Welcome to appsecuritymapping.com – a home for comparing application security requirements, recommendations and standards.
Click on the paperclip or four line icons to access more information about the source document and provision information.
Our Approach
To identify relevant standards, Copper Horse conducted open source research which was informed by an initial list of standards provided by the UK Government, we also performed a review of open source data to identify other recommendations and standards. A quality assurance process was taken when determining if a standard or recommendation should be included. This process involved evaluation of papers and websites whose primary security focus was mobile applications or IoT ecosystem security, encompassing companion apps.
Once all the relevant documents were identified, the requirements were individually recorded and then mapped into logically similar categories, we separated categories based on design, software updates and different categories of security, privacy and quality considerations. Any outliers were then triaged, which in turn created new groupings or ‘topics’. It should be noted that the mappings are created based on the Copper Horse staff’s own judgement. Others may have different views as to which requirements belong to particular topics. The general goal was to understand where there were commonalities (and to what extent), and where there were areas of difference.
The study highlights that there were no standards identified for app stores and there was no unifying standard that covered app security across all device categories.
We recognise that other standards have been produced by BSI/ISO which can be accessed by the BSI website but these were out of scope as they require a user to purchase a licence, more info on this can be found on the FAQ page.
Some of the documents reviewed for this mapping site were testing guides. A testing guide is a document that is used by an organisation to test conformance to a standard. These are often based on widely recognised standards such as the OWASP MASVS, and re-use the existing requirements. One example of this is the App Defense Alliance, which does not include any additional requirements. For this reason it has not been mapped. If a testing guide includes unique requirements, in addition to the requirements from the core standard, we will endeavour to map both the core standard and the testing guide.
Updates
February 2023 release v2
New documents from the UK Government – Code of practice for app store operators and app developers and the European Telecommunications Standards Institute (ETSI) – TS 103 732 V1.1.1 Consumer Mobile Device Protection Profile along with updates to the National Information Assurance Partnership (NIAP) – Protection Profile for Application Software document from v1.2 to v1.3 and the Android Developers App security best practices documentation has added additional requirements since we last published in September 2021.
We are constantly monitoring the app security mapping landscape and will add any further candidate documents as they become available. Where possible we will remap data when new revisions are released.