Threat Model · OWASP MASVS (Android)
Generated 2026-05-07 · Costco Android
Executive summary
The OWASP Mobile Application Security Verification Standard (MASVS) groups its controls into categories; the table below uses the MSTG- identifiers from MASVS 1.x / the MASTG test catalogue, plus the PRIVACY category that MASVS 2.1 added as MASVS-PRIVACY (it has no MSTG- numbering of its own). Each row gives the current state of one control with platform-specific evidence. Status values: PASS, PARTIAL, FAIL, VERIFY (not yet checked; evidence says what to check) and REVIEW (a finding exists and needs triage). Threat scenarios at the bottom show realistic attack paths and what currently mitigates them.
OWASP MASVS coverage — android
| Category | ID | Control | Status | Evidence |
|---|---|---|---|---|
| STORAGE | MSTG-STORAGE-1 | Sensitive data (tokens, PII, keys) is stored in system credential storage: Android Keystore for keys, Keystore-wrapped storage such as EncryptedSharedPreferences for data (note that the androidx security-crypto library is deprecated, so plan a migration off it) | PASS | EncryptDecryptUtils + Keystore for tokens |
| STORAGE | MSTG-STORAGE-2 | No sensitive data is stored outside the app container (external storage, clipboard, shared world-readable files) | VERIFY | Audit DataStore / SharedPreferences for email persistence; confirm nothing sensitive is written to external storage or placed on the clipboard |
| STORAGE | MSTG-STORAGE-3 | No sensitive data is written to application logs | REVIEW | Logcat: 231+ Log.* calls. A Timber ReleaseTree only filters calls routed through Timber; direct android.util.Log calls need an R8 -assumenosideeffects rule for android.util.Log, verified by reading logcat from a release build |
| STORAGE | MSTG-STORAGE-9 | App removes sensitive data from views when moved to the background (listed as STORAGE-7 in an earlier draft; STORAGE-9 is the backgrounding control) | FAIL | No FLAG_SECURE on payment/DMC screens, so the recents snapshot shows card and payment content |
| CRYPTO | MSTG-CRYPTO-1 | App does not rely on symmetric crypto with hardcoded keys as its sole method of encryption | VERIFY | Grep code/Constants for hardcoded keys, IVs and opaque Base64 blobs; anything found is recoverable from the APK and protects nothing |
| CRYPTO | MSTG-CRYPTO-3 | App uses cryptographic primitives appropriate to the use case | PASS | AES-256-GCM with Keystore-resident keys; confirm a fresh random 12-byte IV per encryption, since GCM nonce reuse breaks both confidentiality and integrity |
| CRYPTO | MSTG-CRYPTO-6 | All random values used for security purposes come from a sufficiently secure generator | VERIFY | Audit Math.random() / java.util.Random in security paths; only java.security.SecureRandom (or Keystore-generated keys) is acceptable for IVs, nonces and tokens |
| AUTH | MSTG-AUTH-1 | If users authenticate, the auth happens at the remote endpoint, not client-side | PASS | OIDC + FIDO passkey via NokNok |
| AUTH | MSTG-AUTH-10 | Step-up authentication is required for actions that deal with sensitive data (listed as AUTH-7 in an earlier draft; AUTH-7 covers session inactivity timeouts) | PASS | Biometric prompt before the membership card view |
| AUTH | MSTG-AUTH-8 | Biometric authentication is not event-bound (not merely a "success" callback); it unlocks a Keystore-bound key | VERIFY | Confirm BiometricPrompt is passed a CryptoObject whose key was created with setUserAuthenticationRequired(true), and that the decrypt uses the Cipher returned in the AuthenticationResult rather than a boolean flag |
| NETWORK | MSTG-NETWORK-1 | Data is encrypted on the network using TLS | PASS | cleartextTrafficPermitted=false in network security config; base URLs are https |
| NETWORK | MSTG-NETWORK-2 | TLS settings are in line with current best practice | VERIFY | The network security config has no TLS-version setting, so TLS 1.2+ must be enforced on the client: confirm the OkHttp ConnectionSpec (RESTRICTED_TLS or explicit tlsVersions) and that no CLEARTEXT spec is configured |
| NETWORK | MSTG-NETWORK-3 | App verifies the X.509 certificate of the remote endpoint; only certificates signed by a trusted CA are accepted | VERIFY | Grep for custom X509TrustManager, HostnameVerifier and sslSocketFactory overrides; a trust-all implementation fails this control even if pins are also configured |
| NETWORK | MSTG-NETWORK-4 | App uses its own certificate store or pins the endpoint certificate / public key | VERIFY | Distinct from -3: confirm an OkHttp CertificatePinner or a <pin-set> in the network security config, with a backup pin and a pin expiry so a certificate rotation cannot lock clients out |
| PLATFORM | MSTG-PLATFORM-4 | Sensitive functionality is not exposed through IPC facilities unless appropriately protected (listed as PLATFORM-1 in an earlier draft; PLATFORM-1 is the minimum-permissions control) | REVIEW | 11+ exported intent filters; build a deep-link inventory and mark which targets require a signed-in state |
| PLATFORM | MSTG-PLATFORM-2 | All inputs from external sources and the user are validated | PARTIAL | Intent extras chained without null/type checks (61+ findings); a crafted Intent from any app on the device can crash or misroute the handler |
| PLATFORM | MSTG-PLATFORM-5 | JavaScript is disabled in WebViews unless explicitly required | FAIL | setJavaScriptEnabled(true) + addJavascriptInterface in the offers WebView, with no host allowlist limiting where that JS can come from |
| PLATFORM | MSTG-PLATFORM-7 | If native methods of the app are exposed to a WebView, the WebView only renders JavaScript contained within the app package | REVIEW | Audit the JS interface: only @JavascriptInterface-annotated methods, a minimal surface, and navigation restricted to first-party hosts |
| CODE | MSTG-CODE-2 | Released app is built in release mode with settings appropriate for a release build (non-debuggable) | PASS | minifyEnabled=true + shrinkResources=true; also confirm android:debuggable is false in the merged release manifest, since minification alone does not prove it |
| CODE | MSTG-CODE-3 | Debugging symbols are removed from native binaries, and detailed error messages are not exposed | PASS | R8 strips Java/Kotlin symbols only; native .so files are stripped by the Android Gradle plugin for release builds (verify with readelf/nm). Verbose error text is gated by the Timber ReleaseTree |
| CODE | MSTG-CODE-6 | App catches and handles possible exceptions (listed as CODE-4 in an earlier draft; CODE-4 covers removal of debug/developer code) | PARTIAL | 6 empty catch blocks; CostcoApplication swallows exceptions, which also hides failures inside security controls |
| RESILIENCE | MSTG-RESILIENCE-1 | App detects and responds to a rooted/jailbroken device | FAIL | No root detection (no RootBeer, no Play Integrity verdict) |
| RESILIENCE | MSTG-RESILIENCE-2 | App detects and responds to debugger attachment | FAIL | No Debug.isDebuggerConnected() check and no TracerPid check for native debuggers |
| RESILIENCE | MSTG-RESILIENCE-3 | App detects and responds to tampering with its executable files and critical data | PARTIAL | ThreatMetrix provides device intelligence only; no signer-certificate or APK integrity self-check |
| RESILIENCE | MSTG-RESILIENCE-9 | Obfuscation is applied to programmatic defenses (listed as RESILIENCE-7 in an earlier draft) | PASS | R8 + ProGuard rules; note R8 renames identifiers but does not transform control flow, and broad -keep rules exempt whole packages. Meaningful only once the detection code for -1/-2/-3 exists |
| PRIVACY | MSTG-PRIVACY-1 | App declares the data it collects in the app store privacy disclosures | VERIFY | Play Console Data Safety section must match actual data flows, including third-party SDKs (ThreatMetrix, Crashlytics) |
| PRIVACY | MSTG-PRIVACY-2 | App ships backup / data-extraction rules (the Android counterpart of the iOS Privacy Manifest item) | VERIFY | data_extraction_rules.xml absent; allowBackup=false removes the app from cloud backup, but add the rules file for API 31+ and confirm device-to-device transfer behaviour |
Threat scenarios
Each scenario describes a realistic attack and the current mitigation state.
Lost/stolen device with screen unlock
Attacker goal: Attacker accesses session tokens
Current mitigation: Tokens encrypted under an Android Keystore key (Keychain on iOS): PASS. Keychain-stored tokens require unlock; biometric re-prompt for the membership card: PASS. Caveat: a Keystore key created without setUserAuthenticationRequired(true) is usable by the app process on any unlocked device, so the biometric gate is only as strong as the key parameters (ties to MSTG-AUTH-8).
Malicious app on the same device
Attacker goal: Reads logs / clipboard for PII
Current mitigation: ReleaseTree / Logger.privacy redaction: PARTIAL, and it covers only calls routed through Timber. Clipboard: since Android 10 only the foreground app and the default IME can read the clipboard, and Android 13 lets the app mark copied text as sensitive (ClipDescription.EXTRA_IS_SENSITIVE); neither the copy points nor the target API behaviour has been audited.
Compromised CDN / man-in-the-middle
Attacker goal: Serves modified offers HTML to WebView
Current mitigation: Certificate pinning blocks an interposed CA on the API path: PASS on iOS, VERIFY on Android (MSTG-NETWORK-3/4). Pinning does nothing against a compromised origin or CDN serving modified HTML, so WebView lockdown (minimal JS bridge, first-party host allowlist) is what bounds exploit reach: PARTIAL.
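The client-side half of the VERIFY items for this scenario, as an added example that is not the app's own OkHttp setup: TLS 1.2/1.3 only with no cleartext spec, two SPKI pins per host, and the two overrides whose presence would fail MSTG-NETWORK-3 listed where a reviewer would look for them. The host and both pin values are placeholders.

```kotlin
// Added example, not Costco's code. "api.example.com" and the pins are placeholders.
// A real pin is the base64 SHA-256 of the SubjectPublicKeyInfo:
//   openssl x509 -in leaf.pem -pubkey -noout | openssl pkey -pubin -outform der \
//     | openssl dgst -sha256 -binary | base64
import okhttp3.CertificatePinner
import okhttp3.ConnectionSpec
import okhttp3.OkHttpClient
import okhttp3.TlsVersion
import java.util.concurrent.TimeUnit

object HardenedHttp {
    private const val API_HOST = "api.example.com"   // placeholder host

    // Pin the current key plus a backup so a planned certificate rotation does not
    // lock every installed client out. OkHttp rejects pins that are not 32-byte
    // SHA-256 values; these placeholders only show the shape.
    private val pinner = CertificatePinner.Builder()
        .add(API_HOST, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")   // placeholder: current key
        .add(API_HOST, "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBA=")   // placeholder: backup key
        .build()

    // TLS 1.2/1.3 with OkHttp's RESTRICTED_TLS cipher-suite list. The network
    // security config has no setting for this; it is a client-side decision.
    private val tls = ConnectionSpec.Builder(ConnectionSpec.RESTRICTED_TLS)
        .tlsVersions(TlsVersion.TLS_1_3, TlsVersion.TLS_1_2)
        .build()

    val client: OkHttpClient = OkHttpClient.Builder()
        // No ConnectionSpec.CLEARTEXT in the list, so an http:// URL cannot even be attempted.
        .connectionSpecs(listOf(tls))
        .certificatePinner(pinner)
        .callTimeout(30, TimeUnit.SECONDS)
        // MSTG-NETWORK-3 is failed by either of the following; grep the code base for them:
        //   .sslSocketFactory(factory, trustAllManager)   // X509TrustManager with an empty checkServerTrusted
        //   .hostnameVerifier { _, _ -> true }
        .build()
}
```

Pins configured in OkHttp are evaluated after the platform's normal chain validation, so they are an addition to NETWORK-3, not a substitute for it. An alternative that needs no code is a `<pin-set expiration="…">` under the domain in the network security config; either way the pins must be in release notes for the operations team so a certificate rotation is scheduled around the app update cycle.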
Lost/stolen rooted or jailbroken device
Attacker goal: Bypasses biometric, reads tokens
Current mitigation: No root/jailbreak detection: FAIL on both. On a rooted device the app's private files are readable, so a token stored under a key without user-authentication required is exposed; a hardware-backed key with per-use biometric auth still requires a real biometric because the authorisation is enforced in the TEE, not by app code. ThreatMetrix risk-scores transactions: PARTIAL.
Phishing deep-link via SMS / email
Attacker goal: Tricks user into authenticating to fake page
Current mitigation: Android App Links with autoVerify (Universal Links on iOS) keep https deep links routed to the app rather than to an attacker-chosen handler: PASS. That does not make the link's query data trustworthy, and the app must not open an arbitrary URL from a deep link inside its WebView; the WebView host allowlist: VERIFY.
App Store / Play Store rejection
Attacker goal: None (compliance risk): Privacy Manifest missing or store privacy disclosures misaligned with actual data collection
Current mitigation: Privacy Manifest required since 2024: VERIFY iOS. Play Console Data Safety form: VERIFY Android.
Insider data exfiltration
Attacker goal: Engineer adds debug logging that leaks PII to Crashlytics
Current mitigation: ReleaseTree filters; Logger privacy: .private redaction: PARTIAL (neither covers a direct android.util.Log call). Code review plus a lint rule that forbids android.util.Log and flags PII-bearing fields in log statements: VERIFY.
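A release Timber tree that makes the "PARTIAL" above concrete, as an added example and not the app's existing ReleaseTree: drops everything below WARN, redacts bearer tokens, JWTs, e-mail addresses and a hypothetical 12-digit membership number before the line reaches Crashlytics, and says in its own comment what it cannot cover. Timber and Firebase Crashlytics are assumed because the report names both.

```kotlin
// Added example, not Costco's code. Timber and Firebase Crashlytics assumed present;
// the 12-digit membership-number pattern is hypothetical.
import android.util.Log
import com.google.firebase.crashlytics.FirebaseCrashlytics
import timber.log.Timber

class RedactingReleaseTree(
    private val crashlytics: FirebaseCrashlytics = FirebaseCrashlytics.getInstance(),
) : Timber.Tree() {

    // Verbose/debug/info never leave the device in a release build.
    override fun isLoggable(tag: String?, priority: Int): Boolean = priority >= Log.WARN

    override fun log(priority: Int, tag: String?, message: String, t: Throwable?) {
        crashlytics.log("${tag ?: "app"}: ${redact(message)}")
        // Throwable messages are not rewritten here, so exceptions must not carry PII
        // in their message; that is a lint/code-review rule, not something this tree fixes.
        if (t != null) crashlytics.recordException(t)
    }

    companion object {
        private val JWT = Regex("""eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+""")
        private val BEARER = Regex("""(?i)\b(bearer\s+)[A-Za-z0-9._~+/=-]+""")
        private val EMAIL = Regex("""[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}""")
        private val MEMBER_NO = Regex("""\b\d{12}\b""")   // hypothetical membership-number shape

        // Order matters: strip whole tokens first so the generic patterns do not
        // leave fragments of them behind.
        fun redact(s: String): String = s
            .replace(JWT, "[jwt]")
            .replace(BEARER, "\$1[token]")
            .replace(EMAIL, "[email]")
            .replace(MEMBER_NO, "[member-no]")
    }
}

// Wiring in Application.onCreate(): debug builds keep full logcat, release builds
// get the redacting tree. Direct android.util.Log calls bypass Timber entirely and
// need the R8 -assumenosideeffects rule noted under MSTG-STORAGE-3.
//   Timber.plant(if (BuildConfig.DEBUG) Timber.DebugTree() else RedactingReleaseTree())
```

Regex redaction is a backstop, not a data-classification scheme: it catches the formats above and nothing else, which is why the lint rule in the mitigation line still matters.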
Background-location consent withdrawal
Attacker goal: Apple/Google removes app for unjustified background location
Current mitigation: Documented user-visible justification + foreground fallback — VERIFY. Periodic permission audit — RECOMMEND.
Recommended next steps
FLAG_SECURE / privacy overlay (now)
Sensitive screens (membership, payment) must not appear in app-switcher snapshots, screenshots or screen recordings. Set FLAG_SECURE on the Activity window before the first draw and on every Dialog or bottom-sheet window those screens open, since each has its own window.
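A base Activity for those screens plus a debug-build audit that fails when a sensitive screen is resumed without the flag, as an added example that is not the app's own code. Class names are hypothetical; the audit is registered from Application.onCreate() only when BuildConfig.DEBUG is true.

```kotlin
// Added example, not Costco's code. Class names are hypothetical.
import android.app.Activity
import android.app.Application
import android.app.Dialog
import android.os.Build
import android.os.Bundle
import android.view.WindowManager
import androidx.appcompat.app.AppCompatActivity

private const val SECURE = WindowManager.LayoutParams.FLAG_SECURE

open class SecureScreenActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        // Set before the first draw. FLAG_SECURE blanks the recents snapshot, blocks
        // screenshots and screen recording, and keeps the window off non-secure displays
        // (casting). It is a window flag, so Compose content hosted here is covered too.
        window.setFlags(SECURE, SECURE)
        super.onCreate(savedInstanceState)
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            // API 33+: additionally tell the system not to capture a recents screenshot at all.
            setRecentsScreenshotEnabled(false)
        }
    }
}

// Dialogs and bottom sheets get their own window; the Activity's flag does not reach them.
fun Dialog.secured(): Dialog = apply { window?.setFlags(SECURE, SECURE) }

/** Debug-build audit: register when BuildConfig.DEBUG; fails fast on a missing flag. */
class SecureScreenAudit(private val sensitive: Set<Class<out Activity>>) :
    Application.ActivityLifecycleCallbacks {

    fun isSecure(activity: Activity): Boolean =
        activity.window.attributes.flags and SECURE != 0

    override fun onActivityResumed(activity: Activity) {
        check(isSecure(activity) || activity.javaClass !in sensitive) {
            "${activity.javaClass.simpleName} is a sensitive screen but lacks FLAG_SECURE"
        }
    }
    override fun onActivityCreated(activity: Activity, savedInstanceState: Bundle?) {}
    override fun onActivityStarted(activity: Activity) {}
    override fun onActivityPaused(activity: Activity) {}
    override fun onActivityStopped(activity: Activity) {}
    override fun onActivitySaveInstanceState(activity: Activity, outState: Bundle) {}
    override fun onActivityDestroyed(activity: Activity) {}
}

// Application.onCreate():
//   if (BuildConfig.DEBUG) registerActivityLifecycleCallbacks(
//       SecureScreenAudit(setOf(PaymentActivity::class.java, MembershipCardActivity::class.java)))
```

FLAG_SECURE is enforced by the window manager, so it also defeats the accessibility-service and MediaProjection screen-capture paths that a "privacy overlay" drawn by the app would not.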
Root / jailbreak detection (next)
RootBeer (or equivalent local checks) for fast on-device signals plus Play Integrity for a server-verified verdict; gate the sensitive flows (payment, membership card) when the device is high-risk rather than refusing to run at all, and treat local checks as bypassable.
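The local half of that recommendation, covering RESILIENCE-1/2/3 together, as an added example that is not the app's code and does not replace Play Integrity or ThreatMetrix: a JDWP and ptrace debugger check, a su-binary and test-keys check, and a signing-certificate comparison that catches a repackaged APK. The expected signer hash is a hypothetical build constant.

```kotlin
// Added example, not Costco's code. Every signal here can be hooked out by Frida on a
// rooted device, so the server-verified Play Integrity verdict stays authoritative;
// these checks exist to gate a sensitive flow immediately. EXPECTED_SIGNER_SHA256 is
// a hypothetical build constant.
import android.content.Context
import android.content.pm.ApplicationInfo
import android.content.pm.PackageManager
import android.os.Build
import android.os.Debug
import java.io.File
import java.security.MessageDigest

data class DeviceRiskSignals(
    val debuggerAttached: Boolean,
    val debuggableBuild: Boolean,
    val suBinaryPresent: Boolean,
    val testKeysBuild: Boolean,
    val signerMismatch: Boolean,
) {
    val highRisk: Boolean
        get() = debuggerAttached || debuggableBuild || suBinaryPresent || testKeysBuild || signerMismatch
}

object DeviceRisk {
    private val SU_PATHS = listOf(
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su", "/data/local/xbin/su",
    )

    fun collect(ctx: Context, expectedSignerSha256Hex: String): DeviceRiskSignals = DeviceRiskSignals(
        debuggerAttached = Debug.isDebuggerConnected() || tracerPidAttached(),
        debuggableBuild = ctx.applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE != 0,
        suBinaryPresent = SU_PATHS.any { File(it).exists() },
        testKeysBuild = Build.TAGS?.contains("test-keys") == true,
        signerMismatch = signerSha256Hex(ctx) != expectedSignerSha256Hex.lowercase(),
    )

    // Debug.isDebuggerConnected() only sees a JDWP (Java) debugger. A native debugger or
    // any ptrace-based tool shows up as a non-zero TracerPid in /proc/self/status.
    fun tracerPidAttached(): Boolean = runCatching {
        File("/proc/self/status").useLines { lines ->
            lines.firstOrNull { it.startsWith("TracerPid:") }
                ?.substringAfter(':')?.trim()?.toIntOrNull() ?: 0
        }
    }.getOrDefault(0) != 0

    // A repackaged APK has to be re-signed, so its signing certificate changes. Compare
    // the SHA-256 of the first signer to the value baked into the release build.
    fun signerSha256Hex(ctx: Context): String? {
        val pm = ctx.packageManager
        val signer = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            pm.getPackageInfo(ctx.packageName, PackageManager.GET_SIGNING_CERTIFICATES)
                .signingInfo?.apkContentsSigners?.firstOrNull()
        } else {
            @Suppress("DEPRECATION")
            pm.getPackageInfo(ctx.packageName, PackageManager.GET_SIGNATURES)
                .signatures?.firstOrNull()
        } ?: return null
        return MessageDigest.getInstance("SHA-256").digest(signer.toByteArray())
            .joinToString("") { "%02x".format(it) }
    }
}

// Caller gates the flow rather than crashing, e.g.:
//   if (DeviceRisk.collect(ctx, BuildConfig.EXPECTED_SIGNER_SHA256).highRisk) showReducedFunctionality()
```

Two practical caveats: with Play App Signing the distributed APK is signed by the Google-held app signing key, so the expected hash must be that certificate's, not the upload key's; and the result should be re-sampled at the start of each sensitive flow, since a debugger can attach after launch.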
WebView lockdown (next)
Keep JavaScript enabled only where the offers page needs it, replace the broad addJavascriptInterface object with a minimal @JavascriptInterface surface that validates every argument, disable file and content access, and restrict navigation to an allowlist of first-party https hosts so untrusted pages can never reach the bridge.
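The offers WebView configured that way, as an added example rather than the app's current WebView code: JavaScript stays on, but file/content access is off, the bridge exposes one validated method, top-level navigation off the allowlist is handed to the system browser, and the entry point refuses non-allowlisted URLs outright. The host, bridge name and offer-id format are placeholders.

```kotlin
// Added example, not Costco's code. "offers.example.com", the "OffersBridge" name and
// the offer-id format are placeholders. Assumes minSdk 24+ for the WebResourceRequest
// overload of shouldOverrideUrlLoading.
import android.annotation.SuppressLint
import android.content.ActivityNotFoundException
import android.content.Intent
import android.net.Uri
import android.webkit.JavascriptInterface
import android.webkit.WebResourceRequest
import android.webkit.WebSettings
import android.webkit.WebView
import android.webkit.WebViewClient

private val ALLOWED_HOSTS = setOf("offers.example.com")   // placeholder allowlist

private fun Uri.isFirstParty(): Boolean = scheme == "https" && host in ALLOWED_HOSTS

// Only @JavascriptInterface methods are callable from the page. Treat every argument as
// hostile: it comes from whatever HTML the WebView rendered, including an XSS on the
// first-party host, which is why the surface is one method and not the whole app.
class OffersBridge(private val onClipOffer: (String) -> Unit) {
    private val offerId = Regex("^[A-Za-z0-9_-]{1,64}$")   // hypothetical id format

    @JavascriptInterface
    fun clipOffer(id: String) {
        if (offerId.matches(id)) onClipOffer(id)
    }
}

@SuppressLint("SetJavaScriptEnabled")
@Suppress("DEPRECATION")
fun WebView.lockDownForOffers(bridge: OffersBridge) {
    settings.apply {
        javaScriptEnabled = true                   // needed by the offers page; everything below narrows it
        allowFileAccess = false                    // no file:// (already the default on API 30+)
        allowContentAccess = false                 // no content:// provider reads
        allowFileAccessFromFileURLs = false
        allowUniversalAccessFromFileURLs = false
        javaScriptCanOpenWindowsAutomatically = false
        setSupportMultipleWindows(false)
        mixedContentMode = WebSettings.MIXED_CONTENT_NEVER_ALLOW
    }
    WebView.setWebContentsDebuggingEnabled(false)   // otherwise the release WebView is inspectable over adb
    addJavascriptInterface(bridge, "OffersBridge")  // placeholder bridge name

    webViewClient = object : WebViewClient() {
        override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean {
            val url = request.url
            if (url.isFirstParty()) return false    // let the WebView load it
            // Anything else leaves the WebView, so the bridge is never reachable from it.
            // Only hand http/https to the browser; custom schemes from a page are dropped.
            if (url.scheme == "http" || url.scheme == "https") {
                try {
                    view.context.startActivity(Intent(Intent.ACTION_VIEW, url))
                } catch (_: ActivityNotFoundException) {
                    // no browser installed: simply do not navigate
                }
            }
            return true
        }
    }
}

/** Entry point: refuse to navigate anywhere the allowlist does not cover. */
fun WebView.loadOffers(url: String) {
    require(Uri.parse(url).isFirstParty()) { "offers WebView will not load $url" }
    loadUrl(url)
}
```

shouldOverrideUrlLoading sees top-level navigations and redirects but not subresource fetches or iframes; if the offers page embeds third-party frames, filter those in shouldInterceptRequest as well. The residual risk after this lockdown is an XSS on the allowlisted host itself, which is why the bridge validates its single argument and returns nothing sensitive.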
Privacy Manifest / Data Safety (now)
Verify the Play Console Data Safety form against the data actually collected, including by third-party SDKs (ThreatMetrix, Crashlytics), and align it with the App Store privacy labels and Privacy Manifest on iOS.