K-Grid has developed the Mobile Application Security Testing Platform, based on the Cloud Security Alliance (CSA) framework, to test and vet all mobile applications. It uses both static and dynamic analysis to evaluate security vulnerabilities on all platforms, such as iOS, Android and Windows.

Mobile Application Security Vetting

App security vetting is the process of detecting problems in an application that could threaten the security of user information. Vetting can be done either with testing tools or through manual inspection. It must identify malicious code, as well as security risks hidden in programs as a result of developer negligence. App vetting is performed after an app has been developed and released for distribution, but before it is deployed on either the organization’s distribution platform or its mobile devices.

Mobile Application Security Risks

The key security risks identified under the MAST framework are as follows:

  • Privacy handling
    • Permission misuse
    • Improper information disclosure
  • Native problem
    • API/LIB Native Risk
    • Application collusion activities
    • Development obfuscation concerns
  • Protection requirement
    • Connection encryption strength
    • Data storage
  • Execution environment
  • Power consumption


The MAST initiative outlines a framework for vetting the security of mobile applications and awarding a certificate to those that meet the MAST criteria for a secure application.

The vetting process starts with the “applicant”, i.e. the organization or single owner, signing up with CSA-MAST through MAST-AVSI and selecting an auditor from a list of approved auditors. Once the applicant has selected an auditor, the applicant has 15 days to submit the source code of the mobile application and the other required documents. An applicant who does not have the source code of the mobile application may submit the packaged application instead. Upon successful verification of the documents submitted by the applicant, the auditor shall initiate the vetting process as explained under sections 5.1 and 5.2.

© 2018 Cloudatix All rights reserved.