V1: Architecture, Design, and Threat Modeling Requirements – lists requirements for the architecture and design of the app. This control has 12 security verification requirements, of which only 5 are included in Level 1.
V2: Data Storage and Privacy Requirements – aim to validate the adequate protection of sensitive data handled by the app.
V3: Cryptography Requirements – ensure that the evaluated app uses cryptography according to industry best practices, specifically through the use of international standards.
V4: Authentication and Session Management Requirements – this control validates how sessions are handled when an app exchanges information with a remote server.
V5: Network Communication Requirements – validate that the communications in the app were designed to protect the confidentiality and integrity of information exchanged between the mobile app and remote service endpoints, for example by using the TLS protocol with adequate settings.
V6: Environmental Interaction Requirements – this control validates that the app uses platform APIs and standard components in a secure manner, and checks how it handles inter-app communication (IPC).
V7: Code Quality and Build Setting Requirements – aim to ensure that simple security coding practices, such as obfuscation, are followed in the development of the app and that the compiler activates several security mechanisms to avoid debugging.
V8: Resiliency Against Reverse Engineering Requirements – covers several defense-in-depth features that prevent an external actor from using techniques such as tampering, debugging, and reverse engineering.
OWASP has released the Mobile Security Testing Guide (MSTG), which specifies test cases for each requirement, to verify the OWASP Mobile Application Security Verification Standard.
As part of its service portfolio, DEKRA offers evaluations based on MASVS and Google’s MASA to guarantee to application developers and owners that their apps meet the requirements established by these standards, substantially reducing the attack surface that could exist in the process of developing an application.
Does your application meet the required security standards?