{"id":15503,"date":"2022-12-14T20:35:49","date_gmt":"2022-12-14T20:35:49","guid":{"rendered":"http:\/\/abstracta.us\/blog\/?p=15503"},"modified":"2025-05-05T21:19:40","modified_gmt":"2025-05-05T21:19:40","slug":"how-to-take-the-security-of-your-mobile-apps-to-the-next-level-of-owasp","status":"publish","type":"post","link":"https:\/\/abstracta.us\/blog\/mobile-testing\/how-to-take-the-security-of-your-mobile-apps-to-the-next-level-of-owasp\/","title":{"rendered":"Mobile Application Testing Strategy: How to Take The Security of Your Mobile Apps to the Next Level of OWASP"},"content":{"rendered":"\n<p>What is OWASP and why is it becoming increasingly relevant in the IT industry? What methods exist to complete validations according to its security standards? Take a look at this article from Mat\u00edas Reina and keep its input in mind for your mobile application testing strategy. And don&#8217;t forget! You can <a href=\"https:\/\/www.apptim.com\/owasp-mobile-security\">connect with Apptim<\/a> to immerse yourself efficiently in the OWASP universe and mobile security.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/abstracta.us\/wp-content\/uploads\/2023\/05\/image-24-1024x691.png\" alt=\"\" class=\"wp-image-15765\"\/><\/figure>\n\n\n\n<p>Recently, we published an article in which we contextualized and briefly explained why <strong>it is so important to focus on mobile security as part of your mobile application testing strategy when developing quality applications.\u00a0<\/strong><\/p>\n\n\n\n<p>It is essential to remember that all, or the vast majority, of apps rely on a backend of services that must be tested against the Open Web Application Security Project (OWASP) web standards as well. An evaluation of the mobile side is incomplete without the backend: a hardened client talking to a vulnerable API is still a vulnerable system.<\/p>\n\n\n\n<p><strong>Why is OWASP so crucial on this path? It is a benchmark organization and community in web and now also mobile security. 
It proposes an open source and collaborative methodology for security audits to ensure regular review of a project to minimize errors and risks.<\/strong><\/p>\n\n\n\n<p><strong>How Does OWASP Work Concerning Mobile, and Why Is It so Important for Your Mobile Application Testing Strategy?<\/strong><\/p>\n\n\n\n<p>In mobile, we have <a href=\"https:\/\/mas.owasp.org\/#our-mission\">OWASP MAS (Mobile Application Security)<\/a>, which centralizes the area&#8217;s initiatives. Within OWASP MAS, we have:<\/p>\n\n\n\n<p><strong>\u2705 MASVS &#8211; Mobile Application Security Verification Standard<\/strong><\/p>\n\n\n\n<p>Currently at version 1.4.2, MASVS establishes the security requirements for an app, which are useful in different scenarios:<\/p>\n\n\n\n<ol><li>As a metric &#8211; To provide a security standard against which existing mobile apps can be compared by developers and application owners.<\/li><li>As guidance &#8211; To provide guidance during all phases of mobile app development and testing.<\/li><li>During procurement &#8211; To provide a baseline for mobile app security verification.<\/li><\/ol>\n\n\n\n<p>MASVS has a set of requirements for each of the following aspects of the app:<\/p>\n\n\n\n<ul><li>V1: Architecture, Design, and Threat Modeling Requirements.<\/li><li>V2: Data Storage and Privacy Requirements.<\/li><li>V3: Cryptography Requirements.<\/li><li>V4: Authentication and Session Management Requirements.<\/li><li>V5: Network Communication Requirements.<\/li><li>V6: Platform Interaction Requirements.<\/li><li>V7: Code Quality and Build Setting Requirements.<\/li><li>V8: Resilience Requirements (against reverse engineering and tampering).<\/li><\/ul>\n\n\n\n<p><strong>\u2705 MASTG &#8211; Testing Guidelines: Mobile Application Security Testing Guide\u00a0<\/strong><\/p>\n\n\n\n<p>The MASTG is currently at version 1.5. It is a comprehensive manual for mobile app security testing and reverse engineering. 
It describes technical processes for verifying the controls listed in the MASVS. There are two complementary approaches to testing each requirement:<\/p>\n\n\n\n<ol><li>SAST &#8211; Static Application Security Testing: analyzing the source code, binaries, and other artifacts that make up the app without running it.<\/li><li>DAST &#8211; Dynamic Application Security Testing: running the application (on a device or emulator, usually instrumented) and analyzing its behavior.<\/li><\/ol>\n\n\n\n<p><strong>\u2705 OWASP MAS Checklist<\/strong><\/p>\n\n\n\n<p>It is a <a href=\"https:\/\/github.com\/OWASP\/owasp-mastg\/releases\/latest\/download\/Mobile_App_Security_Checklist_en.xlsx\">spreadsheet<\/a> that maps each MASVS requirement to the corresponding MASTG tests on each platform (Android and iOS), so it doubles as the tracking sheet for an assessment.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Mobile_AppSec_Model_For_Your_Mobile_Application_Testing_Strategy\"><\/span><strong>Mobile AppSec Model For Your Mobile Application Testing Strategy<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>What security levels exist for the aspects mentioned above? There are two: L1 and L2. L1 is the baseline that any mobile app should meet. L2 adds defense-in-depth requirements for applications where security matters more because they handle sensitive data.\u00a0<\/strong><\/p>\n\n\n\n<p>In addition, both can be combined with another set of requirements, MASVS-R (reverse engineering resilience), which aims to protect the intellectual property of the application and make it harder for attackers to analyze and tamper with it. 
The R requirements should never be understood as a replacement for security controls: obfuscation and anti-tampering raise the cost of analysis, but they do not fix a weak control in L1 or L2.<\/p>\n\n\n\n<p>Reverse engineering resilience requirements can be combined with the two security levels, so there are four options to choose from for an application:<\/p>\n\n\n\n<ul><li>L1<\/li><li>L1+R<\/li><li>L2<\/li><li>L2+R<\/li><\/ul>\n\n\n\n<p>When analyzing which level of security the business needs, we can choose one of those four levels or define our own subset that combines requirements from L1, L2, and R.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"MASA\"><\/span><strong>MASA<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/abstracta.us\/wp-content\/uploads\/2023\/05\/image-23-1024x467.png\" alt=\"Mobile Application Security Assessment (MASA)\" class=\"wp-image-15764\"\/><\/figure>\n\n\n\n<p><strong>Based on these standards, the &#8220;Mobile Application Security Assessment&#8221; (MASA) was created with the support of Google. It collects a subset of the MASVS-L1 requirements, which effectively adds a fifth, lower level to the four described above, and it can be a good initial target when starting to evaluate the security of an application.\u00a0<\/strong><\/p>\n\n\n\n<p>MASA allows you to add a highlight in the Play Store (in the Data safety section) indicating that the application has undergone an independent security review. As we mentioned at the beginning of the article, this gives users more confidence in the security of apps that carry such a highlight.<\/p>\n\n\n\n<p>Ultimately, as specified by the <a href=\"https:\/\/appdefensealliance.dev\/masa\/faq\">App Defense Alliance<\/a>, <strong>performing regular security testing as part of your mobile application testing strategy can help you identify key vulnerabilities and mitigate future liability. OWASP MASVS can be applied to any mobile app. 
<\/strong>It applies across app categories, such as IoT, fitness\/health, social, communications, VPN, productivity, and many more.<\/p>\n\n\n\n<p>&#8220;The scope of the assessment consists of client security, authentication to the backend or cloud service, and connectivity to the backend or cloud service in which overall security and some privacy best practices are analyzed,&#8221; the official site points out. &#8220;The assessment will review a subset of level 1 MASVS requirements that can be tested and are available on GitHub <a href=\"https:\/\/github.com\/appdefensealliance\/ASA\/blob\/main\/MobileAppSecurityAssessment\/MobileSecurityGuide.md\">here<\/a>.&#8221;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Security_Testing_Automation\"><\/span><strong>Security Testing Automation<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h4 class=\"wp-block-heading\">What are the validations being performed, and are they automated?\u00a0<\/h4>\n\n\n\n<p>While OWASP is working to make the MASVS requirements clear and automatable, not all of them can be automated today. That does not mean static code analysis and other tools go unused: they speed up the mechanical part of the analysis, such as checking build settings, exported components, cleartext traffic, or known-weak cryptography. But each application is different and requires custom analysis to see how the requirements and guidelines fit it: what counts as sensitive data, how sessions are managed, or what the threat model is cannot be decided by a scanner.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Can a functional tester do security testing?<\/strong><\/h4>\n\n\n\n<p>Many MASVS requirements depend on business knowledge, such as which data is sensitive and which flows matter, and a functional tester can bring that knowledge to assist with or check some of them. 
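<\/p>\n\n\n\n<p>As an added example (not code from the original article or from OWASP), the following Python script shows what a small SAST check of the kind the automation section above refers to looks like: it parses an Android manifest and a network security configuration and flags build and network settings that fall under the V7 (code quality and build settings), V2 (data storage) and V5 (network communication) categories listed earlier. The two manifests and two network security configurations are constructed samples, and the mapping of each finding to a MASVS category is the example author&#8217;s own, not taken from the standard.<\/p>\n\n\n\n

```python
# Added example: a small SAST-style check over Android build artifacts.
# Not code from the article or from OWASP; the manifests and network security
# configs below are constructed samples, and the MASVS category assigned to
# each finding (V2, V5, V7, as listed in the article) is my own mapping.
import xml.etree.ElementTree as ET

# Attributes in AndroidManifest.xml live in the android: XML namespace.
ANDROID_NS = '{http://schemas.android.com/apk/res/android}'

# Constructed sample: debug-style settings that a release build should not ship.
WEAK_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android'
          package='com.example.demo'>
  <application android:debuggable='true'
               android:allowBackup='true'
               android:usesCleartextTraffic='true'>
    <activity android:name='.MainActivity' android:exported='true'/>
  </application>
</manifest>'''

# Constructed sample: the same app with release-appropriate settings.
HARDENED_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android'
          package='com.example.demo'>
  <application android:debuggable='false'
               android:allowBackup='false'
               android:networkSecurityConfig='@xml/network_security_config'>
    <activity android:name='.MainActivity' android:exported='true'/>
  </application>
</manifest>'''

# Constructed sample network_security_config.xml: permits HTTP and trusts
# user-installed CAs, so an interception proxy with a user certificate can
# read the traffic.
WEAK_NSC = '''<network-security-config>
  <base-config cleartextTrafficPermitted='true'>
    <trust-anchors>
      <certificates src='system'/>
      <certificates src='user'/>
    </trust-anchors>
  </base-config>
</network-security-config>'''

# Constructed sample: TLS only, system CAs only; user CAs are allowed solely
# in debug-overrides, which the platform applies to debuggable builds only.
HARDENED_NSC = '''<network-security-config>
  <base-config cleartextTrafficPermitted='false'>
    <trust-anchors>
      <certificates src='system'/>
    </trust-anchors>
  </base-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src='user'/>
    </trust-anchors>
  </debug-overrides>
</network-security-config>'''


def _flag(element, name, default):
    # Read a boolean android: attribute, falling back to the platform default.
    return element.get(ANDROID_NS + name, default).strip().lower() == 'true'


def check_manifest(manifest_xml):
    '''Return a list of (masvs_category, finding) tuples for a manifest string.'''
    root = ET.fromstring(manifest_xml)
    app = root.find('application')
    if app is None:
        return [('V7', 'manifest has no <application> element')]
    findings = []
    # V7: a release build must not be debuggable (platform default: false).
    if _flag(app, 'debuggable', 'false'):
        findings.append(('V7', 'android:debuggable is true'))
    # V2: allowBackup defaults to true, so an absent attribute is also a finding.
    if _flag(app, 'allowBackup', 'true'):
        findings.append(('V2', 'android:allowBackup is true or unset; app data ends up in OS backups'))
    # V5: only an explicit true is flagged, because the platform default depends
    # on targetSdkVersion, which normally lives in the Gradle build file.
    if _flag(app, 'usesCleartextTraffic', 'false'):
        findings.append(('V5', 'android:usesCleartextTraffic is true'))
    return findings


def check_network_security_config(nsc_xml):
    '''Return (masvs_category, finding) tuples for a network security config.'''
    root = ET.fromstring(nsc_xml)
    findings = []
    for cfg in root.iter():
        if cfg.tag not in ('base-config', 'domain-config'):
            continue  # debug-overrides only affect debuggable builds
        if cfg.get('cleartextTrafficPermitted', 'false').strip().lower() == 'true':
            findings.append(('V5', cfg.tag + ' permits cleartext traffic'))
        for cert in cfg.iter('certificates'):
            if cert.get('src') == 'user':
                findings.append(('V5', cfg.tag + ' trusts user-installed CAs'))
    return findings


if __name__ == '__main__':
    for label, manifest, nsc in (('weak', WEAK_MANIFEST, WEAK_NSC),
                                 ('hardened', HARDENED_MANIFEST, HARDENED_NSC)):
        print(label + ':')
        found = check_manifest(manifest) + check_network_security_config(nsc)
        for category, finding in found or [('-', 'no findings')]:
            print('  [' + category + '] ' + finding)
```

<p>Two design choices matter here. An absent allowBackup is flagged because the platform default is true, while usesCleartextTraffic is only flagged when explicitly set, because its default depends on the targetSdkVersion that usually sits in the Gradle build rather than the manifest; and user-installed CAs under debug-overrides are ignored because the platform applies that block to debuggable builds only. A finding from a script like this is evidence to hand to the reviewer, not a verdict: the MASTG test for the requirement still decides whether the control is met.<\/p>\n\n\n\n<p>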
Others require technical help to collect evidence, such as application logs or the SQL queries the app runs against its local database.<\/p>\n\n\n\n<p><strong>Do you know the new version of <\/strong><a href=\"https:\/\/github.com\/OWASP\/owasp-masvs\/discussions\/553\"><strong>MASVS<\/strong><\/a><strong>? <\/strong>Carlos Holguera and Sven Schleier are leading a refactor to reach version 2.0, and there will also be a refactoring of the MSTG (the previous name of the MASTG) to ensure that each MASVS control has a clearly defined test case.<\/p>\n\n\n\n<p>We share some images to let you know more about what&#8217;s coming:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/abstracta.us\/wp-content\/uploads\/2023\/05\/image-22-1024x497.png\" alt=\"Refactoring: Things to keep in mind while refactoring\n\nKeep Abstraction- Leave details for the MSTG.\n\nSimplify- Fewer requirements, better categorized.\n\nNarrow Scope- Rely more on other standards (e.g. OWASP ASVS, OWASP SAMM.)\n\nEnsure Actionability- Test cases in the MSTG more automation friendly.\n\nClarity- Leave no room for ambiguity in language and formulation.\n\nAttackers View- Clear overview of the mobile attack surface.\" class=\"wp-image-15763\"\/><\/figure>\n\n\n\n<p><strong>Are you using MASVS as a standard to develop secure applications or are you planning to do so? We invite you to do it through a quality partner like Apptim, a spin-off company of Abstracta. It is a company that offers solutions for creating robust mobile applications, used by more than 250 companies worldwide.\u00a0<\/strong><\/p>\n\n\n\n<p><strong>Apptim helps you to get involved in the OWASP universe quickly and efficiently. 
<\/strong><a href=\"https:\/\/www.apptim.com\/owasp-mobile-security\"><strong>Schedule a free call in one click!<\/strong><\/a><\/p>\n\n\n\n<p><strong>In need of a testing partner <\/strong><strong>for applying all this in your mobile application testing strategy?<\/strong> Abstracta is one of the most trusted companies in software quality engineering. Learn more about our <a href=\"https:\/\/abstracta.us\/\"><strong>solutions<\/strong><\/a>, and <a href=\"https:\/\/abstracta.us\/contact-us\"><strong>contact us<\/strong><\/a> to discuss how we can help you grow your business.<\/p>\n\n\n\n<p><strong>Follow us on <\/strong><a href=\"https:\/\/www.linkedin.com\/company\/abstracta\/\"><strong>Linkedin<\/strong><\/a><strong> &amp; <\/strong><a href=\"https:\/\/twitter.com\/AbstractaUS\"><strong>Twitter<\/strong><\/a><strong> to be part of our community!<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>What is OWASP and why is it becoming increasingly relevant in the IT industry? What methods exist to complete validations according to its security standards? Take a look at this article from Mat\u00edas Reina and take its input in mind for your mobile application testing&#8230;<\/p>\n","protected":false},"author":8,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[79],"tags":[573],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v14.0.2 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Mobile Application Testing Strategy: Take Your Security to the Next Level<\/title>\n<meta name=\"description\" content=\"What is OWASP and why is it becoming increasingly relevant in the IT industry? 
What methods exist to complete validations according to its security standards?\" \/>\n<meta name=\"robots\" content=\"index, follow\" \/>\n<meta name=\"googlebot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta name=\"bingbot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/abstracta.us\/blog\/mobile-testing\/how-to-take-the-security-of-your-mobile-apps-to-the-next-level-of-owasp\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Mobile Application Testing Strategy: Take Your Security to the Next Level\" \/>\n<meta property=\"og:description\" content=\"What is OWASP and why is it becoming increasingly relevant in the IT industry? What methods exist to complete validations according to its security standards?\" \/>\n<meta property=\"og:url\" content=\"https:\/\/abstracta.us\/blog\/mobile-testing\/how-to-take-the-security-of-your-mobile-apps-to-the-next-level-of-owasp\/\" \/>\n<meta property=\"og:site_name\" content=\"Blog about AI-powered quality engineering for teams building complex software | Abstracta\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/AbstractaQA\/\" \/>\n<meta property=\"article:published_time\" content=\"2022-12-14T20:35:49+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-05T21:19:40+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/abstracta.us\/wp-content\/uploads\/2022\/12\/How-to-Take-The-Security-of-your-Mobile-Apps-to-the-Next-Level-of-OWASP-01.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1250\" \/>\n\t<meta property=\"og:image:height\" content=\"704\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@AbstractaUS\" \/>\n<meta name=\"twitter:site\" 
content=\"@AbstractaUS\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/abstracta.us\/blog\/#website\",\"url\":\"https:\/\/abstracta.us\/blog\/\",\"name\":\"Blog about AI-powered quality engineering for teams building complex software | Abstracta\",\"description\":\"AI-powered quality engineering\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/abstracta.us\/blog\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/abstracta.us\/blog\/mobile-testing\/how-to-take-the-security-of-your-mobile-apps-to-the-next-level-of-owasp\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/abstracta.us\/wp-content\/uploads\/2023\/05\/image-24-1024x691.png\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/abstracta.us\/blog\/mobile-testing\/how-to-take-the-security-of-your-mobile-apps-to-the-next-level-of-owasp\/#webpage\",\"url\":\"https:\/\/abstracta.us\/blog\/mobile-testing\/how-to-take-the-security-of-your-mobile-apps-to-the-next-level-of-owasp\/\",\"name\":\"Mobile Application Testing Strategy: Take Your Security to the Next Level\",\"isPartOf\":{\"@id\":\"https:\/\/abstracta.us\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/abstracta.us\/blog\/mobile-testing\/how-to-take-the-security-of-your-mobile-apps-to-the-next-level-of-owasp\/#primaryimage\"},\"datePublished\":\"2022-12-14T20:35:49+00:00\",\"dateModified\":\"2025-05-05T21:19:40+00:00\",\"author\":{\"@id\":\"https:\/\/abstracta.us\/blog\/#\/schema\/person\/e275014614651e6a8aca3909808be424\"},\"description\":\"What is OWASP and why is it becoming increasingly relevant in the IT industry? 
What methods exist to complete validations according to its security standards?\",\"breadcrumb\":{\"@id\":\"https:\/\/abstracta.us\/blog\/mobile-testing\/how-to-take-the-security-of-your-mobile-apps-to-the-next-level-of-owasp\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/abstracta.us\/blog\/mobile-testing\/how-to-take-the-security-of-your-mobile-apps-to-the-next-level-of-owasp\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/abstracta.us\/blog\/mobile-testing\/how-to-take-the-security-of-your-mobile-apps-to-the-next-level-of-owasp\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"item\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/abstracta.us\/blog\/\",\"url\":\"https:\/\/abstracta.us\/blog\/\",\"name\":\"Home\"}},{\"@type\":\"ListItem\",\"position\":2,\"item\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/abstracta.us\/blog\/mobile-testing\/\",\"url\":\"https:\/\/abstracta.us\/blog\/mobile-testing\/\",\"name\":\"Mobile Testing\"}},{\"@type\":\"ListItem\",\"position\":3,\"item\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/abstracta.us\/blog\/mobile-testing\/how-to-take-the-security-of-your-mobile-apps-to-the-next-level-of-owasp\/\",\"url\":\"https:\/\/abstracta.us\/blog\/mobile-testing\/how-to-take-the-security-of-your-mobile-apps-to-the-next-level-of-owasp\/\",\"name\":\"Mobile Application Testing Strategy: How to Take The Security of Your Mobile Apps to the Next Level of OWASP\"}}]},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/abstracta.us\/blog\/#\/schema\/person\/e275014614651e6a8aca3909808be424\",\"name\":\"Mat\\u00edas Reina, Co-CEO at Abstracta\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/abstracta.us\/blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/e631f3dfc7128f794190c1163b341d0a?s=96&d=blank&r=g\",\"caption\":\"Mat\\u00edas Reina, Co-CEO at Abstracta\"},\"description\":\"CEO, 
Abstracta\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/posts\/15503"}],"collection":[{"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/comments?post=15503"}],"version-history":[{"count":4,"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/posts\/15503\/revisions"}],"predecessor-version":[{"id":15766,"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/posts\/15503\/revisions\/15766"}],"wp:attachment":[{"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/media?parent=15503"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/categories?post=15503"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/tags?post=15503"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}