in mind, reducing the risk of security breaches and protecting sensitive user data. Whether used as a metric, guidance, or baseline, the OWASP MASVS is an invaluable tool for enhancing the security of mobile applications. 8 | 9 | The OWASP MASVS is a living document and is regularly updated to reflect the changing threat landscape and new attack vectors. As such, it's important to [stay up-to-date](https://mas.owasp.org/MASVS/) with the latest version of the standard and adapt security measures accordingly. 10 | 11 | ## Mobile Application Security Model 12 | 13 | The standard is divided into various groups that represent the most critical areas of the mobile attack surface. These control groups, labeled **MASVS-XXXXX**, provide guidance and standards for the following areas: 14 | 15 | - **MASVS-STORAGE:** Secure storage of sensitive data on a device (data-at-rest). 16 | - **MASVS-CRYPTO:** Cryptographic functionality used to protect sensitive data. 17 | - **MASVS-AUTH:** Authentication and authorization mechanisms used by the mobile app. 18 | - **MASVS-NETWORK:** Secure network communication between the mobile app and remote endpoints (data-in-transit). 19 | - **MASVS-PLATFORM:** Secure interaction with the underlying mobile platform and other installed apps. 20 | - **MASVS-CODE:** Security best practices for data processing and keeping the app up-to-date. 21 | - **MASVS-RESILIENCE:** Resilience to reverse engineering and tampering attempts. 22 | - **MASVS-PRIVACY:** Privacy controls to protect user privacy. 23 | 24 | Each of these control groups contains individual controls labeled **MASVS-XXXXX-Y**, which provide specific guidance on the particular security measures that need to be implemented to meet the standard. 25 | 26 | ## MAS Testing Profiles 27 | 28 | The MAS project has traditionally provided three verification levels (L1, L2 and R), which were revisited during the MASVS refactoring in 2023, and have been reworked as ["MAS Testing Profiles"](https://docs.google.com/document/d/1paz7dxKXHzAC9MN7Mnln1JiZwBNyg7Gs364AJ6KudEs/edit?usp=sharing) and moved over to the OWASP MASTG. These profiles are now aligned with the [NIST OSCAL (Open Security Controls Assessment Language)](https://pages.nist.gov/OSCAL/) standard, which is a comprehensive catalog of security controls that can be used to secure information systems. 29 | 30 | By aligning with OSCAL, the MASVS provides a more flexible and comprehensive approach to security testing. OSCAL provides a standard format for security control information, which allows for easier sharing and reuse of security controls across different systems and organizations. This allows for a more efficient use of resources and a more targeted approach to mobile app security testing. 31 | 32 | However, it is important to note that implementing these profiles fully or partially should be a risk-based decision made in consultation with business owners. The profiles should be tailored to the specific security risks and requirements of the mobile application being developed, and any deviations from the recommended controls should be carefully justified and documented. 33 | 34 | ## Assumptions 35 | 36 | When using the MASVS, it's important to keep in mind the following assumptions: 37 | 38 | - The MASVS is not a substitute for following secure development best practices, such as secure coding or secure SDLC. These practices should be followed holistically in your development process and the MASVS complements them specifically for mobile apps. 39 | - The MASVS assumes that you've followed the relevant standards of your industry and country for all elements of your app's ecosystem, such as backend servers, IoT, and other companion devices. 40 | - The MASVS is designed to evaluate the security of mobile apps that can be analyzed statically by obtaining the app package, dynamically by running it on a potentially compromised device, and also considers any network-based attacks such as MITM. 41 | 42 | While the OWASP MASVS is an invaluable tool for enhancing the security of mobile applications, it cannot guarantee absolute security. It should be used as a baseline for security requirements, but additional security measures should also be implemented as appropriate to address specific risks and threats to the mobile app. 43 | 44 | ### Security Architecture, Design and Threat Modeling for Mobile Apps 45 | 46 | > The OWASP MASVS assumes that best practices for secure architecture, design, and threat modeling have been followed as a foundation. 47 | 48 | Security must be a top priority throughout all stages of mobile app development, from the initial planning and design phase to deployment and ongoing maintenance. Developers need to follow secure development best practices and ensure that security measures are prioritized to protect sensitive data, comply with policies and regulations, and identify and address security issues that can be targeted by attackers. 49 | 50 | While the MASVS and MASTG focuses on controls and technical test cases for app security assessments, non-technical aspects such as following best practices laid out by [OWASP Software Assurance Maturity Model (SAMM)](https://owaspsamm.org/model/) or [NIST.SP.800-218 Secure Software Development Framework (SSDF)](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf) for secure architecture, design, and threat modeling are still important. The MASVS can also be used as reference and input for a threat model to raise awareness of potential attacks. 51 | 52 | To ensure that these practices are followed, developers can provide documentation or evidence of adherence to these standards, such as design documents, threat models, and security architecture diagrams. Additionally, interviews can be conducted to collect information on adherence to these practices and provide an understanding of the level of compliance with these standards. 53 | 54 | ### Secure App Ecosystem 55 | 56 | > The OWASP MASVS assumes other relevant security standards are also leveraged to ensure that all systems involved in the app's operation meet their applicable requirements. 57 | 58 | Mobile apps often interact with multiple systems, including backend servers, third-party APIs, Bluetooth devices, cars, IoT devices, and more. Each of these systems may introduce their own security risks that must be considered as part of the mobile app's security design and threat modeling. For example, when interacting with a backend server, the [OWASP Application Security Verification Standard (ASVS)](https://owasp.org/www-project-application-security-verification-standard/) should be used to ensure that the server is secure and meets the required security standards. In the case of Bluetooth devices, the app should be designed to prevent unauthorized access, while for cars, the app should be designed to protect the user's data and ensure that there are no safety issues with the car's operation. 59 | 60 | ### Security Knowledge and Expertise 61 | 62 | > The OWASP MASVS assumes a certain level of security knowledge and expertise among developers and security professionals using the standard. It's important to have a good understanding of mobile app security concepts, as well as the relevant tools and techniques used for mobile app security testing and assessment. To support this, the OWASP MAS project also provides the [OWASP Mobile Application Security Testing Guide (MASTG)](https://mas.owasp.org/MASTG/), which provides in-depth guidance on mobile app security testing and assessment. 63 | 64 | Mobile app development is a rapidly evolving field, with new technologies, programming languages, and frameworks constantly emerging. It's essential for developers and security professionals to stay current with these developments, as well as to have a solid foundation in fundamental security principles. 65 | 66 | OWASP SAMM provides a dedicated ["Education & Guidance"](https://owaspsamm.org/model/governance/education-and-guidance/) domain which aims to ensure that all stakeholders involved in the software development lifecycle are aware of the software security risks and are equipped with the knowledge and skills to mitigate these risks. This includes developers, testers, architects, project managers, executives, and other personnel involved in software development and deployment. 67 | 68 | ## Applicability of the MASVS 69 | 70 | By adhering to the MASVS, businesses and developers can ensure that their mobile app are secure and meet industry-standard security requirements, regardless of the development approach used. This is the case for downloadable apps, as the project was traditionally focused on, but the MAS resources and guidelines are also applicable to other areas of the business such as preloaded applications and SDKs. 71 | 72 | ### Native Apps 73 | 74 | Native apps are written in platform-specific languages, such as Java/Kotlin for Android or Objective-C/Swift for iOS. 75 | 76 | ### Cross-Platform and Hybrid Apps 77 | 78 | Apps based on cross-platform (Flutter, React Native, Xamarin, Ionic, etc.) and hybrid (Cordova, PhoneGap, Framework7, Onsen UI, etc.) frameworks may be susceptible to platform-specific vulnerabilities that don't exist in native apps. For example, some JavaScript frameworks may introduce new security issues that don't exist in other programming languages. It is therefore essential to follow the security best practices of the used frameworks. 79 | 80 | The MASVS is agnostic to the type of mobile application being developed. This means that the guidelines and best practices outlined in the MASVS can be applied to all types of mobile apps, including cross-platform and hybrid apps. 81 | 82 | ### Preloads 83 | 84 | Preloaded apps are apps that are installed on a user's device at factory time and may have elevated privileges that leave users vulnerable to exploitative business practices. Given the large number of preloaded apps on an average user's device, it's important to measure their risk in a quantifiable way. 85 | 86 | There are hundreds of preloads that may ship on a device, and as a result, automation is critical. A subset of MAS criteria that is automation-friendly may be a good basis. 87 | 88 | ### SDKs 89 | 90 | SDKs play a vital role in the mobile app value chain, supplying code developers need to build faster, smarter, and more profitably. Developers rely on them heavily, with the average mobile app using 30 SDKs, and 90% of code sourced from third parties. While this widespread use delivers significant benefits to developers, it also propagates safety and security issues. 91 | 92 | SDKs offer a variety of functionality, and should be regarded as an individual project. You should evaluate how the MASVS applies to the used SDKs to ensure the highest possible security testing coverage. 93 | -------------------------------------------------------------------------------- /Document/04-Assessment_and_Certification.md: -------------------------------------------------------------------------------- 1 | # Assessment and Certification 2 | 3 | ## OWASP's Stance on MASVS Certifications and Trust Marks 4 | 5 | OWASP, as a vendor-neutral not-for-profit organization, does not certify any vendors, verifiers or software. 6 | 7 | All such assurance assertions, trust marks, or certifications are not officially vetted, registered, or certified by OWASP, so an organization relying upon such a view needs to be cautious of the trust placed in any third party or trust mark claiming (M)ASVS certification. 8 | 9 | This should not inhibit organizations from offering such assurance services, as long as they do not claim official OWASP certification. 10 | 11 | ## Guidance for Certifying Mobile Apps 12 | 13 | The recommended way of verifying compliance of a mobile app with the MASVS is by performing an "open book" review, meaning that the testers are granted access to key resources such as architects and developers of the app, project documentation, source code, and authenticated access to endpoints, including access to at least one user account for each role. 14 | 15 | It is important to note that the MASVS only covers the security of the mobile app (client-side). It does not contain specific controls for the remote endpoints (e.g. web services) associated with the app and they should be verified against appropriate standards, such as the [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/). 16 | 17 | A certifying organization must include in any report the scope of the verification (particularly if a key component is out of scope), a summary of verification findings, including passed and failed tests, with clear indications of how to resolve the failed tests. Keeping detailed work papers, screenshots or recording, scripts to reliably and repeatedly exploit an issue, and electronic records of testing, such as intercepting proxy logs and associated notes such as a cleanup list, is considered standard industry practice. It is not sufficient to simply run a tool and report on the failures; this does not provide sufficient evidence that all issues at a certifying level have been tested and tested thoroughly. In case of dispute, there should be sufficient supportive evidence to demonstrate that every verified control has indeed been tested. 18 | 19 | ### Using the OWASP Mobile Application Security Testing Guide (MASTG) 20 | 21 | The [OWASP MASTG](https://mas.owasp.org/MASTG/) is a manual for testing the security of mobile apps. It describes the technical processes for verifying the controls listed in the MASVS. The MASTG includes a list of test cases, each of which map to a control in the MASVS. While the MASVS controls are high-level and generic, the MASTG provides in-depth recommendations and testing procedures on a per-mobile-OS basis. 22 | 23 | Testing the app's remote endpoints is not covered in the MASTG. For example: 24 | 25 | - **Remote Endpoints**: The [OWASP Web Security Testing Guide (WSTG)](https://owasp.org/www-project-web-security-testing-guide/) is a comprehensive guide with detailed technical explanation and guidance for testing the security of web applications and web services holistically and can be used in addition to other relevant resources to complement the mobile app security testing exercise. 26 | - **Internet of Things (IoT)**: The [OWASP IoT Security Testing Guide (ISTG)](https://owasp.org/owasp-istg/) provides a comprehensive methodology for penetration tests in the IoT field offering flexibility to adapt innovations and developments on the IoT market while still ensuring comparability of test results. The guide provides an understanding of communication between manufacturers and operators of IoT devices as well as penetration testing teams that's facilitated by establishing a common terminology. 27 | 28 | ### The Role of Automated Security Testing Tools 29 | 30 | The use of source code scanners and black-box testing tools is encouraged in order to increase efficiency whenever possible. It is however not possible to complete MASVS verification using automated tools alone, since every mobile app is different. In order to fully verify the security of the app it is essential to understand the overall architecture, business logic, and technical pitfalls of the specific technologies and frameworks being used. 31 | 32 | ## Other Uses 33 | 34 | ### As Detailed Security Architecture Guidance 35 | 36 | One of the more common uses for the Mobile Application Security Verification Standard is as a resource for security architects. The two major security architecture frameworks, SABSA or TOGAF, are missing a great deal of information that is necessary to complete mobile application security architecture reviews. MASVS can be used to fill in those gaps by allowing security architects to choose better controls for issues common to mobile apps. 37 | 38 | ### As a Replacement for Off-the-shelf Secure Coding Checklists 39 | 40 | Many organizations can benefit from adopting the MASVS, by choosing one of the two levels, or by forking MASVS and changing what is required for each application's risk level in a domain-specific way. We encourage this type of forking as long as traceability is maintained, so that if an app has passed control 4.1, this means the same thing for forked copies as the standard evolves. 41 | 42 | ### As a Basis for Security Testing Methodologies 43 | 44 | A good mobile app security testing methodology should cover all controls listed in the MASVS. The OWASP Mobile Application Security Testing Guide (MASTG) describes black-box and white-box test cases for each verification control. 45 | 46 | ### As a Guide for Automated Unit and Integration Tests 47 | 48 | The MASVS is designed to be highly testable, with the sole exception of architectural controls. Automated unit, integration and acceptance testing based on the MASVS controls can be integrated in the continuous development lifecycle. This not only increases developer security awareness, but also improves the overall quality of the resulting apps, and reduces the amount of findings during security testing in the pre-release phase. 49 | 50 | ### For Secure Development Training 51 | 52 | MASVS can also be used to define characteristics of secure mobile apps. Many "secure coding" courses are simply ethical hacking courses with a light smear of coding tips. This does not help developers. Instead, secure development courses can use the MASVS, with a strong focus on the proactive controls documented in the MASVS, rather than e.g. the Top 10 code security issues. 53 | -------------------------------------------------------------------------------- /Document/05-MASVS-STORAGE.md: -------------------------------------------------------------------------------- 1 | # MASVS-STORAGE: Storage 2 | 3 | Mobile applications handle a wide variety of sensitive data, such as personally identifiable information (PII), cryptographic material, secrets, and API keys, that often need to be stored locally. This sensitive data may be stored in private locations, such as the app's internal storage, or in public folders that are accessible by the user or other apps installed on the device. However, sensitive data can also be unintentionally stored or exposed to publicly accessible locations, typically as a side-effect of using certain APIs or system capabilities such as backups or logs. 4 | 5 | This category is designed to help developers ensure that any sensitive data intentionally stored by the app is properly protected, regardless of the target location. It also covers unintentional leaks that can occur due to improper use of APIs or system capabilities. 6 | -------------------------------------------------------------------------------- /Document/06-MASVS-CRYPTO.md: -------------------------------------------------------------------------------- 1 | # MASVS-CRYPTO: Cryptography 2 | 3 | Cryptography is essential for mobile apps because mobile devices are highly portable and can be easily lost or stolen. This means that an attacker who gains physical access to a device can potentially access all the sensitive data stored on it, including passwords, financial information, and personally identifiable information. Cryptography provides a means of protecting this sensitive data by encrypting it so that it cannot be easily read or accessed by an unauthorized user. 4 | 5 | The purpose of the controls in this category is to ensure that the verified app uses cryptography according to industry best practices, which are typically defined in external standards such as [NIST.SP.800-175B](https://csrc.nist.gov/publications/detail/sp/800-175b/rev-1/final) and [NIST.SP.800-57](https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final). This category also focuses on the management of cryptographic keys throughout their lifecycle, including key generation, storage, and protection. Poor key management can compromise even the strongest cryptography, so it is crucial for developers to follow the recommended best practices to ensure the security of their users' sensitive data. 6 | -------------------------------------------------------------------------------- /Document/07-MASVS-AUTH.md: -------------------------------------------------------------------------------- 1 | # MASVS-AUTH: Authentication and Authorization 2 | 3 | Authentication and authorization are essential components of most mobile apps, especially those that connect to a remote service. These mechanisms provide an added layer of security and help prevent unauthorized access to sensitive user data. Although the enforcement of these mechanisms must be on the remote endpoint, it is equally important for the app to follow relevant best practices to ensure the secure use of the involved protocols. 4 | 5 | Mobile apps often use different forms of authentication, such as biometrics, PIN, or multi-factor authentication code generators, to validate user identity. These mechanisms must be implemented correctly to ensure their effectiveness in preventing unauthorized access. Additionally, some apps may rely solely on local app authentication and may not have a remote endpoint. In such cases, it is critical to ensure that local authentication mechanisms are secure and implemented following industry best practices. 6 | 7 | The controls in this category aim to ensure that the app implements authentication and authorization mechanisms securely, protecting sensitive user information and preventing unauthorized access. It is important to note that the security of the remote endpoint should also be validated using industry standards such as the [OWASP Application Security Verification Standard (ASVS)](https://owasp.org/www-project-application-security-verification-standard/). 8 | -------------------------------------------------------------------------------- /Document/08-MASVS-NETWORK.md: -------------------------------------------------------------------------------- 1 | # MASVS-NETWORK: Network Communication 2 | 3 | Secure networking is a critical aspect of mobile app security, particularly for apps that communicate over the network. In order to ensure the confidentiality and integrity of data in transit, developers typically rely on encryption and authentication of the remote endpoint, such as through the use of TLS. However, there are numerous ways in which a developer may accidentally disable the platform secure defaults or bypass them entirely by utilizing low-level APIs or third-party libraries. 4 | 5 | This category is designed to ensure that the mobile app sets up secure connections under any circumstances. Specifically, it focuses on verifying that the app establishes a secure, encrypted channel for network communication. Additionally, this category covers situations where a developer may choose to trust only specific Certificate Authorities (CAs), which is commonly referred to as certificate pinning or public key pinning. 6 | -------------------------------------------------------------------------------- /Document/09-MASVS-PLATFORM.md: -------------------------------------------------------------------------------- 1 | # MASVS-PLATFORM: Platform Interaction 2 | 3 | The security of mobile apps heavily depends on their interaction with the mobile platform, which often involves exposing data or functionality intentionally through the use of platform-provided inter-process communication (IPC) mechanisms and WebViews to enhance the user experience. However, these mechanisms can also be exploited by attackers or other installed apps, potentially compromising the app's security. 4 | 5 | Furthermore, sensitive data, such as passwords, credit card details, and one-time passwords in notifications, is often displayed in the app's user interface. It is essential to ensure that this data is not unintentionally leaked through platform mechanisms such as auto-generated screenshots or accidental disclosure through shoulder surfing or device sharing. 6 | 7 | This category comprises controls that ensure the app's interactions with the mobile platform occur securely. These controls cover the secure use of platform-provided IPC mechanisms, WebView configurations to prevent sensitive data leakage and functionality exposure, and secure display of sensitive data in the app's user interface. By implementing these controls, mobile app developers can safeguard sensitive user information and prevent unauthorized access by attackers. 8 | -------------------------------------------------------------------------------- /Document/10-MASVS-CODE.md: -------------------------------------------------------------------------------- 1 | # MASVS-CODE: Code Quality 2 | 3 | Mobile apps have many data entry points, including the UI, IPC, network, and file system, which might receive data that has been inadvertently modified by untrusted actors. By treating this data as untrusted input and properly verifying and sanitizing it before use, developers can prevent classical injection attacks, such as SQL injection, XSS, or insecure deserialization. However, other common coding vulnerabilities, such as memory corruption flaws, are hard to detect in penetration testing but easy to prevent with secure architecture and coding practices. Developers should follow best practices such as the [OWASP Software Assurance Maturity Model (SAMM)](https://owaspsamm.org/model/) and [NIST.SP.800-218 Secure Software Development Framework (SSDF)](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf) to avoid introducing these flaws in the first place. 4 | 5 | This category covers coding vulnerabilities that arise from external sources such as app data entry points, the OS, and third-party software components. Developers should verify and sanitize all incoming data to prevent injection attacks and bypass of security checks. They should also enforce app updates and ensure that the app runs up-to-date platforms to protect users from known vulnerabilities. 6 | -------------------------------------------------------------------------------- /Document/11-MASVS-RESILIENCE.md: -------------------------------------------------------------------------------- 1 | # MASVS-RESILIENCE: Resilience Against Reverse Engineering and Tampering 2 | 3 | Defense-in-depth measures such as code obfuscation, anti-debugging, anti-tampering, etc. are important to increase app resilience against reverse engineering and specific client-side attacks. They add multiple layers of security controls to the app, making it more difficult for attackers to successfully reverse engineer and extract valuable intellectual property or sensitive data from it, which could result in: 4 | 5 | - The theft or compromise of valuable business assets such as proprietary algorithms, trade secrets, or customer data 6 | - Significant financial losses due to loss of revenue or legal action 7 | - Legal and reputational damage due to breach of contracts or regulations 8 | - Damage to brand reputation due to negative publicity or customer dissatisfaction 9 | 10 | The controls in this category aim to ensure that the app is running on a trusted platform, prevent tampering at runtime and ensure the integrity of the app's intended functionality. Additionally, the controls impede comprehension by making it difficult to figure out how the app works using static analysis and prevent dynamic analysis and instrumentation that could allow an attacker to modify the code at runtime. 11 | 12 | Note, however, that **the absence of any of these measures does not necessarily cause vulnerabilities** - instead, they provide additional threat-specific protection. **All apps must also fulfill the rest of the OWASP MASVS** security controls according to their specific threat models. 13 | -------------------------------------------------------------------------------- /Document/12-MASVS-PRIVACY.md: -------------------------------------------------------------------------------- 1 | # MASVS-PRIVACY: Privacy 2 | 3 | The main goal of MASVS-PRIVACY is to provide a **baseline for user privacy**. It is not intended to cover all aspects of user privacy, especially when other standards and regulations such as ENISA or the GDPR already do that. We focus on the app itself, looking at what can be tested using information that's publicly available or found within the app through methods like static or dynamic analysis. 4 | 5 | While some associated tests can be automated, others necessitate manual intervention due to the nuanced nature of privacy. For example, if an app collects data that it didn't mention in the app store or its privacy policy, it takes careful manual checking to spot this. 6 | 7 | > **Note on "Data Collection and Sharing"**:For the MASTG tests, we treat "Collect" and "Share" in a unified manner. This means that whether the app is sending data to another server or transferring it to another app on the device, we view it as data that's potentially leaving the user's control. Validating what happens to the data on remote endpoints is challenging and often not feasible due to access restrictions and the dynamic nature of server-side operations. Therefore, this issue is outside of the scope of the MASVS. 8 | 9 | **IMPORTANT DISCLAIMER**: 10 | 11 | MASVS-PRIVACY is not intended to serve as an exhaustive or exclusive reference. While it provides valuable guidance on app-centric privacy considerations, it should never replace comprehensive assessments, such as a Data Protection Impact Assessment (DPIA) mandated by the General Data Protection Regulation (GDPR) or other pertinent legal and regulatory frameworks. Stakeholders are strongly advised to undertake a holistic approach to privacy, integrating MASVS-PRIVACY insights with broader assessments to ensure comprehensive data protection compliance. Given the specialized nature of privacy regulations and the complexity of data protection, these assessments are best conducted by privacy experts rather than security experts. 12 | -------------------------------------------------------------------------------- /Document/CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | ## V1.3.1 and newer 4 | 5 | All our Changelogs are available online at the OWASP MASVS GitHub repository, see the [Releases page](https://github.com/OWASP/owasp-masvs/releases). 6 | 7 | ## V1.3 - 13 May 2021 8 | 9 | We are proud to announce the introduction of a new document build pipeline, which is a major milestone for our project. The build pipeline is based on [Pandocker](https://github.com/dalibo/pandocker) and [Github Actions](https://github.com/OWASP/owasp-masvs/tree/master/.github/workflows). 10 | This significantly reduces the time spent on creating new releases and will also be the foundation for the OWASP MSTG and will be made available for the OWASP ASVS project. 11 | 12 | ### Changes 13 | 14 | - 4 more translations are available, which are Hindi, Farsi, Portuguese and Brazilian Portuguese 15 | - Added requirement MSTG-PLATFORM-11 16 | 17 | ### Special Thanks 18 | 19 | - Jeroen Willemsen for kick-starting this initiative last year! 20 | - Damien Clochard and Dalibo for supporting and professionalizing the build pipeline. 21 | - All our Hindi, Farsi, Portuguese and Brazilian Portuguese collaborators for the excellent translation work. 22 | 23 | ## V1.2 - 7 March 2020 - International Release 24 | 25 | The following changes are part of release 1.2: 26 | 27 | - Translation in simplified Chinese of the MASVS available. 28 | - Change of title in MASVS book cover. 29 | - Removed Mobile Top 10 and CWE from MSTG and merged to existing references in MASVS. 30 | 31 | ## V1.2-RC - 5 October 2019 - Pre-release (English only) 32 | 33 | The following changes are part of pre-release 1.2: 34 | 35 | - Promoted to flagship status. 36 | - Requirement changed: MSTG-STORAGE-1 "need to be used". 37 | - Requirements MSTG-STORAGE-13, MSTG-STORAGE-14, and MSTG-STORAGE-15 are added with a focus on data protection. 38 | - Requirement MSTG-AUTH-11 is updated to preserve contextual information. 39 | - Requirement MSTG-CODE-4 is updated to cover more than just debugging. 40 | - Requirement MSTG-PLATFORM-10 added to further secure usage of WebViews. 41 | - Requirement MSTG-AUTH-12 added to remind developers of having authorizations implemented, especially in case of multi-user apps. 42 | - Added a little more description on how the MASVS should be used given a risk assessment. 43 | - Added a little more description on paid content. 44 | - Requirement MSTG-ARCH-11 added to include a Responsible Disclosure policy for L2 applications. 45 | - Requirement MSTG-ARCH-12 added to show application developers that relevant international privacy laws should be followed. 46 | - Created a consistent style for all references in the English version. 47 | - Requirement MSTG-PLATFORM-11 added to counter spying via third party keyboards. 48 | - Requirement MSTG-MSTG-RESILIENCE-13 added to impede eavesdropping at an application. 49 | 50 | ## V1.1.4 - 4 July 2019 - Summit edition 51 | 52 | The following changes are part of release 1.1.4: 53 | 54 | - Fix all markdown issues. 55 | - Updates in the French and Spanish translations. 56 | - Translated the changelog to Chinese (ZHTW) and Japanese. 57 | - Automated verification of the the markdown syntax and reachability of the URLs. 58 | - Added identification codes to the requirements, which will be included in the future version of the MSTG in order to find the recommendations and testcases easily. 59 | - Reduced the repo size and added Generated to the .gitignore. 60 | - Added a Code of Conduct & Contributing guidelines. 61 | - Added a Pull-Request template. 62 | - Updated the sync with the repo in use for hosting the Gitbook website. 63 | - Updated the scripts to generate XML/JSON/CSV for all the translations. 64 | - Translated the Foreword to Chinese (ZHTW). 65 | 66 | ## V1.1.3 - 9 January 2019 - Small fixes 67 | 68 | - Fix translation issue of requirement 7.1 in the Spanish version 69 | - New setup of translators in acknowledgements 70 | 71 | ## V1.1.2 - 3 January 2019 - Sponsorship and internationalization 72 | 73 | The following changes are part of release 1.1.2: 74 | 75 | - Added thank you note for buyers of the e-book. 76 | - Added missing authentication link & updated broken authentication link in V4. 77 | - Fixed swap of 4.7 and 4.8 in English. 78 | - First international release! 79 | - Fixes in Spanish translation. Translation is now in sync with English (1.1.2). 80 | - Fixes in Russian translation. Translation is now in sync with English (1.1.2). 81 | - Added first release of Chinese (ZHTW) French, German, and Japanese! 82 | - Simplified document for ease of translation. 83 | - Added instructions for automated releases. 84 | 85 | ## V1.1.0 - 14 July 2018 86 | 87 | The following changes are part of release 1.1: 88 | 89 | - Requirement 2.6 "The clipboard is deactivated on text fields that may contain sensitive data." was removed. 90 | - Requirement 2.2 "No sensitive data should be stored outside of the app container or system credential storage facilities." was added. 91 | - Requirement 2.1 was reworded to "System credential storage facilities are used appropriately to store sensitive data, such as PII, user credentials or cryptographic keys.". 92 | 93 | ## V1.0 12 - January 2018 94 | 95 | The following changes are part of release 1.0: 96 | 97 | - Delete 8.9 as the same as 8.12 98 | - Made 4.6 more generic 99 | - Minor fixes (typos etc.) 100 | -------------------------------------------------------------------------------- /Document/book.json: -------------------------------------------------------------------------------- 1 | { 2 | "root" : ".", 3 | 4 | "structure": { 5 | "readme": "0x01-Foreword.md" 6 | }, 7 | 8 | "language": "en" 9 | } 10 | -------------------------------------------------------------------------------- /Document/images/CC-license.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/owasp-masvs/30a85aa928c16a2e0e58864a845ca8d9a528eaa9/Document/images/CC-license.png -------------------------------------------------------------------------------- /Document/images/donators.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/owasp-masvs/30a85aa928c16a2e0e58864a845ca8d9a528eaa9/Document/images/donators.png -------------------------------------------------------------------------------- /Document/images/masvs-levels-new.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/owasp-masvs/30a85aa928c16a2e0e58864a845ca8d9a528eaa9/Document/images/masvs-levels-new.jpg -------------------------------------------------------------------------------- /Document/images/open_website.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/owasp-masvs/30a85aa928c16a2e0e58864a845ca8d9a528eaa9/Document/images/open_website.png -------------------------------------------------------------------------------- /Document/images/owasp_mas_header.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/owasp-masvs/30a85aa928c16a2e0e58864a845ca8d9a528eaa9/Document/images/owasp_mas_header.png -------------------------------------------------------------------------------- /Document/images/trusted-by-logos.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/owasp-masvs/30a85aa928c16a2e0e58864a845ca8d9a528eaa9/Document/images/trusted-by-logos.png -------------------------------------------------------------------------------- /Document/metadata.md: -------------------------------------------------------------------------------- 1 | --- 2 | # This is the main metadata file. 3 | # Variables below can be overwritten by the local metadata 4 | # file (e.g. Document-fr/metadata.md) 5 | 6 | # Custom Template variables (cover, first page, etc.) 7 | version: 'SNAPSHOT' # this will overridden at build time 8 | languagetext: '' 9 | 10 | mainfont: 'DejaVu Sans' 11 | sansfont: 'DejaVu Sans' 12 | monofont: 'DejaVu Sans Mono' 13 | 14 | # General variables 15 | toc: true 16 | toc-depth: 2 17 | # numbersections: true 18 | # secnumdepth: 2 19 | linkcolor: blue 20 | 21 | # Language variables 22 | lang: 'en' 23 | 24 | # Latex variables 25 | 26 | # Eisvogel Latex variables 27 | # https://github.com/Wandmalfarbe/pandoc-latex-template#custom-template-variables 28 | code-block-font-size: '\tiny' 29 | 30 | table-use-row-colors: true 31 | geometry: "top=1cm,left=1cm,right=2cm,bottom=4cm" 32 | --- 33 | -------------------------------------------------------------------------------- /License.md: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: CC-BY-SA-4.0 2 | 3 | # Attribution-ShareAlike 4.0 International 4 | 5 | Creative Commons Corporation (“Creative Commons”) is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an “as-is” basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible. 6 | 7 | ## Using Creative Commons Public Licenses 8 | 9 | Creative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses. 10 | 11 | - **Considerations for licensors:** Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. [More considerations for licensors](http://wiki.creativecommons.org/Considerations_for_licensors_and_licensees#Considerations_for_licensors). 12 | 13 | - **Considerations for the public:** By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensor’s permission is not necessary for any reason–for example, because of any applicable exception or limitation to copyright–then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described. Although not required by our licenses, you are encouraged to respect those requests where reasonable. [More considerations for the public](http://wiki.creativecommons.org/Considerations_for_licensors_and_licensees#Considerations_for_licensees). 14 | 15 | ## Creative Commons Attribution-ShareAlike 4.0 International Public License 16 | 17 | By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-ShareAlike 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions. 18 | 19 | ### Section 1 – Definitions 20 | 21 | a. **Adapted Material** means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image. 22 | 23 | b. **Adapter's License** means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License. 24 | 25 | c. **BY-SA Compatible License** means a license listed at [creativecommons.org/compatiblelicenses](http://creativecommons.org/compatiblelicenses), approved by Creative Commons as essentially the equivalent of this Public License. 26 | 27 | d. **Copyright and Similar Rights** means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights. 28 | 29 | e. **Effective Technological Measures** means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements. 30 | 31 | f. **Exceptions and Limitations** means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material. 32 | 33 | g. **License Elements** means the license attributes listed in the name of a Creative Commons Public License. The License Elements of this Public License are Attribution and ShareAlike. 34 | 35 | h. **Licensed Material** means the artistic or literary work, database, or other material to which the Licensor applied this Public License. 36 | 37 | i. **Licensed Rights** means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license. 38 | 39 | j. **Licensor** means the individual(s) or entity(ies) granting rights under this Public License. 40 | 41 | k. **Share** means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them. 42 | 43 | l. **Sui Generis Database Rights** means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world. 44 | 45 | m. **You** means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning. 46 | 47 | ### Section 2 – Scope 48 | 49 | a. _**License grant.**_ 50 | 51 | 1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to: 52 | 53 | A. reproduce and Share the Licensed Material, in whole or in part; and 54 | 55 | B. produce, reproduce, and Share Adapted Material. 56 | 57 | 2. **Exceptions and Limitations.** For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions. 58 | 59 | 3. **Term.** The term of this Public License is specified in Section 6(a). 60 | 61 | 4. **Media and formats; technical modifications allowed.** The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material. 62 | 63 | 5. **Downstream recipients.** 64 | 65 | A. **Offer from the Licensor – Licensed Material.** Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License. 66 | 67 | B. **Additional offer from the Licensor – Adapted Material.** Every recipient of Adapted Material from You automatically receives an offer from the Licensor to exercise the Licensed Rights in the Adapted Material under the conditions of the Adapter’s License You apply. 68 | 69 | C. **No downstream restrictions.** You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material. 70 | 71 | 6. **No endorsement.** Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i). 72 | 73 | b. _**Other rights.**_ 74 | 75 | 1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise. 76 | 77 | 2. Patent and trademark rights are not licensed under this Public License. 78 | 79 | 3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties. 80 | 81 | ### Section 3 – License Conditions 82 | 83 | Your exercise of the Licensed Rights is expressly made subject to the following conditions. 84 | 85 | a. _**Attribution.**_ 86 | 87 | 1. If You Share the Licensed Material (including in modified form), You must: 88 | 89 | A. retain the following if it is supplied by the Licensor with the Licensed Material: 90 | 91 | i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated); 92 | 93 | ii. a copyright notice; 94 | 95 | iii. a notice that refers to this Public License; 96 | 97 | iv. a notice that refers to the disclaimer of warranties; 98 | 99 | v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable; 100 | 101 | B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and 102 | 103 | C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License. 104 | 105 | 2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information. 106 | 107 | 3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable. 108 | 109 | b. _**ShareAlike.**_ 110 | 111 | In addition to the conditions in Section 3(a), if You Share Adapted Material You produce, the following conditions also apply. 112 | 113 | 1. The Adapter’s License You apply must be a Creative Commons license with the same License Elements, this version or later, or a BY-SA Compatible License. 114 | 115 | 2. You must include the text of, or the URI or hyperlink to, the Adapter's License You apply. You may satisfy this condition in any reasonable manner based on the medium, means, and context in which You Share Adapted Material. 116 | 117 | 3. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, Adapted Material that restrict exercise of the rights granted under the Adapter's License You apply. 118 | 119 | ### Section 4 – Sui Generis Database Rights 120 | 121 | Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material: 122 | 123 | a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database; 124 | 125 | b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material, including for purposes of Section 3(b); and 126 | 127 | c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database. 128 | 129 | For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights. 130 | 131 | ### Section 5 – Disclaimer of Warranties and Limitation of Liability 132 | 133 | a. **Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.** 134 | 135 | b. **To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.** 136 | 137 | c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability. 138 | 139 | ### Section 6 – Term and Termination 140 | 141 | a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically. 142 | 143 | b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates: 144 | 145 | 1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or 146 | 147 | 2. upon express reinstatement by the Licensor. 148 | 149 | For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License. 150 | 151 | c. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License. 152 | 153 | d. Sections 1, 5, 6, 7, and 8 survive termination of this Public License. 154 | 155 | ### Section 7 – Other Terms and Conditions 156 | 157 | a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed. 158 | 159 | b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License. 160 | 161 | ### Section 8 – Interpretation 162 | 163 | a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License. 164 | 165 | b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions. 166 | 167 | c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor. 168 | 169 | d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority. 170 | 171 | > Creative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” The text of the Creative Commons public licenses is dedicated to the public domain under the [CC0 Public Domain Dedication](https://creativecommons.org/publicdomain/zero/1.0/legalcode). Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at [creativecommons.org/policies](http://creativecommons.org/policies), Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses. 172 | > 173 | > Creative Commons may be contacted at creativecommons.org. 174 | -------------------------------------------------------------------------------- /PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | This PR covers issue #< insert number here >. 2 | 3 | --- 4 | 5 | > Note: Thank you for submitting a Pull Request to the OWASP MASVS repo! By opening a PR you're agreeing with our [contribution guidelines](https://github.com/OWASP/owasp-masvs/blob/master/CONTRIBUTING.md "Contribution guidelines"). 6 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # OWASP Mobile Application Security Verification Standard (MASVS) 4 | 5 | [![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-48A646.svg)](https://owasp.org/projects/) 6 | [![Creative Commons License](https://img.shields.io/github/license/OWASP/owasp-masvs)](https://creativecommons.org/licenses/by-sa/4.0/ "CC BY-SA 4.0") 7 | 8 | [![MASVS Build](https://github.com/OWASP/owasp-masvs/workflows/MASVS%20Build/badge.svg)](https://github.com/OWASP/owasp-masvs/actions/workflows/docgenerator.yml) 9 | [![Markdown Linter](https://github.com/OWASP/owasp-masvs/workflows/Markdown%20Linter/badge.svg)](https://github.com/OWASP/owasp-masvs/actions/workflows/markdown-linter.yml) 10 | [![URL Checker](https://github.com/OWASP/owasp-masvs/workflows/URL%20Checker/badge.svg)](https://github.com/OWASP/owasp-masvs/actions/workflows/url-checker.yml) 11 | 12 | This is the official Github Repository of the OWASP Mobile Application Security Verification Standard (MASVS). The MASVS establishes baseline security requirements for mobile apps that are useful in many scenarios. You can use it: 13 | 14 | - As a metric - To provide a security standard against which existing mobile apps can be compared by developers and application owners. 15 | - As guidance - To provide guidance during all phases of mobile app development and testing. 16 | - During procurement - To provide a baseline for mobile app security verification. 17 | 18 | The MASVS is a sister project of the [OWASP Mobile Application Security Testing Guide](https://github.com/OWASP/owasp-mastg "OWASP Mobile Application Security Testing Guide"). 19 | 20 |
21 | 22 |
23 | 24 | 25 | 26 |
27 | 28 |
29 | 30 | - 🌐 [Access the MASVS Web](https://mas.owasp.org/MASVS/) 31 | - ⬇️ [Download the latest PDF](https://github.com/OWASP/owasp-masvs/releases/latest) 32 | - ✅ [Get the latest Mobile App Security Checklists](https://github.com/OWASP/owasp-mastg/releases/latest) 33 | - ⚡ [Contribute!](#how-to-contribute) 34 | - 💥 [Play with our Crackmes](https://mas.owasp.org/crackmes) 35 | 36 | ## Trusted by ... 37 | 38 | The OWASP MASVS and MASTG are trusted by the following platform providers and standardization, governmental and educational institutions. [Learn more](https://mas.owasp.org/MASTG/0x02b-MASVS-MASTG-Adoption/). 39 | 40 | 41 | 42 | 43 | 44 | ## 🥇 MAS Advocates 45 | 46 | MAS Advocates are industry adopters of the OWASP MASVS and MASTG who have invested a significant and consistent amount of resources to push the project forward by providing consistent high-impact contributions and continuously spreading the word. [Learn more](https://mas.owasp.org/MASTG/0x02c-Acknowledgements). 47 | 48 |
49 | 50 | 51 | 52 | 53 | 54 | 55 |

56 | 57 | ## Connect with Us 58 | 59 | 60 | 61 | ## How to Contribute 62 | 63 | The MASVS is an open source effort and we welcome all kinds of contributions and feedback. 64 | 65 | **Help us improve & join our community:** 66 | 67 | - 🐞 [Report an error (typos, grammar)](https://github.com/OWASP/owasp-masvs/issues) or [fix it on a Pull Request](https://github.com/OWASP/owasp-masvs/pulls). 68 | - 💬 [Give feedback](https://github.com/OWASP/owasp-masvs/discussions/categories/general). 69 | - 🙏 [Ask questions](https://github.com/OWASP/owasp-masvs/discussions/categories/q-a) 70 | 71 | **Contribute with content:** 72 | 73 | - 💡 [Propose ideas or suggest improvements](https://github.com/OWASP/owasp-masvs/discussions/categories/ideas) (if it qualifies we'll promote it to an [Issue](https://github.com/OWASP/owasp-masvs/issues "Github issues")) 74 | - 📄 [Create a Pull Request](https://github.com/OWASP/owasp-masvs/pulls) for concrete fixes (e.g. grammar/typos) or content already approved by the core team. 75 | 76 | Before you start contributing, please check our [contribution guide](https://mas.owasp.org/contributing/) which should get you started. If you have any doubts [please contact us](#connect-with-us). 77 | -------------------------------------------------------------------------------- /book.json: -------------------------------------------------------------------------------- 1 | { 2 | "root" : ".", 3 | "plugins" : [ "anchors" ], 4 | 5 | "structure": { 6 | "readme": "0x01-Foreword.md" 7 | }, 8 | 9 | "title" : "OWASP Mobile Application Security Verification Standard", 10 | "description": "The MASVS is The MASVS is a framework of security requirements needed to design, develop and test secure mobile apps.", 11 | "pdf":{ 12 | "fontFamily":"Cambria, calibri", 13 | "font-size":11 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /controls/MASVS-AUTH-1.md: -------------------------------------------------------------------------------- 1 | # MASVS-AUTH-1 2 | 3 | ## Control 4 | 5 | The app uses secure authentication and authorization protocols and follows the relevant best practices. 6 | 7 | ## Description 8 | 9 | Most apps connecting to a remote endpoint require user authentication and also enforce some kind of authorization. While the enforcement of these mechanisms must be on the remote endpoint, the apps also have to ensure that it follows all the relevant best practices to ensure a secure use of the involved protocols. 10 | -------------------------------------------------------------------------------- /controls/MASVS-AUTH-2.md: -------------------------------------------------------------------------------- 1 | # MASVS-AUTH-2 2 | 3 | ## Control 4 | 5 | The app performs local authentication securely according to the platform best practices. 6 | 7 | ## Description 8 | 9 | Many apps allow users to authenticate via biometrics or a local PIN code. These authentication mechanisms need to be correctly implemented. Additionally, some apps might not have a remote endpoint, and rely fully on local app authentication. 10 | -------------------------------------------------------------------------------- /controls/MASVS-AUTH-3.md: -------------------------------------------------------------------------------- 1 | # MASVS-AUTH-3 2 | 3 | ## Control 4 | 5 | The app secures sensitive operations with additional authentication. 6 | 7 | ## Description 8 | 9 | Some additional form of authentication is often desirable for sensitive actions inside the app. This can be done in different ways (biometric, pin, MFA code generator, email, deep links, etc) and they all need to be implemented securely. 10 | -------------------------------------------------------------------------------- /controls/MASVS-CODE-1.md: -------------------------------------------------------------------------------- 1 | # MASVS-CODE-1 2 | 3 | ## Control 4 | 5 | The app requires an up-to-date platform version. 6 | 7 | ## Description 8 | 9 | Every release of the mobile OS includes security patches and new security features. By supporting older versions, apps stay vulnerable to well-known threats. This control ensures that the app is running on an up-to-date platform version so that users have the latest security protections. 10 | -------------------------------------------------------------------------------- /controls/MASVS-CODE-2.md: -------------------------------------------------------------------------------- 1 | # MASVS-CODE-2 2 | 3 | ## Control 4 | 5 | The app has a mechanism for enforcing app updates. 6 | 7 | ## Description 8 | 9 | Sometimes critical vulnerabilities are discovered in the app when it is already in production. This control ensures that there is a mechanism to force the users to update the app before they can continue using it. 10 | -------------------------------------------------------------------------------- /controls/MASVS-CODE-3.md: -------------------------------------------------------------------------------- 1 | # MASVS-CODE-3 2 | 3 | ## Control 4 | 5 | The app only uses software components without known vulnerabilities. 6 | 7 | ## Description 8 | 9 | To be truly secure, a full whitebox assessment should have been performed on all app components. However, as it usually happens with e.g. for third-party components this is not always feasible and not typically part of a penetration test. This control covers "low-hanging fruit" cases, such as those that can be detected just by scanning libraries for known vulnerabilities. 10 | -------------------------------------------------------------------------------- /controls/MASVS-CODE-4.md: -------------------------------------------------------------------------------- 1 | # MASVS-CODE-4 2 | 3 | ## Control 4 | 5 | The app validates and sanitizes all untrusted inputs. 6 | 7 | ## Description 8 | 9 | Apps have many data entry points including the UI, IPC, the network, the file system, etc. This incoming data might have been inadvertently modified by untrusted actors and may lead to bypass of critical security checks as well as classical injection attacks such as SQL injection, XSS or insecure deserialization. This control ensures that this data is treated as untrusted input and is properly verified and sanitized before it's used. 10 | -------------------------------------------------------------------------------- /controls/MASVS-CRYPTO-1.md: -------------------------------------------------------------------------------- 1 | # MASVS-CRYPTO-1 2 | 3 | ## Control 4 | 5 | The app employs current strong cryptography and uses it according to industry best practices. 6 | 7 | ## Description 8 | 9 | Cryptography plays an especially important role in securing the user's data - even more so in a mobile environment, where attackers having physical access to the user's device is a likely scenario. This control covers general cryptography best practices, which are typically defined in external standards. 10 | -------------------------------------------------------------------------------- /controls/MASVS-CRYPTO-2.md: -------------------------------------------------------------------------------- 1 | # MASVS-CRYPTO-2 2 | 3 | ## Control 4 | 5 | The app performs key management according to industry best practices. 6 | 7 | ## Description 8 | 9 | Even the strongest cryptography would be compromised by poor key management. This control covers the management of cryptographic keys throughout their lifecycle, including key generation, storage and protection. 10 | -------------------------------------------------------------------------------- /controls/MASVS-NETWORK-1.md: -------------------------------------------------------------------------------- 1 | # MASVS-NETWORK-1 2 | 3 | ## Control 4 | 5 | The app secures all network traffic according to the current best practices. 6 | 7 | ## Description 8 | 9 | Ensuring data privacy and integrity of any data in transit is critical for any app that communicates over the network. This is typically done by encrypting data and authenticating the remote endpoint, as TLS does. However, there are many ways for a developer to disable the platform secure defaults, or bypass them completely by using low-level APIs or third-party libraries. This control ensures that the app is in fact setting up secure connections in any situation. 10 | -------------------------------------------------------------------------------- /controls/MASVS-NETWORK-2.md: -------------------------------------------------------------------------------- 1 | # MASVS-NETWORK-2 2 | 3 | ## Control 4 | 5 | The app performs identity pinning for all remote endpoints under the developer's control. 6 | 7 | ## Description 8 | 9 | Instead of trusting all the default root CAs of the framework or device, this control will make sure that only very specific CAs are trusted. This practice is typically called certificate pinning or public key pinning. 10 | -------------------------------------------------------------------------------- /controls/MASVS-PLATFORM-1.md: -------------------------------------------------------------------------------- 1 | # MASVS-PLATFORM-1 2 | 3 | ## Control 4 | 5 | The app uses IPC mechanisms securely. 6 | 7 | ## Description 8 | 9 | Apps typically use platform provided IPC mechanisms to intentionally expose data or functionality. Both installed apps and the user are able to interact with the app in many different ways. This control ensures that all interactions involving IPC mechanisms happen securely. 10 | -------------------------------------------------------------------------------- /controls/MASVS-PLATFORM-2.md: -------------------------------------------------------------------------------- 1 | # MASVS-PLATFORM-2 2 | 3 | ## Control 4 | 5 | The app uses WebViews securely. 6 | 7 | ## Description 8 | 9 | WebViews are typically used by apps that have a need for increased control over the UI. This control ensures that WebViews are configured securely to prevent sensitive data leakage as well as sensitive functionality exposure (e.g. via JavaScript bridges to native code). 10 | -------------------------------------------------------------------------------- /controls/MASVS-PLATFORM-3.md: -------------------------------------------------------------------------------- 1 | # MASVS-PLATFORM-3 2 | 3 | ## Control 4 | 5 | The app uses the user interface securely. 6 | 7 | ## Description 8 | 9 | Sensitive data has to be displayed in the UI in many situations (e.g. passwords, credit card details, OTP codes in notifications). This control ensures that this data doesn't end up being unintentionally leaked due to platform mechanisms such as auto-generated screenshots or accidentally disclosed via e.g. shoulder surfing or sharing the device with another person. 10 | -------------------------------------------------------------------------------- /controls/MASVS-PRIVACY-1.md: -------------------------------------------------------------------------------- 1 | # MASVS-PRIVACY-1 2 | 3 | ## Control 4 | 5 | The app minimizes access to sensitive data and resources. 6 | 7 | ## Description 8 | 9 | Apps should only request access to the data they absolutely need for their functionality and always with informed consent from the user. This control ensures that apps practice data minimization and restricts access control, reducing the potential impact of data breaches or leaks. 10 | 11 | Furthermore, apps should share data with third parties only when necessary, and this should include enforcing that third-party SDKs operate based on user consent, not by default or without it. Apps should prevent third-party SDKs from ignoring consent signals or from collecting data before consent is confirmed. 12 | 13 | Additionally, apps should be aware of the 'supply chain' of SDKs they incorporate, ensuring that no data is unnecessarily passed down their chain of dependencies. This end-to-end responsibility for data aligns with recent SBOM regulatory requirements, making apps more accountable for their data practices. 14 | -------------------------------------------------------------------------------- /controls/MASVS-PRIVACY-2.md: -------------------------------------------------------------------------------- 1 | # MASVS-PRIVACY-2 2 | 3 | ## Control 4 | 5 | The app prevents identification of the user. 6 | 7 | ## Description 8 | 9 | Protecting user identity is crucial. This control emphasizes the use of unlinkability techniques like data abstraction, anonymization and pseudonymization to prevent user identification and tracking. 10 | 11 | Another key aspect addressed by this control is to establish technical barriers when employing complex 'fingerprint-like' signals (e.g. device IDs, IP addresses, behavioral patterns) for specific purposes. For instance, a fingerprint used for fraud detection should be isolated and not repurposed for audience measurement in an analytics SDK. This ensures that each data stream serves its intended function without risking user privacy. 12 | -------------------------------------------------------------------------------- /controls/MASVS-PRIVACY-3.md: -------------------------------------------------------------------------------- 1 | # MASVS-PRIVACY-3 2 | 3 | ## Control 4 | 5 | The app is transparent about data collection and usage. 6 | 7 | ## Description 8 | 9 | Users have the right to know how their data is being used. This control ensures that apps provide clear information about data collection, storage, and sharing practices, including any behavior a user wouldn't reasonably expect, such as background data collection. Apps should also adhere to platform guidelines on data declarations. 10 | -------------------------------------------------------------------------------- /controls/MASVS-PRIVACY-4.md: -------------------------------------------------------------------------------- 1 | # MASVS-PRIVACY-4 2 | 3 | ## Control 4 | 5 | The app offers user control over their data. 6 | 7 | ## Description 8 | 9 | Users should have control over their data. This control ensures that apps provide mechanisms for users to manage, delete, and modify their data, and change privacy settings as needed (e.g. to revoke consent). Additionally, apps should re-prompt for consent and update their transparency disclosures when they require more data than initially specified. 10 | -------------------------------------------------------------------------------- /controls/MASVS-RESILIENCE-1.md: -------------------------------------------------------------------------------- 1 | # MASVS-RESILIENCE-1 2 | 3 | ## Control 4 | 5 | The app validates the integrity of the platform. 6 | 7 | ## Description 8 | 9 | Running on a platform that has been tampered with can be very dangerous for apps, as this may disable certain security features, putting the data of the app at risk. Trusting the platform is essential for many of the MASVS controls relying on the platform being secure (e.g. secure storage, biometrics, sandboxing, etc.). This control tries to validate that the OS has not been compromised and its security features can thus be trusted. 10 | -------------------------------------------------------------------------------- /controls/MASVS-RESILIENCE-2.md: -------------------------------------------------------------------------------- 1 | # MASVS-RESILIENCE-2 2 | 3 | ## Control 4 | 5 | The app implements anti-tampering mechanisms. 6 | 7 | ## Description 8 | 9 | Apps run on a user-controlled device, and without proper protections it's relatively easy to run a modified version locally (e.g. to cheat in a game, or enable premium features without paying), or upload a backdoored version of it to third-party app stores. This control tries to ensure the integrity of the app's intended functionality by preventing modifications to the original code and resources. 10 | -------------------------------------------------------------------------------- /controls/MASVS-RESILIENCE-3.md: -------------------------------------------------------------------------------- 1 | # MASVS-RESILIENCE-3 2 | 3 | ## Control 4 | 5 | The app implements anti-static analysis mechanisms. 6 | 7 | ## Description 8 | 9 | Understanding the internals of an app is typically the first step towards tampering with it (either dynamically, or statically). This control tries to impede comprehension by making it as difficult as possible to figure out how an app works using static analysis. 10 | -------------------------------------------------------------------------------- /controls/MASVS-RESILIENCE-4.md: -------------------------------------------------------------------------------- 1 | # MASVS-RESILIENCE-4 2 | 3 | ## Control 4 | 5 | The app implements anti-dynamic analysis techniques. 6 | 7 | ## Description 8 | 9 | Sometimes pure static analysis is very difficult and time consuming so it typically goes hand in hand with dynamic analysis. Observing and manipulating an app during runtime makes it much easier to decipher its behavior. This control aims to make it as difficult as possible to perform dynamic analysis, as well as prevent dynamic instrumentation which could allow an attacker to modify the code at runtime. 10 | -------------------------------------------------------------------------------- /controls/MASVS-STORAGE-1.md: -------------------------------------------------------------------------------- 1 | # MASVS-STORAGE-1 2 | 3 | ## Control 4 | 5 | The app securely stores sensitive data. 6 | 7 | ## Description 8 | 9 | Apps handle sensitive data coming from many sources such as the user, the backend, system services or other apps on the device and usually need to store it locally. The storage locations may be private to the app (e.g. its internal storage) or be public and therefore accessible by the user or other installed apps (e.g. public folders such as Downloads). This control ensures that any sensitive data that is intentionally stored by the app is properly protected independently of the target location. 10 | -------------------------------------------------------------------------------- /controls/MASVS-STORAGE-2.md: -------------------------------------------------------------------------------- 1 | # MASVS-STORAGE-2 2 | 3 | ## Control 4 | 5 | The app prevents leakage of sensitive data. 6 | 7 | ## Description 8 | 9 | There are cases when sensitive data is unintentionally stored or exposed to publicly accessible locations; typically as a side-effect of using certain APIs, system capabilities such as backups or logs. This control covers this kind of unintentional leaks where the developer actually has a way to prevent it. 10 | -------------------------------------------------------------------------------- /cover.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/owasp-masvs/30a85aa928c16a2e0e58864a845ca8d9a528eaa9/cover.pdf -------------------------------------------------------------------------------- /cover.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/owasp-masvs/30a85aa928c16a2e0e58864a845ca8d9a528eaa9/cover.png -------------------------------------------------------------------------------- /tools/docker/README.md: -------------------------------------------------------------------------------- 1 | # MASVS PDFs Generation with Docker 2 | 3 | The MASVS document generation is based on pandocker: [https://github.com/dalibo/pandocker/blob/latest/LICENSE](https://github.com/dalibo/pandocker/blob/latest/LICENSE). 4 | 5 | ## On your Machine 6 | 7 | - Install Docker 8 | - `cd` to the MASVS root folder `owasp-masvs/` 9 | - Run the `pandoc_makedocs.sh` script with the language folder and an optional version number (**do not `cd` into `tools/docker` to run it**): 10 | 11 | ```sh 12 | $ ./tools/docker/pandoc_makedocs.sh Document 1.3 13 | ``` 14 | 15 | - You can set `VERBOSE=1` for a more detailed output 16 | 17 | - For non-european languages (Hindi, Persion, CJK, etc.) you need to use the `stable-full` 18 | version of the docker image. Define the `TAG` variable like this : 19 | 20 | ```sh 21 | $ TAG=stable-full ./tools/docker/pandoc_makedocs.sh Document-ja 22 | ``` 23 | 24 | > __NOTE:__ The size `stable-full` docker image is approx. 800MB whereas the 25 | > regular `stable` version is 330MB. 26 | 27 | 28 | ## On GitHub 29 | 30 | Each time you push to GitHub the workflows in the [MASVS GitHub Actions](https://github.com/OWASP/owasp-masvs/actions "MASVS GitHub Actions") will be triggered. You can check what will be executed inside the folder `owasp-masvs/.github/workflows`, where `docgenerator.yml` takes care of building the Docker image and running the generation script once per language inside the container. 31 | 32 | See the results in: 33 | 34 | ## Generation Steps 35 | 36 | ### In case of a new Docker image 37 | 38 | - Create a PR with the new changes on the Docker generation scripts. 39 | - Once the PR is approved, create a tag: 40 | 41 | ```sh 42 | git tag -a docker- -m "Changeson docker image" 43 | ``` 44 | 45 | - Create a new image and push it to docker hub (requires being logged in to Docker hub and Docker hub membership of OWASP organization): 46 | 47 | ```sh 48 | docker build --tag owasp/masvs-docgenerator: tools/docker/ 49 | docker images 50 | #check the output and find the tag of the masvs-generator container image you created 51 | docker tag owasp/masvs-docgenerator: 52 | docker push owasp/masvs-docgenerator: 53 | ``` 54 | 55 | - Create a new PR with the new version in the `docgenerator.yml`, `release.yml`, and `run_docker_masvs_generation_on_local.sh`. 56 | 57 | ### In case of a new document 58 | 59 | Given a new version: 60 | 61 | - Run Docker container which will run the generation script (`pandoc_makedocs.sh`). 62 | - The script should be self explanatory, it basically: 63 | - Reads the `metadata.md` for the given language folder 64 | - Using that metadata creates the cover dynamically including language and version (no GIMP required anymore!) 65 | - For more details, read the inline comments in `pandoc_makedocs.sh`. 66 | - The PDFs will be generated in the MASVS root folder. 67 | 68 | ## Open Points (REMOVE from here when DONE!) 69 | 70 | Finish items for [https://github.com/OWASP/owasp-masvs/issues/361](https://github.com/OWASP/owasp-masvs/issues/361): 71 | -------------------------------------------------------------------------------- /tools/docker/SourceSansPro-It.otf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/owasp-masvs/30a85aa928c16a2e0e58864a845ca8d9a528eaa9/tools/docker/SourceSansPro-It.otf -------------------------------------------------------------------------------- /tools/docker/cover.tex: -------------------------------------------------------------------------------- 1 | % IMPORTANT NOTE this file requires latex-header.tex 2 | 3 | % The cover is created first using Google Drawings: https://docs.google.com/drawings/d/1i0NIJq3ChVrdQ-0YdqcYGeWUw9QCzd61gDBp05dP7b8/edit?usp=sharing 4 | % To best fit the PDF, in Google Drawings we go to "File > Page Setup" and set Width = 2480px and Height = 3508px. 5 | % It is exported as cover.pdf and lives in the root folder (owasp-mastg/) 6 | 7 | % The version text is written dynamically using the code in this file 8 | % The used latex overlay uses the coordinates (X,Y), where (0, 0) is the lower left corner of the page. 9 | 10 | % NOTE: For non-release versions e.g. v1.4.1-70281c8 it might look like the version string is not correctly located but it is for release versions e.g. v1.5.0. 11 | % The coordinates given below are for the release version and are correct. 12 | 13 | % This file requires the following pandoc metadata variable: $masvs_version$ 14 | 15 | \thispagestyle{empty} % remove page numbers 16 | 17 | % https://tex.stackexchange.com/questions/136900/insert-a-full-page-image 18 | \incgraph[documentpaper, 19 | overlay={\node[white] at (4.0,18.0) {\Large $masvs_version$};}] 20 | [width=\paperwidth,height=\paperheight]{cover.pdf} -------------------------------------------------------------------------------- /tools/docker/custom.css: -------------------------------------------------------------------------------- 1 | table { 2 | border-collapse: collapse; 3 | width: 100%; 4 | margin: 30px; 5 | } 6 | 7 | th, td { 8 | border: 1px solid #ffffff; 9 | padding: 8px; 10 | text-align: left; 11 | } 12 | 13 | th { 14 | background-color: #309dfc; 15 | color: #ffffff; 16 | } 17 | -------------------------------------------------------------------------------- /tools/docker/first_page.tex: -------------------------------------------------------------------------------- 1 | \thispagestyle{empty} % remove page numbers 2 | 3 | \includegraphics[width=\textwidth]{Document/images/owasp_mas_header.png} \\ \\ 4 | 5 | \large{\textbf{OWASP Mobile Application Security Verification Standard (MASVS)} } 6 | 7 | $masvs_version$ released \today \\ 8 | 9 | Release Notes: \url{https://github.com/OWASP/owasp-masvs/releases/tag/$masvs_version$} \\ \\ 10 | 11 | 12 | The OWASP MASVS, available online at \url{https://mas.owasp.org/MASVS}, is part of the OWASP Mobile Application Security (MAS) Project which also provides the \href{https://mas.owasp.org/MASTG}{OWASP Mobile Application Security Testing Guide (MASTG) $mastg_version$} \\ 13 | 14 | \url{https://mas.owasp.org} \\ \\ \\ \\ \\ \\ \\ 15 | 16 | \textbf{Copyright © The OWASP Foundation} \\ 17 | 18 | \footnotesize{\textcolor{gray}{This work is licensed under Creative Commons Attribution-ShareAlike 4.0 International. For any reuse or distribution, you must make clear to others the license terms of this work. 19 | OWASP ® is a registered trademark of the OWASP Foundation, Inc.} }\\ 20 | 21 | 22 | \emph{Cover design by Carlos Holguera} -------------------------------------------------------------------------------- /tools/docker/imagereplace.sed: -------------------------------------------------------------------------------- 1 | s//\![\2](\1){width=\3 height=\4}/g 2 | s//\![\2](\1){width=\3 height=\4}/g 3 | s//\![\2](\1){width=\3}/g 4 | s//\![\2](\1){width=\3}/g 5 | s//\![\1](\1){width=\2}/g 6 | s//\![\2](\1)/g 7 | s//\![\2](\1)/g 8 | s//\![\1](\1)/g -------------------------------------------------------------------------------- /tools/docker/latex-header.tex: -------------------------------------------------------------------------------- 1 | \usepackage{sectsty} 2 | \sectionfont{\LARGE\clearpage} 3 | 4 | \usepackage{hyperref} 5 | 6 | \hypersetup{ 7 | pdftitle={OWASP Mobile Application Security Verification Standard}, 8 | pdfauthor={Bernhard Mueller, Sven Schleier, Jeroen Willemsen, Carlos Holguera and Jeroen Beckers}, 9 | pdfsubject={The Mobile Application Security Verification Standard (MASVS) is a standard for mobile app security.}, 10 | pdfkeywords={Mobile Security,iOS,Android,OWASP} 11 | } 12 | 13 | \usepackage{incgraph,tikz} 14 | 15 | % Make "clones" of the commands 16 | \let\originalparagraph\paragraph 17 | \let\originalsubparagraph\subparagraph 18 | 19 | % Redefine the commands using the "clones" 20 | \renewcommand{\paragraph}[1]% 21 | {\originalparagraph{#1}\hfill} 22 | \renewcommand{\subparagraph}[1]% 23 | {\originalsubparagraph{#1}\hfill} 24 | 25 | % Remove all captions 26 | \renewcommand{\caption}[2][]{} 27 | 28 | % TODO for colored tables: add this to pandocker command -V table-use-row-colors=true 29 | 30 | \usepackage{geometry} 31 | 32 | \geometry{ 33 | a4paper, 34 | left=20mm, 35 | top=20mm, 36 | headheight=40pt, 37 | voffset=20pt, 38 | footskip=50pt %40pt gives some more space at the bottom: test it! 39 | } 40 | 41 | %%\usepackage[space]{xeCJK} 42 | %%\setCJKmainfont{Noto Sans CJK {{CJK-LANG}}} %JP,SC,TC,KR 43 | %%\renewcommand\CJKglue{}% get proper linebreaking if spaces are provided 44 | 45 | \usepackage{underscore} % Solves breaking line for **Protocol_KeyExchangeAlgorithm_WITH_BlockCipher_IntegrityCheckAlgorithm** 46 | 47 | % The next 2 block fix several issues with non-breaking texttt environments: 48 | % "The module app.package.attacksurface" 49 | % "in clear text in /data/data//shared_-" 50 | % "For example, \e search.quiet=true;" 51 | 52 | \newcommand*\justify{% 53 | \fontdimen2\font=0.4em% interword space 54 | \fontdimen3\font=0.2em% interword stretch 55 | \fontdimen4\font=0.1em% interword shrink 56 | \fontdimen7\font=0.1em% extra space 57 | \hyphenchar\font=`\-% allowing hyphenation 58 | } 59 | 60 | \renewcommand{\texttt}[1]{% 61 | \begingroup 62 | \ttfamily 63 | \begingroup\lccode`~=`/\lowercase{\endgroup\def~}{/\discretionary{}{}{}}% 64 | \begingroup\lccode`~=`[\lowercase{\endgroup\def~}{[\discretionary{}{}{}}% 65 | \begingroup\lccode`~=`.\lowercase{\endgroup\def~}{.\discretionary{}{}{}}% 66 | \catcode`/=\active\catcode`[=\active\catcode`.=\active 67 | \justify\scantokens{#1\noexpand}% 68 | \endgroup 69 | } 70 | 71 | %% Workaround for pandoc bug #8460 72 | %% https://github.com/jgm/pandoc/issues/8460 73 | \newenvironment{RTL}{\beginR}{\endR} 74 | -------------------------------------------------------------------------------- /tools/docker/pandoc_makedocs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -eo pipefail 4 | 5 | # Input variables 6 | FOLDER=${1:-Document} 7 | MASVS_VERSION=${2:-SNAPSHOT} 8 | MASTG_VERSION=${3:-SNAPSHOT} 9 | 10 | # You can also use the environment variables below to adapt the build process 11 | IMG=${IMG:-dalibo/pandocker} 12 | TAG=${TAG:-23.03} # /!\ use stable-full for non-european languages 13 | LATEX_TEMPLATE=${LATEX_TEMPLATE:-eisvogel} 14 | TITLE=${TITLE:-OWASP Mobile Application Security Verification Standard ${MASVS_VERSION}} 15 | 16 | PANDOC_PARAMS=${PANDOC_PARAMS:-} 17 | PANDOC_PARAMS+="--resource-path=.:${FOLDER} " 18 | PANDOC_PARAMS+="--metadata masvs_version=${MASVS_VERSION} --metadata mastg_version=${MASTG_VERSION} " 19 | 20 | # disable captions for images in pandoc 21 | PANDOC_PARAMS+="-fmarkdown-implicit_figures" 22 | 23 | 24 | [ ! -z "${VERBOSE}" ] && PANDOC_PARAMS+="--verbose " 25 | 26 | PANDOCKER="docker run --rm --volume `pwd`:/pandoc ${IMG}:${TAG} ${PANDOC_PARAMS}" 27 | 28 | # remove the HTML comment from \pagebreak 29 | docker run --rm --entrypoint '/bin/sh' --volume `pwd`:/pandoc ${IMG}:${TAG} -c "sed -i 's##\1#g' ${FOLDER}/[0-9][0-9]-*.md" 30 | 31 | # convert HTML images to pandoc markdown images 32 | docker run --rm --entrypoint '/bin/sh' --volume `pwd`:/pandoc ${IMG}:${TAG} -c "sed -i -f tools/docker/imagereplace.sed ${FOLDER}/[0-9][0-9]-*.md" 33 | 34 | # Use pandocker PANDOCKER by default, unless `export PANDOC=pandoc` 35 | # this is useful for CI, because we can run the script directly inside the container 36 | PANDOC=${PANDOC:-${PANDOCKER}} 37 | 38 | METADATA="${FOLDER}/metadata.md" 39 | # Note: chapters for MASVS categories are generated by tools/generate_masvs_md.py using masvs.yaml 40 | CHAPTERS="${FOLDER}/[0-9][0-9]-*.md" 41 | OUTPUT_BASE_NAME="OWASP_MASVS" 42 | 43 | [ ! -z "${VERBOSE}" ] && echo "Create PDF" 44 | 45 | # header 46 | ${PANDOC} \ 47 | --output tmp_latex-header.latex \ 48 | --template tools/docker/latex-header.tex \ 49 | ${METADATA} 50 | 51 | # cover 52 | ${PANDOC} \ 53 | --output tmp_cover.latex \ 54 | --template tools/docker/cover.tex \ 55 | ${METADATA} 56 | 57 | # first_page 58 | ${PANDOC} \ 59 | --output tmp_first_page.latex \ 60 | --template tools/docker/first_page.tex \ 61 | ${METADATA} 62 | 63 | # PDF 64 | ${PANDOC} \ 65 | --template=${LATEX_TEMPLATE} \ 66 | --pdf-engine=xelatex \ 67 | --columns 50 \ 68 | --highlight-style=tango \ 69 | --metadata title="${TITLE}" \ 70 | --include-in-header tmp_latex-header.latex \ 71 | --include-before-body tmp_cover.latex \ 72 | --include-before-body tmp_first_page.latex \ 73 | --output ${OUTPUT_BASE_NAME}.pdf \ 74 | ${METADATA} \ 75 | ${CHAPTERS} 76 | 77 | # EPUB 78 | ${PANDOC} \ 79 | --metadata title="${TITLE}" \ 80 | --metadata author="Bernhard Mueller, Sven Schleier, Jeroen Willemsen, Carlos Holguera and Jeroen Beckers" \ 81 | --epub-cover-image=cover.png \ 82 | -o ${OUTPUT_BASE_NAME}.epub \ 83 | ${METADATA} \ 84 | ${CHAPTERS} 85 | 86 | # clean temp files 87 | rm -f tmp_latex-header.latex tmp_cover.latex tmp_first_page.latex 88 | -------------------------------------------------------------------------------- /tools/generate_masvs_cyclonedx.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | ''' CycloneDX converter class 4 | 5 | Converts the MASVS YAML into CycloneDX Standards format 6 | Copyright (c) 2023 OWASP Foundation 7 | 8 | Permission is hereby granted, free of charge, to any person obtaining a copy 9 | of this software and associated documentation files (the "Software"), to deal 10 | in the Software without restriction, including without limitation the rights 11 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 12 | copies of the Software, and to permit persons to whom the Software is 13 | furnished to do so, subject to the following conditions: 14 | 15 | The above copyright notice and this permission notice shall be included in all 16 | copies or substantial portions of the Software. 17 | 18 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 19 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 20 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 21 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 22 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 23 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 24 | SOFTWARE. 25 | 26 | ''' 27 | 28 | import datetime 29 | import json 30 | import uuid 31 | import yaml 32 | try: 33 | from StringIO import StringIO 34 | except ImportError: 35 | from io import StringIO 36 | 37 | class CycloneDX: 38 | bom = {'bomFormat': "CycloneDX", 'specVersion': "1.6", 'serialNumber': "urn:uuid:" + str(uuid.uuid4()), 39 | 'version': 1, 'metadata': {}} 40 | bom['metadata']['timestamp'] = datetime.datetime.now().astimezone().replace(microsecond=0).isoformat() 41 | bom['metadata']['licenses'] = [] 42 | bom['metadata']['licenses'].append({}) 43 | bom['metadata']['licenses'][0]['license'] = {} 44 | bom['metadata']['licenses'][0]['license']['id'] = "CC-BY-SA-4.0" 45 | bom['metadata']['licenses'][0]['license']['url'] = "https://creativecommons.org/licenses/by-sa/4.0/legalcode.txt" 46 | bom['metadata']['supplier'] = {} 47 | bom['metadata']['supplier']['name'] = "OWASP Foundation" 48 | bom['metadata']['supplier']['url'] = [ "https://owasp.org" ] 49 | bom['definitions'] = {} 50 | bom['definitions']['standards'] = [] 51 | bom['definitions']['standards'].append({}) 52 | 53 | def __init__(self, masvs): 54 | bom_ref = "MASVS-" + masvs["metadata"]["version"] 55 | self.bom['definitions']['standards'][0]['bom-ref'] = bom_ref 56 | self.bom['definitions']['standards'][0]['name'] = masvs["metadata"]["title"] 57 | self.bom['definitions']['standards'][0]['version'] = masvs["metadata"]["version"] 58 | self.bom['definitions']['standards'][0]['description'] = masvs["metadata"]["remarks"] 59 | self.bom['definitions']['standards'][0]['owner'] = "OWASP Mobile Application Security Verification Standard Project" 60 | 61 | requirements = [] 62 | for masvs_group in masvs['groups']: 63 | group_req = self.convert_masvs_group(masvs_group) 64 | requirements.append(group_req) 65 | if 'controls' in masvs_group: 66 | for masvs_control in masvs_group['controls']: 67 | control_req = self.convert_masvs_control(masvs_control, group_req['bom-ref']) 68 | requirements.append(control_req) 69 | 70 | self.bom['definitions']['standards'][0]['requirements'] = requirements 71 | self.bom['definitions']['standards'][0]['externalReferences'] = [] 72 | self.bom['definitions']['standards'][0]['externalReferences'].append({}) 73 | self.bom['definitions']['standards'][0]['externalReferences'][0]['type'] = 'website' 74 | self.bom['definitions']['standards'][0]['externalReferences'][0]['url'] = 'https://owasp.org/masvs' 75 | self.bom['definitions']['standards'][0]['externalReferences'].append({}) 76 | self.bom['definitions']['standards'][0]['externalReferences'][1]['type'] = 'vcs' 77 | self.bom['definitions']['standards'][0]['externalReferences'][1]['url'] = 'https://github.com/OWASP/owasp-masvs' 78 | self.bom['definitions']['standards'][0]['externalReferences'].append({}) 79 | self.bom['definitions']['standards'][0]['externalReferences'][2]['type'] = 'issue-tracker' 80 | self.bom['definitions']['standards'][0]['externalReferences'][2]['url'] = 'https://github.com/OWASP/owasp-masvs/issues' 81 | self.bom['definitions']['standards'][0]['externalReferences'].append({}) 82 | self.bom['definitions']['standards'][0]['externalReferences'][3]['type'] = 'social' 83 | self.bom['definitions']['standards'][0]['externalReferences'][3]['url'] = 'https://twitter.com/OWASP_MAS' 84 | 85 | def convert_masvs_group(self, masvs_group): 86 | requirement = {} 87 | requirement['bom-ref'] = masvs_group['id'] 88 | requirement['identifier'] = masvs_group['id'] 89 | requirement['title'] = masvs_group['title'] 90 | requirement['text'] = masvs_group['description'].replace('\n', '') 91 | return requirement 92 | 93 | def convert_masvs_control(self, masvs_control, parent): 94 | requirement = {} 95 | requirement['bom-ref'] = masvs_control['id'] 96 | requirement['identifier'] = masvs_control['id'] 97 | requirement['title'] = masvs_control['statement'] 98 | requirement['text'] = masvs_control['description'] 99 | if parent: 100 | requirement['parent'] = parent 101 | return requirement 102 | 103 | def to_json(self): 104 | ''' Returns a JSON-formatted string ''' 105 | return json.dumps(self.bom, indent = 2, sort_keys = False, ensure_ascii=False).strip() 106 | 107 | 108 | try: 109 | with open("OWASP_MASVS.yaml", 'r') as stream: 110 | data = yaml.safe_load(stream) 111 | cdx = CycloneDX(data) 112 | bom = cdx.to_json() 113 | f = open("OWASP_MASVS.cdx.json", "w") 114 | f.write(bom) 115 | f.close() 116 | except FileNotFoundError: 117 | print("OWASP_MASVS.yaml not found. Be sure to run generate_masvs_yaml.py prior to running this script.") 118 | -------------------------------------------------------------------------------- /tools/generate_masvs_sarif.py: -------------------------------------------------------------------------------- 1 | import yaml 2 | import json 3 | from datetime import datetime 4 | 5 | MASVS_SARIF_GUID = "77cf1749-d61e-4cfe-98f7-a217e3b5448c" 6 | 7 | # Re-examining the YAML content for structure 8 | masvs_parsed = yaml.safe_load(open("OWASP_MASVS.yaml")) 9 | version = masvs_parsed["metadata"]["version"] 10 | if version.startswith("v"): 11 | version = version[1:] 12 | current_date_str = datetime.now().strftime("%Y-%m-%d") 13 | 14 | # Creating a new SARIF template for the corrected conversion 15 | sarif_corrected_template = { 16 | "$schema": "http://json.schemastore.org/sarif-2.1.0", 17 | "version": "2.1.0", 18 | "runs": [{ 19 | "tool": { 20 | "driver": { 21 | "name": "OWASP MASVS", 22 | "fullName": "OWASP Mobile Application Security Verification Standard (MASVS)", 23 | "version": version, 24 | "releaseDateUtc": current_date_str, 25 | "organization": "OWASP", 26 | "informationUri": "https://mas.owasp.org/MASVS/", 27 | "downloadUri": "https://github.com/OWASP/owasp-masvs/releases" 28 | } 29 | }, 30 | "taxonomies": [{ 31 | "name": "OWASP MASVS", 32 | "guid": MASVS_SARIF_GUID, 33 | "isComprehensive": True, 34 | "taxa": [] 35 | }] 36 | }] 37 | } 38 | 39 | # Counter to ensure we capture the total number of controls 40 | total_controls_count = 0 41 | 42 | # Iterating through groups and their controls 43 | for group in masvs_parsed.get("groups", []): 44 | for control in group.get("controls", []): 45 | total_controls_count += 1 46 | taxa_element = { 47 | "id": control["id"], 48 | "name": control.get("id", ""), 49 | "shortDescription": { 50 | "text": control.get("statement", "") 51 | }, 52 | "fullDescription": { 53 | "text": control.get("description", "") 54 | } 55 | } 56 | sarif_corrected_template["runs"][0]["taxonomies"][0]["taxa"].append(taxa_element) 57 | 58 | # Verify the total number of taxa elements matches the total number of controls 59 | total_taxa_count = len(sarif_corrected_template["runs"][0]["taxonomies"][0]["taxa"]) 60 | 61 | # Save the correctly populated SARIF output 62 | sarif_corrected_output_path = 'OWASP_MASVS.sarif' 63 | with open(sarif_corrected_output_path, 'w') as file: 64 | json.dump(sarif_corrected_template, file, indent=2) 65 | -------------------------------------------------------------------------------- /tools/generate_masvs_yaml.py: -------------------------------------------------------------------------------- 1 | import os 2 | import yaml 3 | import re 4 | import argparse 5 | 6 | masvs = { 7 | "metadata": { 8 | "title": "Mobile Application Security Verification Standard (MASVS)", 9 | "remarks": "The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile apps, as well as security testers to ensure completeness and consistency of test results." 10 | }, 11 | "groups": [] 12 | } 13 | 14 | def read_md_sections(input_text): 15 | 16 | sections_dict = {} 17 | 18 | sections = re.split(r'^##\s(.+)', input_text, flags=re.MULTILINE) 19 | sections.pop(0) # Remove the initial empty string 20 | 21 | # Loop over the sections and write each one to a separate file 22 | for i in range(0, len(sections), 2): 23 | section_title = sections[i].strip() 24 | section_content = sections[i+1].strip() 25 | 26 | if section_title == "Control": 27 | sections_dict["statement"] = section_content 28 | elif section_title == "Description": 29 | sections_dict["description"] = section_content 30 | 31 | return sections_dict 32 | 33 | def get_masvs_dict(masvs_version, input_dir, controls_dir): 34 | index = 1 35 | 36 | for file in sorted(os.listdir(input_dir)): 37 | if "-MASVS-" in file: 38 | with open(os.path.join(input_dir, file), "r") as f: 39 | header = f.readline().replace("# ", "").strip() 40 | description = f.read() 41 | category_id = header.split(":")[0].strip() 42 | title = header.split(":")[1].strip() 43 | group = { 44 | "id": category_id, 45 | "index": index, 46 | "title": title, 47 | "description": description, 48 | "controls": [] 49 | } 50 | 51 | for control_file in os.listdir(controls_dir): 52 | if control_file.startswith(category_id): 53 | with open(os.path.join(controls_dir, control_file), "r") as cf: 54 | control_id = cf.readline().replace("# ", "").strip() 55 | control_content = cf.read() 56 | control_sections = read_md_sections(control_content) 57 | control = {"id": control_id} | control_sections 58 | group["controls"].append(control) 59 | group["controls"] = sorted(group["controls"], key=lambda k: k["id"]) 60 | masvs["groups"].append(group) 61 | index += 1 62 | # sort masvs dict by index 63 | masvs["groups"] = sorted(masvs["groups"], key=lambda k: k["index"]) 64 | 65 | masvs["metadata"]["version"] = masvs_version 66 | return masvs 67 | 68 | # get input arguments 69 | parser = argparse.ArgumentParser() 70 | parser.add_argument("-i", "--input", help="Input Directory", required=False, default="Document") 71 | parser.add_argument("-c", "--controls", help="Controls Directory", required=False, default="controls") 72 | parser.add_argument("-v", "--version", help="MASVS version", required=False, default="vx.x.x") 73 | args = parser.parse_args() 74 | 75 | masvs_version = args.version 76 | input_dir = args.input 77 | controls_dir = args.controls 78 | 79 | masvs = get_masvs_dict(masvs_version, input_dir, controls_dir) 80 | 81 | with open("OWASP_MASVS.yaml", "w") as f: 82 | yaml.dump(masvs, f, default_flow_style=False, sort_keys=False, allow_unicode=True, width=float("inf")) 83 | -------------------------------------------------------------------------------- /tools/populate_masvs_categories_md.py: -------------------------------------------------------------------------------- 1 | import os 2 | import yaml 3 | import argparse 4 | 5 | def write_controls_content(control, cf): 6 | h1 = '##' 7 | h2 = '###' 8 | final_newline = '\n' 9 | 10 | cf.write(f'{h1} {control["id"]}\n\n') 11 | cf.write(f'{h2} Control\n\n') 12 | cf.write(f'{control["statement"]}\n\n') 13 | cf.write(f'{h2} Description\n\n') 14 | cf.write(f'{control["description"]}\n{final_newline}') 15 | 16 | 17 | def yaml_to_md(input_dir, input_file, for_website): 18 | 19 | with open(input_file, 'r') as f: 20 | data = yaml.safe_load(f) 21 | 22 | for group in data['groups']: 23 | group_id = group['id'] 24 | controls = group['controls'] 25 | 26 | for file in sorted(os.listdir(input_dir)): 27 | if "-MASVS-" in file: 28 | # group_id_in_file is the part of the filename after the first dash and without the extension 29 | group_id_in_file = file.split("-")[1] + "-" + file.split("-")[2].split(".")[0] 30 | 31 | if group_id_in_file == group_id: 32 | with open(os.path.join(input_dir, file), "a") as f: 33 | f.write('\n## Controls\n\n') 34 | if for_website == True: 35 | f.write('\n\n\n') 36 | f.write('| ID | Control |\n') 37 | f.write('|----|-----------|\n') 38 | for control in controls: 39 | if for_website == True: 40 | control_id = f'[{control["id"]}](/MASVS/controls/{control["id"]})' 41 | else: 42 | control_id = control["id"] 43 | 44 | f.write(f'| {control_id} | {control["statement"]} |\n') 45 | 46 | f.write('\n') 47 | f.write('\n\n') 48 | 49 | if for_website == False: 50 | for control in controls: 51 | write_controls_content(control, f) 52 | print(f'Successfully wrote to {file}') 53 | 54 | # get input arguments 55 | parser = argparse.ArgumentParser() 56 | parser.add_argument("-d", "--input-dir", help="Input Directory", required=False, default="Document") 57 | parser.add_argument("-i", "--input", help="Input file", required=False, default="OWASP_MASVS.yaml") 58 | parser.add_argument("-w", "--website", help="Generate for website", action='store_true', required=False, default=False) 59 | args = parser.parse_args() 60 | 61 | input_dir = args.input_dir 62 | input_file = args.input 63 | for_website = args.website 64 | 65 | yaml_to_md(input_dir, input_file, for_website) 66 | --------------------------------------------------------------------------------