July 11, 2023

    How Mobile-Specific Security Standards Are Driving Security Adoption

    Regulatory requirements are a key driver in adopting mobile app security tools and practices. However, many of these regulations aren’t mobile app specific and have vague language, leaving their application up to interpretation. This lack of actionable guidance makes it challenging for developers to convert these regulations into clear requirements and security tests.

    We dove into this topic in our webinar, The Rise of Mobile Application Security Standards: Driving Adoption Through Automation. Ryan Lloyd, Guardsquare’s Chief Product Officer, shared industry trends and critical emerging resources that can help developers achieve their security goals.

    The need for security guidance was driven home by the results of a live poll, in which only 2% of attendees said they have the necessary security expertise within their team.

    Check out Guardsquare’s tips for leveraging industry standards and the power of automation to drive mobile app security strategy.

    The rise of mobile application security standards

    Mobile app security standards are developed and maintained by industry experts, and they’re a valuable resource for developers wanting to improve the security posture of their mobile application. Not to be confused with industry regulations, which are backed by governing bodies, these standards focus on how to build a security strategy and develop security expertise within existing teams.

    OWASP MASVS

    OWASP is a global coalition of security experts who are pooling their expertise to create open source security standards and resources. They’ve published many useful resources, but we’ll start with the Mobile App Security Verification Standard (MASVS). The MASVS framework offers practical and detailed guidance for secure mobile app design and helps developers determine what they need to verify in their app’s security posture.

    MASVS establishes three security levels that correspond to the level of protection that a mobile app may need. Upcoming improvements to the MASVS will introduce a more tailored approach, with profiles for different security contexts. Developers should use data from threat modeling exercises, threat monitoring (from apps already in use), and relevant regulations to determine which MASVS level or profile applies to their mobile app.

    The MASVS levels include:

      • MASVS-L1 — Standard Security: Provides basic security recommendations that are relevant to all mobile applications.
      • MASVS-L2 — Defense-in-Depth: Establishes more stringent controls for apps with higher risk, such as a mobile app that processes PII or interacts with backend processes that need to be protected.
      • MASVS-R — Resiliency Against Reverse Engineering and Tampering: Offers controls for mobile apps that are specifically at risk for reverse engineering and tampering. Unlike L1 and L2, this verification level can be evaluated based on your app-specific threat model.

    78% of webinar attendees said they’re concerned about reverse engineering and/or tampering, meaning they must consider the verification approach outlined in the MASVS-R level.

    OWASP MASTG

    Another of OWASP’s vital resources is the Mobile Application Security Testing Guide (MASTG), a comprehensive manual for mobile app security testing. It’s a companion resource that describes the technical processes for verifying the controls listed in the OWASP MASVS.

    Essentially, it translates MASVS into practical, concrete test cases. In other words, MASVS is the what, and MASTG is the how.

    The App Defense Alliance & MASA

    The App Defense Alliance, backed by Google, is an organization striving to improve the integrity of the Google Play App Store. Recently, they launched the Mobile Application Security Assessment (MASA), which is built upon the OWASP MASVS & MASTG frameworks.

    MASA provides a program for Android developers to partner with authorized third-party testing providers. Developers can submit their mobile app to these Google Authorized Lab partners for testing. When the security of their application has been validated, they’ll be able to display a badge in the Google Play Store.

    MASA is helpful, but it isn’t practical to submit your app after every build for an external scan. These manual assessments will be time consuming and expensive, making them impractical to use every few weeks.

    Leveraging automation to increase adoption

    Development teams are often understaffed and overcommitted. With so much on their plates, they don’t need to add another manual, clunky task on top of their current workload. This is where automated security testing comes in handy. An automated testing tool facilitates the smooth integration of security testing and ensures it’s a consistent, repeatable, and scalable process.

    Five important considerations before selecting an automated security testing tool:

    1. Developers should select an automated security testing tool that supports their strategy and specific testing needs. The first step is to become familiar with the standards mentioned above and to perform threat modeling to gain a deeper understanding of their security profile and testing requirements.
    2. They should choose tools that fit into their development process, integrating seamlessly into their CI pipeline, whether that be GitHub, Jenkins, Bitrise, or something else.
    3. Ensure that the automated security testing tool they choose has the capability to provide concrete, practical recommendations with any findings. These recommendations should be actionable and reliable, as false positives lower confidence in testing strategy.
    4. It’s also important to understand the strengths and limitations of tools on the market and how they complement their unique testing needs. For example, certain requirements necessitate manual testing (e.g., pentesting) or specialized tools to test third-party SDKs, like GitHub Dependabot.

    Next steps

    A significant amount of time, resources, and expertise has been invested into security standards like OWASP’s MASVS and MASTG and ADA’s MASA. They provide actionable guidance based on real-world use cases and common vulnerabilities, a vital tool for developers working to meet complex regulatory requirements.

    By leveraging both the free industry standards and a powerful mobile app security testing tool, developers will be better equipped to protect their app, their customers, and their brand from malicious actors.

    OWASP MAST requirements are baked into Guardsquare’s mobile app security testing solution, AppSweep. Schedule a demo to see how automated security testing can benefit your mobile application.

    Executive Summary (TL;DR)

    • Regulatory compliance is a primary driver behind the adoption of mobile app security, but the regulations are complex and often lack mobile-specific guidance.
    • Industry standards like OWASP’s MASVS, MASTG and ADA’s MASA provide the resources and actionable recommendations that developers need.
    • Automation is a key element of this process, enabling consistent, repeatable, and scalable security testing.
