The OWASP MASVS: A Community Effort To Fix Mobile AppSec

Technological revolutions can happen quickly. Less than a decade ago, smartphones were clunky devices with little keyboards: Expensive playthings for tech-savvy business users. Today, smartphones are an essential part of our lives. We've come to rely on them for information, navigation and communication, and they are ubiquitous both in business and in our private lives.

Every new technology introduces new security risks, and keeping up with those changes is one of the main challenges the security industry faces: We're always lagging a bit behind. When my team and I started working on our own mobile app testing methodology a while ago, we initially tried to find industry-wide best practices for developing secure mobile apps. As it turned out, there wasn't any: Security consulting companies would follow their own proprietary methdologies, but there was no widely accepted standard to compare them against, and the methodologies used varied widely in quality.

The default reflex for many was to apply old ways of doing things: Smartphones are like small computers, and mobile apps are like software, so surely the security requirements are similar? But it doesn't work like that. Smartphone operating systems are different from Desktop operating systems, and mobile apps are different from web apps: Virus scanners don't make sense on modern mobile OSes, and attackers rarely exploit buffer overflows and XSS vulnerabilities in mobile apps (as always, rare exceptions exist).

Over time, our industry has gotten a better grip on the mobile threat landscape. As it turns out, mobile security is all about data protection: Apps store our personal information, notes, account data, business information, and much more. They act as clients that connect us to services we use on a daily basis, and as communications hubs that processes each and every message we exchange with others. Compromise a person's smartphone and you get unfiltered access to that person's life. When we consider that mobile devices are more readily lost or stolen and mobile malware is on the rise, the need for data protection becomes even more apparent.

A security standard for mobile apps must therefore focus on how mobile apps handle, store and protect sensitive information. Even though modern mobile operating systems like iOS and Android offer great APIs for secure data storage and communcation, those have to be used correctly to be effective. Data storage, inter-app communication, proper use of cryptographic APIs and secure network communication are only some of the aspects that require careful consideration.

An important question in need of industry consensus is how far exactly one should go in protecting sensitive data. For example, most of us would agree that a mobile app should verify the server certificate in a TLS exchange. But what about SSL pinning? Does not doing it result in a vulnerability? Should it be a requirement if an app handles sensitive data, or is it maybe even counter-productive? What about locking the app after a certain idle time? Do we need to encrypt data stored in SQLite databases, even though the OS sandboxes the app?

Things become even more complicated when we start considering containerization and software protections. Some protective measures are widely assumed to be necessary - for example, many testers will report a lack of identifier renaming or root detection in an Android app as security flaw. On the other hand, we don't usually consider string encryption, debugger detection or control flow obfuscation as mandatory. However, this binary way of looking at things doesn't make sense because software protection is not a binary proposition: The question is not whether an app can be reverse engineered or not, but rather how much has been done to make the process more difficult. Finding the right requirements and testing processes for software protections is a difficult problem unique to mobile security, where containerization and obfuscation is becoming quite common. 

Finally, root malware and remote administration kits have made us aware that mobile operating systems themselves have exploitable flaws, so the case can be made that containerization, obfuscation and reactive defences are valid strategies to add protective layers to mobile apps. Our goal is therefore to provide software protection requirements in the higher verification levels, as well as testing procedures for validating the effectiveness of the protections (which will be documented in the Mobile Security Testing Guide).

The truth is that there's no one-size-fits-all: What is appropriate for one app might be overkill for another. The OWASP Mobile Application Security Verification Standard (MASVS) is an attempt to define different verification levels that can be applied to achieve different grades of security and resiliency. Level 1 defines baseline security requirements that are applicable to all mobile apps. Level 2 adds defense-in-depth and basic software protection requirements. Level 3 and 4 define stronger software protection requirements, and can be used for apps that process highly critical data.

In summary, the goals we aim to achieve with the MASVS are as follows:

  1. Provide requirements for software architects and developers seeking to develop secure mobile applications;
  2. Offer an industry standard to be used as a basis for mobile app security code review and testing methodologies;
  3. Clarify the role of software protection mechanisms in mobile security and provide requirements to verify their effectiveness;
  4. Provide suggestions as to what level of security is recommended for different use-cases.

We are aware that 100% industry consensus is impossible to achieve. Even so, we hope to provide a well though-out and balanced account of what mobile app security should look like.

Where are we at?

A current draft of the MASVS is accessible on GitHub. In addition to the MASVS, we are working on a new version of the OWASP Mobile Security Testing Guide (MSTG), which will contain detailed test cases for each requirement (this is currently in a very early stage).

How can you help?

You can provide feedback to the MASVS by creating issues and pull requests in the official GitHub repository.

We're also looking for authors, reviewers and chapter owners for the MSTG. To join the team, please join the OWASP Mobile Project channel on Slack (details below).

TL;DR

The OWASP Mobile Applicaton Security Verification Standard (MASVS) is a work-in-progress attempt to define security requirements for mobile apps. To join the effort, sign up to OWASP Slack. You can sign up for a user account here:

http://owasp.herokuapp.com

About the Author

Bernhard Mueller is a full-stack hacker, security researcher, and winner of BlackHat's Pwnie Award.

Follow him on Twitter: @muellerberndt