And Why Apple, Google and Huawei Need to Participate
The OWASP MAS project continues to lead the way in mobile application security. This article describes the resources and tools which have recently been added to OWASP MAS, which provides mobile app security guidance and tools for developers and security professionals alike. Also, we will argue that OWASP really deserves to receive the full support of the major mobile platform and device vendors.
OWASP MAS announced new tools in August 2024.
As developers and organizations continue to create mobile applications, and as regulations such as the EU DMA and the UK DMCC take effect, it's essential to ensure that best practices for mobile app security are widely available to the developer community. OWASP MAS is in a position to play this community role and has a long list of corporate sponsors. But there is a need for everyone to contribute - it would be nice if Apple, Google and Huawei were on that list of sponsors, but they are missing in action.
New Updates from OWASP MAS
OWASP continues to update and reinforce the Mobile Application Security guidelines and tools. As we pointed out in our previous blogs on the topic, OWASP MAS received a major update last year. At the beginning of 2024, the OWASP Mobile Top Ten was also brought up to date.
The momentum continues with the latest news from the OWASP MAS team announcing a redesign of the testing guide and new tools.
OWASP MAS offers a comprehensive suite of tools and resources, the most important being:
- The verification standard (MASVS), which describes at a high level of abstraction the controls or attack surfaces that should be protected
- The testing guide (MASTG), which delves deep into iOS and Android, providing detailed information on the actual tests
Last year's update saw the publication of the new MASVS v2.0 document which drove a major simplification and clarification of the overall security categories and controls.
However, this left a gap between the high-level MASVS categories and the detailed MASTG, which was not updated at the same time and was still structured around the previous version of MASVS.
This has now been addressed: the MAS team is refactoring the MASTG to be easier to navigate and better aligned with MASVS v2.0, making the link between controls and specific tests explicit.
The MASTG is now structured in a way that makes it easy to navigate between tests, techniques and tools. This promotes reusability. For example, you can open a test and see what tools and techniques are being used, and the intent is that eventually this will work in reverse too so everything is cross-referenced: you will be able to open a tool or technique and see all the tests that use it.
Also added to MASTG are new demos: practical demonstrations that include working code samples and test scripts.
In addition, a brand new initiative, the Mobile App Security Weakness Enumeration (MASWE), has been launched, designed to fill the gap between high-level MASVS controls and low-level MASTG tests. The MASWE identifies specific weaknesses in mobile applications, similar to Common Weakness Enumerations (CWEs).
This all sounds great but there is much work to be done. These tools are not final and there are a number of empty templates in the new MASWE. This is a community project after all, so the OWASP MAS team is seeking help from everyone with a stake in the game, saying: “You can also contribute to the project by creating new weaknesses, tests, techniques, tools, or demos. We welcome all contributions and feedback, and we look forward to working with you to make the MAS project the best it can be.”
Meanwhile Apple, Google and Huawei Pursue a Proprietary Approach to App Security
While OWASP MAS champions best-practice sharing and collaboration, the major mobile platform providers like Apple, Google, and Huawei are pursuing proprietary security solutions.
These approaches come with significant drawbacks:
- Vendor Lock-in: Developers become tethered to platform-specific security implementations, limiting flexibility and portability.
- Reduced Innovation: Closed ecosystems can stifle the cross-pollination of ideas and slow the pace of security advancements.
- Fragmentation: Disparate security standards across platforms increase complexity for developers targeting multiple ecosystems.
The Way Forward - It's Time to Engage with OWASP MAS
To truly advance mobile app security, the industry must move towards a model of open standards and collaboration. This approach would:
- Leverage the collective expertise of the global security community
- Reduce fragmentation and complexity in security implementations
- Foster an environment of continuous improvement and innovation
OWASP MAS is well positioned to play this role and everyone in the mobile community should find a way to contribute.
Finally, it would be great to see Apple, Google and Huawei throw their weight behind OWASP MAS too. They have much they can contribute, and they could play a pivotal role in shaping a more secure mobile ecosystem for all - rather than continuing to defend their “walled gardens”.
Mobile app security is too important to be siloed within proprietary ecosystems. As the digital landscape evolves, collaboration and open standards will be key to staying ahead of emerging threats and ensuring the safety of mobile users worldwide.