The same MASA requirements are used for all assurance levels. They span across all control groups of the OWASP Mobile Application Security Verification Standard (MASVS). For the full list of requirements see the MASA requirements guide. For an application to be MASA verified, the developer must pass all MASA requirements that are applicable to their application.
Certification Validity
MASA certification is valid for one year and represents your security status at a specific point in time. The developer should continue maintaining compliance through ongoing internal assessments as part of your security development life cycle. In cases where off-cycle certification is required, the developer should reach out to one of the Authorized Lab to initiate new certification. If you have any further questions about whether you need to recertify your applications, please contact the Authorized Labs.
Recertification Requirements
All applications must be re-certified every year to remain compliant. The application certification level may change each year from AL2 to AL1 or from AL1 to AL2.
Monitoring
MASA includes periodic spot checks by Authorized Labs to ensure certified apps maintain compliance with MASA. Labs will randomly scan certified apps and notify developers with any findings. Once the security issue has been disclosed to the developer, the developer has 90 days to resolve the issue before their certification is revoked. Developers will be notified via the email associated with the email from initial certification.