MASA – Mobile Application Security Assessment

In a hyperconnected world, there are more than 5 billion mobile phone users interacting with each other using mobile applications. For this reason, it is crucial to ensure that the applications available in the Google Play Store follow the security best practices. To reach this goal the App Defense Alliance (ADA), through authorized labs, verifies if the application is aligned with guidelines based on MASVS Level 1 requirements. This project allows developers to focus on these key points to ensure app safety.

What is MASA?

Google has founded the App Defense Alliance to improve the protection for users from bad apps in the Google Play Store. The alliance utilizes each companies’ researchers in the field, integrating Google Play Protect detection systems with each partner’s scanning engines. One of the main advantages is that additional information about possible app risks can be generated for apps that are being queued to publish.

To improve the security in the Google Play ecosystem, ADA has launched its new program called Mobile Application Security Assessment (MASA) which aims to increase the security of the apps hosted in the store. This is done by incorporating the OWASP MASVS-Level1 requirements, including several categories like:

  • Data Storage and privacy requirements
  • Cryptography requirements
  • Authentication and session management requirements
  • Network communication requirements
  • Platform interaction requirements
  • Code quality and build settings requirements

In the past, Google has already taken some steps to increase safety and transparency for mobile applications. In October 2021, Google announced additional details for the Data safety section on Google Play. Developers are required to give more information about their apps’ privacy and security practices by completing a form in Play Console. This information will be shown on its app’s store listing to help Google Play users understand how such apps collect and shares user data before they download.

What is included in Google Play’s data safety section?

The Data Safety section on Google Play has become the simplest way for app developers to increase transparency. By letting people know what user data your app collects or shares, as well as showcasing the app’s key privacy and security features, users can make better decisions when choosing apps to install. All developers must disclose how they collect and handle user data for the apps they publish on Google Play and include details on how they protect this data with security measures such as encryption by July 20, 2022. This includes data collected and handled through any third-party libraries or SDKs used in their apps.

As a developer, some of the things that you must declare about your app and its user data usage include:

  • Data collection: is your app transmitting data from your app to a user’s device?
  • Data sharing: Is your app transferring user data collected from your app to a third party?
  • Data handling: which data your app collects is required/optional?
  • Data safety section:
    • Encryption in transit: Is data collected or shared by your app using encryption in transit to protect the flow of user data from the end user’s device to the server?
    • Deletion request mechanism: Does your app provide a way for users to request deletion of their data?

How does the assessment process work?

Although at this early stage the program is optative, it is highly recommended to be one of the early adopters of the program. To do so, here are some of the steps that you must follow to evaluate your app with DEKRA and obtain the security badge:

  1. Fill out our form at dekra.digital/masa or send an email to masa@dekra.com.
  2. DEKRA will arrange a meeting to clarify any questions that the customer may have about the assessment process.
  3. Our Mobile security engineers will perform the evaluation according to the MASA program based on (OWASP-MASSV Level 1 requirements). During this process, our team will be in constant contact with the developers to provide feedback and help to resolve any potential issues.
  4. Once the assessment has been completed, DEKRA will provide a full report with all the findings found during the assessment.
  5. DEKRA will notify the report results to Google.
  6. At this step, you are now eligible to display the Security Badge on your Data safety form. This process usually takes 1 week to be displayed in the Data Safety Label section.

Conclusion and further steps

As mobile apps with malware are emerging in the current Google Play Store, the App Defense Alliance in conjunction with the MASA program is a substantial effort to protect users against these bad actors. Incorporating the OWASP MASVS Level 1 requirements into its checklist gives more confidence to the users in downloading apps. In addition, it allows the developers to understand the app’s security state better, giving continuous improvement to have a healthier environment in Google Play Store.

Finally, being an early adopter of the MASA program assures that your apps belong to a group that meets an industry standard of security best practices, improving the visibility and the confidence in Google Play Store. DEKRA, as an authorized lab, can help you to perform this assessment smoothly and get the Security Badge successfully.

Simply test it with our free pre-assessment.