Lecture 8: MASVS - Security Checklist PDF

Summary

This document provides a lecture on the MASVS (Mobile Application Security Verification Standard) security checklist. It covers the aspects of secure mobile application development and deployment that the standard verifies, focusing on areas like data storage, cryptographic techniques, and authentication protocols, and serves as a guide for developers implementing robust security measures in mobile applications.

Full Transcript


ITMC411 Security in mobile computing
LECTURE 8: Mobile Application Security Verification Standard (Security Checklist)

The MASVS Control Groups

The standard is divided into various groups of controls, labeled MASVS-XXXXX, that represent the most critical areas of the mobile attack surface:
- MASVS-STORAGE: Secure storage of sensitive data on a device (data-at-rest).
- MASVS-CRYPTO: Cryptographic functionality used to protect sensitive data.
- MASVS-AUTH: Authentication and authorization mechanisms used by the mobile app.
- MASVS-NETWORK: Secure network communication between the mobile app and remote endpoints (data-in-transit).
- MASVS-PLATFORM: Secure interaction with the underlying mobile platform and other installed apps.
- MASVS-CODE: Security best practices for data processing and keeping the app up-to-date.
- MASVS-RESILIENCE: Resilience to reverse engineering and tampering attempts.
- MASVS-PRIVACY: Privacy controls to protect user privacy.

MASVS-STORAGE

MASVS-STORAGE-1: Securely Store Sensitive Data
- Encryption at Rest: Use strong encryption algorithms like AES-256 to protect sensitive data when stored on the device.
- Secure Storage Locations: Utilize platform-specific secure storage solutions, such as Android Keystore or iOS Secure Enclave, for sensitive data like keys and tokens.
- Key Management: Store encryption keys separately from the data and protect them using hardware-backed key management systems.

MASVS-STORAGE-2: Prevent Leakage of Sensitive Data
- No Sensitive Data in Logs: Avoid logging sensitive data or exposing it in error messages or stack traces.
- Exclude from Unencrypted Backups: Ensure sensitive data is not included in backups unless encrypted first.
- Data Minimization: Store only the minimum amount of sensitive data required for the app's functionality.
- Secure Data Transfer: Prevent sensitive data from being stored in insecure locations or transmitted unencrypted.
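The following added example (written for this page, not code from the lecture or from OWASP) shows the MASVS-STORAGE-2 "no sensitive data in logs" control as a log filter that scrubs secrets before a record is written. The secret field names and the sample log lines are assumptions, and Python stands in for the app's own language to keep the logic visible.

```python
import logging
import re

# Field names treated as secrets are assumptions about a typical app's payloads;
# extend the list for the app under review.
SECRET_PATTERNS = [
    # password-like fields: key=value, key: value or "key": "value"
    re.compile(r'(?i)\b(password|passwd|pin|otp|secret)\b("?\s*[=:]\s*"?)([^"&\s,}]+)'),
    # bearer tokens in Authorization headers
    re.compile(r'(?i)(authorization"?\s*[=:]\s*"?bearer\s+)([A-Za-z0-9._~+/-]+=*)'),
    # session identifiers
    re.compile(r'(?i)(session(?:id)?"?\s*[=:]\s*"?)([A-Za-z0-9._~+/-]+=*)'),
]

def redact(text: str) -> str:
    """Replace the value part of every matched secret with [REDACTED], keeping the key."""
    for pattern in SECRET_PATTERNS:
        text = pattern.sub(lambda m: "".join(m.groups()[:-1]) + "[REDACTED]", text)
    return text

class RedactingFilter(logging.Filter):
    """Scrubs secrets from every record before any handler formats or writes it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # fold the args in, then scrub
        record.args = ()
        return True

def make_logger(name: str = "app") -> logging.Logger:
    logger = logging.getLogger(name)
    logger.addFilter(RedactingFilter())  # a filter on the logger covers every handler
    return logger

# Constructed sample lines, not real traffic.
SAMPLE_LINES = [
    "login attempt user=alice password=Hunter2! result=ok",
    "GET /api/profile Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig",
    '{"otp": "483920", "sessionId": "9f8e7d6c"}',
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    log = make_logger()
    for line in SAMPLE_LINES:
        log.info("%s", line)  # written with each secret value replaced by [REDACTED]
```

The same filter also covers exceptions logged with exc_info only if their messages are scrubbed before being raised, so error messages and stack traces still need review.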
MASVS-STORAGE Best Practices
- Platform-Specific Solutions: Use Keychain on iOS and Keystore on Android for secure data storage.
- Regular Security Audits: Perform code reviews, penetration testing, and security audits frequently.
- Secure File Storage: Store sensitive files in encrypted directories or use secure file APIs provided by the platform.

MASVS-CRYPTO

MASVS-CRYPTO-1: Use Strong Cryptography and Follow Best Practices
- Encryption Algorithms: Use secure algorithms (e.g., AES-256 for symmetric encryption, RSA-2048/3072 for asymmetric encryption).
- Hash Functions: Use secure functions like SHA-256 or SHA-3; avoid weak ones (e.g., MD5, SHA-1).
- Key Derivation: Employ KDFs like PBKDF2, bcrypt, or scrypt for handling passwords.
- TLS for Communication: Use TLS 1.2+ for secure data transmission.
- Secure Libraries: Implement cryptography using trusted libraries (e.g., BouncyCastle, OpenSSL) and keep them updated.

MASVS-CRYPTO-2: Perform Secure Key Management
- Secure Key Storage: Use HSMs, TEEs, or platform features like Android Keystore or iOS Secure Enclave.
- Key Separation and Rotation: Use separate keys for different purposes and rotate them periodically.
- No Hardcoding: Avoid storing keys in source code or insecure locations.
- Key Destruction: Securely delete keys when they are no longer needed.

MASVS-CRYPTO Industry Guidelines and Best Practices
- Follow standards like NIST SP 800-57 and ISO/IEC 27001.
- Use platform-native key management solutions for mobile applications (e.g., Keychain for iOS, Keystore for Android).

MASVS-AUTH

MASVS-AUTH-1: Secure Authentication and Authorization Protocols
- Authentication Protocols: Use OAuth 2.0, OpenID Connect, or SAML 2.0 for secure and standardized user authentication.
- Multi-Factor Authentication (MFA): Require a second authentication method (e.g., OTP or biometrics) for added security.
- Secure Tokens: Use secure tokens (e.g., JWT) and handle expiration/renewal properly to prevent misuse.
- Least Privilege Principle: Limit user access to only the permissions necessary for their role.
Best Practices:
- Enforce strong password policies (length, complexity).
- Protect against brute force, credential stuffing, and session hijacking.
- Use TLS/SSL for secure transmission during authentication.

MASVS-AUTH-2: Secure Local Authentication
- Platform-Specific Mechanisms: Use native systems like Face ID or Touch ID (iOS) and the BiometricPrompt API (Android).
- Secure Credential Storage: Encrypt credentials and store them securely (e.g., iOS Keychain, Android Keystore).
- Biometric Authentication: Use biometrics securely; never store raw biometric data.
Best Practices:
- For iOS, use the LocalAuthentication framework.
- For Android, use the BiometricPrompt API for secure authentication.

MASVS-AUTH-3: Additional Authentication for Sensitive Operations
- Re-authentication: Require password or biometric re-authentication for critical actions (e.g., financial transactions).
- Session Expiry: Enforce session timeout for inactive users to prevent session hijacking.
- Time-Based Tokens: Use TOTP or MFA for high-risk operations.
Examples of Sensitive Operations:
- Transferring funds or updating payment details.
- Accessing personal or confidential data.
- Modifying system-level settings or configurations.

MASVS-NETWORK

MASVS-NETWORK-1: Secure All Network Traffic
- TLS Encryption: Use TLS 1.2 or 1.3 to secure data in transit and prevent interception or tampering.
- Disable Insecure Protocols: Avoid outdated protocols like SSL and early TLS versions.
- Certificate Validation: Always validate SSL/TLS certificates to verify server authenticity and prevent MITM attacks.
- Encrypt Sensitive Data: Transmit sensitive information (e.g., passwords, tokens) securely, even in trusted networks.
Best Practices:
- Enable Perfect Forward Secrecy (PFS) to protect session keys.
- Use HTTP Strict Transport Security (HSTS) to enforce secure connections.
MASVS-NETWORK-2: Perform Identity Pinning for Remote Endpoints
- Public Key Pinning (HPKP): Verify server public keys to ensure only authorized servers respond to app requests.
- TLS/SSL Certificate Pinning: Pin certificates to prevent interception via unauthorized certificates.
- Handle Pinning Failures: Provide secure fallback mechanisms for certificate changes, such as notifying users or stopping sensitive operations.
Best Practices:
- Rotate pinned keys or certificates periodically.
- Monitor unauthorized certificate issuance using Certificate Transparency Logs.

MASVS-PLATFORM

MASVS-PLATFORM-1: Secure Use of IPC Mechanisms
- Secure Data Sharing: Ensure that IPC mechanisms (e.g., Intent on Android, URL Schemes on iOS) do not expose sensitive data to unauthorized apps or processes.
- Use Strong Permissions: Implement strict permissions and ACLs to control which apps or processes can access sensitive data via IPC.
- Validate Data: Always validate and sanitize data received through IPC to prevent malicious input.
Best Practices:
- Use secure flags and explicit permissions to limit communication to trusted processes.
- Avoid shared memory or insecure communication channels.

MASVS-PLATFORM-2: Secure Use of WebViews
- Disable JavaScript: Enable JavaScript in WebViews only when it is necessary, to reduce exposure to XSS attacks.
- Restrict Navigation: Implement URL whitelisting to ensure WebViews load only trusted domains.
- Secure Communication: Encrypt communication between WebViews and the app backend using TLS, ensuring no sensitive data is exposed.
Best Practices:
- Use secure flags like setAllowUniversalAccessFromFileURLs(false) to prevent unsafe content loading.
- Regularly update the WebView component to the latest secure version.

MASVS-PLATFORM-3: Secure Use of the User Interface
- Prevent Sensitive Data Exposure: Avoid displaying sensitive information on the UI unless necessary. Use secure input fields and avoid plain text display of sensitive data.
- Protect Against Screen Capture: Implement mechanisms to prevent screen capture or recording when displaying sensitive data.
- User Interaction & Authorization: Ensure secure authentication for sensitive actions and prompt for confirmation during critical operations (e.g., financial transactions).
Best Practices:
- Use secure UI components (e.g., biometric authentication dialogs).
- Implement timeouts or auto-logout for sensitive data apps to prevent unauthorized access during inactivity.

MASVS-CODE

MASVS-CODE-1: Use of Up-to-Date Platform Version
- Use the latest stable platform versions (e.g., Android 13, iOS 17) for security and performance improvements.
- Avoid using deprecated APIs that are unsupported in newer platform versions.
- Update development tools (e.g., Android Studio, Xcode) for the latest security features.
Best Practices:
- Regularly monitor for platform updates and incorporate them into the development process.
- Test the app on the latest platform versions for compatibility and security.

MASVS-CODE-2: Enforcing App Updates
- Force updates for critical patches to address security vulnerabilities.
- Notify users about new versions via in-app or push notifications for non-critical updates.
- Secure the update mechanism using trusted app stores or secure internal systems.
Best Practices:
- Use feature flags or remote configuration to trigger forced updates.
- Implement rollback mechanisms in case an update causes issues.

MASVS-CODE-3: Use of Secure Software Components
- Use trusted, actively maintained libraries and frameworks with a good security record.
- Regularly update third-party components and patch security vulnerabilities.
- Avoid deprecated or unmaintained components.
Best Practices:
- Use Software Composition Analysis (SCA) tools to detect known vulnerabilities in components.
- Review and audit third-party components for security before integrating them.
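The URL whitelisting called for in MASVS-PLATFORM-2 above, as an added example rather than code from the lecture: a fail-closed navigation check a WebView client can apply before loading a URL. The allowed hosts are assumptions, and Python is used to show the parsing pitfalls (userinfo, prefix lookalikes, non-https schemes, odd ports) that an Android or iOS implementation must handle the same way.

```python
from urllib.parse import urlsplit

# Allowed destinations are assumptions for this example.
ALLOWED_HOSTS = {"app.example.com", "api.example.com"}   # exact matches only
ALLOWED_PARENTS = {"static.example.com"}                 # any subdomain of these

def host_allowed(host: str) -> bool:
    host = host.lower().rstrip(".")   # "app.example.com." names the same FQDN
    if host in ALLOWED_HOSTS:
        return True
    # the suffix match must include the leading dot, or "evilstatic.example.com" would pass
    return any(host.endswith("." + parent) for parent in ALLOWED_PARENTS)

def should_load_url(url: str) -> bool:
    """Return True only for https URLs whose host is on the allowlist; anything the
    check cannot parse or does not recognise is refused (fail closed)."""
    try:
        parts = urlsplit(url)
        port = parts.port                     # raises ValueError for a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() != "https":       # rejects http:, javascript:, file:, data:, intent:
        return False
    if parts.username is not None or parts.password is not None:
        return False                          # https://app.example.com@evil.example/ lookalikes
    if port not in (None, 443):
        return False
    return bool(parts.hostname) and host_allowed(parts.hostname)

# Constructed navigation requests a WebView might see, paired with the expected decision.
SAMPLE_REQUESTS = [
    ("https://app.example.com/account", True),
    ("https://img.static.example.com/logo.png", True),
    ("http://app.example.com/account", False),          # plaintext transport
    ("https://app.example.com.evil.example/", False),   # allowed name used as a prefix
    ("https://app.example.com@evil.example/", False),   # allowed name in the userinfo part
    ("https://evilstatic.example.com/", False),         # no dot before the parent domain
    ("javascript:alert(1)", False),                     # script URL, not a navigation
]

if __name__ == "__main__":
    for url, expected in SAMPLE_REQUESTS:
        verdict = "ALLOW" if should_load_url(url) else "BLOCK"
        print(f"{verdict:5}  {url}  (expected {'ALLOW' if expected else 'BLOCK'})")
```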
MASVS-CODE-4: Input Validation and Sanitization
- Validate input types, formats, and ranges to ensure data conforms to expectations.
- Sanitize user-generated data to prevent injection attacks (e.g., SQL injection, XSS).
- Apply the principle of least privilege by limiting inputs to the minimum required.
Best Practices:
- Use secure input handling methods like parameterized queries or ORM frameworks.
- Implement input whitelisting to prevent injection of dangerous characters.

MASVS-RESILIENCE

MASVS-RESILIENCE-1: Platform Integrity Validation
Objective: Ensure the platform hasn't been tampered with (e.g., rooting or jailbreaking).
Key Actions:
- Use platform-specific tools (e.g., Android SafetyNet, iOS DeviceCheck) to detect root/jailbreak status.
- Perform integrity checks on system files and app components (e.g., file hashes, signature verification).
- Restrict sensitive operations to secure environments only.

MASVS-RESILIENCE-2: Anti-Tampering Mechanisms
Objective: Prevent or detect tampering with the app's code or behavior.
Key Actions:
- Code Obfuscation: Rename variables/methods to make reverse engineering harder.
- Anti-Debugging: Implement techniques to block debugger tools.
- File Integrity: Use cryptographic hashes to ensure app files haven't been altered.

MASVS-RESILIENCE-3: Anti-Static Analysis
Objective: Prevent static analysis (e.g., decompiling the app).
Key Actions:
- Code Obfuscation and Encryption: Protect code from decompiling tools.
- Sensitive Data Protection: Avoid hardcoding secrets like API keys directly in the code.
- No Debug Info: Remove or obfuscate debug/logging information before release.

MASVS-RESILIENCE-4: Anti-Dynamic Analysis
Objective: Defend against runtime analysis (e.g., inspecting app behavior during execution).
Key Actions:
- Runtime Detection: Detect if the app is running in an emulator or controlled environment.
- Anti-Tamper Features: Prevent runtime debugging or manipulation (e.g., Frida, Xposed).
- Secure Runtime: Use secure runtime environments like Secure Enclaves for critical operations.

MASVS-PRIVACY

MASVS-PRIVACY-1: Minimize Access to Sensitive Data
Objective: Limit data access to only what is necessary for the app's functionality.
Key Actions:
- Collect only essential data; avoid sensitive data unless absolutely required.
- Use least privilege for sensitive resources (e.g., location, contacts, camera) with explicit user permission.
- Apply data minimization to ensure only necessary data is stored.
Best Practices:
- Implement permission-based access for sensitive resources.
- Regularly audit the data the app collects.

MASVS-PRIVACY-2: Prevent User Identification
Objective: Avoid unnecessary tracking or identification of users.
Key Actions:
- Anonymize user data where possible, especially for analytics.
- Use tracking technologies only with user consent and for legitimate purposes.
- Limit identifiable information to what is needed or consented to by the user.
Best Practices:
- Implement anonymous modes or guest access where identification is not necessary.
- Use pseudonymization to reduce identifiable data risks.

MASVS-PRIVACY-3: Transparency About Data Collection
Objective: Be clear about data collection, usage, and sharing practices.
Key Actions:
- Provide a clear, accessible privacy policy detailing data usage, storage, and sharing.
- Inform users of data collection at the time of request, explaining why it's needed.
- State data retention periods and deletion processes.
Best Practices:
- Include a prominent link to the privacy policy in the app.
- Implement in-app transparency notices, especially for sensitive data (e.g., location, health data).

MASVS-PRIVACY-4: User Control Over Data
Objective: Allow users to manage, access, and delete their data.
Key Actions:
- Provide users with options to view, update, and delete their data (e.g., GDPR, CCPA compliance).
- Enable data portability by allowing users to export their data in a readable format.
- Provide opt-out options for data collection or tracking without affecting core functionality.
Best Practices:
- Implement features for account deletion and data export.
- Offer clear instructions on how users can manage or delete their data in the app settings.

Conclusion and Summary
1. MASVS-STORAGE: Secure storage of sensitive data and prevention of leakage.
2. MASVS-CRYPTO: Use of strong encryption and secure key management.
3. MASVS-AUTH: Implementation of secure authentication and authorization protocols.
4. MASVS-NETWORK: Securing network communications with encryption and identity pinning.
5. MASVS-PLATFORM: Ensuring secure interaction with platform features (e.g., IPC, WebViews).
6. MASVS-CODE: Maintaining code quality, using up-to-date platform versions, and validating untrusted inputs.
7. MASVS-RESILIENCE: Defending against reverse engineering and tampering through integrity checks and anti-debugging mechanisms.
8. MASVS-PRIVACY: Protecting user privacy by minimizing data collection, ensuring transparency, and giving users control over their data.

References
- OWASP MASVS Official Documentation: https://mas.owasp.org/MASVS/
- OWASP Mobile Application Security Testing Guide (MASTG): https://mas.owasp.org/MASTG/
- OWASP Mobile Security Testing Checklist: https://mas.owasp.org/checklists/
