A community of industry security experts collaborates to produce the most widely used global standards for mobile application security, the OWASP Mobile Application Security (MAS) Project. OWASP MAS enables mobile security and development teams to move faster and identify and remediate the most severe issues in their mobile applications.
“With the MASVS and MASTG refactoring, we’re building the next generation of standards and documentation to help security architects, developers and security analysts to do their jobs more efficiently,” says Carlos Holguera, OWASP MAS Co-Leader and a NowSecure Mobile Security Research Engineer.
Standards-based practices establish consensus between security, developers and business stakeholders on the risks that must be addressed as part of the mobile application release process. NowSecure built its automated mobile application security testing based on standards. NowSecure Platform automates MASVS testing so organizations can find and fix security and privacy issues in their mobile apps. NowSecure also offers full-scope mobile penetration testing services for OWASP MAS.
What follows are five current developments mobile AppSec pros and devs should know about OWASP MAS:
- OWASP renamed the project from the OWASP Mobile Security Project to OWASP Mobile Application Security in 2022. The new name reflects the focus of the project, mobile application security. As part of the change, the OWASP project launched a new website and adopted a new Twitter handle, OWASP_MAS. Follow the account for project updates and resources.
- Major refactoring of the OWASP Mobile Application Security Verification Standard (MASVS) is underway to simplify and streamline requirements for building secure mobile apps. We expect to see the MASVS v2.0 release in January 2023 with the following changes included:
  - Condensation of MASVS-STORAGE and moving relevant requirements to MASVS-PLATFORM
  - Simplification of MASVS-CRYPTO and alignment with NIST standards NIST.SP.800-175B and NIST.SP.800-57p1
  - Separation of client-side and server-side authentication in MASVS-AUTH with reliance on OWASP Application Security Verification Standard (ASVS)
  - Removal of MASVS-ARCH in favor of using NIST.SP.800.218 and OWASP Software Assurance Maturity Model (SAMM) standards
  - Transition of selected old requirements into test cases
  - Focus on improving automation and enabling compliance as code
- 2023 will bring intensive work to refactor the OWASP Mobile Application Security Testing Guide (MASTG), the manual for mobile app security testing that professional security analysts use extensively to verify the MASVS controls. The refactoring project will align MASTG test cases with the new MASVS v2.0 controls and create what the MAS project calls ‘atomic tests.’ The MAS community will collaborate to take the current large MASTG test cases and split them into smaller, more manageable chunks. This will provide a more fine-grained and comprehensive view of MASVS testing supported by the MASTG.
- OWASP MAS recently relaunched the MAS Crackmes as part of its new website. You can find this collection of Android and iOS mobile reverse engineering challenges throughout the OWASP MASTG and can also solve them for fun. NowSecure contributed the “Android UnCrackable L4”, a difficult crackme requiring advanced knowledge to crack the included whitebox crypto and bypass the anti-root, anti-Frida and other protection mechanisms. It offers a great place to practice the MASTG.
- NowSecure has supported the OWASP MAS community for seven years and helps advance the initiatives in several ways.
  - NowSecure Mobile Researcher Carlos Holguera leads OWASP MAS together with co-leader Sven Schleier.
  - NowSecure is honored as a MAS Advocate, the highest status that industry contributors can achieve. Advocates must invest a significant volume of resources by showing adoption, providing consistent high-impact contributions and spreading the word.
  - NowSecure financially sponsors the project as a God Mode Donator.
Hear about ongoing MAS work directly from the co-leaders. Register to watch a replay of their recent NowSecure Connect conference session, “Inside the OWASP MASVS Refactor v2.0” and gain access to the other recordings. You can also find free education in the NowSecure Academy “OWASP MASVS & MASTG Updates” course along with much more mobile application security and secure mobile development training.