Mobile App Security After MAV: Who Sets the Standard Now?
Key Highlights
- The discontinuation of CISA's MAV Program places greater responsibility on organizations to establish and demonstrate their own mobile app security standards.
- Companies are adopting frameworks like NIST and OWASP MASVS to validate their security practices and provide evidence of ongoing protection efforts.
- Transparency reports, continuous monitoring, and proactive vulnerability management are key strategies for proving compliance and maintaining trust in the absence of federal vetting.
- Security now emphasizes resilience, rapid response, and clear communication, shifting from a compliance checkbox to a living, organizational commitment.
In June 2025, the Department of Homeland Security made a quiet but significant decision. The Cybersecurity and Infrastructure Security Agency (CISA) shut down its Mobile App Vetting (MAV) Program, which had served as the federal government’s central mechanism for testing the security of mobile applications for years. The move didn’t make the front page headlines, but it has major implications for cybersecurity and IT professionals across both the public and private sectors.
The MAV Program offered agencies a consistent way to check whether mobile applications contained vulnerabilities, insecure code or compliance risks before being deployed. The discontinuation of this program means that the federal government no longer provides a standardized baseline for mobile app security.
Lawmakers have already expressed concern. Rep. Andrew Garbarino, chair of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, argued that shutting down MAV “sends the wrong signal” at a time when threats against federal systems and private companies are growing. Others described the decision as untimely, given high-profile security incidents such as Salt Typhoon, a recent campaign targeting communications networks and supply chains.
A New Era of Responsibility
In this environment, the first question that arises is: Who sets the bar for mobile app security now that CISA has stepped away? MAV had offered the ease and comfort of a single federal benchmark. Its absence shifts attention to the patchwork of state privacy laws, industry frameworks and independent audits. The U.S. now resembles a decentralized environment where each company has to set its own standards, decide how to measure against them and be ready to prove compliance to regulators and customers on its own.
Some companies are already showing what it looks like to take security into their own hands, though they share different levels of detail about what they are doing. Spotify has been especially open. The company explains how it scans the code it relies on before new features are released, which helps catch problems early. It also built an internal system that tracks security issues from the moment they are identified until they are fixed, ensuring the right teams stay accountable along the way.
DoorDash openly acknowledges the risks of relying on vendors and third-party systems. It gives users direct control over how their personal information is shared and posts updates for its restaurant and merchant partners when it makes security improvements to its platform.
Nextdoor has taken a similar approach by combining technical safeguards with public accountability. The neighborhood platform requires address verification to authenticate users, offers customizable privacy controls and uses a mix of human review and AI to moderate content. It publishes annual transparency reports that detail its safety strategies and security improvements, showing users how it protects their data and maintains trust at a hyperlocal level.
There’s a wide spectrum of responses now. Some organizations are publicly detailing their technical pipelines, while others focus on disclosures, privacy features and vendor accountability. In the absence of MAV, though, consumer platforms must show they are meeting a high standard of security through action, policy or transparency.
Proving Compliance Without Federal Guardrails
The second question is: How can organizations prove compliance in a landscape where oversight has faded? The answer lies in producing strong evidence of security and making that evidence visible to regulators, users and investors. Frameworks like the OWASP Mobile Application Security Verification Standard (MASVS) and guidance from the National Institute of Standards and Technology (NIST) are becoming benchmarks that companies seek to align with to demonstrate that their apps have been tested against accepted security best practices.
It’s equally important to record how security is maintained over time. Companies need to show that their protections are not just one-off checks but part of a continuous process.
That record can take different forms. Continuous monitoring helps detect threats as they happen. Regular penetration testing probes for weaknesses before attackers can exploit them. Remediation efforts should be tracked and documented so it’s clear how issues are resolved. Transparency reports can then bring all of this together, giving regulators and users a clear picture of progress and setbacks. These practices create a trail of accountability that fills the gap left by the federal program.
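The "trail of accountability" described above, the identified-to-fixed issue tracking credited to Spotify earlier, and the MASVS alignment mentioned under "Proving Compliance" all reduce to the same record: every finding, where it came from, which control it maps to, when it was found and when it was fixed. The script below is an added example, not code from the article or from Appknox, that turns such a ledger into the numbers a transparency report would publish. The severity-to-deadline table and the five findings are constructed for the example; the control identifiers follow the OWASP MASVS v2 naming (for instance MASVS-STORAGE-1), but the findings attached to them are invented.

```python
"""Remediation ledger: turns a list of mobile-app security findings into
the evidence a transparency report needs (time-to-fix per severity, SLA
breaches, open items by OWASP MASVS control group)."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional

# Remediation deadline in days per severity. These are ASSUMED policy
# values for the example, not figures from the article or any standard.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    finding_id: str
    title: str
    severity: str           # one of the SLA_DAYS keys
    masvs_control: str      # OWASP MASVS v2 control id the finding maps to
    source: str             # how it surfaced: pentest, sast, monitoring, bug-bounty
    identified: date
    fixed: Optional[date] = None    # None while the finding is still open

    def days_open(self, today: date) -> int:
        """Days from identification to fix, or to `today` if still open."""
        end = self.fixed or today
        return (end - self.identified).days

    def sla_breached(self, today: date) -> bool:
        """True if the finding was, or still is, open longer than its SLA."""
        return self.days_open(today) > SLA_DAYS[self.severity]


def summarize(findings: List[Finding], today: date) -> Dict:
    """Build the per-period summary a transparency report would publish.

    Breaches are reported for fixed-late items as well as still-open ones,
    so a late fix cannot disappear from the record once it is closed.
    """
    report: Dict = {
        "period_end": today.isoformat(),
        "total": len(findings),
        "open": 0,
        "fixed": 0,
        "sla_breaches": [],         # finding ids that exceeded their deadline
        "median_days_to_fix": {},   # per severity, over fixed findings only
        "open_by_control": {},      # MASVS control id -> count of open findings
    }
    fix_times: Dict[str, List[int]] = {sev: [] for sev in SLA_DAYS}
    for f in findings:
        if f.severity not in SLA_DAYS:
            raise ValueError(f"unknown severity {f.severity!r} on {f.finding_id}")
        if f.fixed is None:
            report["open"] += 1
            counts = report["open_by_control"]
            counts[f.masvs_control] = counts.get(f.masvs_control, 0) + 1
        else:
            report["fixed"] += 1
            fix_times[f.severity].append(f.days_open(today))
        if f.sla_breached(today):
            report["sla_breaches"].append(f.finding_id)
    for sev, times in fix_times.items():
        report["median_days_to_fix"][sev] = median(times) if times else None
    return report


# Constructed sample ledger (invented findings and dates, not real issues).
SAMPLE_FINDINGS = [
    Finding("F-001", "Session token cached in plaintext on disk", "critical",
            "MASVS-STORAGE-1", "pentest", date(2025, 7, 1), date(2025, 7, 5)),
    Finding("F-002", "Certificate validation disabled in a build shipped to production", "high",
            "MASVS-NETWORK-1", "sast", date(2025, 7, 3), date(2025, 8, 10)),
    Finding("F-003", "Third-party analytics SDK with a published vulnerability", "high",
            "MASVS-CODE-1", "monitoring", date(2025, 8, 20)),
    Finding("F-004", "User e-mail written to verbose logs", "medium",
            "MASVS-PRIVACY-1", "bug-bounty", date(2025, 6, 1), date(2025, 7, 15)),
    Finding("F-005", "Low iteration count in password-based key derivation", "low",
            "MASVS-CRYPTO-1", "pentest", date(2025, 8, 25)),
]
TODAY = date(2025, 9, 30)

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_FINDINGS, TODAY), indent=2))
```

Run as a script it prints the summary for the constructed ledger: three findings fixed, two open, and two SLA breaches (F-002 was fixed 38 days after identification against a 30-day deadline, and F-003 has been open 41 days). Keeping the breach list independent of the open/fixed status is the design point: the record shows how long things actually took, which is what regulators and users would be asked to trust.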
Lawmakers have suggested that DHS may still serve as the Sector Risk Management Agency for communications and technology, but the details are unclear. Until that role is defined, private organizations will need to demonstrate compliance on their own terms.
Redefining What “Secure Enough” Means
A third and equally important question: What qualifies as secure enough in this new environment? In the past, organizations could point to federal vetting as a stamp of approval. Today, “secure enough” is defined by the strength of layered defenses and the ability to withstand real-world attacks.
At its core, being secure enough means protecting sensitive data wherever it moves or rests, testing mobile apps continuously rather than occasionally, and scrutinizing third-party code as carefully as in-house code. It also means that companies can show how quickly they respond when something goes wrong, with documented fixes and clear communication to the people affected.
This shift reframes security as a living commitment rather than a compliance hurdle. Secure enough is the ability to anticipate threats, withstand them when they arrive and recover in ways that preserve trust.
The Path Forward for Security Leaders
The retirement of the MAV Program marks the beginning of an era in which industry leaders must set the standards for mobile app security themselves. This means shifting from reliance on government-led vetting to proactive self-regulation. It requires embedding security into design and development, adopting widely recognized frameworks and creating a culture where compliance is proven through transparency.
What lies ahead is a test of technical resilience and organizational credibility. To succeed, organizations will need to treat security as a continuous process rather than a compliance exercise and communicate clearly about how they are protecting users. As state privacy laws expand and global regulations evolve, the ability to demonstrate accountability will become as important as the ability to detect threats.
The post-MAV era is a turning point. The guardrails may be gone, but the road ahead offers security leaders an opportunity to shape stronger practices, set higher expectations and build trust on their own terms.
About the Author

Subho Halder
CEO and co-founder of Appknox
Subho Halder is the CEO and co-founder of Appknox, a globally recognized mobile security testing platform. A leading security researcher, Subho is the mastermind behind AFE, known for uncovering critical vulnerabilities in Google, Apple, and other tech giants. A frequent speaker at Black Hat, Def Con, and top security conferences, he is a pioneer in AI-driven threat detection and enterprise security. As CEO, he drives Appknox’s vision, helping organizations proactively safeguard their mobile applications.
