What's the value of this program for developers?
Performing regular security testing for your application can help you identify key vulnerabilities in your app and mitigate future liability. Google Play will allow developers who have gone through independent validation to showcase this on the Data safety form.
What’s the benefit to users?
Users can feel confident the apps have been vetted by external experts and have a higher assurance about the safety / security of those offerings.
What types of apps are applicable for this program?
OWASP MASVS is applicable to any mobile app. This includes a variety of app categories including IoT, fitness/health, social, comms, VPN, productivity and many more.
What is the scope of assessment?
The scope of the assessment consists of client-side security, authentication to the backend/cloud service, and connectivity to the backend/cloud service looking at general security and some privacy best practices.
What type of test cases will this assessment cover?
The assessment will review a subset of testable Level 1 MASVS requirements available on Github here.
How long is the certificate valid?
1 year. After 1 year, the developer is responsible for re-certifying their app.
How much does it cost?
Fees vary depending on lab partner, but on average you can expect the assessment to cost between $3-6K for AL2 and $500 for AL1.
How long does the process take?
Once you complete necessary paperwork, you can expect an assessment from the lab within 10 days. Timeframes for completion can vary depending on lab feedback and your team's ability to implement changes quickly.
Who are the lab partners?
Google has onboarded a set of authorized labs to perform the app assessments. All the authorized labs provide comprehensive security testing and offer developers the means to obtain certification against published standards.
How do I get started?
Developers have the opportunity to work directly with an Authorized Lab to initiate the testing process. Any fees or required paperwork will be handled directly between the lab and developer.
Can I submit my own test / use a different lab?
At this time, we only accept assessment results from the MASA authorized lab partners. If you are working with a lab who is interested in participating in the program, please have them complete the form here.
Will my competitors see my test results? Will my test results be made public?
The initial test results will only be shared with your team. Once the app has met all requirements, the lab will submit a report summary to Google which will be made publicly available on a future-launching MASA directory. The report summary is limited to testing scope and does not include any sensitive findings related to your app. You have full control as to when you want to make these results public.
Is there any way to showcase this on our Google Play listing?
The primary way this will be surfaced to users is through the Data Safety section via a security badge. This option is available only for the applications that completed AL2 assessment. We’re exploring ways to showcase this information to more users across Play.
Will certification become mandatory for apps in the Google Play store?
At this time, we don't have plans to make certification mandatory for app developers.
How long does it take for the results to show up on the Data Safety label?
Once you update your Data Safety section to indicate your app has "been independently validated" the designation will appear on your Data Safety label within one week.
How should I refer to this program externally?
Developers who have completed certification can say they have been independently validated through the App Defense Alliance
Does a developer have to get recertified for each update or release of their app?
No, MASA certification is annual and intended as a moment in time evaluation. Developers should continue maintaining compliance through internal assessments as part of their security development life cycle.
Who will keep track of the yearly recertification requirements for these apps, and who will notify the developers when their certification will expire?
It is the developer responsibility to keep their certification valid.
Will Google have access to any of the lab results or findings?
Google only receives a validation report from Authorized Lab partners stating whether the app meets the requirements or not. No application code, scan results, or vulnerability findings are shared or disclosed to Google as part of verification.
What if I disagree with the lab findings / assessment results?
MASA assessments are conducted by third-party authorized labs. If you do not agree with the assessment results or have questions regarding the status of your compliance, you can appeal directly to the lab who initiated testing of your app.
What if I publish my application for the first time?
Developers can submit a pre-release build to the lab for early testing, but the final, certified version must be the official APK published on the Google Play Store.
Will the lab be able to review my app if it is obfuscated?
Obfuscation can make it difficult for lab testing tools to assess your application. In these instances, you may be required to send additional assets to labs to facilitate testing, and may incur additional fees.