Principle 2 Expanded: Ensure apps adhere to baseline security and privacy requirements

1. Apple

1.1. Apple Developer Security

1.1.1. Authorization and Authentication Sessions Overview

1.1.2. Secure Data Preventing Insecure Network Connections Ensure the Network Server Meets Minimum Requirements

1.1.3. Secure Data Preventing Insecure Network Connections Configure Exceptions Only When Needed; Prefer Server Fixes

1.1.4. Secure Code Code Signing Services Overview

1.1.5. Secure Code Notarizing macOS software before distribution Overview

1.1.6. Secure Code Notarizing macOS software before distribution Prepare your software for notarization

1.1.7. Secure Code Notarizing macOS software before distribution Add the entitlements needed by plug-ins

1.1.8. Secure Code Preparing your app to work with pointer authentication Overview

1.1.9. Secure Code Preparing your app to work with pointer authentication Build an arm64e binary to adopt pointer authentication

1.1.10. Secure Code Preparing your app to work with pointer authentication Recognize pointer authentication failures

1.1.11. Secure Code Preparing your app to work with pointer authentication Update your code to avoid pointer authentication failures

1.1.12. Secure Code Protecting user data with App Sandbox Overview

1.1.13. Secure Code Hardened Runtime Overview

1.1.14. Secure Code Disabling and Enabling System Integrity Protection Overview

1.1.15. Secure Code Disabling and Enabling System Integrity Protection Disable System Integrity Protection Temporarily

1.1.16. Secure Code Disabling and Enabling System Integrity Protection Enable System Integrity Protection

1.1.17. Cryptography Declare Your App’s Use of Encryption Overview

1.1.18. Cryptography Provide Compliance Documentation Overview

1.1.19. Cryptography Certificate, Key, and Trust Services Overview

1.1.20. Cryptography Cryptographic Message Syntax Services Overview

1.1.21. Cryptography Randomization Services Overview

1.1.22. Cryptography Security Transforms Overview

1.1.23. Cryptography ASN.1 Overview

1.1.24. Result Codes Security Framework Result Codes Discussion

2. App Defence Alliance

2.1. Application Security Assessment

2.1.1. Mobile 1.5.1.1 (Android)

2.1.2. Mobile 1.5.1.2 (Android)

2.1.3. Mobile 1.5.1.4 (Android)

2.1.4. Mobile 1.6.3.2 (Android)

2.1.5. Mobile 1.6.3.3 (Android)

2.1.6. Mobile 1.6.3.4 (Android)

2.1.7. Mobile 1.7.1.1 (Android)

2.1.8. Mobile 1.8.2.1 (Android)

2.1.9. Mobile 1.8.3.1 (Android)

2.1.10. Web 2.1.1

2.1.11. Web 2.2.1

2.1.12. Web 2.2.2

2.1.13. Web 2.2.3

2.1.14. Web 2.3.1

2.1.15. Web 2.3.2

2.1.16. Web 2.3.3

2.1.17. Web 2.3.4

2.1.18. Web 2.4.1

2.1.19. Web 3.1.1

2.1.20. Web 3.1.2

2.1.21. Web 3.1.3

2.1.22. Web 3.1.4

2.1.23. Web 3.1.5

2.1.24. Web 4.1.3

2.1.25. Web 6.3.1

2.1.26. Web 6.4.1

2.1.27. Cloud 1.6.1

2.1.28. Cloud 2.4.1

2.1.29. Cloud 2.5.1

2.1.30. Cloud 2.5.2

2.1.31. Cloud 2.5.3

2.1.32. Cloud 2.5.4

2.1.33. Cloud 2.8.1

2.1.34. Cloud 5.8.1

2.1.35. Cloud 6.11.1

3. NIAP

3.1. NIAP Profile Protection

3.1.1. 5.1.1 Cryptographic Support (FCS) FCS_CKM_EXT.1 Cryptographic Key Generation Services FCS_CKM_EXT.1.1

3.1.2. FCS_CKM.1.1/AK

3.1.3. FCS_CKM.1.1/SK

3.1.4. FCS_CKM.2.1

3.1.5. FCS_RBG_EXT.1 Random Bit Generation Services FCS_RBG_EXT.1.1

3.1.6. FCS_RBG.1.1

3.1.7. FCS_RBG.1.2

3.1.8. FCS_RBG.1.3

3.1.9. FCS_RBG.2.1

3.1.10. FCS_RBG.3.1

3.1.11. FCS_RBG.4.1

3.1.12. FCS_RBG.5.1

3.1.13. FPT_FLS.1.1

3.1.14. FPT_TST.1.1

3.1.15. FCS_PBKDF_EXT.1.1

3.1.16. FCS_PBKDF_EXT.1.2

3.1.17. FDP_DEC_EXT.1 Access to Platform Resources FDP_DEC_EXT.1.1

3.1.18. FDP_DEC_EXT.1.2

3.1.19. FDP_NET_EXT.1 Network Communications FDP_NET_EXT.1.1

3.1.20. FMT_SMF.1 Specification of Management Functions FMT_SMF.1.1

3.1.21. 5.1.4 Privacy (FPR) FPR_ANO_EXT.1 User Consent for Transmission of Personally Identifiable Information FPR_ANO_EXT.1.1

3.1.22. 5.1.5 Protection of the TSF (FPT) FPT_AEX_EXT.1 Anti-Exploitation Capabilities FPT_AEX_EXT.1.1

3.1.23. FPT_AEX_EXT.1.2

3.1.24. FPT_AEX_EXT.1.3

3.1.25. FPT_AEX_EXT.1.4

3.1.26. FPT_AEX_EXT.1.5

3.1.27. FCS_COP.1.1/Hash

3.1.28. FCS_COP.1.1/KeyedHash

3.1.29. FCS_COP.1.1/SigGen

3.1.30. FCS_COP.1.1/SigVer

3.1.31. FCS_COP.1.1/SKC

3.1.32. FCS_SNI_EXT.1.1

3.1.33. FCS_SNI_EXT.1.2

3.1.34. FCS_SNI_EXT.1.3

3.1.35. FPT_API_EXT.2.1

4. ETSI

4.1. EN 303 645

4.1.1. Principle 5.1-1

4.1.2. Principle 5.4-4

4.1.3. Principle 5.5-1

4.1.4. Principle 5.5-2

4.1.5. Principle 5.5-3

4.1.6. Principle 5.5-4

4.1.7. Principle 5.5-5

4.1.8. Principle 5.6-7

4.1.9. Principle 5.6-8

4.1.10. Principle 5.7-1

4.1.11. Principle 5.7-2

4.1.12. Principle 5.8-1

4.1.13. Principle 5.8-2

4.1.14. Principle 5.8-3

4.1.15. Principle 5.10-1

4.1.16. Principle 5.11-1

4.1.17. Principle 5.11-2

4.1.18. Principle 5.11-3

4.1.19. Principle 5.11-4

4.1.20. Principle 5.13-1A

4.1.21. Principle 5.13-1B

4.1.22. Principle 6-1

4.1.23. Principle 6-2

4.1.24. Principle 6-3A

4.1.25. Principle 6-3B

4.1.26. Principle 6-4

4.1.27. Principle 6-5

4.1.28. Principle 6-6

4.1.29. Principle 6-7

4.1.30. Principle 6-8

4.2. EN 319 401

4.2.1. REQ-7.4.1-02

4.2.2. REQ-7.4.1-07

4.2.3. REQ-7.4.2-01

4.2.4. REQ-7.4.5-02 b)

4.2.5. REQ-7.4.5-02 e)

4.2.6. REQ-7.5-01

4.2.7. REQ-7.5-02

4.2.8. REQ-7.5-03

4.2.9. REQ-7.5-04

4.2.10. REQ-7.5-05

4.3. TS 103 606

4.3.1. 11.2.1 Mutual TLS Authentication 11.2.1.2 Client certificate 11.2.1.2.4 Client certificate profile

4.3.2. 11.3 Operator application authentication 11.3.1 Encrypted application package overview

4.3.3. 11.3 Operator application authentication 11.3.2 Operator Signing Certificate

4.3.4. 11.3 Operator application authentication 11.3.3 Terminal Packaging Certificate

4.3.5. 11.3.4 Encrypted application packaging process 11.3.4.2 Operator application signing process

4.3.6. 11.3.4 Encrypted application packaging process 11.3.4.3 Process for encrypting an application package

4.3.7. 11.3.4 Encrypted application packaging process 11.3.4.4 Process for decrypting an application package

4.3.8. 12 Privacy

4.4. TS 103 732

4.4.1. O.LIMITED_PERMISSIONS

4.4.2. FAP_PRM.1

4.4.3. FAP_RSK.2

4.4.4. FAP_RSK.3

4.4.5. FAP_RSK.6

4.4.6. FAP_RSK.7

5. Google

5.1. Android Security Best Practices

5.1.1. Apply signature-based permissions

5.1.2. Provide the right permissions

5.1.3. Use intents to defer permissions

5.1.4. Share data securely across apps

5.1.5. Check availability of storage volume

5.1.6. Check validity of data

5.2. App Security Best Practices

5.2.1. App integrity-1

5.2.2. Input validation-1

5.2.3. Input validation-2

5.2.4. Input validation-3

5.2.5. Input validation-4

5.2.6. Input validation-5

5.2.7. User data-1

5.2.8. User data-3

5.2.9. User data-4

5.2.10. User data-5

5.2.11. User data-6

5.2.12. WebView-4

5.2.13. Minimize credential exposure-3

5.2.14. Minimize credential exposure-5

5.2.15. Use secure authentication-4

5.2.16. Practice secure account management-2

5.2.17. Practice secure account management-3

5.2.18. Stay vigilant-3

5.2.19. General best practices-3

5.2.20. Cryptography-1

5.2.21. Cryptography-4

5.2.22. Cryptography-5

5.2.23. Cryptography-6

5.2.24. Cryptography-7

5.2.25. Cryptography-8

5.2.26. Cryptography-9

5.2.27. Cryptography-10

5.2.28. Interprocess communication-3

5.2.29. Intents-3

5.2.30. Intents-5

5.2.31. Services-1

5.2.32. Services-2

5.2.33. Services-3

5.2.34. Services-4

5.2.35. Services-5

5.2.36. Binder and Messenger interfaces-3

5.2.37. Security with dynamically loaded code-2

5.2.38. Security in native code-1

5.2.39. Security in native code-2

5.3. Core App Quality

5.3.1. PS-T6

5.3.2. SC-P1

5.3.3. SC-P2

5.3.4. SC-P3

5.3.5. SC-P4

5.3.6. SC-P5

5.3.7. SC-AC1

5.3.8. SC-AC3

5.3.9. SC-N1

5.3.10. SC-W1

5.3.11. SC-W1

5.3.12. SC-E1

5.3.13. SC-C1

6. MITRE

6.1. ATT&CK Mobile Application Developer Guidance

6.1.1. Preventing SQL Injection (Secure Coding Practice)

6.1.2. Cross-Site Scripting (XSS) Mitigation

6.1.3. Static Code Analysis in the Build Pipeline

6.1.4. T1574.001 DLL

6.1.5. T1559.003 XPC Services

6.1.6. T1647 Plist File Modification

6.1.7. T1593.003 Code Repositories

6.1.8. T1550.001 Application Access Token

6.1.9. T1626 Abuse Elevation Control Mechanism

6.1.10. T1635.001 URI Hijacking

7. GSMA

7.1. MDSCert

7.1.1. FPR_ANO.2.1

7.1.2. FPR_ANO.2.2

7.1.3. FPT_LNW_EXT.1.1

7.1.4. FPT_LNW_EXT.1.2

7.1.5. ALC_DVS_EXT.1.1D

7.1.6. ALC_DVS_EXT.1.2D

7.1.7. ALC_DVS_EXT.1.3D

7.1.8. ALC_DVS_EXT.1.1C

7.1.9. ALC_DVS_EXT.1.2C

7.1.10. ALC_DVS_EXT.1.3C

8. Open Web Application Security Project (OWASP)

8.1. Application Security Verification Standard 5.0.0 (ASVS)

8.1.1. V1.1 Encoding and Sanitization Architecture

8.1.2. V1.2 Injection Prevention

8.1.3. V1.3 Sanitization

8.1.4. V1.4 Memory, String, and Unmanaged Code

8.1.5. V1.5 Safe Deserialization

8.1.6. V2.1 Validation and Business Logic Documentation

8.1.7. V2.2 Input Validation

8.1.8. V2.3 Business Logic Security

8.1.9. V2.4 Anti‑automation

8.1.10. V3.2 Unintended Content Interpretation

8.1.11. V3.3 Cookie Setup

8.1.12. V4.2 HTTP Message Structure Validation

8.1.13. V4.4 WebSocket

8.1.14. V5.2 File Upload and Content

8.1.15. V5.3 File Storage

8.1.16. V5.4 File Download

8.1.17. V6.5 General Multi‑factor authentication requirements

8.1.18. V6.7 Cryptographic authentication mechanism

8.1.19. V7.1 Session Management Documentation

8.1.20. V7.2 Fundamental Session Management Security

8.1.21. V7.3 Session Timeout

8.1.22. V7.4 Session Termination

8.1.23. V7.5 Defenses Against Session Abuse

8.1.24. V7.6 Federated Re‑authentication

8.1.25. V8.2 General Authorization Design

8.1.26. V8.3 Operation Level Authorization

8.1.27. V8.4 Other Authorization Considerations

8.1.28. V9.1 Token source and integrity

8.1.29. V10.2 OAuth Client

8.1.30. V10.4 OAuth Authorization Server

8.1.31. V10.5 OIDC Client

8.1.32. V10.6 OpenID Provider

8.1.33. V10.7 Consent Management

8.1.34. V11.1 Cryptographic Inventory and Documentation

8.1.35. V11.2 Secure Cryptography Implementation

8.1.36. V11.3 Encryption Algorithms

8.1.37. V11.4 Hashing and Hash‑based Functions

8.1.38. V11.5 Random Values

8.1.39. V11.6 Public Key Cryptography

8.1.40. V11.7 In‑Use Data Cryptography

8.1.41. V12.1 General TLS Security Guidance

8.1.42. V12.2 HTTPS Communication with External Facing Services

8.1.43. V12.3 General Service to Service Communication Security

8.1.44. V13.1 Configuration Documentation

8.1.45. V13.3 Secret Management

8.1.46. V13.4 Unintended Information Leakage

8.1.47. V14.2 General Data Protection

8.1.48. V14.3 Client‑side Data Protection

8.1.49. V15.1 Secure Coding and Architecture Documentation

8.1.50. V15.2 Security Architecture and Dependencies

8.1.51. V15.3 Defensive Coding

8.1.52. V15.4 Safe Concurrency

8.1.53. V16.2 General Logging

8.1.54. V16.3 Security Events

8.1.55. V16.4 Log Protection

8.1.56. V16.5 Error Handling

8.1.57. V17.2 Media

8.1.58. V17.3 Signaling

8.2. Mobile Application Security Verification Standard (MASVS)

8.2.1. MASVS-CRYPTO-1

8.2.2. MASVS-CRYPTO-2

8.2.3. MASVS-PLATFORM-2

8.2.4. MASVS-PLATFORM-3

8.2.5. MASVS-CODE-4

8.2.6. MASVS-PRIVACY-1

8.2.7. MASVS-PRIVACY-2

8.2.8. MASVS-PRIVACY-4