
Mobile Application Security Checklist

MASVS-STORAGE: Storage
OWASP MASTG v1.7.0 (commit: 7172dfa) OWASP MASVS v2.0.0 (commit: f2e668b)

MASVS-ID            Platform  Description                                                                         L1  L2  R  Status
MASVS-STORAGE-1               The app securely stores sensitive data.
                    android   Testing Local Storage for Sensitive Data
                    android   Testing the Device-Access-Security Policy
                    ios       Testing Local Data Storage
MASVS-STORAGE-2               The app prevents leakage of sensitive data.
                    android   Determining Whether Sensitive Data Is Shared with Third Parties via Embedded Services
                    android   Determining Whether Sensitive Data Is Shared with Third Parties via Notifications
                    android   Testing Backups for Sensitive Data
                    android   Testing Memory for Sensitive Data
                    android   Determining Whether the Keyboard Cache Is Disabled for Text Input Fields
                    android   Testing Logs for Sensitive Data
                    ios       Checking Logs for Sensitive Data
                    ios       Testing Memory for Sensitive Data
                    ios       Testing Backups for Sensitive Data
                    ios       Finding Sensitive Data in the Keyboard Cache
                    ios       Determining Whether Sensitive Data Is Shared with Third Parties
MASVS-CRYPTO: Cryptography

MASVS-ID            Platform  Description                                                                         L1  L2  R  Status
MASVS-CRYPTO-1                The app employs current strong cryptography and uses it according to industry best practices.
                    android   Testing Symmetric Cryptography
                    android   Testing the Configuration of Cryptographic Standard Algorithms
                    android   Testing Random Number Generation
                    ios       Verifying the Configuration of Cryptographic Standard Algorithms
                    ios       Testing Random Number Generation
MASVS-CRYPTO-2                The app performs key management according to industry best practices.
                    android   Testing the Purposes of Keys
                    ios       Testing Key Management
MASVS-AUTH: Authentication and Authorization

MASVS-ID            Platform  Description                                                                         L1  L2  R  Status
MASVS-AUTH-1                  The app uses secure authentication and authorization protocols and follows the relevant best practices.
MASVS-AUTH-2                  The app performs local authentication securely according to the platform best practices.
                    android   Testing Biometric Authentication
                    android   Testing Confirm Credentials
                    ios       Testing Local Authentication
MASVS-AUTH-3                  The app secures sensitive operations with additional authentication.
MASVS-NETWORK: Network Communication

MASVS-ID            Platform  Description                                                                         L1  L2  R  Status
MASVS-NETWORK-1               The app secures all network traffic according to the current best practices.
                    android   Testing Endpoint Identity Verification
                    android   Testing the Security Provider
                    android   Testing Data Encryption on the Network
                    android   Testing the TLS Settings
                    ios       Testing the TLS Settings
                    ios       Testing Endpoint Identity Verification
                    ios       Testing Data Encryption on the Network
MASVS-NETWORK-2               The app performs identity pinning for all remote endpoints under the developer's control.
                    android   Testing Custom Certificate Stores and Certificate Pinning
                    ios       Testing Custom Certificate Stores and Certificate Pinning
MASVS-PLATFORM: Platform Interaction

MASVS-ID            Platform  Description                                                                         L1  L2  R  Status
MASVS-PLATFORM-1              The app uses IPC mechanisms securely.
                    android   Testing for App Permissions
                    android   Testing for Vulnerable Implementation of PendingIntent
                    android   Testing for Sensitive Functionality Exposure Through IPC
                    android   Determining Whether Sensitive Stored Data Has Been Exposed via IPC Mechanisms
                    android   Testing Deep Links
                    ios       Testing App Extensions
                    ios       Testing Custom URL Schemes
                    ios       Testing App Permissions
                    ios       Determining Whether Sensitive Data Is Exposed via IPC Mechanisms
                    ios       Testing UIPasteboard
                    ios       Testing for Sensitive Functionality Exposure Through IPC
                    ios       Testing UIActivity Sharing
                    ios       Testing Universal Links
MASVS-PLATFORM-2              The app uses WebViews securely.
                    android   Testing WebView Protocol Handlers
                    android   Testing WebViews Cleanup
                    android   Testing JavaScript Execution in WebViews
                    android   Testing for Java Objects Exposed Through WebViews
                    ios       Testing WebView Protocol Handlers
                    ios       Testing iOS WebViews
                    ios       Determining Whether Native Methods Are Exposed Through WebViews
MASVS-PLATFORM-3              The app uses the user interface securely.
                    android   Testing for Overlay Attacks
                    android   Checking for Sensitive Data Disclosure Through the User Interface
                    android   Finding Sensitive Information in Auto-Generated Screenshots
                    ios       Checking for Sensitive Data Disclosed Through the User Interface
                    ios       Testing Auto-Generated Screenshots for Sensitive Information
MASVS-CODE: Code Quality

MASVS-ID            Platform  Description                                                                         L1  L2  R  Status
MASVS-CODE-1                  The app requires an up-to-date platform version.
MASVS-CODE-2                  The app has a mechanism for enforcing app updates.
                    android   Testing Enforced Updating
                    ios       Testing Enforced Updating
MASVS-CODE-3                  The app only uses software components without known vulnerabilities.
                    android   Checking for Weaknesses in Third Party Libraries
                    ios       Checking for Weaknesses in Third Party Libraries
MASVS-CODE-4                  The app validates and sanitizes all untrusted inputs.
                    android   Make Sure That Free Security Features Are Activated
                    android   Testing for Injection Flaws
                    android   Testing Local Storage for Input Validation
                    android   Memory Corruption Bugs
                    android   Testing Object Persistence
                    android   Testing Implicit Intents
                    android   Testing for URL Loading in WebViews
                    ios       Testing Object Persistence
                    ios       Memory Corruption Bugs
                    ios       Make Sure That Free Security Features Are Activated
MASVS-RESILIENCE: Resilience Against Reverse Engineering and Tampering

MASVS-ID            Platform  Description                                                                         L1  L2  R  Status
MASVS-RESILIENCE-1            The app validates the integrity of the platform.
                    android   Testing Root Detection
                    android   Testing Emulator Detection
                    ios       Testing Jailbreak Detection
                    ios       Testing Emulator Detection
MASVS-RESILIENCE-2            The app implements anti-tampering mechanisms.
                    android   Testing File Integrity Checks
                    android   Testing Runtime Integrity Checks
                    android   Making Sure that the App Is Properly Signed
                    ios       Testing File Integrity Checks
                    ios       Making Sure that the App Is Properly Signed
MASVS-RESILIENCE-3            The app implements anti-static analysis mechanisms.
                    android   Testing for Debugging Symbols
                    android   Testing for Debugging Code and Verbose Error Logging
                    android   Testing Obfuscation
                    ios       Testing for Debugging Code and Verbose Error Logging
                    ios       Testing Obfuscation
                    ios       Testing for Debugging Symbols
MASVS-RESILIENCE-4            The app implements anti-dynamic analysis techniques.
                    android   Testing whether the App Is Debuggable
                    android   Testing Reverse Engineering Tools Detection
                    android   Testing Anti-Debugging Detection
                    ios       Testing Anti-Debugging Detection
                    ios       Testing whether the App Is Debuggable
                    ios       Testing Reverse Engineering Tools Detection
About

About the Project

The OWASP Mobile Application Security (MAS) flagship project led by Carlos Holguera and Sven Schleier defines the industry standard for mobile application security.

https://mas.owasp.org/

The OWASP MASVS (Mobile Application Security Verification Standard) is a standard that establishes the security requirements for mobile app security.

https://mas.owasp.org/MASVS/

The OWASP MASTG (Mobile Application Security Testing Guide) is a comprehensive manual for mobile app security testing and reverse engineering. It describes technical processes for verifying the controls listed in the MASVS.

https://mas.owasp.org/MASTG/

Feedback

If you have any comments or suggestions, please post them on our GitHub Discussions.

https://github.com/OWASP/owasp-mastg/discussions/categories/ideas

Licence

Copyright © 2023 The OWASP Foundation. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. For any reuse or distribution, you must make clear to others the license terms of this work.

https://github.com/OWASP/owasp-mastg/blob/master/License.md
