Tags: Mobile Security, OWASP, iOS, Android

Mobile App Security: Understanding OWASP MAS Testing

October 14, 2025 · 9 min read

Mobile App Security with OWASP MAS


Great mobile apps feel smooth and invisible, but attackers see every seam: cached secrets, shaky request signing, or APIs that trust the client too much. Use the OWASP MASVS as your compass and the MASTG for concrete test cases, but test like someone holding a rooted phone and plenty of time.


Local data and secrets


On Android, walk through SharedPreferences, internal and external storage, WebView caches, and SQLite or Realm databases to see what falls out. Check android:allowBackup and which components are exported, then ask whether Keystore keys are hardware-backed (StrongBox or TEE where available), non-exportable, and scoped to tight aliases. On iOS, review Keychain access groups and accessibility classes, Secure Enclave usage, ATS enforcement, and stray data in plists or NSUserDefaults. Regardless of platform, scrub logs and crash reports for tokens or keys, block screenshots on sensitive screens, and blank the app switcher preview so secrets do not linger in plain sight.
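Two of the checks above are cheap to script once the artifacts are off the device: reading the manifest for backup, debug, export and cleartext flags, and grepping a logcat capture for tokens and keys. The script below is an added example, not code from the original post; SAMPLE_MANIFEST and SAMPLE_LOG are constructed for illustration and the export rule assumes the pre-API-31 default (a component with an intent filter is exported unless told otherwise).

```python
"""Static checks on two artifacts pulled off a test device: the app's
AndroidManifest.xml (backup, debug, export and cleartext flags) and a logcat
capture (leaked tokens and keys). Added example, not code from the original
post; SAMPLE_MANIFEST and SAMPLE_LOG are constructed for illustration."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(manifest_xml: str) -> list:
    """Return human-readable findings for risky manifest settings."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return ["manifest has no <application> element"]
    findings = []
    # allowBackup defaults to true; on older Android versions that lets
    # `adb backup` pull app-private data without root.
    if _attr(app, "allowBackup") != "false":
        findings.append("allowBackup is not false: app data may be extractable via adb backup")
    if _attr(app, "debuggable") == "true":
        findings.append("debuggable=true: run-as and debugger attach are possible")
    if _attr(app, "usesCleartextTraffic") == "true":
        findings.append("usesCleartextTraffic=true: plain HTTP is allowed")
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        actions = {_attr(a, "name")
                   for f in comp.findall("intent-filter")
                   for a in f.findall("action")}
        if "android.intent.action.MAIN" in actions:
            continue  # launcher entry point, expected to be exported
        exported = _attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        # Assumed pre-API-31 default: a component with an intent-filter is exported.
        if exported == "true" or (exported is None and has_filter):
            if not _attr(comp, "permission"):
                findings.append(f"{comp.tag} {_attr(comp, 'name')} is exported without a permission")
    return findings


# Patterns for secrets that commonly end up in logs and crash reports.
SECRET_PATTERNS = {
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "bearer": re.compile(r"Bearer\s+[A-Za-z0-9._~+/=-]{16,}"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


def scan_log_for_secrets(log_text: str) -> list:
    """Return (line_number, pattern_name) for every log line that leaks a secret."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for name, rx in SECRET_PATTERNS.items():
            if rx.search(line):
                hits.append((lineno, name))
    return hits


# Constructed sample inputs (not from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.VIEW"/></intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.bank.SYNC"/>
    <provider android:name=".DataProvider" android:authorities="com.example.bank.data"
              android:exported="true"/>
  </application>
</manifest>"""

SAMPLE_LOG = """01-02 10:00:01.000  1234  1234 D AuthRepo: login ok user=42
01-02 10:00:01.050  1234  1234 D HttpLog : Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.abc123def456
01-02 10:00:02.000  1234  1234 E Crash   : AWS key AKIAIOSFODNN7EXAMPLE loaded from assets"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("MANIFEST:", finding)
    for lineno, name in scan_log_for_secrets(SAMPLE_LOG):
        print(f"LOG line {lineno}: {name}")
```

Launcher activities are skipped because they are exported by design; everything else exported without a permission is worth a look with `adb shell am start` or a content-provider query. Feed `adb logcat -d` output and crash-reporter exports into `scan_log_for_secrets` and extend the patterns with whatever token format the app under test uses.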


Runtime integrity


Assume the device is hostile. Bypass root or jailbreak detection, instrument the app with Frida or Objection, and repackage it to see whether signature checks matter. Break SSL pinning and request signing on the client to confirm the server still validates both. Anti-debugging and emulator checks should fail gracefully without locking out legitimate users, but they should slow tampering enough to give your back end time to notice.


Authentication and sessions


OAuth2 or OIDC with PKCE (S256, never plain) should be implemented with care: match redirect URIs exactly, validate state and nonce, issue single-use authorization codes, and rotate refresh tokens with reuse detection. Test session fixation and token replay; keep access tokens short-lived and, where possible, bound to a device or app instance (for example with DPoP or mTLS). Biometric flows need safe fallbacks and server-side re-verification for sensitive actions, so a local bypass does not equal account takeover.
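The checks that paragraph lists are easiest to see as the authorization server's own logic. The code below is an added example, not code from the original post or from any real authorization server: an in-memory server that matches redirect URIs exactly, accepts only S256, makes every authorization code single-use, issues short-lived access tokens, and treats a second presentation of a rotated refresh token as theft. The user id and the dict-backed stores are assumed stand-ins for a login session and a database.

```python
"""Authorization-server side of an OAuth2/OIDC authorization-code flow with PKCE:
exact redirect_uri matching, S256-only challenge verification, single-use codes,
short-lived access tokens and one-shot refresh-token rotation with reuse detection.
Added example, not code from the original post; the in-memory dicts stand in for
a real token store and the user id is fixed."""
import base64
import hashlib
import secrets

ACCESS_TOKEN_TTL = 300   # seconds; keep access tokens short-lived
MIN_STATE_LEN = 16


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce_pair():
    """Client side: random verifier and its S256 challenge (RFC 7636)."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def client_checks_callback(stored_state: str, returned_state: str) -> bool:
    """Client side: the callback must carry exactly the state this session sent."""
    return secrets.compare_digest(stored_state, returned_state)


class AuthServer:
    def __init__(self, registered_redirects):
        self.registered = set(registered_redirects)
        self.pending = {}          # code -> (code_challenge, redirect_uri)
        self.refresh_tokens = {}   # refresh_token -> user id
        self.rotated = set()       # refresh tokens already exchanged once

    def authorize(self, redirect_uri, state, code_challenge, code_challenge_method="S256"):
        # Exact match only: no prefix, substring or wildcard matching.
        if redirect_uri not in self.registered:
            raise ValueError("redirect_uri not registered")
        if not state or len(state) < MIN_STATE_LEN:
            raise ValueError("state missing or too short")
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted")   # 'plain' exposes the verifier
        code = secrets.token_urlsafe(32)
        self.pending[code] = (code_challenge, redirect_uri)
        return code

    def token(self, code, code_verifier, redirect_uri):
        entry = self.pending.pop(code, None)   # every code is single-use
        if entry is None:
            raise ValueError("unknown or already used code")
        challenge, bound_redirect = entry
        if redirect_uri != bound_redirect:
            raise ValueError("redirect_uri does not match the authorization request")
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not secrets.compare_digest(expected, challenge):
            raise ValueError("PKCE verification failed")
        return self._issue("user-42")   # assumed user id; a real server uses the login session

    def rotate(self, refresh_token):
        if refresh_token in self.rotated:
            # A rotated token presented again means it was copied; a real server
            # revokes the whole token family at this point.
            raise ValueError("refresh token reuse detected")
        user = self.refresh_tokens.pop(refresh_token, None)
        if user is None:
            raise ValueError("unknown refresh token")
        self.rotated.add(refresh_token)
        return self._issue(user)

    def _issue(self, user):
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = user
        return {"access_token": secrets.token_urlsafe(32),
                "expires_in": ACCESS_TOKEN_TTL,
                "refresh_token": refresh}


def rejected(fn, *args) -> bool:
    """True if the call is refused with ValueError (exercises the negative paths)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    srv = AuthServer(["https://app.example/cb"])
    verifier, challenge = make_pkce_pair()
    code = srv.authorize("https://app.example/cb", "s" * 16, challenge)
    print(srv.token(code, verifier, "https://app.example/cb"))
    print("replayed code rejected:", rejected(srv.token, code, verifier, "https://app.example/cb"))
```

When testing a real server, the same negative paths are the test cases: a registered URI with a suffix appended, a code presented twice, a wrong verifier, `code_challenge_method=plain`, and a refresh token replayed after rotation. Any of them succeeding is a finding.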


API abuse from the client side


Every mobile API is a chance for BOLA (IDOR) if the server assumes the app enforces ownership. Swap tokens between accounts, change object IDs, and watch whether server-side checks hold. Exercise rate limits and replay protections (nonces plus timestamps, with each nonce remembered for the whole acceptance window), and look for verbose error messages that spill clues. GraphQL or BFF layers should apply authorization consistently across API versions, and mTLS can add a layer when the posture justifies it.


Transport and network


TLS must be mandatory, with modern cipher suites and no cleartext fallback. Pin public keys (SPKI hashes) rather than leaf certificates, keep a backup pin and an expiration date so rotation does not brick the app, and watch for downgrade or MITM attempts, especially around captive portals. Android's network security config and iOS ATS should explicitly restrict which domains, certificates, and trust anchors are acceptable, shrinking the surface for abuse.
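On Android most of that policy lives in one XML file, which makes it easy to lint during a review. The linter below is an added example, not code from the original post; SAMPLE_CONFIG and its pin value are constructed, the 30-day warning threshold is an arbitrary choice, and ARTICLE_DATE is used as "today" so the result is reproducible.

```python
"""Lint for an Android network_security_config.xml: cleartext exceptions,
user-installed CAs trusted outside debug builds, pin sets without a backup pin or
an expiration date, pins about to expire, and debug-overrides that must not ship
in a debuggable release. Added example, not code from the original post; the
sample config and pin value are constructed."""
import datetime
import xml.etree.ElementTree as ET

PIN_WARN_DAYS = 30                                  # arbitrary warning threshold
ARTICLE_DATE = datetime.date(2025, 10, 14)          # used as "today" for a stable demo


def _domains(domain_config) -> str:
    return ", ".join(d.text.strip() for d in domain_config.findall("domain"))


def _trusts_user_cas(config) -> bool:
    return any(c.get("src") == "user" for c in config.findall("./trust-anchors/certificates"))


def audit_network_security_config(xml_text: str, today: datetime.date) -> list:
    """Return human-readable findings for a network_security_config.xml document."""
    root = ET.fromstring(xml_text)
    findings = []

    base = root.find("base-config")
    # The platform default depends on targetSdk (cleartext allowed below API 28),
    # so require an explicit "false" instead of relying on it.
    if base is None or base.get("cleartextTrafficPermitted") != "false":
        findings.append("base-config does not explicitly forbid cleartext traffic")
    if base is not None and _trusts_user_cas(base):
        findings.append("base-config trusts user-installed CAs: any added CA can intercept traffic")

    for dc in root.findall("domain-config"):
        names = _domains(dc)
        if dc.get("cleartextTrafficPermitted") == "true":
            findings.append(f"cleartext allowed for {names}")
        if _trusts_user_cas(dc):
            findings.append(f"user-installed CAs trusted for {names}: a manually added CA can MITM")
        pin_set = dc.find("pin-set")
        if pin_set is None:
            continue
        if len(pin_set.findall("pin")) < 2:
            findings.append(f"pin-set for {names} has no backup pin: key rotation will break the app")
        expiration = pin_set.get("expiration")
        if expiration is None:
            findings.append(f"pin-set for {names} never expires: no rotation plan encoded")
        else:
            days_left = (datetime.date.fromisoformat(expiration) - today).days
            if days_left < 0:
                # Android stops enforcing pins after the expiration date.
                findings.append(f"pin-set for {names} expired on {expiration}: pinning is silently off")
            elif days_left <= PIN_WARN_DAYS:
                findings.append(f"pin-set for {names} expires in {days_left} days: rotate now")

    if root.find("debug-overrides") is not None:
        findings.append("debug-overrides present: confirm release builds are not debuggable")
    return findings


# Constructed sample (the pin value is a placeholder, not a real SPKI hash).
SAMPLE_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.example.com</domain>
  </domain-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2025-11-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
    </pin-set>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </domain-config>
  <debug-overrides>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </debug-overrides>
</network-security-config>"""

if __name__ == "__main__":
    for finding in audit_network_security_config(SAMPLE_CONFIG, ARTICLE_DATE):
        print("NSC:", finding)
```

Pull the file from the decoded APK (`res/xml/` plus the `android:networkSecurityConfig` attribute in the manifest) and run it with the real date. An expired pin set is the finding most often missed in manual review because the app keeps working; it just stops pinning.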


Build and supply chain


Third-party SDKs bring baggage: permissions, trackers, and potential supply-chain compromise. Track provenance, keep versions current, and maintain an SBOM for dependencies. Protect signing keys, prefer reproducible builds, and keep CI secrets out of logs and artifacts. Ephemeral runners, static analysis tools like MobSF or Semgrep, and guarded store uploads make tampering harder.


When you find weaknesses, tie them back to MASVS controls, ship a Frida or proxy proof of concept, and add regression tests. Always assume the client is compromised; the server should be the last line that refuses to trust blindly.

