MASVS-PRIVACY

Mobile applications frequently access sensitive user data to deliver their core functionalities. This data ranges from personally identifiable information (PII), health metrics, location data, to device identifiers. Mobile devices are a constant companion to users, always connected, and equipped with numerous sensors—including cameras, microphones, GPS and BLE—that generate data capable of inferring user behavior and even identifying individuals. The landscape is further complicated by advanced tracking techniques, the integration of third-party SDKs, and a heightened awareness of privacy issues among users and regulators. As a response, there's a growing trend towards on-device processing to keep user data localized and more secure.

Today we're excited to announce the release of the new MASVS-PRIVACY, a new MASVS category and MAS profile with focus on privacy. The new profile is designed to help organizations and individuals assess the privacy implications of their mobile applications and make informed decisions.

The new controls are:

  • MASVS-PRIVACY-1: The app minimizes access to sensitive data and resources.
  • MASVS-PRIVACY-2: The app prevents identification of the user.
  • MASVS-PRIVACY-3: The app is transparent about data collection and usage.
  • MASVS-PRIVACY-4: The app offers user control over their data.

The proposal defines the scope of the new MASVS-PRIVACY category and profile, and includes a detailed description of each control, a rationale, and a list of tests. The new profile MAS-P, establishes a baseline for privacy and is intended to work cohesively, and in some cases even overlap, with other OWASP MAS profiles, such as MAS-L1 and MAS-L2, ensuring a holistic approach to both security and privacy.

Call to Action:

We'd be thrilled to hear what you think! Your input is really important to us, and it can make a big difference in shaping the final version of the document. Please take a moment to review it and share your comments, feedback, and ideas.

Review Timeline: until November 30, 2023

Please follow the link here to access the document: https://docs.google.com/document/d/1jq7V9cRureRFF_XT7d_Z9H_SLsaFs43cE50k6zMRu0Q/edit?usp=sharing