Mobile App Standards and Compliance

Offers a proactive and systematic approach to cybersecurity measures for all types of computing platforms, including general-purpose computing, cyber-physical, cloud-based, weapons, space, communications, environmental control, and industrial control systems as well as mobile and Internet of Things (IoT) devices. NowSecure supports organizations looking to comply with NIST 800-53. The solution visually implements mobile app security controls that will identify security vulnerabilities requiring remediation to meet the framework requirements.

Details requirements for information security management systems to help automate the security management of critical assets like financial information, intellectual property (IP), employee details, and information entrusted by third parties. NowSecure supports organizations looking to comply with ISO 27001 by implementing mobile app security controls that identify security vulnerabilities requiring remediation to meet the framework requirements.

Captures the tactics and techniques organizations should utilize for device access, mobile apps and network-based attack vectors often used by adversaries with or without device access. NowSecure supports organizations that seek to threat model their mobile apps using the MITRE ATT&CK framework. This approach enables rapid implementation of mobile app security controls that will identify security vulnerabilities requiring remediation to meet the framework requirements.

The OWASP Mobile Application Security Verification Standard (MASVS) is the definitive standard for mobile app security. It specifies/details mobile app security requirements to be utilized by mobile software designers and developers to build more secure mobile applications. It also serves as a guide for security testers for the depth of testing and consistency of test results.
MASVS requirements are organized into eight categories:

• V1 – Architecture Design and Threat Modeling Requirements
• V2 – Data Storage and Privacy Requirements
• V3 – Cryptography Requirements
• V4 – Authentication and Session Management Requirements
• V5 – Network Communication Requirements
• V6 – Platform Interaction Requirements
• V7 – Code Quality and Build Setting Requirements
• V8 – Resilience Requirements

NowSecure tests for the OWASP MASVS throughout the mobile app security testing software and services.

In conjunction with the MASVS, OWASP also created the Mobile Application Security Testing Guide (MASTG) as a comprehensive guide to mobile application security testing and reverse engineering for both iOS and Android mobile apps. MASTG includes content around mobile platform internals, the mobile app development lifecycle, static and dynamic security testing, mobile app reverse engineering and tampering, assessing the quality of software protections around the mobile app, and test cases that map directly to the MASVS. NowSecure leverages the OWASP MASTG throughout our mobile app security testing software and services.

Released at the end of 2019, The OWASP API Top 10 is a newer list of risks and vulnerabilities identified by OWASP specifically for API security. As mobile apps increasingly use APIs for connectivity and services to backend systems and third-party services, the risks of API security failures expand dramatically. NowSecure tests for the OWASP API Top 10 throughout our mobile app security testing software and services.

Modern software builds use third-party and open-source components glued together in a complex and unique way, integrated with original code to achieve the desired functionalities. An accurate inventory of all components inside of an application is critical for organizations to identify risk, allow for greater transparency, and conduct rapid impact analysis.

OWASP CycloneDX is the leading standard for Software Bill of Material (SBOM) formatting. This is a lightweight SBOM standard for use in application security contexts and supply chain component analysis, and is offered in XML, JSON, and Protocol Buffers. There is also a large collection of official and community supported tools that create or interoperate with the standard. CycloneDX offers guiding principles to reinforce the risk-based approach to standards development.

The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures that, in total, maintains a list of more than 175,000 records. CVE and the National Vulnerability Database (NVD) operated by NIST work together to provide all vulnerabilities a security severity score based on the Common Vulnerability Scoring System (CVSS). NowSecure tests mobile apps for CVEs, flagging issues with remediation instructions and links to source CVE database.

The Common Vulnerabilities Scoring System (CVSS) offers organizationes a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score is translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes. NowSecure scores all findings with CVSS Scores linked back to the CVSS system to ensure understanding of level of risk and priority to address the issues.

Common Weakness Enumeration (CWE) is a community-developed list of software and hardware weaknesses serving as a common language with details to assist in identification, mitigation, and prevention efforts. The 2021 CWE Top 25 Most Dangerous Software Weaknesses is a list of the most common and impactful issues found in mobile and web apps over the past two calendar years. This list focuses on findings that are easy to find, exploit, and have high risk attached to them, allowing adversaries to take control of a system, steal data, or break an application. This standard leverages Common Vulnerabilities and Exposures (CVE®) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each CVE. NowSecure tests mobile apps for the CWE Top 25, flagging issues with remediation instructions and links to the source CWE Top 25.

The App Defense Alliance (ADA) founded with a core mission in mind – to protect app users across the broader app ecosystem by preventing threats from reaching their devices and improving app quality. In 2022, The ADA created the Mobile App Security Assessment (MASA) verification program built on the industry standard OWASP MASVS and MASTG, By completing an ADA MASA verification from an ADA Authorized Labs, Android developers can add the independent security review badge to their Google Play Data Safety sections. NowSecure partnered with Google and other industry leaders to create the MASA program and serves as an ADA Authorized Lab.

The California Consumer Privacy Act (CCPA) of 2018 is legislation designed to give consumers more control over the personally identifiable information (PII) that organizationes collect about them. It puts forward a set of regulation which provide guidance around the “right to know” personal information, “right to delete” personal information, “right to opt-out” of selling personal information, and “right to non-discrimination” for exercising those rights. For organizations to meet these regulations, specific security requirements need to be met around PII. NowSecure tests mobile apps for CCPA throughout the mobile app security testing software and services, listing any potential violations, evidence, and remediation instructions. Read the NowSecure Blog What You Need to Know About the CCPA Data Privacy Regulation for Mobile Apps.

Federal Financial Institutions Examination Council (FFIEC) is a formal U.S. government interagency body including five banking regulators who design principles, standards, and reports that promote uniformity and consistency for financial institutions. In 2017 the FFIEC published the CyberSecurity Assessment tool as a response to the increasing volume and sophistication of cyber threats. NowSecure tests mobile apps for FFIEC throughout the mobile app security testing software and services, listing any potential violations, evidence, and remediation instructions.

The Federal Information Security Modernization Act (FISMA) originally passed in December 2002 and was amended in 2014. It requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other sources. NowSecure tests mobile apps for FISMA throughout the mobile app security testing software and services, listing any potential violations, evidence, and remediation instructions.

General Data Protection Regulation (GDPR) requires organizations to implement reasonable data protection measures to protect the personal data of consumers and employees against data loss or exposure. To achieve that goal, the law regulates all areas related to data management and processing, from obtaining user consent to setting up company-wide data protection practices and handling data breach incidents. NowSecure tests mobile apps for GDPR throughout the mobile app security testing software and services, listing any potential violations, evidence, and remediation instructions.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. Any organization operating within the healthcare industry or processing patient data must comply with HIPAA standards, and NowSecure tests mobile apps for HIPAA throughout the mobile app security testing software and services, listing any potential violations, evidence, and remediation instructions.

The ioXt Alliance defines the global standard for IoT security and is the result of the industry working together to set security standards that bring security, upgradability, and transparency to the market. NowSecure helped create the ioXt mobile app protection profile specification with ioXt, Google, and Amazon that ensures the rigorous security of IoT-connected mobile apps and mobile VPNs. NowSecure is an ioXt Authorized Lab that provides fast turnaround, high quality results and collaborative assistance to complete compliance certification promptly.

The National Information Assurance Partnership (NIAP) is responsible for U.S. implementation of the Common Criteria, including management of the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS) validation body. NIAP manages a national program for developing Protection Profiles, evaluation methodologies, and policies that will ensure achievable, repeatable, and testable requirements. For mobile apps, NIAP created the Mobile App Vetting Protection Profile for Application Software v 1.3. NowSecure is the only vendor to support the NIAP Mobile App Vetting Protection Profile V 1.3 with automated testing and expert professional services to help organizations achieve Authority to Operate (ATO) faster. Download the NowSecure Paper  How To Ensure NIAP Mobile App Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a standard requiring compliance for any organization or application accepting digital payment information. PCI DSS design ensures the safe handling of cardholder information at every step of the process. NowSecure tests mobile apps for PCI-DSS throughout the mobile app security testing software and services, listing any potential violations, evidence, and remediation instructions.