Mobile security standards from the Open Web Application Security Project (OWASP) help align mobile application security analysts' and mobile app developers' expectations about what must be remediated prior to release. Standards drive consistency, repeatability and speed.
NowSecure has long embraced the value of mobile security standards built by industry experts and validated by the open-source community. The company supports the work of OWASP in many ways and recently announced full support for OWASP Mobile Application Security Verification Standard (MASVS) V2. Organizations can tap a combination of automated mobile application security testing, Mobile Pen Testing as a Service (PTaaS) and in-depth mobile app security training to meet OWASP MASVS requirements.
Perhaps no one knows OWASP MASVS better than one of our own, NowSecure Mobile Security Research Engineer Carlos Holguera. The co-leader of the OWASP Mobile Application Security (MAS) Project joined NowSecure in 2021 and works full time to advance the organization's critical work. Holguera recently spoke with us about the exciting developments the OWASP community can expect to see in 2023.
Q: What is the OWASP Mobile Application Security Project?
A: The OWASP MAS project sets the industry standard for mobile app security around the globe. It establishes a common language and a foundation for mobile application security requirements. It aligns security and development teams to speed secure mobile app development. It specifies how to thoroughly test mobile apps against the security standard based on risk level. And it serves as an excellent learning resource for beginners and professionals on everything about mobile security.
Q: Who are the key contributors?
A: The OWASP MAS resources are crafted and curated by a team of numerous experts and community contributors working voluntarily. The core team includes me and Sven Schleier, who lead the project, plus a co-author, Jeroen Beckers.
Community contributors open issues, work on PRs and communicate with us via Slack or other channels. Industry contributors such as Android and the App Defense Alliance (ADA) provide continuous, high-value feedback on all OWASP MAS initiatives such as the MASVS refactoring. And MAS advocates — NowSecure is the only one so far — are industry adopters of the OWASP MASVS and MASTG who have invested a significant amount of resources to push the project forward by providing consistent high-impact contributions and continuously spreading the word.
Q: How did you become an OWASP mobile project leader?
A: OWASP was organizing a Security Summit in 2017 and one of the tracks was focused on mobile security, so I decided to attend. I was so amazed by the team, the topics we discussed and the things we accomplished that I started contributing to the project. In 2018 I led my first session, "Diving into Mobile Crypto using BDI with Frida", and became a co-author, and in 2019 I led a major restructuring of several areas of the MASTG so that the Android and iOS chapters mirror each other as much as possible, making it easier for readers to find the content they are looking for.
After work, continuous dedication, and more work, such as proposing and leading major structural changes, I decided to apply for project leadership. I was sure that I wanted to continue to push the project and invest a lot of time to make everything better. I was very happy when I received the approval from OWASP, and I'm sure it was one of the best decisions I've made in my career.
Q: What are the renamed OWASP project components?
A: Our project was previously called the OWASP Mobile Security Testing Guide (MSTG) project. Unfortunately, this was a source of confusion because we happened to have a resource with the same name, the OWASP MSTG. Not only that, but the name didn't reflect the full scope and reach of our project. Since we already had the MASVS, have you ever wondered why the MSTG was called MSTG and not MASTG? Both documents are about mobile application security, and we wanted to make that clear.
In August 2022 we renamed the project to OWASP Mobile App Security (MAS). We also created a new logo and branding along with new covers and names for our main resources. All of this was done to reflect the consistency, structure, and transparency we're bringing with our MASVS and MASTG refactoring efforts to bring them up to version 2.0.

The core resources are:
- OWASP Mobile Application Security Verification Standard (MASVS) is the industry standard for mobile application security. It can be used by mobile software architects and developers who want to build secure mobile applications, as well as by security testers to ensure completeness and consistency of test results.
- OWASP Mobile App Security Testing Guide (MASTG) is a comprehensive guide to mobile application security testing and reverse engineering. It describes technical procedures for verifying the controls listed in the OWASP MASVS.
- OWASP MAS Checklist, which combines the MASVS and MASTG to support security assessments/pen tests and compliance.
- OWASP MAS Crackmes, a collection of mobile reverse engineering challenges. These challenges are used as examples throughout the OWASP MASTG. Of course, you can also solve them just for fun.
Q: Why did OWASP embark on refactoring the MASVS?
A: Based on our experiences, the following issues often popped up:
- MASVS-ARCH (Architecture, Design and Threat Modeling) contains several controls that cannot be validated from an external perspective. As a result, it's difficult to explain why we can't cover the full MASVS in an external assessment.
- There's a clear overlap with the ASVS, which is much more thorough for various backend vulnerabilities.
- Some controls are very broad and require very broad test cases with several elements.
- Some controls overlap (e.g. 'up-to-date security libraries' and 'all third-party components are up-to-date').

Q: How did you approach the process and what did the work entail?
A: We've done a lot of brainstorming, independent thinking, collaboration, and community outreach to get feedback. We set a few goals:
- Keep abstraction: The MASVS remains OS-agnostic and high-level. We leave the details to the MASTG.
- Simplify: Have fewer controls by removing overlaps and redundancies.
- Bring clarity: Use standard terminology whenever possible to leave no room for ambiguity in language and formulation. This includes terminology from standards such as NIST SP 800-175B and NIST OSCAL as well as well-known and widely used sources such as CWEs and the Android and Apple Developer Docs.
- Narrow scope: Rely more on other standards including OWASP ASVS, OWASP SAMM and NIST SP 800-218 SSDF v1.1.
We started releasing one GitHub Discussion per MASVS category along with a spreadsheet giving a detailed view of the changes. You can see why each control was removed/moved/reworded, read about the focus of the new controls, see the list of proposed new MASTG tests, and see how each control relates to other standards and resources.
Here's what we did so far in the second iteration:
- Processed all feedback from each of the beta proposal comments from the community.
- Tried to find overlaps and redundancies (again), e.g. MASVS-NETWORK-1 (beta) vs. MASVS-NETWORK-2 (beta).
- Tried to start all controls with 'The app…'.
- Tried to formulate all controls with a 'positive' formulation.
- Tried negating each control to see if it still covered the same thing.
- Went through all test cases and double-checked coverage.
- Asked what we're protecting, and how, in each control.
In addition to being extremely insightful, this exercise has allowed us to give you an even cleaner version of the MASVS, which is designed to remain a timeless baseline for mobile application security, leaving the heavy lifting to the MASTG, which will become more dynamic and allow for more specific and flexible testing.
We created new spreadsheets where you can check all the changes and see the mappings from v2 to v1.4.2 and vice versa.
Q: What are the biggest changes in MASVS v2.0?
A: There are many:
- We removed the MASVS-ARCH category because it's covered by NIST SP 800-218 SSDF v1.1 and OWASP SAMM.
- We decoupled MASVS-AUTH from OWASP ASVS. Users must use the OWASP ASVS on the server side. MASVS is for the client side, i.e. the mobile application.
- We've fixed the scope of many MASVS categories, especially MASVS-STORAGE and MASVS-PLATFORM, which had some overlap.
- We also aligned MASVS-CODE with NIST SP 800-218 SSDF v1.1 and removed controls that can be addressed through a secure SDLC.
- We've simplified the language and wording of the controls throughout, especially in the Cryptography, Network and Resilience categories. This greatly reduces unnecessary verbosity.
- We've removed the verification levels from the MASVS and will rework them and then apply them to the MASTG test cases.
Q: How do these changes improve mobile application security for users?
A: One of the things we're most proud of is the friendliness of our standard. Its simplicity makes it very accessible, so we tried to make it even friendlier to reach an even wider audience. The new MASVS controls are fewer in number relative to v1 and use simpler language and familiar concepts. Any reader, even a beginner or someone coming from another field (e.g. web application security), will understand what 'encrypted communication' or 'stored encrypted' means. This way, we ensure that the high-level view of the mobile attack surface is well understood.
With the new MASVS and the upcoming MASTG refactor, we're bringing a new dimension to MAS testing; now you can test for compliance with our standard, but also customize it to your needs using profiles.
We're also proud of the synergy between MASVS and MSTG. It's unique in the industry and we're going to make it even stronger. Until now, we have provided you the checklist as a link between the two. Soon you'll get more: you'll be able to interact with the standard in ways you never thought possible before.
The core deliverable will be a machine-readable file, similar to the one we currently use to generate the checklists, but enhanced so that you can use it to feed your own tooling, reporting and documentation tools. This allows you to verify MASVS compliance at newer and deeper levels.
All of these mechanisms, processes, and automation make us more agile and allow us to focus on what's important: continuing to research and deliver the industry standard for mobile applications.

Q: What's next for the MAS project?
A: We will publish the final version of the MASVS v2.0 after collecting and reviewing all comments from the Release Candidate. Hopefully this will happen in time for our upcoming presentation at OWASP AppSec Dublin.
Next, we'll publish our first proposal for MAS Profiles definitions. The MAS profiles will replace the current MASVS levels, but don't worry, our beloved L1, L2, and R aren't going away completely. They'll be back in a new, better form. They will apply to specific MASTG tests instead of MASVS controls. This will provide a fine-grained view of how an application maps to the overall MAS.
We'll kick off the MASTG refactor to v2.0. We're in the process of defining the sections for the atomic tests. This is important so that everyone knows what to do when writing new tests. For each test, we'll be answering essential questions:
- Why is the issue at hand bad and why are we testing for it?
- How do we test for the issue?
- How do we fix the issue?
We will publish the first proposal for MASTG atomic tests. We've published a preliminary list of tests (including only titles). Some of them are in the MASTG already and some are completely new. This first proposal will include the list of consolidated titles and a first proposal for profiles (e.g. L1, L2) for each MASTG atomic test.
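Two points in the interview lend themselves to a worked example: the machine-readable catalog that can feed your own tooling and reporting, and the profiles (L1, L2, R) that will be attached to MASTG tests rather than MASVS controls. The script below is an added example, not code or data from the OWASP MAS project: the JSON schema, control statements, test IDs and profile tags are constructed for illustration and are assumptions, not the project's actual file format or content. It parses such a catalog, lints it against the editorial rules mentioned earlier (every control starts with "The app", unique IDs, every control backed by at least one test), and generates a per-profile checklist with category coverage.

```python
"""Consume a (hypothetical) machine-readable MASVS/MASTG catalog, lint it
and generate a checklist per profile.

Constructed example: the schema, control texts, test IDs and profile tags
are assumptions for illustration, not the OWASP MAS project's real data.
"""
import json
from collections import defaultdict

# Constructed sample catalog in a hypothetical schema (not the real file).
SAMPLE_CATALOG = """
{
  "controls": [
    {"id": "MASVS-STORAGE-1", "category": "MASVS-STORAGE",
     "statement": "The app securely stores sensitive data. (sample)"},
    {"id": "MASVS-STORAGE-2", "category": "MASVS-STORAGE",
     "statement": "The app prevents leakage of sensitive data. (sample)"},
    {"id": "MASVS-NETWORK-1", "category": "MASVS-NETWORK",
     "statement": "The app secures all network traffic. (sample)"},
    {"id": "MASVS-RESILIENCE-1", "category": "MASVS-RESILIENCE",
     "statement": "Sensitive code is protected. (sample, fails the lint)"}
  ],
  "tests": [
    {"id": "MASTG-TEST-0001", "control": "MASVS-STORAGE-1",
     "title": "Sensitive data in local storage", "profiles": ["L1", "L2"]},
    {"id": "MASTG-TEST-0002", "control": "MASVS-STORAGE-2",
     "title": "Sensitive data in logs", "profiles": ["L2"]},
    {"id": "MASTG-TEST-0003", "control": "MASVS-NETWORK-1",
     "title": "TLS configuration", "profiles": ["L1", "L2"]},
    {"id": "MASTG-TEST-0004", "control": "MASVS-RESILIENCE-1",
     "title": "Anti-tampering checks", "profiles": ["R"]}
  ]
}
"""

REQUIRED_PREFIX = "The app"  # editorial rule: every control starts this way


def load_catalog(text):
    """Parse the catalog JSON and index controls and tests by ID."""
    data = json.loads(text)
    return {
        "controls": {c["id"]: c for c in data["controls"]},
        "tests": {t["id"]: t for t in data["tests"]},
        "raw": data,
    }


def lint_catalog(catalog):
    """Return (item_id, problem) tuples for consistency issues: duplicate IDs,
    statements not starting with 'The app', tests pointing at unknown
    controls, and controls that no test verifies."""
    findings = []
    seen = set()
    for item in catalog["raw"]["controls"] + catalog["raw"]["tests"]:
        if item["id"] in seen:
            findings.append((item["id"], "duplicate-id"))
        seen.add(item["id"])
    for cid, ctrl in catalog["controls"].items():
        if not ctrl["statement"].startswith(REQUIRED_PREFIX):
            findings.append((cid, "bad-prefix"))
    covered = set()
    for tid, test in catalog["tests"].items():
        if test["control"] not in catalog["controls"]:
            findings.append((tid, "unknown-control"))
        covered.add(test["control"])
    for cid in catalog["controls"]:
        if cid not in covered:
            findings.append((cid, "no-test"))
    return findings


def build_checklist(catalog, profile):
    """Checklist rows (control, statement, test, title) for one profile,
    selecting the tests tagged with that profile, ordered by test ID."""
    rows = []
    for tid in sorted(catalog["tests"]):
        test = catalog["tests"][tid]
        if profile not in test["profiles"]:
            continue
        ctrl = catalog["controls"].get(test["control"])
        rows.append({
            "control": test["control"],
            "statement": ctrl["statement"] if ctrl else "(unknown control)",
            "test": tid,
            "title": test["title"],
        })
    return rows


def coverage_by_category(catalog, profile):
    """Map category -> (controls with at least one test in profile, total)."""
    totals = defaultdict(int)
    covered = defaultdict(set)
    for ctrl in catalog["controls"].values():
        totals[ctrl["category"]] += 1
    for row in build_checklist(catalog, profile):
        ctrl = catalog["controls"].get(row["control"])
        if ctrl:
            covered[ctrl["category"]].add(row["control"])
    return {cat: (len(covered[cat]), totals[cat]) for cat in totals}


if __name__ == "__main__":
    cat = load_catalog(SAMPLE_CATALOG)
    for item_id, problem in lint_catalog(cat):
        print(f"LINT {item_id}: {problem}")
    for row in build_checklist(cat, "L1"):
        print(f"- [ ] {row['control']} / {row['test']}: {row['title']}")
    print(coverage_by_category(cat, "L1"))
```

The lint step reproduces, in code, the manual review pass the interview describes (checking that every control starts with "The app" and that every control is backed by test cases), and the checklist step shows why attaching profiles to tests rather than controls gives a finer-grained picture: the same control can be partially covered at L1 and fully covered at L2.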
Q: Why did you join NowSecure?
A: I get this question very often. I say, 'Have you seen the team?' It may sound utopian, but imagine if you could assemble all the top talent in the mobile security industry, including the creators of the essential mobile security tools. Well, stop imagining, because here they are. So it was a no-brainer for me.
Other pluses are the company's culture, values, and the fact that it already had a dedicated research team. Also, NowSecure is a big supporter of open-source projects such as Frida and Radare, and of course the OWASP MASVS and MASTG, which I get to work on full time in my work with the company.
Another important point is that NowSecure is in line with my own passion for mobile app security. I fell in love with the OWASP mobile project and wanted to do something to save the world from insecure mobile applications. As it happens, that's also a NowSecure goal. So it was a natural next step for me.
Q: When you're not immersed in mobile application security, what do you like to do in your free time?
A: Coffee and Japanese. I love going to coffee shops, whether in my city or when I visit other places. I have my own espresso machine at home, and I've learned a lot about coffee and latte art over the years. As with mobile security and hacking, you have to be patient, persistent, and willing to accept failure.

When I have some free time and energy left over, I continue to learn Japanese. I'm in love with the language and I know it may take many years to understand and speak it in an acceptable way, but I guess that's part of why I like it: it's an endless challenge. And I love its calligraphy, eating Japanese food and visiting the country.
Where to Learn More
Explore OWASP mobile security standards in depth by enrolling in free training from NowSecure Academy. The on-demand training includes several courses about OWASP, including OWASP mobile vs. web standards, OWASP MAS updates and the MASVS and MASTG updates.
In addition, join us from 2 – 3 p.m. ET on Feb. 21 for a special upcoming NowSecure Tech Talk where you'll get the chance to meet Holguera and hear him speak about the OWASP MASVS v2 updates. Register now.