Security & malware

OWASP MASVS Android Checklist

Work through the OWASP MASVS mobile security checklist for Android, item by item, to verify your app's defenses.

Checklist · OWASP MASVS Android Checklist (reference guide)
  • Architecture, design & threat modelling: security is considered in the app's design and a threat model exists (MASVS-ARCH).
  • Secrets are not in the app: no API keys, passwords, or tokens are hard-coded in code or resources.
  • Sensitive data at rest: private data uses encrypted storage or Keystore-backed keys, not plain SharedPreferences or files (MASVS-STORAGE).
  • No sensitive data in logs: tokens, PII, and credentials never reach Logcat or crash reports.
  • Backups exclude secrets: android:allowBackup is false, or backup rules (fullBackupContent, plus dataExtractionRules on Android 12+) exclude sensitive files from auto-backup.
  • TLS everywhere: all network traffic is HTTPS; cleartext is disabled with usesCleartextTraffic="false" or a network security config (MASVS-NETWORK).
  • Certificate handling: no custom TrustManager or HostnameVerifier that disables validation; pinning is used where appropriate.
  • Exported components minimised: only intended components are exported (android:exported is set explicitly on every component), and exported ones are permission-protected (MASVS-PLATFORM).
  • WebView hardening: JavaScript and file access are enabled only where required; no untrusted content is loaded into a WebView that exposes a JavaScript bridge (addJavascriptInterface).
  • Pending intents & deep links: PendingIntents use FLAG_IMMUTABLE unless mutability is genuinely required; deep-link parameters are validated before use.
  • Crypto done right: strong algorithms and modes (AES-GCM), no ECB, no hard-coded or reused IVs/keys (MASVS-CRYPTO).
  • Authentication & session: sessions expire, tokens are stored safely, and re-authentication is required for sensitive actions (MASVS-AUTH).
  • Anti-tampering / resilience: release builds are obfuscated (R8) and not debuggable; consider root and tamper checks (MASVS-RESILIENCE).
  • Dependencies reviewed: third-party SDKs are trusted, up to date, and free of known-vulnerable versions (MASVS-CODE).
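Several of the items above (backups, cleartext traffic, debuggable builds, exported components) are decided entirely in AndroidManifest.xml, so they can be checked mechanically before the manual walk-through. The script below is an added example and is not APKLint's code or part of the OWASP MASVS; it assumes you have already decoded the APK's manifest to plain XML (for instance with apktool) and audits it against those manifest-level controls. The two embedded manifests are constructed samples: one weak, one hardened.

```python
"""Audit a decoded AndroidManifest.xml against the manifest-level MASVS items.

Added example (not APKLint's or OWASP's code). Input is a decoded, text
AndroidManifest.xml such as apktool produces; binary manifests must be
decoded first.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(el, name, default=None):
    """Read an android:-namespaced attribute (ElementTree keys them as {uri}name)."""
    return el.get("{%s}%s" % (ANDROID_NS, name), default)


def _is_launcher(comp):
    """True for the MAIN/LAUNCHER activity, which is legitimately exported."""
    for flt in comp.findall("intent-filter"):
        actions = {_attr(a, "name") for a in flt.findall("action")}
        cats = {_attr(c, "name") for c in flt.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def _is_protected(tag, comp):
    """An exported component counts as protected if a permission guards it."""
    if _attr(comp, "permission") is not None:
        return True
    if tag == "provider" and (_attr(comp, "readPermission") or _attr(comp, "writePermission")):
        return True
    return False


def audit_manifest(manifest_xml: str) -> list[str]:
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return ["MANIFEST: no <application> element"]
    findings = []

    # Backups: allowBackup defaults to true, and without backup rules
    # (fullBackupContent, or dataExtractionRules on Android 12+) everything in
    # app storage is included in auto-backup.
    if _attr(app, "allowBackup", "true") == "true" and not (
        _attr(app, "fullBackupContent") or _attr(app, "dataExtractionRules")
    ):
        findings.append("BACKUP: allowBackup is on and no backup rules exclude sensitive files")

    # Cleartext: explicitly allowed is a finding; unset is also a finding because
    # the platform default permits cleartext below API 28 unless a network
    # security config says otherwise.
    cleartext = _attr(app, "usesCleartextTraffic")
    if cleartext == "true":
        findings.append("NETWORK: usesCleartextTraffic=true permits plain HTTP")
    elif cleartext is None and _attr(app, "networkSecurityConfig") is None:
        findings.append("NETWORK: cleartext policy unset; permitted by default below API 28")

    # Resilience: a debuggable build accepts a debugger and run-as on any device.
    if _attr(app, "debuggable") == "true":
        findings.append("RESILIENCE: android:debuggable=true")

    # Exported components: a component with an <intent-filter> and no explicit
    # android:exported is implicitly exported before API 31 (and rejected at
    # install time on 31+); anything exported should carry a permission.
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            name = _attr(comp, "name", "?")
            exported = _attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            if exported is None and has_filter:
                findings.append(
                    f"PLATFORM: {tag} {name} has an intent-filter but no explicit "
                    "android:exported (implicitly exported before API 31)"
                )
            is_exported = exported == "true" or (exported is None and has_filter)
            if is_exported and not _is_protected(tag, comp) and not _is_launcher(comp):
                findings.append(f"PLATFORM: {tag} {name} is exported without a permission")
    return findings


# Constructed sample: a weak manifest that trips most of the checks.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:allowBackup="true" android:usesCleartextTraffic="true"
               android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".TokenService" android:exported="true"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.demo.SYNC"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"
              android:exported="true" android:readPermission="com.example.demo.READ"
              android:writePermission="com.example.demo.WRITE"/>
  </application>
</manifest>"""

# Constructed sample: the same app with the checklist items corrected.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:allowBackup="false" android:usesCleartextTraffic="false"
               android:networkSecurityConfig="@xml/network_security_config">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".TokenService" android:exported="false"/>
    <receiver android:name=".SyncReceiver" android:exported="true"
              android:permission="com.example.demo.SYNC_PERMISSION">
      <intent-filter><action android:name="com.example.demo.SYNC"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"
              android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(f"[{label}]")
        for finding in audit_manifest(xml) or ["no findings"]:
            print("  " + finding)
```

The script deliberately ignores the launcher activity (it must be exported) and treats a provider with readPermission/writePermission as protected; everything else that is reachable from other apps without a permission is reported. It says nothing about code-level items such as logging, WebView settings, or cipher choice, which remain manual checklist work.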
Free reference. No upload and no account needed — just open it and work through each point.

About OWASP MASVS Android Checklist

OWASP MASVS Android Checklist is part of APKLint’s security & malware toolkit, a set of tools for finding risky behavior, trackers, and suspicious patterns in Android apps. It’s free to use and needs no account.

When to use OWASP MASVS Android Checklist

Best for
Working through the OWASP MASVS mobile security checklist for Android item by item, entirely in your browser.
Not the right tool for
Not an automated scanner; for an automated MASVS-style pass over an APK, use App Security Testing.
What you get back
A structured MASVS checklist you can step through, with what each control means.
How it differs from related APKLint tools
It is the manual companion to the automated App Security Testing tool.
Limitations
It is a reference checklist; it does not test your app for you.

How to use OWASP MASVS Android Checklist

  1. Open the checklist — Every control you need to review is laid out in plain language.
  2. Work through each item — Check your app against every point on the list, using source, manifest, and build configuration as evidence.
  3. Fix what you find — Update your code, manifest, or build configuration where a control is not met.
  4. Re-verify before release — Run through the list once more against the release build before you publish.

Why use APKLint

Always free

Every tool is free with no login and no paywall. Reasonable file and input limits keep the free service stable.

No on-page ad banners

A clean, focused interface with no third-party ad banners cluttering your results.

Privacy-first

No upload and no account needed.

How it runs

No analysis engine — this is a browser-only checklist.

No sign-up

Start immediately — no account, login, or email required.

Works anywhere

Runs in any modern browser, on desktop or mobile.

Frequently asked questions

What does OWASP MASVS Android Checklist do?

It presents the OWASP MASVS controls as they apply to Android, one item at a time, with a short explanation of each, so you can verify your app's defenses manually.

Is it free to use?

Yes. Every tool on APKLint is completely free, with no sign-up and no account.

Do I need to upload anything?

No. This is a free reference checklist you work through in your browser — there's nothing to upload and no file is analyzed.

Does it cover the latest Google Play requirements?

This is a static reference guide, last reviewed June 2026. Android and Google Play requirements change over time, so verify time-sensitive policy details in the Play Console before publishing.

All product names, logos, and trademarks are property of their respective owners. APKLint is an independent toolset and is not affiliated with, endorsed by, or sponsored by Google, Android, or any other party.