OWASP MASVS Verified: Cryptomathic MASC Meets All Applicable Controls

Cryptomathic has completed an independent security assessment of the Mobile Application Security Core (MASC) with NowSecure. The engagement covered iOS and Android builds of the MASC library and a reference application during Q3 2025. Testing aligned to the OWASP Mobile Application Security Verification Standard (MASVS) and used the Mobile Application Security Testing Guide (MASTG) for test execution. 

Scope and Method 

NowSecure performed static and dynamic analysis, reverse engineering attempts, forensic data review, and network security testing across both stock and compromised devices where relevant. The assessment focused on MASC’s protections as delivered in the SDK and exercised through the reference app provided by Cryptomathic. 

Results 

All applicable MASVS controls for the assessed scope were passed. NowSecure reported no exploitable findings in the tested versions during the engagement window. The testing observed effective protections against reverse engineering, hooking and debugging frameworks, and memory inspection techniques. Certificate pinning bypass attempts and malicious accessibility abuse were blocked. Traffic protections prevented man-in-the-middle interception and modification in the evaluated scenarios. No sensitive data was observed in logs, snapshots, or other artifacts during forensic review. These results highlight the value of aligning to a recognized mobile security benchmark like OWASP MASVS. 

Why MASVS Matters for Financial Services 

Financial apps are among the most attractive targets for attackers, which makes a neutral and testable security benchmark essential. MASVS is widely recognized across the industry as the most comprehensive, vendor-independent baseline for mobile application security. It maps directly to the threat profile of banking, wallet, and payment apps—covering sensitive data at rest, authentication, cryptography hygiene, secure communications, and resilience against reverse engineering. By aligning with MASVS, financial institutions gain an assessment framework that auditors, regulators, and developers can all interpret consistently. This allows for benchmarking across providers, simplifies compliance discussions, and ensures that security controls focus on the risks that matter most in mobile finance. 

What This Means for Customers 

For customers, the practical takeaway is straightforward. This result confirms that MASC’s protective measures, code hardening, secret handling, and runtime checks meet the MASVS requirements relevant to the tested scope. Final MASVS conformance for a production app still depends on the host application’s own implementation choices, platform settings, and secure development practices. 

Continuous Improvement 

Our security engineering and QA teams track emerging attack tooling and OS changes, review dependencies for known CVEs, and run ongoing tests with banking and wallet issuers. We treat third-party assessment as a recurring control, not a one-off event, ensuring resilience as mobile threat tooling and OS platforms evolve. 

Independent Attestation 

A summary attestation from NowSecure, including scope and versions, is available under NDA. Please contact us if you need to reference these results in your internal risk reviews. 

Next Steps 

If you are evaluating controls for MASVS, DORA, PCI MPoC, or eIDAS-aligned mobile apps, we can map MASC to your requirements and provide a short pilot plan. 
