The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security.
After collecting and processing all feedback from the MASVS-PRIVACY Proposal we're releasing the new MASVS-PRIVACY category.
The main goal of MASVS-PRIVACY is to provide a baseline for user privacy. It is not intended to cover all aspects of user privacy, especially when other standards and regulations such as ENISA or the GDPR already do that. We focus on the app itself, looking at what can be tested using information that's publicly available or found within the app through methods like static or dynamic analysis.
While some associated tests can be automated, others necessitate manual intervention due to the nuanced nature of privacy. For example, if an app collects data that it didn't mention in the app store or its privacy policy, it takes careful manual checking to spot this.
The new controls are:
The MASVS is now available in CycloneDX format (OWASP_MASVS.cdx.json), a widely adopted standard for software bill of materials (SBOM). This format enables easier integration and automation within DevOps pipelines, improving visibility and management of mobile app security. By using CycloneDX, developers and security teams can more efficiently assess, track and comply with MASVS requirements, resulting in more secure mobile applications.
Full Changelog: https://github.com/OWASP/owasp-masvs/compare/v2.0.0...v2.1.0
We are thrilled to announce the release of the new version of the OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0. With this update, we have set out to achieve several key objectives to ensure that MASVS remains a leading industry standard for mobile application security.
We believe that these changes will make the OWASP MASVS v2.0.0 an even more valuable resource for developers and security practitioners alike, and we are excited to see how the industry embraces these updates.
The MASVS v2.0.0 was presented at the OWASP AppSec Dublin 2023, you can watch the presentation ▶️ here.
The Levels you already know (L1, L2 and R) will be fully reviewed and backed up with a corrected and well-documented threat model.
Enter MAS Profiles: We are moving the levels to the MASTG tests so that we can evaluate different situations for the same control (e.g., in MASVS-STORAGE-1, it's OK to store data unencrypted in app internal storage for L1, but L2 requires data encryption). This can lead to different tests depending on the security profile of the application.
The MASTG, in its current version v1.5.0, currently still supports the MASVS v1.5.0. Bringing the MASTG to v2.0.0 to be fully compatible with MASVS v2.0.0 will take some time. That's why we need to introduce a "transition phase". We're currently mapping all new proposed test cases to the new profiles (at least L1 and L2), so even if the MASTG refactoring is not complete, you'll know what to test for, and you'll be able to find most of the tests already in the MASTG.
We thank everyone that has participated in the MASVS Refactoring. You can access all Discussion and documents for the refactoring here.
You'll notice that we have one new author in the MASVS: Jeroen Beckers
Jeroen is a mobile security lead responsible for quality assurance on mobile security projects and for R&D on all things mobile. Ever since his master's thesis on Android security, Jeroen has been interested in mobile devices and their (in)security. He loves sharing his knowledge with other people, as is demonstrated by his many talks & trainings at colleges, universities, clients and conferences.
💙 Special thanks to our MAS Advocate, NowSecure, who has once again demonstrated their commitment to the project by continuously supporting it with time/dedicated resources as well as feedback, data and content contributions.
Full Changelog: https://github.com/OWASP/owasp-masvs/compare/v1.5.0...v2.0.0
This release doesn't include any changes to the MASVS requirements. They will remain the same until the release of MASVS v2.0.0.
We'd like to thank all of our loyal contributors and welcome our new contributors.
Special thanks to Anil Baş, Haktan Emik for the Turkish translation and Panagiotis Yialouris for the Greek translation.
Carlos Holguera & Sven Schleier - OWASP MAS project
NOTE: the OWASP MASVS v2.0.0 release is getting closer. Have you already given your feedback to the MASVS Release Candidate?
Full Changelog: https://github.com/OWASP/owasp-masvs/compare/v1.4.2...v1.5.0
This is a minor release which doesn't include any changes to the MASVS requirements.
Full Changelog: https://github.com/OWASP/owasp-masvs/compare/v1.4.1...v1.4.2
This is a minor release which doesn't include any changes to the MASVS requirements.
Full Changelog: https://github.com/OWASP/owasp-masvs/compare/v1.4.0...v1.4.1
Full Changelog: https://github.com/OWASP/owasp-masvs/compare/v1.3.1...v1.4.0
We are proud to announce the introduction of a new document build pipeline, which is a major milestone for our project. The build pipeline is based on Pandocker and Github Actions. This significantly reduces the time spent on creating new releases and will also be the foundation for the OWASP MSTG and will be made available for the OWASP ASVS project.
With a little bit of delay we are happy to present version 1.2 of the MASVS! Changes:
Pre-release 1.2RC (English only). See Changelog for further details.