Anyone familiar with what we do here at AppSolid knows how much we value mobile application security. It is, after all, our business to increase the knowledge base and protection of today’s mobile applications. In fact, the need for comprehensive security measures has never been stronger, with cyberattacks seemingly occurring more often than ever before.
With the increasing popularization of mobile technology, hackers have sharpened their methods and taken aim at the many vulnerabilities at their disposal. Thankfully, just as the risks have become more apparent, a number of resources have arisen to guide developers in designing greater protections into their apps.
Key among these is one particular measure created by the Open Web Application Security Project (OWASP), an international organization devoted to “enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted,” according to its website.
The OWASP Mobile Application Security Verification Standard -- or MASVS, for short -- is one of the most widely recognized tools out there for maintaining a consistent level of mobile application security.
As such, anyone within the industry needs to keep abreast of its latest changes and updates, especially in light of just how rampant attacks seem to be nowadays. In addition to its role as a primary resource for developers, MASVS has proven instrumental for security testing purposes in order to ensure that a given application maintains an effective, thorough security plan on an ongoing basis.
To say that MASVS is one of OWASP’s greatest accomplishments would be something of an understatement. However, before you can truly take advantage of the benefits offered by MASVS, you need a firmer grasp at the details involved in the standard.
So let’s delve a bit deeper into how MASVS works and why every developer needs to make it an integral part of the development process.
How It Works
In general, the MASVS was designed with three primary goals in mind. Although they all can be traced back to the positive effect they have on the overall security level, each objective tackles a specific aspect of an app’s security and the faith your team places in it.
- It is used as a comparative measurement tool for application developers and owners to focus on the big picture and meet a certain standard of service for their user base.
- It is used to guide mobile application development teams to establish and design a comprehensive security plan from the ground up, specifically during the development and testing phases.
- It is used to create a baseline for other existing apps, raising the bar and creating a trickle-down effect for the industry to demonstrate continual improvement in the long term.
In order to function at the highest level, the MASVS operates with two very distinct security verification levels and a set of reverse engineering resiliency requirements that can be adapted for any app-specific threat model, offering additional protections for vulnerabilities on the client side.
The pair of verification levels may contain more generic security requirements but offer a few very different criteria:
- Recommended for all mobile apps, this first one is an essential part of maintaining a secure app that adheres to all the common best practices and guards against potential pitfalls.
- This second one only pertains to apps that deal directly with extremely sensitive material and imbues an application with more extreme safeguards against cyberattack. Of course, this protection assumes that the standard security controls remain intact and being access by a safe user.
Moreover, the aforementioned reverse engineering resiliency requirements should not supplant security controls. Still, they remain the best course of action to protect against potentially malicious users or an operating system that may no longer be sound.
Laying It Out
Now that you have a clearer idea of the overall design and purpose of MASVS, the time has come to explore its structure. The standard’s layout has been formatted to provide optimum usability and effectiveness, and an understanding of its various pieces can only further shine a light on how it can help you.
Case in point, the MASVS actually begins with a brief description of the security model and the available verification levels involved as well as usage recommendations for how the standard might be most helpful. From there, things get far more detailed, outlining the security requirements and verification levels themselves.
In general, this breaks down into several distinct parts, and the verbiage used throughout typically describes each requirement category as MASVS-V[x] -- wherein the x is replaced with the designated category number -- and each requirement itself as MASVS-[x].[y] to distinguish every piece of a specific category from its brothers.
- First level: As you might assume, this initial verification level -- a benchmark for all mobile applications -- is reached once a mobile app meets the minimum standard security settings. The recommended best practices regarding your app need to be confirmed through a thorough test of security controls, including certain measures for code quality, how well sensitive data is handled and mobile integration. All apps should meet this minimum security standard, as it doesn’t adversely complicate development or user experience. It’s perfect if your risk assessment doesn’t call for something more.
- Second level: Next comes a more detailed approach to defense. A step beyond the standard security needs, this second verification level is only achieved after a threat model is established. It works best for mobile apps that specialize in sensitive data, such as those in the healthcare and financial industries. For obvious reasons, such apps need to keep personal information under wraps, in order to ensure user confidence in your service. Failure to do this might result in fraud, identity theft or even other steep cost for either you or your users. So this level requires that in-depth security is a key element in the app’s design from the start. Take note, developers.
- Third level: As previously mentioned in our summary of MASVS’s structure, the third level pertains to the resiliency of your app against reverse engineering and tampering. The security system at this point is top of the line and particularly protects against attacks on the client side of things. This includes tampering, modding, reverse engineering and other techniques that hackers may use to access sensitive data or even your coding itself. Whether through hardware security features or verifiable software protection, this level is an absolute necessity for apps for which sensitive data is instrumental.
One key reason to add this level of detail to either the first or second level of security is protection of intellectual property and branding. You’ll especially need to keep your source code out of the wrong hands in that case to retain long-term appeal for your app’s services.
In addition, games may be particular targets of cyberattacks, as hacks may be motivated by a desire to cheat and/or crack the code of your built-in security settings. Anti-tampering measures are therefore only a natural extension of your approach to security.
As mentioned, the financial and healthcare industries are of particular note for higher levels of protections, especially if your app will be designed for use on multiple types of devices or operating systems and will be storing a ton of sensitive data on a user’s mobile device itself.
This can open up a great deal of vulnerabilities, and you should always take great caution when this is the case.
No matter which levels your app is aiming to meet, you’ll need to verify -- through prior risk assessment or some other means -- the overall level of security you need and the extent to which you achieve it. Such thorough protection might not be required of your specific app, and if you deem it unnecessary, such extra protection might restrict the flexibility of the end product.
However, if higher security is required, we highly encourage you to maintain the necessary protection against the mounting external threats to your app’s livelihood. The more involved your security, the higher the cost of development will be and the more it will affect the user experience.
So always bear that trade-off in mind when making critical decisions regarding your mobile application security.
A Useful Tool
With any luck, the discussion above has given you some insight into precisely how vital MASVS is to a winning mobile application security strategy. The OWASP in general is an incredible resource for developers and their security teams to gather data, perform testing and generally establish a safer, more productive environment for both your team and your users.
Yet, it is only one of many organizations determined to push the mobile application security standards higher and higher with each passing year. Security, after all, is a primary concern -- or at least should be -- for any app developer but especially in the circumstances we mentioned above that might open your coding or your users up to greater threats.
Your user’s sensitive data and your own coding must be protected at all costs. So never underestimate the power of a sound security system for your app, and don’t be afraid to invest in it as necessary for your app’s specific needs. Be sure to consider consulting MASVS to gauge the current level of protection in place for your app.
But of course, our brief overview of some of MASVS’s structure and key features only scratches the surface of the resources available to you. Its purpose and verification levels effectively give you an idea of how your app is far better off with such standards established (preferably before going live for the first time).
Although OWASP may have created one of the most important security standards out there, you really should stay up-to-date on not only MASVS but some of the other resources for mobile application security to maintain a consistent level of protection across the board.
As the technology itself has developed, the level of available security surrounding the industry has risen to the challenge. Consumers have accordingly become ever more wary of security protections, and your app will only be more successful both in the long term and short term if you’re able to proudly declare the level of security protection you have in place for your app. MASVS is simply one -- albeit very significant -- way to get you there.