OWASP MASVS – Mobile Application Security Verification Standard Testing

Manual mobile security verification aligned to OWASP MASVS, for iOS, Android, and the APIs that power them.

The OWASP Mobile Application Security Verification Standard is the industry-recognised framework for defining and verifying the security requirements of mobile applications. Used by development teams, enterprise procurement functions, and security auditors worldwide, MASVS provides a structured, evidence-backed baseline for what secure mobile application development looks like in practice. Our CREST-accredited consultants deliver manual, expert-led MASVS testing and reporting across all levels — giving your organisation independently verified evidence of your mobile application’s security posture.

Discuss Your MASVS Requirements >

Service Overview

What is OWASP MASVS?

The OWASP Mobile Application Security Verification Standard (MASVS) is a community-driven framework that defines security requirements for mobile applications — covering iOS, Android, and the back-end services they depend on. It works alongside the OWASP Mobile Application Security Testing Guide (MASTG), which provides the detailed testing procedures used to verify each requirement.

MASVS is structured around security control categories rather than a simple numbered tier — covering storage, cryptography, authentication, network communication, platform interaction, code quality, and resilience. Each category contains requirements that can be verified at L1 (standard security) or L2 (defence in depth), with an additional resilience profile (MASVS-R) for applications that require protection against reverse engineering and tampering.

MASVS has been adopted across the industry — by mobile development teams building secure-by-design applications, by enterprise procurement teams setting minimum security requirements for third-party mobile software, and by compliance functions requiring independent evidence of mobile application security controls.

Pentest Limited - OWASP MASVS

MASVS Levels & Profiles

What Our Mobile Application Testing Covers

Our testing is aligned with the OWASP and scoped specifically to your application. Every assessment is conducted manually by our consultants, supported by specialist tooling where a

MASVS-L1 — Standard Security

L1 represents the minimum security baseline that all mobile applications should meet. It covers the most fundamental security requirements, secure data storage, safe network communication, correct use of platform APIs, and baseline code quality, and is appropriate for any application regardless of its risk profile.

L1 verification can be achieved through dynamic and static analysis of the application and is the starting point for any organisation beginning a MASVS programme. It provides documented evidence of baseline security posture suitable for procurement and compliance purposes.

Appropriate for: All mobile applications as a minimum baseline, applications with limited sensitive data handling, and as the first phase of a broader MASVS programme.

MASVS-L2 — Defence in depth

L2 goes beyond baseline requirements to verify that an application implements defence in depth — meaning that even if one control fails, additional layers of security remain in place. It is appropriate for applications handling sensitive personal data, performing significant financial transactions, or operating in regulated industries where a security failure carries material consequences.

L2 verification requires deeper assessment than L1 alone — including authenticated testing, local data storage analysis, and structured verification of controls that cannot be assessed from the outside. The result is a comprehensive, evidence-backed assessment of your application's security posture against the full MASVS requirement set.

Appropriate for: Applications handling healthcare data, financial transactions, personal data at scale, and any mobile application where security failure would have significant operational, regulatory, or reputational consequences.

MASVS-R — Resilience

MASVS-R can be applied in addition to L1 or L2 verification and addresses a distinct set of requirements — the application's resistance to reverse engineering, tampering, and client-side attack. It is relevant for applications where the integrity of the client-side code is critical, such as mobile banking applications, DRM-protected content platforms, and applications containing sensitive business logic that must not be exposed.

MASVS-R verification assesses the effectiveness of anti-tampering controls, obfuscation, jailbreak and root detection, and other client-side protections — testing whether they can be bypassed by a motivated attacker with physical access to the device.

Appropriate for: Mobile banking and fintech applications, DRM and content protection platforms, applications containing proprietary business logic, and any context where client-side integrity is a security requirement.

Our MASVS Services

Pentest MASVS Services

Our MASVS assessments are scoped to your application and conducted manually by our directly employed, CREST-certified consultants, supported by specialist mobile testing tooling. Every finding is the result of active manual investigation, not automated scanner output.

L1 — MASVS-Aligned Penetration Testing & Reporting

MASVS L1 requirements are addressed as part of our standard mobile application penetration testing. However, a standard test report does not provide the structured evidence needed to satisfy L1 verification requirements for procurement or compliance purposes.

Where documented MASVS evidence is required, we provide MASVS-aligned reporting alongside our standard assessment. This includes a completed verification checklist mapped to L1 requirements, test results documented against each MASVS control — including both passed and failed items — and clear remediation guidance for any failed requirements.

L2 and MASVS-R — Mobile Application Security Verification

L2 and MASVS-R require a more comprehensive programme of assessment than penetration testing alone. Many controls at these levels require authenticated access, local storage analysis, binary reverse engineering, and structured verification procedures conducted in collaboration with your development team.

Our L2 and MASVS-R engagements are scoped individually to the application under review. We work with your team to understand the application's architecture, data flows, platform dependencies, and technology stack before agreeing the assessment approach — ensuring our verification covers the controls most relevant to your application and delivers the evidence your compliance or procurement process requires.

Every L2 and MASVS-R engagement is conducted manually by directly employed, CREST-certified consultants — producing a verified, evidence-backed report mapped to the full MASVS requirement set at the relevant level.

Our MASVS Clients

Who We Work With

Application Developers & Product Teams

Using MASVS as a secure development framework and requiring independent verification that their application meets the standard before release or as part of a continuous security programme.

Enterprise Procurement Teams

Requiring third-party mobile applications to demonstrate MASVS compliance as a condition of procurement, or verifying the security posture of mobile software under consideration.

Regulated industries

Healthcare, financial services, and other regulated sectors where mobile application security requirements are increasingly framed around recognised standards, and where independent evidence of security controls is required for audit or regulatory purposes.

Organisations Requiring MASVS-R

Where the integrity of client-side code is a security requirement and resistance to reverse engineering and tampering must be independently verified.

Contact Us

Discuss your MASVS requirements

Whether you’re working towards initial L1 verification or need a full L2 and MASVS-R assessment, fill in the form below and a member of our team will be in touch within one business day.