Essential OWASP MASVS Privacy Guidelines Every Mobile App Developer Should Know
Posted by Jeremy Murphy
As a penetration tester who conducts extensive NowSecure Mobile App Pen Testing as a Service (PTaaS) assessments of Android and iOS apps, I’ve seen firsthand how often mobile apps fail to meet even basic security and privacy standards. I’ve encountered everything from unsecured sensitive data to apps collecting far more personal information than needed. These experiences aren’t just professional — they reflect what I encounter as a user, too. Most mobile apps weren’t built with privacy in mind and data collection practices have fractured consumer trust.
Mobile app developers and mobile app product managers should rethink their approach to user privacy. Not only do consumers rightfully expect privacy, but regulatory scrutiny and compliance mandates have also intensified. The good news is that new Open Worldwide Application Security Project (OWASP) Mobile Application Security Verification Standard (MASVS) enhancements can help organizations adopt or strengthen privacy.
Implementing the OWASP MASVS privacy requirements will help developers ensure their apps collect only needed data, safeguard it properly and provide users with transparency and control over their information. This blog will explore the OWASP MASVS privacy requirements and their role in building innovative mobile apps that prioritize privacy and preserve brand reputation.
OWASP MASVS Explained
OWASP has been instrumental in creating guidelines for secure applications for all platforms. As mobile devices have become the primary method for people to interact online and consume products and services, the industry sought specific guidelines for mobile application security and privacy and formed the OWASP Mobile Application Security Project.
The OWASP MASVS contains a set of controls pertaining to the various components of mobile applications. These controls were designed to improve the security posture of mobile applications by establishing standards for baseline security requirements.
For example, does your application store your user data in a secure manner? The first control, MASVS-STORAGE-1, states:
“Apps handle sensitive data coming from many sources such as the user, the backend, system services or other apps on the device and usually need to store it locally. The storage locations may be private to the app (e.g. its internal storage) or be public and therefore accessible by the user or other installed apps (e.g. public folders such as Downloads). This control ensures that any sensitive data that is intentionally stored by the app is properly protected independently of the target location.”
In 2024, the MAS project updated OWASP MASVS with a new set of controls pertaining to privacy. This newly added subset aims to address issues such as data collection transparency, user control over their data and protection of user anonymity.
Privacy & Data Collection Practices
When I was scrolling through my social media the other night, in between the various cat videos and motorcycle clips I was presented with something we are all too familiar with: a targeted ad. We have all been in this situation. Ads seem to know what we want, sometimes before we even know we want it. Many people think that our devices are always listening because they would get targeted with an ad for something that had been passively mentioned in casual conversation, myself included.
How is this possible? Companies know more about us than we know about ourselves and have access to a wealth of data to drive purchasing decisions. The saying, “If you’re not paying for it, you are not the customer; you’re the product being sold” perfectly describes online data collection processes. Most people are either unaware of the controls they have over their personal data or are hampered by the complexity of managing data collection.
The next time you develop a mobile app, put yourself in the shoes of a user and carefully consider how you’d want the app to handle your personal data. To shape your thinking, it may help to explain OWASP MASVS privacy requirements by drawing a parallel to everyday occurrences.
MASVS-PRIVACY-1 | The app minimizes access to sensitive data and resources
I was at the mechanic getting some work done on my vehicle. I checked in, the clerk handed me some forms to fill out. As I began to input my information, I came to a field where I was expected to fill in my social security number. Puzzled, I asked the clerk why they needed that information.
“It’s optional, you don’t have to write it down if you don’t want to.”
This is a great example of the issue that MASVS-PRIVACY-1 aims to address: applications should only request access to data they need to fulfill their purpose.
A real-world example of this could be the ever-popular social media giant Facebook and its mobile apps. The Facebook application for Android collects data on the user’s emails, text messages, religious and sexual preferences, personal files and even health and fitness information. One would have to ask themselves if all of this data is necessary for the application to work properly. I would imagine a vast majority of people would agree that it is not.
Next time you find an app that you want to install, take a look at the data that is collected and ask yourself, “Does it need all of this in order to function?”
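Developers can put the same question to their own build. The following is an added example, not code from the original post or from OWASP: it audits the permissions an Android manifest requests against a team-maintained justification list. The sample manifest, the package name and the justification entries are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace Android uses for manifest attributes such as android:name.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest for a hypothetical flashlight app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.INTERNET" />
    <application android:label="Flashlight" />
</manifest>
""".strip()

# Hypothetical record kept by the team: permission -> feature that needs it.
JUSTIFIED = {
    "android.permission.CAMERA": "torch control on older devices",
    "android.permission.INTERNET": "crash reporting",
    "android.permission.VIBRATE": "haptic feedback (feature since removed)",
}

def requested_permissions(manifest_xml):
    """Return the sorted, de-duplicated permission names the manifest requests."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    names = {el.get(ANDROID_NS + "name") for tag in tags for el in root.iter(tag)}
    return sorted(n for n in names if n)

def audit(manifest_xml, justified):
    """Flag permissions with no documented purpose, and purposes with no permission."""
    requested = requested_permissions(manifest_xml)
    return {
        # Requested by the app but nobody has written down why it is needed.
        "unjustified": [p for p in requested if p not in justified],
        # Documented but no longer requested: the record needs cleaning up.
        "stale": sorted(p for p in justified if p not in requested),
    }

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, JUSTIFIED)
    for kind, perms in report.items():
        for perm in perms:
            print(f"{kind}: {perm}")
    # A non-zero exit lets a CI job fail the build on unjustified permissions.
    raise SystemExit(1 if report["unjustified"] else 0)
```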
MASVS-PRIVACY-2 | The app prevents identification of the user
Many of us are familiar with the classic board game Guess Who? The goal is to guess which character your opponent has by asking about various characteristics. Does the character have short hair? Do they wear jewelry? All of these characteristics on their own would not result in a victory, but together one can correctly discern the answer.
MASVS-PRIVACY-2 aims to encourage developers to implement functions within their applications that would make it impossible to discern one user from another. Data points such as Device ID, IP addresses and others could be used to create internal user profiles and track their activity inside and sometimes even outside the app.
This control encourages developers to implement mechanisms that create an obfuscation layer between the user and the data collection functions, making it impossible to track users and their activity.
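One way such a layer can look, as an added example that is not from the original post or from OWASP: a scrubber that sits in front of the analytics sink, drops every field not on an allowlist, replaces the device ID with a pseudonym that rotates weekly and coarsens IP addresses. The field names, the allowlist, the weekly rotation period and the /24 and /48 prefixes are assumptions chosen for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets
from datetime import datetime, timezone

# Assumption: the only fields the analytics feature actually needs.
ALLOWED_FIELDS = {"event", "screen", "app_version"}

# Constructed sample event as an SDK might emit it before scrubbing.
SAMPLE_EVENT = {
    "event": "screen_view", "screen": "checkout", "app_version": "4.2.0",
    "device_id": "constructed-device-id-0001", "email": "user@example.com",
    "ip": "203.0.113.77",
}

def new_install_key():
    """Random per-install secret; kept in app-private storage, never uploaded."""
    return secrets.token_bytes(32)

def rotating_pseudonym(install_key, when):
    """Keyed hash of the ISO week: stable inside one week, unlinkable across
    weeks without the key, and unrelated to any hardware identifier."""
    year, week, _ = when.isocalendar()
    label = f"{year}-W{week:02d}".encode()
    return hmac.new(install_key, label, hashlib.sha256).hexdigest()[:16]

def coarsen_ip(ip):
    """Keep only the network part (/24 for IPv4, /48 for IPv6)."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)

def scrub(event, install_key, when):
    """Return the only representation of the event allowed to leave this layer."""
    out = {k: v for k, v in event.items() if k in ALLOWED_FIELDS}
    out["pid"] = rotating_pseudonym(install_key, when)  # replaces device_id
    if "ip" in event:
        out["net"] = coarsen_ip(event["ip"])
    return out

if __name__ == "__main__":
    print(scrub(SAMPLE_EVENT, new_install_key(), datetime.now(timezone.utc)))
```

The rotation bounds how long activity can be linked to one pseudonym; a shorter period or a stricter allowlist tightens that further.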
MASVS-PRIVACY-3 | The app is transparent about data collection and usage
Imagine going to a grocery store to buy some ingredients for a recipe that you found online. You pick up an item and look at the nutrition label and ingredient list only to find it blank. I’d imagine most people would avoid that item going forward.
All applications listed in the various app stores include data safety labels which provide transparency on how apps collect, use, and share data. When users download an app, they can view a detailed breakdown of what types of data are collected, whether the data is linked to their identity, and how it is used. This kind of clear, upfront disclosure gives users a better understanding of what they’re consenting to and how their personal information is handled before they download or use an app.
When it comes to data collection, transparency is crucial for users because it helps them make informed decisions about their privacy. As mentioned before, most users do not realize how much data is being collected by apps or for what purpose. By being clear about what kind of data is collected and how it is used, app developers allow users to assess the potential risks and benefits of sharing their information. This empowers users to protect their privacy and avoid potential misuse of their data, building trust in an era of rising concerns over data breaches and surveillance.
MASVS-PRIVACY-4 | The app offers user control over their data
We’ve all been to the doctor’s office or hospital (hopefully not too often!) where we have to fill out forms that include our PII including name, address, social security number and more. Over the years and multiple moves, I have been to more than a dozen different providers and have gone through the same process. A nagging thought in the back of my mind is that all these different entities have all of my information in their filesystem. I have always wished that there was an easy way to request for my data to be deleted from their system once I am no longer a patient.
User control over data is important because it respects an individual’s autonomy over their personal information. Without control, users are at the mercy of app developers, unable to manage how their data is stored or used. By giving users the option to opt-out or ask for their data to be removed, app developers empower users to safeguard their privacy according to their comfort levels. This not only enhances trust but also allows users to minimize potential risks, such as exposure to data breaches or unwanted profiling.
Prioritize Mobile App Privacy
Adopting OWASP MASVS privacy requirements helps mobile app development teams build mobile apps that honor user demands for privacy, transparency and control. NowSecure Platform automated mobile app risk testing identifies security and privacy issues mapped directly to OWASP MASVS requirements to ensure organizations meet compliance and regulatory requirements.
To make achieving compliance easy, NowSecure Platform integrates directly into the DevSecOps toolchain and developers’ preferred workflows and provides developer documentation, code snippets and remediation advice to help developers quickly fix security and privacy problems. Get a demo to see NowSecure Platform standards-based testing and privacy findings in action.