Mobile Application Security Assessment

Overview

Investing in mobile security is critical to ensure app safety for Google Play's billions of users. OWASP (the Open Web Application Security Project) has established itself as a highly respected industry standard for mobile application security. Its published set of security requirements, the Mobile Application Security Verification Standard (MASVS), provides a set of baseline security criteria for developers. Along with its published set of testing criteria, the MASTG (Mobile Application Security Testing Guide), OWASP offers an objective means for developers to have their apps evaluated against a common standard. Developers can work directly with a Google Authorized Lab partner to initiate the security assessment. Through MASA, Google will recognize developers who have had their applications independently validated against a set of MASVS Level 1 requirements.

Figure 1: MASA framework

Benefits

Performing regular security testing can help developers identify key vulnerabilities in their apps. Google Play will allow developers who have completed independent validation to showcase this in their Data safety section. This helps users feel more confident about an app's commitment to security and privacy.

How it works

If you are a developer and interested in participating, please reach out directly to one of the Authorized Labs listed below to initiate the testing process. Any fees or required paperwork will be handled directly between the lab and the developer. The lab will test the public version of the app available in the Play Store and provide assessment feedback directly to developers. Labs provide remediation steps to help developers fix any flagged issues. Once the app meets all requirements, the lab sends a Validation Report directly to Google as confirmation, and developers will be eligible to declare the security badge on their data safety form. On average, the process takes around 2-3 weeks from initial assessment to badge availability.

Disclaimer

MASA is intended to provide more transparency into the app's security architecture; however, the limited nature of testing does not guarantee complete safety of the application. This independent review may not be scoped to verify the accuracy and completeness of a developer's Data safety declarations. Developers remain solely responsible for making complete and accurate declarations in their app's Play Store listing.

FAQs

Click here to learn more about MASA and see answers to common questions.

Our partners

Google has onboarded a set of Authorized Labs to perform the app assessments. All the Authorized Labs provide comprehensive security testing and offer developers the means to obtain validation against published standards. Due to the migration to the Linux Foundation, we have paused onboarding new labs.

Authorized Labs partners

Start your MASA assessment by reaching out to the lab partners to initiate testing.