The ADA (App Defense Alliance) has launched an evaluation standard with the MASA program. It allows developers who have applications published in the Google Play Store to get their apps evaluated by an official lab partner. Most important, developers can receive the official Security Badge that fosters trust in their applications.
With our last blog posts, we already gave you an insight into the basics of mobile app security. We introduced you to OWASP (Open Web Application Security Project), MASVS (Mobile Application Security Verification Standard), and why third-party testing must be a fixed part of the application development cycle. With MASVS, the OWASP has developed an industry-wide standard that provides guidance based on its test criteria and has laid the foundations for mobile security.
To understand the process a little better, below are 7 things you should know before evaluating your applications through the MASA program.
1. How do I get started?
The assessment covers all aspects of client-side security, authentication to the backend/cloud service, and connectivity to the backend/cloud service, including general security and privacy best practices.
2. What is the scope of the assessment?
As one of the five officials authorized labs to conduct the assessments for MASA, you can directly begin the testing process with DEKRA. Firstly, you have to review and full fill out the intake form on our MASA page. To facilitate the whole process, verify our checklist before the preassessment. Additionally, you can log in to our free pre-assessment online tool.
3. How long is the certificate valid?
One year. Recertification is required after one year. DEKRA has a renewal program for apps that needs to be annually checked to maintain the Security Badge.
4. How much does it cost?
The free pre-assessment helps to identify potential vulnerabilities within your app before the actual MASA and thereby provides the opportunity to remedy these. So you are saving time and money by performing the pre-assessment upfront. Fees for MASA vary depending on apps, but on average you can expect the assessment to cost between $3-6K.
5. How long does the process take?
After completing the required paperwork, you can expect a lab report within 10 days, although completion times can vary based on lab feedback and your team’s ability to implement changes quickly. The best approach is to follow the checklist and the pre-assessment to be sure that your app is in a position to perform the assessment satisfactorily.
6. What types of apps are applicable for this program?
OWASP and MASVS can be used with any mobile app, including IoT, fitness/health, social, communications, VPN, productivity, and many more.
7. Will my competitors see my test results? Will my test result be public?
DEKRA never discloses any findings to 3rd party. A summary will be shared with Google once the app has met all of the requirements, which will be made public on the MASA Directory. You have complete control over when you want to make these results public.
By incorporating the new MASA validation into the compliance process, it provides various benefits to your company and in particular to your users. First, conducting regular mobile app security is fundamental because this guarantee that your apps follow security best practices in development and that the developers are aware of the new threats that emerge on a daily basis. This increases the transparency and the download rate.
Furthermore, it is important to point out that a 3rd party lab review helps the development team identify/mitigate usual topics in mobile security that could lead to vulnerabilities and in most cases the loss of confidence by your users. So MASA isn’t just an investment in your mobile security but in trust in your application.