95% of Mobile Apps Fail the OWASP MASVS Industry Standard for Mobile Security, Finds NowSecure Industry Benchmark
For Immediate Release
October 30, 2023 - 8:00 am
Major mobile app security gaps place millions of mobile app users at risk, demonstrating that current security and privacy methods are not working and that change is needed to protect the consumer.
Washington, DC – Oct 30, 2023 — NowSecure, the recognized experts in mobile security and privacy, announced today at OWASP Global AppSec DC that its new security benchmark analysis reveals 95% of roughly 6,500 popular mobile apps fail to meet the world’s most recognized industry standard for mobile app security, the OWASP MASVS. These results signal that every organization building mobile apps, or downloading commercial mobile apps for use, should immediately review its mobile app security strategy and shift to a more rigorous approach to security and privacy. They also demonstrate that regulators, auditors, risk committees and cyberinsurance companies need to raise the bar on mobile app security and privacy before the next major breach occurs.
Established by industry experts and practitioners across the global community, the OWASP Mobile App Security (MAS) Project with the OWASP Mobile Application Security Verification Standard (MASVS) serves as the most recognized standard for mobile application security. OWASP MASVS sets a minimum bar for mobile app developers to follow when building apps securely and provides security teams with the ideal testing strategy as part of the organization’s proof of controls.
The 2023 NowSecure benchmark mobile app security analysis shows 95% of nearly 6,500 leading mobile apps fail at least one of the seven OWASP MASVS categories that cover the mobile app attack surface. Across the seven OWASP MASVS categories, the areas of highest failure rates are:
- 54% of mobile apps fail MASVS-NETWORK, exposing critical user information transmitted between the mobile app and backend systems over the Internet. Such traffic can be intercepted remotely to harvest company data, steal user credentials, map backend systems for attack, phish users and violate privacy mandates.
- 47% of mobile apps fail MASVS-PLATFORM, allowing theft of sensitive data through interprocess communication with other mobile apps on the device and leaving the mobile app open to device-based attacks.
- 43% of mobile apps fail MASVS-CODE, indicating improper coding practices such as failure to properly validate input, use of insecure third-party libraries and failure to use the protections built into the mobile OS and development languages.
These weaknesses put organizations at risk of system breaches, data loss and privacy exposures that can tarnish the brand, reduce revenue, damage customer trust, incur regulatory fines and invite lawsuits.
“Clearly mobile developers and security teams are not meeting industry-recognized minimum bar standards, putting their organizations and billions of mobile users at risk,” said NowSecure CEO Alan Snyder. “The OWASP community of experts working for over a decade has delivered a proven global standard for mobile app security. All organizations building and using mobile apps should use the OWASP MASVS proven industry standard to reduce risk, demonstrate proof of controls and streamline the development process as they mobilize the business safely and efficiently.”
NowSecure recommends that all organizations take action to address these significant gaps in mobile app security, including:
- Review the OWASP MAS project resources to understand mobile app security requirements and testing processes.
- Train developers on secure coding best practices and testing teams on testing techniques.
- Establish release policies across dev, devops, security and compliance teams using OWASP MASVS requirements.
- Deploy policy-based, continuous automated mobile app security testing in pipelines, feeding issues and embedded remediation to developers to speed resolution.
- For highest-risk mobile apps with critical intellectual property, highly sensitive data or transactions, add expert pen testing using OWASP MASVS and OWASP MASTG.
- Generate OWASP MASVS self-attestation reports or use third-party pen testing attestation reports to demonstrate to customers that the organization has taken proven measures.
- For third-party mobile apps purchased, downloaded and used, ensure that the mobile app developer provides an attestation of OWASP MASVS compliance.
The NowSecure OWASP MASVS Benchmark testing methodology leverages NowSecure Platform automated mobile application security testing software, which performs a battery of more than 600 security and privacy tests using SAST, DAST, IAST and APISec technologies, with results mapped to the OWASP MASVS categories. For this benchmark analysis, NowSecure used the mobile app data set from the NowSecure MobileRiskTracker™, a live benchmarking tool that continuously monitors the security and privacy of 6,434 Android and iOS mobile apps from the Apple App Store™ and Google Play™ across a range of industries, including finance and banking, mHealth, high tech, retail, travel & hospitality and government, among others. NowSecure took a snapshot of the MobileRiskTracker benchmark data in October 2023.
NowSecure partners with the OWASP Mobile Application Security (MAS) Project community in several ways. In addition to providing financial support as a God Mode sponsor, NowSecure has been honored as the first OWASP MAS Advocate for significant contributions to the initiative and provides dedicated staff experts to support the project.
NowSecure delivers the industry’s only full suite of mobile app security and privacy solutions including NowSecure Platform for automated security and privacy testing, NowSecure Workstation kit for pen tester productivity, NowSecure Supply Chain Risk Management, NowSecure expert Mobile Pen Testing as a Service (PTaaS), and NowSecure Academy training courseware for dev and security teams. NowSecure customers report high-value returns of releasing safe mobile software 30% faster, reducing testing and delivery costs by 30% and reducing risk by 40%.
Download the full NowSecure OWASP MASVS Benchmark report to see a more detailed analysis and request a test of your own mobile app to the OWASP MASVS standard.
To scale up your mobile app security program with automated OWASP MASVS testing built into your mobile pipelines, request a demo of NowSecure Platform. Learn how to add a full OWASP MASVS mobile compliance pentest to ensure complete coverage.
About NowSecure
Mobile apps define an enterprise’s digital presence and drive engagement with both employees and customers. However, the rapid pace of mobile innovation introduces security, safety and privacy risks that traditional risk management technologies often miss. By partnering with NowSecure to build a Mobile Applications Risk Management (MARM) program, organizations are better protected against the risks that plague the largely insecure mobile app ecosystem. NowSecure provides policy-driven progressive testing tailored to risk tiers, combining automated continuous assessments with expert Pen Testing as a Service (PTaaS) to pinpoint and remediate security, safety, and privacy issues. This approach shrinks the mobile app attack surface and accelerates app releases. Built on a foundation of industry standards by mobile security experts, NowSecure safeguards many of the world’s leading brands and their employees, partners and customers.