Mobile app protection

Practice / 01 Mobile app protection checklist

The following checklist is designed to help you assess a particular app’s protection level, in order to verify that it is ready for distribution. You can also use it as a checklist for assessing a properly comprehensive protection solution. The checklist references the threats, prevention mechanisms, and four layers of mobile app protection described earlier in this guide.

You have formulated a threat model, and your team has identified the components and assets in your application that are most likely to be targeted by attackers; you are familiar with the OWASP MASVS requirements and committed to fulfilling them; you have an understanding of the threats that your app faces; and you are aware of some mechanisms that can be applied to prevent and mitigate those threats. What now?

The next step is to ensure that your application is as resilient as possible, making full use of those mechanisms.

Here it is especially important to bear in mind two points that we have tried to emphasize throughout this guide:

  • Protection is not a replacement or alternative to developing secure applications; it is an important supplement to it.
  • Mobile application protection is ineffective if it is not comprehensive, which is why protection mechanisms must be layered and interlinked.

The idea is to assess whether your app satisfies each requirement.

For interoperability with the OWASP Mobile Application Security (MAS) checklist (https://mas.owasp.org/checklists/), each row of the table refers to the related MAS IDs/categories.

Each entry below gives the prevention & mitigation mechanism (the entry title), the check to perform, the protection layer it belongs to, the threats it addresses, and the related OWASP MAS categories.

Code & Resource Hardening (Obfuscation, Encryption, Virtualization, Stripping):

Check: Are all executables encrypted? Are any sensitive strings, logic, debugging code, symbols, or native libraries comprehensible in the event of disassembly/decompilation?

  • Protection layer: Code & Resource Hardening
  • Threats: Decompilation & modification; Dynamic tampering; Mobile app fraud
  • Related OWASP MAS categories: MSTG-CODE-3, MSTG-CODE-4, MSTG-RESILIENCE-9*, MSTG-RESILIENCE-11, MSTG-RESILIENCE-12

Root, Jailbreak & Custom Firmware Detection & Prevention:

Check: Does the app detect the presence of known dynamic instrumentation tools, or the attempt to interfere with its process?

  • Protection layer: Secure Runtime Environment
  • Threats: Dynamic tampering; Mobile app fraud; Network communications interception
  • Related OWASP MAS categories: MSTG-RESILIENCE-1, MSTG-RESILIENCE-9*

Dynamic Binary Instrumentation Detection & Prevention:

Check: Does the app detect the presence of known dynamic instrumentation tools, or the attempt to interfere with its process?

  • Protection layer: Secure Runtime Environment
  • Threats: Dynamic tampering; Mobile app fraud; Network communications interception
  • Related OWASP MAS categories: MSTG-RESILIENCE-3, MSTG-RESILIENCE-4, MSTG-RESILIENCE-6, MSTG-RESILIENCE-9*

Debugger Detection & Prevention:

Check: Does the app detect an attempt to attach a debugger to its process?

  • Protection layer: Secure Runtime Environment
  • Threats: Dynamic tampering
  • Related OWASP MAS categories: MSTG-CODE-2, MSTG-RESILIENCE-2, MSTG-RESILIENCE-9*

App Wrapper Detection & Prevention:

Check: Does the app detect an attempt to run it within an app wrapper?

  • Protection layer: Secure Runtime Environment
  • Threats: Virtualized environments
  • Related OWASP MAS categories: MSTG-RESILIENCE-9*

Emulator Detection & Prevention:

Check: Does the app detect an attempt to run it via an emulator?

  • Protection layer: Secure Runtime Environment
  • Threats: Virtualized environments
  • Related OWASP MAS categories: MSTG-RESILIENCE-5, MSTG-RESILIENCE-9*
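The runtime-environment entries above (root/jailbreak, dynamic instrumentation, debugger and emulator detection) name the checks without showing how they are built. The following Python sketch is an added example, not code from the original guide: it reads the TracerPid field of a /proc/self/status document to spot a ptrace-attached tracer, looks for well-known root artifacts, and matches system-property values against emulator fingerprints, then combines the three independent signals into one verdict. It assumes a Linux-style /proc filesystem as on Android; the artifact paths and property values are a hypothetical, abbreviated list, and the property snapshot used for the demonstration is constructed.

```python
"""Runtime-environment checks (debugger, root artifacts, emulator hints).

Added example, not code from the original guide. Assumes a Linux-style
/proc filesystem such as Android's; the artifact paths and property
values below are a hypothetical, abbreviated indicator list.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Mapping, Sequence

# Hypothetical, abbreviated indicator lists. A shipped product keeps these
# obfuscated (MSTG-RESILIENCE-9) and updates them as tooling changes.
ROOT_ARTIFACT_PATHS: Sequence[str] = (
    "/system/xbin/su",
    "/system/bin/su",
    "/sbin/su",
    "/system/app/Superuser.apk",
)
EMULATOR_PROPERTY_HINTS: Mapping[str, Sequence[str]] = {
    "ro.kernel.qemu": ("1",),
    "ro.hardware": ("goldfish", "ranchu"),
    "ro.product.model": ("sdk", "emulator"),
}

_TRACER_RE = re.compile(r"^TracerPid:\s*(\d+)\s*$", re.MULTILINE)


def tracer_pid_from_status(status_text: str) -> int:
    """Return the TracerPid field of a /proc/<pid>/status document.

    A non-zero value means another process has ptrace-attached (a debugger,
    strace, or a ptrace-based instrumentation tool). Returns -1 when the
    field is absent, so that "unknown" is never mistaken for "clean".
    """
    match = _TRACER_RE.search(status_text)
    return int(match.group(1)) if match else -1


def debugger_attached(status_path: str = "/proc/self/status") -> bool:
    """True when a tracer is attached, or when the status file is unreadable
    (a hostile environment can hide /proc, so fail closed)."""
    try:
        with open(status_path, encoding="ascii", errors="replace") as fh:
            return tracer_pid_from_status(fh.read()) != 0
    except OSError:
        return True


def root_artifacts_present(paths: Iterable[str] = ROOT_ARTIFACT_PATHS) -> List[str]:
    """Return the well-known root artifacts that exist on this filesystem."""
    return [p for p in paths if os.path.exists(p)]


def find_emulator_indicators(
    properties: Mapping[str, str],
    hints: Mapping[str, Sequence[str]] = EMULATOR_PROPERTY_HINTS,
) -> List[str]:
    """Return the names of build properties whose values match a known
    emulator fingerprint. `properties` is a snapshot of the system
    properties (for instance parsed `getprop` output); matching is a
    case-insensitive substring test, deliberately loose."""
    found = []
    for name, patterns in hints.items():
        value = properties.get(name, "").lower()
        if any(p.lower() in value for p in patterns):
            found.append(name)
    return found


@dataclass
class RuntimeVerdict:
    debugger: bool
    root_artifacts: List[str] = field(default_factory=list)
    emulator_indicators: List[str] = field(default_factory=list)

    @property
    def hostile(self) -> bool:
        """Any single signal is enough to treat the environment as untrusted."""
        return self.debugger or bool(self.root_artifacts) or bool(self.emulator_indicators)


def assess_runtime(
    properties: Mapping[str, str],
    status_path: str = "/proc/self/status",
    root_paths: Iterable[str] = ROOT_ARTIFACT_PATHS,
) -> RuntimeVerdict:
    """Run all three checks and combine them. They are independent, so
    defeating one of them does not silence the others."""
    return RuntimeVerdict(
        debugger=debugger_attached(status_path),
        root_artifacts=root_artifacts_present(root_paths),
        emulator_indicators=find_emulator_indicators(properties),
    )


if __name__ == "__main__":
    # Constructed property snapshot resembling an emulator image.
    sample_props = {"ro.hardware": "ranchu", "ro.product.model": "sdk_gphone64_x86_64"}
    print(assess_runtime(sample_props))
```

The point of the combined verdict is the footnote on MSTG-RESILIENCE-9: each signal is cheap to bypass on its own, so the checks are kept independent, the logic is obfuscated and integrity-protected in a real build, and an unreadable /proc is treated as hostile rather than as a pass.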

Domain Certificate Checks (Public Key Pinning & Certificate Transparency):

Check: Does the app perform its own certificate validation checks on remote endpoints?

  • Protection layer: Secure Network Communications
  • Threats: Network communications interception
  • Related OWASP MAS categories: MSTG-NETWORK-1, MSTG-NETWORK-2, MSTG-NETWORK-3, MSTG-NETWORK-4, MSTG-RESILIENCE-9*, MSTG-RESILIENCE-13
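To make the public-key pinning part of the entry above concrete, here is an added Python example (not code from the original guide) that extracts the SubjectPublicKeyInfo from a DER certificate with a minimal DER walker, derives the "sha256/" + base64 pin format used by HPKP and OkHttp, and accepts a chain only if one of its certificates carries a pinned key. The certificate and key it demonstrates on are constructed (an unsigned X.509 shell around a made-up key), so it runs offline; the names `spki_from_certificate`, `spki_pin` and `chain_satisfies_pins` are this example's own.

```python
"""Public-key (SPKI) pinning check for a presented certificate chain.

Added example, not code from the original guide. Pin format: "sha256/" +
base64(SHA-256(DER SubjectPublicKeyInfo)), as used by HPKP and OkHttp.
The DER walker handles only the definite-length encodings found in X.509,
and the certificate used below is a constructed, unsigned fake.
"""
import base64
import hashlib
from typing import Sequence, Tuple


def _der_tlv(data: bytes, pos: int) -> Tuple[int, int, int]:
    """Parse the DER tag/length at `pos`; return (tag, value_start, value_end)."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER element")
    tag, length = data[pos], data[pos + 1]
    value_start = pos + 2
    if length & 0x80:                        # long form: count of length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(data[value_start:value_start + nbytes], "big")
        value_start += nbytes
    value_end = value_start + length
    if value_end > len(data):
        raise ValueError("DER element overruns buffer")
    return tag, value_start, value_end


def spki_from_certificate(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, tbs_start, _ = _der_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, pos, _ = _der_tlv(cert_der, tbs_start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, elem_end = _der_tlv(cert_der, pos)
    if tag == 0xA0:                          # explicit [0] version (v2/v3 only)
        pos = elem_end
    for _ in range(5):                       # serialNumber, signature, issuer, validity, subject
        _, _, pos = _der_tlv(cert_der, pos)
    tag, _, spki_end = _der_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[pos:spki_end]


def spki_pin(spki_der: bytes) -> str:
    """Pinning the key rather than the whole certificate survives a
    certificate renewal that keeps the same key pair."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_satisfies_pins(chain_der: Sequence[bytes], pins: Sequence[str]) -> bool:
    """True if any certificate in the (already path-validated) chain carries a
    pinned key. Run after normal TLS validation, never instead of it, and ship
    at least one backup pin so that a key rotation cannot brick the app."""
    pinned = set(pins)
    return any(spki_pin(spki_from_certificate(cert)) in pinned for cert in chain_der)


# ---- constructed fixtures (not real certificates or keys) -------------------

def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def sample_spki() -> bytes:
    """A SubjectPublicKeyInfo whose key bytes are a constructed pattern."""
    algorithm = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _tlv(0x05, b""))
    key_bits = _tlv(0x03, b"\x00" + bytes(range(1, 65)))
    return _tlv(0x30, algorithm + key_bits)


def build_fake_certificate(spki_der: bytes, with_version: bool = True) -> bytes:
    """Wrap `spki_der` in a structurally valid but unsigned X.509 shell."""
    sig_alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0c, b"example"))))
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
    tbs_body = _tlv(0xA0, _tlv(0x02, b"\x02")) if with_version else b""
    tbs_body += _tlv(0x02, b"\x01") + sig_alg + name + validity + name + spki_der
    signature = _tlv(0x03, b"\x00" * 33)
    return _tlv(0x30, _tlv(0x30, tbs_body) + sig_alg + signature)


if __name__ == "__main__":
    cert = build_fake_certificate(sample_spki())
    pin = spki_pin(spki_from_certificate(cert))
    print(pin, chain_satisfies_pins([cert], [pin]))
```

Two design points matter in practice: the pin set should contain the leaf or an intermediate key plus a backup key that is not yet deployed, and the comparison is made against every certificate in the chain so that pinning an intermediate keeps working when the leaf is reissued. Certificate Transparency, the other half of the entry, is a separate check (verifying embedded SCTs) and is not shown here.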

Dependency Validation:

Check: Is the app free from vulnerable or malicious dependencies?

  • Protection layer: Application Integrity and Anti-Tampering**
  • Threats: Malware; Network communications interception; Mobile app fraud
  • Related OWASP MAS categories: MSTG-CODE-5
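One concrete control behind the dependency-validation entry is hash-pinning every third-party artifact in a lockfile and refusing to build if the fetched bytes differ. The following Python example is added here and is not code from the original guide; its lockfile format (`name@version sha256=<hex>` per line) is a constructed, minimal stand-in for the hash-pinned lockfiles of real package managers, and the artifacts it checks are constructed byte strings. It covers substituted or tampered artifacts; it does not replace vulnerability scanning of known-bad versions, which is the other half of that check.

```python
"""Lockfile-based dependency validation.

Added example, not code from the original guide. The lockfile format
(`name@version sha256=<hex>` per line) is a constructed, minimal stand-in
for the hash-pinned lockfiles of real package managers.
"""
import hashlib
import hmac
from typing import Dict, List, Mapping


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lockfile(reviewed: Mapping[str, bytes]) -> str:
    """Record the digest of every artifact as it was when it was reviewed.
    This happens once, at review time, never at build time."""
    lines = [f"{name} sha256={sha256_hex(data)}" for name, data in sorted(reviewed.items())]
    return "\n".join(lines) + "\n"


def parse_lockfile(text: str) -> Dict[str, str]:
    """Parse the lockfile strictly: unknown algorithms, malformed digests and
    duplicate entries are errors, because a silently ignored line is a
    dependency that is no longer verified."""
    pins: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or "=" not in parts[1]:
            raise ValueError(f"lockfile line {lineno} is malformed: {raw!r}")
        name, digest = parts
        algo, value = digest.split("=", 1)
        if algo != "sha256" or len(value) != 64 or any(c not in "0123456789abcdefABCDEF" for c in value):
            raise ValueError(f"lockfile line {lineno}: unsupported or malformed digest")
        if name in pins:
            raise ValueError(f"lockfile line {lineno}: duplicate entry for {name}")
        pins[name] = value.lower()
    return pins


def verify_dependencies(lock_text: str, fetched: Mapping[str, bytes]) -> List[str]:
    """Compare freshly fetched artifacts against the lockfile.

    Returns a list of problems (empty means the build may proceed). Three
    failure modes are reported: an artifact whose bytes changed since review,
    an artifact that was fetched but never pinned (a typosquat or injected
    dependency), and a pinned artifact that is missing from the fetch.
    """
    pins = parse_lockfile(lock_text)
    problems: List[str] = []
    for name, data in sorted(fetched.items()):
        if name not in pins:
            problems.append(f"unpinned: {name}")
        elif not hmac.compare_digest(sha256_hex(data), pins[name]):
            problems.append(f"hash mismatch: {name}")
    for name in sorted(pins):
        if name not in fetched:
            problems.append(f"missing: {name}")
    return problems


if __name__ == "__main__":
    # Constructed artifacts standing in for downloaded library bundles.
    reviewed = {"libfoo@1.2.0": b"constructed library bytes A",
                "libbar@0.9.1": b"constructed library bytes B"}
    lock = build_lockfile(reviewed)
    tampered = dict(reviewed, **{"libfoo@1.2.0": b"constructed library bytes A plus a patch"})
    print(verify_dependencies(lock, reviewed))   # []
    print(verify_dependencies(lock, tampered))   # ['hash mismatch: libfoo@1.2.0']
```

The strict parser is deliberate: a lockfile line that fails to parse must stop the build, since the alternative (skipping it) quietly removes that dependency from verification, which is exactly the gap an attacker substituting a package would rely on.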

* MSTG-RESILIENCE-9: ‘Obfuscation is applied to programmatic defenses, which in turn impede de-obfuscation via dynamic analysis.’ In other words, the logic defining each of these protection mechanisms in your app must itself be resistant to reverse engineering. We would add that the mechanisms’ integrity must be guaranteed so that they cannot be removed or bypassed.

** As we have stressed throughout this guide, and especially in the page on the Four Layers of Mobile App Protection, guaranteeing the integrity of the code, resources, and application package is fundamental to ensuring a secure runtime environment and secure network communications, and one crucial aspect of code and resource integrity is encryption. In other words, although we have referenced the protection layers here in isolation, it is vital that they are combined in order to ensure comprehensive protection.