Google MASA: Assessing the security of apps available in the Play Store

A song starts playing on the radio. You like it and think «who could it be from?» You open your phone and download an app to recognize it for you. Then you download another app to listen to it again. You like it so much that you go to another app to find out more about the artist. And so on ad infinitum. Our cell phones are full of the most diverse applications. Apps that we use to manage our bank accounts, send messages or check the weather forecast. These applications have access to a lot of our data. We give them permission to know our location or access our photo gallery. But are the apps available in the Play Store that we install on our mobile devices secure? The Google MASA initiative aims to evaluate the security of apps to give users the assurance that they are safe.

MASA stands for Mobile Application Security Assessment. This project, launched by Google through the App Defense Alliance, seeks to ensure the security of the apps that billions of people download through the Play Store.

If mobile applications have acquired enormous importance and presence in our daily lives, their security is essential to protect our devices, but also our privacy or our businesses, against cyber-attacks that may violate them.

What applications does Google MASA want to evaluate? All those that are available in the Play Store. The company clarifies that the evaluation of the security of apps through Google MASA protocols is not expected to be mandatory, but it is certainly recommended and its execution will imply that Google certifies that the app has passed the security evaluation. This will increase user confidence.

1. App Defense Alliance: Ensuring Play Store security

Google MASA is one of the three initiatives launched by the App Defense Alliance founded by the multinational company to achieve a central objective: to improve the security of the Play Store and the entire ecosystem of applications it hosts. The other two initiatives are:

• Malware Mitigation. A project focused on detecting potentially harmful applications and stopping them before they become accessible to all users on Google Play. To do this, Google and its partners scan and assess the risk of apps that are in the queue to be published on Google Play.
• CASA. An initiative focused on assessing the security of apps in the cloud.

The App Defense Alliance’s mission rests on five core principles that govern the various initiatives being put in place:

• Protection. Defending Android users against malware, ransomware, and other emerging threats in the cybersecurity landscape.
• Collaboration. Google assumes that to achieve app securitization, it is essential to have the support and collaboration of other industry players, such as cybersecurity and cyberintelligence services companies.
• Education. Both application developers and users must be aware of the importance of security and carry out good practices in the development and use of applications, respectively.
• Transparency. Encourage the transfer of valuable information, to build a more secure application ecosystem.
• Evolution. Attackers are constantly innovating and optimizing their techniques and tactics. Therefore, it is essential to constantly evaluate applications in search of new threats.

2. Google MASA. A three-level security assessment system

Taking into account the aspirations and principles of the App Defense Alliance, Google MASA is set to be a far-reaching and impactful initiative in the way mobile applications are developed and protected.

The evaluation system is based on OWASP’s MASVS. That is the security verification standard for mobile applications developed by the OWASP foundation, which has become a canonical reference worldwide. Given the above, Google MASA simply promotes the security verification of apps available in the Play Store, using the OWASP methodology and offering a security certification to those apps that successfully pass the evaluation.

Precisely, Google’s role is limited to the conception of the initiative and the issuance of the certifications, which will be visible in the security section of each app. The rest of the process is left to developers and labs authorized by Google to carry out the evaluation.

Thus, Google MASA is based on three levels:

• The security requirements demanded in MASVS Level 1.
• The procedures to perform the tests that verify these requirements are included in the MSTG; the OWASP guide to performing security tests on mobile devices.
• The expertise and knowledge accumulated by laboratories and companies that provide cybersecurity services in the elaboration of such tests and the analysis of the results obtained.

2.1. MASVS

OWASP is a foundation dedicated to collecting best practices in cybersecurity and transferring information that is useful to analysts and specialists. Its enormous production of knowledge has made it a truly global benchmark. So much so that the OWASP methodology has become a standard worldwide. A fact that Google recognizes when it bases its MASA initiative on this technology methodology.

Among its many projects, MASVS stands out, as a guide focused on standardizing the security requirements that mobile applications must meet to guarantee protection against malicious attacks. For this purpose, MASVS builds a system that combines verification levels and verification requirements.

2.1.1. Verification levels

MASVS stipulates three levels depending on the level of security to be achieved in the application:

• Level 1 (L1). Standard security. This level is recommended for all mobile applications. It is based on basic security requirements related to code quality, data management, and the interaction of the app with the mobile environment. This level is the one required to obtain MASA certification.
• Level 2 (L2). Defense in depth. In addition to the requirements included in level 1, more advanced controls are added. This level is desirable for applications that handle highly sensitive data such as banking.
• Resistance against reverse engineering and tampering (R). This level requires applications to have specific protection techniques to deal with specific and well-defined attacks. Its requirements are different from those of the other levels, hence it can be added to each of them, but not used alone.

2.1.2. Verification requirements

Depending on the verification level chosen for the app, remember that in the case of Google MASA level 1 is required, MASVS establishes a series of security requirements grouped into seven categories, such as data storage and privacy (V2) or interaction with the platform (V6).

Some requirements are mandatory for both levels 1 and 2. For example, requirement 4.5. A password policy exists and is enforced on the server. While others are only necessary if level 2 is chosen, such as 4.10. To perform critical transactions, additional authentication is required.

There is an eighth category of requirements (V8), focused solely and exclusively on level R. And therefore irrelevant for Google MASA certification.

2.2. MSTG

MASVS establishes the requirements that an application must meet to be verified with a security level 1 and, therefore, be eligible for MASA certification. But how are these requirements met?

The answer is also provided by OWASP through the MSTG. This guide standardizes the tests that must be carried out for each of the security requirements. It also provides the technical explanation needed to carry them out. This means that all applications, regardless of their sector or the origin of their developers, will be subjected to the same security tests.

It is precisely this standardization that makes the MSTG a basic working document in the field of cybersecurity and a reference for initiatives such as Google MASA.

2.3. Authorized laboratories

We have the application security requirements and the procedures for testing to validate these requirements. Only one more element is missing: who is going to perform the tests?

Google entrusts this task to laboratories authorized by the multinational. Companies of renowned prestige and proven experience in handling the OWASP methodology and in performing techniques such as mobile application audits or penetration tests.

These laboratories will perform the tests with their professional excellence, evaluate the results, and send them to the developers with advice on how to solve the security problems or risks detected.

3. The stages of the Google MASA certification process

The collaboration between Google, the laboratories, and companies authorized to carry out the evaluations and the developers allows the MASA initiative to be particularly agile. Thus, from the time the developer takes the initiative to obtain Google MASA certification until it appears in the security section of the app in the Play Store, only a few weeks may pass. Let’s take a closer look at each stage of the process:

3.1. Decision-making and agreement between developers and labs

First, of course, there is the phase in which the app developer decides to evaluate the app’s protection and certify its security. Once the decision has been made, the developer must select one of the Google-authorized laboratories to carry out the assessment.

After closing the agreement and providing the cybersecurity services company with the necessary information, the company will start testing the application’s public version, available on Google Play.

3.2. Application testing, evaluation, and remediation

The authorized laboratory will perform all the tests collected in the MSTG and will provide the developer with the evaluation within 10 days.

This evaluation will include advice and steps to solve the detected problems. Depending on the vulnerabilities found and the ability of the developer’s team to implement the recommendations made by the lab, the end of the assessment phase may vary.

Once the application meets all the requirements established for level 1 in MASVS, the laboratory will terminate the assessment.

3.3. Validation report to Google and obtaining MASA certification

At this point, the company in charge of testing the app will send a validation report directly to Google, without the developer having to perform this task. This will confirm that the application in question complies with the security requirements demanded by MASA and the developer will be able to state on the app’s data security form that it has Google MASA certification. This will appear in the security section, visible to all users, within a week.

Google and the App Defense Alliance estimate that it will take only two to three weeks from the initial lab evaluation to the availability of the badge.

4. Benefits of Google MASA

In light of everything we have been saying, it seems clear that this initiative has the great benefit of increasing the level of security of the mobile applications we use in all areas of our lives. From the family to the professional sphere.

While Google seeks to secure the Play Store and its app ecosystem, individuals, businesses and app developers themselves can also benefit from obtaining Google MASA certification.

4.1. For developers and companies

First and foremost, and although it may seem extremely obvious, developers get, above all, to make their applications more secure.

No company likes to have apps burdened by vulnerabilities that can be exploited by malicious agents. A massive leak of personal data, the hijacking of privileged information, or the crash of the application can have catastrophic consequences for the business. Both financially and in terms of reputation.

Obtaining Google MASA certification obliges companies to work constantly on protecting their applications.
In addition, by submitting them to an independent evaluation, carried out by prestigious professionals and using the OWASP methodology, they can know with absolute precision what vulnerabilities their application has and how to solve them. What the development team may have missed will certainly come to light during the assessment.

If all this were not enough, obtaining the certificate or badge contributes to the application gaining prestige and generating trust in the user who downloads it from Google Play. Trust is a capital asset, both in the business and in the personal sphere.

4.2. For companies and end-users

Large parts of our lives are stored on our mobile devices. And extremely sensitive data. Like the passwords to our email or our bank app. The mobile is a part of ourselves and a first-class work tool. That’s why we all want it to be fully protected against threats.

When it comes to downloading an application, security must be a key element in answering the key question: “Should I download it or not? As we become more aware of the risks associated with insecure applications, protection is becoming increasingly important. We no longer care only about the usability of an application or its functionalities, but also about its level of security and its ability to protect our data.

Therefore, applications with the Google MASA badge or certification automatically acquire a patina of reliability in the eyes of companies and individuals. Even if these users are unaware of the vicissitudes linked to the process of evaluating the security requirements of the application. Or if they do not even know what OWASP is. What is certain is that the security section will clearly state that the application has been evaluated by independent laboratories and its level of protection is optimal.

In the long run, those applications that are not verified will be relegated by users, since their security will not have been checked by any external agent authorized for this task. Data is an important asset for any business… and so is security.

4.3. Permanent protection of the app ecosystem

The attentive reader will surely not have missed a point: we have not indicated the expiration date of the Google MASA certification.

Google has established that the certification must be renewed every year. So apps are re-evaluated once a year to ensure that they adapt to changing conditions in the cybersecurity domain and are secure against new attacks designed and implemented by the bad guys.

In this way, apps that embrace the MASA initiative will be able to assure users who download them from Google Play that they are secure and that their devices will be safe.

After all, there is no point in an application being able to guarantee that it meets the security requirements demanded by Google MASA for one year if, in the following months, it does not carry out actions to permanently fortify itself against new threats.

In short, the MASA initiative will allow users to know which apps available on Google Play are safe; it will help developers to work on protecting their apps and gain users’ trust, and it will make it easier for the ecosystem of apps that people and businesses use daily to be safe and optimally and permanently protected against attackers.