Many people assume that all applications are designed and developed with security in mind first. After all, we expect things like cars, consumer products or even food to be safe for the end user – why should it be any different for software, and specifically, mobile applications?
In reality, application security is not always a primary focus for some companies and developers. Furthermore, even when security is prioritized, there is always the possibility of introducing security bugs. We have to realize that, at the end of the day, security vulnerabilities are bugs, and no application is bug-free. This is not an easy problem to solve, and as an industry we still have a lot of work to do to reach a secure-by-default state.
The App Defense Alliance and MASA
The App Defense Alliance was established to combat this pervasive security issue. A coalition of Google and mobile app security vendors, its mission is to ensure the security of Google Play and the broader app ecosystem.
In 2022, the App Defense Alliance launched its Mobile Application Security Assessment (MASA) program to enable companies and developers to have their mobile apps assessed for security and privacy vulnerabilities. All MASA-validated applications meet the mobile application security requirements set forth by OWASP (the Open Web Application Security Project). This third-party validation demonstrates a company's commitment to security and privacy practices, and gives users confidence that the app has been vetted by outside experts.
Pending MASA review
Any company or software developer can submit their application to be evaluated by an authorized partner of the MASA program. Google indicates directly on Google Play when a mobile app has been independently reviewed and certified to meet these industry security standards.
Organizations can work with the authorized partner of their choice – service costs are generally similar between vendors.
The MASA partner evaluates the mobile application to ensure that it meets each of the 32 security requirements. These requirements cover data storage and privacy, cryptography, authentication and session management, network communication, platform interaction, and code quality and build settings. Failing a single test case means the application is not MASA compliant, and it must be re-evaluated once the failed test cases have been fixed.
If the app meets all requirements, the test partner sends a validation report directly to Google as confirmation, and the developer is entitled to display the security badge on their data security form.
While the assessment program is rigorous, MASA should not be a significant undertaking for companies that include robust security testing as a core element in their SDLC. The evaluation process can take anywhere from a few days to a few weeks, depending on the MASA vendor and the company’s response to any questions that arise regarding the functionality and security features of the application.
HYPR MASA certification
As a security company, HYPR routinely conducts internal and external penetration testing engagements to validate our own security practices and detect any potential security risks.
Recently we have also completed official MASA validation. Some MASA partners offer additional security services alongside the MASA assessment; HYPR chose a partner that was also able to provide continuous automated mobile security testing.
As you can see below, the “Independent Security Assessment” badge is displayed in Google Play, indicating that HYPR has successfully completed the MASA process.
Next steps for readers
Organizations looking to improve their security posture must conduct regular security audits in their SDLC. In the specific case of Android apps, the MASA program is now available so that any application can prove to users that it has gone through an independent security review and successfully met all test case requirements.
It is strongly recommended that all applications be submitted for an assessment to determine whether they have significant security flaws. Every MASA partner is qualified to perform such a review. If the application has not gone through a security review before, we recommend having a professional security review before attempting MASA.
This is a Security Bloggers Network syndicated blog from HYPR Blog written by Anton Gurov, CISO. Read the original post at: https://blog.hypr.com/the-importance-of-mobile-application-security-assessments