As of 2026, the current official OWASP MASVS is version 2.1.0, released on 18 January 2024. The Mobile Application Security Verification Standard organizes mobile app security into 8 categories holding 24 security controls, and OWASP describes it as "the industry standard for mobile app security." Here is what the standard covers, what changed in the version 2 refactor, and what it means for a team shipping an app.
What is the OWASP MASVS?
The MASVS is "a community effort to establish a framework of security requirements needed to design, develop and test secure mobile apps on iOS and Android." (OWASP MASVS) In plain terms, it is the requirements checklist: the things a mobile app should do to be considered secure. It is maintained by the OWASP Mobile Application Security (MAS) project, it is free and open under the Creative Commons Attribution-ShareAlike 4.0 license, and OWASP positions it as "the industry standard for mobile app security." (OWASP/masvs)
What is the latest version of the OWASP MASVS in 2026?
The latest official release is MASVS v2.1.0, dated 18 January 2024, and it is still current in 2026. (MASVS releases) The single change in v2.1.0 was the addition of the MASVS-PRIVACY category. (CHANGELOG) If you see references to MASVS "L1 / L2 / R levels," you are looking at the older version 1 model, which the version 2 refactor retired.
What are the 8 MASVS categories?
MASVS "is composed of eight categories, each containing a set of security controls." (Using the MASVS) There are 24 controls in total, distributed as below.
| Category | What it covers (OWASP) | Controls |
|---|---|---|
| MASVS-STORAGE | "Secure storage of sensitive data on a device (data-at-rest)." | 2 |
| MASVS-CRYPTO | "Cryptographic functionality used to protect sensitive data." | 2 |
| MASVS-AUTH | "Authentication and authorization mechanisms used by the mobile app." | 3 |
| MASVS-NETWORK | "Secure network communication between the mobile app and remote endpoints (data-in-transit)." | 2 |
| MASVS-PLATFORM | "Secure interaction with the underlying mobile platform and other installed apps." | 3 |
| MASVS-CODE | "Security best practices for data processing and keeping the app up-to-date." | 4 |
| MASVS-RESILIENCE | "Resilience to reverse engineering and tampering attempts." | 4 |
| MASVS-PRIVACY | "Privacy controls to protect user privacy." | 4 |
Control counts come from the official controls directory in the MASVS repository. (controls)
What changed in MASVS version 2?
Version 2.0.0, released in April 2023, was a major refactor. Per the official changelog (CHANGELOG), it:
- removed the verification levels (L1, L2, R) "in favor of the security testing profiles,"
- "removed the MASVS-ARCH category,"
- "removed the MASVS requirements and replaced them with security controls," and
- moved from the old MSTG to the MASTG for test cases, splitting the project into the MASVS (the standard) and the MASTG (the testing guide).
Version 2.1.0 then added the MASVS-PRIVACY category in January 2024, bringing the standard to its current 8 categories.
What happened to the L1, L2, and R verification levels?
They were replaced, not renamed. Starting with version 2.0.0, "the verification levels have been replaced by the security testing profiles, which are now part of the MASTG." (MASVS) The MASTG defines three profiles, described as equivalent to the old levels:
- MAS-L1, "for apps that handle sensitive data and require a basic level of security,"
- MAS-L2, "for apps that handle highly sensitive data and require a higher level of security," and
- MAS-R, "for apps that require resilience against reverse engineering and tampering, independently of the security level."
The risk-tiering idea survived the refactor, but it now lives in the MASTG as profiles rather than in the MASVS as levels.
How do MASVS, MASTG, and MASWE fit together?
They are three documents in the OWASP MAS project with distinct jobs. MASVS is the standard: the security requirements to verify. The MASTG (Mobile Application Security Testing Guide) is "a comprehensive manual" of techniques with "an exhaustive set of test cases (the MASTG tests) that are mapped to the MASVS." (MASTG) The MASWE is the enumeration of common mobile weaknesses, mapped to both. The short version: MASVS is the what, MASTG is the how, MASWE is the what-can-go-wrong.
What does MASVS mean for a team shipping a mobile app?
In practice, you do not test against the MASVS prose directly. You pick the MASTG security testing profile that matches the app's risk (MAS-L1, MAS-L2, or MAS-R), take the in-scope MASVS controls for that profile, and run the corresponding MASTG test cases during a mobile security assessment, mapping any findings to MASWE weaknesses. Two practical points are worth stating plainly: the standard is free, so the cost is testing and engineering time rather than a license, and there is no official "MASVS certified" stamp. OWASP is explicit that "we cannot formally certify any mobile applications, nor can we accredit third parties to do so," (MASVS) so any vendor claiming MASVS certification is making an unsanctioned claim.
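Assessment reports often still carry version 1 references, so it helps to lint them against the v2.1.0 structure before mapping results. The Python below is an added example, not part of the original article or of OWASP's tooling: it checks each report entry's control and profile against the categories, control counts and profiles described above, then computes per-category coverage. The entry field names (`control`, `profile`) and the sample entries are hypothetical, and the `MASVS-<CATEGORY>-<n>` ID form with controls numbered from 1 is an assumption.

```python
import re

# Categories and control counts for MASVS v2.1.0, taken from the table above.
MASVS_V2_1_0 = {"STORAGE": 2, "CRYPTO": 2, "AUTH": 3, "NETWORK": 2,
                "PLATFORM": 3, "CODE": 4, "RESILIENCE": 4, "PRIVACY": 4}
PROFILES = {"MAS-L1", "MAS-L2", "MAS-R"}   # MASTG security testing profiles
RETIRED_LEVELS = {"L1", "L2", "R"}         # MASVS v1 verification levels
# Assumed ID form: MASVS-<CATEGORY>-<n>, with n counted from 1 in each category.
CONTROL_ID = re.compile(r"^MASVS-([A-Z]+)-(\d+)$")

def lint_entry(entry):
    """Return a list of problems with one report entry's references."""
    problems = []
    m = CONTROL_ID.match(entry.get("control", ""))
    if not m:
        problems.append("control is not of the form MASVS-<CATEGORY>-<n>")
    else:
        category, index = m.group(1), int(m.group(2))
        if category == "ARCH":
            problems.append("MASVS-ARCH was removed in v2.0.0")
        elif category not in MASVS_V2_1_0:
            problems.append(f"unknown category {category}")
        elif not 1 <= index <= MASVS_V2_1_0[category]:
            problems.append(f"{category} has only {MASVS_V2_1_0[category]} controls")
    profile = entry.get("profile", "")
    if profile in RETIRED_LEVELS:
        problems.append(f"{profile} is a v1 level; use MAS-{profile}")
    elif profile not in PROFILES:
        problems.append(f"unknown profile {profile!r}")
    return problems

def coverage(entries):
    """Fraction of each category's controls referenced by valid entries."""
    seen = {c: set() for c in MASVS_V2_1_0}
    for e in entries:
        if not lint_entry(e):
            cat, idx = CONTROL_ID.match(e["control"]).groups()
            seen[cat].add(int(idx))
    return {c: len(seen[c]) / n for c, n in MASVS_V2_1_0.items()}

# Constructed sample report entries (hypothetical, not real assessment data).
SAMPLE = [
    {"control": "MASVS-STORAGE-1", "profile": "MAS-L1"}, {"control": "MASVS-ARCH-1", "profile": "L2"},
    {"control": "MASVS-CRYPTO-3", "profile": "MAS-L1"}, {"control": "MASVS-RESILIENCE-4", "profile": "MAS-R"},
]

if __name__ == "__main__":
    print([lint_entry(e) for e in SAMPLE], coverage(SAMPLE))
```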
The verdict: where MASVS stands in 2026
MASVS v2.1.0 is stable and category-based: 8 categories, 24 controls, no verification levels. Treat it as the requirements layer your testing maps to, reach for the MASTG when you need the actual test cases and the risk profile, and discount any "certified" claim. The standard tells you what secure looks like; proving it is the MASTG's job.
Sources
OWASP MASVS releases (latest v2.1.0), 2026. https://github.com/OWASP/masvs/releases
OWASP MASVS CHANGELOG, 2026. https://github.com/OWASP/masvs/blob/master/CHANGELOG.md
OWASP MASVS, Using the MASVS (categories and controls), 2026. https://mas.owasp.org/MASVS/03-Using_the_MASVS/
OWASP MASVS controls directory, 2026. https://github.com/OWASP/masvs/tree/master/controls
OWASP MASVS site (definition, profiles, certification statement). https://mas.owasp.org/MASVS/
OWASP MASTG (testing guide mapped to MASVS). https://github.com/OWASP/mastg
OWASP Mobile Application Security (MAS) project. https://mas.owasp.org/