The Importance of Mobile Application Security Assessments in App Development
Aldo Salas, Application Security Lead, HYPR
4 Min. Read | January 23, 2023
Many people assume that all applications are designed and developed with a secure-first mindset. After all, we expect things like cars, consumer products or even food to be safe for the end user — why should it be different for software, and specifically, mobile applications?
In reality, application security is not always a primary focus for many companies and developers. Furthermore, even when security is prioritized, there is always the possibility of introducing security bugs. We have to realize that, at the end of the day, security vulnerabilities are bugs, and no application is bug-free. This is not an easy problem to solve and, as an industry, we still have much work to do in order to reach a secure-by-default state.
The App Defense Alliance and MASA
The App Defense Alliance was established to help combat this pervasive security issue. A coalition of Google and mobile app security vendors, its mission is to ensure the safety of Google Play and the broader app ecosystem.
In 2022, the App Defense Alliance launched its Mobile Application Security Assessment (MASA) program to enable companies and developers to assess their mobile apps for security and privacy vulnerabilities. All MASA validated applications meet the mobile application security requirements set by OWASP (the Open Web Application Security Project). This third-party validation demonstrates a company’s commitment to security and privacy practices, and gives users confidence that apps have been vetted by outside experts to be safe and secure.
Undergoing MASA Assessment
Any company or software developer can submit their applications to be assessed by an authorized partner of the MASA program. Google directly showcases in Google Play if a mobile app has been independently reviewed and certified to meet these industry security standards.
Organizations can work with the authorized partner of their choosing — service fees are generally similar between vendors.
The MASA partner assesses the mobile application to ensure it meets each of the 32 security requirements. These requirements cover data storage and privacy, cryptography, authentication and session management, network communications, platform interaction, and code quality and build settings. Failing even a single test case means the application is not MASA-compliant, and it will need to be re-evaluated once the failed test cases have been fixed.
Once the app meets all requirements, the testing partner sends a Validation Report directly to Google as confirmation, and developers become eligible to display the security badge on their data safety form.
While the assessment program is rigorous, MASA should not be a significant undertaking for companies that include robust security testing as a core element in their SDLC. The evaluation process can take anywhere from a few days to a couple of weeks, depending on the MASA vendor and the company’s response to any questions that arise regarding the application’s functionality and security features.
HYPR MASA Certification
As a security company, HYPR routinely undergoes internal and external penetration testing engagements to validate our own security practices and uncover any potential security risks.
Recently, we also underwent official MASA validation. Some MASA partners offer extra security services in addition to MASA assessment. HYPR chose a partner that was able to also provide continuous automated mobile security testing services.
As you can see below, the “Independent security review” badge is displayed in Google Play, indicating that HYPR successfully completed the MASA process.
Next Steps for Readers
Organizations looking to improve their security posture must conduct regular security reviews in their SDLC. In the specific case of Android apps, the MASA program is now available so that any application can prove to users that it has gone through an independent security review and successfully met every test case requirement.
It is strongly recommended that all applications be submitted for an assessment in order to determine whether they have significant security flaws. Any MASA partner is qualified to conduct such a review. If the application has not previously gone through a security review, we would recommend conducting a professional security review before attempting MASA.
Note that if your application includes hardening measures you will likely need to disable them in order to conduct the MASA validation. This may add to your cycle time. For example, the HYPR application has built-in root detection and code obfuscation, among other capabilities. Our MASA partner requested that we build an application without these features to conduct their assessment.
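One way to produce such an assessment build without weakening what ships to users is a dedicated Android build type that inherits from `release` but turns off obfuscation and flips a compile-time flag that the root check honours. The following Gradle Kotlin DSL and Kotlin snippet is an added example for this article, not HYPR's own build script or code; the `assessment` build type name, the `ROOT_DETECTION_ENABLED` BuildConfig field, the `RootPolicy` object and the `proguard-rules.pro` path are all assumed for illustration.

```kotlin
// ---- app/build.gradle.kts (assumed module path; example only) ----
android {
    // AGP 8+ no longer generates BuildConfig by default; enable it so the
    // buildConfigField() calls below produce BuildConfig.ROOT_DETECTION_ENABLED.
    buildFeatures {
        buildConfig = true
    }

    buildTypes {
        // Production build: hardening stays on. Obfuscation/shrinking via R8 and
        // the runtime root check are both enabled.
        getByName("release") {
            isMinifyEnabled = true
            isShrinkResources = true
            proguardFiles(
                getDefaultProguardFile("proguard-android-optimize.txt"),
                "proguard-rules.pro"  // assumed file name
            )
            buildConfigField("boolean", "ROOT_DETECTION_ENABLED", "true")
        }

        // Assessment build handed to the MASA partner: identical to release except
        // that obfuscation is off (readable stack traces and decompiled code for
        // the reviewer) and root detection is disabled so the app can run on the
        // instrumented/rooted devices used during testing.
        create("assessment") {
            initWith(getByName("release"))
            isMinifyEnabled = false
            isShrinkResources = false
            buildConfigField("boolean", "ROOT_DETECTION_ENABLED", "false")
            // Distinct application id so the assessment APK can never be installed
            // over, or mistaken for, the hardened production app.
            applicationIdSuffix = ".assessment"
            // Let library modules that only define "release" still resolve.
            matchingFallbacks += listOf("release")
        }
    }
}

// ---- app/src/main/java/.../RootPolicy.kt (assumed path; example only) ----
// The runtime gate reads the compile-time flag, so the decision is fixed at
// build time and cannot be toggled from a settings screen or a debug menu.
object RootPolicy {
    /**
     * Returns true when the app may continue running.
     * @param deviceLooksRooted result of whatever root-detection heuristics the
     *        app already has (not shown here; assumed to exist).
     */
    fun mayContinue(deviceLooksRooted: Boolean): Boolean {
        // Assessment builds compile this to `if (!false)`, i.e. always allow.
        if (!BuildConfig.ROOT_DETECTION_ENABLED) return true
        return !deviceLooksRooted
    }
}
```

Build the assessment artifact with `./gradlew assembleAssessment` and keep it out of any release pipeline: because the flag is baked into `BuildConfig` rather than read at runtime, a production `release` APK still refuses rooted devices and still ships obfuscated, and the `.assessment` suffix makes an accidental Play upload of the weakened build easy to spot.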