As of July 20, 2022, Android developers publishing new or updated mobile apps in Google Play must declare how their apps collect, share and secure data. The new Google Play Data safety section provides greater transparency and enables users to examine an Android mobile app’s security and privacy practices to decide which ones to download. Developers can take an extra step to safeguard user trust and demonstrate a high standard of mobile security and privacy by undergoing an optional independent security review. Founded by Google and industry security partners, the App Defense Alliance (ADA) established the mobile application security assessment (MASA) program to validate mobile apps against a globally recognized industry standard.
Mobile app developers can work with ADA-authorized labs to have their apps assessed against the Open Web Application Security Project (OWASP) mobile application security verification standard (MASVS) L1 requirements to gain the MASA validation. Developers whose mobile apps have passed an independent security review will be able to highlight that distinction in their Google Play Data safety section with the independent security review badge.
Mobile security experts from an ADA-authorized lab apply the MASA specification, which is derived from the OWASP mobile security testing guide (MSTG), using a mix of automated and manual application security testing to independently assess Android apps against a set of checks in six key areas.
To prepare for their independent security review, developers should follow these secure coding best practices when building their Android mobile apps.
Android Data Storage: Security and Privacy
● Use the Android Keystore system to securely store credentials including passwords, private keys, cryptographic keys and other information.
● Do not store sensitive data in external storage.
● Do not write sensitive data to system or application logs.
● Do not cache sensitive inputs, such as password fields.
● Mask sensitive data during user input.
● Fill out the Google Play console data safety section accurately, including both app code and SDKs.
Encryption
● Check first- and third-party code to confirm the use of industry-standard cryptographic libraries and algorithms (with recommended settings).
● Avoid outdated cryptographic algorithms (such as MD5 or SHA-1) for sensitive data or authentication routines.
● Do not hardcode cryptographic keys or initialization vectors (IVs).
● Use pseudorandom number generators (PRNGs) compliant with FIPS 140-2 security requirements for cryptographic modules.
Authentication and Session Management
● Ensure API endpoints that provide access to sensitive data require authentication.
● Use randomly generated session identifiers.
● Ensure sessions terminate at a remote endpoint when users log out.
● Include password complexity requirements enforced on both the client and server sides.
● Enable brute force protection for authentication endpoints.
● Ensure tokens have a reasonable expiration/timeout.
Android Network Communications
● Transmit all app data over TLS.
● Ensure the app verifies the validity of the certificate during the exchange.
● Declare all transmitted data.
Platform
● Do not request unnecessary app permissions.
● Validate any input your app accepts from external sources and sanitize if necessary.
● Ensure sensitive functionality is protected against unintended access for security and privacy.
Code Quality
● Remove all debugging symbols from the app and libraries.
● Remove debugging code (such as hidden settings).
● Disable verbose logging.
● Account for third-party SDKs in the data safety section.
● Update third-party SDKs and remove critical vulnerabilities.
● Enable position-independent code (PIC) and stack-smashing protection in apps and libraries.
Obtaining a MASA validation from an ADA-authorized lab gives developers a competitive advantage to drive more downloads by showcasing their commitment to mobile app security and privacy. When given a choice, mobile app users are more likely to download and use Android apps with the independent security review badge in Google Play. And enterprises with higher risk control requirements like finance, health care, energy and government are more likely to purchase and use these verified apps.