Runtime Defense
Runtime attacks bypass perimeter and backend controls (hooking, overlays, instrumentation, replay).
MASC: MOBILE APP SECURITY FOR REGULATED APPS
MASC is Cryptomathic’s mobile app security platform, combining in‑app protection (MASC Core SDK) with server‑side verification and policy (MASC Assurance) - to reduce mobile fraud, protect secrets and sessions, and help teams support audit readiness without slowing development.
Device Exposure
Tokens, secrets, and IP are exposed on compromised devices.
Compliance Pressure
Mobile compliance frameworks increasingly expect in-app controls and demonstrable evidence.
Operational Tension
Development teams struggle to balance UX, security, and release velocity.
WHAT IS MASC?
MASC is a two-layer approach to mobile app security:
1. MASC Core (in-app SDK) embeds runtime protection, anti-tamper controls, secure storage, and network hardening directly into iOS and Android apps.
2. MASC Assurance (server-side) verifies mobile integrity signals, applies policy, and issues backend trust decisions - enabling centralized reactions and audit-grade visibility.
MASC is designed to help security teams reduce client-side risk without forcing major architectural change - and to help product teams ship quickly while keeping high-value flows protected.
Key Outcomes:
-
Detect and mitigate runtime manipulation and malware in the mobile channel
-
Protect code, assets, credentials, and sessions on the device
-
Strengthen API communication and session integrity
-
Support audit readiness through documentation, mappings, and evidence options
EXTENDING IN-APP PROTECTION WITH SERVER-SIDE VERIFICIATION
When paired with MASC Assurance, runtime signals from the SDK are verified server-side and evaluated against security policy. This enables device binding, centralized reactions, proof-of-possession and audit-grade evidence - without requiring an app redeploy.
Key Outcomes:
-
Over-the-air policy updates (govern reactions centrally)
-
Centralized reactions to mobile threats (allow / crash / report / block)
-
Reduced fraud exposure and faster audit preparation through consistent evidence
Native SDKs for Android and iOS.
Supports React Native, Flutter, and hybrid frameworks (scope/approach documented during onboarding).
Kotlin, Java, Swift, and Objective-C support.
Works with modern build tooling (Gradle, Xcode.
Separate dev, test, and production builds.
Designed for minimal code changes with integration guidance available.
Control mappings to OWASP MASVS and ENISA MAS (available on request).
PCI DSS 4.0 and PCI MPoC mappings (where applicable / available).
Supports step-up and risk-based controls for high-value flows (e.g., strong customer authentication use cases or PSD2).
Audit-friendly telemetry and evidence support options (privacy-conscious by design).
Tier 1 European Bank – Mobile Banking App
To meet customer demand, a large European bank launched a feature-rich mobile banking app for their retail customers.
.png?width=548&height=288&name=MASC%20DATA%20SHEETS%20(1).png)
Securing Mobile Banking Apps With MASC
Understand the threat landscap, how MASC's evolutionary security strategy can overcome them and provide 360º protections against attacks.
BOSA's Mobile Identity Wallet Transformation
By leveraging Cryptomathic's Mobile App Security Core (MASC), BOSA successfully enhanced the security and scalability of its mobile identity wallet.
Selecting The Right Mobile App Security Solution
Explore the mobile security threat landscape and learn how to evaluate and select the right layered, adaptive application security solution.