Introducing MASVS-PRIVACY
After collecting and processing all feedback from the MASVS-PRIVACY Proposal we're releasing the new MASVS-PRIVACY category.
The main goal of MASVS-PRIVACY is to provide a baseline for user privacy. It is not intended to cover all aspects of user privacy, especially when other standards and regulations such as ENISA or the GDPR already do that. We focus on the app itself, looking at what can be tested using information that's publicly available or found within the app through methods like static or dynamic analysis.
While some associated tests can be automated, others necessitate manual intervention due to the nuanced nature of privacy. For example, if an app collects data that it didn't mention in the app store or its privacy policy, it takes careful manual checking to spot this.
The new controls are:
- MASVS-PRIVACY-1: The app minimizes access to sensitive data and resources.
- MASVS-PRIVACY-2: The app prevents identification of the user.
- MASVS-PRIVACY-3: The app is transparent about data collection and usage.
- MASVS-PRIVACY-4: The app offers user control over their data.
CycloneDX Support
The MASVS is now available in CycloneDX format (OWASP_MASVS.cdx.json), a widely adopted standard for software bill of materials (SBOM). This format enables easier integration and automation within DevOps pipelines, improving visibility and management of mobile app security. By using CycloneDX, developers and security teams can more efficiently assess, track and comply with MASVS requirements, resulting in more secure mobile applications.
What's Changed
- Added POC script that generates CycloneDX standards doc of MASVS by @stevespringett in #715
- Update to CycloneDX v1.6 standards support by @stevespringett in #717
- Add MASVS-PRIVACY by @cpholguera @sushi2k @TheDauntless in #720
New Contributors
- @stevespringett made their first contribution in #715
Full Changelog: v2.0.0...v2.1.0