{
  "name": "OWASP MASVS",
  "description": "OWASP Mobile Application Security Verification Standard (v1.x numbered requirements, e.g. 1.1 = MSTG-ARCH-1; the MASVS 2.x control set is structured differently, so record which edition an assessment used)",
  "enabled_fields": [
    "level",
    "description"
  ],
  "status_choices": [
    "Not Tested",
    "Out of scope",
    "Fail",
    "Partial",
    "Pass"
  ],
  "categories": [
    "CRYPTO",
    "STORAGE",
    "PLATFORM",
    "ARCH",
    "NETWORK",
    "RESILIENCE",
    "AUTH",
    "CODE"
  ],
  "items": [
    {
      "order": 1,
      "name": "All app components are identified and known to be needed.",
      "reference": "1.1",
      "category": "ARCH",
      "description": "All app components are identified and known to be needed.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 2,
      "name": "Security controls are never enforced only on the client side, but on the respective remote...",
      "reference": "1.2",
      "category": "ARCH",
      "description": "Security controls are never enforced only on the client side, but on the respective remote endpoints.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 3,
      "name": "A high-level architecture for the mobile app and all connected remote services has been defined...",
      "reference": "1.3",
      "category": "ARCH",
      "description": "A high-level architecture for the mobile app and all connected remote services has been defined and security has been addressed in that architecture.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 4,
      "name": "Data considered sensitive in the context of the mobile app is clearly identified.",
      "reference": "1.4",
      "category": "ARCH",
      "description": "Data considered sensitive in the context of the mobile app is clearly identified.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 5,
      "name": "All app components are defined in terms of the business functions and/or security functions they...",
      "reference": "1.5",
      "category": "ARCH",
      "description": "All app components are defined in terms of the business functions and/or security functions they provide.",
      "subcategory": "",
      "level": "L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 6,
      "name": "A threat model for the mobile app and the associated remote services has been produced that...",
      "reference": "1.6",
      "category": "ARCH",
      "description": "A threat model for the mobile app and the associated remote services has been produced that identifies potential threats and countermeasures.",
      "subcategory": "",
      "level": "L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 7,
      "name": "All security controls have a centralized implementation.",
      "reference": "1.7",
      "category": "ARCH",
      "description": "All security controls have a centralized implementation.",
      "subcategory": "",
      "level": "L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 8,
      "name": "There is an explicit policy for how cryptographic keys (if any) are managed, and the lifecycle of...",
      "reference": "1.8",
      "category": "ARCH",
      "description": "There is an explicit policy for how cryptographic keys (if any) are managed, and the lifecycle of cryptographic keys is enforced. Ideally, follow a key management standard such as NIST SP 800-57.",
      "subcategory": "",
      "level": "L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 9,
      "name": "A mechanism for enforcing updates of the mobile app exists.",
      "reference": "1.9",
      "category": "ARCH",
      "description": "A mechanism for enforcing updates of the mobile app exists.",
      "subcategory": "",
      "level": "L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 10,
      "name": "Security is addressed within all parts of the software development lifecycle.",
      "reference": "1.10",
      "category": "ARCH",
      "description": "Security is addressed within all parts of the software development lifecycle.",
      "subcategory": "",
      "level": "L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 11,
      "name": "A responsible disclosure policy is in place and effectively applied.",
      "reference": "1.11",
      "category": "ARCH",
      "description": "A responsible disclosure policy is in place and effectively applied.",
      "subcategory": "",
      "level": "L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 12,
      "name": "The app should comply with privacy laws and regulations.",
      "reference": "1.12",
      "category": "ARCH",
      "description": "The app should comply with privacy laws and regulations.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 13,
      "name": "System credential storage facilities need to be used to store sensitive data, such as PII, user...",
      "reference": "2.1",
      "category": "STORAGE",
      "description": "System credential storage facilities need to be used to store sensitive data, such as PII, user credentials or cryptographic keys.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 14,
      "name": "No sensitive data should be stored outside of the app container or system credential storage...",
      "reference": "2.2",
      "category": "STORAGE",
      "description": "No sensitive data should be stored outside of the app container or system credential storage facilities.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 15,
      "name": "No sensitive data is written to application logs.",
      "reference": "2.3",
      "category": "STORAGE",
      "description": "No sensitive data is written to application logs.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 16,
      "name": "No sensitive data is shared with third parties unless it is a necessary part of the architecture.",
      "reference": "2.4",
      "category": "STORAGE",
      "description": "No sensitive data is shared with third parties unless it is a necessary part of the architecture.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 17,
      "name": "The keyboard cache is disabled on text inputs that process sensitive data.",
      "reference": "2.5",
      "category": "STORAGE",
      "description": "The keyboard cache is disabled on text inputs that process sensitive data.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 18,
      "name": "No sensitive data is exposed via IPC mechanisms.",
      "reference": "2.6",
      "category": "STORAGE",
      "description": "No sensitive data is exposed via IPC mechanisms.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 19,
      "name": "No sensitive data, such as passwords or PINs, is exposed through the user interface.",
      "reference": "2.7",
      "category": "STORAGE",
      "description": "No sensitive data, such as passwords or PINs, is exposed through the user interface.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 20,
      "name": "No sensitive data is included in backups generated by the mobile operating system.",
      "reference": "2.8",
      "category": "STORAGE",
      "description": "No sensitive data is included in backups generated by the mobile operating system.",
      "subcategory": "",
      "level": "L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 21,
      "name": "The app removes sensitive data from views when moved to the background.",
      "reference": "2.9",
      "category": "STORAGE",
      "description": "The app removes sensitive data from views when moved to the background.",
      "subcategory": "",
      "level": "L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 22,
      "name": "The app does not hold sensitive data in memory longer than necessary, and memory is cleared...",
      "reference": "2.10",
      "category": "STORAGE",
      "description": "The app does not hold sensitive data in memory longer than necessary, and memory is cleared explicitly after use.",
      "subcategory": "",
      "level": "L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 23,
      "name": "The app enforces a minimum device-access-security policy, such as requiring the user to set a...",
      "reference": "2.11",
      "category": "STORAGE",
      "description": "The app enforces a minimum device-access-security policy, such as requiring the user to set a device passcode.",
      "subcategory": "",
      "level": "L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 24,
      "name": "The app educates the user about the types of personally identifiable information processed, as...",
      "reference": "2.12",
      "category": "STORAGE",
      "description": "The app educates the user about the types of personally identifiable information processed, as well as security best practices the user should follow in using the app.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 25,
      "name": "No sensitive data should be stored locally on the mobile device. Instead, data should be...",
      "reference": "2.13",
      "category": "STORAGE",
      "description": "No sensitive data should be stored locally on the mobile device. Instead, data should be retrieved from a remote endpoint when needed and only be kept in memory.",
      "subcategory": "",
      "level": "L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 26,
      "name": "If sensitive data is still required to be stored locally, it should be encrypted using a key...",
      "reference": "2.14",
      "category": "STORAGE",
      "description": "If sensitive data is still required to be stored locally, it should be encrypted using a key derived from hardware backed storage which requires authentication.",
      "subcategory": "",
      "level": "L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 27,
      "name": "The app\u2019s local storage should be wiped after an excessive number of failed authentication attempts.",
      "reference": "2.15",
      "category": "STORAGE",
      "description": "The app\u2019s local storage should be wiped after an excessive number of failed authentication attempts.",
      "subcategory": "",
      "level": "L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 28,
      "name": "The app does not rely on symmetric cryptography with hardcoded keys as a sole method of encryption.",
      "reference": "3.1",
      "category": "CRYPTO",
      "description": "The app does not rely on symmetric cryptography with hardcoded keys as a sole method of encryption.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 29,
      "name": "The app uses proven implementations of cryptographic primitives.",
      "reference": "3.2",
      "category": "CRYPTO",
      "description": "The app uses proven implementations of cryptographic primitives.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 30,
      "name": "The app uses cryptographic primitives that are appropriate for the particular use-case,...",
      "reference": "3.3",
      "category": "CRYPTO",
      "description": "The app uses cryptographic primitives that are appropriate for the particular use-case, configured with parameters that adhere to industry best practices.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 31,
      "name": "The app does not use cryptographic protocols or algorithms that are widely considered deprecated...",
      "reference": "3.4",
      "category": "CRYPTO",
      "description": "The app does not use cryptographic protocols or algorithms that are widely considered deprecated for security purposes.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 32,
      "name": "The app doesn't re-use the same cryptographic key for multiple purposes.",
      "reference": "3.5",
      "category": "CRYPTO",
      "description": "The app doesn't re-use the same cryptographic key for multiple purposes.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 33,
      "name": "All random values are generated using a sufficiently secure random number generator.",
      "reference": "3.6",
      "category": "CRYPTO",
      "description": "All random values are generated using a sufficiently secure random number generator.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 34,
      "name": "If the app provides users access to a remote service, some form of authentication, such as...",
      "reference": "4.1",
      "category": "AUTH",
      "description": "If the app provides users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 35,
      "name": "If stateful session management is used, the remote endpoint uses randomly generated session...",
      "reference": "4.2",
      "category": "AUTH",
      "description": "If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 36,
      "name": "If stateless token-based authentication is used, the server provides a token that has been signed...",
      "reference": "4.3",
      "category": "AUTH",
      "description": "If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 37,
      "name": "The remote endpoint terminates the existing session when the user logs out.",
      "reference": "4.4",
      "category": "AUTH",
      "description": "The remote endpoint terminates the existing session when the user logs out.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 38,
      "name": "A password policy exists and is enforced at the remote endpoint.",
      "reference": "4.5",
      "category": "AUTH",
      "description": "A password policy exists and is enforced at the remote endpoint.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 39,
      "name": "The remote endpoint implements a mechanism to protect against the submission of credentials an...",
      "reference": "4.6",
      "category": "AUTH",
      "description": "The remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 40,
      "name": "Sessions are invalidated at the remote endpoint after a predefined period of inactivity and...",
      "reference": "4.7",
      "category": "AUTH",
      "description": "Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 41,
      "name": "Biometric authentication, if any, is not event-bound (i.e. using an API that simply returns...",
      "reference": "4.8",
      "category": "AUTH",
      "description": "Biometric authentication, if any, is not event-bound (i.e. using an API that simply returns \"true\" or \"false\"). Instead, it is based on unlocking the keychain/keystore.",
      "subcategory": "",
      "level": "L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 42,
      "name": "A second factor of authentication exists at the remote endpoint and the 2FA requirement is...",
      "reference": "4.9",
      "category": "AUTH",
      "description": "A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced.",
      "subcategory": "",
      "level": "L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 43,
      "name": "Sensitive transactions require step-up authentication.",
      "reference": "4.10",
      "category": "AUTH",
      "description": "Sensitive transactions require step-up authentication.",
      "subcategory": "",
      "level": "L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 44,
      "name": "The app informs the user of all sensitive activities with their account. Users are able to view a...",
      "reference": "4.11",
      "category": "AUTH",
      "description": "The app informs the user of all sensitive activities with their account. Users are able to view a list of devices, view contextual information (IP address, location, etc.), and to block specific devices.",
      "subcategory": "",
      "level": "L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 45,
      "name": "Authorization models should be defined and enforced at the remote endpoint.",
      "reference": "4.12",
      "category": "AUTH",
      "description": "Authorization models should be defined and enforced at the remote endpoint.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 46,
      "name": "Data is encrypted on the network using TLS. The secure channel is used consistently throughout...",
      "reference": "5.1",
      "category": "NETWORK",
      "description": "Data is encrypted on the network using TLS. The secure channel is used consistently throughout the app.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 47,
      "name": "The TLS settings are in line with current best practices, or as close as possible if the mobile...",
      "reference": "5.2",
      "category": "NETWORK",
      "description": "The TLS settings are in line with current best practices, or as close as possible if the mobile operating system does not support the recommended standards.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 48,
      "name": "The app verifies the X.509 certificate of the remote endpoint when the secure channel is...",
      "reference": "5.3",
      "category": "NETWORK",
      "description": "The app verifies the X.509 certificate of the remote endpoint when the secure channel is established. Only certificates signed by a trusted CA are accepted.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 49,
      "name": "The app either uses its own certificate store, or pins the endpoint certificate or public key,...",
      "reference": "5.4",
      "category": "NETWORK",
      "description": "The app either uses its own certificate store, or pins the endpoint certificate or public key, and subsequently does not establish connections with endpoints that offer a different certificate or key, even if signed by a trusted CA.",
      "subcategory": "",
      "level": "L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 50,
      "name": "The app doesn't rely on a single insecure communication channel (email or SMS) for critical...",
      "reference": "5.5",
      "category": "NETWORK",
      "description": "The app doesn't rely on a single insecure communication channel (email or SMS) for critical operations, such as enrollments and account recovery.",
      "subcategory": "",
      "level": "L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 51,
      "name": "The app only depends on up-to-date connectivity and security libraries.",
      "reference": "5.6",
      "category": "NETWORK",
      "description": "The app only depends on up-to-date connectivity and security libraries.",
      "subcategory": "",
      "level": "L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 52,
      "name": "The app only requests the minimum set of permissions necessary.",
      "reference": "6.1",
      "category": "PLATFORM",
      "description": "The app only requests the minimum set of permissions necessary.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 53,
      "name": "All inputs from external sources and the user are validated and if necessary sanitized. This...",
      "reference": "6.2",
      "category": "PLATFORM",
      "description": "All inputs from external sources and the user are validated and if necessary sanitized. This includes data received via the UI, IPC mechanisms such as intents, custom URLs, and network sources.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 54,
      "name": "The app does not export sensitive functionality via custom URL schemes, unless these mechanisms...",
      "reference": "6.3",
      "category": "PLATFORM",
      "description": "The app does not export sensitive functionality via custom URL schemes, unless these mechanisms are properly protected.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 55,
      "name": "The app does not export sensitive functionality through IPC facilities, unless these mechanisms...",
      "reference": "6.4",
      "category": "PLATFORM",
      "description": "The app does not export sensitive functionality through IPC facilities, unless these mechanisms are properly protected.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 56,
      "name": "JavaScript is disabled in WebViews unless explicitly required.",
      "reference": "6.5",
      "category": "PLATFORM",
      "description": "JavaScript is disabled in WebViews unless explicitly required.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 57,
      "name": "WebViews are configured to allow only the minimum set of protocol handlers required (ideally,...",
      "reference": "6.6",
      "category": "PLATFORM",
      "description": "WebViews are configured to allow only the minimum set of protocol handlers required (ideally, only https is supported). Potentially dangerous handlers, such as file, tel and app-id, are disabled.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 58,
      "name": "If native methods of the app are exposed to a WebView, verify that the WebView only renders...",
      "reference": "6.7",
      "category": "PLATFORM",
      "description": "If native methods of the app are exposed to a WebView, verify that the WebView only renders JavaScript contained within the app package.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 59,
      "name": "Object deserialization, if any, is implemented using safe serialization APIs.",
      "reference": "6.8",
      "category": "PLATFORM",
      "description": "Object deserialization, if any, is implemented using safe serialization APIs.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 60,
      "name": "The app protects itself against screen overlay attacks. (Android only)",
      "reference": "6.9",
      "category": "PLATFORM",
      "description": "The app protects itself against screen overlay attacks. (Android only)",
      "subcategory": "",
      "level": "L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 61,
      "name": "A WebView's cache, storage, and loaded resources (JavaScript, etc.) should be cleared before the...",
      "reference": "6.10",
      "category": "PLATFORM",
      "description": "A WebView's cache, storage, and loaded resources (JavaScript, etc.) should be cleared before the WebView is destroyed.",
      "subcategory": "",
      "level": "L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 62,
      "name": "Verify that the app prevents usage of custom third-party keyboards whenever sensitive data is...",
      "reference": "6.11",
      "category": "PLATFORM",
      "description": "Verify that the app prevents usage of custom third-party keyboards whenever sensitive data is entered (iOS only).",
      "subcategory": "",
      "level": "L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 63,
      "name": "The app is signed and provisioned with a valid certificate, of which the private key is properly...",
      "reference": "7.1",
      "category": "CODE",
      "description": "The app is signed and provisioned with a valid certificate, of which the private key is properly protected.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 64,
      "name": "The app has been built in release mode, with settings appropriate for a release build (e.g. non-...",
      "reference": "7.2",
      "category": "CODE",
      "description": "The app has been built in release mode, with settings appropriate for a release build (e.g. non-debuggable).",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 65,
      "name": "Debugging symbols have been removed from native binaries.",
      "reference": "7.3",
      "category": "CODE",
      "description": "Debugging symbols have been removed from native binaries.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 66,
      "name": "Debugging code and developer assistance code (e.g. test code, backdoors, hidden settings) have...",
      "reference": "7.4",
      "category": "CODE",
      "description": "Debugging code and developer assistance code (e.g. test code, backdoors, hidden settings) have been removed. The app does not log verbose errors or debugging messages.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 67,
      "name": "All third party components used by the mobile app, such as libraries and frameworks, are...",
      "reference": "7.5",
      "category": "CODE",
      "description": "All third party components used by the mobile app, such as libraries and frameworks, are identified, and checked for known vulnerabilities.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 68,
      "name": "The app catches and handles possible exceptions.",
      "reference": "7.6",
      "category": "CODE",
      "description": "The app catches and handles possible exceptions.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 69,
      "name": "Error handling logic in security controls denies access by default.",
      "reference": "7.7",
      "category": "CODE",
      "description": "Error handling logic in security controls denies access by default.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 70,
      "name": "In unmanaged code, memory is allocated, freed and used securely.",
      "reference": "7.8",
      "category": "CODE",
      "description": "In unmanaged code, memory is allocated, freed and used securely.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 71,
      "name": "Free security features offered by the toolchain, such as byte-code minification, stack...",
      "reference": "7.9",
      "category": "CODE",
      "description": "Free security features offered by the toolchain, such as byte-code minification, stack protection, PIE support and automatic reference counting, are activated.",
      "subcategory": "",
      "level": "L1, L2",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 72,
      "name": "The app detects, and responds to, the presence of a rooted or jailbroken device either by...",
      "reference": "8.1",
      "category": "RESILIENCE",
      "description": "The app detects, and responds to, the presence of a rooted or jailbroken device either by alerting the user or terminating the app.",
      "subcategory": "",
      "level": "R",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 73,
      "name": "The app prevents debugging and/or detects, and responds to, a debugger being attached. All...",
      "reference": "8.2",
      "category": "RESILIENCE",
      "description": "The app prevents debugging and/or detects, and responds to, a debugger being attached. All available debugging protocols must be covered.",
      "subcategory": "",
      "level": "R",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 74,
      "name": "The app detects, and responds to, tampering with executable files and critical data within its...",
      "reference": "8.3",
      "category": "RESILIENCE",
      "description": "The app detects, and responds to, tampering with executable files and critical data within its own sandbox.",
      "subcategory": "",
      "level": "R",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 75,
      "name": "The app detects, and responds to, the presence of widely used reverse engineering tools and...",
      "reference": "8.4",
      "category": "RESILIENCE",
      "description": "The app detects, and responds to, the presence of widely used reverse engineering tools and frameworks on the device.",
      "subcategory": "",
      "level": "R",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 76,
      "name": "The app detects, and responds to, being run in an emulator.",
      "reference": "8.5",
      "category": "RESILIENCE",
      "description": "The app detects, and responds to, being run in an emulator.",
      "subcategory": "",
      "level": "R",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 77,
      "name": "The app detects, and responds to, tampering with the code and data in its own memory space.",
      "reference": "8.6",
      "category": "RESILIENCE",
      "description": "The app detects, and responds to, tampering with the code and data in its own memory space.",
      "subcategory": "",
      "level": "R",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 78,
      "name": "The app implements multiple mechanisms in each defense category (8.1 to 8.6). Note that...",
      "reference": "8.7",
      "category": "RESILIENCE",
      "description": "The app implements multiple mechanisms in each defense category (8.1 to 8.6). Note that resiliency scales with the amount, diversity and originality of the mechanisms used.",
      "subcategory": "",
      "level": "R",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 79,
      "name": "The detection mechanisms trigger responses of different types, including delayed and stealthy...",
      "reference": "8.8",
      "category": "RESILIENCE",
      "description": "The detection mechanisms trigger responses of different types, including delayed and stealthy responses.",
      "subcategory": "",
      "level": "R",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 80,
      "name": "Obfuscation is applied to programmatic defenses, which in turn impede de-obfuscation via dynamic...",
      "reference": "8.9",
      "category": "RESILIENCE",
      "description": "Obfuscation is applied to programmatic defenses, which in turn impede de-obfuscation via dynamic analysis.",
      "subcategory": "",
      "level": "R",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 81,
      "name": "The app implements a 'device binding' functionality using a device fingerprint derived from...",
      "reference": "8.10",
      "category": "RESILIENCE",
      "description": "The app implements a 'device binding' functionality using a device fingerprint derived from multiple properties unique to the device.",
      "subcategory": "",
      "level": "R",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 82,
      "name": "All executable files and libraries belonging to the app are either encrypted on the file level...",
      "reference": "8.11",
      "category": "RESILIENCE",
      "description": "All executable files and libraries belonging to the app are either encrypted on the file level and/or important code and data segments inside the executables are encrypted or packed. Trivial static analysis does not reveal important code or data.",
      "subcategory": "",
      "level": "R",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 83,
      "name": "If the goal of obfuscation is to protect sensitive computations, an obfuscation scheme is used...",
      "reference": "8.12",
      "category": "RESILIENCE",
      "description": "If the goal of obfuscation is to protect sensitive computations, an obfuscation scheme is used that is both appropriate for the particular task and robust against manual and automated de-obfuscation methods, considering currently published research. The effectiveness of the obfuscation scheme must be verified through manual testing. Note that hardware-based isolation features are preferred over obfuscation whenever possible.",
      "subcategory": "",
      "level": "R",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    },
    {
      "order": 84,
      "name": "As a defense in depth, next to having solid hardening of the communicating parties, application...",
      "reference": "8.13",
      "category": "RESILIENCE",
      "description": "As a defense in depth, next to having solid hardening of the communicating parties, application level payload encryption can be applied to further impede eavesdropping.",
      "subcategory": "",
      "level": "R",
      "references": "",
      "riskrating": "",
      "notes": "",
      "guide": ""
    }
  ]
}