What is OWASP MASVS?
The OWASP Mobile Application Security Verification Standard (MASVS) is a comprehensive security framework for mobile applications, maintained by OWASP, that defines the security requirements an app is verified against.
MASVS Levels
MASVS-L1: Standard Security
Basic security requirements for all mobile apps:
- Secure data storage
- Proper authentication
- Network security
- Code quality
MASVS-L2: Defense in Depth
Enhanced security for apps handling sensitive data:
- All MASVS-L1 requirements, plus
- Advanced authentication
- Additional data protection
- Enhanced network security
MASVS-R: Resilience
Protection against tampering and reverse engineering:
- Obfuscation
- Root/jailbreak detection
- Anti-debugging
- Integrity verification
Key Security Categories
MASVS-STORAGE
Secure data storage requirements, including:
- No sensitive data in logs
- No sensitive data in backups
- Encrypted storage
- Secure key management
MASVS-CRYPTO
Cryptographic requirements:
- Strong algorithms only
- Proper key generation
- Secure random number generation
- No hardcoded keys
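As an added example of how two of these requirements can be checked (it is not OWASP's code and not part of the MASVS itself), the script below scans Kotlin/Java source lines for the MASVS-STORAGE "no sensitive data in logs" requirement and the MASVS-CRYPTO "no hardcoded keys" requirement. The sample source, the identifier patterns and the rule names in the output are constructed for illustration; a real review would tune the patterns to the app under test.

```python
import re
from typing import Dict, List

# Constructed sample of Android (Kotlin) source lines; not from any real app.
SAMPLE_SOURCE = """\
val password = binding.passwordField.text.toString()
Log.d("LoginActivity", "user=" + username + " password=" + password)
Log.i("Net", "request completed in ${elapsed}ms")
private val AES_KEY = "0123456789abcdef0123456789abcdef"
val apiToken = prefs.getString("token", null)
Log.v("Auth", "token=$apiToken")
val key = keyStore.getKey(ALIAS, null)
"""

# Identifiers that usually carry data which must never reach a log file.
SENSITIVE_NAMES = re.compile(
    r"\b(password|passwd|pin|token|secret|ssn|cvv|credit)\w*", re.IGNORECASE
)
# android.util.Log calls at any level (verbose through wtf).
LOG_CALL = re.compile(r"\bLog\.(v|d|i|w|e|wtf)\s*\(")
# An identifier that looks like key material assigned a long literal string.
HARDCODED_KEY = re.compile(
    r"""(?i)\b(\w*(?:key|secret|token|password)\w*)\s*=\s*["']([A-Za-z0-9+/=_\-]{16,})["']"""
)


def scan(source: str) -> List[Dict[str, object]]:
    """Return one finding per offending line, tagged with the MASVS category."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        # MASVS-STORAGE: a log statement that references a sensitive identifier.
        if LOG_CALL.search(line) and SENSITIVE_NAMES.search(line):
            findings.append({
                "line": lineno,
                "rule": "MASVS-STORAGE",
                "detail": "sensitive data written to log",
            })
        # MASVS-CRYPTO: key material embedded as a string literal in the code.
        match = HARDCODED_KEY.search(line)
        if match:
            findings.append({
                "line": lineno,
                "rule": "MASVS-CRYPTO",
                "detail": f"hardcoded secret in {match.group(1)}",
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_SOURCE):
        print(f"line {finding['line']}: {finding['rule']}: {finding['detail']}")
```

Run against the embedded sample, the scanner reports lines 2 and 6 (password and token values logged) and line 4 (a 32-character AES key as a string literal); line 7, which fetches the key from the platform keystore, is left alone. Pattern matching of this kind is a cheap first pass that complements, rather than replaces, manual review and dynamic testing.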
MASVS-AUTH
Authentication and session management:
- Biometric authentication
- Session handling
- Password policies
- Multi-factor authentication
MASVS-NETWORK
Network communication security:
- TLS configuration
- Certificate validation
- Certificate pinning
- API security
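On Android, TLS behaviour, trusted certificate authorities and certificate pins are declared in the app's network_security_config.xml. The added example below (it is not OWASP's or any project's code) parses such a file and flags the settings that fail the MASVS-NETWORK requirements listed above: cleartext traffic permitted, user-installed CAs trusted, and a domain configured without a pin set or with no backup pin. Both configurations and the pin values are constructed for illustration; the check assumes the platform default of cleartext disabled when the attribute is absent, which holds for API level 28 and later.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed weak configuration: cleartext allowed, user CAs trusted, no pinning.
WEAK_CONFIG = """\
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
    </domain-config>
</network-security-config>
"""

# Constructed hardened configuration: HTTPS only, system CAs, primary and backup pin.
HARDENED_CONFIG = """\
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2027-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
"""


def check_network_config(xml_text: str) -> List[str]:
    """Return MASVS-NETWORK findings for an Android network_security_config.xml."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    # TLS configuration and certificate validation: walk every config block.
    for cfg in root.iter():
        if cfg.tag not in ("base-config", "domain-config"):
            continue
        # Absent attribute is treated as "false" (API 28+ platform default).
        if cfg.get("cleartextTrafficPermitted", "false").lower() == "true":
            findings.append(f"{cfg.tag}: cleartext (HTTP) traffic permitted")
        # Trusting user-installed CAs lets any CA added on the device intercept TLS.
        for cert in cfg.iter("certificates"):
            if cert.get("src") == "user":
                findings.append(f"{cfg.tag}: user-installed CAs trusted")

    # Certificate pinning: every domain-config should carry a pin set with a backup.
    for dc in root.iter("domain-config"):
        domains = ", ".join((d.text or "").strip() for d in dc.findall("domain"))
        pins = dc.findall("pin-set/pin")
        if not pins:
            findings.append(f"domain-config [{domains}]: no certificate pinning configured")
        elif len(pins) < 2:
            findings.append(f"domain-config [{domains}]: only one pin, no backup pin for rotation")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_network_config(cfg) or ["no findings"])
```

The weak configuration yields three findings and the hardened one none. The backup-pin check reflects the operational side of pinning: with a single pin, rotating the server certificate locks every installed client out until an app update ships.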
MASVS-PLATFORM
Platform interaction security:
- Permission handling
- WebView security
- IPC security
- Intent handling
MASVS-CODE
Code quality and security:
- Input validation
- Memory safety
- Third-party libraries
- Error handling
MASVS and PCI DSS
MASVS complements PCI DSS by providing:
- Mobile-specific guidance
- Technical implementation details
- Testing methodologies
- Resilience requirements