
Mobile applications security standards: what they are and how to implement them

Implementing security standards in mobile applications such as those defined by MASVS is essential in modern development.

January 2025. It comes to light that thousands of mobile apps, including popular ones such as Candy Crush and Tinder, were collecting user data without their consent through the advertising ecosystem. The scandal is huge. Several questions rock the global app ecosystem: What are the actual mobile applications security standards? What happens to the data of hundreds of millions of users?

The episode spreads across the globe. Companies such as Gravy Analytics acquired hundreds of millions of pieces of personal data to resell them to companies, governments, and others.

Six months earlier, Duolingo, the popular language learning platform, saw the data of 2.6 million customers disappear: emails, phone numbers, social media profiles, and the languages they were studying.

Google Chrome, MOVEit, Optus… Over the last few years, there have been countless incidents that have highlighted the security problems with apps.

In the wake of these incidents, there has been growing debate about the need to promote security standards in mobile applications. One key player in this debate is MASVS (Mobile Application Security Verification Standard), developed by OWASP, the Open Web Application Security Project.

1- What are the mobile applications security standards?

Essentially, they are a kind of roadmap with technical specifications and best practice recommendations aimed at ensuring adequate protection of data and app operations against cybersecurity threats.

For developers, these standards provide a guide to strengthen their solutions. For users, they offer a layer of confidence regarding the protection of their data.

The consequences of uploading a poorly designed app to a store are obvious: data leaks, reputational damage, legal penalties and, now more than ever, the removal of the app from official stores. The case of Google’s Play Store is probably the most telling example.

2- The role of MASVS in secure app development

The Mobile Application Security Verification Standard (MASVS) is a framework that defines a series of security requirements that any mobile application should meet before hitting the market.

The framework launched by OWASP is not an audit, nor is it a tool. It is, in fact, a document that sets security levels for apps based on their complexity and level of exposure.

The ultimate goal of these mobile application security standards is to provide developers and companies with a common, verifiable basis for evaluating security throughout the development lifecycle.

3- What are the main security risks in mobile applications?

Below, we detail some of the most common security risks in the world of app development:

3.1 Reverse engineering

Reverse engineering allows attackers to decompile or analyze an application’s source code to identify exploitable vulnerabilities, discover proprietary algorithms, or extract secrets such as API keys.

This technique can facilitate the development of modified or malicious versions of the app. What are the consequences? Basically, the possibility that both the security and intellectual property of the developer could be compromised.

3.2 Malicious code injection

In this case, the security breach originates from the execution, within the app, of unverified code that arrives through third-party libraries or manipulated inputs.

Through this route, an attacker can inject scripts or binary code that alters the normal behavior of the application, access sensitive data, or take control of the system. This technique often exploits errors in input validation or vulnerable dependencies.

3.3 Data interception

Data interception, also known as a “man-in-the-middle” (MITM) attack, occurs when an attacker accesses information transmitted between the mobile device and the server.

This risk usually stems from inadequate encryption, or from encryption that is implemented incorrectly, exposing credentials, messages, bank details, and other private information.

3.4 Unauthorized access

In this case, an attacker exploits authentication or authorization flaws, such as weak passwords, tokens without expiration, or lack of role validation.

This allows them to access restricted functions or sensitive data under the radar.
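As an added illustration of the "tokens without expiration" and "lack of role validation" flaws (example code, not from the article): a small server-side session token scheme in which the validator refuses any token that lacks an expiry, claims an over-long lifetime, has already expired, fails its HMAC check, or does not carry the role the endpoint requires. The key, the lifetime limit and the claim names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed server-side key for this example only; a real backend loads it from a secrets store.
SERVER_KEY = b"example-server-key-do-not-reuse"
MAX_TOKEN_LIFETIME = 3600  # seconds; any token claiming a longer life is rejected

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_claims(claims: dict) -> str:
    """Serialise and HMAC-sign a claim set; deliberately adds no expiry so the validator must check for one."""
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64url(sig)}"

def issue_token(user_id: str, role: str, lifetime: int, now: int) -> str:
    """Mint a session token that always carries an issue time and a bounded expiry."""
    lifetime = min(lifetime, MAX_TOKEN_LIFETIME)
    return sign_claims({"sub": user_id, "role": role, "iat": now, "exp": now + lifetime})

def validate_token(token: str, now: int, required_role: Optional[str] = None) -> Optional[dict]:
    """Return the claims if the token is genuine, unexpired and authorised; otherwise None."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(sig)):  # constant-time comparison
            return None
        claims = json.loads(unb64url(body))
    except ValueError:  # covers bad base64, bad JSON and a token with no "." separator
        return None
    if not isinstance(claims, dict):
        return None
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        return None  # a token without an expiry is never accepted
    if exp - iat > MAX_TOKEN_LIFETIME or now >= exp:
        return None  # over-long lifetime or already expired
    if required_role is not None and claims.get("role") != required_role:
        return None  # role validation: a user token cannot reach admin-only functions
    return claims
```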

3.5 Insecure storage of sensitive data

Storing sensitive information—such as passwords, tokens, card numbers, or addresses—in plain text or vulnerable locations on the device (such as unencrypted internal storage) puts the user’s security at risk.

If the device is lost or compromised, this data can be easily extracted and used maliciously. The recent past has proven the critical nature of this risk.

Mobile application security standards strengthen an app's commercial launch on the market.

4- MASVS, categories, levels, and implementation

The mobile application security standards developed by OWASP are structured into several categories, each focusing on a specific aspect of app security:

  • Architecture and design.
  • Data management and privacy.
  • Authentication and access control.
  • Cryptography.
  • Code and platform interaction.
  • Resistance to reverse engineering and dynamic analysis.

In addition, it defines three levels of security verification:

  • MASVS-L1: Basic requirements applicable to all apps.
  • MASVS-L2: For apps that handle sensitive data or critical transactions.
  • MASVS-R: Resilience requirements for apps that could be subject to targeted attacks (e.g., financial apps).

OWASP’s main recommendation when implementing MASVS is to incorporate its requirements from the start of development, following a Security by Design approach.

The document is very clear when setting out the recommendations that any developer should take into account in this process:

  • Threat analysis: Identify potential attack vectors before coding.
  • Continuous security testing: Use static (SAST) and dynamic (DAST) analysis tools.
  • Strong encryption: Use proven algorithms and avoid plain text storage.
  • Strict access control: Multi-factor authentication, session expiration, and protection against brute force attacks.
  • Integration of security tools into CI/CD: To automate vulnerability checks.

5- Best practices and tools

The Mobile Application Security Verification Standard (MASVS) is not the only guide to consider when developing apps. Experts recommend following a series of best practices that will help strengthen the application before it hits the market.

Using the operating system’s storage (Keychain on iOS, Keystore on Android), minimizing the permissions requested, and avoiding unnecessary logs that could expose critical data are some of the most commonly recommended practices.

Obfuscating code to make reverse engineering more difficult and monitoring the app in real-time to detect anomalous behavior or unauthorized access are two other good practices that all developers should implement.

In any case, over the years, developers have equipped themselves with tools that help them comply with MASVS standards:

  • Mobile Security Framework (MobSF): Enables static and dynamic analysis of mobile apps.
  • OWASP Mobile App Security Testing Guide (MASTG): Companion to MASVS with practical guides and detailed test cases.
  • Frida and Objection: Useful tools for dynamic testing and runtime analysis of apps.
  • AppScan and Fortify: Commercial solutions for automated security analysis.
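Added example (not code from the article, from OWASP or from any of the tools listed above): a minimal SAST-style check of the kind the CI/CD integration recommended in section 4 would run on every commit, mapped onto the risks from section 3 (hardcoded secrets, plaintext storage, sensitive logging, cleartext traffic, disabled hostname verification, weak cryptography). The rule patterns, the MASVS category mapping and the Kotlin-style sample source are this example's own constructions; real pipelines would use MobSF or a commercial scanner for full coverage.

```python
import re
from collections import Counter
from typing import Dict, List

# Rule table: (rule id, MASVS category the check supports, heuristic regex, reason). The regexes are
# this example's own heuristics, not OWASP's; only the MASVS category names come from the standard.
RULES = [
    ("hardcoded-secret", "MASVS-CODE", r'(?i)(api[_-]?key|secret|password)\s*=\s*"[A-Za-z0-9_\-]{12,}"',
     "secret embedded in the binary; recovered by simply decompiling the app"),
    ("plaintext-pref", "MASVS-STORAGE", r'(?i)putString\(\s*"[^"]*(password|token|pin|card)',
     "sensitive value written to SharedPreferences without encryption"),
    ("world-readable", "MASVS-STORAGE", r"MODE_WORLD_(READABLE|WRITEABLE)",
     "file readable or writable by any other app on the device"),
    ("sensitive-log", "MASVS-STORAGE", r"(?i)Log\.[dviwe]\(.*(password|token|secret)",
     "credential written to the system log"),
    ("cleartext-url", "MASVS-NETWORK", r'"http://',
     "cleartext HTTP endpoint; traffic can be read or altered in transit"),
    ("trust-any-host", "MASVS-NETWORK", r"ALLOW_ALL_HOSTNAME_VERIFIER|HostnameVerifier\s*\{[^}]*->\s*true",
     "hostname verification disabled; any certificate is accepted"),
    ("weak-crypto", "MASVS-CRYPTO", r'"(AES/ECB|DES|RC4)[^"]*"|MessageDigest\.getInstance\("MD5"\)',
     "broken or non-authenticated primitive; use AES/GCM and SHA-256 or better"),
]
COMPILED = [(rid, area, re.compile(rx), why) for rid, area, rx, why in RULES]

# Constructed Kotlin-style snippet: lines 1-7 each trip one rule, line 8 is clean.
SAMPLE_KT = '''\
val apiKey = "sk_live_0123456789abcdef"
prefs.edit().putString("auth_token", token).apply()
val out = openFileOutput("notes.txt", Context.MODE_WORLD_READABLE)
val api = Retrofit.Builder().baseUrl("http://api.example.test/")
Log.d("Login", "password=" + password)
val cipher = Cipher.getInstance("AES/ECB/PKCS5Padding")
client.hostnameVerifier(HostnameVerifier { _, _ -> true })
val safe = Cipher.getInstance("AES/GCM/NoPadding")
'''

def scan_source(source: str) -> List[Dict]:
    """Return one finding per (line, rule) hit; comment-only lines are skipped."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("//"):
            continue
        for rule_id, area, pattern, why in COMPILED:
            if pattern.search(line):
                findings.append({"line": lineno, "rule": rule_id, "area": area, "why": why})
    return findings

def findings_by_area(findings: List[Dict]) -> Dict[str, int]:
    """Counts per MASVS category, e.g. to fail a CI job while any MASVS-NETWORK hit remains."""
    return dict(Counter(f["area"] for f in findings))
```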

6- In conclusion

Implementing security standards in mobile applications such as those defined by MASVS is essential in modern development. And not just to keep the app’s information and technological infrastructure safe. It is also necessary to gain and maintain the trust of users who are increasingly sensitive about the protection of their data.

At Tarlogic, we have had a team highly specialized in mobile app audits for many years, and there is one lesson that we have seen proven time and time again. Any application that wants to survive in today’s market must be able to demonstrate the efforts of its creators to keep pace with cybersecurity.