Me - Skyvpn.app 1667935511015000
Me - Skyvpn.app 1667935511015000
Me - Skyvpn.app 1667935511015000
Google
11/8/2022 - 2.4.0
The following assessment was performed using the OWASP Mobile Application Security
Verification Standard (MASVS) version 1.4, with the test guidance from OWASP Mobile Security
Testing Guide (MSTG) version 1.3. Full specifications can be found on GitHub here.
Architecture, Design and Threat Pass Security controls were enforced on the remote endpoint.
Modeling Requirements Software updates are provided by the developer and
(MSTG-ARCH-2) deployed through the Google Play Store.
Data Storage and Privacy Pass The developer protected sensitive data using industry
Requirements recommended best practices. No sensitive data storage
(MSTG-STORAGE-1, MSTG-STORAGE-2, outside the application container or logs were detected
MSTG-STORAGE-3, MSTG-STORAGE-5, during testing. The developer declarations on the security
MSTG-STORAGE-7, MSTG-STORAGE-12)
and privacy label are accurate and understandable by the
user.
Cryptography Requirements Pass The app uses cryptographic primitives that are appropriate
(MSTG-CRYPTO-1, MSTG-CRYPTO-2, for the particular use-case, configured with parameters that
MSTG-CRYPTO-3, MSTG-CRYPTO-4, adhere to industry best practices. The app does not use
MSTG-CRYPTO-5, MSTG-CRYPTO-6)
cryptographic protocols or algorithms that are widely
considered deprecated for security purposes.
Authentication and Session Pass The app and remote endpoint implemented authentication
Management Requirements methods which followed the guidelines from OWASP
(MSTG-AUTH-1, MSTG-AUTH-2, MSTG- MASVS. Bruteforce mitigations were in place at the remote
AUTH-3, MSTG-AUTH-4, MSTG-AUTH-5, endpoint and session tokens were managed in a secure
MSTG-AUTH-6, MSTG-AUTH-7)
manner.
Network Communication Pass The app only depends on up-to-date connectivity and
Requirements security libraries. Communications with the remote endpoint
(MSTG-NETWORK-1, MSTG-NETWORK-2, are protected using TLS with settings in line with current
MSTG-NETWORK-3) best practices. The app only accepted valid certificates.
Platform Interaction Requirements Pass The app only requested the minimum set of permissions
(MSTG-PLATFORM-1, MSTG-PLATFORM- necessary and did not export sensitive functionality. Inputs
2, MSTG-PLATFORM-3, MSTG- from external sources and the user were validated.
PLATFORM-4)
Code Quality and Build Setting Pass The application was built in release mode with debugging
Requirements symbols removed using the default security compiler
(MSTG-CODE-1, MSTG-CODE-2, MSTG-
CODE-3, MSTG-CODE-4, MSTG-CODE-5, settings.
MSTG-CODE-9)
Limitations
• Application testing was conducted on NowSecure instrumented devices that have been
jailbroken/rooted. This affords the analysts the greatest level of coverage. While the
mobile operating system can offer mitigating controls for application security, in most
situations it is best practice for the application to secure its own data as much as
possible, making the assumption that it is operating on a compromised device.