Threat Model · OWASP MASVS (iOS)
Generated 2026-05-07 · Costco iOS
Executive summary
The OWASP Mobile Application Security Verification Standard (MASVS) defines security controls across 8 categories. Below is the current state per control, with platform-specific evidence. Threat scenarios at the bottom show realistic attack paths and what currently mitigates them.
OWASP MASVS coverage — iOS
| Category | ID | Control | Status | Evidence |
|---|---|---|---|---|
| STORAGE | MSTG-STORAGE-1 | App stores sensitive data only in suitable locations (Keychain / EncryptedSharedPreferences) | PASS | Storage SPM + Keychain wrappers |
| STORAGE | MSTG-STORAGE-2 | Sensitive data is not stored in app-public storage / external storage / pasteboard | VERIFY | Audit UserDefaults for non-prefs data |
| STORAGE | MSTG-STORAGE-3 | Sensitive data is not written to logs | REVIEW | 30+ print() calls; switch to os.Logger, whose interpolated values are redacted (.private) by default, and mark only non-sensitive fields .public |
| STORAGE | MSTG-STORAGE-7 | App removes sensitive data from views when backgrounded | FAIL | No privacy overlay on backgrounding for sensitive screens |
| CRYPTO | MSTG-CRYPTO-1 | App does not rely on symmetric crypto with hardcoded keys | VERIFY | Audit any hardcoded keys in plist/code |
| CRYPTO | MSTG-CRYPTO-3 | App uses cryptographic primitives appropriate to the use case | PASS | AES-GCM via Keychain item encryption (SecItemAdd / SecItemCopyMatching); no app-level primitives to review |
| CRYPTO | MSTG-CRYPTO-6 | App uses secure random for security purposes | PASS | SecRandomCopyBytes used for OIDC nonces |
| AUTH | MSTG-AUTH-1 | If users authenticate, the auth happens server-side, not client-side | PASS | OIDC + passkey via NokNok |
| AUTH | MSTG-AUTH-7 | App enforces secondary factor when accessing sensitive operations | PASS | Face ID / Touch ID re-prompt on iOS (BiometricPrompt is the Android counterpart) |
| AUTH | MSTG-AUTH-8 | Biometric authentication is not bound to login state alone (uses keystore-bound key) | VERIFY | Confirm the biometric key is Secure Enclave-resident (kSecAttrTokenIDSecureEnclave) with kSecAccessControlBiometryCurrentSet, so it is invalidated when biometrics are re-enrolled |
| NETWORK | MSTG-NETWORK-1 | Data is encrypted on the network using TLS | PARTIAL | Main app yes; the Notification Service Extension (NSE) Info.plist sets NSAllowsArbitraryLoads, disabling ATS for that target |
| NETWORK | MSTG-NETWORK-2 | TLS settings are in line with current best practice | VERIFY | ATS defaults to TLS 1.2 minimum; confirm no NSExceptionMinimumTLSVersion or NSExceptionDomains entries lower it |
| NETWORK | MSTG-NETWORK-3 | App verifies the X.509 certificate of the remote endpoint when TLS is used | PASS | CostcoServerTrustManager pins certs |
| NETWORK | MSTG-NETWORK-4 | App uses its own certificate store / public-key pinning | PASS | Pinning via CostcoServerTrustManager (same evidence as MSTG-NETWORK-3) |
| PLATFORM | MSTG-PLATFORM-1 | App uses appropriate IPC mechanisms | REVIEW | Universal Links + URL schemes audit |
| PLATFORM | MSTG-PLATFORM-2 | All inputs from external sources and the user are validated | PARTIAL | URL(string:)! force-unwraps on external URLs; try! on regex built from external input |
| PLATFORM | MSTG-PLATFORM-5 | JavaScript is disabled in WebViews unless explicitly required | REVIEW | WKWebView evaluateJavaScript audit |
| PLATFORM | MSTG-PLATFORM-7 | If native methods of the app are exposed to a WebView, ensure obfuscation/encryption | N/A | WKWebView has no JavascriptInterface equivalent; native exposure is only via WKScriptMessageHandler, audited under MSTG-PLATFORM-5 |
| CODE | MSTG-CODE-2 | Released app is built in release mode with debug code excluded | VERIFY | Confirm Release build settings strip debug |
| CODE | MSTG-CODE-3 | Debugging symbols and detailed error messages are removed | VERIFY | Confirm STRIP_INSTALLED_PRODUCT=YES and DEBUG_INFORMATION_FORMAT=dwarf-with-dsym in Release; dSYMs uploaded to Crashlytics only, never shipped in the bundle |
| CODE | MSTG-CODE-4 | App catches and handles all exceptions | PARTIAL | try! patterns crash on any thrown error |
| RESILIENCE | MSTG-RESILIENCE-1 | App detects and responds to a rooted/jailbroken device | FAIL | No jailbreak detection |
| RESILIENCE | MSTG-RESILIENCE-2 | App detects and responds to debugger attachment | FAIL | No sysctl(KERN_PROC) P_TRACED check and no ptrace(PT_DENY_ATTACH) |
| RESILIENCE | MSTG-RESILIENCE-3 | App detects and responds to tampering | PARTIAL | ThreatMetrix; no DTAppleAttestation usage detected |
| RESILIENCE | MSTG-RESILIENCE-7 | App implements obfuscation | VERIFY | Symbol stripping in release build settings |
| PRIVACY | MSTG-PRIVACY-1 | App declares the data it collects in the app store privacy disclosures | VERIFY | App Store privacy nutrition labels alignment |
| PRIVACY | MSTG-PRIVACY-2 | App provides a Privacy Manifest / data-extraction rules | FAIL | PrivacyInfo.xcprivacy required for App Store submissions since 2024; not confirmed present in the app or SDK targets |
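The MSTG-AUTH-8 row is marked VERIFY because a biometric prompt that only flips a login flag can be skipped by a debugger or a runtime hook. The check a reviewer wants is that the secret operation itself is bound to a Secure Enclave key whose access control requires the currently enrolled biometrics. The Swift below is an added example written for this report, not code from the Costco app; the key tag `com.example.membership.biometric-key` and the server-side challenge flow are assumptions.

```swift
import Foundation
import Security
import LocalAuthentication

/// A P-256 private key that lives in the Secure Enclave and can only be used after the
/// *currently enrolled* Face ID / Touch ID succeeds. The private key never leaves the
/// enclave, so neither a copied Keychain blob nor a patched "isLoggedIn" flag can stand
/// in for the biometric check.
enum BiometricKey {
    // Hypothetical application tag; the real app's tag is not on this page.
    static let tag = "com.example.membership.biometric-key".data(using: .utf8)!

    static func makeAccessControl() throws -> SecAccessControl {
        var error: Unmanaged<CFError>?
        // .privateKeyUsage is mandatory for Secure Enclave keys;
        // .biometryCurrentSet invalidates the key when a new finger/face is enrolled.
        guard let acl = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            [.privateKeyUsage, .biometryCurrentSet],
            &error) else {
            throw error!.takeRetainedValue() as Error
        }
        return acl
    }

    /// Enrolment: generate the key once and register its public half server-side.
    static func createKey() throws -> SecKey {
        let acl = try makeAccessControl()
        let attributes: [String: Any] = [
            kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
            kSecAttrKeySizeInBits as String: 256,
            kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
            kSecPrivateKeyAttrs as String: [
                kSecAttrIsPermanent as String: true,
                kSecAttrApplicationTag as String: tag,
                kSecAttrAccessControl as String: acl,
            ],
        ]
        var error: Unmanaged<CFError>?
        guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
            throw error!.takeRetainedValue() as Error
        }
        return key
    }

    /// Use: the LAContext carries the biometric prompt; the key reference is only usable
    /// once that prompt has succeeded.
    static func loadKey(context: LAContext) -> SecKey? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassKey,
            kSecAttrApplicationTag as String: tag,
            kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
            kSecReturnRef as String: true,
            kSecUseAuthenticationContext as String: context,
        ]
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess else {
            return nil
        }
        return (item as! SecKey)
    }

    /// Signing a server-issued challenge is the proof of presence: it fails without
    /// biometrics, and the server verifies it with the public key from enrolment.
    static func sign(_ challenge: Data, with key: SecKey) throws -> Data {
        var error: Unmanaged<CFError>?
        guard let sig = SecKeyCreateSignature(key, .ecdsaSignatureMessageX962SHA256,
                                              challenge as CFData, &error) else {
            throw error!.takeRetainedValue() as Error
        }
        return sig as Data
    }

    /// Audit helper for the VERIFY item: read the stored key's attributes (no biometric
    /// prompt needed) and confirm it is actually enclave-backed.
    static func isSecureEnclaveBacked() -> Bool {
        let query: [String: Any] = [
            kSecClass as String: kSecClassKey,
            kSecAttrApplicationTag as String: tag,
            kSecReturnAttributes as String: true,
        ]
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
              let attrs = item as? [String: Any] else { return false }
        return (attrs[kSecAttrTokenID as String] as? String)
            == (kSecAttrTokenIDSecureEnclave as String)
    }
}
```

For the audit, the decisive evidence is `isSecureEnclaveBacked()` returning true on a production build plus a server log showing that a membership re-prompt results in a signature check, not just a client-side boolean. Secure Enclave keys are not available in the Simulator, so the check has to run on a device.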
Threat scenarios
Each scenario describes a realistic attack and the current mitigation state.
Lost/stolen device with screen unlock
Attacker goal: Attacker accesses session tokens
Current mitigation: Tokens encrypted via Keystore (Android) / Keychain (iOS) — PASS. Keychain-stored tokens require unlock only if their accessibility class is WhenUnlocked / WhenUnlockedThisDeviceOnly (AfterFirstUnlock items stay readable once the device has booted); biometric for membership re-prompt — PASS.
Malicious app on the same device
Attacker goal: Reads logs / clipboard for PII
Current mitigation: ReleaseTree / Logger.privacy redaction — PARTIAL. Pasteboard access not audited.
Compromised CDN / man-in-the-middle
Attacker goal: Serves modified offers HTML to WebView
Current mitigation: Cert pinning blocks MITM for URLSession traffic — PASS on iOS, VERIFY on Android. WKWebView does not route through the app's URLSession delegate, so CDN content loaded into the WebView is pinned only if CostcoServerTrustManager is also invoked from webView(_:didReceive:completionHandler:) (VERIFY). WebView lockdown gates exploit reach — PARTIAL.
Lost/stolen jailbroken device
Attacker goal: Bypasses biometric, reads tokens
Current mitigation: No root/jailbreak detection — FAIL on both. ThreatMetrix risk-scores transactions — PARTIAL.
Phishing deep-link via SMS / email
Attacker goal: Tricks user into authenticating to fake page
Current mitigation: Universal Links (apple-app-site-association) on iOS / App Links autoVerify on Android protect link routing — PASS. Custom URL schemes have no such verification and can be claimed by any installed app, so they must not carry auth state (see MSTG-PLATFORM-1 audit). WebView allow-list — VERIFY.
App Store / Play Store rejection
Attacker goal: Privacy Manifest missing or App Store privacy labels misaligned
Current mitigation: Privacy Manifest required since 2024 — VERIFY iOS. Play Console Data Safety — VERIFY Android.
Insider data exfiltration
Attacker goal: Engineer adds debug logging that leaks PII to Crashlytics
Current mitigation: ReleaseTree filters; Logger privacy: .private redaction — PARTIAL. Code review + lint rules — VERIFY.
Background-location consent withdrawal
Attacker goal: Apple/Google removes app for unjustified background location
Current mitigation: Documented user-visible justification + foreground fallback — VERIFY. Periodic permission audit — RECOMMEND.
Recommended next steps
FLAG_SECURE / privacy overlay (now)
Sensitive screens (membership, payment) should not appear in app-switcher snapshots: cover the window before the app resigns active and uncover it when it becomes active again. There is no iOS equivalent of FLAG_SECURE, so the overlay is the control.
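iOS takes the app-switcher snapshot after `sceneWillResignActive`, so an opaque cover installed at that point is what the snapshot captures. The following is an added example for this recommendation, not the app's code; the `sensitiveScreenVisible` hook is an assumed callback into the app's own navigation layer.

```swift
import UIKit

/// Covers the key window with a blur before iOS takes the app-switcher snapshot,
/// and removes it once the app is frontmost again.
final class PrivacyShield {
    private var cover: UIView?

    func install(on window: UIWindow?) {
        guard let window, cover == nil else { return }
        let view = UIVisualEffectView(effect: UIBlurEffect(style: .systemMaterial))
        view.frame = window.bounds
        view.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        window.addSubview(view)
        cover = view
    }

    func remove() {
        cover?.removeFromSuperview()
        cover = nil
    }
}

/// Scene lifecycle: willResignActive fires before the snapshot (app switcher, incoming
/// call, Control Center), didBecomeActive after the app is interactive again.
final class SceneDelegate: UIResponder, UIWindowSceneDelegate {
    var window: UIWindow?
    private let shield = PrivacyShield()

    // Assumed hook (not part of the original page): the app's navigation layer reports
    // whether a membership or payment screen is on top. Defaults to "always cover",
    // which is the safe choice if the hook is never wired up.
    var sensitiveScreenVisible: () -> Bool = { true }

    func sceneWillResignActive(_ scene: UIScene) {
        if sensitiveScreenVisible() {
            shield.install(on: window)
        }
    }

    func sceneDidBecomeActive(_ scene: UIScene) {
        shield.remove()
    }
}
```

Verify on a physical device by opening the membership screen, swiping to the app switcher and inspecting the card; the Simulator does not always reproduce snapshot timing. In a SwiftUI-only app the same two transitions are observed through `@Environment(\.scenePhase)` moving to `.inactive` and back to `.active`.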
Root / jailbreak detection (next)
Add jailbreak heuristics and DTAppleAttestation, plus a debugger check; gate sensitive flows on the resulting device-risk signal. Treat on-device checks as a risk input, not proof: they run on the attacker's device and can be hooked, which is why attestation and server-side ThreatMetrix scoring sit alongside them.
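An added example of the on-device half of this step (written for this report, not taken from the app): the classic artefact and sandbox heuristics for MSTG-RESILIENCE-1 and the kernel P_TRACED query for MSTG-RESILIENCE-2, combined into one risk signal. The path list is constructed from common jailbreak artefacts and the probe file name is an assumption.

```swift
import Foundation
import Darwin

/// On-device risk signals. Inputs to a server-side decision, not a verdict: on a
/// jailbroken device every one of these calls can be hooked.
struct DeviceRisk {
    var signals: [String] = []
    var isHighRisk: Bool { !signals.isEmpty }
}

enum DeviceRiskCheck {
    // Constructed list of well-known jailbreak artefacts; extend from the MSTG iOS guide.
    private static let suspiciousPaths = [
        "/Applications/Cydia.app",
        "/Library/MobileSubstrate/MobileSubstrate.dylib",
        "/bin/bash",
        "/usr/sbin/sshd",
        "/etc/apt",
        "/private/var/lib/apt/",
        "/usr/bin/ssh",
    ]

    /// MSTG-RESILIENCE-2: ask the kernel for our own kinfo_proc and test P_TRACED.
    /// Unlike ptrace(PT_DENY_ATTACH) this does not crash the process, so it can be
    /// sampled periodically and reported.
    static func isDebuggerAttached() -> Bool {
        var info = kinfo_proc()
        var size = MemoryLayout<kinfo_proc>.stride
        var mib: [Int32] = [CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid()]
        let rc = sysctl(&mib, UInt32(mib.count), &info, &size, nil, 0)
        guard rc == 0 else { return false }   // treat sysctl failure as "unknown"
        return (info.kp_proc.p_flag & P_TRACED) != 0
    }

    /// MSTG-RESILIENCE-1: filesystem artefacts and a sandbox-escape probe.
    static func jailbreakSignals() -> [String] {
        var found: [String] = []
        let fm = FileManager.default
        for path in suspiciousPaths where fm.fileExists(atPath: path) {
            found.append("path:\(path)")
        }
        // A sandboxed app cannot write outside its container; success means the
        // sandbox is gone. Probe name is an assumption; clean up if it succeeds.
        let probe = "/private/jb-probe-\(UUID().uuidString)"
        if (try? "x".write(toFile: probe, atomically: true, encoding: .utf8)) != nil {
            try? fm.removeItem(atPath: probe)
            found.append("sandbox:write-outside-container")
        }
        return found
    }

    static func assess() -> DeviceRisk {
        var risk = DeviceRisk()
        risk.signals = jailbreakSignals()
        if isDebuggerAttached() {
            risk.signals.append("debugger:P_TRACED")
        }
        return risk
    }
}
```

Send `DeviceRisk.signals` along with the attestation result so the backend, not the client, decides whether to step up or deny a sensitive flow; a client-side `if isHighRisk { exit() }` is a single branch for an attacker to patch.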
WebView lockdown (next)
Audit WKWebView evaluateJavaScript call sites and any WKScriptMessageHandler bridges; keep JavaScript off by default and restrict navigation to an allow-list of HTTPS hosts in the navigation delegate.
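An added example of the lockdown shape this step describes (not the app's WebView code): JavaScript is disabled at configuration level and re-enabled per navigation only for trusted hosts, every non-allow-listed or non-HTTPS navigation is cancelled, and no script message handler is registered. The host names are placeholders.

```swift
import WebKit

/// A WKWebView wrapper that only navigates to allow-listed HTTPS hosts, keeps content
/// JavaScript off unless the host is trusted, and registers no native bridge.
final class LockedDownWebView: NSObject, WKNavigationDelegate {
    // Hypothetical allow-lists; the real hosts are not on this page.
    private let allowedHosts: Set<String> = ["www.costco.com", "offers.example.com"]
    private let jsHosts: Set<String> = ["offers.example.com"]
    let webView: WKWebView

    override init() {
        let config = WKWebViewConfiguration()
        // Default to no JavaScript; decidePolicyFor grants it per navigation.
        config.defaultWebpagePreferences.allowsContentJavaScript = false
        webView = WKWebView(frame: .zero, configuration: config)
        super.init()
        webView.navigationDelegate = self
    }

    /// Only HTTPS to an allow-listed host passes; everything else (http, custom
    /// schemes, redirects to other hosts) is cancelled.
    func isAllowed(_ url: URL) -> Bool {
        guard url.scheme?.lowercased() == "https", let host = url.host?.lowercased() else {
            return false
        }
        return allowedHosts.contains(host)
    }

    func load(_ url: URL) {
        guard isAllowed(url) else { return }
        webView.load(URLRequest(url: url))
    }

    // Called for every navigation, including redirects and links inside the page.
    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 preferences: WKWebpagePreferences,
                 decisionHandler: @escaping (WKNavigationActionPolicy, WKWebpagePreferences) -> Void) {
        guard let url = navigationAction.request.url, isAllowed(url) else {
            decisionHandler(.cancel, preferences)
            return
        }
        preferences.allowsContentJavaScript = jsHosts.contains(url.host?.lowercased() ?? "")
        decisionHandler(.allow, preferences)
    }
}
```

The allow-list has to be enforced in `decidePolicyFor`, not only at the initial `load`, because an offers page can redirect or link elsewhere. If the CDN scenario above is in scope, the same delegate should also implement `webView(_:didReceive:completionHandler:)` and hand the `SecTrust` to CostcoServerTrustManager, since WKWebView traffic otherwise bypasses the URLSession pinning.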
Privacy Manifest / Data Safety (now)
Generate PrivacyInfo.xcprivacy for the app and for every bundled SDK or extension target that Apple requires one for; align the declared data types with the App Store privacy labels so the two cannot drift.