Creating an IoT-connected Mobile App Compliance Program Leveraging OWASP MASVS


Authors:   Brian Reed


The presentation discusses the creation of a certification and testing regime for IoT-connected mobile apps and VPNs, built on OWASP's 20 years of history and documentation.
  • Mobile apps dominate usage in the market and have security vulnerabilities.
  • The OWASP Mobile Project was created to address mobile app security issues.
  • The prevalence of insecure data storage and network connections in mobile apps is similar to cross-site scripting in web apps.
  • The ioXt Alliance created a standard for certifying the security of IoT devices and expanded it to cover the mobile apps that connect to them.
  • OWASP's 20 years of history and documentation were used to create a certification and testing regime for IoT-connected mobile apps and VPNs.
  • The speaker's company is a financial sponsor of the OWASP Mobile Project and participates in creating tools and standards for mobile app security.
The speaker has been involved in mobile security since the days of BlackBerry and has partnered with Apple and Google. Mobile apps have become a significant part of the digital economy, with 130 billion apps downloaded during the pandemic alone. However, 85% of all apps have security vulnerabilities, with insecure data storage and insecure network connections being the most prevalent issues. The OWASP Mobile Project and ioXt were created to address these issues and provide certification and testing regimes for mobile app security.


Abstract: The OWASP MASVS specification is the ultimate guide for mobile app security. In late 2020, Google, NowSecure, Amazon and other IoT device manufacturers, as part of the ioXt Alliance, partnered to create a mobile app protection profile specifically for security certification of mobile apps connected to IoT devices. From the start, the team of security veterans, who were well versed in the OWASP MASVS, sought to build upon the OWASP community work, with a specific focus on the unique needs of IoT-connected mobile apps. The outcome of this fast work launched in April 2021 with numerous IoT manufacturers already certified. Join this session led by Brooke Davis, Google Android Security Team, and Brian Reed, Chief Mobility Officer at NowSecure, to learn the inside story of the journey of creating this unique certification program and how to create your own security testing program for mobile apps connected to things.

