
Improving the Security of Mobile Applications With Pentests According to MASVS
Lars Hostettler | 09.04.2026 (updated on: 09.04.2026)

Mobile applications have become an integral part of our daily lives and are growing increasingly important for businesses, especially in industries that handle highly sensitive data. A recent example from the banking sector illustrates this clearly: Over 10 % of the Swiss population now uses neo banks (linked page in German) – banks that typically interact with their customers exclusively through a single mobile application.

Mobile applications offer many advantages, but they also present a surface for attacks. Just like web applications, they are vulnerable to numerous security risks. This is exactly where penetration tests (pentests) according to the OWASP Mobile Application Security Verification Standard (MASVS) come into play. They systematically identify vulnerabilities and help companies protect their applications against cyberattacks.

But what exactly is a penetration test according to MASVS and what do professional security experts pay particular attention to? We summarize the most important facts.

Mobile Application Security Verification Standard (MASVS)

The OWASP Mobile Application Security Verification Standard (MASVS) is part of the OWASP Mobile Application Security (MAS) Project, an initiative of the Open Worldwide Application Security Project (OWASP). OWASP is a nonprofit organization dedicated to improving digital security worldwide. It is best known for the OWASP Top Ten, a list of the most common security risks for web applications.

The MASVS defines clear “controls”: specific security requirements that state which protective measures a mobile application should implement. These requirements are divided into groups, each covering a key security area:

  • MASVS-Storage: Sensitive data shall be stored securely and protected against leaks.
  • MASVS-Crypto: The cryptography used shall comply with best practices to protect sensitive data.
  • MASVS-Auth: Access to the application and the associated data shall be protected and restricted to authorized users only.
  • MASVS-Network: Network traffic to the backend (API gateway) shall be protected against eavesdropping and manipulation.
  • MASVS-Platform: The mechanisms offered by the platform shall be used securely. This applies, for example, to the secure use of the user interface (protection against shoulder surfing, etc.).
  • MASVS-Code: Security issues in the application’s own source code are addressed. This applies, for example, to the use of third-party libraries.
  • MASVS-Resilience: Measures to prevent reverse engineering, tampering, and misuse shall be implemented to ensure the integrity of the application.
  • MASVS-Privacy: The focus is on protecting the privacy of the app’s users. For example, the goal is to collect as little data about them as possible. 

In a mobile application pentest, these requirements serve as a structured testing framework, a catalog of security requirements: penetration testers systematically verify whether the defined controls are being followed and document any deviations. Two additional subprojects, described below, make this possible in practice.

MASWE and MASTG as Supplements for Testing the Controls of the MASVS

To support developers and penetration testers in the practical implementation, OWASP has expanded the MASVS with two additional components:

  • Mobile Application Weakness Enumeration (MASWE)
  • Mobile Application Security Testing Guide (MASTG)

OWASP has illustrated the interaction between these components in the following diagram:

Figure 1: Created by the author, based on an OWASP graphic (https://mas.owasp.org/assets/news/mas_v2_arch.png)

While the MASVS defines the requirements for a secure mobile application, MASWE and MASTG provide additional details on typical vulnerabilities and how they can be tested in practice.

Mobile Application Weakness Enumeration (MASWE)

The MASWE (currently still in beta) identifies specific vulnerabilities that are associated with the security controls defined in the MASVS. For each vulnerability, the MASWE provides a description, potential impacts, and possible corrective actions.

Some of the vulnerabilities only affect Android or iOS, but most apply to both platforms. In addition, all vulnerabilities are categorized into different testing profiles, allowing companies to select the appropriate security level for their mobile application:

Security Profiles

L1 – Basic Security Profile

  • L1 serves as the foundation and is recommended for all mobile applications.
  • Goal: Protection against general threats and implementation of key security best practices
  • Assumption: The user is not acting maliciously and the operating system’s security controls can be trusted; however, other apps on the device are considered potentially malicious
  • Suitable for applications without particularly sensitive functions or data

L2 – Advanced Security Profile

  • L2 extends L1 and addresses advanced threats.
  • Goal: Protection even on compromised devices (e.g., root/jailbreak)
  • Assumption:
    • In addition to L1, the operating system’s security controls are no longer trusted
    • Furthermore, third parties with or without physical access are considered potential attackers
  • Recommended for apps with sensitive functions or data

R – Resilience Profile

This profile focuses on the application’s resilience.

  • Goal: Protection against reverse engineering and manipulative threats; this can be important, for example, if an application has premium features that require payment and you want to prevent these from being unlocked without authorization
  • Assumption: In addition to L2, the user themselves is also considered a potential threat
  • Recommended for apps that require application logic or business-critical data to be protected, such as proprietary software or paid features

P – Privacy Profile

This profile addresses the protection of user privacy.

  • Goal:
    • Focus on privacy-friendly implementations
    • Includes best practices for protecting sensitive user information
  • Recommended for all applications that process personal or sensitive data

The profiles can be combined to achieve the desired security level – for example, L2 + P + R.

Mobile Application Security Testing Guide (MASTG)

The Mobile Application Security Testing Guide (MASTG) is a practical guide to security testing of mobile applications. While the MASVS defines security requirements and the MASWE describes typical vulnerabilities, the MASTG shows how these vulnerabilities can be tested in practice.

For the vulnerabilities defined in the MASWE, the MASTG provides appropriate test cases and test methods. These are assigned to the corresponding platforms (Android or iOS) as well as the respective security profiles. This allows penetration testers to systematically verify whether the security controls defined in the MASVS have been correctly implemented.

Each test case in the MASTG typically contains:

  • a short description of the test objective
  • an overview of the required prerequisites
  • specific test steps for execution
  • notes on expected observations and evaluation

In addition, links to best practices and further resources are often provided. In many cases, the MASTG also includes detailed demonstrations in which a test application with a corresponding vulnerability is provided. Using this application, the respective test case is demonstrated step by step.

Alongside the test cases, the MASTG also offers extensive background knowledge on mobile application security. This includes, among other things:

  • Comprehensive description of Android and iOS: Information about the platforms themselves as well as their security features. These topics are explored in greater depth in the Knowledge Base, which contains detailed articles covering subjects such as key attestation in Android.
  • More than 30 best practices for mobile application security, which are continuously updated.
  • Various techniques relevant to mobile application penetration testing, such as signing IPA files.
  • Various tools for testing applications: For example, the Burp Suite tool, which can be used to test the application’s HTTP traffic.
  • Test applications for self-study and for testing specific test cases, techniques, or tools. These may be used at one’s own risk.

MASVS Pentests in Practice

The advantage of using the MASVS as a guide for a penetration test is therefore clear: The tests are based on clearly defined security controls and draw on established, field-proven testing methods. At the same time, the standard is continuously refined and updated by the cybersecurity community, ensuring that new attack techniques and best practices are regularly incorporated.

For this reason, professional penetration testers also frequently use the MASVS as a guide. This allows them to ensure that all security-relevant areas of a mobile application are systematically tested. Instead of relying solely on the assessment of a single company, the evaluation is based on a recognized industry standard.

Furthermore, the OWASP Mobile Application Security Project also offers significant value to developers and security specialists. The extensive resources enable continuous professional development and help make mobile applications more resilient to attacks in the long term.

Conclusion – Strengthening Cyber Resilience Through Structured Penetration Tests

Together, MASVS, MASWE, and MASTG form a comprehensive framework for mobile application security:

The MASVS defines security requirements through its security controls, the MASWE describes typical vulnerabilities, and the MASTG provides specific testing methods as well as a comprehensive reference guide for verifying them.

Combined, these components enable structured testing of mobile applications. Companies are provided with a clear foundation for identifying and specifically addressing security vulnerabilities. In this way, OWASP makes a decisive contribution to strengthening the cyber resilience of mobile applications and making them safer, more resilient, and more trustworthy for users.

Professional Testing of Mobile Applications

Do you operate a mobile application and want to have it tested for security vulnerabilities?

As part of a mobile application penetration test, Oneconsult’s experts will conduct a structured and practical analysis of your application – based, among other things, on the MASVS. You will then receive a clear assessment of the identified vulnerabilities, along with specific recommendations on how to further improve the security and resilience of your application.


Authors

Lars Hostettler earned his bachelor’s degree in computer science from the Bern University of Applied Sciences, with a focus on IT security. He has been working as a penetration tester at Oneconsult since 2024.

David Prinz has been working in the field of penetration testing at Oneconsult since April 2022 and is pursuing a part-time degree in computer science with a focus on information security at the Swiss Distance University of Applied Sciences.
