
Successful security assessment of our Android app

External audits 

Our Android app (version 2024.9) has successfully passed MASA, a standardized security assessment, conducted by NCC Group.

The assessment, called Mobile Application Security Assessment (MASA), is part of the App Defense Alliance, originally launched by Google but now part of the Linux Foundation.

It is different from our typical app audits (2018, 2020, 2022 and 2024), where we define a threat model and have an audit firm look at our code, binaries and the app running on various devices.

Instead, MASA is a standardized black-box assessment against a set of industry-recognized security and testing criteria. This means that no code was reviewed during this assessment. It has two assessment levels: Assessment Level 1 (AL1) and Assessment Level 2 (AL2). Both require an authorized independent test lab, but AL2 is a bit more in-depth and includes a manual assessment in comparison to AL1. In our case we conducted an AL2 assessment using NCC Group as our test lab.

The testing criteria are based on the work of OWASP, which continuously develops and publishes the following two standards:

To summarize the result of the assessment, the Android app passed all controls without the need for any fixes or modifications. You can check out the result in the App Defense Alliance Directory entry here or directly download the certificate here. As another result of the assessment, our app has now been marked with a Verified badge (also shown as Independently verified and Independent security review) in the Google Play Store.