We’ll be looking at the following topics:
- What is the Mobile Application Security Assessment (MASA)?
- How does the MASA process work?
- Why is MASA important for an app?
- What’s next?
Before we get into the MASA process itself, let’s see what it aims to achieve and what the assessment entails.
What is the Mobile Application Security Assessment (MASA)?
First, let’s look at ADA (the App Defense Alliance), the initiator of MASA. ADA is a collaboration between Google and security industry partners, initially created with the aim to, and I quote, “stop bad apps before they reach users’ devices”. The alliance now has several initiatives ranging from assessing cloud applications, and malware mitigation. The relevant bit to this article is the Mobile Application Security Assessment (MASA).
MASA is a means to test mobile applications and verify their compliance with the Mobile Application Security Verification Standard (MASVS standard). It was created by the OWASP Mobile Application Security project. The initiative builds on the transparency improvements Google has been adding to the Play Store listings. At the same time, it makes developers more open to users regarding how their apps collect and process user data. This is very useful for both security and privacy reasons.
How does the MASA process work?
The MASA process involves submitting the target app to an authorized lab. The lab in question will then assess the app against a uniform list of checks. If successful, the app’s Play Store listing will be updated to show end-users that it has successfully passed this process.
The MASA assessment focuses on six key areas of an app:
- App storage,
- Cryptography,
- Authentication,
- Network communication,
- Platform requirements,
- Code quality.
Let’s see what each one of these involves.
Storage checks validate the fact that the application is only keeping key credentials in a system credentials store. This also ensures that no sensitive data is written to the logs and verifies that the user’s privacy is upheld within the app.
The cryptography requirement checks that modern, secure crypto standards are in use and that they’re initiated in a safe manner.
The authentication and session management checks make sure that user sessions are locked down and that mitigations are in place to keep sessions private to the end user only.
The network communication checks confirm that any data sent via the network is protected with modern standards and that the correct validations are in place to prevent eavesdropping or traffic modification.
The platform interaction requirements are specific to the Android ecosystem and confirm that only required permissions are asked for by the app. They also make sure that the app cannot be manipulated by external inputs on the end user’s device.
The final code checks show that the app has been built with good code quality and that third-party components are checked for vulnerabilities. The app is also checked to ensure that it’s signed and packaged correctly for the Play Store.
More information on the Mobile Application Security Assessment process and the full list of checks can be found on the App Defense Alliance homepage.
Why is MASA important for an app?
Now that I’ve explained what’s involved in the MASA process, let’s discuss why the process is important to us as software developers and for the VNC Server Mobile app. At RealVNC, we are passionate about security; we believe that it’s a critical aspect of modern technology services.
Customers should be asking for a high level of transparency from any prospective supplier; especially when you consider that Remote Access software is a powerful tool, and any vulnerability can be disastrous. It’s one of the reasons why security initiatives like our recent white-box security audit are essential. It’s also why we encourage our users to ask for such certifications from any provider that they’re working with.
We undertook the MASA process for our VNC Server Mobile app in Nov 2022, working together with NCC Group, an authorized MASA lab and a key player in the security industry. Our application flew through this assessment and gained an outstanding result – a PASS in each area on the first run.
Users can feel confident that our app has been vetted by external experts and can feel safe seeing the confirmation of our successful mobile assessment on the Play Store listing for VNC Server for Mobile: and the certification can also be validated in full on the MASA directory.
What’s next?
Security is engrained into all aspects of our VNC Connect product range, from the desktop to the back-end services, as well as the mobile VNC Viewer and Server. Each one of these is built with a secure-by-design mindset. We want customers to be able to see how our internal development practices are working to build secure solutions and how security is ingrained into each stage of our software development process.
As mentioned, we invited Cure53 in 2022 to perform a full white-box security audit, which produced a report that was full of praise. We reached out to NCC Group for our annual penetration test, which again had a very positive report, with only informational findings found. These initiatives will continue through 2023, as we look forward to continuing to affirm our strong security stance and giving users more transparency over all the security processes we have in place.
