OWASP MASVS

Mobile-app security controls mapped from your iOS or Android repo.

VibeReview reads your iOS or Android codebase, identifies the mobile-specific threat surface, and generates guardrails per MASVS category. From MASVS-STORAGE to MASVS-PRIVACY, coverage aligns with the MASTG test catalogue.

14-day free trial · No card required

You prompting Cursor · Sources/Auth/Session.swift

"Save the JWT so the app stays signed in across launches."

VibeReview matched 3 MASVS controls · invisibly
  • MASVS-STORAGE-1 — store credentials in Keychain, not UserDefaults
  • MASVS-STORAGE-2 — never write JWT to logs or analytics
  • MASVS-CRYPTO-2 — use kSecAttrAccessibleAfterFirstUnlock protection
Sources/Auth/Session.swift
import Foundation
import Security

/// Wraps a non-success OSStatus returned by the Keychain Services API.
struct KeychainError: Error {
    let status: OSStatus
    init(_ status: OSStatus) { self.status = status }
}

func saveSession(_ jwt: String) throws {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: "app.vibereview.jwt",
        // Readable once the device has been unlocked after boot, so a
        // background token refresh still works while the screen is locked.
        kSecAttrAccessible as String:
            kSecAttrAccessibleAfterFirstUnlock,
        kSecValueData as String: Data(jwt.utf8),
    ]
    // Drop any previous token for this service so SecItemAdd does not
    // fail with errSecDuplicateItem on re-login.
    _ = SecItemDelete(query as CFDictionary)
    let status = SecItemAdd(query as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError(status) }
}

✓ JWT lives in the Keychain. No UserDefaults. No log lines. MASVS-STORAGE-1/2 and CRYPTO-2 satisfied.

MODEL

Threat model → MASVS categories.

Local-storage paths surface MASVS-STORAGE. Network calls surface MASVS-NETWORK. Crypto APIs surface MASVS-CRYPTO. iOS Keychain and Android Keystore traced per platform.

ENFORCE

Guardrails → category-specific rules.

Each guardrail names the MASVS control it enforces. WebView hardening, biometric auth, certificate pinning, jailbreak detection, anti-tamper.

EVIDENCE

PR review → mobile-aware diff checks.

Every mobile diff runs the platform's specific guardrails. Android-only and iOS-only rules fire on the right files.

REPORT

Coverage report → MASTG-aligned.

Coverage report aligns with the MASTG test catalogue. Per-category, per-control, per-test mapping.

WHAT'S COVERED

MASVS categories and the VibeReview controls behind them.

Coverage is platform-dependent. Your mapping report names the controls enforced for your iOS or Android repo.

  • MASVS-STORAGE: Keychain and Keystore use, secure preferences, file-protection class, no plaintext credentials in logs or caches.
  • MASVS-CRYPTO: Platform crypto APIs over custom implementations, AES mode rules, random-source enforcement.
  • MASVS-AUTH: OAuth flow validation, biometric prompt patterns, session lifetime, and credential rotation.
  • MASVS-NETWORK: TLS configuration, ATS exceptions, certificate pinning, no cleartext HTTP traffic.
  • MASVS-PLATFORM: WebView hardening, deep-link validation, IPC patterns, intent-filter restrictions, URL-scheme allow-listing.
  • MASVS-CODE: Dependency pinning, R8/ProGuard configuration, debuggable-flag rules, code-signing checks.
  • MASVS-RESILIENCE: Jailbreak and root detection patterns, anti-debug, anti-tamper, integrity checks.
  • MASVS-PRIVACY: Permission justification, app-tracking-transparency hooks, third-party SDK review, privacy manifest compliance.

Get the MASVS mapping report for your mobile app.

Point us at the iOS or Android repo. We generate the per-category coverage and walk you through it.