Mobile Application Security Assessment (MASA)

A comprehensive and standardized framework developed in collaboration between Leviathan Security Group and the App Defense Alliance (ADA) to assess and harden the security of mobile applications, based on the industry-recognized OWASP Mobile Application Security Verification Standard (MASVS).

Choose your assurance level

Our Mobile Application Security Assessments, in partnership with the App Defense Alliance (ADA), classify the security of your application based on its compliance with MASA requirements. We offer two distinct assurance levels to meet your needs:

Level 1: Verified Self Attest

This entry-level assessment involves an automated scan of your application, followed by a developer-completed questionnaire. You’ll provide self-declarations and evidence to demonstrate compliance with MASA requirements.

Level 2: Lab Evaluation

For a more comprehensive evaluation, our authorized lab conducts a thorough manual review of your application. This detailed assessment ensures full compliance with all MASA requirements through rigorous testing and validation.

Google MASA Mobile Application Security Assessment Process

MASA Assurance Level 1

Assurance Process

For the MASA AL1 assurance level, our authorized lab will test the public version of your app, available on the Play Store, using advanced automation tools. Developers will also complete a self-attestation questionnaire to confirm compliance with a subset of MASA requirements. Once all requirements are met, we send a Validation Report to Google. This process typically takes 2-3 days.

Pricing

$500.00

Start your assessment within 30 days

1 round of retesting

MASA Assurance Level 2 Pricing

No Rush

$3,000

Best for projects with flexible deadlines.

Start your assessment within 30 days

1 round of retesting

Standard

$4,500

Aligns with standard project timelines, ensuring a timely security evaluation.

Start your assessment within 10 days

1 round of retesting

Priority

$6,000

The fastest route for projects with imminent deadlines.

Start your assessment within 2 days

1 round of retesting

MASA Assurance Level 2 Benefits

Independent Security Review Badge

Signals to users that an independent third party has validated that you have designed your apps to meet industry-accepted mobile security and privacy best practices and that you are going the extra mile to identify and mitigate vulnerabilities.

App Validation Directory

Users also have the ability to “Learn More” about your app, which redirects them to the App Validation Directory, a centralized place to view all apps that have completed an independent security review.

Users can also discover additional technical assessment details in the App Validation Directory, helping them to make more informed decisions about what apps to download, use, and trust with their data.

Frequently Asked Questions (FAQs)

How do I know I need a mobile application security assessment?

MASA is a recommended program offered by Google and the App Defense Alliance to provide your app greater visibility within the Google Play Store.

What do I need to provide to have my app tested?

The only thing we need to proceed with our testing process is the link to your app’s listing on the Google Play Store.

We download the publicly available APK and conduct our testing from there.

How long does the entire testing process usually take?

In most cases, the entire process will take around two to three weeks to complete. This is highly dependent on how much time developers may require for implementing corrections to any high or critical vulnerabilities discovered during the testing process.

How often does an application need to be verified?

To maintain your security badge and your spot in the App Validation Directory, you will need to complete the assessment annually. The 12-month period is calculated from the effective date of the app’s previous Validation Letter.

What happens if you discover a vulnerability in an application?

All vulnerabilities discovered that are rated as “High” or “Critical” must be corrected before the final Validation Letter can be provided. Leviathan will work with you to provide recommendations on how to correct the issues discovered and will validate that the corrections were implemented properly.

Who submits the assessment results?

Once testing is completed for your app and all outstanding issues with high or critical severity have been corrected, Leviathan will submit your Validation Letter to Google.