OWASP Mobile Application Security Verification Standard v2.1
Community-driven verification standard for mobile application security. 24 requirements across 8 groups: storage, cryptography, authentication, network communication, platform interaction, code quality, resilience, and privacy. Covers both iOS and Android with testable requirements mapped to the OWASP Mobile Application Security Testing Guide (MASTG). Widely adopted by mobile development teams, penetration testers, and security architects as the baseline for mobile app security assessments.
AC Access Control
| Control | Name | OWASP MASVS v2.1 References |
|---|---|---|
| AC-03 | Access Enforcement | MASVS-STORAGE-1, MASVS-AUTH-1, MASVS-AUTH-3, MASVS-PLATFORM-1, MASVS-PRIVACY-1, MASVS-PRIVACY-4 |
| AC-04 | Information Flow Enforcement | MASVS-STORAGE-2, MASVS-PLATFORM-1, MASVS-PLATFORM-2, MASVS-PLATFORM-3 |
| AC-06 | Least Privilege | MASVS-PRIVACY-1 |
| AC-07 | Unsuccessful Login Attempts | MASVS-AUTH-2 |
| AC-17 | Remote Access | MASVS-NETWORK-1 |
AU Audit and Accountability
| Control | Name | OWASP MASVS v2.1 References |
|---|---|---|
| AU-02 | Auditable Events | MASVS-STORAGE-2 |
CM Configuration Management
| Control | Name | OWASP MASVS v2.1 References |
|---|---|---|
| CM-02 | Baseline Configuration | MASVS-CODE-1, MASVS-CODE-2 |
| CM-03 | Configuration Change Control | MASVS-CODE-2 |
| CM-06 | Configuration Settings | MASVS-CRYPTO-1, MASVS-CRYPTO-2, MASVS-CODE-1 |
| CM-07 | Least Functionality | MASVS-PLATFORM-1, MASVS-PLATFORM-2 |
| CM-08 | Information System Component Inventory | MASVS-CODE-3 |
| CM-14 | Signed Components | MASVS-RESILIENCE-1, MASVS-RESILIENCE-2 |
IA Identification and Authentication
| Control | Name | OWASP MASVS v2.1 References |
|---|---|---|
| IA-02 | User Identification And Authentication | MASVS-AUTH-1, MASVS-AUTH-2, MASVS-AUTH-3 |
| IA-05 | Authenticator Management | MASVS-AUTH-1, MASVS-AUTH-2, MASVS-NETWORK-2 |
| IA-07 | Cryptographic Module Authentication | MASVS-AUTH-2 |
| IA-08 | Identification and Authentication (Non-Organizational Users) | MASVS-AUTH-1 |
| IA-10 | Adaptive Authentication | MASVS-AUTH-3 |
| IA-11 | Re-authentication | MASVS-AUTH-3 |
MP Media Protection
| Control | Name | OWASP MASVS v2.1 References |
|---|---|---|
| MP-06 | Media Sanitization And Disposal | MASVS-STORAGE-1 |
PE Physical and Environmental Protection
| Control | Name | OWASP MASVS v2.1 References |
|---|---|---|
| PE-18 | Location Of Information System Components | MASVS-PLATFORM-3 |
PL Planning
| Control | Name | OWASP MASVS v2.1 References |
|---|---|---|
| PL-04 | Rules Of Behavior | MASVS-PRIVACY-3 |
PM Program Management
| Control | Name | OWASP MASVS v2.1 References |
|---|---|---|
| PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research | MASVS-PRIVACY-1, MASVS-PRIVACY-2 |
PT Personally Identifiable Information Processing and Transparency
| Control | Name | OWASP MASVS v2.1 References |
|---|---|---|
| PT-02 | Authority to Process Personally Identifiable Information | MASVS-PRIVACY-1, MASVS-PRIVACY-2 |
| PT-03 | Personally Identifiable Information Processing Purposes | MASVS-PRIVACY-1, MASVS-PRIVACY-3, MASVS-PRIVACY-4 |
| PT-04 | Consent | MASVS-PRIVACY-3, MASVS-PRIVACY-4 |
| PT-05 | Privacy Notice | MASVS-PRIVACY-3, MASVS-PRIVACY-4 |
| PT-06 | System of Records Notice | MASVS-PRIVACY-2, MASVS-PRIVACY-4 |
RA Risk Assessment
| Control | Name | OWASP MASVS v2.1 References |
|---|---|---|
| RA-05 | Vulnerability Scanning | MASVS-CODE-3 |
SA System and Services Acquisition
| Control | Name | OWASP MASVS v2.1 References |
|---|---|---|
| SA-08 | Security Engineering Principles | MASVS-CRYPTO-1, MASVS-CRYPTO-2, MASVS-PRIVACY-2, MASVS-RESILIENCE-2, MASVS-RESILIENCE-3, MASVS-RESILIENCE-4 |
| SA-11 | Developer Security Testing | MASVS-PLATFORM-2, MASVS-CODE-3, MASVS-CODE-4, MASVS-RESILIENCE-1 |
| SA-22 | Unsupported System Components | MASVS-CODE-1, MASVS-CODE-2 |
SC System and Communications Protection
| Control | Name | OWASP MASVS v2.1 References |
|---|---|---|
| SC-04 | Information Remnance | MASVS-STORAGE-2, MASVS-PLATFORM-3 |
| SC-07 | Boundary Protection | MASVS-NETWORK-1, MASVS-PLATFORM-1, MASVS-PLATFORM-2 |
| SC-08 | Transmission Integrity | MASVS-NETWORK-1, MASVS-NETWORK-2 |
| SC-12 | Cryptographic Key Establishment And Management | MASVS-STORAGE-1, MASVS-CRYPTO-2 |
| SC-13 | Use Of Cryptography | MASVS-CRYPTO-1, MASVS-NETWORK-1, MASVS-AUTH-2, MASVS-RESILIENCE-2, MASVS-RESILIENCE-3, MASVS-RESILIENCE-4 |
| SC-17 | Public Key Infrastructure Certificates | MASVS-CRYPTO-2, MASVS-NETWORK-2 |
| SC-18 | Mobile Code | MASVS-CODE-4 |
| SC-23 | Session Authenticity | MASVS-AUTH-1, MASVS-AUTH-3, MASVS-NETWORK-1, MASVS-NETWORK-2 |
| SC-28 | Protection of Information at Rest | MASVS-STORAGE-1, MASVS-STORAGE-2 |
SI System and Information Integrity
| Control | Name | OWASP MASVS v2.1 References |
|---|---|---|
| SI-02 | Flaw Remediation | MASVS-CODE-1, MASVS-CODE-2, MASVS-CODE-3 |
| SI-04 | Information System Monitoring Tools And Techniques | MASVS-RESILIENCE-4 |
| SI-06 | Security Functionality Verification | MASVS-RESILIENCE-1 |
| SI-07 | Software And Information Integrity | MASVS-RESILIENCE-1, MASVS-RESILIENCE-2, MASVS-RESILIENCE-3, MASVS-RESILIENCE-4 |
| SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | MASVS-PLATFORM-1, MASVS-CODE-4 |
| SI-11 | Error Handling | MASVS-STORAGE-2, MASVS-PLATFORM-3 |
| SI-16 | Memory Protection | MASVS-CODE-4 |
SR Supply Chain Risk Management
| Control | Name | OWASP MASVS v2.1 References |
|---|---|---|
| SR-03 | Supply Chain Controls and Processes | MASVS-CODE-3 |