Celebrating 3 Years of NowSecure as an OWASP MAS Advocate

Few partnerships have been as impactful as the one between NowSecure and the OWASP Mobile App Security (MAS) project. Today, as we celebrate three years of NowSecure as an OWASP MAS Advocate, we reflect on a journey marked by innovation, collaboration, and continuous improvement that has set the blueprint for future industry partnerships.

Being a MAS Advocate means making high-impact contributions. NowSecure has delivered consistently, offering dedicated time from key experts, especially project leader Carlos Holguera, and stepping in with additional support whenever needed.

GitHub tells a compelling story about NowSecure's involvement in the OWASP MAS project over the past three years:

  • 320+ Pull Requests
  • 230+ Reviews
  • 42,000+ Additions
  • 29,500+ Deletions

These numbers reflect more than just activity; they demonstrate leadership. NowSecure has significantly enhanced OWASP MAS resources by contributing valuable content, reviewing community submissions, and maintaining the overall clarity and quality of the project.

But there's more to it than just numbers. NowSecure has been a driving force behind the evolution of the OWASP MAS project, providing strategic insights, technical expertise, and a commitment to excellence that has shaped our direction and impact. Below, we look back on the key milestones and contributions over the past few years, a timeline that highlights the valuable role NowSecure has played in each step of the evolution of the MAS project.

Rebranding From MSTG to OWASP MAS

In August 2022, we announced a rebranding of the project, formerly known as the "OWASP Mobile Security Testing Guide (MSTG)" project. The new identity, OWASP Mobile App Security (MAS), better reflects the full scope of our project, from the MAS Verification Standard (MASVS) and MAS Testing Guide (MASTG) to checklists and crackmes, and, later, the Mobile App Security Weakness Enumeration (MASWE).

NowSecure provided strategic insight and industry perspective that helped clarify the project's scope and messaging. Their early feedback ensured that the new brand not only resonated with the community but also set a clear direction for future enhancements.

MASVS v2.0.0 Release

April 2023 saw the launch of MASVS v2.0.0, a major milestone that redefined mobile app security standards. This release introduced crucial improvements:

  • Abstraction & Simplification: Redundant controls were removed, making MASVS more approachable for developers.
  • Clarity Through Standardization: Leveraging and referencing well-established standards ensured that our controls were clear and actionable.
  • Introduction of MAS Testing Profiles: Transitioning from the previous "levels" to new "profiles" allowed for more tailored assessments in real-world scenarios.

NowSecure's technical expertise and continuous feedback during the development process were instrumental. Their real-world testing scenarios and rigorous review of the proposed changes helped shape a standard that truly meets the needs of modern mobile app security professionals.

MASTG Refactor Part 1: Testing Profiles & Atomic Tests

In July 2023, we announced the first phase of the MASTG refactor, including:

  • New MAS Testing Profiles: Replacing traditional verification levels with "profiles" backed up by real-world scenarios. This change allows for more tailored assessments, making it easier to understand the context and applicability of each test.
  • Atomic Tests: Breaking down large tests into smaller, self-contained units has reduced ambiguity and improved traceability.

Throughout this process, NowSecure's in-depth technical reviews and pilot testing were invaluable. Their willingness to experiment with early versions of the refactored tests ensured that the new structure was both robust and practical for real-world application, ultimately enhancing the overall quality and consistency of the MASTG.

MASTG Refactor Part 2 - Modularizing the Framework

Later in September 2023, we announced the second phase of the MASTG refactor, focusing on a modular approach:

  • The guide was reorganized into distinct components—Tests, Techniques, Tools, and Apps—making it easier to locate and reference specific content.
  • This modularity enhances cross-referencing and maintainability of the overall framework.

NowSecure provided critical feedback on the modularization process and implemented the new structure. Their insights into how security professionals interact with the MASTG helped shape a more user-friendly and efficient resource.

Introducing MASVS-PRIVACY

October 2023 marked a significant expansion in our scope with the introduction of MASVS-PRIVACY as a proposal, which was later included in the MASVS v2.1.0 release in January 2024 after a thorough review by the community and industry.

NowSecure's leadership in mobile security and privacy issues was a driving force behind this addition. Their proactive stance on privacy concerns and hands-on experience with data protection challenges contributed to shaping a robust baseline that addresses modern privacy demands.

MAS Task Force

In February 2024, we launched the MAS Task Force, a focused group of mobile security experts who meet monthly to drive the MAS project roadmap forward. Their efforts include managing GitHub issues, refining new MAS profiles and risks, assigning tasks, and developing vulnerable code snippets for both Android and iOS. Currently, the group is focused on porting V1 tests to V2 in preparation for MASTG V2.

NowSecure's continued support plays a key role in making this initiative possible. By enabling Carlos Holguera to dedicate time and expertise to lead the effort, the task force has maintained strong momentum. With a combination of technical depth and strategic direction, Carlos has helped the group prioritize effectively and push the MAS project forward with consistency and clarity.

New MAS Test Apps and Standardized Demos

In May 2024, we launched new MAS Test Apps for Android and iOS, designed to facilitate hands-on learning and testing. These apps include:

  • Skeleton Applications: Basic frameworks for Android and iOS, allowing users to explore and validate security scenarios.
  • Code Samples: Embedded within the apps, these samples demonstrate best (and worst) practices and common pitfalls in mobile app security.
  • Build Automation: Leveraging GitHub Actions, we automated the build and MASTG integration process for these demos, ensuring that they remain up-to-date and functional.

NowSecure's expertise in mobile app security testing was invaluable in the development of these test apps. Their insights into real-world vulnerabilities and hands-on experience with mobile security challenges helped shape the design and functionality of the apps, ensuring that they are both practical and effective for users.

Introducing the OWASP MASWE

July 2024 saw the introduction of the Mobile App Security Weakness Enumeration (MASWE):

  • MASWE bridges the gap between high-level MASVS controls and detailed MASTG tests.
  • It offers a granular view of specific weaknesses, enhancing traceability from requirements down to individual test cases.

NowSecure's comprehensive review and detailed feedback on early drafts of MASWE were critical. Their ability to pinpoint real-world vulnerabilities and suggest actionable improvements helped shape MASWE into a tool that complements both MASVS and MASTG, ensuring that our framework remains holistic and responsive to emerging threats.

OWASP Project Summit 2024

In November 2024, we hosted the OWASP Project Summit, where NowSecure led the mobile app security track. This five-day event brought together experts from various companies to discuss the future of mobile security, share insights, and collaborate on innovative solutions. During the summit, approximately 40 pull requests were created, and countless discussions were held.

NowSecure played a key role by reviewing the contributions and driving technical discussions, ensuring that the ideas generated were actionable and aligned with the project's goals. Under the leadership of Carlos Holguera, who helped organize and guide the track, NowSecure fostered an environment of collaboration and knowledge sharing—setting a high standard for future OWASP events.

Looking Ahead

As we celebrate this three-year partnership, we're excited about what lies ahead. These contributions aren't just milestones; they're building blocks for the future. Thanks to the incredible community support, ongoing advocacy, and passion of organizations like NowSecure, the next chapters of the MAS project promise even greater innovation and impact in the years to come.

We invite you to join us on this journey, share your insights, and contribute to shaping the future of mobile security.

Thank you, NowSecure, for being a beacon of excellence and a trusted partner in our mission to secure mobile applications worldwide.

Introducing the new Mobile App Security Weakness Enumeration (MASWE)

The OWASP MAS project continues to lead the way in mobile application security, providing robust and up-to-date resources for developers and security professionals alike. Our team has been working diligently with the MAS community and industry to refactor the Mobile Application Security Verification Standard (MASVS) and the Mobile Application Security Testing Guide (MASTG). In this blog post, we'll walk you through our latest addition to the MAS project: the brand new Mobile App Security Weakness Enumeration (MASWE).

Refactoring the MASTG

We began the refactoring process in 2021, focusing first on the MASVS and then on the MASTG. Our primary goal was to break the MASTG v1 into modular components, including tests, techniques, tools, and applications.

This modular approach allows us to maintain and update each component independently, ensuring that the MASTG remains current and relevant. For example, in our previous structure, the MASTG consisted of large test cases within a single Markdown file. This was not only difficult to maintain but also made it challenging to reference specific tests, and it was impossible to attach metadata to each test.

The new structure divides tests into individual pages (Markdown files with metadata), each with its own ID (MASTG-TEST-****) and links to relevant techniques (MASTG-TECH-****) and tools (MASTG-TOOL-****). This encapsulation ensures that each test is easily referenced and promotes reusability across all MAS components. For example, you can open a test and see what tools and techniques are being used, and soon you'll be able to do the same in reverse: open a tool or technique and see all the tests that use it. This deep cross-referencing can be extremely powerful when exploring the MASTG.

Introducing MASWE

A significant addition to our project is the introduction of MASWE, designed to fill the gap between high-level MASVS controls and low-level MASTG tests. The MASWE identifies specific weaknesses in mobile applications, similar to Common Weakness Enumerations (CWEs) in the broader software security industry. This new layer provides a detailed description of each weakness, bridging the conceptual gap and making the testing process more coherent.

Now MASVS, MASWE and MASTG are all seamlessly connected. We start with the high-level requirements, zoom in on the specific weaknesses, and then go low-level to the tests and hands-on with the demos. Here's how it works:

  1. MASVS Controls: High-level platform-agnostic requirements.

    For example, "The app employs current cryptography and uses it according to best practices." (MASVS-CRYPTO-1).

  2. MASWE Weaknesses: Specific weaknesses, typically also platform-agnostic, related to the controls.

    For example, "use of weak pseudo-random number generation" (MASWE-0027).

  3. MASTG Tests: Each weakness is evaluated by executing tests that guide the tester in identifying and mitigating the issues using various tools and techniques on each mobile platform.

    For example, testing for "insecure random API usage on Android" (MASTG-TEST-0204).

  4. MASTG Demos: Practical demonstrations that include working code samples and test scripts to ensure reproducibility and reliability.

    For example, a sample using Java's Random() instead of SecureRandom() (MASTG-DEMO-0007).
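The MASVS-CRYPTO-1 to MASWE-0027 to MASTG-TEST-0204 to MASTG-DEMO-0007 chain above, as an added example that is not part of the original post or of the MASTG demos: a small static check (the kind of test a semgrep rule would express) that resolves Kotlin imports, flags call sites of non-cryptographic PRNGs, leaves SecureRandom alone, and tags each finding with the IDs from the post. The Kotlin source is constructed for this example and is not the demo's real code.

```python
import re

# Constructed Kotlin sample in the spirit of MASTG-DEMO-0007 (java.util.Random
# next to SecureRandom). Written for this example, not the demo's own source.
SAMPLE_KOTLIN = """\
package org.example.mastg

import java.security.SecureRandom
import java.util.Random
import kotlin.random.Random as KRandom

class TokenFactory {
    fun weakToken(): Int = Random().nextInt()          // weak: java.util.Random
    fun weakToken2(): Double = Math.random()           // weak: Math.random
    fun weakToken3(): Int = KRandom.nextInt()          // weak: aliased import
    fun strongToken(): Int = SecureRandom().nextInt()  // fine
    fun strongBytes(): ByteArray = ByteArray(16).also { SecureRandom().nextBytes(it) }
}
"""

# Traceability chain from the post: control -> weakness -> test -> demo.
FINDING_META = {"control": "MASVS-CRYPTO-1", "weakness": "MASWE-0027",
                "test": "MASTG-TEST-0204", "demo": "MASTG-DEMO-0007"}

# Non-cryptographic PRNG classes this check treats as weak.
WEAK_FQNS = {"java.util.Random", "kotlin.random.Random"}
IMPORT_RE = re.compile(r"^\s*import\s+([\w.]+)(?:\s+as\s+(\w+))?\s*$")
MATH_RANDOM_RE = re.compile(r"\bMath\.random\s*\(")

def resolve_imports(source):
    """Map each local name (including 'as' aliases) to a weak FQN."""
    weak_locals = {}
    for line in source.splitlines():
        m = IMPORT_RE.match(line)
        if m and m.group(1) in WEAK_FQNS:
            local = m.group(2) or m.group(1).rsplit(".", 1)[-1]
            weak_locals[local] = m.group(1)
    return weak_locals

def find_weak_prng(source):
    """Return (line_no, offending_api, stripped_line) per weak call site.
    Import lines themselves are skipped; only uses are reported."""
    weak_locals = resolve_imports(source)
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # ignore trailing comments
        if IMPORT_RE.match(code):
            continue
        hit = None
        if MATH_RANDOM_RE.search(code):
            hit = "java.lang.Math.random"
        for fq in WEAK_FQNS:  # fully qualified use without an import
            if hit is None and fq in code:
                hit = fq
        for local, fq in weak_locals.items():
            # token match: the 'Random' inside 'SecureRandom' must not count
            if hit is None and re.search(rf"(?<![\w.]){re.escape(local)}\b", code):
                hit = fq
        if hit:
            findings.append((no, hit, line.strip()))
    return findings

def report(source):
    """Attach the MASVS/MASWE/MASTG/DEMO IDs to each finding."""
    return [dict(FINDING_META, line=no, api=api, code=code)
            for no, api, code in find_weak_prng(source)]
```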

Practical Applications and Demos

To ensure our guidelines are practical and reliable, we've developed new MAS Test Apps for both Android and iOS.

These simple, skeleton applications are designed to embed code samples directly, allowing users to validate and experiment with the provided demos. This approach ensures that all code samples are functional and up-to-date, fostering a hands-on learning experience.

For example, to test for secure storage, MASTG-DEMO-0002 shows how to use dynamic analysis with Frida to identify the issues in the code. The demo includes:

  • a Kotlin code sample (ready to be copied into the app and run on a device)
  • the specific test steps for this case using Frida
  • the shell script including the Frida command
  • the Frida script to be injected
  • the output with explanations
  • the final evaluation of the test

You can run everything on your own device and validate the results yourself! Just clone the repository and navigate to the demo folder, install Frida on your computer and your Android device, and follow the steps.

🧪 These demos can also be used as experimental playgrounds to improve your skills and practice with different cases as you study mobile app security with the MASTG. For example, you can try to reverse engineer the app and see if you're able to find the same issues as the demo or you can try to fix the issues and see if you can validate the fix.

They are also great for advanced researchers and pentesters to quickly validate certain scenarios. For example, it's very common to find cases where Android behaves differently depending on the version or the manufacturer. With these demos, you can quickly validate if a certain issue is present on a specific device or Android version.

Automation with GitHub Actions

Going forward, we want to automate the process of creating and validating the new demos, and ensure that the tests remain functional over time. We'll be using GitHub Actions to do this. Here is the plan:

  1. Build the app: Automatically build the APK/IPA for Android and iOS.
  2. Deploy the app to a virtual device: install and run the generated app on a virtual device.
  3. Execute tests and validate results: Execute static tests with tools like semgrep or radare2 as well as dynamic tests using Frida and mitmproxy on the target device. Finally, compare the test results with the expected output.

We've currently implemented a PoC for the first step (only for Android APKs), and are working on the next steps. If you're interested in contributing to this effort, please let us know!

Feedback Wanted

We encourage you to explore the new MASWE, MASTG tests and MASTG demos. Your insights and experiences are invaluable to us, and we invite you to share your feedback in our GitHub discussions to help us continue to improve. This way we can ensure that our resources are practical, reliable, and valuable for real-world application.

You can also contribute to the project by creating new weaknesses, tests, techniques, tools, or demos. We welcome all contributions and feedback, and we look forward to working with you to make the MAS project the best it can be.

Go to our GitHub repo and check our [milestones](https://github.com/OWASP/owasp-mastg/milestones) and [GitHub discussions](https://github.com/OWASP/owasp-mastg/discussions/categories/maswe-mastg-v2-beta-Feedback).

New Standard for Secure Mobile App Transactions

The Cyber Security Agency of Singapore (CSA) launched the "Safe App Standard" on January 10, 2024. Tailored for local app developers and service providers, this guideline is based on the OWASP Mobile Application Security Verification Standard (MASVS) and focuses on critical areas such as authentication and authorization (MASVS-AUTH), data storage (MASVS-STORAGE), and tamper resistance (MASVS-RESILIENCE). The initiative aims to protect apps from common cyber threats and ensure a safer digital space for users.

While the Safe App Standard is a significant step forward in securing mobile applications, developers are encouraged to consider the full MASVS and select the appropriate MAS profiles for comprehensive protection. This holistic approach to app security ensures that apps go beyond meeting the baseline and are protected against a wider range of cyber threats, providing robust security for end users.

MASVS-PRIVACY

Mobile applications frequently access sensitive user data to deliver their core functionalities. This data ranges from personally identifiable information (PII), health metrics, location data, to device identifiers. Mobile devices are a constant companion to users, always connected, and equipped with numerous sensors—including cameras, microphones, GPS and BLE—that generate data capable of inferring user behavior and even identifying individuals. The landscape is further complicated by advanced tracking techniques, the integration of third-party SDKs, and a heightened awareness of privacy issues among users and regulators. As a response, there's a growing trend towards on-device processing to keep user data localized and more secure.

MASTG Refactor Part 2 - Techniques, Tools & Reference Apps

We are thrilled to announce the second phase of the MASTG (Mobile Application Security Testing Guide) refactor. These changes aim to enhance the usability and accessibility of the MASTG.

The primary focus of this new refactor is the reorganization of the MASTG content into different components, each housed in its dedicated section/folder and existing now as individual pages in our website (markdown files with metadata/frontmatter in GitHub):

MAS Testing Profiles and MASTG Atomic Tests

The MASTG refactoring is a significant upgrade that addresses some existing challenges and introduces exciting new features. It aims to streamline compliance, simplify testing and improve usability for security testers and other stakeholders.

MAS Testing Profiles

As part of the MASVS refactoring, we've replaced the three traditional verification levels (L1, L2, and R) with security testing profiles in the MASTG. These new profiles are designed to enhance our ability to capture various security nuances associated with mobile apps, allowing us to evaluate different situations for the same MASVS control. For instance, in MASVS-STORAGE-1, it's acceptable to store data unencrypted in app internal storage for MAS-L1, but MAS-L2 requires data encryption.

MASVS v2 Colors

We're bringing official colors to the MASVS! The new colors will be used across the MASVS v2.0.0 and MASTG v2.0.0 to help users quickly identify the different control groups. We've also revamped certain areas of our website to make them more readable and easier to navigate as well as to prepare for what's coming with the MASTG v2.0.0 (keyword: "atomic tests").