OWASP MASVS
The OWASP Mobile Application Security Verification Standard (MASVS) is an industry standard for mobile application security verification. It provides a checklist, broken down into categories, of the security properties an application should guarantee in order to be considered secure. As defined by OWASP, the categories are as follows:
MASVS-STORAGE: Secure storage of sensitive data on a device.
MASVS-CRYPTO: Cryptographic functionality used to protect sensitive data.
MASVS-AUTH: Authentication and authorization mechanisms used by the mobile app.
MASVS-NETWORK: Secure network communication between the mobile app and remote endpoints.
MASVS-PLATFORM: Secure interaction with the underlying mobile platform and other installed apps.
MASVS-CODE: Security best practices for data processing and keeping the app up-to-date.
MASVS-RESILIENCE: Resilience to reverse engineering and tampering attempts.
MASVS-PRIVACY: Privacy controls to protect user privacy.
OWASP MASTG
In addition to this standard, OWASP provides the Mobile Application Security Testing Guide (MASTG), which defines the tests to carry out for each of the MASVS categories. AppSweep can check your application against MASTG tests, reducing the burden on developers of verifying adherence to the standard.
OWASP MASVS issues card
Every issue you see in AppSweep has a MASVS category associated with it and, in most cases, a MASTG category as well. These categories, with links to their relevant documentation, are shown in the top right corner of the issue page, beneath the recommendations.
View issues by MASVS category
To see how a build’s findings relate to the different MASVS categories, click the “OWASP” button on the build page in AppSweep.
This takes you to a page that looks like this:
The findings for the build are displayed grouped by their MASVS category. Within this view, further filters can be applied to narrow down the issue types, such as filtering by severity.