OWASP MASVS v2.0

OWASP MASVS Guide for Mobile Apps

The Mobile Application Security Verification Standard - the industry benchmark for mobile app security testing.

What is OWASP MASVS?

The OWASP Mobile Application Security Verification Standard (MASVS) is a comprehensive framework that defines security requirements for mobile applications. It provides a baseline for mobile app security that can be used throughout the development lifecycle.

MASVS v2.0 organizes security controls into categories covering storage, cryptography, authentication, network security, platform interaction, code quality, resilience, and privacy. It's widely adopted by security professionals and required by many enterprise clients.

MASVS Security Categories

Core security domains covered by the standard

Storage

MASVS-STORAGE

Secure storage of sensitive data on mobile devices.

Sensitive data is not stored in plaintext
Credentials are stored in secure storage (Keychain/Keystore)
No sensitive data in application logs
No sensitive data shared with third parties

Cryptography

MASVS-CRYPTO

Proper implementation of cryptographic controls.

Strong, up-to-date cryptographic algorithms
Proper key management practices
No hardcoded cryptographic keys
Secure random number generation

Authentication

MASVS-AUTH

Secure user authentication and session management.

Biometric authentication properly implemented
Session tokens are securely generated
Session timeout is enforced
Step-up authentication for sensitive operations

Network Communication

MASVS-NETWORK

Secure network communication and data transmission.

TLS is used for all network traffic
Certificate pinning is implemented
No cleartext traffic allowed
Proper certificate validation

Platform Interaction

MASVS-PLATFORM

Secure interaction with the mobile platform.

Minimal required permissions
IPC mechanisms are secured
WebViews are securely configured
No sensitive data in backups

Code Quality

MASVS-CODE

Secure coding practices and code protection.

Input validation on all untrusted data
Memory corruption vulnerabilities addressed
Free security features offered by the toolchain are enabled
Dependencies are up to date

Resilience

MASVS-RESILIENCE

Protection against reverse engineering and tampering.

Root/jailbreak detection
Anti-debugging measures
Code obfuscation
Integrity verification

Privacy

MASVS-PRIVACY

Protection of user privacy and personal data.

Privacy policy is accessible
User consent for data collection
Data minimization practiced
User data deletion capability

Test Your App Against MASVS

Scan your mobile app against all OWASP MASVS requirements with our automated testing platform.
