9 Things Every Mobile App Developer Should Know About OWASP

It is widely accepted that mobile applications have quickly become a primary, if not the primary means of interaction between organizations with their customers. The increased adoption of mobile applications naturally has attracted increased attention by threat actors and has added two key challenges for developers: how to protect their apps on mobile platforms and how to develop the required security skillset.

These challenges are further exacerbated by the ongoing cybersecurity skills gap. There are an estimated 3.4 million unfilled cybersecurity jobs today, leaving many organizations without internal security expertise. As a result, developers are tasked with quickly getting up to speed on mobile app security. Luckily, they don’t have to do it alone.

OWASP, a key resource in the security community, provides education and practical guidance to help mobile app developers achieve a stronger and more consistent security posture. Let's walk through some common questions about OWASP and how you can use OWASP to level up your mobile app security.

The ultimate OWASP Q&A

#1 What is OWASP?

“The OWASP® Foundation works to improve the security of software through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences.” - OWASP Foundation

OWASP stands for Open Web Application Security Project, and it’s made up of experts from around the world. These security professionals pool their collective expertise, developing and maintaining free software security resources for both web and mobile applications. These resources include technical documentation, security frameworks, testing guides, and more. Developers can use these resources to develop more secure applications, protecting their IP, sensitive data, revenue, and brand. They are also a great resource for elevating the security understanding of development teams in general.

#2 What is the OWASP MAS Project?

The mobile platform has different characteristics and features than desktop and web applications in regards to permissions, protecting local data, client-server communications, and so on. Additionally, much of the mobile app’s code runs on the end-user’s device, and developers have little control over that environment. As a result, the security risks, vulnerabilities, and threats a developer must prepare for are unique on a mobile platform.

The OWASP Mobile App Security (MAS) Project, the mobile-specific branch of OWASP, establishes vendor-neutral processes, tools, test cases, and more to guide the implementation of mobile app security for iOS, Android, and hybrid applications.

These resources include (more on them below):

• Mobile Application Security Verification Standard (MASVS)
• Mobile Application Security Testing Guide (MASTG)
• Mobile Application Security Checklist (MAS Checklist)

#3 Why is OWASP important for mobile app developers?

As mentioned above, many companies lack internal security expertise. Without extensive knowledge of secure coding practices and common vulnerabilities, it can be difficult to know where to start. To make things more challenging, threat actors are continually developing new methods of attack or finding new vulnerabilities to exploit, turning security into a moving target.

Developers working in highly regulated markets, like healthcare or financial services, must also factor in requirements from relevant regulations, like HIPAA and PCI. These regulations are complex and often lack mobile-specific security requirements, making them more challenging to implement.

OWASP’s resources help developers understand the attacks their mobile apps might face and provide actionable recommendations for protecting against them.

#4 What is the OWASP Mobile Top 10 List?

In 2023, OWASP is updating their Mobile Top 10 List. This list is a high-level overview of the most common vulnerabilities, how they might be exploited, and how to mitigate these risks.

The Mobile Top 10 list includes:

• M1: Improper Credential Usage
• M2: Inadequate Supply Chain Security
• M3: Insecure Authentication/Authorization
• M4: Insufficient Input/Output Validation
• M5: Insecure Communication
• M6: Inadequate Privacy Controls
• M7: Insufficient Binary Protections
• M8: Security Misconfiguration
• M9: Insecure Data Storage
• M10: Insufficient Cryptography

This list is an educational resource and quick reference guide that can be used to raise internal awareness around common vulnerabilities and guide developers to key focus areas to better secure their mobile apps. However, the Top 10 list is only the tip of the security iceberg. It should be used in conjunction with other more comprehensive OWASP resources.

#5 What is OWASP MASVS?

“The OWASP Mobile Application Security Verification Standard (MASVS) is the industry standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results.” - OWASP Foundation

The Mobile App Security Verification Standard (MASVS) provides recommendations for security controls across seven areas of the mobile app attack surface. These categories of controls include:

• Storage
• Cryptography
• Authentication and authorization
• Network communication
• Interaction with the mobile platform
• Code quality
• Resilience against reverse engineering and tampering

MASVS is a useful resource at every stage of the development lifecycle, guiding developers to take a more proactive and comprehensive approach to securing their mobile app, rather than treating it as an afterthought.

#6 What has changed with MASVS 2.0?

OWASP has been refactoring its security standards since 2021, and in April 2023, the foundation released a refined MASVS 2.0.

The purpose of this refactoring is to:

• Simplify security recommendations by reducing overlap and redundancy.
• Add detail and specificity to controls that had previously been too broad to be actionable.
• Standardize terminology to align with industry standards like NIST.

These efforts to streamline standards have established MASVS as a more universal mobile app security standard that can be applied across operating systems, industries, and regions.

The Mobile App Testing Guide (more on this resource below), or MASTG, is currently undergoing a similar refactoring process, with the goal of more comprehensive and atomic tests that cover the MASVS requirements.

#7 What are MASVS verification levels?

The security needs between mobile applications can vary greatly based on industry, functionality, and the usage of sensitive data. To help developers determine what level of security measures they need to implement, the previous version of MASVS outlined three verification levels, including:

1. MASVS-L1: Outlines basic security best practices that apply to most, if not all mobile apps.
2. MASVS-L2: Recommends more advanced controls for apps that handle sensitive data or are in highly-regulated industries.
3. MASVS-R: Establishes security controls that protect against client-side attacks, like tampering and reverse-engineering.

OWASP has announced plans to replace these levels with “security testing profiles” and move them to the MASTG resource. You can read more about the profiles here. One of the most significant changes is the addition of a fourth level, MAS-H, to meet the security requirements of mobile government, military and corporate apps. Overall, these profiles will provide greater flexibility, allowing organization’s to tailor their security profile based on their unique threat model.

#8 What is OWASP MASTG?

“The OWASP Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes technical processes for verifying the controls listed in the OWASP MASVS.” - OWASP Foundation

The Mobile App Security Testing Guide provides recommendations on how to verify the requirements spelled out in the MASVS.

If MASVS tells developers what they need to verify, MASTG is the companion resource that tells them how to do so. It outlines precisely what tests need to be conducted, enabling developers to identify weaknesses earlier in the development process for faster and more cost-effective remediation.

The importance of mobile application security testing cannot be overstated. It’s as important to the development lifecycle as functional or performance tests.

#9 What is the OWASP MAS Checklist?

The Mobile App Security (MAS) Checklist is a newer OWASP tool, released in late 2022. The checklist links MASTG test cases to each MASVS control. It can be used during an internal security assessment or external pentest, ensuring all relevant controls have been tested and verified.

Putting OWASP resources to work

There’s a lot at stake when it comes to mobile app security. Mobile applications are more exposed and provide a greater opportunity for threat actors. To prepare for real-world threats, developers must adopt a security first mindset throughout the DevSecOps lifecycle.

The OWASP resources are invaluable because they tap into the expertise of security researchers from around the world, provide mobile focused recommendations and actionable guidance, and can be leveraged to raise the security understanding of development teams.

Tools that provide automated security testing and sophisticated protection mechanisms are vital to the implementation of OWASP security standards. These tools support mobile app security that is scalable and comprehensive. Developers should seek security solutions built upon the OWASP guidelines.

Guardsquare’s full suite of mobile app security solutions enable developers to protect, test, and monitor their mobile applications without slowing down their release schedule.

Executive Summary (TL;DR)

• OWASP provides comprehensive mobile app security resources to educate and guide developers.
• These are critical to implementing secure mobile app development practices and maintaining a strong security posture.
• Here we answer the most common questions about OWASP and its various resources.