Penetration Testing for Mobile Applications
Know your mobile app code vulnerabilities before the hackers do.
Vertical Structure’s expert team of mobile application specialists will put iOS and Android apps through automatic and bespoke, manual testing.
What is mobile application testing?
Mobile applications, by their very nature, ‘live in the wild’ and have their own unique cyber security concerns.
Mobile application testing is undertaken with both manual and automated methodologies, testing the functionality, usability and consistency of software applications designed for use on mobile devices.
Our approach to mobile app testing
Following our human-centric testing methodology, a code vulnerability report will be produced, with the goal of providing recommendations for improvements.
The reports are clear and easy to understand, because they are written by humans, for humans.
Readability is our focus.
Our testers will ensure that applications are meeting or surpassing industry standards including MASVS L1 and L2.
What is MASVS? (Mobile Application Security Verification Standard)
As security testing has evolved, it has been noted that mobile app security testing reports can sometimes be confusing: ‘all over the place.’
For example, some testers report a lack of obfuscation or root detection in an Android app as a “security flaw”.
On the other hand, measures like string encryption, debugger detection or control flow obfuscation aren't considered mandatory.
This binary way of looking at things doesn't make sense, because resiliency is not a binary proposition: it depends on the particular client-side threats one aims to defend against.
Software protections are not useless, but they can ultimately be bypassed, so they must never be used as a replacement for security controls.
The overall goal of the MASVS is to offer a baseline for mobile application security (MASVS-L1), while also allowing for the inclusion of defense-in-depth measures (MASVS-L2) and protections against client-side threats (MASVS-R).
What does MASVS achieve?
- Provide requirements for software architects and developers seeking to develop secure mobile applications;
- Offer an industry standard that can be tested against in mobile app security reviews;
- Provide specific recommendations as to what level of security is recommended for different use-cases.
What levels of MASVS are available?
MASVS-L1 for all mobile apps
MASVS-L1 lists security best practices that can be followed with a reasonable impact on development cost and user experience. Apply the requirements in MASVS-L1 to any app that doesn't qualify for one of the higher levels.
MASVS-L2 for health-care and financial industry mobile apps
Mobile apps that store personally identifiable information that can be used for identity theft, fraudulent payments, or a variety of fraud schemes.
Health-care industry:
- For the US healthcare sector, compliance considerations include the Health Insurance Portability and Accountability Act (HIPAA);
- the Privacy, Security and Breach Notification Rules;
- the Patient Safety Rule.
Financial industry:
- Apps that enable access to highly sensitive information like credit card numbers or personal information, or that allow the user to move funds.
- These apps warrant additional security controls to prevent fraud. Financial apps need to ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS), the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act (SOX).
MASVS L1+R for mobile apps where IP protection is a business goal
The resiliency controls listed in MASVS-R can be used to increase the effort needed to obtain the original source code and to impede tampering / cracking.
MASVS-R for mobile games
Games with an essential need to prevent modding and cheating, such as competitive online games. Cheating is an important issue in online games, as a large number of cheaters leads to a disgruntled player base and can ultimately cause a game to fail.
MASVS-R provides basic anti-tampering controls to help increase the effort for cheaters.
MASVS L2+R for financial industry mobile apps
Online banking apps that allow the user to move funds, where techniques such as code injection and instrumentation on compromised devices pose a risk.
In this case, controls from MASVS-R can be used to impede tampering, raising the bar for malware authors.
This level also applies to all mobile apps that, by design, need to store sensitive data on the mobile device and at the same time must support a wide range of devices and operating system versions. In this case, resiliency controls can be used as a defense-in-depth measure to increase the effort for attackers aiming to extract the sensitive data.
While the MASVS is still in beta release, it is a guideline for security for mobile applications and its implementation is strongly encouraged.
The text in the MASVS section is extracted and adapted from the OWASP website.