What's the value of this program for developers?
Performing regular security testing for your application can help you identify key vulnerabilities in your app and mitigate future liability. Google Play will allow developers who have gone through independent validation to showcase this on the Data safety form.
What’s the benefit to users?
Users can feel confident that the apps have been vetted by external experts and have higher assurance about the safety and security of those offerings.
What types of apps are applicable for this program?
OWASP MASVS is applicable to any mobile app. This includes a variety of app categories including IoT, fitness/health, social, comms, VPN, productivity and many more.
What is the scope of assessment?
The scope of the assessment covers client-side security, authentication to the backend/cloud service, and connectivity to the backend/cloud service, examining general security practices and some privacy best practices.
What type of test cases will this assessment cover?
The assessment will review a subset of testable Level 1 MASVS requirements, which are available on GitHub.
How long is the certificate valid?
1 year. After 1 year, the developer is responsible for re-certifying their app.
How much does it cost?
Fees vary depending on lab partner, but on average you can expect the assessment to cost between $3-6K.
How long does the process take?
Once you complete the necessary paperwork, you can expect an assessment from the lab within 10 days. Timeframes for completion can vary depending on lab feedback and your team's ability to implement changes quickly.
Who are the lab partners?
Google has onboarded a set of authorized labs to perform the app assessments. All the authorized labs provide comprehensive security testing and offer developers the means to obtain certification against published standards.
How do I get started?
Developers have the opportunity to work directly with an Authorized Lab to initiate the testing process. Any fees or required paperwork will be handled directly between the lab and developer.
Can I submit my own test / use a different lab?
At this time, we only accept assessment results from the MASA authorized lab partners. If you are working with a lab that is interested in participating in the program, please have them complete the lab participation form.
Will my competitors see my test results? Will my test results be made public?
The initial test results will only be shared with your team. Once the app has met all requirements, the lab will submit a report summary to Google which will be made publicly available on a future-launching MASA directory. The report summary is limited to testing scope and does not include any sensitive findings related to your app. You have full control as to when you want to make these results public.
Is there any way to showcase this on our Google Play listing?
The primary way this will be surfaced to users is through the Data Safety section via a security badge. We’re exploring ways to showcase this information to more users across Play.
Will certification become mandatory for apps in the Google Play store?
At this time, we don't have plans to make certification mandatory for app developers.
How long does it take for the results to show up on the Data Safety label?
Once you update your Data Safety section to indicate your app has "been independently validated" the designation will appear on your Data Safety label within one week.
How should I refer to this program externally?
Developers who have completed certification can say they have been independently validated through the App Defense Alliance.