Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Verification Level
Name:
Org:
Title:
Phone:
E-mail:
Name:
Org:
Title:
Phone:
E-mail:
e Application Security Checklist
After consultation with <Customer> it was decided that only Level 1 requrirements are applicable to
<AppName>.
` 5.00
Android
P F
V1: Architecture, Design and Threat Modelling 0 0
V2: Data Storage and Privacy 0 0
V3: Cryptography Verification 0 0
V4: Authentication and Session Management 0 0
V5: Network Communication 0 0
V6: Environmental Interaction 0 0
V7: Code Quality and Build Settings 0 0
V8: Resiliency Against Reverse Engineering 0 0
MASVS Compliance Score ( / 5)
###
lling
MASVS Compliance Diagram - Android
Android
Android iOS
NA % P F NA %
13 #DIV/0! 0 0 13 #DIV/0!
12 #DIV/0! 0 0 11 #DIV/0!
6 #DIV/0! 0 0 6 #DIV/0!
10 #DIV/0! 0 0 10 #DIV/0!
5 #DIV/0! 0 0 5 #DIV/0!
8 #DIV/0! 0 0 10 #DIV/0!
0 #DIV/0! 0 0 8 #DIV/0!
13 #DIV/0! 0 0 13 #DIV/0!
MASVS Compliance Score ( / 5)
###
V1: Architecture, Design and Threat Modelling
MASVS Compliance Diagram - iOS
10.00 IOS
V2: Data Storage and Privacy V8: Resiliency Against Reverse Engineering
5.00
###
Compliance Diagram - iOS
IOS
vironmental Interaction
Mobile Application Security Requirements - Android
ID
V1
1.1
1.2
1.3
1.4
1.5
1.6
1.7
1.8
1.9
1.10
1.11
1.12
1.13
V2
2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10
2.11
2.12
V3
3.1
3.2
3.3
3.4
3.5
3.6
V4
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
4.10
V5
5.1
5.2
5.3
5.4
5.5
V6
6.1
6.2
6.3
6.4
6.5
6.6
6.7
6.8
6.9
6.10
V7
7.1
7.2
7.3
7.4
7.5
7.6
7.7
7.8
Legend
Symbol
Pass
Fail
N/A
Mobile Application Security Requirements - Android
Verify all third party components used by the mobile app, such as libraries and frameworks, are identified, and checked fo
Verify that security controls are never enforced only on the client side, but on the respective remote endpoints.
Verify that a high-level architecture for the mobile app and all connected remote services has been defined and security h
architecture.
Verify that data considered sensitive in the context of the mobile app is clearly identified.
Verify all app components are defined in terms of the business functions and/or security functions they provide.
Verify that a threat model for the mobile app and the associated remote services, which identifies potential threats and co
produced.
Verify all third party components have been assessed (associated risks) before being used or implemented. Additionally ve
ensure that each time a security update for a third party component is published, the change is inspected and the risk eva
Verify that the remote endpoint uses randomly generated access tokens to authenticate client requests without sending th
Verify that the remote endpoint terminates the existing session when the user logs out.
Verify that a password policy exists and is enforced at the remote endpoint.
Verify that the remote endpoint implements an exponential back-off, or temporarily locks the user account, when incorrec
submitted an excessive number of times.
Verify that biometric authentication, if any, is not event-bound (i.e. using an API that simply returns "true" or "false"). Inste
keychain/keystore.
Verify that sessions are terminated at the remote endpoint after a predefined period of inactivity.
Verify that a second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforce
Verify that step-up authentication is required to enable actions that deal with sensitive data or transactions.
Verify that the app informs the user of all login activities with his or her account. Users are able view a list of devices used
specific devices.
Network Communication
Verify that data is encrypted on the network using TLS. The secure channel is used consistently throughout the app.
Verify that the TLS settings are in line with current best practices, as far as they are supported by the mobile operating sys
Verify that the app verifies the X.509 certificate of the remote endpoint when the secure channel is established. Only certi
accepted.
Verify that the app either uses its own certificate store, or pins the endpoint certificate or public key, and subsequently do
endpoints that offer a different certificate or key, even if signed by a trusted CA.
Verify that the app doesn't rely on a single insecure communication channel (email or SMS) for critical operations, such as
Platform Interaction
Verify that the app only requires the minimum set of permissions necessary.
Verify that all inputs from external sources and the user are validated and if necessary sanitized. This includes data receive
as intents, custom URLs, and network sources.
Verify that the app does not export sensitive functionality via custom URL schemes, unless these mechanisms are properly
Verify that the app does not export sensitive functionality through IPC facilities, unless these mechanisms are properly pro
Verify that JavaScript is disabled in WebViews unless explicitly required.
Verify that WebViews are configured to allow only the minimum set of protocol handlers required (ideally, only https). Pot
file, tel and app-id, are disabled.
Verify that the app does not load user-supplied local resources into WebViews.
Verify that if Java objects are exposed in a WebView, verify that the WebView only renders JavaScript contained within the
Verify that object serialization, if any, is implemented using safe serialization APIs.
Verify that the app detects whether it is being executed on a rooted or jailbroken device. Depending on the business requ
app is terminated if the device is rooted or jailbroken.
Code Quality and Build Settings
Verify that the app is signed and provisioned with valid certificate.
Verify that the app has been built in release mode, with settings appropriate for a release build (e.g. non-debuggable).
Verify that debugging symbols have been removed from native binaries.
Verify that debugging code has been removed, and the app does not log verbose errors or debugging messages.
Verify that the app catches and handles possible exceptions.
Verify that error handling logic in security controls denies access by default.
Verify that in unmanaged code, memory is allocated, freed and used securely.
Free security features offered by the toolchain, such as byte-code minification, stack protection, PIE support and automati
Definition
Requirement is applicable to mobile App and implemented according to best practices.
Requirement is applicable to mobile App but not fulfilled.
Requirement is not applicable to mobile App.
Level 1 Level 2 Status
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ N/A
✓ N/A
✓ N/A
✓ N/A
✓ N/A
✓ N/A
✓ N/A
✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ N/A
✓ N/A
✓ N/A
✓ N/A
✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ N/A
✓ N/A
✓ N/A
✓ N/A
✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ N/A
✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
Testing Procedure
-
-
-
-
-
-
-
-
-
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11
8.12
8.13
Legend
Symbol
Pass
Fail
N/A
Resiliency against Reverse Engineering - Android
Verify that the app detects the presence of widely used reverse engineering tools, such as code injection tools, hooking fra
Verify that the app detects, and response to, being run in an emulator using any method.
Verify that the app detects, and responds to, modifications of process memory, including relocation table patches and inje
Verify that the app implements multiple different responses to tampering, debugging and emulation (requirements 9.2 - 9
terminate the app.
Verify all executable files and libraries belonging to the app are either encrypted on the file level and/or important code an
encrypted or packed. Trivial static analysis should not reveal important code or data.
Verify that obfuscating transformations and functional defenses are interdependent and well-integrated throughout the ap
Device Binding
Verify that the app implements a 'device binding' functionality when a mobile device is treated as being trusted. Verify tha
device properties.
Impede Comprehension
Verify that the app uses multiple functionally independent means of emulator detection that, in context of the overall pro
significant manual effort to run the app in an emulator (supersedes requirement 9.5).
Verify that if the architecture requires sensitive information be stored on the device, the app only runs on operating system
key storage. Alternatively, the information is protected using obfuscation. Considering current published research, the obf
cause significant manual effort to reverse engineers seeking to comprehend or extract the sensitive data.
Verify that if the architecture requires sensitive computations be performed on the client-side, these computations are iso
hardware-based SE or TEE. Alternatively, the information is protected using obfuscation. Considering current published res
sufficient to cause significant manual effort to reverse engineers seeking to comprehend the sensitive portions of the code
Definition
Requirement is applicable to mobile App and implemented according to best practices.
Requirement is applicable to mobile App but not fulfilled.
Requirement is not applicable to mobile App.
R Status Testing Procedure
✓ N/A
Testing Advanced Root Detection
✓ N/A
Testing Debugging Defenses
✓ N/A Testing File Integrity Checks
✓ N/A
Testing Detection of Reverse Engineering Tools
✓ N/A Testing Simple Emulator Detection
✓ N/A Testing Memory Integrity Checks
✓ N/A
Verifying the Variability of Tampering Responses
✓ N/A
Testing Simple Obfuscation
✓ N/A Verifying that Defenses are Integrated
✓ N/A
Testing Device Binding
✓ N/A
Testing Advanced Anti-Emulation
✓ N/A
✓ N/A
ID
V1
1.1
1.2
1.3
1.4
1.5
1.6
1.7
1.8
1.9
1.10
1.11
1.12
1.13
V2
2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10
2.11
2.12
V3
3.1
3.2
3.3
3.4
3.5
3.6
V4
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
4.10
V5
5.1
5.2
5.3
5.4
5.5
V6
6.1
6.2
6.3
6.4
6.5
6.6
6.7
6.8
6.9
6.10
V7
7.1
7.2
7.3
7.4
7.5
7.6
7.7
7.8
Legend
Symbol
Pass
Fail
N/A
Mobile Application Security Requirements - iOS
Verify that a high-level architecture for the mobile app and all connected remote services has been defined and security h
Verify that data considered sensitive in the context of the mobile app is clearly identified.
Verify all app components are defined in terms of the business functions and/or security functions they provide.
Verify that a threat model for the mobile app and the associated remote services, which identifies potential threats and co
Verify all third party components have been assessed (associated risks) before being used or implemented. Additionally ve
time a security update for a third party component is published, the change is inspected and the risk evaluated.
Verify that all security controls have a centralized implementation.
Verify that all components that are not part of the application but that the application relies on to operate, are clearly iden
components are known.
Verify that there is an explicit policy for how cryptographic keys (if any) are managed, and the lifecycle of cryptographic ke
standard such as NIST SP 800-57.
Verify that remote endoints ensure that connecting clients use the current version of the mobile app.
Verify that security testing is performed as part of the development lifecycle. If some or all of the testing is automated, the
to the specific app.
Data Storage and Privacy
Verify that system credential storage facilities are used appropriately to store sensitive data, such as user credentials or cry
Verify that no sensitive data is written to application logs.
Verify that no sensitive data is shared with third parties unless it is a necessary part of the architecture.
Verify that the keyboard cache is disabled on text inputs that process sensitive data.
Verify that the clipboard is deactivated on text fields that may contain sensitive data.
Verify that no sensitive data, such as passwords and credit card numbers, is exposed through the user interface or leaks to
Verify that no sensitive data is included in backups.
Verify that the app removes sensitive data from views when backgrounded.
Verify that the app does not hold sensitive data in memory longer than necessary, and memory is cleared explicitly after u
Verify that the app enforces a minimum device-access-security policy, such as requiring the user to set a device passcode.
Verify that the app educates the user about the types of personally identifiable information processed, as well as security
app.
Cryptography
Verify that the app does not rely on symmetric cryptography with hardcoded keys as a sole method of encryption.
Verify that the app uses proven implementations of cryptographic primitives.
Verify that the app uses cryptographic primitives that are appropriate for the particular use-case, configured with paramet
Verify that the app does not use cryptographic protocols or algorithms that are widely considered depreciated for security
Verify that the app doesn't re-use the same cryptographic key for multiple purposes.
Verify that all random values are generated using a sufficiently secure random number generator.
Authentication and Session Management
Verify that if the app provides users with access to a remote service, an acceptable form of authentication such as usernam
remote endpoint.
Verify that the remote endpoint uses randomly generated access tokens to authenticate client requests without sending th
Verify that the remote endpoint terminates the existing session when the user logs out.
Verify that a password policy exists and is enforced at the remote endpoint.
Verify that the remote endpoint implements an exponential back-off, or temporarily locks the user account, when incorrec
excessive number of times.
Verify that biometric authentication, if any, is not event-bound (i.e. using an API that simply returns "true" or "false"). Inste
Verify that sessions are terminated at the remote endpoint after a predefined period of inactivity.
Verify that a second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforce
Verify that step-up authentication is required to enable actions that deal with sensitive data or transactions.
Verify that the app informs the user of all login activities with his or her account. Users are able view a list of devices used
devices.
Network Communication
Verify that data is encrypted on the network using TLS. The secure channel is used consistently throughout the app.
Verify that the TLS settings are in line with current best practices, as far as they are supported by the mobile operating sys
Verify that the app verifies the X.509 certificate of the remote endpoint when the secure channel is established. Only certi
Verify that the app either uses its own certificate store, or pins the endpoint certificate or public key, and subsequently do
offer a different certificate or key, even if signed by a trusted CA.
Verify that the app doesn't rely on a single insecure communication channel (email or SMS) for critical operations, such as
Environmental Interaction
Verify that the app only requires the minimum set of permissions necessary.
Verify that all inputs from external sources and the user are validated and if necessary sanitized. This includes data receive
custom URLs, and network sources.
Verify that the app does not export sensitive functionality via custom URL schemes, unless these mechanisms are properly
Verify that the app does not export sensitive functionality through IPC facilities, unless these mechanisms are properly pro
Verify that JavaScript is disabled in WebViews unless explicitly required.
Verify that WebViews are configured to allow only the minimum set of protocol handlers required (ideally, only https). Pot
app-id, are disabled.
Verify that the app does not load user-supplied local resources into WebViews.
Verify that if Java objects are exposed in a WebView, verify that the WebView only renders JavaScript contained within the
Verify that object serialization, if any, is implemented using safe serialization APIs.
Verify that the app detects whether it is being executed on a rooted or jailbroken device. Depending on the business requ
terminated if the device is rooted or jailbroken.
Code Quality and Build Settings
Verify that the app is signed and provisioned with valid certificate.
Verify that the app has been built in release mode, with settings appropriate for a release build (e.g. non-debuggable).
Verify that debugging symbols have been removed from native binaries.
Verify that debugging code has been removed, and the app does not log verbose errors or debugging messages.
Verify that the app catches and handles possible exceptions.
Verify that error handling logic in security controls denies access by default.
Verify that in unmanaged code, memory is allocated, freed and used securely.
Free security features offered by the toolchain, such as byte-code minification, stack protection, PIE support and automati
Definition
Requirement is applicable to mobile App and implemented according to best practices.
Requirement is applicable to mobile App but not fulfilled.
Requirement is not applicable to mobile App.
Level 1 Level 2 Status Testing Procedure
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ ✓ N/A
✓ N/A
✓ N/A
✓ N/A
✓ N/A
✓ N/A
✓ N/A
✓ N/A
✓ N/A
✓ ✓ N/A
Testing For Sensitive Data in Local Data Storage
✓ ✓ N/A Testing For Sensitive Data in Logs
✓ ✓ N/A
Testing Whether Sensitive Data Is Sent To Third Parties
✓ ✓ N/A
Testing Whether the Keyboard Cache Is Disabled for Text Input Fields
✓ ✓ N/A Testing for Sensitive Data in the Clipboard
✓ ✓ N/A
Testing Whether Sensitive Data Is Exposed via IPC Mechanisms
✓ ✓ N/A
Testing for Sensitive Data Disclosure Through the User Interface
✓ N/A Testing for Sensitive Data in Backups
✓ N/A
Testing for Sensitive Information in Auto-Generated Screenshots
✓ N/A Testing for Sensitive Data in Memory
✓ N/A Testing the Device-Access-Security Policy
✓ N/A
Verifying User Education Controls
✓ ✓ N/A
Verifying that Users Are Properly Authenticated
✓ ✓ N/A Testing Session Management
✓ ✓ N/A Testing the Password Policy
✓ ✓ N/A Testing the Logout Functionality
✓ ✓ N/A
Testing Excessive Login Attempts
✓ N/A
Testing Biometric Authentication
✓ N/A Testing the Session Timeout
✓ N/A Testing 2-Factor Authentication
✓ N/A Testing Step-up Authentication
✓ N/A
Testing User Device Management
✓ ✓ N/A
Testing for Unencrypted Sensitive Data on the Network
✓ ✓ N/A Verifying the TLS Settings
✓ ✓ N/A
Testing Endpoint Identify Verification
✓ N/A
Testing Custom Certificate Stores and SSL Pinning
✓ N/A
Verifying that Critical Operations Use Secure Communication Channels
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11
8.12
8.13
Legend
Symbol
Pass
Fail
N/A
Resiliency Against Reverse Engineering - iOS
Verify that the app detects the presence of widely used reverse engineering tools, such as code injection tools, hooking fra
Verify that the app detects, and response to, being run in an emulator using any method.
Verify that the app detects, and responds to, modifications of process memory, including relocation table patches and inje
Verify that the app implements multiple different responses to tampering, debugging and emulation (requirements 9.2 - 9
terminate the app.
Verify all executable files and libraries belonging to the app are either encrypted on the file level and/or important code an
encrypted or packed. Trivial static analysis should not reveal important code or data.
Verify that obfuscating transformations and functional defenses are interdependent and well-integrated throughout the ap
Device Binding
Verify that the app implements a 'device binding' functionality when a mobile device is treated as being trusted. Verify tha
device properties.
Impede Comprehension
Verify that the app uses multiple functionally independent means of emulator detection that, in context of the overall pro
significant manual effort to run the app in an emulator (supersedes requirement 9.5).
Verify that if the architecture requires sensitive information be stored on the device, the app only runs on operating system
key storage. Alternatively, the information is protected using obfuscation. Considering current published research, the obf
cause significant manual effort to reverse engineers seeking to comprehend or extract the sensitive data.
Verify that if the architecture requires sensitive computations be performed on the client-side, these computations are iso
hardware-based SE or TEE. Alternatively, the information is protected using obfuscation. Considering current published res
sufficient to cause significant manual effort to reverse engineers seeking to comprehend the sensitive portions of the code
Definition
Requirement is applicable to mobile App and implemented according to best practices.
Requirement is applicable to mobile App but not fulfilled.
Requirement is not applicable to mobile App.
R Status Testing Procedure
✓ N/A
Testing Advanced Root Detection
✓ N/A
Testing Debugging Defenses
✓ N/A Testing File Integrity Checks
✓ N/A
Testing Detection of Reverse Engineering Tools
✓ N/A Testing Simple Emulator Detection
✓ N/A Testing Memory Integrity Checks
✓ N/A
Verifying the Variability of Tampering Responses
✓ N/A
Testing Simple Obfuscation
✓ N/A Verifying that Defenses are Integrated
✓ N/A
Testing Device Binding
✓ N/A
Testing Advanced Anti-Emulation
✓ N/A
✓ N/A