When evaluating your mobile app against the OWASP MASVS (Mobile Application Security Verification Standard), one category that may not be intuitive is the MASVS-RESILIENCE category.
The V8: Resilience Requirements are an optional set of requirements intended to help evaluate your mobile app's protection and resilience against reverse engineering and tampering. It is a defense-in-depth category designed for applications that process, give access to, or share sensitive data or functionality.
If you do not implement controls for the resilience requirements, it does not necessarily mean your app is vulnerable, but rather it lacks defenses against a certain type of security threat. Whether this gap is important comes down to the threat model of your application. Customers building applications or SDKs for financial services involving payments, applications that deal with sensitive data such as healthcare, as well as applications with paid or monetized features could be subject to reverse engineering and tampering threats. This article on reversing mobile train tickets provides a great real-world example of the threat of mobile app reverse engineering.
Breaking down the new MASVS-RESILIENCE requirements
MASVS-RESILIENCE-1: The app validates the integrity of the platform.
Validating the integrity of the platform is a control aimed at ensuring the mobile platform (Android, iOS) has not been compromised in a way that gives an advantage when performing reverse engineering. This requirement includes a focus on root/jailbreak detection, virtual environment detection, as well as utilizing device attestation to guarantee the authenticity of the user device.
MASVS-RESILIENCE-2: The app implements anti-tampering mechanisms.
Anti-tampering mechanisms are focused on checks that verify the integrity of the application, ensuring it has not been modified or repackaged. They can also focus on guaranteeing the runtime integrity of the application and the resources it depends on.
MASVS-RESILIENCE-3: The app implements anti-static analysis mechanisms.
While it is impossible to prevent someone from analyzing your application using static analysis tools, obfuscation techniques can play a vital role in increasing the difficulty of performing static analysis. Layers of obfuscation techniques and steps to prevent leaking metadata about your application can significantly improve the resilience of your application to static analysis.
MASVS-RESILIENCE-4: The app implements anti-dynamic analysis techniques.
Dynamic analysis is a technique used to observe or manipulate an application and its behavior at runtime. To limit the use of dynamic analysis as a tool for reverse engineering, it is important to build in detections of debuggers and of dynamic analysis tools and techniques. These detections should be carefully implemented and hardened to ensure they are not easily bypassed or observed by an attacker.
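One such debugger detection, as an added example that is not from the original article or from Guardsquare's products: on Android, which runs a Linux kernel, native code can read the TracerPid field of /proc/self/status, which is non-zero while a ptrace-based debugger is attached. The function names and the sample status text are constructed for illustration, and the sketch assumes the app ships a native (C) component.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed samples in the /proc/<pid>/status format (not captured from a device). */
static const char SAMPLE_CLEAN[] =
    "Name:\tcom.example.app\nState:\tS (sleeping)\nPid:\t4242\nTracerPid:\t0\nUid:\t10123\n";
static const char SAMPLE_TRACED[] =
    "Name:\tcom.example.app\nState:\tt (tracing stop)\nPid:\t4242\nTracerPid:\t3117\nUid:\t10123\n";

/* Returns the TracerPid value in a status buffer, or -1 if missing or malformed. */
long tracer_pid_from_status(const char *status)
{
    static const char key[] = "TracerPid:";
    for (const char *line = status; line && *line; ) {
        if (strncmp(line, key, sizeof key - 1) == 0) {   /* match at line start only */
            const char *p = line + sizeof key - 1;
            while (*p == ' ' || *p == '\t') p++;         /* stay on this line */
            if (*p < '0' || *p > '9') return -1;
            char *end;
            long pid = strtol(p, &end, 10);
            return (*end == '\n' || *end == '\0') ? pid : -1;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* Reads the live value for the current process; -1 if it cannot be read. */
long current_tracer_pid(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* Fail closed: a hidden or unparsable field (-1) counts as suspicious. */
int debugger_suspected(long tracer_pid) { return tracer_pid != 0; }

int main(void)
{
    printf("clean=%ld traced=%ld live=%ld\n", tracer_pid_from_status(SAMPLE_CLEAN),
           tracer_pid_from_status(SAMPLE_TRACED), current_tracer_pid());
    return 0;
}
```

On its own this is a single signal that can be observed and patched out, which is why the requirement calls for such detections to be hardened and layered.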
Mobile Application Protection to Increase Resilience of your App
In order to properly implement support for MASVS-RESILIENCE requirements, Guardsquare recommends considering DexGuard (Android) and iXGuard (iOS) as tools to help implement a robust mobile app protection strategy.
A strong solution for mobile app protection will rely on layers of features that implement obfuscation, encryption and runtime protection that increases the resilience against static and dynamic analysis techniques used in reverse engineering efforts.
You can learn more about our mobile app protection in this video series. If you would like to discuss your needs around mobile app protection or to see how it can be applied to your application as part of your development process, please use the 💬 icon on this page to reach out, or contact us through our website.