By Egidijus Lileika, Sr. Security Researcher


In April 2023, OWASP released version v2.0.0 of their “Mobile Application Security Verification Standard” (MASVS). The new version removes the three verification levels L1, L2, and R. The verification requirements of each security control group were reworked into “security testing profiles” and moved to the OWASP Mobile Application Security Testing Guide (MASTG). These profiles are now aligned with the NIST (National Institute of Standards and Technology) OSCAL (Open Security Controls Assessment Language) standard. By aligning with the OSCAL format, the MASVS provides a more flexible and comprehensive approach to security testing and makes it easier to share and reuse security controls between different security platforms and organizations.

New Mobile Application Security Model

The reworked MASVS application security model is divided into several control groups representing the most critical areas of mobile application attack surfaces. The MASVS 2.0.0 security control groups are:

  • MASVS-STORAGE: Secure storage of sensitive data on a device (data-at-rest).
  • MASVS-CRYPTO: Cryptographic functionality used to protect sensitive data.
  • MASVS-AUTH: Authentication and authorization mechanisms used by the mobile app.
  • MASVS-NETWORK: Secure network communication between the mobile app and remote endpoints (data-in-transit).
  • MASVS-PLATFORM: Secure interaction with the underlying mobile platform and other installed apps.
  • MASVS-CODE: Security best practices for data processing and keeping the app up-to-date.
  • MASVS-RESILIENCE: Resilience to reverse engineering and tampering attempts.

Each control group contains individual units labeled MASVS-XXXXX-Y, which provide specific guidance on the security measures that must be implemented to meet the standard.

The Role of Application Hardening in MASVS 2.0.0

Ideally, the security control group requirements should be addressed from the start of the application development lifecycle. For instance, app developers must use the Android platform securely, address particular vulnerabilities, and ensure secure networking. Mitigating those issues after the app is released comes at a great cost. The MASVS-RESILIENCE security control group is no exception. While testing, including extensive penetration testing, can identify certain security risks, external threats such as attempts to reverse engineer the application logic or attacks on end users occur after the application has been released into the wild. Application Hardening solutions ensure that the application meets MASVS-RESILIENCE requirements at any time.

MASVS-RESILIENCE Control Group

The MASVS-RESILIENCE control group corresponds to the “V8: Resilience Requirements” chapter of the MASVS 1.5.0 release, and it also covers the MASVS-R verification level that has been removed. The group is now divided into four control units. At a high level, these four control units represent the previous 13 verification requirements from MASVS 1.5.0, which described specific attack vectors and attack areas. The new control units are abstract enough to also cover newly emerging attack vectors and areas. MASVS 1.5.0 had more specific requirements from a mobile app developer’s standpoint, naming the particular risks to guard against. Because the verification requirements were moved to the MASTG as “security testing profiles,” app developers must use the MASTG as a reference to learn the specifics of the different attack vectors and how to test for them.

MASVS-RESILIENCE-1

MASVS-RESILIENCE-1 requires an application to validate the integrity of the platform. Platform integrity validation includes checking whether the device is rooted or jailbroken, whether the app is running on an emulator or in a virtualizer, and whether any known malicious applications are installed on the device.
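As an added illustration (not code from the original post or from any Digital.ai product), the following Android Java class shows the kind of heuristic root and emulator checks MASVS-RESILIENCE-1 calls for. The su paths and emulator build strings are well-known indicators; the class and method names are assumptions of this example.

```java
import android.os.Build;
import java.io.File;
import java.util.Arrays;
import java.util.List;

/** Heuristic platform-integrity checks for MASVS-RESILIENCE-1 (root and emulator indicators). */
public final class PlatformIntegrity {
    // Common locations of the su binary on rooted devices (well-known paths, not exhaustive).
    private static final List<String> SU_PATHS = Arrays.asList(
            "/system/bin/su", "/system/xbin/su", "/sbin/su",
            "/su/bin/su", "/data/local/xbin/su", "/data/local/bin/su");

    /** Firmware signed with AOSP test keys indicates a custom or development build. */
    public static boolean hasTestKeys() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    /** An su binary in a standard location indicates the device is likely rooted. */
    public static boolean suBinaryPresent() {
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                return true;
            }
        }
        return false;
    }

    /** Build properties that identify the stock Android emulator (goldfish/ranchu). */
    public static boolean runningOnEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.HARDWARE.contains("goldfish")
                || Build.HARDWARE.contains("ranchu")
                || Build.MODEL.contains("Emulator")
                || Build.MODEL.contains("Android SDK built for x86")
                || Build.PRODUCT.contains("sdk");
    }

    /**
     * Aggregate verdict. Each signal can be spoofed from a rooted device, so treat the
     * result as one input to a risk decision (degrade functionality, notify the backend),
     * not as a hard guarantee; pair it with server-side device attestation.
     */
    public static boolean platformIntegrityCompromised() {
        return hasTestKeys() || suBinaryPresent() || runningOnEmulator();
    }
}
```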

MASVS-RESILIENCE-2

MASVS-RESILIENCE-2 requires an application to implement anti-tampering mechanisms. Anti-tampering mechanisms include:

  • Checking the application package signature.
  • Validating the application’s DEX and native code integrity.
  • Validating application resource integrity.

MASVS-RESILIENCE-3

MASVS-RESILIENCE-3 requires an application to implement anti-static analysis mechanisms that include code obfuscation and encryption, code control flow flattening and obfuscation, symbol stripping and identifier renaming, dead code and opaque predicate injection, and string literal encryption.

MASVS-RESILIENCE-4

MASVS-RESILIENCE-4 requires an application to implement anti-dynamic analysis techniques. These include debugger detection, detection of dynamic instrumentation frameworks (such as Frida), and detection of method hooking and swizzling.
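An added example (not from the original post) of debugger and native tracer detection on Android, covering the first technique listed above; the class and method names are assumptions of this example.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Debug;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;

/** Anti-dynamic-analysis checks for MASVS-RESILIENCE-4: debugger and tracer detection. */
public final class DebugDetection {

    /** A release build must not be debuggable; if it is, any debugger can attach. */
    public static boolean isDebuggableBuild(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** A JDWP debugger is connected to (or being waited for by) the ART runtime. */
    public static boolean isJavaDebuggerAttached() {
        return Debug.isDebuggerConnected() || Debug.waitingForDebugger();
    }

    /**
     * Reads the TracerPid field of /proc/self/status. Non-zero means a native tracer
     * (ptrace, as used by gdb/lldb and some instrumentation tooling) is attached.
     * Returns -1 if the field cannot be read, so an unreadable procfs is "unknown".
     */
    public static int tracerPid() {
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/status"))) {
            String line;
            while ((line = r.readLine()) != null) {
                if (line.startsWith("TracerPid:")) {
                    return Integer.parseInt(line.substring("TracerPid:".length()).trim());
                }
            }
        } catch (IOException | NumberFormatException e) {
            // fall through to "unknown"
        }
        return -1;
    }

    /**
     * Aggregated verdict. Like every in-process check, this code can itself be patched
     * out of a tampered APK, so use it as one signal and corroborate server-side.
     */
    public static boolean dynamicAnalysisSuspected(Context ctx) {
        return isDebuggableBuild(ctx) || isJavaDebuggerAttached() || tracerPid() > 0;
    }
}
```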

Summary

MASVS 2.0.0 is simpler, but application developers can no longer use it on its own as a guide, because it is too abstract and provides few examples of attack vectors or of how to test resilience against them. The MASTG must serve as the complementary reference for secure application development. However, as with the previous version of the MASVS, Application Hardening tools still address the Resilience requirements set forth by the OWASP Mobile Application Security Project.
