menu
close_24px

BLOG

An Actionable Guide to OWASP MASVS V2 (+ Practical Examples)

Learn about the evolution of MASVS into MASVS v2 and its role in transforming mobile application security standards for a more flexible approach to security testing.
  • Posted on: May 23, 2024
  • By Akshay Shinde
  • Read time 7 Mins Read
  • Last updated on: Oct 13, 2024

In an era of digital innovation and technological advancements, robust application security has never been more crucial. As cyber threats continue to evolve, organizations must stay ahead of the curve to protect their sensitive data and maintain the security of their users. 

One project that can help in this process is OWASP (Open Web Application Security Project), a globally recognized non-profit organization dedicated to improving application security. 

In this blog, we will explore the substantial impact that OWASP can have on enhancing the security of mobile applications.


Table of Content

Unveiling the power of OWASP MAS

The OWASP Mobile Application Security (MAS) flagship project provides a security standard for mobile apps known as the OWASP Mobile Application Security Verification Standard (MASVS). It also offers a comprehensive testing guide, the OWASP Mobile Application Security Testing Guide (MASTG).

The MASTG covers the processes, techniques, and tools used during a mobile app security test. At the same time, the MASVS includes an exhaustive set of test cases that enable security engineers to deliver consistent and complete results.

OWASP is especially helpful for security engineers in finding and securing security issues through best practices. The documentation and guidelines provided by OWASP cover a wide range of security topics that can help security professionals understand common vulnerabilities and effective security solutions.

Staying ahead in security is not just a necessity, it's a proactive approach to effectively identifying and addressing vulnerabilities within your organization's systems and infrastructure. This guide can help developers and security enthusiasts amplify their security framework, motivating them to stay one step ahead of potential threats.

It is essential to highlight that you have the flexibility to add your methodology to this guide, thereby contributing to developing a more secure approach to protecting applications.

A deeper dive into MASTG and MASVS

MASTG and MASVS are two frameworks that provide guidelines and best practices for securing mobile applications. 

Mobile Application Security Testing Guide (MASTG)

MASTG is a comprehensive resource developed by the Open Web Application Security Project (OWASP) to assist mobile app developers, testers, and security professionals in identifying and addressing security issues in mobile applications. It provides a systematic approach to mobile app security testing, covering data storage, app communication, authentication, cryptography, and more.

The Mobile Security Testing Guide includes detailed information on testing techniques, tools, and best practices for enhancing the security posture of mobile applications. Researchers widely use this guide to cover test cases for securing mobile apps. 

Mobile Application Security Verification Standard (MASVS)

OWASP MASVS is a set of security standards for mobile apps established by the Open Web Application Security Project (OWASP). Architects and developers use it to develop secure mobile applications. Security engineers use it to enhance the security of their mobile apps.

By complying with the controls outlined by the OWASP MASVS v2 standard, companies and organizations can build robust mobile applications. This adherence provides a sense of security, reassuring you that your app follows best security practices.

Initially, MASVS provided three verification levels (L1, L2, and R).

MASVS-L1 and MASVS-L2 cover security basics and are recommended for all mobile apps (L1) and apps that handle highly sensitive data (L2). 

MASVS-R covers additional protective controls that can be applied if preventing client-side threats in a design goal.

The three levels of verification of MASVS - L1, L2, R.

In 2023, the MASVS underwent a significant refactoring. The above three verification levels (L1, L2, and R) have been moved to the OWASP MASTG after being reworked as MAS Testing Profiles. This restructuring was done to streamline the standard and make it more user-friendly, allowing developers and security professionals to apply the appropriate security measures to their mobile apps easily.

The release of MASVS v2

The new standard is divided into various control groups, each of which is illustrated with a practical example. These examples are designed to show how the concepts discussed in the text can be applied in real-world scenarios, providing a clear understanding of their practical implications.

MASVS-STORAGE

MASVS-STORAGE entails securely storing sensitive data on a device (data-at-rest). This ensures that encryption and access controls secure the data stored within the devices (Android/iOS). 

In simple terms, MASVS-STORAGE helps secure the application data stored within the device from unauthorized access. The best way to do this is to encrypt the sensitive data present at rest. This will ensure the data is protected against various security threats and risks.

Example

One example of this category, MASVS-STORAGE, would be finding sensitive information in SQLite databases. Some applications tend to store cleartext data in SQLite databases, which are usually located at “/data/data/<package_name>/databases”. This icommon security issue can lead to data breaches if not addressed, highlighting the importance of following the MASVS standards. 

To check this misconfiguration, install the application on a rooted device, login in to the application, and navigate to the above-specified location using the adb shell

Inspecting the files present in a sample application and navigating to "/data/data/com.appknox.mfva/databases" to find sensitive information there. Read more at: https://1683437.hubspotpreview-na1.com/_hcms/preview/content/168072255625?_preview=true&benderPackage=InpageEditorUI&cacheBust=1716456611045&cssPath=bundles%252Fapp.css&inpageEditorUI=true&localAssets=false&portalId=1683437&preview_key=TgkRInQf&scriptPath=bundles%252Fapp.js&staticVersion=static-1.61568&preview_theme=true&env=prod&injectedScripts=hubspot-dlb%252Cbundle.production.js%252Cfalse%252Cstatic-1.584&hsSmartContentDefault=true&hsEditorApp=blog_post

In the image given above, we navigated to “/data/data/com.appknox.mfva/databases” and inspected the files present in it. We could see that in one of the files, sensitive information was present in plaintext format. Security is a concern in this situation, and it is advisable to secure such sensitive data through encryption.

MASVS-CRYPTO

The cryptographic functionality protects sensitive data. In simple terms, the application uses the latest cryptography standards to handle sensitive user data.

Example

One thing to look out for under this category, MASVS-CRYPTO, is hardcoded AES keys or outdated algorithms used within the application. If not addressed, this typical security issue can lead to unauthorized access to sensitive data. If the key becomes known to unauthorized individuals, it could allow them to decrypt sensitive data, leading to a security breach and potential loss of user trust.

This security threat can greatly impact the organization, underscoring the importance of following the MASVS standards.

Example of an application using an outdated algorithm (DES), considered insecure due to the possibility of brute force attacks.

As you can see in the attached screenshot, the application uses an outdated algorithm (DES), which is a bad practice and can have negative implications. DES is considered insecure due to the possibility of brute-force attacks. If the key becomes known to unauthorized individuals, it could allow them to decrypt sensitive data, leading to a security breach and potential loss of user data. It is highly recommended that AES encryption be used with longer key lengths to mitigate these risks.

MASVS-AUTH

Mobile apps use authentication and authorization mechanisms. Applications use different kinds of authentication, such as PIN-based, biometrics-based, or OTP-based, to verify a user's identity. Ensuring these mechanisms are secure from unauthorized access involves implementing several best practices and security measures.

Example

Biometric authentication is commonly used in applications to verify a user's identity. If the logic implemented on an application is flawed, you can bypass fingerprint authentication using Frida and Objection. 

With physical access, injecting a script for fingerprint bypass into the application becomes feasible. This allows the authentication flow to be bypassed and result in unauthorized access. Our security researchers frequently encounter this issue among various clients, highlighting the importance of following the MASVS standards to prevent such security breaches. 

Are you interested in diving deeper into the detailed processes of effective remediation strategies applicable to mobile applications? Check out this article.

MASVS-NETWORK

This category ensures that the application establishes secure communication with the server. In simple terms, it guarantees that the data transmitted over the network is encrypted to protect it from unauthorized access and man-in-the-middle attacks.

Example

In this case, we must check if the application communicates over a secure HTTPS protocol. We can do this by intercepting the traffic between the client and the server using a proxy tool like Burp Suite to inspect the traffic and observe the communication. 

A screenshot is attached below for reference.

A screenshot showing the app communicating over an insecure HTTP protocol, making it vulnerable to attackers to intercept and read the communication between the client and the server. Read more at: https://1683437.hubspotpreview-na1.com/_hcms/preview/content/168072255625?_preview=true&benderPackage=InpageEditorUI&cacheBust=1716456611045&cssPath=bundles%252Fapp.css&inpageEditorUI=true&localAssets=false&portalId=1683437&preview_key=TgkRInQf&scriptPath=bundles%252Fapp.js&staticVersion=static-1.61568&preview_theme=true&env=prod&injectedScripts=hubspot-dlb%252Cbundle.production.js%252Cfalse%252Cstatic-1.584&hsSmartContentDefault=true&hsEditorApp=blog_post

As you can see in the screenshot, the app is communicating over an insecure HTTP protocol. Attackers can intercept and read the communication between the client and the server, mainly when sensitive information is being transmitted in plaintext. It is strongly recommended that HTTPs be used for all communications to ensure the confidentiality, integrity, and authenticity of data exchanged between the client and the server.

MASVS-PLATFORM

MASVS-PLATFORM ensures secure interaction with the underlying mobile platform and other installed apps. This specific category focuses on providing the safe implementation of Inter-Process Communication (IPC) mechanisms, WebViews, and the display of user data within the app's UI interface.

Implementing these security measures will safeguard the mobile application and its user data against potential threats posed by attackers or other installed applications.

Example 

Check the AndroidManifest.xml file, where all services, receivers, activities, and providers will be defined. We can inspect the source code for the exported ones to analyze the flow and find issues accordingly.

A screenshot showing the AndroidManifest.xml file which, on inspection, shows different services and receivers being exploited.

In the screenshot given above, we can see different services and receivers being exported. We can analyze the code for these components to see if any vulnerabilities can be identified.

To restrict access to IPC components, we need to set android:exported=”false” in the AndroidManifest.xml file.

If you want your IPC to be available to other applications, you should establish a security policy using the <permission> element and configure the android:protectionLevel attribute appropriately.

MASVS-CODE

Mobile apps have many data entry points through which different attacks can be carried out. We must ensure proper data validation and sanitization to prevent injection attacks from these untrusted inputs. MASVS-CODE helps achieve this.

Organizations should also prioritize regular patching and updates to maintain app security and protect against potential threats from attackers.

Example

WebView is a component that allows developers to embed web content within an application. Carefully examining the application flow can help attackers identify potential issues within the application.

A screenshot of a webview opening an insecure HTTP connection. This is prone to attacks as attackers can intercept and manipulate data transmitted over insecure connections. Read more at: https://1683437.hubspotpreview-na1.com/_hcms/preview/content/168072255625?_preview=true&benderPackage=InpageEditorUI&cacheBust=1716456611045&cssPath=bundles%252Fapp.css&inpageEditorUI=true&localAssets=false&portalId=1683437&preview_key=TgkRInQf&scriptPath=bundles%252Fapp.js&staticVersion=static-1.61568&preview_theme=true&env=prod&injectedScripts=hubspot-dlb%252Cbundle.production.js%252Cfalse%252Cstatic-1.584&hsSmartContentDefault=true&hsEditorApp=blog_post

This WebView is insecure because it opens an insecure HTTP connection. Attackers can intercept and manipulate data transmitted over insecure connections. Additionally, enabling JavaScript within WebViews can introduce vulnerabilities to injection attacks. Managing the application code carefully is essential to mitigate its associated security risks.

MASVS-RESILIENCE.

This functionality helps in reverse engineering and tampering attempts. 

Adding protections such as hooking detection, tampering detection, root detection, and code obfuscation can enhance the security of the mobile application. Implementing these measures will make it more difficult for attackers to reverse-engineer the code, understand it, and manipulate the logic.

These security measures significantly enhance protection because attackers will require ample resources and time to overcome them. So, to minimize security issues, a combination of protection shields and security at the application code level should be used.

Example
We can check whether the application is debuggable by checking the AndroidManifest.xml for android:debuggable attribute.

A screenshot showing the android:debuggable attribute in the AndroidManifest.xml file

You can mitigate the security risks by setting the android:debuggable attribute to false and ensuring the confidentiality, integrity, and availability of your Android application and its data.

MASVS-PRIVACY

MASVS-PRIVACY provides privacy controls to protect user privacy. It emphasizes the importance of ethical and responsible handling of user data to build trust with users and protect their sensitive information from unauthorized access or misuse. Apps should disclose and obtain consent for any third-party services integrated into the app that may collect user data.

Example

The app should inform users about what data is being collected from them, how it will be utilized, and whether it will be shared with third parties. Proper security measures should also be in place to protect the collected data from unauthorized access and security breaches.

How can Appknox help you follow OWASP MASVS?

Appknox follows these testing guides and standards to protect mobile applications from various attacks. Our product aligns with various guidelines and methodologies established by OWASP. 

In addition to the examples given under each category for MASVS v2, Appknox offers an automated application testing solution that helps streamline MASVS and MASTG implementation. Our platform utilizes a combination of static and dynamic analysis techniques to detect vulnerabilities within your Android & iOS applications.

Appknox helps you adopt a security-first approach throughout your application's ideation, development, go-live, and run and support phases. Our security experts will  

➢  Identify your application’s tech stack, 

➢  Analyze its threat landscape,  

➢  Set up breakpoints on critical functionalities,  

➢  Perform exploits for advanced threat detection and test responses. 

Moreover, Appknox generates a comprehensive report with remediation guidance in just 60 minutes, empowering your team to address the detected vulnerabilities right away. So, with Appknox, you get specialized mobile application security solutions that deliver targeted protection and compliance by going beyond the traditional.